OpenWrt router in an IPv6 enabled network

My Ubiquiti ER-4 router resides in an IPv4/IPv6 network and has a simple config. The interface lan0 has a public IPv4 address and the other 3 interfaces (lan1, lan2, and lan3) are bridged into br-lan and use NATed range 192.168.1.0/24.

However, since the outside network at my workplace is IPv6 enabled (/64 prefix) with static addressing, I would like to keep IPv4 config as is, but "propagate" IPv6 from wan6 to the devices connected to br-lan, either addressed statically or using eui64 for LAN devices.

Is it possible? Please point me to a good tutorial if one exists, since my experience in IPv6 is not sufficient. Thanks in advance!

IPv6 works by default on OpenWrt. Let's see what you have now and what needs to be added.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
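Remember to redact passwords, MAC addresses and any public IP addresses you may have. Note that EUI-64 IPv6 addresses (the ones with ff:fe in the middle of the interface ID) also embed the interface's MAC address.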

# Diagnostic dump for an OpenWrt router. Paste it as a single block: everything
# below is one logical command line joined by "; \" continuations.
#
# The output can contain secrets and identifiers. The exported network config
# may hold credentials or keys if any are configured, and MAC and public IP
# addresses show up in several of the dumps, so redact before posting.
#
#   ubus call system board            board/model and OpenWrt release information
#   uci export network|dhcp|firewall  full UCI configuration of each package
#   head -n -0 FILE...                prints every line of each file, with a
#                                     "==> name <==" header when several are given
#   ip -6 addr; ro li tab all; ru     IPv6 addresses, routes in all tables, policy rules
#   ls -l / head on resolv.*          which resolver files exist and what they contain
#   ifstatus wan6; ifstatus lan       status of the logical interfaces named "wan6"
#                                     and "lan"; use your own interface names if they
#                                     differ, otherwise ifstatus reports "not found"
ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; \
ifstatus wan6; ifstatus lan

Dear @trendy,

Thanks for your quick reply. I have chosen OpenWRT exactly for its good IPv6 support. It is working perfectly on my WAN6 interface and I can access all IPv6-enabled devices on 9001:5170:3020:1::/64 (not real range) from the router. However, I would like to make br-lan interface a part of 9001:5170:3020:1::/64. Is it possible without bridging with WAN6? My config follows:

root@Ubiquiti-ER-4:~# ubus call system board; \
> uci export network; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; \
> ifstatus wan6; ifstatus lan
{
	"kernel": "5.4.154",
	"hostname": "Ubiquiti-ER-4",
	"system": "UBNT_E300 (CN7030p1.2-1000-AAP)",
	"model": "Ubiquiti EdgeRouter 4",
	"board_name": "ubnt,edgerouter-4",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.1",
		"revision": "r16325-88151b8303",
		"target": "octeon/generic",
		"description": "OpenWrt 21.02.1 r16325-88151b8303"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdfb:4aa7:1e1c::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option ip6ifaceid 'eui64'
	option ip6assign '64'

config interface 'wan'
	option device 'lan0'
	option proto 'static'
	option ipaddr '$PUBLIC_IP_IPV4'
	option netmask '255.255.255.0'
	option gateway '$GATEWAY_IPV4'
	option broadcast '$BROADCAST_IPV4'

config interface 'WAN6'
	option proto 'static'
	option device 'lan0'
	option ip6gw '9001:5170:3020:1::1'
	option ip6ifaceid 'eui64'
	list ip6addr '9001:5170:3020:1::8/64'
	option ip6prefix '9001:5170:3020:1::/64'
	list ip6class 'local'

package dhcp

config dnsmasq
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option ednspacket_max '1232'
	list server '$DNS1'
	list server '$DNS2'
	option domainneeded '1'
	option localservice '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ra 'hybrid'
	option dhcpv6 'hybrid'
	list ra_flags 'none'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'mmilos'
	option ip '192.168.1.148'
	option mac '50:65:F3:1E:AB:86'

config dhcp 'WAN6'
	option interface 'WAN6'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ignore '1'
	list ra_flags 'none'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'vpns+'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	option input 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'SSH mmilos'
	list proto 'tcp'
	option src 'wan'
	option src_dport '22'
	option dest_ip '192.168.1.148'
	option dest_port '22'

config rule
	option name 'Allow-SSH'
	list proto 'tcp'
	option src 'wan'
	option dest_port '22'
	option target 'ACCEPT'

config rule
	list proto 'tcp'
	option src 'wan'
	option dest_port '80'
	option target 'ACCEPT'
	option name 'Allow-Luci-public'

config rule
	option name 'Allow-OpenConnect'
	option src 'wan'
	option dest_port '4443'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HTTP forward'
	list proto 'tcp'
	option src 'wan'
	option src_dport '8080'
	option dest_ip '192.168.1.148'
	option dest_port '8080'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HTTP forward'
	list proto 'tcp'
	option src 'wan'
	option src_dport '5000'
	option dest_ip '192.168.1.148'
	option dest_port '5000'

config forwarding
	option src 'wan'
	option dest 'lan'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 9001:5170:3020:1::8/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::6ad7:9aff:fe49:fe16/64 scope link 
       valid_lft forever preferred_lft forever
32: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fdfb:4aa7:1e1c:0:6ad7:9aff:fe49:fe17/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 9001:5170:3020:1:6ad7:9aff:fe49:fe17/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::6ad7:9aff:fe49:fe17/64 scope link 
       valid_lft forever preferred_lft forever
9001:5170:3020:1::/64 dev lan0  metric 256 
9001:5170:3020:1::/64 dev br-lan  metric 1024 
fdfb:4aa7:1e1c::/64 dev br-lan  metric 1024 
unreachable fdfb:4aa7:1e1c::/48 dev lo  metric 2147483647 
fe80::/64 dev lan0  metric 256 
fe80::/64 dev br-lan  metric 256 
local ::1 dev lo table local  metric 0 
anycast 9001:5170:3020:1:: dev lan0 table local  metric 0 
anycast 9001:5170:3020:1:: dev br-lan table local  metric 0 
local 9001:5170:3020:1::8 dev lan0 table local  metric 0 
local 9001:5170:3020:1:6ad7:9aff:fe49:fe17 dev br-lan table local  metric 0 
anycast fdfb:4aa7:1e1c:: dev br-lan table local  metric 0 
local fdfb:4aa7:1e1c:0:6ad7:9aff:fe49:fe17 dev br-lan table local  metric 0 
anycast fe80:: dev lan0 table local  metric 0 
anycast fe80:: dev br-lan table local  metric 0 
local fe80::6ad7:9aff:fe49:fe16 dev lan0 table local  metric 0 
local fe80::6ad7:9aff:fe49:fe17 dev br-lan table local  metric 0 
multicast ff00::/8 dev lan0 table local  metric 256 
multicast ff00::/8 dev br-lan table local  metric 256 
0:	from all lookup local 
32766:	from all lookup main 
4200000000:	from 9001:5170:3020:1:6ad7:9aff:fe49:fe17/64 iif br-lan lookup unspec unreachable
4200000001:	from all iif lo lookup unspec 12
4200000003:	from all iif lan0 lookup unspec 12
4200000003:	from all iif lan0 lookup unspec 12
4200000032:	from all iif br-lan lookup unspec 12
lrwxrwxrwx    1 root     root            16 Oct 24 09:01 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Mar 21 07:07 /tmp/resolv.conf
-rw-r--r--    1 root     root             0 Mar 18 08:57 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root             0 Mar 18 08:57 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
Interface wan6 not found
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 359,
	"l3_device": "br-lan",
	"proto": "static",
	"device": "br-lan",
	"updated": [
		"addresses",
		"routes",
		"prefixes"
	],
	"metric": 0,
	"dns_metric": 0,
	"delegation": false,
	"ipv4-address": [
		{
			"address": "192.168.1.1",
			"mask": 24
		}
	],
	"ipv6-address": [
		
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		{
			"address": "9001:5170:3020:1::",
			"mask": 64,
			"local-address": {
				"address": "9001:5170:3020:1:6ad7:9aff:fe49:fe17",
				"mask": 64
			}
		},
		{
			"address": "fdfb:4aa7:1e1c::",
			"mask": 64,
			"local-address": {
				"address": "fdfb:4aa7:1e1c:0:6ad7:9aff:fe49:fe17",
				"mask": 64
			}
		}
	],
	"route": [
		
	],
	"dns-server": [
		
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		
	}
}

It is possible, with IPv6 relay. However, your configuration troubles me. A few remarks:

  1. WAN6 is not part of the wan firewall zone.
  2. You allow forwarding from the wan zone to the lan zone, so inbound traffic to LAN hosts is not filtered.
  3. You expose LuCI publicly on port 80, unencrypted and insecure.
  4. You are assigning a ULA on WAN6.

Is your wan interface an uplink to your ISP, or is it just connecting to some other router in your house? In the second case I would understand your configuration. Otherwise you are quite exposed.
If your ISP is only assigning a /64, it is very lame. Usually a /60, /56 or /48 is allocated.
If you are administering the uplink router you can delegate a bigger prefix to OpenWrt.
Relay should be the last resort, as it is a workaround.

Thanks once again for your quick reply. I corrected issues (1) and (4) that you noticed. The second case is my case - I am connecting to the main router in my house, which is 9001:5170:3020:1::1, with a /64 prefix (unfortunately). The network outside OpenWRT is static IPv6 (no DHCPv6), so I set RA/DHCPv6 on WAN6 and relay mode on LAN, if that is what you meant.

However, still, no luck. Devices on LAN and VPN (I use ocserv) are regularly getting their IPv6 addresses and are visible from the OpenWRT router. However, they cannot ping the main router 9001:5170:3020:1::1. Must be something with routes. I'm attaching the current config.

root@Ubiquiti-ER-4:~# ubus call system board; \
> uci export network; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.*
 /tmp/resolv.*/* ; \
> ifstatus wan6; ifstatus lan
{
	"kernel": "5.4.154",
	"hostname": "Ubiquiti-ER-4",
	"system": "UBNT_E300 (CN7030p1.2-1000-AAP)",
	"model": "Ubiquiti EdgeRouter 4",
	"board_name": "ubnt,edgerouter-4",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.1",
		"revision": "r16325-88151b8303",
		"target": "octeon/generic",
		"description": "OpenWrt 21.02.1 r16325-88151b8303"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdfb:4aa7:1e1c::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option ip6ifaceid 'eui64'
	option ip6assign '64'

config interface 'wan'
	option device 'lan0'
	option proto 'static'
	option ipaddr '$PUBLIC_IPv4'
	option netmask '255.255.255.0'
	option gateway '$GATEWAY'
	option broadcast '$BCAST'

config interface 'WAN6'
	option proto 'static'
	option device 'lan0'
	option ip6ifaceid 'eui64'
	list ip6addr '9001:51703020:1::8/64'
	option ip6gw '9001:51703020:1::1'
	option ip6prefix '9001:51703020:1::8/64'

package dhcp

config dnsmasq
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option ednspacket_max '1232'
	list server '$DNS1'
	list server '$DNS2'
	option domainneeded '1'
	option localservice '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ra 'relay'
	option dhcpv6 'relay'
	list ra_flags 'none'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'mmilos'
	option ip '192.168.1.148'
	option mac '50:65:F3:1E:AB:86'

config dhcp 'WAN6'
	option interface 'WAN6'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ignore '1'
	option ra 'server'
	list ra_flags 'none'
	option dhcpv6 'server'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'vpns+'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	list network 'WAN6'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'SSH mmilos'
	list proto 'tcp'
	option src 'wan'
	option src_dport '22'
	option dest_ip '192.168.1.148'
	option dest_port '22'

config rule
	option name 'Allow-SSH'
	list proto 'tcp'
	option src 'wan'
	option dest_port '22'
	option target 'ACCEPT'

config rule
	list proto 'tcp'
	option src 'wan'
	option dest_port '80'
	option target 'ACCEPT'
	option name 'Allow-Luci-public'

config rule
	option name 'Allow-OpenConnect'
	option src 'wan'
	option dest_port '4443'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HTTP forward'
	list proto 'tcp'
	option src 'wan'
	option src_dport '8080'
	option dest_ip '192.168.1.148'
	option dest_port '8080'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HTTP forward'
	list proto 'tcp'
	option src 'wan'
	option src_dport '5000'
	option dest_ip '192.168.1.148'
	option dest_port '5000'

config forwarding
	option src 'wan'
	option dest 'lan'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 9001:51703020:1::8/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::6ad7:9aff:fe49:fe16/64 scope link 
       valid_lft forever preferred_lft forever
40: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fdfb:4aa7:1e1c:0:6ad7:9aff:fe49:fe17/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 9001:51703020:1:6ad7:9aff:fe49:fe17/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::6ad7:9aff:fe49:fe17/64 scope link 
       valid_lft forever preferred_lft forever
43: vpns0: <POINTOPOINT,UP,LOWER_UP> mtu 1434 state UNKNOWN qlen 500
    inet6 9001:51703020:1:6ad7:9aff:0:1/128 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::f08a:641d:1745:e70d/64 scope link flags 800 
       valid_lft forever preferred_lft forever
9001:51703020:1:6ad7:9aff:0:1 dev vpns0  metric 256 
9001:51703020:1:6ad7:9aff:1386:21e7 dev vpns0  metric 1 
9001:51703020:1::/64 dev lan0  metric 256 
9001:51703020:1::/64 dev br-lan  metric 1024 
unreachable 9001:51703020:1::/64 dev lo  metric 2147483647 
fdfb:4aa7:1e1c::/64 dev br-lan  metric 1024 
unreachable fdfb:4aa7:1e1c::/48 dev lo  metric 2147483647 
fe80::/64 dev lan0  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev vpns0  metric 256 
default via 9001:51703020:1::1 dev lan0  metric 1024 
local ::1 dev lo table local  metric 0 
anycast 9001:51703020:1:: dev lan0 table local  metric 0 
anycast 9001:51703020:1:: dev br-lan table local  metric 0 
local 9001:51703020:1::8 dev lan0 table local  metric 0 
local 9001:51703020:1:6ad7:9aff:0:1 dev vpns0 table local  metric 0 
local 9001:51703020:1:6ad7:9aff:fe49:fe17 dev br-lan table local  metric 0 
anycast fdfb:4aa7:1e1c:: dev br-lan table local  metric 0 
local fdfb:4aa7:1e1c:0:6ad7:9aff:fe49:fe17 dev br-lan table local  metric 0 
anycast fe80:: dev lan0 table local  metric 0 
anycast fe80:: dev br-lan table local  metric 0 
anycast fe80:: dev vpns0 table local  metric 0 
local fe80::6ad7:9aff:fe49:fe16 dev lan0 table local  metric 0 
local fe80::6ad7:9aff:fe49:fe17 dev br-lan table local  metric 0 
local fe80::f08a:641d:1745:e70d dev vpns0 table local  metric 0 
multicast ff00::/8 dev lan0 table local  metric 256 
multicast ff00::/8 dev br-lan table local  metric 256 
multicast ff00::/8 dev vpns0 table local  metric 256 
0:	from all lookup local 
32766:	from all lookup main 
4200000000:	from 9001:51703020:1:6ad7:9aff:fe49:fe17/64 iif br-lan lookup unspec unreachable
4200000001:	from all iif lo lookup unspec 12
4200000003:	from all iif lan0 lookup unspec 12
4200000003:	from all iif lan0 lookup unspec 12
4200000040:	from all iif br-lan lookup unspec 12
lrwxrwxrwx    1 root     root            16 Oct 24 09:01 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Mar 21 17:13 /tmp/resolv.conf
-rw-r--r--    1 root     root             0 Mar 18 08:57 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root             0 Mar 18 08:57 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
Interface wan6 not found
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 9741,
	"l3_device": "br-lan",
	"proto": "static",
	"device": "br-lan",
	"updated": [
		"addresses",
		"routes",
		"prefixes"
	],
	"metric": 0,
	"dns_metric": 0,
	"delegation": false,
	"ipv4-address": [
		{
			"address": "192.168.1.1",
			"mask": 24
		}
	],
	"ipv6-address": [
		
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		{
			"address": "9001:51703020:1::",
			"mask": 64,
			"local-address": {
				"address": "9001:51703020:1:6ad7:9aff:fe49:fe17",
				"mask": 64
			}
		},
		{
			"address": "fdfb:4aa7:1e1c::",
			"mask": 64,
			"local-address": {
				"address": "fdfb:4aa7:1e1c:0:6ad7:9aff:fe49:fe17",
				"mask": 64
			}
		}
	],
	"route": [
		
	],
	"dns-server": [
		
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		
	}
}

The relay configuration is not correct.


Dear @trendy, many thanks for your patience! I successfully resolved the issue by setting up the DHCPv6 server on LAN and relay on WAN6 as you proposed.
