Ping6: sendto: Permission denied

Hi,

I have a IPv6 issue on my main router:

ping6: sendto: Permission denied

I don't find the issue on my config (main router behind my box):

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd06:54b0:5e6e::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'lan1 lan2 lan3'
        option proto 'static'
        option ipaddr '192.168.1.254'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ip6ifaceid '::254'

config interface 'wan'
        option ifname 'wan'
        option proto 'dhcp'
        option delegate '0'

config interface 'wan6'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'
        list dns '2001:4860:4860::8888'
        list dns '2001:4860:4860::8844'
        option ifname 'wan'

Can you help me to solve this issue ?

ls -la `(which ping6)`
ls -la /bin/busybox
uci show firewall.wan
uci show firewall.lan

Thx

lrwxrwxrwx    1 root     root             7 Jun 25 02:36 /bin/ping6 -> busybox
root@hubble:~# ls -la /bin/busybox
-rwxr-xr-x    1 root     root        299048 Jun 25 02:36 /bin/busybox
root@hubble:~# uci show firewall.wan
uci: Entry not found
root@hubble:~# uci show firewall.lan
uci: Entry not found
root@hubble:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan vpn'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].network='wan wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].src='lan'
firewall.@rule[0].src_ip='192.168.1.11' '192.168.1.4' '192.168.1.3'
firewall.@rule[0].dest='wan'
firewall.@rule[0].target='REJECT'
firewall.@rule[0].start_time='20:00:00'
firewall.@rule[0].stop_time='08:00:00'
firewall.@rule[0].name='[Disallow] Internet enfants soir'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-IGMP'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='igmp'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].enabled='0'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-DHCP-Renew'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='udp'
firewall.@rule[2].dest_port='68'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].enabled='0'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-Ping'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='icmp'
firewall.@rule[3].icmp_type='echo-request'
firewall.@rule[3].family='ipv4'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[3].enabled='0'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-DHCPv6'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='udp'
firewall.@rule[4].src_ip='fc00::/6'
firewall.@rule[4].dest_ip='fc00::/6'
firewall.@rule[4].dest_port='546'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[4].enabled='0'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-MLD'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].src_ip='fe80::/10'
firewall.@rule[5].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[5].enabled='0'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Input'
firewall.@rule[6].src='wan'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[6].enabled='0'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-ICMPv6-Forward'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='*'
firewall.@rule[7].proto='icmp'
firewall.@rule[7].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[7].limit='1000/sec'
firewall.@rule[7].family='ipv6'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[7].enabled='0'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-IPSec-ESP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].proto='esp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[8].enabled='0'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-ISAKMP'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest='lan'
firewall.@rule[9].dest_port='500'
firewall.@rule[9].proto='udp'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].enabled='0'
firewall.@rule[10]=rule
firewall.@rule[10].name='Support-UDP-Traceroute'
firewall.@rule[10].src='wan'
firewall.@rule[10].dest_port='33434:33689'
firewall.@rule[10].proto='udp'
firewall.@rule[10].family='ipv4'
firewall.@rule[10].target='REJECT'
firewall.@rule[10].enabled='0'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@redirect[0]=redirect
...

Which IP are you trying to ping?
Post also these: ip -6 addr; ip -6 ro; ip -6 ru (you can change a bit the public addresses if you don't want them to be seen here)

A simple google.fr...

root@hubble:~# ping6 google.fr
PING google.fr (2a00:1450:4007:80b::2003): 56 data bytes
ping6: sendto: Permission denied
root@hubble:~# ip -6 addr; ip -6 ro; ip -6 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::8ac3:97ff:fe3b:6ab9/64 scope link
       valid_lft forever preferred_lft forever
3: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 xxxx::xxxx:xxxx:fe3b:6ab8/64 scope link
       valid_lft forever preferred_lft forever
9: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 xxxx:xxxx:xxxx::254/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 xxxx::xxxx:xxxx:fe3b:6ab9/64 scope link
       valid_lft forever preferred_lft forever
10: vpn: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 state UNKNOWN qlen 1000
    inet6 xxxx:xxxx:xxxx:3a9c::1/64 scope global
       valid_lft forever preferred_lft forever
11: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 xxxx::xxxx:xxxx:fe3b:6aba/64 scope link
       valid_lft forever preferred_lft forever
12: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 xxxx::xxxx:xxxx:fe3b:6abb/64 scope link
       valid_lft forever preferred_lft forever
xxxx:xxxx:xxxx::/64 dev br-lan proto static metric 1024 pref medium
unreachable xxxx:xxxx:xxxx::/48 dev lo proto static metric 2147483647 pref medium
xxxx:xxxx:xxxx:3a9c::/64 dev vpn proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/64 dev wlan1 proto kernel metric 256 pref medium
0:      from all lookup local
32766:  from all lookup main
4200000001:     from all iif lo failed_policy
4200000003:     from all iif wan failed_policy
4200000009:     from all iif br-lan failed_policy
4200000010:     from all iif vpn failed_policy

Thank you for you help !

I don't see any default route in the ipv6 routing table, hence the error.
The fd.... address is ULA and is private, no need to redact that.

1 Like

OK... but how create it ? I haven't any IPv4 route so...

Does your isp provide IPv6 connectivity?
What is the output of uci export network; ifstatus wan6; ifstatus wan_6

Yes.

uci export network; ifstatus wan6;
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd06:54b0:5e6e::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'lan1 lan2 lan3'
        option proto 'static'
        option ipaddr '192.168.1.254'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ip6ifaceid '::254'

config interface 'wan'
        option ifname 'wan'
        option proto 'dhcp'
        option delegate '0'

config interface 'wan6'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'
        list dns '2001:4860:4860::8888'
        list dns '2001:4860:4860::8844'
        option ifname 'wan'

config interface 'vpn'
        option proto 'wireguard'
 ...

{
        "up": false,
        "pending": true,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "proto": "dhcpv6",
        "device": "wan",
        "data": {

        }
}

Try ifup wan6; ifstatus

No...

 ifup wan6; ifstatus wan6
{
        "up": false,
        "pending": true,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "proto": "dhcpv6",
        "device": "wan",
        "data": {

        }
}

But in Luci, wan6 seem up...

Install and run tcpdump:
tcpdump -i eth0 -evn icmp6 or udp port 547
from another ssh connection do an ifup wan6 and post here the output after letting it run for a minute.

1 Like

Nothing...

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

There doesn't seem to be any IPv6 connection. Did it ever work or are you trying to make it work for the first time?

It was already working... If I connect my laptop directly on my box, I have an IPv6 and a ping6, but not with OpenWRT.

OK... My fault !!!!! PEBKAC...

I have disabled some default rules...

OK, it's better...

My OpenWRT have IPv6 acces (ping google.fr) but if I connect my laptop on my router, I can't ping6...

Any idea ?

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip6tables-save -c; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

Thks !

{
	"kernel": "5.4.48",
	"hostname": "hubble",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Xiaomi Redmi Router AC2100",
	"board_name": "xiaomi,redmi-router-ac2100",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r13628-870588b6eb",
		"target": "ramips/mt7621",
		"description": "OpenWrt SNAPSHOT r13628-870588b6eb"
	}
}
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd06:54b0:5e6e::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'lan1 lan2 lan3'
	option proto 'static'
	option ipaddr '192.168.1.254'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6ifaceid '::1'

config interface 'wan'
	option ifname 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config interface 'vpn'
	option proto 'wireguard'
[...]

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option confdir '/tmp/dnsmasq.d'
	option local '/starfleet/'
	option domain 'starfleet'
	option noresolv '1'
	option doh_backup_noresolv '-1'
	list server '127.0.0.1#5053'
	list server '127.0.0.1#5054'
	list doh_backup_server '127.0.0.1#5053'
	list doh_backup_server '127.0.0.1#5054'

config tag 'kids'
	list dhcp_option '6,208.67.222.123,208.67.220.123'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option start '192'
	option limit '14'
	option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
[...]

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan vpn'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option src 'lan'
	list src_ip '192.168.1.11'
	list src_ip '192.168.1.4'
	list src_ip '192.168.1.3'
	option dest 'wan'
	option target 'REJECT'
	option start_time '20:00:00'
	option stop_time '08:00:00'
	option name '[Disallow] Internet enfants soir'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	option name '[VPN] Wireguard'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest 'lan'
	option dest_ip '192.168.1.254'
	option dest_port '51820'

config redirect
	option target 'DNAT'
	option name '[HTTP] Deepspace9'
	list proto 'tcp'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_ip '192.168.1.1'
	option dest_port '80'

config redirect
	option target 'DNAT'
	option name '[HTTPs] Deepspace9'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option dest 'lan'
	option dest_ip '192.168.1.1'
	option dest_port '443'

config redirect
	option target 'DNAT'
	list proto 'tcp'
	option src 'wan'
	option src_dport '5581'
	option dest 'lan'
	option dest_port '80'
	option name '[HTTP] IPCAM RDC'
	option dest_ip '192.168.1.76'

config redirect
	option target 'DNAT'
	list proto 'tcp'
	option src 'wan'
	option src_dport '5582'
	option dest 'lan'
	option dest_port '80'
	option name '[HTTP] IPCAM 1er étage'
	option dest_ip '192.168.1.77'

config redirect
	option target 'DNAT'
	option name '[HTTP] Kodi'
	list proto 'tcp'
	option src 'wan'
	option src_dport '8080'
	option dest 'lan'
	option dest_ip '192.168.1.5'
	option dest_port '8080'

config redirect
	option target 'DNAT'
	list proto 'tcp'
	option src 'wan'
	option src_dport '5554'
	option dest 'lan'
	option dest_port '554'
	option name '[RTSP] IPCAM 1er étage'
	option dest_ip '192.168.1.77'

config redirect
	option target 'DNAT'
	list proto 'tcp'
	option src 'wan'
	option src_dport '5541'
	option dest 'lan'
	option dest_port '554'
	option name '[RTSP] IPCAM RDC'
	option dest_ip '192.168.1.76'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by ip6tables-save v1.8.4 on Thu Nov  5 22:58:44 2020
*mangle
:PREROUTING ACCEPT [1044:138522]
:INPUT ACCEPT [1021:135798]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1004:655538]
:POSTROUTING ACCEPT [1004:655538]
[0:0] -A FORWARD -o wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Nov  5 22:58:44 2020
# Generated by ip6tables-save v1.8.4 on Thu Nov  5 22:58:44 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[1021:135798] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[960:130983] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[7:560] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[51:4063] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i vpn -m comment --comment "!fw3" -j zone_lan_input
[10:752] -A INPUT -i wan -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i vpn -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[1006:656166] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[965:652826] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[26:1976] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o vpn -m comment --comment "!fw3" -j zone_lan_output
[15:1364] -A OUTPUT -o wan -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[7:560] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[26:1976] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o vpn -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[51:4063] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[51:4063] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[26:1976] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[26:1976] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[51:4063] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i vpn -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[15:1364] -A zone_wan_dest_ACCEPT -o wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[10:752] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[6:432] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[1:128] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[3:192] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[15:1364] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[15:1364] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i wan -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu Nov  5 22:58:44 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::8ac3:97ff:fe3b:6ab9/64 scope link 
       valid_lft forever preferred_lft forever
3: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a01:e34:XXXX:XXXX::f31a:ee44/128 scope global dynamic noprefixroute 
       valid_lft 86206sec preferred_lft 86206sec
    inet6 fe80::8ac3:97ff:fe3b:6ab8/64 scope link 
       valid_lft forever preferred_lft forever
10: vpn: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 state UNKNOWN qlen 1000
    inet6 fdf1:7610:d152:3a9c::1/64 scope global 
       valid_lft forever preferred_lft forever
11: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::8ac3:97ff:fe3b:6aba/64 scope link 
       valid_lft forever preferred_lft forever
12: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::8ac3:97ff:fe3b:6abb/64 scope link 
       valid_lft forever preferred_lft forever
14: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd06:54b0:5e6e::1/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fd06:54b0:5e6e::254/64 scope global deprecated dynamic 
       valid_lft 6930sec preferred_lft 0sec
    inet6 fe80::8ac3:97ff:fe3b:6ab9/64 scope link 
       valid_lft forever preferred_lft forever
default from 2a01:e34:XXXX:XXXX::f31a:ee44 via fe80::8e97:eaff:fe37:5aef dev wan proto static metric 512 pref medium
2a01:e34:XXXX:XXXX::/64 dev wan proto static metric 256 pref medium
fd06:54b0:5e6e::/64 dev br-lan proto kernel metric 256 expires 6929sec pref medium
fd06:54b0:5e6e::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd06:54b0:5e6e::/48 dev lo proto static metric 2147483647 pref medium
fdf1:7610:d152:3a9c::/64 dev vpn proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/64 dev wlan1 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2a01:e34:XXXX:XXXX::f31a:ee44 dev wan table local proto kernel metric 0 pref medium
anycast fd06:54b0:5e6e:: dev br-lan table local proto kernel metric 0 pref medium
local fd06:54b0:5e6e::1 dev br-lan table local proto kernel metric 0 pref medium
local fd06:54b0:5e6e::254 dev br-lan table local proto kernel metric 0 pref medium
anycast fdf1:7610:d152:3a9c:: dev vpn table local proto kernel metric 0 pref medium
local fdf1:7610:d152:3a9c::1 dev vpn table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev wan table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan0 table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan1 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
local fe80::8ac3:97ff:fe3b:6ab8 dev wan table local proto kernel metric 0 pref medium
local fe80::8ac3:97ff:fe3b:6ab9 dev eth0 table local proto kernel metric 0 pref medium
local fe80::8ac3:97ff:fe3b:6ab9 dev br-lan table local proto kernel metric 0 pref medium
local fe80::8ac3:97ff:fe3b:6aba dev wlan0 table local proto kernel metric 0 pref medium
local fe80::8ac3:97ff:fe3b:6abb dev wlan1 table local proto kernel metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev vpn table local metric 256 pref medium
ff00::/8 dev wan table local metric 256 pref medium
ff00::/8 dev wlan0 table local metric 256 pref medium
ff00::/8 dev wlan1 table local metric 256 pref medium
ff00::/8 dev br-lan table local metric 256 pref medium
0:	from all lookup local
32766:	from all lookup main
4200000001:	from all iif lo failed_policy
4200000003:	from all iif wan failed_policy
4200000003:	from all iif wan failed_policy
4200000010:	from all iif vpn failed_policy
4200000014:	from all iif br-lan failed_policy
lrwxrwxrwx    1 root     root            16 Jun 25 02:36 /etc/resolv.conf -> /tmp/resolv.conf
lrwxrwxrwx    1 root     root            35 Nov  5 19:49 /tmp/resolv.conf -> /tmp/resolv.conf.d/resolv.conf.auto
-rw-r--r--    1 root     root            83 Nov  5 22:55 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            83 Nov  5 22:55 resolv.conf.auto
==> /etc/resolv.conf <==
# Interface wan
nameserver 192.168.0.254
# Interface wan6
nameserver fd0f:ee:b0::1

==> /tmp/resolv.conf <==
# Interface wan
nameserver 192.168.0.254
# Interface wan6
nameserver fd0f:ee:b0::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver 192.168.0.254
# Interface wan6
nameserver fd0f:ee:b0::1

I cannot understand which IPs you have got from the provider.
I told you that fd addresses are ULA and you don't need to redact them. For the others you can hide a few characters.