Relay: IPv6 does not work by default until interface is restarted

Hi,

I use OpenWrt 19.07 (latest stable) on a Netgear R6220.

I use the relay package and followed the tutorial there to relay my main wireless network:

I also configured IPv6 and it works relatively well, apart from one small thing: when I start my router I don't get IPv6 by default; I need to restart an interface. I now run the following script as a service, and that is enough to get IPv6 working normally.

My question is thus: is it a bug somewhere? I was about to open an issue on the github repo, but I thought I'd ask around for confirmation first.

As you can see on the screenshot, the problem is the "Network device is not present", which is solved by the script I mentioned.

#!/bin/sh /etc/rc.common
# Example script
# Copyright (C) 2007 OpenWrt.org

# rc.common ordering values: STOP is the position in the shutdown sequence,
# START the position in the boot sequence. 99 places this script late in both.
STOP=99
START=99

# Set network.wwan6.reqaddress to the value given in $1 and commit the
# network config, which writes the change to /etc/config/network.
_set_wwan6_reqaddress() {
    uci set "network.wwan6.reqaddress=$1"
    uci commit network
}

# Boot-time workaround from this thread: switch wwan6's reqaddress to 'try',
# reload the network service, then put the committed value back to 'force'.
# Each boot therefore commits the network config twice.
# NOTE(review): later in the thread IPv6 is reported working once wwan6 uses
# ifname '@wwan', so this service is a stopgap rather than the fix.
start() {
    # Fixed delay before touching the config; the thread does not say why --
    # presumably it lets the interfaces come up first (TODO confirm).
    sleep 5
    _set_wwan6_reqaddress try
    /etc/init.d/network reload
    _set_wwan6_reqaddress force
}

# Shutdown hook: nothing is undone here, it only prints a marker line.
stop() {
    printf '%s\n' "stop custom dhcp fix"
}

Version information:

"Powered by LuCI openwrt-19.07 branch (git-20.136.49537-fb2f363) / OpenWrt 19.07.3 r11063-85e04e9f46"


Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
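Remember to redact passwords, MAC addresses and any public IP addresses you may have. Note that EUI-64 IPv6 addresses (those with ff:fe in the middle of the interface part, including fe80:: link-local ones) embed the MAC address, so redact those as well.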

# Diagnostic dump requested in the thread: UCI config for network, wireless,
# dhcp and firewall, the custom firewall script, then IPv4 and IPv6
# addresses, routes (all tables) and policy rules.
# The output includes Wi-Fi keys and MAC addresses; redact before posting.
uci export network
uci export wireless
uci export dhcp
uci export firewall
head -n -0 /etc/firewall.user
ip -4 addr; ip -4 route list table all; ip -4 rule
ip -6 addr; ip -6 route list table all; ip -6 rule
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fde3:63eb:0903::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.15.1'

config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr 'REDACTED'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr 'REDACTED'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 6t'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'
	option vid '2'

config interface 'wwan'
	option proto 'dhcp'

config interface 'stabridge'
	option proto 'relay'
	list network 'lan'
	list network 'wwan'
	list network 'wwanrep'

config interface 'wwanrep'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ipaddr '192.168.16.1'

config interface 'wwan6'
	option ifname 'wlan1'
	option proto 'dhcpv6'
	option reqprefix 'auto'
	option reqaddress 'force'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'pci0000:00/0000:00:01.0/0000:02:00.0'
	option htmode 'HT40'
	option channel 'auto'
	option legacy_rates '0'
	option country 'CH'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option legacy_rates '0'
	option channel 'auto'
	option htmode 'VHT80'
	option country 'CH'

config wifi-iface 'wifinet0'
	option ssid 'REDACTED'
	option device 'radio1'
	option mode 'sta'
	option key ''
	option network 'wwan'
	option encryption 'psk2'

config wifi-iface 'wifinet1'
	option ssid 'OpenWrt'
	option device 'radio0'
	option mode 'ap'
	option network 'wwanrep'
	option key ''
	option encryption 'psk2'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option ignore '1'
	option ra 'relay'
	option ndp 'relay'

config dhcp 'wan'
	option ignore '1'
	option interface 'wwan'
	option ra 'relay'
	option ndp 'relay'
	option master '1'
	option try '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'wwanrep'
	option interface 'wwanrep'
	option ignore '1'
	option ra 'relay'
	option ndp 'relay'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 wwan'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'bridgezone'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option network 'lan wwan wwanrep'

config redirect
	option name 'wg'
	option target 'DNAT'
	option dest_ip '192.168.1.2'
	option dest 'lan'
	list proto 'udp'
	option src 'bridgezone'
	option dest_port '51822'
	option src_dport '51822'
	option enabled '0'

config rule
	option dest 'lan'
	option src 'wan'
	option name 'all'
	option target 'ACCEPT'

config zone
	option name 'rep'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'rep'

config rule
	option dest 'rep'
	option src 'wan'
	option name 'all2'
	option target 'ACCEPT'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.15.1/24 brd 192.168.15.255 scope global br-lan
       valid_lft forever preferred_lft forever
8: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.188/24 brd 192.168.1.255 scope global wlan1
       valid_lft forever preferred_lft forever
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.16.1/24 brd 192.168.16.255 scope global wlan0
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev wlan1 table 16800 
192.168.1.1 dev wlan1 table 16800 scope link 
192.168.1.134 dev wlan1 table 16800 scope link 
192.168.1.173 dev wlan1 table 16800 scope link 
192.168.1.217 dev wlan1 table 16800 scope link 
192.168.15.3 dev br-lan table 16800 scope link 
192.168.1.141 dev wlan0 table 16801 scope link 
192.168.15.3 dev br-lan table 16801 scope link 
default via 192.168.1.1 dev wlan1 table 16802 
192.168.1.1 dev wlan1 table 16802 scope link 
192.168.1.134 dev wlan1 table 16802 scope link 
192.168.1.141 dev wlan0 table 16802 scope link 
192.168.1.173 dev wlan1 table 16802 scope link 
192.168.1.217 dev wlan1 table 16802 scope link 
default via 192.168.1.1 dev wlan1  src 192.168.1.188 
192.168.1.0/24 dev wlan1 scope link  src 192.168.1.188 
192.168.15.0/24 dev br-lan scope link  src 192.168.15.1 
192.168.16.0/24 dev wlan0 scope link  src 192.168.16.1 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.1.0 dev wlan1 table local scope link  src 192.168.1.188 
local 192.168.1.188 dev wlan1 table local scope host  src 192.168.1.188 
broadcast 192.168.1.255 dev wlan1 table local scope link  src 192.168.1.188 
broadcast 192.168.15.0 dev br-lan table local scope link  src 192.168.15.1 
local 192.168.15.1 dev br-lan table local scope host  src 192.168.15.1 
broadcast 192.168.15.255 dev br-lan table local scope link  src 192.168.15.1 
broadcast 192.168.16.0 dev wlan0 table local scope link  src 192.168.16.1 
local 192.168.16.1 dev wlan0 table local scope host  src 192.168.16.1 
broadcast 192.168.16.255 dev wlan0 table local scope link  src 192.168.16.1 
0:	from all lookup local 
2:	from all iif lo lookup 1 
2:	from all iif wlan0 lookup 16800 
2:	from all iif wlan1 lookup 16801 
2:	from all iif br-lan lookup 16802 
32766:	from all lookup main 
32767:	from all lookup default 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 1000
    inet6 fe80::425d:82ff:fedd:8fb0/64 scope link 
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 IPV6_REDACTED::1/64 scope global dynamic 
       valid_lft 3275sec preferred_lft 3275sec
    inet6 fde3:63eb:903::1/60 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::425d:82ff:fedd:8fb0/64 scope link 
       valid_lft forever preferred_lft forever
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::425d:82ff:fedd:8fb1/64 scope link 
       valid_lft forever preferred_lft forever
8: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 IPV6_REDACTED:425d:82ff:fedd:8fb4/64 scope global dynamic 
       valid_lft 7180sec preferred_lft 3580sec
    inet6 fdaa:bbcc:ddee:0:425d:82ff:fedd:8fb4/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 IPV6_REDACTED:61a0:d410:9f58:f0ec/128 scope global dynamic 
       valid_lft 3275sec preferred_lft 3275sec
    inet6 fe80::425d:82ff:fedd:8fb4/64 scope link 
       valid_lft forever preferred_lft forever
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fde3:63eb:903:10::1/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::425d:82ff:fedd:8fb0/64 scope link 
       valid_lft forever preferred_lft forever
default from IPV6_REDACTED:61a0:d410:9f58:f0ec via fe80::5a90:43ff:feae:55ab dev wlan1  metric 512 
default from IPV6_REDACTED::/64 via fe80::5a90:43ff:feae:55ab dev wlan1  metric 512 
default from fdaa:bbcc:ddee::/64 via fe80::5a90:43ff:feae:55ab dev wlan1  metric 512 
IPV6_REDACTED:107f:290d:ba82:256d dev wlan0  metric 1024 
IPV6_REDACTED:3a29:363c:f2e5:ed8e dev br-lan  metric 1024 
IPV6_REDACTED:55b0:cea2:bc69:f559 dev wlan1  metric 1024 
IPV6_REDACTED:961e:b45e:6681:4cb8 dev br-lan  metric 1024 
IPV6_REDACTED:beef:2df9:7ac9:d358 dev br-lan  metric 1024 
IPV6_REDACTED::/64 dev wlan1  metric 256 
IPV6_REDACTED::/64 via fe80::5a90:43ff:feae:55ab dev wlan1  metric 512 
IPV6_REDACTED::/64 dev br-lan  metric 1024 
unreachable IPV6_REDACTED::/64 dev lo  metric 2147483647  error -148
fdaa:bbcc:ddee:0:107f:290d:ba82:256d dev wlan0  metric 1024 
fdaa:bbcc:ddee:0:5a90:43ff:feae:55ab dev wlan1  metric 1024 
fdaa:bbcc:ddee::/64 dev wlan1  metric 256 
fdaa:bbcc:ddee::/64 via fe80::5a90:43ff:feae:55ab dev wlan1  metric 512 
fde3:63eb:903::/64 dev br-lan  metric 1024 
fde3:63eb:903:10::/64 dev wlan0  metric 1024 
unreachable fde3:63eb:903::/48 dev lo  metric 2147483647  error -148
fe80::/64 dev eth0  metric 256 
fe80::/64 dev eth0.2  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev wlan1  metric 256 
fe80::/64 dev wlan0  metric 256 
local ::1 dev lo table local  metric 0 
anycast IPV6_REDACTED:: dev wlan1 table local  metric 0 
anycast IPV6_REDACTED:: dev br-lan table local  metric 0 
local IPV6_REDACTED::1 dev br-lan table local  metric 0 
local IPV6_REDACTED:425d:82ff:fedd:8fb4 dev wlan1 table local  metric 0 
local IPV6_REDACTED:61a0:d410:9f58:f0ec dev wlan1 table local  metric 0 
anycast fdaa:bbcc:ddee:: dev wlan1 table local  metric 0 
local fdaa:bbcc:ddee:0:425d:82ff:fedd:8fb4 dev wlan1 table local  metric 0 
anycast fde3:63eb:903:: dev br-lan table local  metric 0 
local fde3:63eb:903::1 dev br-lan table local  metric 0 
anycast fde3:63eb:903:10:: dev wlan0 table local  metric 0 
local fde3:63eb:903:10::1 dev wlan0 table local  metric 0 
anycast fe80:: dev eth0.2 table local  metric 0 
anycast fe80:: dev eth0 table local  metric 0 
anycast fe80:: dev br-lan table local  metric 0 
anycast fe80:: dev wlan1 table local  metric 0 
anycast fe80:: dev wlan0 table local  metric 0 
local fe80::425d:82ff:fedd:8fb0 dev eth0 table local  metric 0 
local fe80::425d:82ff:fedd:8fb0 dev br-lan table local  metric 0 
local fe80::425d:82ff:fedd:8fb0 dev wlan0 table local  metric 0 
local fe80::425d:82ff:fedd:8fb1 dev eth0.2 table local  metric 0 
local fe80::425d:82ff:fedd:8fb4 dev wlan1 table local  metric 0 
ff00::/8 dev eth0 table local  metric 256 
ff00::/8 dev br-lan table local  metric 256 
ff00::/8 dev eth0.2 table local  metric 256 
ff00::/8 dev wlan1 table local  metric 256 
ff00::/8 dev wlan0 table local  metric 256 
0:	from all lookup local 
32766:	from all lookup main 
4200000000:	from IPV6_REDACTED::1/64 iif br-lan lookup unspec unreachable
4200000001:	from all iif lo lookup unspec 12
4200000005:	from all iif br-lan lookup unspec 12
4200000008:	from all iif wlan1 lookup unspec 12
4200000008:	from all iif wlan1 lookup unspec 12
4200000009:	from all iif wlan0 lookup unspec 12

Edit: I realized there's been a new release since I installed OpenWrt, 19.07.4, I'm gonna try it out and see if I still need the workaround after.

Edit 2: same result after updating to this version:
Powered by LuCI openwrt-19.07 branch (git-20.247.75781-0d0ab01) / OpenWrt 19.07.4 r11208-ce6496d796

The Local IPv4 address is missing.

Your settings don't follow the guide: https://openwrt.org/docs/guide-user/network/wifi/relay_configuration#adding_ipv6_support
Use ifname @wwan , Request IPv6 address: disabled
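Also, your firewall zones are wrong: wwan and wwan6 must be in the lan zone. In the export above, the wan zone is also set to ACCEPT for input and forward, and the rules 'all' and 'all2' accept everything coming from wan, so nothing arriving from that zone is filtered.
Since there are a lot of mistakes, I suggest you reset to defaults and redo the configuration from scratch, following the guide to the letter, and only then add the extras that you want.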


I've followed the tutorial again (with another device but exactly the same model). I have the same problem, and the same script "solves" it. Attached is the output of your command.

package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdcb:f984:b6c3::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.10.1'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr 'REDACTED'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr 'REDACTED'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config interface 'wwan'
	option proto 'dhcp'

config interface 'repeater_bridge'
	option proto 'relay'
	list network 'lan'
	list network 'wwan'
	option ipaddr '192.168.1.228'

config interface 'wwan6'
	option ifname 'wlan1'
	option proto 'dhcpv6'
	option reqprefix 'auto'
	option reqaddress 'none'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'pci0000:00/0000:00:01.0/0000:02:00.0'
	option htmode 'HT40'
	option channel 'auto'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option key 'REDACTED'
	option encryption 'psk2'
	option ssid 'OpenWrt2'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'VHT80'

config wifi-iface 'wifinet2'
	option key 'REDACTED'
	option ssid 'REDACTED'
	option device 'radio1'
	option mode 'sta'
	option bssid 'REDACTED'
	option network 'wwan'
	option encryption 'psk2'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option ignore '1'
	option ra 'relay'
	option ndp 'relay'

config dhcp 'wan'
	option ignore '1'
	option interface 'wwan'
	option ra 'relay'
	option ndp 'relay'
	option master '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wwan repeater_bridge wwan6'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.10.1/24 brd 192.168.10.255 scope global br-lan
       valid_lft forever preferred_lft forever
8: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.228/24 brd 192.168.1.255 scope global wlan1
       valid_lft forever preferred_lft forever
192.168.1.2 dev br-lan table 16800 scope link  src 192.168.1.228 
192.168.1.2 dev br-lan table 16801 scope link 
default via 192.168.1.1 dev wlan1  src 192.168.1.228 
192.168.1.0/24 dev wlan1 scope link  src 192.168.1.228 
192.168.10.0/24 dev br-lan scope link  src 192.168.10.1 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.1.0 dev wlan1 table local scope link  src 192.168.1.228 
local 192.168.1.228 dev wlan1 table local scope host  src 192.168.1.228 
broadcast 192.168.1.255 dev wlan1 table local scope link  src 192.168.1.228 
broadcast 192.168.10.0 dev br-lan table local scope link  src 192.168.10.1 
local 192.168.10.1 dev br-lan table local scope host  src 192.168.10.1 
broadcast 192.168.10.255 dev br-lan table local scope link  src 192.168.10.1 
0:	from all lookup local 
2:	from all iif lo lookup 16800 
2:	from all iif wlan1 lookup 16801 
2:	from all iif br-lan lookup 16802 
32766:	from all lookup main 
32767:	from all lookup default 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 1000
    inet6 fe80::2e30:33ff:fe3a:958/64 scope link 
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 REDACTED scope global dynamic 
       valid_lft 2135sec preferred_lft 2135sec
    inet6 fdcb:f984:b6c3::1/60 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::2e30:33ff:fe3a:958/64 scope link 
       valid_lft forever preferred_lft forever
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::2e30:33ff:fe3a:959/64 scope link 
       valid_lft forever preferred_lft forever
8: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 REDACTED scope global dynamic 
       valid_lft 7172sec preferred_lft 3572sec
    inet6 fdaa:bbcc:ddee:0:2e30:33ff:fe3a:95c/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 REDACTED scope global dynamic 
       valid_lft 2136sec preferred_lft 2136sec
    inet6 fe80::2e30:33ff:fe3a:95c/64 scope link 
       valid_lft forever preferred_lft forever
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::2e30:33ff:fe3a:958/64 scope link 
       valid_lft forever preferred_lft forever
default from REDACTED via fe80::5a90:43ff:feae:55ab dev wlan1  metric 512 
default from REDACTED via fe80::5a90:43ff:feae:55ab dev wlan1  metric 512 
default from fdaa:bbcc:ddee::/64 via fe80::5a90:43ff:feae:55ab dev wlan1  metric 512 
REDACTED dev br-lan  metric 1024 
REDACTED dev wlan1  metric 1024 
REDACTED dev br-lan  metric 1024 
REDACTED dev br-lan  metric 1024 
REDACTED dev br-lan  metric 1024 
REDACTED dev wlan1  metric 256 
REDACTED via fe80::5a90:43ff:feae:55ab dev wlan1  metric 512 
REDACTED dev br-lan  metric 1024 
unreachable REDACTED dev lo  metric 2147483647  error -148
fdaa:bbcc:ddee:0:5a90:43ff:feae:55ab dev wlan1  metric 1024 
fdaa:bbcc:ddee:0:ec68:697a:e133:d3af dev br-lan  metric 1024 
fdaa:bbcc:ddee::/64 dev wlan1  metric 256 
fdaa:bbcc:ddee::/64 via fe80::5a90:43ff:feae:55ab dev wlan1  metric 512 
fdcb:f984:b6c3::/64 dev br-lan  metric 1024 
unreachable fdcb:f984:b6c3::/48 dev lo  metric 2147483647  error -148
fe80::/64 dev eth0  metric 256 
fe80::/64 dev eth0.2  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev wlan1  metric 256 
fe80::/64 dev wlan0  metric 256 
local ::1 dev lo table local  metric 0 
anycast REDACTED dev br-lan table local  metric 0 
anycast REDACTED dev wlan1 table local  metric 0 
local REDACTED dev br-lan table local  metric 0 
local REDACTED dev wlan1 table local  metric 0 
local REDACTED dev wlan1 table local  metric 0 
anycast fdaa:bbcc:ddee:: dev wlan1 table local  metric 0 
local fdaa:bbcc:ddee:0:2e30:33ff:fe3a:95c dev wlan1 table local  metric 0 
anycast fdcb:f984:b6c3:: dev br-lan table local  metric 0 
local fdcb:f984:b6c3::1 dev br-lan table local  metric 0 
anycast fe80:: dev eth0 table local  metric 0 
anycast fe80:: dev eth0.2 table local  metric 0 
anycast fe80:: dev br-lan table local  metric 0 
anycast fe80:: dev wlan1 table local  metric 0 
anycast fe80:: dev wlan0 table local  metric 0 
local fe80::2e30:33ff:fe3a:958 dev eth0 table local  metric 0 
local fe80::2e30:33ff:fe3a:958 dev br-lan table local  metric 0 
local fe80::2e30:33ff:fe3a:958 dev wlan0 table local  metric 0 
local fe80::2e30:33ff:fe3a:959 dev eth0.2 table local  metric 0 
local fe80::2e30:33ff:fe3a:95c dev wlan1 table local  metric 0 
ff00::/8 dev eth0 table local  metric 256 
ff00::/8 dev br-lan table local  metric 256 
ff00::/8 dev eth0.2 table local  metric 256 
ff00::/8 dev wlan1 table local  metric 256 
ff00::/8 dev wlan0 table local  metric 256 
0:	from all lookup local 
32766:	from all lookup main 
4200000000:	from REDACTED iif br-lan lookup unspec unreachable
4200000001:	from all iif lo lookup unspec 12
4200000005:	from all iif br-lan lookup unspec 12
4200000008:	from all iif wlan1 lookup unspec 12
4200000008:	from all iif wlan1 lookup unspec 12

Remove these from lan interface.

Use ifname @wwan

Finally I think there is a typo in the documentation, the interface in dhcp wan section should be wwan6.

Ok it seems to work with @wwan as the interface, thanks! For your comment regarding the possible typo, I'm not sure what you referred to, and since it seems to be working I guess I'll leave it like this.

config dhcp wan6

Ok, yeah I tried and it works just as well. Thanks!

