Router can use ipv6 ok, but clients in lan cannot

Hello!
I have OpenWRT 19.07.2 running on a TP-Link Archer C7 v4. All works well, except that it doesn't seem to route ipv6 traffic from lan to wan. So,

  • the router can ping6 and connect to TCP ports of servers on the WAN with no problem
  • machines in the LAN can ping and connect to each other
  • but these machines in the LAN cannot access the internet through ipv6, only ipv4.

This is what happens:

$ ping6 google.com
PING google.com(2800:3f0:4001:81a::200e (2800:3f0:4001:81a::200e)) 56 data bytes
From shams.lan (fd2e:e429:4ba5::1) icmp_seq=1 Destination unreachable: Unknown code 5
From shams.lan (fd2e:e429:4ba5::1) icmp_seq=2 Destination unreachable: Unknown code 5
From shams.lan (fd2e:e429:4ba5::1) icmp_seq=3 Destination unreachable: Unknown code 5

# ip -6 addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd2e:e429:4ba5:0:22cf:30ff:fe68:e943/64 scope global dynamic mngtmpaddr 
       valid_lft forever preferred_lft forever
    inet6 fe80::22cf:30ff:fe68:e943/64 scope link 
       valid_lft forever preferred_lft forever

The route on the client machine is this:

# ip -6 route
::1 dev lo proto kernel metric 256 pref medium
fd2e:e429:4ba5::/64 dev enp1s0 proto kernel metric 256 pref medium
fe80::/64 dev enp1s0 proto kernel metric 256 pref medium
default via fe80::b24e:26ff:fe4f:54ad dev enp1s0 proto ra metric 1024 expires 1673sec hoplimit 64 pref medium

The setup is quite simple -- an OpenWRT router gets an ipv6 from the ISP via DHCP, and I have manually run dhcp -6 enp1s0 on the client, and it did get an ipv6 after that, so I suppose IP assignment is fine.

On the router, I have

# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether b0:4e:26:4f:54:ad brd ff:ff:ff:ff:ff:ff
    inet6 fe80::b24e:26ff:fe4f:54ad/64 scope link 
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether b0:4e:26:4f:54:ad brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd2e:e429:4ba5::1/60 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::b24e:26ff:fe4f:54ad/64 scope link 
       valid_lft forever preferred_lft forever
7: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether b0:4e:26:4f:54:ad brd ff:ff:ff:ff:ff:ff
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether b0:4e:26:4f:54:ae brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.2/24 brd 192.168.0.255 scope global eth0.2
       valid_lft forever preferred_lft forever
    inet6 2804:14c:46:83f1:b24e:26ff:fe4f:54ae/64 scope global dynamic 
       valid_lft 3599sec preferred_lft 3599sec
    inet6 2804:14c:46:83f1:941e:e849:aba1:2cd0/128 scope global dynamic 
       valid_lft 3192sec preferred_lft 3192sec
    inet6 fe80::b24e:26ff:fe4f:54ae/64 scope link 
       valid_lft forever preferred_lft forever
9: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether b0:4e:26:4f:54:ad brd ff:ff:ff:ff:ff:ff
    inet6 fe80::b24e:26ff:fe4f:54ad/64 scope link 
       valid_lft forever preferred_lft forever
10: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether b0:4e:26:4f:54:ac brd ff:ff:ff:ff:ff:ff
    inet6 fe80::b24e:26ff:fe4f:54ac/64 scope link 
       valid_lft forever preferred_lft forever

and the route on the router is this:

# ip -6 route
default from 2804:14c:46:83f1:941e:e849:aba1:2cd0 via fe80::5ee3:eff:fe17:ec86 dev eth0.2  metric 512 
default from 2804:14c:46:83f1::/64 via fe80::5ee3:eff:fe17:ec86 dev eth0.2  metric 512 
2804:14c:46:83f1::/64 dev eth0.2  metric 256 
fd2e:e429:4ba5::/64 dev br-lan  metric 1024 
unreachable fd2e:e429:4ba5::/48 dev lo  metric 2147483647  error -148
fe80::/64 dev eth0  metric 256 
fe80::/64 dev eth0.2  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev wlan1  metric 256 
fe80::/64 dev wlan0  metric 256 
anycast 2804:14c:46:83f1:: dev eth0.2  metric 0 
anycast fd2e:e429:4ba5:: dev br-lan  metric 0 
anycast fe80:: dev eth0  metric 0 
anycast fe80:: dev eth0.2  metric 0 
anycast fe80:: dev br-lan  metric 0 
anycast fe80:: dev wlan1  metric 0 
anycast fe80:: dev wlan0  metric 0 
ff00::/8 dev eth0  metric 256 
ff00::/8 dev br-lan  metric 256 
ff00::/8 dev eth0.2  metric 256 
ff00::/8 dev wlan1  metric 256 
ff00::/8 dev wlan0  metric 256 

I don't see what can be wrong. I've tried a lot of things, read some posts and wiki pages, but it seems that the usual problem is the opposite (clients can use ipv6, and the router cannot). In my case, the router can, and clients can't.

These are the network settings:

# uci export network
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd2e:e429:4ba5::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr 'b0:4e:26:4f:54:ae'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix '56'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

And the firewall:

# uci export firewall
package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

And /etc/firewall.user is empty.

What else could I try in order to diagnose this? I'd be really grateful!

If you are not sure that they will delegate you a /56, don't request it specifically, leave it to auto.
From what I see, you have not been delegated a prefix, so this could be the reason.
What does ifstatus wan6 say?

Ok, so here's ifstatus wan6:

{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 38861,
	"l3_device": "eth0.2",
	"proto": "dhcpv6",
	"device": "eth0.2",
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		
	],
	"ipv6-address": [
		{
			"address": "2804:14c:46:83f1:b24e:26ff:fe4f:54ae",
			"mask": 64,
			"preferred": 3599,
			"valid": 3599
		},
		{
			"address": "2804:14c:46:83f1:941e:e849:aba1:2cd0",
			"mask": 128,
			"preferred": 2538,
			"valid": 2538
		}
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "2804:14c:46:83f1::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"valid": 3599,
			"source": "::/0"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::5ee3:eff:fe17:ec86",
			"metric": 512,
			"valid": 1799,
			"source": "2804:14c:46:83f1:b24e:26ff:fe4f:54ae/64"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::5ee3:eff:fe17:ec86",
			"metric": 512,
			"valid": 1799,
			"source": "2804:14c:46:83f1:941e:e849:aba1:2cd0/128"
		}
	],
	"dns-server": [
		"2804:14c:10:672:201:6:2:160",
		"2804:14c:11:672:201:6:2:113"
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		"passthru": "001700202804014c0010067202010006000201602804014c001106720201000600020113"
	}
}

I have also tried with option reqprefix 'auto', and the result is the same...

ipv6-prefix is empty, so there is no delegated prefix.
Are you connected directly to your provider or is there any modem/router between the Archer and your ISP?
Have you confirmed with your ISP that they delegate prefixes with DHCP6?

Are you connected directly to your provider or is there any modem/router between the Archer and your ISP?

No, there is a router. The contract forces me to use it.

Have you confirmed with your ISP that they delegate prefixes with DHCP6?

Hmm. I was afraid this would be the case. Most ISPs where I live (Brazil) don't even let you get in touch with a technician, and usually say they do not offer "support for non-standard setups". I'll try anyway.

Your upstream doesn't support DHCPv6-PD, try NDP relay.

# cat /etc/config/dhcp
config dhcp wan
    option dhcpv6 relay
    option ra relay
    option ndp relay
    option master 1
 
config dhcp lan
    option dhcpv6 relay
    option ra relay
    option ndp relay

https://openwrt.org/docs/guide-user/network/ipv6/start

try NDP relay

Thank you for answering! I tried that and it doesn't seem to work.
On a client machine, after dhclient -6 enp2s0 I have this:

# ip addr show enp2s0
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet6 fd2e:e429:4ba5::ca1/128 scope global 
       valid_lft forever preferred_lft forever
    inet6 fdb9:d60d:83b8::808/128 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::428d:5cff:feb3:4355/64 scope link 
       valid_lft forever preferred_lft forever

# ip -6 route
::1 dev lo proto kernel metric 256 pref medium
fd2e:e429:4ba5::ca1 dev enp2s0 proto kernel metric 256 pref medium
fdb9:d60d:83b8::808 dev enp2s0 proto kernel metric 256 pref medium
fe80::/64 dev enp2s0 proto kernel metric 256 pref medium
default via fe80::b24e:26ff:fe4f:54ad dev enp2s0 metric 1024 pref medium

# ping6 google.com
PING google.com(2800:3f0:4001:80f::200e (2800:3f0:4001:80f::200e)) 56 data bytes
   (no response)

I have no firewall on this client box.

Is there any other setting I'd need to change?

If you don't see an address 2804:.... on your client then you won't have access to IPv6 internet.
The fe80 are link local addresses and fd2e are your ULA (private, same as 192.168. in IPv4).
If Relay doesn't work and your provider doesn't want to help you, then you'd have to resort to NAT66.
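
Added example, not part of any post in this thread: the two checks the replies make by eye (is `ipv6-prefix` in `ifstatus wan6` empty, and does the client hold anything other than ULA or link-local addresses), written as Python over values trimmed from the outputs posted above. The function names are hypothetical, and it assumes `ipv6-prefix` entries carry the same `address`/`mask` keys as the `ipv6-address` entries shown.

```python
import ipaddress
import json

# Trimmed from the `ifstatus wan6` output posted in the thread.
IFSTATUS_WAN6 = json.loads("""
{
  "up": true,
  "proto": "dhcpv6",
  "ipv6-address": [
    {"address": "2804:14c:46:83f1:b24e:26ff:fe4f:54ae", "mask": 64},
    {"address": "2804:14c:46:83f1:941e:e849:aba1:2cd0", "mask": 128}
  ],
  "ipv6-prefix": [],
  "ipv6-prefix-assignment": []
}
""")

# Addresses the LAN client showed after `dhclient -6` (from the thread).
CLIENT_ADDRS = ["fd2e:e429:4ba5::ca1", "fdb9:d60d:83b8::808",
                "fe80::428d:5cff:feb3:4355"]

SCOPES = [  # first match wins
    ("link-local", ipaddress.ip_network("fe80::/10")),
    ("ula", ipaddress.ip_network("fc00::/7")),
    ("global", ipaddress.ip_network("2000::/3")),
]

def scope(addr):
    """Return 'link-local', 'ula', 'global' or 'other' for an IPv6 address."""
    ip = ipaddress.IPv6Address(addr)
    return next((name for name, net in SCOPES if ip in net), "other")

def delegated_prefixes(ifstatus):
    """Prefixes delegated via DHCPv6-PD, as 'addr/len' (assumed key names)."""
    return [f"{p['address']}/{p['mask']}" for p in ifstatus.get("ipv6-prefix", [])]

def diagnose(ifstatus, client_addrs):
    """Summarise why LAN clients do or do not have IPv6 internet access."""
    findings = []
    wan_global = [a["address"] for a in ifstatus.get("ipv6-address", [])
                  if scope(a["address"]) == "global"]
    if wan_global and not delegated_prefixes(ifstatus):
        findings.append("router has a global WAN address but no delegated prefix")
    if not any(scope(a) == "global" for a in client_addrs):
        findings.append("client has only ULA/link-local addresses")
    return findings

if __name__ == "__main__":
    for a in CLIENT_ADDRS:
        print(f"{a:32} {scope(a)}")
    for line in diagnose(IFSTATUS_WAN6, CLIENT_ADDRS):
        print("finding:", line)
```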

Yes, I was trying the relay config... But it did not work (and that shouldn't depend on the ISP, as far as I understand). What could I have done wrong?

I have changed the sections below in the DHCP config, and not changed the network config at all.

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'relay'
	option ra 'relay'
	option ndp 'relay'

config dhcp 'wan'
	option interface 'wan'
	option dhcpv6 'relay'
	option ra 'relay'
	option ndp 'relay'
	option master '1'