Hello!
I have OpenWrt 19.07.2 running on a TP-Link Archer C7 v4. All works well, except that it doesn't seem to route IPv6 traffic from LAN to WAN. So,
- the router can ping6 and connect to TCP ports of servers on the WAN with no problem
- machines in the LAN can ping and connect to each other
- but these machines in the LAN cannot access the internet through IPv6, only IPv4.
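This is what happens (ICMPv6 Destination Unreachable code 5 is defined in RFC 4443 as "source address failed ingress/egress policy"; ping6 here just prints it as "Unknown code 5"):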
$ ping6 google.com
PING google.com(2800:3f0:4001:81a::200e (2800:3f0:4001:81a::200e)) 56 data bytes
From shams.lan (fd2e:e429:4ba5::1) icmp_seq=1 Destination unreachable: Unknown code 5
From shams.lan (fd2e:e429:4ba5::1) icmp_seq=2 Destination unreachable: Unknown code 5
From shams.lan (fd2e:e429:4ba5::1) icmp_seq=3 Destination unreachable: Unknown code 5
# ip -6 addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fd2e:e429:4ba5:0:22cf:30ff:fe68:e943/64 scope global dynamic mngtmpaddr
valid_lft forever preferred_lft forever
inet6 fe80::22cf:30ff:fe68:e943/64 scope link
valid_lft forever preferred_lft forever
The route on the client machine is this:
# ip -6 route
::1 dev lo proto kernel metric 256 pref medium
fd2e:e429:4ba5::/64 dev enp1s0 proto kernel metric 256 pref medium
fe80::/64 dev enp1s0 proto kernel metric 256 pref medium
default via fe80::b24e:26ff:fe4f:54ad dev enp1s0 proto ra metric 1024 expires 1673sec hoplimit 64 pref medium
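The setup is quite simple -- an OpenWrt router gets an IPv6 address from the ISP via DHCP, and I have manually run dhcp -6 enp1s0
on the client, and it did get an IPv6 address after that, so I suppose IP assignment is fine (although the only global-scope address shown above on enp1s0 is from the ULA prefix fd2e:e429:4ba5::/48, not from the ISP's 2804:14c:46:83f1::/64).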
On the router, I have
# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
link/ether b0:4e:26:4f:54:ad brd ff:ff:ff:ff:ff:ff
inet6 fe80::b24e:26ff:fe4f:54ad/64 scope link
valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether b0:4e:26:4f:54:ad brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
inet6 fd2e:e429:4ba5::1/60 scope global
valid_lft forever preferred_lft forever
inet6 fe80::b24e:26ff:fe4f:54ad/64 scope link
valid_lft forever preferred_lft forever
7: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
link/ether b0:4e:26:4f:54:ad brd ff:ff:ff:ff:ff:ff
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether b0:4e:26:4f:54:ae brd ff:ff:ff:ff:ff:ff
inet 192.168.0.2/24 brd 192.168.0.255 scope global eth0.2
valid_lft forever preferred_lft forever
inet6 2804:14c:46:83f1:b24e:26ff:fe4f:54ae/64 scope global dynamic
valid_lft 3599sec preferred_lft 3599sec
inet6 2804:14c:46:83f1:941e:e849:aba1:2cd0/128 scope global dynamic
valid_lft 3192sec preferred_lft 3192sec
inet6 fe80::b24e:26ff:fe4f:54ae/64 scope link
valid_lft forever preferred_lft forever
9: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
link/ether b0:4e:26:4f:54:ad brd ff:ff:ff:ff:ff:ff
inet6 fe80::b24e:26ff:fe4f:54ad/64 scope link
valid_lft forever preferred_lft forever
10: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
link/ether b0:4e:26:4f:54:ac brd ff:ff:ff:ff:ff:ff
inet6 fe80::b24e:26ff:fe4f:54ac/64 scope link
valid_lft forever preferred_lft forever
and the route on the router is this:
# ip -6 route
default from 2804:14c:46:83f1:941e:e849:aba1:2cd0 via fe80::5ee3:eff:fe17:ec86 dev eth0.2 metric 512
default from 2804:14c:46:83f1::/64 via fe80::5ee3:eff:fe17:ec86 dev eth0.2 metric 512
2804:14c:46:83f1::/64 dev eth0.2 metric 256
fd2e:e429:4ba5::/64 dev br-lan metric 1024
unreachable fd2e:e429:4ba5::/48 dev lo metric 2147483647 error -148
fe80::/64 dev eth0 metric 256
fe80::/64 dev eth0.2 metric 256
fe80::/64 dev br-lan metric 256
fe80::/64 dev wlan1 metric 256
fe80::/64 dev wlan0 metric 256
anycast 2804:14c:46:83f1:: dev eth0.2 metric 0
anycast fd2e:e429:4ba5:: dev br-lan metric 0
anycast fe80:: dev eth0 metric 0
anycast fe80:: dev eth0.2 metric 0
anycast fe80:: dev br-lan metric 0
anycast fe80:: dev wlan1 metric 0
anycast fe80:: dev wlan0 metric 0
ff00::/8 dev eth0 metric 256
ff00::/8 dev br-lan metric 256
ff00::/8 dev eth0.2 metric 256
ff00::/8 dev wlan1 metric 256
ff00::/8 dev wlan0 metric 256
I don't see what can be wrong. I've tried a lot of things, read some posts and wiki pages, but it seems that the usual problem is the opposite (clients can use IPv6, and the router cannot). In my case, the router can, and clients can't.
These are the network settings:
# uci export network
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd2e:e429:4ba5::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config device 'wan_eth0_2_dev'
option name 'eth0.2'
option macaddr 'b0:4e:26:4f:54:ae'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix '56'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'
And the firewall:
# uci export firewall
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
And /etc/firewall.user
is empty.
What else could I try in order to diagnose this? I'd be really grateful!