Router has IPv6 but devices can't connect to IPv6 addresses

Router model: Netgear Nighthawk X4S R7800
Firmware version: OpenWrt 23.05.2 r23630-842932a63d / LuCI openwrt-23.05 branch git-23.306.39416-c86c256

IPv4 works perfectly. However, none of my connected devices can connect to IPv6 sites, and when I use a site such as test-ipv6.com, it fails to detect an IPv6 address.

However, the router seems to have an IPv6 address (see screenshot). I'm inexperienced with IPv6 so maybe I'm incorrect but it appears that my ISP is supplying IPv6, so I'm wondering if maybe the issue is related to my Firewall Traffic Rules in OpenWRT? Any help is much appreciated.



Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

You get a single IPv6 address; you can redistribute it via NAT66 or, better, look in your provider's documentation for an option to get at least a /96.

From the screenshot I can see, that you get only a /64 prefix delegation. This would need to be relayed to your lan.

Try to set the "Request IPv6-prefix of length" in your wan6 interface to 60 or 56 as @brada4 suggested.

This, I had to do the same before my ISP (Comcast in case that matters) gave me more than a /64 like you seem to be getting currently. I've configured mine to ask for /56, "only" getting /60, but that works.

In addition to all that make sure that lan and/or guest_interface (if applicable) are configured for delegation of a /64 out of that /60 prefix, e.g.:

Set the IPv6 preference according to the "importance" of each of your internal networks re: IPv6.

Then under DHCP settings for each of the internal networks:

and


I followed the above advice: I changed the requested wan6 ipv6 prefix length to 60, and changed the lan ipv6 assignment length to 64 and ipv6 preference to 4. I saved and applied the changes, and rebooted the router. Unfortunately, my connected devices still are failing the test at test-ipv6.com, it seems they aren't able to connect via ipv6.

Any suggestion? Thanks in advance. Requested output below:

root@OpenWrt:~# ubus call system board

{
        "kernel": "5.15.137",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 0 (v7l)",
        "model": "Netgear Nighthawk X4S R7800",
        "board_name": "netgear,r7800",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "ipq806x/generic",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option ip6weight '4'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        list dns_search '<my-tailnet-name>.ts.net'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix '60'
        option peerdns '0'
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 6t'
        option vid '1'
        option description 'default-vlan'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 5'
        option vid '2'
        option description 'wan-vlan'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '1 6t'
        option vid '3'
        option description 'guest-vlan'

config device
        option type 'bridge'
        option name 'br-guest'
        list ports 'eth1.3'

config interface 'guest_interface'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'my main wifi'
        option encryption 'psk2'
        option key '<redacted>'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option disabled '1'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid 'my guest wifi'
        option encryption 'psk2'
        option key '<redacted>'
        option network 'guest_interface'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest_interface'
        option interface 'guest_interface'
        option start '100'
        option limit '150'
        option leasetime '12h'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan_zone'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan_zone'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan_zone'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan_zone'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'guest_zone'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest_interface'

config forwarding
        option src 'guest_zone'
        option dest 'wan'

config rule
        option name 'Guest DHCP'
        list proto 'udp'
        option src 'guest_zone'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'Guest DNS'
        option src 'guest_zone'
        option dest_port '53'
        option target 'ACCEPT'

Does your lan interface get an IPv6 assignment, and do your clients get an IPv6 address and gateway?

Test from the router:

ping 2606:4700:4700::1111
ping -I {prefix address} 2606:4700:4700::1111

where {prefix address} is any address from the delegated prefix range, like 2601:cc:0:xxx::1234

Please avoid using pictures. If you want to show the current state of the interface, post the output of ifstatus {interface name} as formatted text.


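Is this happening to devices on the guest network? Looking at your firewall config, you're rejecting INPUT there at the zone level. The DHCP rules only cover IPv4. Try ACCEPTing input in guest. Note that ACCEPTing input exposes every service on the router to guest clients; a narrower option is to keep REJECT and add rules that allow only ICMPv6 and DHCPv6 (UDP port 547) from guest_zone.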

If you need to restrict devices on guest from connecting to services on the router itself, try something like this as a rule to block them explicitly:

# Rejects TCP coming from guest_zone. No 'dest' option is set; the intent
# stated for this rule is to block guest access to services on the router itself.
# Only TCP is matched: UDP and ICMP from guest are not covered by this rule.
# NOTE(review): this also matches TCP port 53, which the existing 'Guest DNS'
# rule (no proto set) may be meant to allow -- confirm the rule order.
config rule
	option name 'no mgmt from guest'
	list proto 'tcp'
	option src 'guest_zone'
	option target 'REJECT'

Also, edit: You don't seem to have DHCPv6 enabled in guest at all. Again, if that's what you intended.

OK, I missed that you specifically tried this with lan, not guest.

The only thing that sticks out at me is that you have

option ra_slaac '1'

whereas I don't, and devices on my lan interface do get IPv6 from the delegated prefix.

This despite:

I guess it's the default so it doesn't matter? Sorry I don't have anything else atm...

When I try pinging Cloudflare's DNS server from the router (2606:4700:4700::1111), it times out.

This also fails:
root@OpenWrt:~# ping -I 2601:cc:0:6da0::1234 2606:4700:4700::1111

PING 2606:4700:4700::1111 (2606:4700:4700::1111) from 2601:cc:0:6da0::1234: 56 data bytes
ping: bind: Address not available

Does your lan interface get an IPv6 assignment, and do your clients get an IPv6 address and gateway?

I'm not sure, how can I determine this?

Please avoid using pictures. If you want to show the current state of the interface, post the output of ifstatus {interface name} as formatted text.

Sorry about that. Here is the output of ifstatus wan6:

{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 159216,
	"l3_device": "eth0.2",
	"proto": "dhcpv6",
	"device": "eth0.2",
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		
	],
	"ipv6-address": [
		{
			"address": "2001:558:xxxx:yy:zzzz:aaaa:bbbb:9bde",
			"mask": 128,
			"preferred": 178745,
			"valid": 178745
		}
	],
	"ipv6-prefix": [
		{
			"address": "2601:cc:0:6da0::",
			"mask": 60,
			"preferred": 178745,
			"valid": 178745,
			"class": "wan6",
			"assigned": {
				"lan": {
					"address": "2601:cc:0:6da0::",
					"mask": 64
				}
			}
		}
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::201:5cff:fe72:8e46",
			"metric": 512,
			"valid": 1796,
			"source": "2601:cc:0:6da0::/60"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::201:5cff:fe72:8e46",
			"metric": 512,
			"valid": 1796,
			"source": "2001:558:xxxx:yy:zzzz:aaaa:bbbb:9bde/128"
		}
	],
	"dns-server": [
		"2606:4700:4700::1111",
		"2606:4700:4700::1001"
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			"2001:558:feed::1",
			"2001:558:feed::2"
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		"passthru": "0017002020010558feed0000000000000000000120010558feed00000000000000000002"
	}
}

Oops, you probably need to use your router's LAN IP as the source.
Run ifstatus lan as well.

root@OpenWrt:~# ifstatus lan

{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 161195,
	"l3_device": "br-lan",
	"proto": "static",
	"device": "br-lan",
	"updated": [
		"addresses"
	],
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ip6weight": 4,
	"ipv4-address": [
		{
			"address": "192.168.1.1",
			"mask": 24
		}
	],
	"ipv6-address": [
		
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		{
			"address": "2601:cc:0:6da0::",
			"mask": 64,
			"preferred": 176774,
			"valid": 176774,
			"local-address": {
				"address": "2601:cc:0:6da0::1",
				"mask": 64
			}
		}
	],

So I tried this, but it also times out:
root@OpenWrt:~# ping -I 2601:cc:0:6da0::1 2606:4700:4700::1111

PING 2606:4700:4700::1111 (2606:4700:4700::1111) from 2601:cc:0:6da0::1: 56 data bytes