Router has IPv6 but devices can't connect to IPv6 addresses

Router model: Netgear Nighthawk X4S R7800
Firmware version: OpenWrt 23.05.2 r23630-842932a63d / LuCI openwrt-23.05 branch git-23.306.39416-c86c256

IPv4 works perfectly. However, none of my connected devices can connect to IPv6 sites, and when I use a site such as test-ipv6.com, it fails to detect an IPv6 address.

However, the router seems to have an IPv6 address (see screenshot). I'm inexperienced with IPv6 so maybe I'm incorrect but it appears that my ISP is supplying IPv6, so I'm wondering if maybe the issue is related to my Firewall Traffic Rules in OpenWRT? Any help is much appreciated.


1 Like

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

You get single ip6 address, you can redistribute it via nat66 or better find an option to get at least /96 in your providers documents.

From the screenshot I can see, that you get only a /64 prefix delegation. This would need to be relayed to your lan.

Try to set the "Request IPv6-prefix of length" in you wan6 interface to 60 ot 56 as @brada4 suggested.

This, I had to do the same before my ISP (Comcast in case that matters) gave me more than a /64 like you seem to be getting currently. I've configured mine to ask for /56, "only" getting /60, but that works.

In addition to all that make sure that lan and/or guest_interface (if applicable) are configured for delegation of a /64 out of that /60 prefix, e.g.:

Set the IPv6 preference according to the "importance" of each of your internal networks re: IPv6.

Then under DHCP settings for each of the internal networks:

and

1 Like

I followed the above advice: I changed the requested wan6 ipv6 prefix length to 60, and changed the lan ipv6 assignment length to 64 and ipv6 preference to 4. I saved and applied the changes, and rebooted the router. Unfortunately, my connected devices still are failing the test at test-ipv6.com, it seems they aren't able to connect via ipv6.

Any suggestion? Thanks in advance. Requested output below:

root@OpenWrt:~# ubus call system board

{
        "kernel": "5.15.137",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 0 (v7l)",
        "model": "Netgear Nighthawk X4S R7800",
        "board_name": "netgear,r7800",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "ipq806x/generic",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option ip6weight '4'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        list dns_search '<my-tailnet-name>.ts.net'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix '60'
        option peerdns '0'
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 6t'
        option vid '1'
        option description 'default-vlan'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 5'
        option vid '2'
        option description 'wan-vlan'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '1 6t'
        option vid '3'
        option description 'guest-vlan'

config device
        option type 'bridge'
        option name 'br-guest'
        list ports 'eth1.3'

config interface 'guest_interface'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'my main wifi'
        option encryption 'psk2'
        option key '<redacted>'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option disabled '1'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid 'my guest wifi'
        option encryption 'psk2'
        option key '<redacted>'
        option network 'guest_interface'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest_interface'
        option interface 'guest_interface'
        option start '100'
        option limit '150'
        option leasetime '12h'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan_zone'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan_zone'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan_zone'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan_zone'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'guest_zone'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest_interface'

config forwarding
        option src 'guest_zone'
        option dest 'wan'

config rule
        option name 'Guest DHCP'
        list proto 'udp'
        option src 'guest_zone'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'Guest DNS'
        option src 'guest_zone'
        option dest_port '53'
        option target 'ACCEPT'

Does your lan interface gets a IPv6 assignment and does your clients get an IPv6 addresse and gateway?

Test from the router:

ping 2606:4700:4700::1111
ping -I {prefix address} 2606:4700:4700::1111

where {prefix address} is any address from the delegated prefix range, like 2601:cc:0:xxx::1234

Please avoid using pictures. If you want to show the current state of the interface, post the output of ifstatus {interface name} as formatted text.

1 Like

Is this happening to devices on the guest network? Looking at your firewall config, you're rejecting INPUT there at the zone level. The DHCP rules only cover IPv4. Try ACCEPTing input in guest.

If you need to restrict devices on guest from connecting to services on the router itself, try something like this as a rule to block them explicitly:

config rule
	option name 'no mgmt from guest'
	list proto 'tcp'
	option src 'guest_zone'
	option target 'REJECT'

Also, edit: You don't seem to have DHCPv6 enabled in guest at all. Again, if that's what you intended.

OK, I missed that you specifically tried this with lan, not guest.

The only thing that sticks out at me is that you have

option ra_slaac '1'

whereas I don't, and devices on my lan interface do get IPv6 from the delegated prefix.

This despite:

I guess it's the default so it doesn't matter? Sorry I don't have anything else atm...

When I try pinging Cloudflare's DNS server from the router (2606:4700:4700::1111), it times out.

This also fails:
root@OpenWrt:~# ping -I 2601:cc:0:6da0::1234 2606:4700:4700::1111

PING 2606:4700:4700::1111 (2606:4700:4700::1111) from 2601:cc:0:6da0::1234: 56 data bytes
ping: bind: Address not available

Does your lan interface gets a IPv6 assignment and does your clients get an IPv6 addresse and gateway?

I'm not sure, how can I determine this?

Please avoid using pictures. If you want to show the current state of the interface, post the output of ifstatus {interface name} as formatted text.

Sorry about that. Here is the output of ifstatus wan6:

{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 159216,
	"l3_device": "eth0.2",
	"proto": "dhcpv6",
	"device": "eth0.2",
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		
	],
	"ipv6-address": [
		{
			"address": "2001:558:xxxx:yy:zzzz:aaaa:bbbb:9bde",
			"mask": 128,
			"preferred": 178745,
			"valid": 178745
		}
	],
	"ipv6-prefix": [
		{
			"address": "2601:cc:0:6da0::",
			"mask": 60,
			"preferred": 178745,
			"valid": 178745,
			"class": "wan6",
			"assigned": {
				"lan": {
					"address": "2601:cc:0:6da0::",
					"mask": 64
				}
			}
		}
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::201:5cff:fe72:8e46",
			"metric": 512,
			"valid": 1796,
			"source": "2601:cc:0:6da0::/60"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::201:5cff:fe72:8e46",
			"metric": 512,
			"valid": 1796,
			"source": "2001:558:xxxx:yy:zzzz:aaaa:bbbb:9bde/128"
		}
	],
	"dns-server": [
		"2606:4700:4700::1111",
		"2606:4700:4700::1001"
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			"2001:558:feed::1",
			"2001:558:feed::2"
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		"passthru": "0017002020010558feed0000000000000000000120010558feed00000000000000000002"
	}
}

Ups, you probably need to use your router LAN IP as a source.
Run ifstatus lan as well.

root@OpenWrt:~# ifstatus lan

{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 161195,
	"l3_device": "br-lan",
	"proto": "static",
	"device": "br-lan",
	"updated": [
		"addresses"
	],
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ip6weight": 4,
	"ipv4-address": [
		{
			"address": "192.168.1.1",
			"mask": 24
		}
	],
	"ipv6-address": [
		
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		{
			"address": "2601:cc:0:6da0::",
			"mask": 64,
			"preferred": 176774,
			"valid": 176774,
			"local-address": {
				"address": "2601:cc:0:6da0::1",
				"mask": 64
			}
		}
	],

So I tried this, but it also times out:
root@OpenWrt:~# ping -I 2601:cc:0:6da0::1 2606:4700:4700::1111

PING 2606:4700:4700::1111 (2606:4700:4700::1111) from 2601:cc:0:6da0::1: 56 data bytes

@AndrewZ , just wanted to bump this and ask if you have any suggestions based on the above ping timing out? Thank you.

I have a feeling that something is wrong with the address and/or prefix allocation somewhere upstream.
If you have a cable modem, switch it off completely for ~30 min, afterwards reboot your router and re-test everything.

1 Like

I unplugged my cable modem and router for 30 min, then plugged them back in. Once everything booted up, I ssh'd into the router and tried this command again:

root@OpenWrt:~# ping -I 2601:cc:0:6da0::1 2606:4700:4700::1111
PING 2606:4700:4700::1111 (2606:4700:4700::1111) from 2601:cc:0:6da0::1: 56 data bytes

But it's still timing out. I'm not sure what to try next.

I checked the output of ifstatus wan6 and nothing has changed from the above values.

Do you still have the same address 2601:cc:0:6da0::1 on your router LAN port?

Apologies for the late response, for some reason I missed your reply.

It shows this:

root@OpenWrt:~# ifstatus lan

        "ipv6-prefix-assignment": [
                {
                        "address": "2601:cc:0:6da0::",
                        "mask": 64,
                        "preferred": 3714,
                        "valid": 3714,
                        "local-address": {
                                "address": "2601:cc:0:6da0::1",
                                "mask": 64
                        }
                }
        ],

So I think the answer to your question is yes, it appears the address is the same: 2601:cc:0:6da0::1

What is this setting?

The first reference I located in the Forums is from circa 2020, but nobody seems to know what it's for.

It looks like ip6weight is IPv6 Preference which is found under Interfaces -> lan -> Advanced Settings.

1 Like