Setup
I built an x86 OpenWrt router with two LANs (lan_vault, lan_guest) and six WANs (wan_a to wan_f, plus wan_a_6 to wan_f_6 for IPv6).
Each of the six wan_*_6 interfaces is assigned a public IPv6 address with a /60 prefix by the ISP, so I distribute a /64 to each of my two LANs. RA is in server mode. MWAN3 is not installed.
Problem
- Clients in LAN have no IPv6 Internet access
Troubleshooting
- ping6 test result
╔════════════════════╦════════╦═════════════╦══════════════════╗
║ source ║ router ║ host in LAN ║ host on Internet ║
║ dest ║ ║ ║ ║
╠════════════════════╬════════╬═════════════╬══════════════════╣
║ router ║ ║ Y ║ Y ║
╠════════════════════╬════════╬═════════════╬══════════════════╣
║ other hosts in LAN ║ Y ║ Y ║ N ║
╠════════════════════╬════════╬═════════════╬══════════════════╣
║ host on Internet ║ Y ║ N ║ ║
╚════════════════════╩════════╩═════════════╩══════════════════╝
OpenWrt config
/etc/config/network
# Loopback interface (127.0.0.1/8), followed by a 'globals' section that carries no options.
# NOTE(review): with 'globals' empty, no ULA prefix (ula_prefix) is configured in this file.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
# The two internal networks, each a bridge over one VLAN of eth0:
#   lan_vault -> eth0.10, 10.0.0.1/24
#   lan_guest -> eth0.20, 172.16.1.1/24
# ip6assign '64' asks for a /64 out of the delegated prefixes for each LAN.
# ip6hint picks the preferred sub-prefix ID (0 for lan_vault, 1 for lan_guest).
# ip6ifaceid '::1' fixes the router's own interface identifier inside that /64.
# NOTE(review): with six upstream delegations each LAN may receive a /64 from more than one prefix;
# a LAN host's source address then has to leave through the uplink that delegated it. Confirm against
# the router's IPv6 routing table before loosening any firewall rule.
config interface 'lan_vault'
option type 'bridge'
option ifname 'eth0.10'
option proto 'static'
option ipaddr '10.0.0.1'
option netmask '255.255.255.0'
option ip6assign '64'
option macaddr '52:54:00:40:6F:BE'
option ip6hint '0'
option ip6ifaceid '::1'
config interface 'lan_guest'
option type 'bridge'
option ifname 'eth0.20'
option proto 'static'
option ipaddr '172.16.1.1'
option netmask '255.255.255.0'
option ip6assign '64'
option macaddr '52:54:00:40:6F:BF'
option ip6hint '1'
option ip6ifaceid '::1'
# Six PPPoE uplinks, one per VLAN on eth4 (eth4.100 to eth4.150), each with its own MAC address.
# The metric values 100 to 150 rank the uplinks, wan_a having the lowest metric.
# username/password appear as '***': the credentials are redacted in this listing.
# ipv6 '1' enables IPv6 negotiation on the PPP link; the DHCPv6 client for each uplink is defined
# separately in the matching wan_*_6 section.
config interface 'wan_a'
option ifname 'eth4.100'
option proto 'pppoe'
option password '***'
option username '***'
option metric '100'
option macaddr '52:54:00:4E:7D:78'
option ipv6 '1'
config interface 'wan_b'
option ifname 'eth4.110'
option proto 'pppoe'
option password '***'
option username '***'
option metric '110'
option macaddr '52:54:00:4E:7D:79'
option ipv6 '1'
config interface 'wan_c'
option ifname 'eth4.120'
option proto 'pppoe'
option password '***'
option username '***'
option metric '120'
option macaddr '52:54:00:4E:7D:7A'
option ipv6 '1'
config interface 'wan_d'
option ifname 'eth4.130'
option proto 'pppoe'
option password '***'
option username '***'
option metric '130'
option macaddr '52:54:00:4E:7D:7B'
option ipv6 '1'
config interface 'wan_e'
option ifname 'eth4.140'
option proto 'pppoe'
option password '***'
option username '***'
option metric '140'
option macaddr '52:54:00:4E:7D:7C'
option ipv6 '1'
config interface 'wan_f'
option ifname 'eth4.150'
option proto 'pppoe'
option username '***'
option password '***'
option metric '150'
option macaddr '52:54:00:4E:7D:7D'
option ipv6 '1'
# Six DHCPv6 client interfaces, each layered on one PPPoE uplink through the '@wan_x' alias notation.
# reqaddress 'try' requests an address but does not require one; reqprefix 'auto' leaves the
# delegated prefix length to the server.
# Unlike the PPPoE sections, none of these sets a 'metric' option.
# NOTE(review): how the six IPv6 default routes are prioritised is therefore not visible from this
# file; confirm against the routing table on the router.
config interface 'wan_a_6'
option proto 'dhcpv6'
option ifname '@wan_a'
option reqaddress 'try'
option reqprefix 'auto'
config interface 'wan_b_6'
option proto 'dhcpv6'
option ifname '@wan_b'
option reqaddress 'try'
option reqprefix 'auto'
config interface 'wan_c_6'
option proto 'dhcpv6'
option ifname '@wan_c'
option reqaddress 'try'
option reqprefix 'auto'
config interface 'wan_d_6'
option proto 'dhcpv6'
option ifname '@wan_d'
option reqaddress 'try'
option reqprefix 'auto'
config interface 'wan_e_6'
option proto 'dhcpv6'
option ifname '@wan_e'
option reqaddress 'try'
option reqprefix 'auto'
config interface 'wan_f_6'
option proto 'dhcpv6'
option ifname '@wan_f'
option reqaddress 'try'
option reqprefix 'auto'
/etc/config/firewall
# Global policy: SYN-flood protection on, input and output ACCEPT, forward REJECT.
# NOTE(review): the default input policy is ACCEPT, so an interface that is not attached to any
# zone below would presumably be accepted on input; REJECT or DROP is the tighter default. Verify
# that every interface belongs to a zone.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# Guest LAN zone: input, output and intra-zone forwarding all accepted.
config zone
option name 'lan_guest'
list network 'lan_guest'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# Vault LAN zone: same policies as the guest zone.
config zone
option name 'lan_vault'
list network 'lan_vault'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# Single wan zone holding all six PPPoE uplinks and their six DHCPv6 interfaces.
# Inbound and forwarded traffic is rejected unless a rule further down accepts it.
# masq '1' turns on masquerading for traffic leaving this zone; mtu_fix '1' turns on MSS clamping.
# NOTE(review): on fw3, masq applies to IPv4 only, so IPv6 from the LANs is routed rather than
# translated; confirm for the firewall version in use.
config zone
option name 'wan'
list network 'wan_a'
list network 'wan_b'
list network 'wan_c'
list network 'wan_d'
list network 'wan_e'
list network 'wan_f'
list network 'wan_a_6'
list network 'wan_b_6'
list network 'wan_c_6'
list network 'wan_d_6'
list network 'wan_e_6'
list network 'wan_f_6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# Inter-zone forwarding: lan_guest -> wan, lan_vault -> wan, lan_vault -> lan_guest.
# No forwarding section exists from lan_guest to lan_vault or from wan to either LAN, so those
# directions fall under the forward REJECT policies unless an explicit rule accepts them.
config forwarding
option src 'lan_guest'
option dest 'wan'
config forwarding
option src 'lan_vault'
option dest 'wan'
config forwarding
option src 'lan_vault'
option dest 'lan_guest'
# Forward rule: accepts every IPv6 protocol arriving from the wan zone and destined for lan_guest.
# NOTE(review): this admits unsolicited inbound IPv6 from all six uplinks to every host on
# lan_guest, which removes stateful filtering for that zone. Replies to connections opened from
# the LAN are normally admitted by connection tracking, so outbound IPv6 access should not depend
# on this rule. Narrow it with dest_ip / dest_port to the services that must be reachable, or
# remove it once troubleshooting is finished.
# There is no equivalent rule for lan_vault.
config rule
option src 'wan'
option name 'Allow IPv6'
option family 'ipv6'
option target 'ACCEPT'
option dest 'lan_guest'
list proto 'all'
# Input rule: IPv4 UDP to port 68 from wan (DHCP renewals addressed to the router).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# Input rule: IPv4 ICMP echo-request from wan; no rate limit is set on this rule.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
# Input rule: IPv4 IGMP from wan.
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
# Input rule: DHCPv6 replies (UDP to port 546) when both source and destination are in fc00::/6.
# fc00::/6 spans fc00:: through ffff:..., which includes link-local fe80::/10.
# NOTE(review): a DHCPv6 server answering from a global unicast source address would not match
# this rule; confirm which source address the ISP's server uses.
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# Input rule: MLD messages (ICMPv6 types 130, 131, 132 and 143) from link-local sources.
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# Input rule: ICMPv6 addressed to the router itself, limited to 1000 packets per second.
# Covers echo, error messages and the router/neighbour solicitation and advertisement types.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Forward rule: ICMPv6 echo and error messages from wan to any zone (dest '*'), limited to
# 1000 packets per second. Because echo-request is listed, hosts in both LANs can be pinged
# from the wan side.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Forward rule: ESP from wan to any host in lan_guest. No 'family' option is set.
# NOTE(review): without a family restriction the rule presumably applies to IPv4 and IPv6 alike;
# if no IPsec endpoint lives on lan_guest, this rule and the ISAKMP rule below can be removed.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option proto 'esp'
option target 'ACCEPT'
option dest 'lan_guest'
# Forward rule: UDP to port 500 (ISAKMP) from wan to any host in lan_guest. No 'family' option is set.
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option dest 'lan_guest'
# Loads custom firewall commands from /etc/firewall.user.
# NOTE(review): the contents of that file are not shown here; any rules it adds apply on top of
# the sections above and should be checked when diagnosing forwarding problems.
config include
option path '/etc/firewall.user'