Routing(?) error using IPv6

I recently bought an OpenWRT One and decided to give IPv6 a go. The device came with OpenWRT 24 preinstalled. I have a hunch that I got hit by this issue (filed for 22.03), but not completely sure yet.

My ISP delegates me a /56 subnet, currently 2001:c4c4:1f20:ec00::/56. The ISP’s own router has a WAN address from a different subnet, right now it’s 2001:c4c4:202:3c:80c7:c1d3:3805:39c7. Its LAN address is 2001:c4c4:1f20:ec00:8601:12ff:fe25:90b (which is, obviously, from within the delegated range).

My OpenWRT router has two addresses on its wan6 interface: 2001:c4c4:1f20:ec00::1000/128 and 2001:c4c4:1f20:ec00:2205:b7ff:fe00:840/64. It got the delegated prefix 2001:c4c4:1f20:ece0::/60 from the ISP router, which still seems fine. The lan interface got the address 2001:c4c4:1f20:ece0::1/64. The link-local address of the br-lan device is fe80::2205:b7ff:fe00:841/64.

My desktop computer also got two addresses: 2001:c4c4:1f20:ece0::2/128 and 2001:c4c4:1f20:ece0:7df7:7113:1e54:9ba0/64. It also has a link-local address, fe80::e854:b05:3a1b:e193/64.

The routing table on my desktop now looks like this:

2001:c4c4:1f20:ece0::2 dev enp8s0 proto kernel metric 100 pref medium
2001:c4c4:1f20:ece0::/64 dev enp8s0 proto ra metric 100 pref medium
2001:c4c4:1f20:ece0::/60 via fe80::2205:b7ff:fe00:841 dev enp8s0 proto ra metric 100 pref medium
f0d0:bb28:1fba::/64 dev wg0 proto kernel metric 256 pref medium
fc00::/8 dev cjdns proto kernel metric 256 pref medium
fe80::/64 dev cjdns proto kernel metric 256 pref medium
fe80::/64 dev enp8s0 proto kernel metric 1024 pref medium
default via fe80::2205:b7ff:fe00:841 dev enp8s0 proto ra metric 100 pref medium

I went through the IPv6 troubleshooting page and set everything accordingly (double checked, but feel free to doubt and tell me to check again). I did turn off ULA assignments but tested with it both turned on and off; neither helps.

From the router I can do whatever IPv6 traffic I want: I can ping my VPS, fetch pages from there using curl/wget, and whatnot. However, any IPv6 traffic I initiate from my desktop fails.

From my machine I can successfully ping (or connect to)

  • the machine’s own addresses (duh)
  • OpenWRT’s LAN addresses (including the link local address)

And that’s it. OpenWRT’s WAN addresses, my ISP router, and my VPS are unreachable.

When I dump ICMPv6 traffic on the OpenWRT, I get this strangeness:

23:28:49.277043 24:4b:fe:54:dd:53 > 20:05:b7:00:08:41, ethertype IPv6 (0x86dd), length 118: 2001:c4c4:1f20:ece0::2 > 2001:c4c4:1f20:ec00:2205:b7ff:fe00:840: ICMP6, echo request, id 6, seq 3, length 64
23:28:49.277526 20:05:b7:00:08:41 > 24:4b:fe:54:dd:53, ethertype IPv6 (0x86dd), length 118: 2001:c4c4:1f20:ec00:8601:12ff:fe25:90b > 2001:c4c4:1f20:ece0::2: ICMP6, destination unreachable, unknown unreach code (5)

Is there anything else besides the stuff on the troubleshooting page I could try? I need IPv6 for my work, so right now I’m stuck with my ISP router (which is crap when it comes to WiFi, so I have to ditch as much functionality as possible from it) and, even worse, my brand new OpenWRT One is just sitting there collecting dust.

1 Like

Please post a pcap; no normal system generates error codes without them being from a known error code set. Unknown would be silence, nothing returned.

I think this is only unknown for tcpdump.

According to IANA, unreach code 5 means “source address failed ingress/egress policy”, which is defined in RFC4443:

If the reason for the failure to deliver is that the packet with this source address is not allowed due to ingress or egress filtering policies, the Code field is set to 5.

What does the routing table of the OpenWRT router show?

ip -6 route show

The wan should only be holding the single IP assigned by the ISP, which is outside the prefix. Don't have an ip6assign option on wan. Since your ISP appears to be following recommended practices of v6 assignment, the OpenWrt default configuration should work.

Although, it looks like your modem or something else upstream rejected a source IP which is inside your /56, which should not happen.

1 Like
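The reasoning in the replies above (code 5 is a defined RFC 4443 code, and the rejected source lies inside the delegated /56) can be checked mechanically. This is an added example, not code from any poster or from OpenWrt; the prefixes, addresses and the two tcpdump lines are copied from the thread, while the function and variable names are made up for illustration.

```python
import ipaddress
import re

# ICMPv6 Destination Unreachable (type 1) codes from RFC 4443, section 3.1.
UNREACH_CODES = {
    0: "no route to destination",
    1: "communication with destination administratively prohibited",
    2: "beyond scope of source address",
    3: "address unreachable",
    4: "port unreachable",
    5: "source address failed ingress/egress policy",
    6: "reject route to destination",
}

# Prefixes and addresses as quoted in the thread.
ISP_PREFIX = ipaddress.ip_network("2001:c4c4:1f20:ec00::/56")
OPENWRT_PD = ipaddress.ip_network("2001:c4c4:1f20:ece0::/60")
ROLES = {
    "2001:c4c4:1f20:ec00:8601:12ff:fe25:90b": "ISP router LAN address",
    "2001:c4c4:1f20:ec00:2205:b7ff:fe00:840": "OpenWrt wan6 address",
    "2001:c4c4:1f20:ece0::2": "desktop",
}

# The two tcpdump lines from the original post.
CAPTURE = """\
23:28:49.277043 24:4b:fe:54:dd:53 > 20:05:b7:00:08:41, ethertype IPv6 (0x86dd), length 118: 2001:c4c4:1f20:ece0::2 > 2001:c4c4:1f20:ec00:2205:b7ff:fe00:840: ICMP6, echo request, id 6, seq 3, length 64
23:28:49.277526 20:05:b7:00:08:41 > 24:4b:fe:54:dd:53, ethertype IPv6 (0x86dd), length 118: 2001:c4c4:1f20:ec00:8601:12ff:fe25:90b > 2001:c4c4:1f20:ece0::2: ICMP6, destination unreachable, unknown unreach code (5)
"""

# Matches only unreachable lines where tcpdump printed the numeric code.
ERROR_RE = re.compile(r"(\S+) > (\S+): ICMP6, destination unreachable, .*code \((\d+)\)")

def explain_unreachables(capture):
    """Return one finding per ICMPv6 unreachable line that carries a numeric code."""
    findings = []
    for line in capture.splitlines():
        m = ERROR_RE.search(line)
        if not m:
            continue
        sender, target, code = m.group(1), m.group(2), int(m.group(3))
        addr = ipaddress.ip_address(target)  # the error is sent back to the original source
        findings.append({
            "sent_by": ROLES.get(sender, sender),
            "rejected_source": ROLES.get(target, target),
            "code": code,
            "meaning": UNREACH_CODES.get(code, "not defined in RFC 4443"),
            "in_isp_prefix": addr in ISP_PREFIX,
            "in_openwrt_pd": addr in OPENWRT_PD,
        })
    return findings
```
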

ip -6 route show is a hefty one:

2001:c4c4:1f20:ece0::2 dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:881:cf:31ff:500f dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:1aa3:f4d3:9972:fd4b dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:2131:b494:d71e:2a5c dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:2468:4495:e7b5:801a dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:28e8:afc0:17c7:560e dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:59b0:6f4e:5a1f:4be3 dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:6807:50e7:ccc7:e60b dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:70d6:f0dd:85ac:e309 dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:7406:3f8f:7cbb:5e11 dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:7430:b4ff:fe19:e8ef dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:76f7:dc71:c039:44 dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:7df7:7113:1e54:9ba0 dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:8032:c653:af0:c80 dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:83df:bbac:30ae:9c9d dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:87a8:e94c:3c0a:2450 dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:8fd4:a7dc:eb7b:2d1b dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:924e:612a:c3e3:d53d dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:9467:2ed7:c488:94e4 dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:95f2:82ea:a482:65bc dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:98d0:34ff:fe1e:fed4 dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:9f3f:6d51:a82b:1e29 dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:a039:443f:1609:e50c dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:a899:c5af:7af3:3bbb dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:a8bb:d0a9:32e1:cf15 dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:aef9:12a1:882c:a0ab dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:afe4:4f23:28a8:5fd3 dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:b467:84cb:a8a0:4528 dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:b513:70e6:bc1c:7f9 dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:c252:13ab:5f65:c775 dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:c928:40f:346c:1506 dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:d0ca:c605:c54e:73cf dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:d367:6793:3b5c:6636 dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:d8af:c208:ac24:4c2c dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:e13f:fb6d:fa51:3097 dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:f0d1:f9fe:cebd:50e2 dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:f0db:b0cc:3b64:4e98 dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:f323:718a:9d98:85d3 dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:f700:63a5:c153:ea69 dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:f9cf:f9d2:7250:f259 dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:fb65:c992:6261:3453 dev br-lan  metric 1024 
2001:c4c4:1f20:ece0:fca0:397d:47f0:4e6c dev br-lan  metric 1024 
2001:c4c4:1f20:ece0::/64 dev br-lan  metric 256  expires 0sec
2001:c4c4:1f20:ecf0::2 dev br-lan  metric 1024 
2001:c4c4:1f20:ecf0:28e8:afc0:17c7:560e dev br-lan  metric 1024 
2001:c4c4:1f20:ecf0:8fc1:40ab:7d04:bd37 dev br-lan  metric 1024 
2001:c4c4:1f20:ecf0::/64 dev br-lan  metric 1024 
unreachable 2001:c4c4:1f20:ecf0::/60 dev lo  metric 2147483647 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev eth0  metric 256 
anycast 2001:c4c4:1f20:ec00:: dev eth0  metric 0 
anycast 2001:c4c4:1f20:ece0:: dev br-lan  metric 0 
anycast 2001:c4c4:1f20:ecf0:: dev br-lan  metric 0 
anycast fe80:: dev br-lan  metric 0 
anycast fe80:: dev eth0  metric 0 
multicast ff00::/8 dev br-lan  metric 256 
multicast ff00::/8 dev eth0  metric 256 

A /128 route to each endpoint looks like relay mode. You should not be using relay mode. Again I suggest starting with default configuration and troubleshoot from there if needed.

1 Like

The only thing that is in relay mode is the NDP proxy. However, disabling it doesn’t solve the problem. Everything else is set according to the troubleshooting page (linked in OP), which almost everywhere was the same as the defaults.

I just realised that I forgot to paste my network config:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '64'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

I have exactly the same problem with my x86/64 system running OpenWrt 24.10.0.

Since all “unreachable” packets originate from the ISP router, Iʼm beginning to think the problem is there. I wrote to their helpdesk, letʼs hope they answer soon.

The /128 prefix is quite suspicious. It should be /64.

It is the DHCPv6 address; looks fine to me.