Software vlan for wan

Hello all,

I'm using OpenWrt but I see this in my log:

daemon.err odhcp6c[708]: Failed to send DHCPV6 message to ff02::1:2 (Permission denied)

I use a VLAN for getting web from my ISP on VLAN eth1.836

But in ifconfig I see this:

eth1      Link encap:Ethernet  HWaddr 00:E0:4C:F8:D9:0D  
          inet6 addr: fe80::2e0:4cff:fef8:d90d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1700  Metric:1
          RX packets:278 errors:0 dropped:0 overruns:0 frame:0
          TX packets:259 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:55165 (53.8 KiB)  TX bytes:43687 (42.6 KiB)

eth1.836  Link encap:Ethernet  HWaddr 34:27:92:39:FD:9C  
          inet6 addr: fe80::3627:92ff:xxxx:fd9c/64 Scope:Link
          inet6 addr: 2a01:e01:3:f836:7cbd::39/128 Scope:Global
          inet6 addr: 2a01:e0a:b2:xxxx:0:5ba2:c88e:0/128 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1700  Metric:1
          RX packets:188 errors:0 dropped:1 overruns:0 frame:0
          TX packets:223 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:51121 (49.9 KiB)  TX bytes:35963 (35.1 KiB)

When I use eth1.836 for pinging it is good, but when I use eth1 it is not. I don't want eth1; why does OpenWrt create this interface? This interface is not in /etc/config/network ...

It could be the firewall, although by default it is not blocking the outgoing traffic.
Verify that with uci export firewall

It works with eth1.836 because frames need to be tagged. eth1 exists anyway, and eth1.836 could not exist without eth1. In config/network you have the configuration of the logical interfaces; eth1 is a physical one.


Thanks trendy for your response :wink: I'm looking at the firewall now :wink:

I'm trying to add a rule for it, but no way :frowning:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 wan_4'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option target 'ACCEPT'
	option family 'ipv6'
	list icmp_type 'echo-request'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option family 'ipv6'
	option target 'ACCEPT'
	list src_ip 'fe80::/10'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '1196'

config zone
	option name 'lan2'
	option network 'lan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'vpn'
	option network 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

Sat Aug 22 11:49:30 2020 daemon.err odhcp6c[32734]: Failed to send DHCPV6 message to ff02::1:2 (Permission denied)
Sat Aug 22 11:49:30 2020 daemon.err odhcp6c[32734]: Failed to send RS (Permission denied)
Sat Aug 22 11:49:30 2020 daemon.err odhcp6c[31683]: Failed to send RS (Permission denied)
Sat Aug 22 11:49:30 2020 kern.warn kernel: [42438.857733] ip6_tunnel: map-wan_4 xmit: Local address not yet configured!
Sat Aug 22 11:49:30 2020 daemon.err odhcp6c[31683]: Failed to send DHCPV6 message to ff02::1:2 (Permission denied)
Sat Aug 22 11:49:30 2020 kern.warn kernel: [42439.177750] ip6_tunnel: map-wan_4 xmit: Local address not yet configured!
Sat Aug 22 11:49:30 2020 kern.warn kernel: [42439.294180] ip6_tunnel: map-wan_4 xmit: Local address not yet configured!
Sat Aug 22 11:49:30 2020 kern.warn kernel: [42439.497749] ip6_tunnel: map-wan_4 xmit: Local address not yet configured!
Sat Aug 22 11:49:31 2020 kern.warn kernel: [42439.817787] ip6_tunnel: map-wan_4 xmit: Local address not yet configured!
Sat Aug 22 11:49:31 2020 kern.warn kernel: [42440.137727] ip6_tunnel: map-wan_4 xmit: Local address not yet configured!
Sat Aug 22 11:49:31 2020 kern.warn kernel: [42440.294293] ip6_tunnel: map-wan_4 xmit: Local address not yet configured!

Lost connection every 20 min :frowning:

No need to add anything, the wan zone already allows output, so it is not blocked on the firewall.

Let's better see the whole picture here:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
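
The reasoning above ("the wan zone already allows output") can be checked mechanically against the `uci export firewall` text. The sketch below is an added example, not part of the thread or of OpenWrt: the function name `egress_policy` and the sample excerpt are constructed here, and it assumes that a rule with `dest` but no `src` is an output rule and that a zone without its own `output` option uses the one from `config defaults`.

```shell
# Added example (not from the thread). Reads `uci export firewall` text on stdin,
# prints the output policy of the zone holding network $1 and any enabled
# output rule (dest set, no src) into that zone whose target is not ACCEPT.
egress_policy() {
    awk -v want="$1" -v q="'" '
    function close_section() {
        if (sect == "defaults") dflt = o["output"]
        if (sect == "zone" && index(" " o["network"] " ", " " want " ")) {
            zone = o["name"]; zout = o["output"]
        }
        if (sect == "rule" && o["src"] == "" && o["dest"] != "" && o["enabled"] != "0")
            rules[++n] = o["dest"] SUBSEP o["name"] SUBSEP o["target"]
        split("", o)                      # clear options for the next section
    }
    $1 == "config" { close_section(); sect = $2; next }
    $1 == "option" || $1 == "list" {
        val = $0
        sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", val)   # drop keyword and key
        gsub(q, "", val)                                    # drop UCI quoting
        o[$2] = ($1 == "list" && o[$2] != "") ? (o[$2] " " val) : val
    }
    END {
        close_section()
        if (zone == "") { print "network " want " is in no zone"; exit 1 }
        # Assumption: a zone without its own output option uses config defaults.
        print "zone=" zone " output=" (zout != "" ? zout : dflt)
        for (i = 1; i <= n; i++) {
            split(rules[i], r, SUBSEP)
            if ((r[1] == zone || r[1] == "*") && r[3] != "ACCEPT")
                print "egress-rule=" r[2] " target=" r[3]
        }
    }'
}

# Constructed excerpt modelled on the firewall export posted in this thread.
sample_firewall() {
    cat <<'EOF'
config defaults
    option output 'ACCEPT'
config zone
    option name 'wan'
    option output 'ACCEPT'
    option network 'wan wan6 wan_4'
config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option target 'ACCEPT'
EOF
}
sample_firewall | egress_policy wan6
```

On the router the same function can be fed directly: `uci export firewall | egress_policy wan6`.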

It is not the first time I have had a problem with a snapshot of bc2711. I updated (22 08 20 snap) and restored my config; now it's OK, ff02::1:2 is responding to my ping :wink:

thanks

ff02::1:2 is a multicast address.
All DHCPv6 servers and relay agents on the local network segment (defined in RFC 3315)


DHCPv6 on the back snapshot is down with DHCPv6, thank you trendy for your help and your explanation.

Hello all, after multiple tests, I found some bug in samba4: when it is activated you get WAN problems, IPv6 erased, permission denied for ICMPv6 and DHCPv6.

If you have some disconnections, try without SAMBA4.

I removed SAMBA4, my connection has been stable for 24h!!
