[Solved] Help to config IPV6 correctly on my router

Good afternoon people...

I'm finding it difficult to configure IPv6 correctly on my x86/64 router, where I have the WAN connected to eth0 and the LAN connected to eth1...

My ISP delivers IPV6 to me on the wan_6 virtual interface and I can see something on the interface like "PD" - Prefix Delegation, right?

My configs of network are:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7e:c511:0f07::/48'

# LAN interface: static IPv4 192.168.2.1/24 on eth1, with an IPv6 /64 assigned
# from the prefix learned on wan_6.
config interface 'lan'
        option device 'eth1'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        # NOTE(review): dhcpv6 / ra_management / ra / ndp are DHCP/RA service
        # settings; a later reply in this thread points out that they belong in
        # the 'lan' section of /etc/config/dhcp. Presumably they have no effect
        # in the network file -- confirm.
        option dhcpv6 'server'
        option ra_management '1'
        option ra 'server'
        option ndp 'hybrid'
        # delegate '0' matches "Delegate IPv6 prefixes: Not Checked" in the LuCI
        # dump for this interface further down.
        option delegate '0'
        # Only take prefixes that come from the wan_6 interface
        # ("IPv6 prefix filter: wan_6" in LuCI).
        list ip6class 'wan_6'
        # Assign a /64 to this interface ("IPv6 assignment length: 64" in LuCI).
        option ip6assign '64'

# WAN interface: PPPoE session on eth0, IPv6 negotiated automatically.
config interface 'wan'
        option proto 'pppoe'
        option device 'eth0'
        # NOTE(review): the PPPoE login is stored in plaintext in this file. The
        # values here look like a generic ISP login; real credentials should be
        # redacted before a config is posted publicly.
        option username 'cliente@cliente'
        option password 'cliente'
        # NOTE(review): ignore / dhcpv6 / ra / ndp / master look like
        # /etc/config/dhcp options rather than network options -- confirm they
        # do anything in this file.
        option ignore '1'
        option dhcpv6 'relay'
        option ra 'relay'
        option ndp 'relay'
        option master '1'
        # 'auto' corresponds to "Obtain IPv6 address: Automatic" in the LuCI dump;
        # the solution post says this is what makes OpenWrt create wan_6.
        option ipv6 'auto'
        option force_link '1'

config interface 'onu_VSol'
        option proto 'static'
        option device 'eth0'
        option ipaddr '192.168.1.2'
        option netmask '255.255.255.0'

config device
        option name 'eth1'
        option promisc '0'

and I have one firewall rule:

        # NOTE(review): these look like the options of the firewall
        # 'config defaults' section (the later pastes show them under that
        # header); the header line itself is missing from this paste.
        # input and forward are REJECT here, so traffic that no zone or rule
        # accepts is refused. The later pastes in this thread change both to ACCEPT.
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'onu_VSol'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option name 'Allow DHCPv6 replies'
        option family 'ipv6'
        option src_port '547'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'NintendoSwitch'
        list proto 'udp'
        option src 'wan'
        option src_dport '45000-65535'
        option dest_ip '192.168.2.143'
        option dest_port '45000-65535'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'DDNS 8181'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.2.1'
        option dest_port '81'

The interesting thing is that I do receive IPv6 addresses on my computers' network cards, like this:
2023-11-05_16h18_06

Router:
Physical interface eth0 (WAN):
IPv6: fe80::9493:bc9c:365f:6f87/128
Advanced Settings:
=> Force Link: Checked
=> Obtain IPv6 address: Automatic
=> Override IPv6 routing table: none
=> Delegate IPv6 prefixes: Checked
=> IPv6 assignment length: disabled
=> IPv6 prefix filter: none
=> IPv6 suffix: none (default config is configured ::1)
=> IPv6 preference: none (default config is configured 0)

Virtual interface (wan_6):
IPv6: 2804:431:d7a9:f83e:9493:bc9c:365f:6f87/64
IPv6-PD: 2804:431:cfd4:e2ed::/64
It is not possible to change any configuration of this interface

ETH1 physical interface (LAN):

IPv6: 2804:431:cfd4:e2ed::1/64
Advanced Settings:
=> Force Link: Checked
=> Override IPv6 routing table: none
=> Delegate IPv6 prefixes: Not Checked
=> IPv6 assignment length: 64
=> IPv6 assignment hint: none (default config is configured 0)
=> IPv6 prefix filter: wan_6
=> IPv6 suffix: none (default config is configured ::1)
=> IPv6 preference: none (default config is configured 0)

OK, I have with me the ISP's default modem settings where IPV6 works correctly, where it is configured to receive IPV6 automatically, in SLAAC mode and DHCP PD is active too and I don't have any other visible configuration, like this:
dhcpv6

Going back to Openwrt, the dhcpv6 part of my lan interface is configured like this:
IPV6 Settings:
=> Designated master: none
=> RA-Service: server mode
=> DHCPv6-Service: server mode
=> Announced IPv6 DNS servers: none
=> Local IPv6 DNS server: none
=> Announced DNS domains: none
=> NDP-Proxy: disabled

IPV6 RA Settings:
=> Default router: Automatic
=> Enable SLAAC: Checked
=> RA Flags: O and H

And the rest of the settings are set to default.

When I go to the website https://test-ipv6.com/ to test, I get this response:

Can anyone clarify and help me configure this correctly? I can start IPV6 configuration from scratch without any problems.

Sorry for my English, it's not my native language...

Does your ISP only offer a /64 prefix delegation? That is bad.
It should typically be /56 or /48.

You might need to use the relay mode due to that /64. Your wan seems to have the relay config items, but Lan deviates from relay config for some reason.

You didn't actually mention, how is the real-life connectivity? Can the router itself ping IPv6 addresses? And the PC?

Hi @HNYMAN, thanks for your response...

I can ping IPV6 address from my router like to Openwrt.org IPV6 address...

But I can´t ping from my PC in network...

I'm reading the docs; I'll try the relay mode...

Interestingly, it is on the ISP's modem, it works perfectly, however, it is not possible to obtain the settings in a clearer way... the equipment is very bad.

I'm about to turn on the ISP equipment to perform other tests.
If you know, there is a Mitrastar modem, used by Vivo Brasil, a subsidiary of the Spanish Telefonica...

Which firewall zone is configured on wan_6, no zone at all? Shouldn't it be in the wan zone?

Hi mikma...

I can't see it through Luci...

Every time I get this feedback...

Is there any other way to get this information, via CLI, for example?

I guess it's handled automatically since it's a virtual interface. You can disregard my comment.


Anyway, as I'm curious and anxious, I went to connect the provider's old equipment...
And I have this information, in case it can help you try to help me in some way...
Remembering that with old equipment, IPV6 connections work normally...
When I connect to it, I get this information:
Z-windows



Some settings that I removed from inside the modem, without changing absolutely anything...

z_double
z_ipv6_nat




I hope that with this, we can adjust the Openwrt settings in some way, because as you can see, it works on the ISP's equipment.

Yes add wan_6 to the wan firewall zone. This is important. You can remove wan6 (not the same as wan_6) as that is now unused; it was part of the default configuration which does not use pppoe.

These belong in the lan section of /etc/config/dhcp. Since your lan interface has an IPv6 of <ISP prefix>::1, the lan devices should be receiving or assigning themselves IPv6s in the same <ISP prefix>::/64 as lan. The devices' default v6 route should be to the link-local of the router lan interface. You should be able to ping <ISP prefix>::1 and router link-local from the device while it is connected.

The router's v6 routing table should show ::64 routed out to eth0, and the default ipv6 route through wan_6.

Note that with only a single /64 from the ISP you can only delegate to one lan-like interface; you can't (conventionally) have multiple LANs / guest networks or multiple stages of routing inside the house. This use case does not require any of those though, so the single /64 should work.


If the screenshot tell the Truth he should have a /48....

Hi @mk24 ...

I will try all the settings you suggested...
A colleague of mine here in Brazil said exactly what you posted, that the ISP Vivo delivers IPV6 only to a single network...
I'm a noob in more specific network configurations, firewall, etc. but I have a great desire to learn, because with Open, we can easily apply these configurations to "stronger" Linux servers...
I'm in Brazil, with time zone -3, it's now 7:16 AM and I'll probably try to reproduce these suggested settings for you in the evening, after my work.
If I have any difficulty, I will ask you for the step-by-step guide for "noobs", because like me, I believe that there are many people, but many are embarrassed to ask for this type of thing.
Thank you very much so far and let's talk here.
Hugs!

Hello @_bernd

yes, its true...

The whole confusion starts when we observe a /64 prefix and not a /48...
I'm a noob at some of the more advanced settings, as I said above, but I'm very eager to learn and I'm not ashamed to say that "I don't know"...
Anyway, thank you too...
The information that @mk24 suggested seems to be the most correct and I will try to apply it here.

  • I thought you supplied configs in your first post?
  • Where is the wan_6 config?
  • Why has the wan6 config been edited from default?

In any case, to display the network config on CLI - use:

cat /etc/config/network

For firewall:

cat /etc/config/firewall

Also to see Firewall settings, you would

  • Browse to Network > Firewall on LuCI to see the Firewall page; or
  • Edit the interface config and look at the Firewall assignment

Hello @lleachii ...

Answering your questions...

Friend, I've seen so much information that I've been trying to put it into practice in some way... I'm grateful for all the help you've provided so far...

Below is the required information...

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7e:c511:0f07::/48'

# LAN interface: static IPv4 192.168.2.1/24 on eth1.
config interface 'lan'
        option device 'eth1'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        list dns_search 'HSH'
        # NOTE(review): 'ip6assingn' is misspelled -- the first post in this
        # thread uses 'ip6assign'. As written, this option is presumably not
        # recognised, so no /64 would be assigned to the LAN from the delegated
        # prefix.
        option ip6assingn '64' # IPv6 configuration

# WAN interface: PPPoE session on eth0.
config interface 'wan'
        option proto 'pppoe'
        option device 'eth0'
        # NOTE(review): the PPPoE login is stored in plaintext in this file. The
        # values here look like a generic ISP login; real credentials should be
        # redacted before a config is posted publicly.
        option username 'cliente@cliente'
        option password 'cliente'
        # NOTE(review): 'ignore' looks like an /etc/config/dhcp option (it also
        # appears in the 'wan' dhcp section later in this post) -- confirm it
        # does anything here.
        option ignore '1'
        option ipv6 'auto' # IPv6 configuration - creates wan_6 automatically

config interface 'onu_VSol'
        option proto 'static'
        option device 'eth0'
        option ipaddr '192.168.1.2'
        option netmask '255.255.255.0'

config device
        option name 'eth1'
        option promisc '1'
        option ip6segmentrouting '1'

config device
        option name 'pppoe-wan'
        option ip6segmentrouting '1'

cat /etc/config/firewall

# Global fallback policy for traffic that no zone or rule decides.
config defaults
        # NOTE(review): input and forward are ACCEPT here, whereas the first post
        # in this thread had REJECT for both. With ACCEPT as the fallback, traffic
        # that no zone handles is allowed instead of refused. This matters more
        # with IPv6, where LAN hosts have globally routable addresses and there
        # is no NAT in front of them. Presumably changed while troubleshooting --
        # confirm and restore REJECT.
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# Internet-facing zone.
config zone
        option name 'wan'
        # NOTE(review): input ACCEPT on the WAN zone lets traffic arriving from
        # the internet reach services on the router itself; forward ACCEPT is
        # equally permissive for forwarded traffic. The first post had REJECT for
        # both, which is the usual setting for a WAN zone.
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        # No 'wan6' interface is defined in the network listing of this post; a
        # reply in this thread notes it is left over from the default config and
        # can be removed.
        list network 'wan6'
        list network 'onu_VSol'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan_6'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option name 'Allow DHCPv6 replies'
        option family 'ipv6'
        option src_port '547'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'NintendoSwitch'
        list proto 'udp'
        option src 'wan'
        option src_dport '45000-65535'
        option dest_ip '192.168.2.143'
        option dest_port '45000-65535'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'DDNS'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.2.1'
        option dest_port '8181'
        list proto 'tcp'
        list proto 'udp'

config rule
        option name 'Allow DDNS'
        list proto 'tcp'
        option src 'wan'
        option src_port '80'
        list dest_ip '192.168.2.1'
        option dest_port '8181'
        option target 'ACCEPT'

and, cat /etc/config/dhcp, if necessary ...

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/HSH/'
        option domain 'HSH'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option noresolv '1'
        option localuse '1'
        option proxydnssec '1'
        option logqueries '1'
        list server '127.0.0.1#5453'
        list server '0::1#5453'

# DHCP/RA service settings for the LAN: DHCPv4 pool plus IPv6 RA and DHCPv6 in
# server mode.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '6h'
        option dhcpv4 'server'
        option force '1'
        option ra 'server' # IPv6 configuration
        option dhcpv6 'server' # IPv6 configuration
        # The two ra_flags entries set the managed-config (M) and other-config
        # (O) flags in the router advertisements sent on the LAN.
        list ra_flags 'managed-config' # IPv6 configuration
        list ra_flags 'other-config' # IPv6 configuration

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config domain
        option name 'horus'
        option ip '192.168.2.1'

config domain
        option name 'anubis'
        option ip '192.168.2.2'

config domain
        option name 'osiris'
        option ip '192.168.2.3'

config domain
        option name 'toth'
        option ip '192.168.2.4'

config host
        option name 'NintendoSwitch'
        option mac '20:0B:CF:E4:75:54'
        option ip '192.168.2.30'

I think that I have an error in firewall rules...

Thanks!

And the inquires?

Hello all...

I share with you my solution (and suggestions of my friends) to solve my problem...

What I did was the following:

I went to the Openwrt Interfaces tab, and then edited the wan, where in advanced settings, I configured the "Obtain IPv6 address" field to "Automatic" and the "IPv6 assignment length" field, I left it to "disabled" - These settings should be enough for Openwrt to create the virtual interface called "wan_6" and receive 2 IPV6 addresses on it, where one starts with the prefix "2008" and ends with "/64" and the other starts with "PD", which is the prefix delegated by Vivo ISP...

Then I edited the lan, where in advanced settings I configured the "IPv6 assignment length" field to "64" and the "IPv6 suffix" field to "::1" - These settings should be enough for Openwrt to create 2 IPV6 addresses on the lan, one of which is exactly the same as the address received on "wan_6" which starts with the prefix "2008" and ends with "/64" and the other, any address with "/64" at the end.

Soon after, I checked the firewall zones, going to "Firewall" and here was the "trick", at least I think, because only the wan interface was set there... neither "wan_6" or " onu-Vsol"(modem) were configured, so I removed the "wan" from that zone, saved and applied leaving no configuration, I entered again and added the wan, wan_6 and onu-Vsol, saved and applied...

I didn't even need to disable or reactivate the network card and it was working correctly...


Here is my config files:

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7e:c511:0f07::/48'

# LAN interface: static IPv4 192.168.2.1/24 on eth1, with an IPv6 /64 assigned
# from the delegated prefix.
config interface 'lan'
        option device 'eth1'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        list dns_search 'HSH'
        # NOTE(review): 'ip6assingn' is a misspelling of 'ip6assign'. The
        # correctly spelled option two lines below already sets the same value,
        # so this line can be dropped (fixing the spelling would only create a
        # duplicate).
        option ip6assingn '64'
        # '::1' is shown as the default suffix in the LuCI dump earlier in this
        # thread, so this line is presumably redundant.
        option ip6ifaceid '::1'
        # Assign a /64 to the LAN.
        option ip6assign '64'

config interface 'wan'
        option proto 'pppoe'
        option device 'eth0'
        option username 'cliente@cliente'
        option password 'cliente'
        option ignore '1'
        option ipv6 'auto'

config interface 'onu_VSol'
        option proto 'static'
        option device 'eth0'
        option ipaddr '192.168.1.2'
        option netmask '255.255.255.0'

config device
        option name 'eth1'
        option promisc '1'
        option ip6segmentrouting '1'

config device
        option name 'pppoe-wan'
        option ip6segmentrouting '1'

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/HSH/'
        option domain 'HSH'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option noresolv '1'
        option localuse '1'
        option proxydnssec '1'
        option logqueries '1'
        list server '127.0.0.1#5453'
        list server '0::1#5453'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '6h'
        option dhcpv4 'server'
        option force '1'
        option ra 'server'
        option dhcpv6 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option dns_service '0'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config domain
        option name 'horus'
        option ip '192.168.2.1'

config domain
        option name 'anubis'
        option ip '192.168.2.2'

config domain
        option name 'osiris'
        option ip '192.168.2.3'

config domain
        option name 'toth'
        option ip '192.168.2.4'

config host
        option name 'NintendoSwitch'
        option mac '20:0B:CF:E4:75:54'
        option ip '192.168.2.30'

cat /etc/config/firewall

# Global fallback policy for traffic that no zone or rule decides.
config defaults
        # NOTE(review): input and forward are ACCEPT in this "solution" config,
        # whereas the first post in this thread had REJECT for both. The fix
        # described in the post is the change to the wan zone's membership, not
        # the policy, so ACCEPT here is presumably a leftover from
        # troubleshooting. With it, traffic no zone handles is allowed, including
        # inbound IPv6 towards LAN hosts' global addresses (no NAT shields them).
        # Restore REJECT and confirm IPv6 still works.
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# Internet-facing zone. Compared with the earlier pastes, membership is now
# given by device (eth0, pppoe-wan) as well as by network (onu_VSol, wan), and
# the unused 'wan6' entry is gone.
config zone
        option name 'wan'
        # NOTE(review): input ACCEPT on the WAN zone lets traffic arriving from
        # the internet reach services on the router itself, over IPv4 and IPv6.
        # forward ACCEPT is equally permissive for forwarded traffic. The first
        # post had REJECT for both, which is the usual setting for a WAN zone.
        # Set both back to REJECT and re-test; the Allow-* rules below already
        # admit the DHCPv6 and ICMPv6 traffic that IPv6 needs.
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        # Matching by device presumably also covers IPv6 traffic of the virtual
        # wan_6 interface, since it runs over the PPPoE link -- confirm.
        list device 'eth0'
        list device 'pppoe-wan'
        list network 'onu_VSol'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

# Accept IPv4 UDP to port 68 (DHCP client) arriving from the source zone.
config rule
        option name 'Allow-DHCP-Renew'
        # NOTE(review): 'src' names a firewall zone, but this file defines only
        # the zones 'lan' and 'wan'; 'wan_6' is an interface name. The first post
        # had src 'wan' here. As written the rule presumably matches nothing or
        # is rejected by the firewall loader -- confirm and change back to 'wan'.
        option src 'wan_6'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option name 'Allow DHCPv6 replies'
        option family 'ipv6'
        option src_port '547'

# Port forward: UDP 45000-65535 arriving on the WAN is DNATed to the same port
# range on one LAN host.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'NintendoSwitch'
        list proto 'udp'
        option src 'wan'
        option src_dport '45000-65535'
        # NOTE(review): the static lease for 'NintendoSwitch' in /etc/config/dhcp
        # in this post is 192.168.2.30, not .143. If .143 is handed out
        # dynamically, whichever device holds it receives this whole forwarded
        # range -- confirm the intended address.
        option dest_ip '192.168.2.143'
        option dest_port '45000-65535'

# Port forward: WAN port 80 is DNATed to port 8181 on 192.168.2.1, which is the
# router's own LAN address in this config.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'DDNS'
        option src 'wan'
        option src_dport '80'
        # NOTE(review): this publishes whatever listens on the router's port 8181
        # to the internet; make sure that service is meant to be public and
        # requires authentication.
        option dest_ip '192.168.2.1'
        option dest_port '8181'
        # The first post forwarded TCP only (to port 81); UDP is presumably not
        # needed for a service on port 80 -- confirm and drop it.
        list proto 'tcp'
        list proto 'udp'

# Accept TCP from the wan zone addressed to 192.168.2.1 port 8181.
config rule
        option name 'Allow DDNS'
        list proto 'tcp'
        option src 'wan'
        # NOTE(review): src_port matches the sender's source port, not the port
        # being contacted, so this only matches packets sent *from* port 80.
        # The 'DDNS' redirect above already handles WAN port 80, and a DNAT
        # redirect normally needs no separate accept rule -- confirm whether this
        # rule is needed at all.
        option src_port '80'
        list dest_ip '192.168.2.1'
        option dest_port '8181'
        option target 'ACCEPT'

The router was restarted several times and each time, IPv4 and IPv6 were changed and passed on correctly to the stations.

With this, I conclude that the problem has been resolved, but we will keep an eye on it to see if anything unusual happens along the way.

Thank you all for your help!

There's a typo, it becomes duplicate after fixing.

This is the default, so should be redundant.

