[SOLVED] IPv6 stopped working; getting dhcp6 advertise but no lease

Hello, world!

I am a long-time user, first-time poster. I've been using OpenWRT on-and-off since the WRT54G, and it's been amazing and almost completely trouble-free. So major props for that. Now, of course, I have a problem. I'd appreciate anyone who's interested taking a look.

Highlights

  • OpenWRT 21.02.3 r16554-1d4dea6d4f
  • Netgear WNDR3700 v4
  • Comcast residential DOCSIS
  • Seeing "dhcp6 solicit" and "dhcp6 advertise", nothing after
  • Works for a Win10 laptop plugged into cable modem

Narrative

IPv6 was working for me, now it's not.

It appears the router isn't getting a DHCP lease from the ISP (Comcast). It does have a link-local IPv6 address. tcpdump on the router shows a "dhcp6 solicit" leaving, and a "dhcp6 advertise" being received in response, but nothing after. I also see periodic RAs coming in; the router apparently isn't doing anything with them, either.

In LuCI under Network -> Interfaces, my "WAN6" object still appears. It shows "IPv6" and "DHCPv6" but no IP address. I haven't (knowingly) messed with the firewall rules, beyond port forwarding. I believe LuCI is showing me both "WAN" (IPv4) and "WAN6" are in the "wan" firewall zone.

My LAN nodes all have their LAN and ULA (fd00::/8) addresses. I can ping the router using IPv6. So IPv6 is working in the general case. The router gets a DHCPv4 lease no problem (I'm using it to post this).

I've tried rebooting the router. I've tried powering off router and modem, waiting for more than 15 minutes, powering modem up and letting it stabilize, and then powering up the router. That didn't make a difference that I can see.

I tried connecting a Windows 10 laptop directly to the cable modem, and it was able to get an IPv6 DHCPv6 lease. I was able to ping www.google.com and it came back using IPv6. So I'm thinking the ISP is not the problem (for once).

I finally got around to setting up IPv6 about five months ago, on 21.02.2 at the time. It worked fine then, and did for at least a month or two. At some point, it stopped working. I'm not exactly sure when, since I don't normally pay much attention to which protocol is getting used. So the failure may or may not have been related to upgrading to 21.02.3.

If anyone can think of anything I could do or try, please let me know. I'm not that experienced with IPv6, so if I'm missing something obvious, please hit me over the head with it.

tcpdump

noid# tcpdump -t -n -i eth0.2 ip6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0.2, link-type EN10MB (Ethernet), capture size 262144 bytes
IP6 fe80::21c:73ff:fe00:99 > ff02::1: ICMP6, router advertisement, length 288
IP6 fe80::21c:73ff:fe00:99 > ff02::1: ICMP6, router advertisement, length 288
IP6 fe80::21c:73ff:fe00:99 > ff02::1: ICMP6, router advertisement, length 288
IP6 fe80::21c:73ff:fe00:99 > ff02::1: ICMP6, router advertisement, length 288
IP6 fe80::xxxx:xxxx:fed3:692.546 > ff02::1:2.547: dhcp6 solicit
IP6 2001:558:4023:1ac::10.547 > fe80::xxxx:xxxx:fed3:692.546: dhcp6 advertise
IP6 fe80::21c:73ff:fe00:99 > ff02::1: ICMP6, router advertisement, length 288
IP6 fe80::21c:73ff:fe00:99 > ff02::1: ICMP6, router advertisement, length 288
IP6 fe80::21c:73ff:fe00:99 > ff02::1: ICMP6, router advertisement, length 288

Config

uci export network

package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd0:c001:deed::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.10.10.1'
	list dns_search 'home.example.com'

config device
	option name 'eth0.2'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option hostname 'ispusername'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

uci export dhcp

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option local '/home.example.com/'
	option domain 'home.example.com'
	option sequential_ip '1'
	option filterwin2k '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option leasetime '4h'
	option force '1'
	list domain 'home.example.com'
	option limit '99'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config domain
	option name 'noid.home.example.com'
	option ip '10.10.10.1'

config domain
	option name 'blackfire.home.example.com'
	option ip '10.10.10.11'

config host
	option name 'blackfire.home.example.com'
	option dns '1'
	option mac '00:1E:C9:2B:14:09'
	option ip '10.10.10.11'

config host
	option name 'companion'
	option dns '1'
	option mac '00:01:E6:7A:16:76'
	option ip '10.10.10.14'

config domain
	option name 'companion'
	option ip '10.10.10.14'

uci export firewall

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'blackfireSSH'
	list proto 'tcp'
	option src 'wan'
	option src_dport 'REDACTED'
	option dest_ip '10.10.10.11'
	option dest_port '22'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'noidSSH'
	list proto 'tcp'
	option src 'wan'
	option src_dport 'REDACTED'
	option dest_ip '10.10.10.1'
	option dest_port '22'

cat /etc/firewall.user

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

ip -6 addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::xxxx:xxxx:fed3:691/64 scope link 
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fdd0:c001:deed::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::xxxx:xxxx:fed3:691/64 scope link 
       valid_lft forever preferred_lft forever
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::xxxx:xxxx:fed3:692/64 scope link 
       valid_lft forever preferred_lft forever
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::xxxx:xxxx:fed3:691/64 scope link 
       valid_lft forever preferred_lft forever
10: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::xxxx:xxxx:fed3:693/64 scope link 
       valid_lft forever preferred_lft forever

ip -6 ro li tab all

fdd0:c001:deed::/64 dev br-lan  metric 1024 
unreachable fdd0:c001:deed::/48 dev lo  metric 2147483647 
fe80::/64 dev eth0  metric 256 
fe80::/64 dev eth0.2  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev wlan0  metric 256 
fe80::/64 dev wlan1  metric 256 
local ::1 dev lo table local  metric 0 
anycast fdd0:c001:deed:: dev br-lan table local  metric 0 
local fdd0:c001:deed::1 dev br-lan table local  metric 0 
anycast fe80:: dev eth0.2 table local  metric 0 
anycast fe80:: dev eth0 table local  metric 0 
anycast fe80:: dev br-lan table local  metric 0 
anycast fe80:: dev wlan0 table local  metric 0 
anycast fe80:: dev wlan1 table local  metric 0 
local fe80::xxxx:xxxx:fed3:691 dev eth0 table local  metric 0 
local fe80::xxxx:xxxx:fed3:691 dev br-lan table local  metric 0 
local fe80::xxxx:xxxx:fed3:691 dev wlan0 table local  metric 0 
local fe80::xxxx:xxxx:fed3:692 dev eth0.2 table local  metric 0 
local fe80::xxxx:xxxx:fed3:693 dev wlan1 table local  metric 0 
multicast ff00::/8 dev eth0 table local  metric 256 
multicast ff00::/8 dev br-lan table local  metric 256 
multicast ff00::/8 dev eth0.2 table local  metric 256 
multicast ff00::/8 dev wlan0 table local  metric 256 
multicast ff00::/8 dev wlan1 table local  metric 256 

ip -6 ru

0:	from all lookup local 
32766:	from all lookup main 
4200000001:	from all iif lo lookup unspec 12
4200000006:	from all iif br-lan lookup unspec 12
4200000008:	from all iif eth0.2 lookup unspec 12

ip6tables-save -c

# Generated by ip6tables-save v1.8.7 on Mon Aug 29 22:36:10 2022
*mangle
:PREROUTING ACCEPT [55094:7738586]
:INPUT ACCEPT [44212:4689997]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [41289:17341415]
:POSTROUTING ACCEPT [41290:17341471]
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Aug 29 22:36:10 2022
# Generated by ip6tables-save v1.8.7 on Mon Aug 29 22:36:10 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[44213:4690069] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[41822:4381722] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[43:3440] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[1890:154641] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[501:153706] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[41290:17341587] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[40262:17259956] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[937:68345] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[91:13286] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[90:19170] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[43:3440] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[937:68345] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[1890:154641] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[1890:154641] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[937:68345] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[937:68345] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[1890:154641] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[91:13286] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[501:153706] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[1:56] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[410:134480] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[90:19170] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[91:13286] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[91:13286] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[90:19170] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Mon Aug 29 22:36:10 2022

Stupidity of your ISP to answer dhcp6 solicits from a GUA address instead of link-local.
Adapt Allow-DHCPv6 by removing the source address.

Ahhhh. I even saw that the source address of the DHCP server seemed to be coming from a different net, but being new to IPv6, I just figured that was how it was supposed to work.

Makes sense. I'll make the firewall change this evening, and report back here with results.

Thanks for the quick reply!

And sure enough, that fixed it.

So it was the ISP after all. Comcast finds yet another dumb way to screw things up.

Thanks again for the quick and helpful answer!
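The diagnosis reached in this thread, as an added example that is not part of the original posts: a small Python model of the `Allow-DHCPv6` rule's address and port matching, run against the advertise packet from the tcpdump output, before and after removing `src_ip`. The function names and the `fe80::1` stand-in for the router's redacted link-local address are assumptions, and the model covers only this one rule, not fw3 as a whole.

```python
import ipaddress

# Allow-DHCPv6 exactly as shown in the thread's `uci export firewall`.
RULE_BEFORE = {"proto": "udp", "src_ip": "fc00::/6",
               "dest_ip": "fc00::/6", "dest_port": 546}
# The same rule with only the source restriction removed, per the reply.
RULE_AFTER = {k: v for k, v in RULE_BEFORE.items() if k != "src_ip"}

# Constructed stand-in for the router's redacted WAN link-local address.
ROUTER_LL = "fe80::1"

# Inbound packets: the first mirrors the "dhcp6 advertise" line in the
# tcpdump output; the other two are constructed controls.
PACKETS = {
    "advertise from ISP GUA": {
        "proto": "udp", "src": "2001:558:4023:1ac::10",
        "dst": ROUTER_LL, "dport": 546},
    "advertise from link-local (constructed)": {
        "proto": "udp", "src": "fe80::21c:73ff:fe00:99",
        "dst": ROUTER_LL, "dport": 546},
    "unrelated UDP from GUA (constructed)": {
        "proto": "udp", "src": "2001:558:4023:1ac::10",
        "dst": ROUTER_LL, "dport": 53},
}


def mismatches(rule, pkt):
    """Return the rule fields the packet fails to match (empty list = match)."""
    failed = []
    if rule["proto"] != pkt["proto"]:
        failed.append("proto")
    for field, key in (("src_ip", "src"), ("dest_ip", "dst")):
        if field in rule:
            net = ipaddress.ip_network(rule[field])
            if ipaddress.ip_address(pkt[key]) not in net:
                failed.append(field)
    if rule["dest_port"] != pkt["dport"]:
        failed.append("dest_port")
    return failed


def verdict(rule, pkt):
    """ACCEPT on a full match; otherwise the wan zone's input policy (REJECT).

    The solicit was sent to multicast ff02::1:2, so the unicast advertise is
    not an ESTABLISHED reply in conntrack and needs an explicit accept rule.
    """
    return "ACCEPT" if not mismatches(rule, pkt) else "REJECT"


if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        before = verdict(RULE_BEFORE, pkt)
        after = verdict(RULE_AFTER, pkt)
        why = ",".join(mismatches(RULE_BEFORE, pkt)) or "-"
        print(f"{name:42} before={before} ({why}) after={after}")
```

The `ip6tables-save -c` counters posted above agree with the model: the `Allow-DHCPv6` rule shows `[0:0]` while `zone_wan_src_REJECT` shows `[90:19170]`. With `src_ip` removed, the rule still requires UDP to port 546 at an address inside `fc00::/6`, so the unrelated UDP control packet stays rejected.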
