Hello, world!
I am a long-time user, first-time poster. I've been using OpenWRT on-and-off since the WRT54G, and it's been amazing and almost completely trouble-free. So major props for that. Now, of course, I have a problem. I'd appreciate it if anyone who's interested could take a look.
Highlights
- OpenWRT 21.02.3 r16554-1d4dea6d4f
- Netgear WNDR3700 v4
- Comcast residential DOCSIS
- Seeing "dhcp6 solicit" and "dhcp6 advertise", nothing after
- Works for a Win10 laptop plugged into cable modem
Narrative
IPv6 was working for me, now it's not.
It appears the router isn't getting a DHCP lease from the ISP (Comcast). It does have a link-local IPv6 address. tcpdump on the router shows a "dhcp6 solicit" leaving, and a "dhcp6 advertise" being received in response, but nothing after. I also see periodic RAs coming in; the router apparently isn't doing anything with them, either.
In LuCI under Network -> Interfaces, my "WAN6" object still appears. It shows "IPv6" and "DHCPv6" but no IP address. I haven't (knowingly) messed with the firewall rules, beyond port forwarding. I believe LuCI is showing me that both "WAN" (IPv4) and "WAN6" are in the "wan" firewall zone.
My LAN nodes all have their LAN and ULA (fd00::/8) addresses. I can ping the router using IPv6. So IPv6 is working in the general case. The router gets a DHCPv4 lease no problem (I'm using it to post this).
I've tried rebooting the router. I've tried powering off router and modem, waiting for more than 15 minutes, powering modem up and letting it stabilize, and then powering up the router. That didn't make a difference that I can see.
I tried connecting a Windows 10 laptop directly to the cable modem, and it was able to get a DHCPv6 lease. I was able to ping www.google.com and it came back using IPv6. So I'm thinking the ISP is not the problem (for once).
I finally got around to setting up IPv6 about five months ago, on 21.02.2 at the time. It worked fine then, and did for at least a month or two. At some point, it stopped working. I'm not exactly sure when, since I don't normally pay much attention to which protocol is getting used. So the failure may or may not have been related to upgrading to 21.02.3.
If anyone can think of anything I could do or try, please let me know. I'm not that experienced with IPv6, so if I'm missing something obvious, please hit me over the head with it.
tcpdump
noid# tcpdump -t -n -i eth0.2 ip6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0.2, link-type EN10MB (Ethernet), capture size 262144 bytes
IP6 fe80::21c:73ff:fe00:99 > ff02::1: ICMP6, router advertisement, length 288
IP6 fe80::21c:73ff:fe00:99 > ff02::1: ICMP6, router advertisement, length 288
IP6 fe80::21c:73ff:fe00:99 > ff02::1: ICMP6, router advertisement, length 288
IP6 fe80::21c:73ff:fe00:99 > ff02::1: ICMP6, router advertisement, length 288
IP6 fe80::xxxx:xxxx:fed3:692.546 > ff02::1:2.547: dhcp6 solicit
IP6 2001:558:4023:1ac::10.547 > fe80::xxxx:xxxx:fed3:692.546: dhcp6 advertise
IP6 fe80::21c:73ff:fe00:99 > ff02::1: ICMP6, router advertisement, length 288
IP6 fe80::21c:73ff:fe00:99 > ff02::1: ICMP6, router advertisement, length 288
IP6 fe80::21c:73ff:fe00:99 > ff02::1: ICMP6, router advertisement, length 288
Config
uci export network
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdd0:c001:deed::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '10.10.10.1'
list dns_search 'home.example.com'
config device
option name 'eth0.2'
option macaddr 'xx:xx:xx:xx:xx:xx'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
option hostname 'ispusername'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option peerdns '0'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 0t'
uci export dhcp
package dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
option local '/home.example.com/'
option domain 'home.example.com'
option sequential_ip '1'
option filterwin2k '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option leasetime '4h'
option force '1'
list domain 'home.example.com'
option limit '99'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
list ra_flags 'none'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config domain
option name 'noid.home.example.com'
option ip '10.10.10.1'
config domain
option name 'blackfire.home.example.com'
option ip '10.10.10.11'
config host
option name 'blackfire.home.example.com'
option dns '1'
option mac '00:1E:C9:2B:14:09'
option ip '10.10.10.11'
config host
option name 'companion'
option dns '1'
option mac '00:01:E6:7A:16:76'
option ip '10.10.10.14'
config domain
option name 'companion'
option ip '10.10.10.14'
uci export firewall
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
# NOTE(review): src_ip 'fc00::/6' only matches sources whose first six bits are
# 111111 (fc00:: through ffff:...), i.e. ULA and link-local senders.
# The "dhcp6 advertise" in the tcpdump output on this page arrives from
# 2001:558:4023:1ac::10, a global address outside that range, so this rule
# cannot match it. The ip6tables-save counters on this page are consistent with
# that: the Allow-DHCPv6 rule shows [0:0] while zone_wan_src_REJECT shows
# [90:19170].
# Likely cause of the stalled exchange: the advertise is rejected in
# zone_wan_input before the DHCPv6 client sees it. To confirm, remove (or widen)
# src_ip while keeping proto 'udp', dest_port '546' and family 'ipv6', reload
# the firewall, and check that this rule's counter starts incrementing.
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
config include
option path '/etc/firewall.user'
# NOTE(review): both redirects below publish SSH (port 22) to the WAN side over
# IPv4 and set no src_ip, so any remote source is accepted on the forwarded port.
# Moving the external port (src_dport) reduces scan noise but is not an access
# control. Use key-only authentication on both targets and, where the client
# addresses are known, add an `option src_ip` restriction to each redirect.
# These DNAT entries are IPv4-only and unrelated to the DHCPv6 problem.
config redirect
option dest 'lan'
option target 'DNAT'
option name 'blackfireSSH'
list proto 'tcp'
option src 'wan'
option src_dport 'REDACTED'
option dest_ip '10.10.10.11'
option dest_port '22'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'noidSSH'
list proto 'tcp'
option src 'wan'
option src_dport 'REDACTED'
# dest_ip is the router's own LAN address (the 'lan' interface ipaddr), so this
# entry presumably exposes the router's own SSH login, not a LAN host.
option dest_ip '10.10.10.1'
option dest_port '22'
cat /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::xxxx:xxxx:fed3:691/64 scope link
valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fdd0:c001:deed::1/60 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::xxxx:xxxx:fed3:691/64 scope link
valid_lft forever preferred_lft forever
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::xxxx:xxxx:fed3:692/64 scope link
valid_lft forever preferred_lft forever
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::xxxx:xxxx:fed3:691/64 scope link
valid_lft forever preferred_lft forever
10: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::xxxx:xxxx:fed3:693/64 scope link
valid_lft forever preferred_lft forever
ip -6 ro li tab all
fdd0:c001:deed::/64 dev br-lan metric 1024
unreachable fdd0:c001:deed::/48 dev lo metric 2147483647
fe80::/64 dev eth0 metric 256
fe80::/64 dev eth0.2 metric 256
fe80::/64 dev br-lan metric 256
fe80::/64 dev wlan0 metric 256
fe80::/64 dev wlan1 metric 256
local ::1 dev lo table local metric 0
anycast fdd0:c001:deed:: dev br-lan table local metric 0
local fdd0:c001:deed::1 dev br-lan table local metric 0
anycast fe80:: dev eth0.2 table local metric 0
anycast fe80:: dev eth0 table local metric 0
anycast fe80:: dev br-lan table local metric 0
anycast fe80:: dev wlan0 table local metric 0
anycast fe80:: dev wlan1 table local metric 0
local fe80::xxxx:xxxx:fed3:691 dev eth0 table local metric 0
local fe80::xxxx:xxxx:fed3:691 dev br-lan table local metric 0
local fe80::xxxx:xxxx:fed3:691 dev wlan0 table local metric 0
local fe80::xxxx:xxxx:fed3:692 dev eth0.2 table local metric 0
local fe80::xxxx:xxxx:fed3:693 dev wlan1 table local metric 0
multicast ff00::/8 dev eth0 table local metric 256
multicast ff00::/8 dev br-lan table local metric 256
multicast ff00::/8 dev eth0.2 table local metric 256
multicast ff00::/8 dev wlan0 table local metric 256
multicast ff00::/8 dev wlan1 table local metric 256
ip -6 ru
0: from all lookup local
32766: from all lookup main
4200000001: from all iif lo lookup unspec 12
4200000006: from all iif br-lan lookup unspec 12
4200000008: from all iif eth0.2 lookup unspec 12
ip6tables-save -c
# Generated by ip6tables-save v1.8.7 on Mon Aug 29 22:36:10 2022
*mangle
:PREROUTING ACCEPT [55094:7738586]
:INPUT ACCEPT [44212:4689997]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [41289:17341415]
:POSTROUTING ACCEPT [41290:17341471]
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Aug 29 22:36:10 2022
# Generated by ip6tables-save v1.8.7 on Mon Aug 29 22:36:10 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[44213:4690069] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[41822:4381722] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[43:3440] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[1890:154641] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[501:153706] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[41290:17341587] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[40262:17259956] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[937:68345] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[91:13286] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[90:19170] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[43:3440] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[937:68345] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[1890:154641] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[1890:154641] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[937:68345] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[937:68345] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[1890:154641] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[91:13286] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[501:153706] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[1:56] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[410:134480] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[90:19170] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[91:13286] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[91:13286] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[90:19170] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Mon Aug 29 22:36:10 2022