Strange connection problem since playing around with ipv6

Hello all,

I have been playing around to get IPv6 running in my LAN, and now I have a problem with connections on the LAN ports.

my configuration is:
openwrt on linksys wrt 1200acs (v2)

wan and wan6 -> zone wan
lan1...4 radio0, radio 1 -> zone Lan

See the config below ...

now i have strange problem:

--- whats working
Every device connected via Wi-Fi, on 2.4 GHz or 5 GHz, is working fine!
IPv4 connections are fine.
IPv6 connections are also mostly fine; I'm getting 16/20 points on the IPv6 test.

the 4 missing points are from:
Your router or firewall is filtering ICMPv6 messages sent to your computer. An IPv6 host that cannot receive ICMP messages may encounter problems like some web pages loading partially or not at all.

--- whats not working
Every device connected via LAN cable (I'm only using lan1; there is a big switch behind lan1) gets no connection to anywhere, neither over IPv4 nor over IPv6!

From a Linux machine connected via LAN:

#>ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether ec:a8:6b:fe:09:80 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.201/16 brd 192.168.255.255 scope global dynamic eno1
       valid_lft 230sec preferred_lft 230sec
    inet6 2axx:xxxx:xxxx:aaaa::451/128 scope global dynamic
       valid_lft 42646sec preferred_lft 42646sec
    inet6 2axx:xxxx:xxxx:bbbb::451/128 scope global dynamic
       valid_lft 42646sec preferred_lft 42646sec
    inet6 fe80::eea8:6bff:fefe:980/64 scope link
       valid_lft forever preferred_lft forever
3: br-9db5b1f91c0e: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:f8:e9:02:82 brd ff:ff:ff:ff:ff:ff
    inet 172.26.0.1/16 brd 172.26.255.255 scope global br-9db5b1f91c0e
       valid_lft forever preferred_lft forever
4: br-b83bb6f5fe3d: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:bb:b8:b1:3f brd ff:ff:ff:ff:ff:ff
    inet 172.27.0.1/16 brd 172.27.255.255 scope global br-b83bb6f5fe3d
       valid_lft forever preferred_lft forever
    inet6 fe80::42:bbff:feb8:b13f/64 scope link
       valid_lft forever preferred_lft forever
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:c7:da:56:6d brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
7: veth52691a0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-b83bb6f5fe3d state UP group default
    link/ether 12:fb:cc:2d:1b:2d brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::10fb:ccff:fe2d:1b2d/64 scope link
       valid_lft forever preferred_lft forever

So prefix delegation looks like it is working.
DNS lookups also look like they are working:

#>Server:         192.168.10.200
Address:        192.168.10.200#53

Non-authoritative answer:
Name:   www.google.de
Address: 142.251.36.227
Name:   www.google.de
Address: 2a00:1450:4016:80b::2003

also icmp:

#>ping -4 www.google.com
PING www.google.com (142.251.36.196) 56(84) bytes of data.
64 bytes from muc12s12-in-f4.1e100.net (142.251.36.196): icmp_seq=1 ttl=117 time=15.1 ms
64 bytes from muc12s12-in-f4.1e100.net (142.251.36.196): icmp_seq=2 ttl=117 time=7.96 ms
64 bytes from muc12s12-in-f4.1e100.net (142.251.36.196): icmp_seq=3 ttl=117 time=9.26 ms
64 bytes from muc12s12-in-f4.1e100.net (142.251.36.196): icmp_seq=4 ttl=117 time=8.38 ms
64 bytes from muc12s12-in-f4.1e100.net (142.251.36.196): icmp_seq=5 ttl=117 time=10.2 ms
64 bytes from muc12s12-in-f4.1e100.net (142.251.36.196): icmp_seq=6 ttl=117 time=11.6 ms
64 bytes from muc12s12-in-f4.1e100.net (142.251.36.196): icmp_seq=7 ttl=117 time=8.79 ms
#>ping -6 www.google.com
PING www.google.com(muc11s27-in-x04.1e100.net (2a00:1450:4016:80c::2004)) 56 data bytes
64 bytes from muc11s27-in-x04.1e100.net (2a00:1450:4016:80c::2004): icmp_seq=1 ttl=118 time=17.4 ms
64 bytes from muc11s27-in-x04.1e100.net (2a00:1450:4016:80c::2004): icmp_seq=2 ttl=118 time=9.41 ms
64 bytes from muc11s27-in-x04.1e100.net (2a00:1450:4016:80c::2004): icmp_seq=3 ttl=118 time=9.60 ms
64 bytes from muc11s27-in-x04.1e100.net (2a00:1450:4016:80c::2004): icmp_seq=4 ttl=118 time=9.05 ms
64 bytes from muc11s27-in-x04.1e100.net (2a00:1450:4016:80c::2004): icmp_seq=5 ttl=118 time=8.46 ms

But TCP connections do not work:

#> curl -4 www.google.com -> hangs (no response - timeout)
#> curl -6 www.google.com -> hangs (no response - timeout)

Connections inside the LAN zone are working,
e.g. SSH from a Wi-Fi device to a LAN device and back works.

This happens on all LAN-connected devices.
I have no clue where to look at the moment ...

my configs:

#>cat /etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        option ipaddr '192.168.10.200'
        option netmask '255.255.0.0'

config device
        option name 'wan'
        option macaddr '62:38:e0:10:b1:bf'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option hostname '*'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
#> cat /etc/config/dhcp
   option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option domain 'HBergerNet.Local'
        option local '/lan/'

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option dhcpv4 'server'
        option start '2815'
        option limit '100'
        option ra 'hybrid'
        option dhcpv6 'hybrid'
        list ra_flags 'managed-config'
        option ra_slaac '0'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'wan6'
        option interface 'wan6'
        option dhcpv6 'relay'
        list ra_flags 'none'

config domain
        option name 'ldap_s1'
        option ip '192.168.10.201'

config host
        option name 'RBNetGearSwitch1'
        option dns '1'
        option mac '00:1E:2A:CE:02:A3'
        option ip '192.168.10.155'

... tons of config host entries -> static leases
#>cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config redirect
        option target 'DNAT'
        option name 'https'
        option src 'wan'
        option src_dport '443'
        option dest 'lan'
        option dest_ip '192.168.10.201'
        option dest_port '443'
        list proto 'tcp'
        list proto 'udp'

I think most of your configuration is close to the default, so the only possible culprit would be that you are incorrectly using hybrid mode for DHCPv6 and RA in the dhcp configuration (`option ra 'hybrid'` and `option dhcpv6 'hybrid'` in the 'lan' section). Since you mentioned prefix delegation, there is no need for relay, so hybrid is not needed, only server mode.

As you can see in the Allow-ICMPv6-Input and Allow-ICMPv6-Forward rules of your firewall config, echo-request from the wan zone is allowed.

That's weird and I cannot explain it. Try another LAN port, and connect your PC directly to the router so that the switch behind lan1 is ruled out.

In general, your setup can work with the default OpenWrt configuration. So worst case, take a backup and reset to defaults to be sure.

thanks for the answer :slight_smile:
atm i cannot try, but later i will :slight_smile:
I think I will take the newest firmware again and install it, including a factory reset ...