Twin IPV6 setup: one HE.net, other PPP from ISP

aboaboit · April 13, 2019, 8:22pm

Ok, I switched it to PPPOE. Now I have:

pppoe-wan with an IPv4
pppoe-wan6 with a different IPv4 and an IPv6
wan6_6 visible only in the gui, as virtual dynamic interface

Is this what you meant? I'm pretty sure my previous setup did not waste an IPv4 address just in order to have an IPv6 one, too. Also, br-lan does not get an IPv6 prefix assigned to it, even after adding ip6class, and IPv4 forwarding is still shot.

I guess I need to study the current documentation a bit more in depth:
https://openwrt.org/docs/guide-user/network/ipv6/start

aboaboit · April 13, 2019, 8:24pm

Hmm, sorry, I'm afraid I don't understand your point. Could you clarify your suggestion?
All I get from those command are details of the he.net tunnel, not what I was looking for.

vgaetera · April 13, 2019, 9:34pm

If it can't fetch the correct interface automatically see the full dump below.

ubus call network.interface dump

Check:

Upstream interface prefix and routes
Downstream interface prefix assignment

ip a; ip r; ip ru
uci show network; uci show firewall
sysctl net 2>/dev/null | grep -e forward

Verify there're no errors and collisions:

Physical interfaces <-> Logical interfaces <-> Firewall zones
Routing tables + Routing policies
Forwardings

aboaboit · April 13, 2019, 11:29pm

I've tried a few things:

changed wan6 to use '@wan' instead of 'eth0.2' (this made the spurious second IPv4 disappear)
added ip6assign to lan
added ipv6 '1' to wan (no, auto isn't enough with ppp, according to the docs)

This way I have br-lan with an ISP-assigned prefix, br-guest with the one from he.net and... forwarding is still shot (and dyndns isn't getting updated ). Fun fact, this is now almost the same config I had with 15.05, only visible difference is the separate stanza for "lan_dev" and the MAC.

These are the current configs, hopefully they'll be clearer to you than the output of "ip" is to me:

network)

config interface 'lan'
        option ifname 'eth0.1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ipv6 '0' # 'auto'
        list ip6class 'wan6'
        option ip6assign '60'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '...'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'pppoe'
#       option username 'adsl@alice6.it'
#       option password 'adsl@alice6.it'
        option username 'username'
        option password 'password'
        option peerdns '0'
        option dns '8.8.8.8 8.8.4.4'
#       option ipv6 '1' # required for IPV6 / PPP
        option keepalive '6 5'

config device 'wan_dev'
        option name 'eth0.2'
        option macaddr '...'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'
        option ipv6 'auto'
        option auto '0' # 1
        option defaultroute '1'

config interface 'guest'
        option type 'bridge'
        option proto 'static'
        option ifname 'eth0.3'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        list ip6class 'he_1_nyc'
        option ipv6 'auto'

config interface 'modem'
        option proto 'dhcp'
        option ifname 'eth0.2'
        option delegate '0'
        option defaultroute '0'
        option peerdns '0'

config interface 'he_1_nyc'
        option proto '6in4'
        [redacted]
        option auto '1'

config interface 'he_2_zur'
        option proto '6in4'
        [redacted]
        option auto '0'

config interface 'vpn0'
        option proto 'none'
        option ifname 'tun0'
        option auto '1'

firewall)

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'lan'
        option forward 'REJECT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'he_1_nyc he_2_zur wan wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

onfig rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'guest'
        option network 'guest'

config zone
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'modem'
        option input 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'modem'

config rule
        option src 'wan'
        option proto '41'
        option target 'ACCEPT'
        option name 'IPv6-in-IPv4'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option name 'OpenVPN'
        option dest_port '1194'

config zone
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'vpn'
        option network 'vpn0'

config forwarding
        option dest 'wan'
        option src 'guest'

config forwarding
        option dest 'wan'
        option src 'vpn'

config forwarding
        option dest 'modem'
        option src 'lan'

config forwarding
        option dest 'wan'
        option src 'lan'

config forwarding
        option dest 'lan'
        option src 'vpn'

Switching the commented values, changes the config from working to broken and viceversa.
I'll try again when I have a chance, thank you for your help.

vgaetera · April 14, 2019, 9:06am

To troubleshoot, you should first check runtime configuration.
When you see an error, dig in persistent configuration.
Otherwise you can't verify that the runtime configuration is applied properly.

aboaboit · April 14, 2019, 9:09am

Problem is, I can't read it fluently.

mikma · April 14, 2019, 9:21am

We also can't since you haven't posted it.

aboaboit · April 14, 2019, 9:34am

That is a problem that can be easily solved, though
In a few moments I am going to change configuration, copy the runtime, go back to current working config and post it here.

aboaboit · April 14, 2019, 10:24am

Output of "ubus call network.interface dump":

{
	"interface": [
		{
			"interface": "guest",
			"up": true,
			"pending": false,
			"available": true,
			"autostart": true,
			"dynamic": false,
			"uptime": 39837,
			"l3_device": "br-guest",
			"proto": "static",
			"device": "br-guest",
			"updated": [
				"addresses"
			],
			"metric": 0,
			"dns_metric": 0,
			"delegation": true,
			"ipv4-address": [
				{
					"address": "192.168.3.1",
					"mask": 24
				}
			],
			"ipv6-address": [
				
			],
			"ipv6-prefix": [
				
			],
			"ipv6-prefix-assignment": [
				{
					"address": "2001:470:8afd::",
					"mask": 64,
					"local-address": {
						"address": "2001:470:8afd::1",
						"mask": 64
					}
				}
			],
			"route": [
				
			],
			"dns-server": [
				
			],
			"dns-search": [
				
			],
			"inactive": {
				"ipv4-address": [
					
				],
				"ipv6-address": [
					
				],
				"route": [
					
				],
				"dns-server": [
					
				],
				"dns-search": [
					
				]
			},
			"data": {
				
			}
		},
		{
			"interface": "he_1_nyc",
			"up": true,
			"pending": false,
			"available": true,
			"autostart": true,
			"dynamic": false,
			"uptime": 51,
			"l3_device": "6in4-he_1_nyc",
			"proto": "6in4",
			"updated": [
				"addresses",
				"routes",
				"prefixes"
			],
			"metric": 0,
			"dns_metric": 0,
			"delegation": true,
			"ipv4-address": [
				
			],
			"ipv6-address": [
				{
					"address": "2001:470:1f06:82b::2",
					"mask": 64
				}
			],
			"ipv6-prefix": [
				{
					"address": "2001:470:8afd::",
					"mask": 48,
					"class": "he_1_nyc",
					"assigned": {
						"guest": {
							"address": "2001:470:8afd::",
							"mask": 64
						}
					}
				}
			],
			"ipv6-prefix-assignment": [
				
			],
			"route": [
				{
					"target": "::",
					"mask": 0,
					"nexthop": "::",
					"source": "2001:470:8afd::\/48"
				},
				{
					"target": "::",
					"mask": 0,
					"nexthop": "::",
					"source": "2001:470:1f06:82b::2\/64"
				}
			],
			"dns-server": [
				"2001:470:20::2",
				"2001:4860:4860::8888",
				"2001:4860:4860::8844"
			],
			"dns-search": [
				
			],
			"inactive": {
				"ipv4-address": [
					
				],
				"ipv6-address": [
					
				],
				"route": [
					
				],
				"dns-server": [
					
				],
				"dns-search": [
					
				]
			},
			"data": {
				
			}
		},
		{
			"interface": "he_2_zur",
			"up": false,
			"pending": false,
			"available": true,
			"autostart": false,
			"dynamic": false,
			"proto": "6in4",
			"data": {
				
			}
		},
		{
			"interface": "lan",
			"up": true,
			"pending": false,
			"available": true,
			"autostart": true,
			"dynamic": false,
			"uptime": 71,
			"l3_device": "br-lan",
			"proto": "static",
			"device": "br-lan",
			"updated": [
				"addresses"
			],
			"metric": 0,
			"dns_metric": 0,
			"delegation": true,
			"ipv4-address": [
				{
					"address": "192.168.2.1",
					"mask": 24
				}
			],
			"ipv6-address": [
				
			],
			"ipv6-prefix": [
				
			],
			"ipv6-prefix-assignment": [
				{
					"address": "2a01:2000:2001:d964::",
					"mask": 64,
					"preferred": 315,
					"valid": 315,
					"local-address": {
						"address": "2a01:2000:2001:d964::1",
						"mask": 64
					}
				}
			],
			"route": [
				
			],
			"dns-server": [
				
			],
			"dns-search": [
				
			],
			"inactive": {
				"ipv4-address": [
					
				],
				"ipv6-address": [
					
				],
				"route": [
					
				],
				"dns-server": [
					
				],
				"dns-search": [
					
				]
			},
			"data": {
				
			}
		},
		{
			"interface": "loopback",
			"up": true,
			"pending": false,
			"available": true,
			"autostart": true,
			"dynamic": false,
			"uptime": 43508,
			"l3_device": "lo",
			"proto": "static",
			"device": "lo",
			"updated": [
				"addresses"
			],
			"metric": 0,
			"dns_metric": 0,
			"delegation": true,
			"ipv4-address": [
				{
					"address": "127.0.0.1",
					"mask": 8
				}
			],
			"ipv6-address": [
				
			],
			"ipv6-prefix": [
				
			],
			"ipv6-prefix-assignment": [
				
			],
			"route": [
				
			],
			"dns-server": [
				
			],
			"dns-search": [
				
			],
			"inactive": {
				"ipv4-address": [
					
				],
				"ipv6-address": [
					
				],
				"route": [
					
				],
				"dns-server": [
					
				],
				"dns-search": [
					
				]
			},
			"data": {
				
			}
		},
		{
			"interface": "modem",
			"up": true,
			"pending": false,
			"available": true,
			"autostart": true,
			"dynamic": false,
			"uptime": 43507,
			"l3_device": "eth0.2",
			"proto": "dhcp",
			"device": "eth0.2",
			"updated": [
				"addresses",
				"routes",
				"data"
			],
			"metric": 0,
			"dns_metric": 0,
			"delegation": false,
			"ipv4-address": [
				{
					"address": "192.168.1.4",
					"mask": 24
				}
			],
			"ipv6-address": [
				
			],
			"ipv6-prefix": [
				
			],
			"ipv6-prefix-assignment": [
				
			],
			"route": [
				
			],
			"dns-server": [
				
			],
			"dns-search": [
				
			],
			"inactive": {
				"ipv4-address": [
					
				],
				"ipv6-address": [
					
				],
				"route": [
					{
						"target": "0.0.0.0",
						"mask": 0,
						"nexthop": "192.168.1.1",
						"source": "192.168.1.4\/32"
					}
				],
				"dns-server": [
					"192.168.1.1",
					"192.168.1.1"
				],
				"dns-search": [
					
				]
			},
			"data": {
				"leasetime": 172800
			}
		},
		{
			"interface": "vpn0",
			"up": true,
			"pending": false,
			"available": true,
			"autostart": true,
			"dynamic": false,
			"uptime": 43478,
			"l3_device": "tun0",
			"proto": "none",
			"device": "tun0",
			"metric": 0,
			"dns_metric": 0,
			"delegation": true,
			"ipv4-address": [
				
			],
			"ipv6-address": [
				
			],
			"ipv6-prefix": [
				
			],
			"ipv6-prefix-assignment": [
				
			],
			"route": [
				
			],
			"dns-server": [
				
			],
			"dns-search": [
				
			],
			"inactive": {
				"ipv4-address": [
					
				],
				"ipv6-address": [
					
				],
				"route": [
					
				],
				"dns-server": [
					
				],
				"dns-search": [
					
				]
			},
			"data": {
				
			}
		},
		{
			"interface": "wan",
			"up": true,
			"pending": false,
			"available": true,
			"autostart": true,
			"dynamic": false,
			"uptime": 52,
			"l3_device": "pppoe-wan",
			"proto": "pppoe",
			"device": "eth0.2",
			"updated": [
				"addresses"
			],
			"metric": 0,
			"dns_metric": 0,
			"delegation": true,
			"ipv4-address": [
				{
					"address": "79.24.190.114",
					"mask": 32,
					"ptpaddress": "192.168.100.1"
				}
			],
			"ipv6-address": [
				{
					"address": "fe80::1",
					"mask": 128
				}
			],
			"ipv6-prefix": [
				
			],
			"ipv6-prefix-assignment": [
				
			],
			"route": [
				{
					"target": "0.0.0.0",
					"mask": 0,
					"nexthop": "192.168.100.1",
					"source": "0.0.0.0\/0"
				}
			],
			"dns-server": [
				"8.8.8.8",
				"8.8.4.4"
			],
			"dns-search": [
				
			],
			"inactive": {
				"ipv4-address": [
					
				],
				"ipv6-address": [
					
				],
				"route": [
					
				],
				"dns-server": [
					"85.38.28.120",
					"85.38.28.121"
				],
				"dns-search": [
					
				]
			},
			"data": {
				
			}
		},
		{
			"interface": "wan6",
			"up": true,
			"pending": false,
			"available": true,
			"autostart": true,
			"dynamic": false,
			"uptime": 46,
			"l3_device": "pppoe-wan",
			"proto": "dhcpv6",
			"device": "pppoe-wan",
			"updated": [
				"prefixes"
			],
			"metric": 0,
			"dns_metric": 0,
			"delegation": true,
			"ipv4-address": [
				
			],
			"ipv6-address": [
				{
					"address": "2a01:2000:2000:1255::1",
					"mask": 64,
					"preferred": 604785,
					"valid": 2591985
				}
			],
			"ipv6-prefix": [
				{
					"address": "2a01:2000:2001:d964::",
					"mask": 64,
					"preferred": 315,
					"valid": 315,
					"class": "wan6",
					"assigned": {
						"lan": {
							"address": "2a01:2000:2001:d964::",
							"mask": 64
						}
					}
				}
			],
			"ipv6-prefix-assignment": [
				
			],
			"route": [
				{
					"target": "2a01:2000:2000:1255::",
					"mask": 64,
					"nexthop": "::",
					"metric": 256,
					"valid": 2591985,
					"source": "::\/0"
				},
				{
					"target": "::",
					"mask": 0,
					"nexthop": "fe80::90:1a00:1a4:d80f",
					"metric": 512,
					"valid": 25,
					"source": "2a01:2000:2000:1255::1\/64"
				},
				{
					"target": "::",
					"mask": 0,
					"nexthop": "fe80::90:1a00:1a4:d80f",
					"metric": 512,
					"valid": 25,
					"source": "2a01:2000:2001:d964::\/64"
				}
			],
			"dns-server": [
				"2001:4b18:3050:916f::53:c001",
				"2001:4b18:3050:916f::53:c002"
			],
			"dns-search": [
				
			],
			"inactive": {
				"ipv4-address": [
					
				],
				"ipv6-address": [
					
				],
				"route": [
					
				],
				"dns-server": [
					
				],
				"dns-search": [
					
				]
			},
			"data": {
				"passthru": "0017002020014b183050916f000000000053c00120014b183050916f000000000053c002"
			}
		}
	]
}

Output of "ip a":

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 1000
    link/ether e4:95:6e:40:5e:e2 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::e695:6eff:fe40:5ee2/64 scope link 
       valid_lft forever preferred_lft forever
3: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
4: ifb0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc hfsc state UNKNOWN qlen 32
    link/ether 36:61:60:5c:92:2d brd ff:ff:ff:ff:ff:ff
    inet6 fe80::3461:60ff:fe5c:922d/64 scope link 
       valid_lft forever preferred_lft forever
5: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN qlen 32
    link/ether 9a:96:f6:70:51:d3 brd ff:ff:ff:ff:ff:ff
11: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether e4:95:6e:40:5e:e3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.4/24 brd 192.168.1.255 scope global eth0.2
       valid_lft forever preferred_lft forever
    inet6 fe80::e695:6eff:fe40:5ee3/64 scope link 
       valid_lft forever preferred_lft forever
16: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    link/[65534] 
    inet 10.42.0.1 peer 10.42.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 2001:470:8afd:42::1/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::aaa7:1c81:a6dc:fe40/64 scope link 
       valid_lft forever preferred_lft forever
39: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether e4:95:6e:40:5e:e2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.1/24 brd 192.168.3.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 2001:470:8afd::1/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::e695:6eff:fe40:5ee2/64 scope link 
       valid_lft forever preferred_lft forever
40: eth0.3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP qlen 1000
    link/ether e4:95:6e:40:5e:e2 brd ff:ff:ff:ff:ff:ff
55: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether e4:95:6e:40:5e:e2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 2a01:2000:2001:d964::1/64 scope global dynamic 
       valid_lft 306sec preferred_lft 306sec
    inet6 fe80::e695:6eff:fe40:5ee2/64 scope link 
       valid_lft forever preferred_lft forever
56: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether e4:95:6e:40:5e:e2 brd ff:ff:ff:ff:ff:ff
58: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether e4:95:6e:40:5e:e2 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::e695:6eff:fe40:5ee2/64 scope link 
       valid_lft forever preferred_lft forever
59: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1462 qdisc hfsc state UNKNOWN qlen 3
    link/ppp 
    inet 79.24.190.114 peer 192.168.100.1/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
    inet6 2a01:2000:2000:1255::1/64 scope global dynamic 
       valid_lft 2591976sec preferred_lft 604776sec
    inet6 fe80::1/10 scope link 
       valid_lft forever preferred_lft forever
60: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-guest state UP qlen 1000
    link/ether e4:95:6e:40:5e:e3 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::e695:6eff:fe40:5ee3/64 scope link 
       valid_lft forever preferred_lft forever
61: 6in4-he_1_nyc@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN qlen 1000
    link/sit 79.24.190.114 peer 209.51.161.14
    inet6 2001:470:1f06:82b::2/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::4f18:be72/64 scope link 
       valid_lft forever preferred_lft forever

Output of "ip r":

default via 192.168.100.1 dev pppoe-wan 
10.42.0.0/24 via 10.42.0.2 dev tun0 
10.42.0.2 dev tun0 scope link  src 10.42.0.1 
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.4 
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1 
192.168.3.0/24 dev br-guest scope link  src 192.168.3.1 
192.168.100.1 dev pppoe-wan scope link  src 79.24.190.114 
209.51.161.14 via 192.168.100.1 dev pppoe-wan

Output of "ip ru":

0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default

Output of "uci show network":

network.globals=globals
network.globals.ula_prefix='fd05:11f7:5291::/48'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].vid='1'
network.@switch_vlan[0].ports='1 2 3 6t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].vid='2'
network.@switch_vlan[1].ports='0 6t'
network.@switch_vlan[2]=switch_vlan
network.@switch_vlan[2].device='switch0'
network.@switch_vlan[2].vlan='3'
network.@switch_vlan[2].vid='3'
network.@switch_vlan[2].ports='4 6t'
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.lan=interface
network.lan.ifname='eth0.1'
network.lan.type='bridge'
network.lan.proto='static'
network.lan.ipaddr='192.168.2.1'
network.lan.netmask='255.255.255.0'
network.lan.ipv6='auto'
network.lan.ip6class='wan6'
network.lan.ip6assign='60'
network.lan_dev=device
network.lan_dev.name='eth0.1'
network.lan_dev.macaddr='e4:95:6e:40:5e:e2'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='pppoe'
network.wan.username='adsl@alice6.it'
network.wan.password='adsl@alice6.it'
network.wan.peerdns='0'
network.wan.dns='8.8.8.8 8.8.4.4'
network.wan.ipv6='1'
network.wan.keepalive='6 5'
network.wan_dev=device
network.wan_dev.name='eth0.2'
network.wan_dev.macaddr='e4:95:6e:40:5e:e3'
network.wan6=interface
network.wan6.ifname='@wan'
network.wan6.proto='dhcpv6'
network.wan6.ipv6='auto'
network.wan6.auto='1'
network.wan6.defaultroute='1'
network.guest=interface
network.guest.type='bridge'
network.guest.proto='static'
network.guest.ifname='eth0.3'
network.guest.ipaddr='192.168.3.1'
network.guest.netmask='255.255.255.0'
network.guest.ip6assign='64'
network.guest.ip6class='he_1_nyc'
network.guest.ipv6='auto'
network.modem=interface
network.modem.proto='dhcp'
network.modem.ifname='eth0.2'
network.modem.delegate='0'
network.modem.defaultroute='0'
network.modem.peerdns='0'
network.he_1_nyc=interface
network.he_1_nyc.proto='6in4'
network.he_1_nyc.peeraddr='209.51.161.14'
network.he_1_nyc.ip6addr='2001:470:1f06:82b::2/64'
network.he_1_nyc.ip6prefix='2001:470:8afd::/48'
network.he_1_nyc.tunnelid='xxxxxx'
network.he_1_nyc.username='xxxxxx'
network.he_1_nyc.password='xxxxxx'
network.he_1_nyc.dns='2001:470:20::2 2001:4860:4860::8888 2001:4860:4860::8844'
network.he_1_nyc.auto='1'
network.he_2_zur=interface
network.he_2_zur.proto='6in4'
network.he_2_zur.peeraddr='216.66.80.98'
network.he_2_zur.ip6addr='2001:470:25:b78::2/64'
network.he_2_zur.ip6prefix='2001:470:b4f9::/48'
network.he_2_zur.tunnelid='xxxxxx'
network.he_2_zur.username='xxxxxx'
network.he_2_zur.password='xxxxxx'
network.he_2_zur.dns='2001:470:20::2 2001:4860:4860::8888 2001:4860:4860::8844'
network.he_2_zur.auto='0'
network.vpn0=interface
network.vpn0.proto='none'
network.vpn0.ifname='tun0'
network.vpn0.auto='1'

Output of "uci show firewall":

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].drop_invalid='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[0].forward='REJECT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='he_1_nyc he_2_zur wan wan6'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='udp'
firewall.@redirect[0].src_dport='7885'
firewall.@redirect[0].dest_ip='192.168.2.4'
firewall.@redirect[0].dest_port='7885'
firewall.@redirect[0].name='DHT-mononoke'
firewall.@redirect[0].enabled='0'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].proto='tcp udp'
firewall.@redirect[1].src_dport='6885'
firewall.@redirect[1].dest_ip='192.168.2.4'
firewall.@redirect[1].dest_port='6885'
firewall.@redirect[1].name='Torrent-mononoke'
firewall.@redirect[1].enabled='0'
firewall.@redirect[2]=redirect
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].proto='tcp udp'
firewall.@redirect[2].src_dport='51413'
firewall.@redirect[2].dest_ip='192.168.2.3'
firewall.@redirect[2].dest_port='51413'
firewall.@redirect[2].name='Torrent-nasone'
firewall.@redirect[3]=redirect
firewall.@redirect[3].target='DNAT'
firewall.@redirect[3].src='wan'
firewall.@redirect[3].dest='lan'
firewall.@redirect[3].proto='udp'
firewall.@redirect[3].src_dport='8885'
firewall.@redirect[3].dest_ip='192.168.2.4'
firewall.@redirect[3].dest_port='8885'
firewall.@redirect[3].name='Tracker-mononoke'
firewall.@zone[2]=zone
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].name='guest'
firewall.@zone[2].network='guest'
firewall.@zone[3]=zone
firewall.@zone[3].forward='REJECT'
firewall.@zone[3].output='ACCEPT'
firewall.@zone[3].name='modem'
firewall.@zone[3].input='REJECT'
firewall.@zone[3].masq='1'
firewall.@zone[3].mtu_fix='1'
firewall.@zone[3].network='modem'
firewall.@rule[9]=rule
firewall.@rule[9].src='wan'
firewall.@rule[9].proto='41'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].name='IPv6-in-IPv4'
firewall.@rule[10]=rule
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].src='wan'
firewall.@rule[10].proto='tcp'
firewall.@rule[10].dest_port='10022'
firewall.@rule[10].name='ssh router'
firewall.@rule[11]=rule
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].src='wan'
firewall.@rule[11].proto='udp'
firewall.@rule[11].name='OpenVPN'
firewall.@rule[11].dest_port='1194'
firewall.@zone[4]=zone
firewall.@zone[4].input='ACCEPT'
firewall.@zone[4].forward='REJECT'
firewall.@zone[4].output='ACCEPT'
firewall.@zone[4].name='vpn'
firewall.@zone[4].network='vpn0'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[0].src='guest'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[1].src='vpn'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].dest='modem'
firewall.@forwarding[2].src='lan'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].dest='wan'
firewall.@forwarding[3].src='lan'
firewall.@forwarding[4]=forwarding
firewall.@forwarding[4].dest='lan'
firewall.@forwarding[4].src='vpn'

Output of "sysctl net 2>/dev/null | grep -e forward":

net.ipv4.conf.6in4-he_1_nyc.forwarding = 1
net.ipv4.conf.6in4-he_1_nyc.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.br-guest.forwarding = 1
net.ipv4.conf.br-guest.mc_forwarding = 0
net.ipv4.conf.br-lan.forwarding = 1
net.ipv4.conf.br-lan.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.1.forwarding = 1
net.ipv4.conf.eth0.1.mc_forwarding = 0
net.ipv4.conf.eth0.2.forwarding = 1
net.ipv4.conf.eth0.2.mc_forwarding = 0
net.ipv4.conf.eth0.3.forwarding = 1
net.ipv4.conf.eth0.3.mc_forwarding = 0
net.ipv4.conf.ifb0.forwarding = 1
net.ipv4.conf.ifb0.mc_forwarding = 0
net.ipv4.conf.ifb1.forwarding = 1
net.ipv4.conf.ifb1.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.pppoe-wan.forwarding = 1
net.ipv4.conf.pppoe-wan.mc_forwarding = 0
net.ipv4.conf.sit0.forwarding = 1
net.ipv4.conf.sit0.mc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.conf.wlan0.forwarding = 1
net.ipv4.conf.wlan0.mc_forwarding = 0
net.ipv4.conf.wlan0-1.forwarding = 1
net.ipv4.conf.wlan0-1.mc_forwarding = 0
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
net.ipv6.conf.6in4-he_1_nyc.forwarding = 1
net.ipv6.conf.6in4-he_1_nyc.mc_forwarding = 0
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.br-guest.forwarding = 1
net.ipv6.conf.br-guest.mc_forwarding = 0
net.ipv6.conf.br-lan.forwarding = 1
net.ipv6.conf.br-lan.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.eth0.1.forwarding = 1
net.ipv6.conf.eth0.1.mc_forwarding = 0
net.ipv6.conf.eth0.2.forwarding = 1
net.ipv6.conf.eth0.2.mc_forwarding = 0
net.ipv6.conf.eth0.3.forwarding = 1
net.ipv6.conf.eth0.3.mc_forwarding = 0
net.ipv6.conf.ifb0.forwarding = 1
net.ipv6.conf.ifb0.mc_forwarding = 0
net.ipv6.conf.ifb1.forwarding = 1
net.ipv6.conf.ifb1.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.pppoe-wan.forwarding = 1
net.ipv6.conf.pppoe-wan.mc_forwarding = 0
net.ipv6.conf.sit0.forwarding = 1
net.ipv6.conf.sit0.mc_forwarding = 0
net.ipv6.conf.tun0.forwarding = 1
net.ipv6.conf.tun0.mc_forwarding = 0
net.ipv6.conf.wlan0.forwarding = 1
net.ipv6.conf.wlan0.mc_forwarding = 0
net.ipv6.conf.wlan0-1.forwarding = 1
net.ipv6.conf.wlan0-1.mc_forwarding = 0

vgaetera · April 14, 2019, 1:04pm

It seems, you need to add default route for the prefix.
Check to be sure:

ip -6 r; ip -6 ru

aboaboit · April 14, 2019, 4:27pm

Which prefix, the one coming from he.net or from the ISP? Incidentally, he.net works nicely alone and the "default gateway" box is ticked in both "he_1_nyc" and "wan6".

By the by, I find it puzzling that he.net does not get updated. There is still a single IPV4 WAN so the dynamic update shouldn't be confused. The RX counter at zero means IPv4 endpoint is wrong, as I rediscovered recently.

Anyhow, here is the information you asked for.

Output of "ip -6 r":

default from 2001:470:1f06:82b::/64 dev 6in4-he_1_nyc  metric 1024 
default from 2001:470:8afd::/48 dev 6in4-he_1_nyc  metric 1024 
default from 2a01:2000:2000:1d2e::/64 via fe80::90:1a00:1a4:d80f dev pppoe-wan  metric 512 
default from 2a01:2000:2001:e27d::/64 via fe80::90:1a00:1a4:d80f dev pppoe-wan  metric 512 
2001:470:1f06:82b::/64 dev 6in4-he_1_nyc  metric 256 
2001:470:8afd::/64 dev br-guest  metric 1024 
2001:470:8afd:42::/64 dev tun0  metric 256 
unreachable 2001:470:8afd::/48 dev lo  metric 2147483647  error -148
2a01:2000:2000:1d2e::/64 dev pppoe-wan  metric 256 
2a01:2000:2001:e27d::/64 dev br-lan  metric 1024 
unreachable 2a01:2000:2001:e27d::/64 dev lo  metric 2147483647  error -148
unreachable fd05:11f7:5291::/48 dev lo  metric 2147483647  error -148
fe80::/64 dev eth0  metric 256 
fe80::/64 dev eth0.2  metric 256 
fe80::/64 dev ifb0  metric 256 
fe80::/64 dev tun0  metric 256 
fe80::/64 dev br-guest  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev wlan0  metric 256 
fe80::/64 dev wlan0-1  metric 256 
fe80::/64 dev 6in4-he_1_nyc  metric 256 
fe80::/10 dev pppoe-wan  metric 1 
fe80::/10 dev pppoe-wan  metric 256 
anycast 2001:470:1f06:82b:: dev 6in4-he_1_nyc  metric 0 
anycast 2001:470:8afd:: dev br-guest  metric 0 
anycast 2001:470:8afd:42:: dev tun0  metric 0 
anycast 2a01:2000:2000:1d2e:: dev pppoe-wan  metric 0 
anycast 2a01:2000:2001:e27d:: dev br-lan  metric 0 
anycast fe80:: dev eth0  metric 0 
anycast fe80:: dev eth0.2  metric 0 
anycast fe80:: dev ifb0  metric 0 
anycast fe80:: dev tun0  metric 0 
anycast fe80:: dev br-guest  metric 0 
anycast fe80:: dev br-lan  metric 0 
anycast fe80:: dev wlan0  metric 0 
anycast fe80:: dev wlan0-1  metric 0 
anycast fe80:: dev pppoe-wan  metric 0 
anycast fe80:: dev 6in4-he_1_nyc  metric 0 
ff00::/8 dev eth0  metric 256 
ff00::/8 dev eth0.2  metric 256 
ff00::/8 dev ifb0  metric 256 
ff00::/8 dev tun0  metric 256 
ff00::/8 dev br-guest  metric 256 
ff00::/8 dev br-lan  metric 256 
ff00::/8 dev wlan0  metric 256 
ff00::/8 dev wlan0-1  metric 256 
ff00::/8 dev pppoe-wan  metric 256 
ff00::/8 dev 6in4-he_1_nyc  metric 256

Output of "ip -6 ru":

0:	from all lookup local 
32766:	from all lookup main 
4200000000:	from 2001:470:8afd::1/64 iif br-guest lookup unspec unreachable
4200000000:	from 2a01:2000:2001:e27d::1/64 iif br-lan lookup unspec unreachable
4200000001:	from all iif lo lookup unspec 12
4200000011:	from all iif eth0.2 lookup unspec 12
4200000016:	from all iif tun0 lookup unspec 12
4200000039:	from all iif br-guest lookup unspec 12
4200000074:	from all iif br-lan lookup unspec 12
4200000078:	from all iif pppoe-wan lookup unspec 12
4200000078:	from all iif pppoe-wan lookup unspec 12
4200000080:	from all iif 6in4-he_1_nyc lookup unspec 12

vgaetera · April 14, 2019, 5:14pm

The routes are there, let's test them:

. /lib/functions/network.sh
network_flush_cache
for NET_IF in lan wan6
do
network_get_ipaddr6 NET_ADDR "${NET_IF}"
traceroute6 -m 10 -q 1 -s "${NET_ADDR}" example.org
done

aboaboit · April 14, 2019, 7:05pm

Since I can reach HE via ipv6 from my desktop, I updated the endpoint manually (I'll figure out why it doesn't work another day) and took the liberty of adding he_1_nyc to your "for" loop. Next moment I can try to debug this is in a few days, in the meanwhile here is the output:

traceroute to openwrt.org (2a03:b0c0:3:d0::1af1:1) from 2a01:2000:2001:e57b::1, 10 hops max, 64 byte packets
 1  *
 2  2a01:20f0:2006::4 (2a01:20f0:2006::4)  35.480 ms
 3  *
 4  *
 5  2001:41a8:20:2::6 (2001:41a8:20:2::6)  47.060 ms
 6  ibs-resid.milano30.mil.seabone.net (2001:41a8:20:2::1)  44.500 ms
 7  mil51-loop0-v6.mil.seabone.net (2001:41a8:20::33)  37.720 ms
 8  2001:41a8:20:2::9e (2001:41a8:20:2::9e)  48.380 ms
 9  ae-1.r01.mlanit01.it.bb.gin.ntt.net (2001:728:0:2000::d)  45.780 ms
10  ae-13.r25.frnkge08.de.bb.gin.ntt.net (2001:728:0:2000::176)  70.081 ms
traceroute to openwrt.org (2a03:b0c0:3:d0::1af1:1) from 2a01:2000:2000:2105::1, 10 hops max, 64 byte packets
 1  *
 2  *
 3  *
 4  *
 5  2001:41a8:20:2::6 (2001:41a8:20:2::6)  53.441 ms
 6  ibs-resid.milano30.mil.seabone.net (2001:41a8:20:2::1)  40.880 ms
 7  mil51-loop0-v6.mil.seabone.net (2001:41a8:20::33)  55.100 ms
 8  2001:41a8:20:2::9e (2001:41a8:20:2::9e)  38.720 ms
 9  *
10  ae-13.r25.frnkge08.de.bb.gin.ntt.net (2001:728:0:2000::176)  100.701 ms
traceroute to openwrt.org (2a03:b0c0:3:d0::1af1:1) from 2001:470:1f06:82b::2, 10 hops max, 64 byte packets
 1  tunnel320522.tunnel.tserv4.nyc4.ipv6.he.net (2001:470:1f06:82b::1)  208.881 ms
 2  ve422.core1.nyc4.he.net (2001:470:0:5d::1)  195.720 ms
 3  100ge11-1.core1.nyc5.he.net (2001:470:0:20a::2)  169.501 ms
 4  100ge8-2.core1.dub1.he.net (2001:470:0:440::2)  239.501 ms
 5  *
 6  *
 7  *
 8  2604:a880:ffff:d::9 (2604:a880:ffff:d::9)  218.780 ms
 9  *
10  *

Other fun facts:

ping both ipv4.google.com and ipv6.google.com from the desktop and the router: they all work
Thunderbird can't get through to gmail
from the desktop ipv6-test.com is dead slow and fails most of the IPV4 tests. If I try that with HE only, it is quite fast and gets 19/20 score.
ddns is throwing curl 7 errors when updating duckdns (the config for this service is unchanged with respect to my "HE-only" IPV6 setup).
the VPNs I have on the NAS cannot connect (servers are listed by IP, not name)

Wednesday or thursday I should have time for more tests, hopefully.
Thanks,
Andrea.

vgaetera · April 15, 2019, 7:42am

Your routing and firewall seem normal.
But the missing responses in traceroute output makes me suspect connection stability.
I suggest to test the connection with mtr.

This is confusing because IPv6 tunnel broker works via IPv4.
The tunnel broker might work better because of low MTU:
https://github.com/openwrt/openwrt/blob/master/package/network/ipv6/6in4/files/6in4.sh#L76
So, try to reduce the link MTU down to 1400 or 1300.

Also replace ISP-DNS with some public DNS-provider:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#upstream_dns_provider

aboaboit · April 17, 2019, 6:49pm

Thanks, I will try your suggestion of a lower MTU and provide the mtr output after some more testing.

I was indeed using Google's DNS also for IPV6 when I ran the tests but even switching to those provided by the ISP doesn't help.

vgaetera · April 17, 2019, 7:57pm

To verify that MTU has changed, see:

ip link show

In fact, major DNS-providers, such as Google, Cloudflare or Quad9, often work better than ISP-DNS due to higher fault tolerance and compatibility.

aboaboit · April 21, 2019, 4:42pm

New round of testing:

I set MTU to 1300 for wan6 and the HE tunnel
Using Google's DNS servers for both IPV4 and IPV6
Again, had to manually update the tunnel endpoint, else RX would remain stuck at 0.

No changes in outcome: only HE tunnel website works reliably.

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 1000
    link/ether e4:95:6e:40:5e:e2 brd ff:ff:ff:ff:ff:ff
3: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
4: ifb0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc hfsc state UNKNOWN qlen 32
    link/ether 36:61:60:5c:92:2d brd ff:ff:ff:ff:ff:ff
5: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN qlen 32
    link/ether 9a:96:f6:70:51:d3 brd ff:ff:ff:ff:ff:ff
11: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether e4:95:6e:40:5e:e3 brd ff:ff:ff:ff:ff:ff
16: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    link/[65534] 
39: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether e4:95:6e:40:5e:e2 brd ff:ff:ff:ff:ff:ff
40: eth0.3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP qlen 1000
    link/ether e4:95:6e:40:5e:e2 brd ff:ff:ff:ff:ff:ff
117: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether e4:95:6e:40:5e:e2 brd ff:ff:ff:ff:ff:ff
118: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether e4:95:6e:40:5e:e2 brd ff:ff:ff:ff:ff:ff
120: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether e4:95:6e:40:5e:e2 brd ff:ff:ff:ff:ff:ff
122: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-guest state UP qlen 1000
    link/ether e4:95:6e:40:5e:e3 brd ff:ff:ff:ff:ff:ff
124: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1462 qdisc hfsc state UNKNOWN qlen 3
    link/ppp 
125: 6in4-he_1_nyc@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1300 qdisc noqueue state UNKNOWN qlen 1000
    link/sit 79.24.190.213 peer 209.51.161.14

traceroute:

traceroute to openwrt.org (2a03:b0c0:3:d0::1af1:1) from 2a01:2000:2001:c58b::1, 10 hops max, 64 byte packets
 1  *
 2  2a01:20f0:2006::4 (2a01:20f0:2006::4)  28.800 ms
 3  *
 4  *
 5  2001:41a8:20:2::6 (2001:41a8:20:2::6)  31.700 ms
 6  ibs-resid.milano30.mil.seabone.net (2001:41a8:20:2::1)  31.800 ms
 7  mil51-loop0-v6.mil.seabone.net (2001:41a8:20::33)  31.720 ms
 8  2001:41a8:20:2::9e (2001:41a8:20:2::9e)  33.000 ms
 9  ae-1.r01.mlanit01.it.bb.gin.ntt.net (2001:728:0:2000::d)  33.281 ms
10  ae-13.r25.frnkge08.de.bb.gin.ntt.net (2001:728:0:2000::176)  41.560 ms
traceroute to openwrt.org (2a03:b0c0:3:d0::1af1:1) from 2a01:2000:2000:42ee::1, 10 hops max, 64 byte packets
 1  *
 2  2a01:20f0:2005::4 (2a01:20f0:2005::4)  27.960 ms
 3  *
 4  *
 5  2001:41a8:20:2::6 (2001:41a8:20:2::6)  31.460 ms
 6  ibs-resid.milano30.mil.seabone.net (2001:41a8:20:2::1)  33.040 ms
 7  mil51-loop0-v6.mil.seabone.net (2001:41a8:20::33)  32.060 ms
 8  2001:41a8:20:2::9e (2001:41a8:20:2::9e)  32.400 ms
 9  ae-1.r01.mlanit01.it.bb.gin.ntt.net (2001:728:0:2000::d)  32.740 ms
10  ae-13.r25.frnkge08.de.bb.gin.ntt.net (2001:728:0:2000::176)  62.220 ms
traceroute to openwrt.org (2a03:b0c0:3:d0::1af1:1) from 2001:470:1f06:82b::2, 10 hops max, 64 byte packets
 1  tunnel320522.tunnel.tserv4.nyc4.ipv6.he.net (2001:470:1f06:82b::1)  140.240 ms
 2  ve422.core1.nyc4.he.net (2001:470:0:5d::1)  134.761 ms
 3  100ge11-1.core1.nyc5.he.net (2001:470:0:20a::2)  134.600 ms
 4  100ge8-2.core1.dub1.he.net (2001:470:0:440::2)  193.760 ms
 5  *
 6  *
 7  2001:7f8:1::a501:4061:3 (2001:7f8:1::a501:4061:3)  207.201 ms
 8  *
 9  *
10  *

Any ideas?

vgaetera · April 21, 2019, 4:54pm

When talking about reducing MTU, I meant the logical interface wan and the layer 3 device pppoe-wan.

aboaboit · April 21, 2019, 6:02pm

Whoopsie, my bad. Still, even with pppoe-wan at 1300, the connection doesn't work, traceroute has similar gaps and the HE tunnel endpoint must be manually updated.

aboaboit · April 25, 2019, 3:13pm

I ran a different test today: I shut down the HE tunnel and the guest side of the switch, then I reconfigured the wan to enable IPV6 (still with MTU 1300 for IPV4) and tried the traceroute test: from the router, it looks "patchy" just like earlier tests.

From the desktop, I can ping openwrt.org both IPV4 and IPV6 with reasonable times but a simple apt-get would fail on some sources and ipv6-test fails to load completely. The ISP still says "reachability is only guaranteed for a few institutional sites", so it's obvious they don't give a flying f* and I should just give up ;(

Thanks to those who helped