Two openwrt routers - ipv6 configuration?

Would appreciate any help possible!

I'm using two openwrt routers. One is connected wan side to the LAN of the other one. I do this so I can provide a different gateway via DHCP when a user is connected to one router. The 'main' router gives out addresses in the range 192.168.1.x and the router connected to this one gives out addresses in the 192.168.2.x

I've managed to add some static routes to enable ipv4 traffic to talk to each other. This works fine.

However, I don't know where to start with ipv6 configuration. I can see at the moment anything connected to the secondary router seems to be getting ipv6 addresses both in the range of that router, and the range of the main router. I can't ping any clients across routers on ipv6. I've tried adding a static route, similar to the ipv4 setup but this doesn't seem to change anything. I'm also confused by the ipv6 DHCP options in the 'interface' setting, RA/DHCPv6 server/NDP proxy.

Any help appreciated!

1 Like

Are you trying to use the ULA private addresses on both routers or are you trying to delegate a public prefix down the routers?
In any case post the uci export network; uci export dhcp from both.

Here's the main router:

root@bthh:~# uci export network
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdb7:8066:5525::/48'

config dsl 'dsl'
	option annex 'b'
	option tone 'a'
	option ds_snr_offset '0'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option ip6assign '60'
	option netmask '255.255.255.0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr 'c8:91:f9:16:97:b6'

config interface 'wan'
	option proto 'pppoe'
	option ipv6 '1'
	option username 'xxx'
	option password 'xxx'
	option ifname 'dsl0.101'

config device 'wan_dev'
	option name 'dsl0'
	option macaddr 'c8:91:f9:16:97:b7'

config interface 'wan6'
	option ifname '@wan'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0 1 4 5 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '2 6t'
	option vid '10'

config interface 'dmz'
	option proto 'static'
	option ifname 'eth0.10'
	option ipaddr '192.168.3.1'
	option ip6assign '60'
	option netmask '255.255.255.0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config route
	option target '192.168.2.0'
	option gateway '192.168.1.2'
	option netmask '255.255.255.0'
	option interface 'lan'

root@bthh:~# uci export dhcp
package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'
	option authoritative '1'
	list server '/vpn/192.168.1.2'
	option logqueries '1'
	list rebind_domain 'vpn'

config dhcp 'lan'
	option interface 'lan'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option leasetime '1h'
	option start '192.168.1.100'
	option limit '50'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'dmz'
	option leasetime '12h'
	option limit '150'
	option interface 'dmz'
	option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'
	option start '192.168.3.100'

config host
	option mac 'CC:32:E5:40:EF:D3'
	option name 'tplink'
	option dns '1'
	option ip '192.168.1.2'

Here's the router connected to one of LAN ports of the above router. As you can see I push some DHCP options on this one.

root@tplink:~# uci export network
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd30:8066:5525::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ip6assign '60'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr 'cc:32:e5:40:ef:d2'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr 'cc:32:e5:40:ef:d3'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

config route
	option target '192.168.1.0'
	option gateway '192.168.1.1'
	option interface 'lan'
	option netmask '255.255.255.0'

config route6
	option target 'fdb7:8066:5525::/48'
	option gateway 'fdb7:8066:5525:10::1'
	option interface 'lan'
	
root@tplink:~# uci export dhcp
package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'
	option domain 'vpn'
	option local '/vpn/'
	list server '/lan/192.168.1.1'
	option authoritative '1'
	list rebind_domain 'lan'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '1h'
	option limit '50'
	option start '100'
	list dhcp_option '3,192.168.2.5'
	list dhcp_option '6,192.168.2.5'
	option ra 'server'
	option ndp 'relay'
	option dhcpv6 'relay'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'vpn'
	option dns '1'
	option ip '192.168.2.5'
	option mac 'B8:27:EB:55:D1:24'

I don't get any ipv6 blocks further upstream, so this is all internal.

An example: I am on the secondary router (tplink). I can resolve a client on the other router (bthh) both ipv4 and ipv6, in this case:

$ dig +short backup.lan
192.168.1.15
$ dig +short backup.lan AAAA
fdb7:8066:5525:10::15

However:

$ ping 192.168.1.15 -c 4 -q
PING 192.168.1.15 (192.168.1.15) 56(84) bytes of data.

--- 192.168.1.15 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 4.777/31.109/67.185/26.122 ms
$ ping fdb7:8066:5525:10::15 -c 4 -q
ping: connect: Network is unreachable

On main router change lan-ip6assign from 60 to 52, so there is more available for delegation to the other. Change config dhcp 'lan' - option start '100'

On secondary remove option ula_prefix 'fd30:8066:5525::/48', remove the route6, in dhcp 'lan' disable ndp, and make ra/dhcpv6 server.

Thank you! That seems to have worked - initially I wasn't getting any ipv6 addresses on the tplink router but I went into the web interface, checked 'always announce default router' which seems to have added

option ra_default '1'
option ra_management '1'

And now it works!

On a completely different subject (and I'll happily make a new post if necessary) - I also have some google chromecast devices on the main network. Obviously I cant access them now when attached to the secondary router. Is is possible? I googled a bunch, understand devices use mDNS to connect but couldn't really find much info relating to openwrt.

Such things work better if they are in the same broadcast domain. So unless they are connected to the same router or you bridge the routers, then you'll have to do some manual work.

Thanks, I'll take a read through that thread. The python script looks promising.

As it happens I spoke too soon. It seems whilst clients on both routers now get ipv6 addresses with the same prefix (fdb7:8066:5525) in this case, I still can't seem to talk to them. Clients on the secondary router can resolve the ipv6 address of the client on the main router, but can't get to it - get the 'ping: connect: Network is unreachable' error. I get the same error trying to ping clients on the secondary router from hosts on the primary router.
The 'LAN' interface on the secondary router says ' IPv6: fdb7:8066:5525:1004::1/62' whereas the ipv6 addresses on the main router are all around fdb7:8066:5525:1000::1 and so I think there is some kind of routing issue between the two?

Make sure that firewall is allowing the lan<->wan traffic bidirectionally on secondary router.
Post from both routers:
ip -6 addr; ip -6 ro; ip -6 ru; ifstatus lan;
and on secondary router ifstatus wan6

From main router:

root@bthh:~# ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::6889:96ff:fe7a:2514/64 scope link 
       valid_lft forever preferred_lft forever
10: dsl0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::ca91:f9ff:fe16:97b7/64 scope link 
       valid_lft forever preferred_lft forever
20: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fdb7:8066:5525:1000::1/52 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::ca91:f9ff:fe16:97b6/64 scope link 
       valid_lft forever preferred_lft forever
22: eth0.10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fdb7:8066:5525::1/52 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::6889:96ff:fe7a:2514/64 scope link 
       valid_lft forever preferred_lft forever
23: dsl0.101@dsl0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::ca91:f9ff:fe16:97b7/64 scope link 
       valid_lft forever preferred_lft forever
25: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::ca91:f9ff:fe16:97b8/64 scope link 
       valid_lft forever preferred_lft forever
26: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::ca91:f9ff:fe16:97b9/64 scope link 
       valid_lft forever preferred_lft forever
root@bthh:~# ip -6 ro
fdb7:8066:5525::/64 dev eth0.10  metric 1024 
fdb7:8066:5525:1000::/64 dev br-lan  metric 1024 
fdb7:8066:5525:1004::/62 via fe80::ce32:e5ff:fe40:efd3 dev br-lan  metric 1024 
unreachable fdb7:8066:5525::/48 dev lo  metric 2147483647  error -148
fe80::/64 dev dsl0  metric 256 
fe80::/64 dev dsl0.101  metric 256 
fe80::/64 dev eth0  metric 256 
fe80::/64 dev eth0.10  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev wlan0  metric 256 
fe80::/64 dev wlan1  metric 256 
anycast fdb7:8066:5525:: dev eth0.10  metric 0 
anycast fdb7:8066:5525:1000:: dev br-lan  metric 0 
anycast fe80:: dev dsl0  metric 0 
anycast fe80:: dev dsl0.101  metric 0 
anycast fe80:: dev br-lan  metric 0 
anycast fe80:: dev eth0.10  metric 0 
anycast fe80:: dev eth0  metric 0 
anycast fe80:: dev wlan0  metric 0 
anycast fe80:: dev wlan1  metric 0 
ff00::/8 dev br-lan  metric 256 
ff00::/8 dev eth0.10  metric 256 
ff00::/8 dev dsl0  metric 256 
ff00::/8 dev dsl0.101  metric 256 
ff00::/8 dev eth0  metric 256 
ff00::/8 dev wlan0  metric 256 
ff00::/8 dev wlan1  metric 256 
root@bthh:~# ip -6 ru
0:	from all lookup local 
32766:	from all lookup main 
4200000001:	from all iif lo lookup unspec 12
4200000020:	from all iif br-lan lookup unspec 12
4200000022:	from all iif eth0.10 lookup unspec 12
4200000024:	from all iif pppoe-wan lookup unspec 12
root@bthh:~# ifstatus lan
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 20481,
	"l3_device": "br-lan",
	"proto": "static",
	"device": "br-lan",
	"updated": [
		"addresses",
		"routes"
	],
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		{
			"address": "192.168.1.1",
			"mask": 24
		}
	],
	"ipv6-address": [
		
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		{
			"address": "fdb7:8066:5525:1000::",
			"mask": 52,
			"local-address": {
				"address": "fdb7:8066:5525:1000::1",
				"mask": 52
			}
		}
	],
	"route": [
		{
			"target": "192.168.2.0",
			"mask": 24,
			"nexthop": "192.168.1.2",
			"source": "0.0.0.0/0"
		}
	],
	"dns-server": [
		"8.8.8.8",
		"8.8.4.4"
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		
	}
}

From secondary:

root@tplink:~# ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 1000
    inet6 fe80::ce32:e5ff:fe40:efd2/64 scope link 
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fdb7:8066:5525:1004::1/62 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::ce32:e5ff:fe40:efd2/64 scope link 
       valid_lft forever preferred_lft forever
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fdb7:8066:5525:1000:ce32:e5ff:fe40:efd3/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fdb7:8066:5525:1000::2/128 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::ce32:e5ff:fe40:efd3/64 scope link 
       valid_lft forever preferred_lft forever
8: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::ce32:e5ff:fe40:efd1/64 scope link 
       valid_lft forever preferred_lft forever
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::ce32:e5ff:fe40:efd2/64 scope link 
       valid_lft forever preferred_lft forever
root@tplink:~# ip -6 ro
fdb7:8066:5525::/48 from fdb7:8066:5525:1000::2 via fe80::ca91:f9ff:fe16:97b6 dev eth0.2  metric 512 
fdb7:8066:5525::/48 from fdb7:8066:5525:1000::/64 via fe80::ca91:f9ff:fe16:97b6 dev eth0.2  metric 512 
fdb7:8066:5525::/48 from fdb7:8066:5525:1004::/62 via fe80::ca91:f9ff:fe16:97b6 dev eth0.2  metric 512 
fdb7:8066:5525:1000::/64 dev eth0.2  metric 256 
fdb7:8066:5525:1004::b96 dev br-lan  metric 1024 
fdb7:8066:5525:1004:b0c4:c0f1:37c7:5dc dev br-lan  metric 1024 
fdb7:8066:5525:1004::/64 dev br-lan  metric 1024 
fdb7:8066:5525:1006::/63 via fe80::10c0:2cff:fe08:b5ac dev br-lan  metric 1024 
unreachable fdb7:8066:5525:1004::/62 dev lo  metric 2147483647  error -148
fe80::/64 dev eth0  metric 256 
fe80::/64 dev eth0.2  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev wlan0  metric 256 
fe80::/64 dev wlan1  metric 256 
anycast fdb7:8066:5525:1000:: dev eth0.2  metric 0 
anycast fdb7:8066:5525:1004:: dev br-lan  metric 0 
anycast fe80:: dev eth0.2  metric 0 
anycast fe80:: dev eth0  metric 0 
anycast fe80:: dev br-lan  metric 0 
anycast fe80:: dev wlan0  metric 0 
anycast fe80:: dev wlan1  metric 0 
ff00::/8 dev eth0  metric 256 
ff00::/8 dev eth0.2  metric 256 
ff00::/8 dev br-lan  metric 256 
ff00::/8 dev wlan0  metric 256 
ff00::/8 dev wlan1  metric 256 
root@tplink:~# ip -6 ru
0:	from all lookup local 
32766:	from all lookup main 
4200000000:	from fdb7:8066:5525:1004::1/62 iif br-lan lookup unspec unreachable
4200000001:	from all iif lo lookup unspec 12
4200000005:	from all iif br-lan lookup unspec 12
4200000007:	from all iif eth0.2 lookup unspec 12
4200000007:	from all iif eth0.2 lookup unspec 12
root@tplink:~# ifstatus lan
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 17057,
	"l3_device": "br-lan",
	"proto": "static",
	"device": "br-lan",
	"updated": [
		"addresses",
		"routes"
	],
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		{
			"address": "192.168.2.1",
			"mask": 24
		}
	],
	"ipv6-address": [
		
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		{
			"address": "fdb7:8066:5525:1004::",
			"mask": 62,
			"local-address": {
				"address": "fdb7:8066:5525:1004::1",
				"mask": 62
			}
		}
	],
	"route": [
		{
			"target": "192.168.1.0",
			"mask": 24,
			"nexthop": "192.168.1.1",
			"source": "0.0.0.0/0"
		}
	],
	"dns-server": [
		
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		
	}
}
root@tplink:~# ifstatus wan6
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 17048,
	"l3_device": "eth0.2",
	"proto": "dhcpv6",
	"device": "eth0.2",
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		
	],
	"ipv6-address": [
		{
			"address": "fdb7:8066:5525:1000:ce32:e5ff:fe40:efd3",
			"mask": 64
		},
		{
			"address": "fdb7:8066:5525:1000::2",
			"mask": 128
		}
	],
	"ipv6-prefix": [
		{
			"address": "fdb7:8066:5525:1004::",
			"mask": 62,
			"class": "wan6",
			"assigned": {
				"lan": {
					"address": "fdb7:8066:5525:1004::",
					"mask": 62
				}
			}
		}
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "fdb7:8066:5525:1000::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"source": "::/0"
		},
		{
			"target": "fdb7:8066:5525::",
			"mask": 48,
			"nexthop": "fe80::ca91:f9ff:fe16:97b6",
			"metric": 512,
			"valid": 1567,
			"source": "fdb7:8066:5525:1004::/62"
		},
		{
			"target": "fdb7:8066:5525::",
			"mask": 48,
			"nexthop": "fe80::ca91:f9ff:fe16:97b6",
			"metric": 512,
			"valid": 1567,
			"source": "fdb7:8066:5525:1000:ce32:e5ff:fe40:efd3/64"
		},
		{
			"target": "fdb7:8066:5525::",
			"mask": 48,
			"nexthop": "fe80::ca91:f9ff:fe16:97b6",
			"metric": 512,
			"valid": 1567,
			"source": "fdb7:8066:5525:1000::2/128"
		}
	],
	"dns-server": [
		"fdb7:8066:5525:1000::1"
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		"passthru": "00170010fdb78066552510000000000000000001"
	}
}

The firewall is configured to accept everything on the secondary router (I believe!):

root@tplink:~# uci export firewall
package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option mtu_fix '1'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

The firewall in the secondary is still blocking the traffic from wan.
You could disable it all together, or move the wan and wa6 interfaces under lan zone.
Post from both the following: uci show dhcp.lan

Firewall disabled entirely, still same symptoms.

From main:

root@bthh:~# uci show dhcp.lan
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_management='1'
dhcp.lan.leasetime='1h'
dhcp.lan.start='100'
dhcp.lan.limit='50'

From secondary:

root@tplink:~# uci show dhcp.lan
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_management='1'
dhcp.lan.dhcp_option='3,192.168.2.5' '6,192.168.2.5'

I am testing it myself, because it looks weird. Seems that the upstream router is dropping the replies. I'll let you know as soon as I have something.

If it helps, here's a routing table from a client on the main router:

$ route -6 -n
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
::1/128                        ::                         U    256 1     0 lo
fdb7:8066:5525:1000::50/128    ::                         U    600 1     0 wlxc4e98412f69a
fdb7:8066:5525:1000::/64       ::                         U    600 2     0 wlxc4e98412f69a
fdb7:8066:5525::/48            fe80::ca91:f9ff:fe16:97b6  UG   600 1     0 wlxc4e98412f69a
fe80::/64                      ::                         U    600 2     0 wlxc4e98412f69a
::/0                           ::                         !n   -1  1     0 lo
::1/128                        ::                         Un   0   6     0 lo
fdb7:8066:5525:1000::50/128    ::                         Un   0   4     0 wlxc4e98412f69a
fdb7:8066:5525:1000:6129:1194:9def:ba44/128 ::                         Un   0   2     0 wlxc4e98412f69a
fdb7:8066:5525:1000:ad8b:5282:390f:e0d3/128 ::                         Un   0   3     0 wlxc4e98412f69a
fe80::4204:9075:2b22:8b38/128  ::                         Un   0   3     0 wlxc4e98412f69a
ff00::/8                       ::                         U    256 7     0 wlxc4e98412f69a
::/0                           ::                         !n   -1  1     0 lo

and a client on the secondary router:

$ route -6 -n
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
::1/128                        ::                         U    256 1     0 lo
fdb7:8066:5525:1004::3f3/128   ::                         U    600 1     0 wlp0s20f3
fdb7:8066:5525:1004::/64       ::                         U    600 2     0 wlp0s20f3
fdb7:8066:5525:1004::/62       fe80::1a62:2cff:fe44:27dc  UG   600 1     0 wlp0s20f3
fe80::/64                      ::                         U    600 2     0 wlp0s20f3
::/0                           ::                         !n   -1  1     0 lo
::1/128                        ::                         Un   0   4     0 lo
fdb7:8066:5525:1004::3f3/128   ::                         Un   0   2     0 wlp0s20f3
fdb7:8066:5525:1004:507f:9e29:a6e3:d410/128 ::                         Un   0   4     0 wlp0s20f3
fdb7:8066:5525:1004:a22e:c521:ae42:560d/128 ::                         Un   0   2     0 wlp0s20f3
fe80::2286:ad10:4088:e762/128  ::                         Un   0   3     0 wlp0s20f3
ff00::/8                       ::                         U    256 5     0 wlp0s20f3
::/0                           ::                         !n   -1  1     0 lo

I resolved it in my case by disabling source routing.

uci set network.wan6.sourcerouting=0
uci commit network
ifup wan6

Can you confirm if this is on the main or secondary router (or both?)

I did it on my main only.

Still no joy here - from a client on the secondary router:

$ ping fdb7:8066:5525:1000::15
ping: connect: Network is unreachable

Since you are not using the wan6 interface, maybe it will work for you if you add it in lan.
Also disable any connection tracking and allow invalid packets in lan zone.
Take a look here too, seems that a reboot helped.

I'm afraid it wasn't the reboot, I rebooted it, and wait, I reconfigured the laptop nic and
wait for the RA to happen, and then I started pinging. When the laptop was pinging
unreachable, I connected to the router and started tcpdump -i eth1 icmp6, and then it
started to connect. I noticed that it's a problem when initializing the nic config, as
if I reboot the laptop it reproduces again, or my workstation, does the same even if
my laptop pings, so slaac may be missing to set something needed.

Alright, I'll try to reproduce it with some spare routers I have and see if I can find a permanent fix.