Two openwrt routers - ipv6 configuration?

If it helps, here's a routing table from a client on the main router:

$ route -6 -n
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
::1/128                        ::                         U    256 1     0 lo
fdb7:8066:5525:1000::50/128    ::                         U    600 1     0 wlxc4e98412f69a
fdb7:8066:5525:1000::/64       ::                         U    600 2     0 wlxc4e98412f69a
fdb7:8066:5525::/48            fe80::ca91:f9ff:fe16:97b6  UG   600 1     0 wlxc4e98412f69a
fe80::/64                      ::                         U    600 2     0 wlxc4e98412f69a
::/0                           ::                         !n   -1  1     0 lo
::1/128                        ::                         Un   0   6     0 lo
fdb7:8066:5525:1000::50/128    ::                         Un   0   4     0 wlxc4e98412f69a
fdb7:8066:5525:1000:6129:1194:9def:ba44/128 ::                         Un   0   2     0 wlxc4e98412f69a
fdb7:8066:5525:1000:ad8b:5282:390f:e0d3/128 ::                         Un   0   3     0 wlxc4e98412f69a
fe80::4204:9075:2b22:8b38/128  ::                         Un   0   3     0 wlxc4e98412f69a
ff00::/8                       ::                         U    256 7     0 wlxc4e98412f69a
::/0                           ::                         !n   -1  1     0 lo

and a client on the secondary router:

$ route -6 -n
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
::1/128                        ::                         U    256 1     0 lo
fdb7:8066:5525:1004::3f3/128   ::                         U    600 1     0 wlp0s20f3
fdb7:8066:5525:1004::/64       ::                         U    600 2     0 wlp0s20f3
fdb7:8066:5525:1004::/62       fe80::1a62:2cff:fe44:27dc  UG   600 1     0 wlp0s20f3
fe80::/64                      ::                         U    600 2     0 wlp0s20f3
::/0                           ::                         !n   -1  1     0 lo
::1/128                        ::                         Un   0   4     0 lo
fdb7:8066:5525:1004::3f3/128   ::                         Un   0   2     0 wlp0s20f3
fdb7:8066:5525:1004:507f:9e29:a6e3:d410/128 ::                         Un   0   4     0 wlp0s20f3
fdb7:8066:5525:1004:a22e:c521:ae42:560d/128 ::                         Un   0   2     0 wlp0s20f3
fe80::2286:ad10:4088:e762/128  ::                         Un   0   3     0 wlp0s20f3
ff00::/8                       ::                         U    256 5     0 wlp0s20f3
::/0                           ::                         !n   -1  1     0 lo

I resolved it in my case by disabling source routing.

uci set network.wan6.sourcerouting=0
uci commit network
ifup wan6

Can you confirm if this is on the main or secondary router (or both)?

I did it on my main only.

Still no joy here - from a client on the secondary router:

$ ping fdb7:8066:5525:1000::15
ping: connect: Network is unreachable

Since you are not using the wan6 interface, maybe it will work for you if you add it in lan.
Also disable any connection tracking and allow invalid packets in the lan zone.
Take a look here too; it seems that a reboot helped.

I'm afraid it wasn't the reboot. I rebooted it, and wait, I reconfigured the laptop NIC and
waited for the RA to happen, and then I started pinging. When the laptop was pinging
unreachable, I connected to the router and started tcpdump -i eth1 icmp6, and then it
started to connect. I noticed that it's a problem when initializing the NIC config, as
if I reboot the laptop it reproduces again, or my workstation does the same even if
my laptop pings, so SLAAC may be missing setting something needed.

Alright, I'll try to reproduce it with some spare routers I have and see if I can find a permanent fix.

So I've been playing about with this for a while. I wasn't managing to ping between clients on either router but just on a whim I checked 'always announce default router' on both main and secondary router (this adds option ra_default '1' to the dhcp 'lan' section) and as I type, I am able to ping all ipv6 addresses from all clients (with one or two exceptions, but I think they just might need to refresh DHCP or power cycle in order to route correctly).

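The two client routing tables posted at the top of the thread explain the finding above, and the following added example (written for this thread, not code from OpenWrt or from any poster) makes the lookup explicit: it parses abridged copies of those `route -6 -n` tables and does the kernel's longest-prefix match for a destination. The client on the main router has a route for the whole fdb7:8066:5525::/48 via the router, so it can reach the secondary LAN, while the client on the secondary router only has its own /64 and the delegated /62 plus the kernel's `!n` reject catch-all, so anything in the main LAN is "Network is unreachable". The `with_default_route` helper appends the `::/0` route a client receives once the RA announces a default router (`ra_default '1'`); the gateway, interface and metric used for it are assumed, not taken from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Abridged copies of the two `route -6 -n` tables posted earlier in the thread.
MAIN_CLIENT = """\
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
::1/128                        ::                         U    256 1     0 lo
fdb7:8066:5525:1000::50/128    ::                         U    600 1     0 wlxc4e98412f69a
fdb7:8066:5525:1000::/64       ::                         U    600 2     0 wlxc4e98412f69a
fdb7:8066:5525::/48            fe80::ca91:f9ff:fe16:97b6  UG   600 1     0 wlxc4e98412f69a
fe80::/64                      ::                         U    600 2     0 wlxc4e98412f69a
::/0                           ::                         !n   -1  1     0 lo
"""

SECONDARY_CLIENT = """\
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
::1/128                        ::                         U    256 1     0 lo
fdb7:8066:5525:1004::3f3/128   ::                         U    600 1     0 wlp0s20f3
fdb7:8066:5525:1004::/64       ::                         U    600 2     0 wlp0s20f3
fdb7:8066:5525:1004::/62       fe80::1a62:2cff:fe44:27dc  UG   600 1     0 wlp0s20f3
fe80::/64                      ::                         U    600 2     0 wlp0s20f3
::/0                           ::                         !n   -1  1     0 lo
"""


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv6Network
    gateway: Optional[ipaddress.IPv6Address]  # None when the next hop is "::" (on-link)
    flags: str
    metric: int
    iface: str

    @property
    def reject(self) -> bool:
        # "!" marks a reject route; the kernel's ::/0 "!n" catch-all is what
        # produces "Network is unreachable" when nothing more specific matches.
        return "!" in self.flags


def parse_route6(text: str) -> list[Route]:
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or "/" not in parts[0]:
            continue  # banner and header lines
        dest, nh, flags, metric, _ref, _use, iface = parts
        gw = None if nh == "::" else ipaddress.IPv6Address(nh)
        routes.append(Route(ipaddress.IPv6Network(dest), gw, flags, int(metric), iface))
    return routes


def lookup(dest: str, routes: list[Route]) -> Optional[Route]:
    """Longest-prefix match; on equal length a usable route beats a reject one, then lowest metric."""
    addr = ipaddress.IPv6Address(dest)
    matches = [r for r in routes if addr in r.dest]
    if not matches:
        return None
    matches.sort(key=lambda r: (-r.dest.prefixlen, r.reject, r.metric))
    return matches[0]


def describe(dest: str, routes: list[Route]) -> str:
    r = lookup(dest, routes)
    if r is None or r.reject:
        return "unreachable"
    if r.gateway is None:
        return f"on-link dev {r.iface}"
    return f"via {r.gateway} dev {r.iface}"


def with_default_route(routes: list[Route], gateway: str, iface: str) -> list[Route]:
    """The client table once the RA carries a default router (assumed gateway/iface/metric)."""
    default = Route(ipaddress.IPv6Network("::/0"), ipaddress.IPv6Address(gateway), "UG", 1024, iface)
    return routes + [default]


if __name__ == "__main__":
    main, sec = parse_route6(MAIN_CLIENT), parse_route6(SECONDARY_CLIENT)
    print("main client   -> secondary lan:", describe("fdb7:8066:5525:1004::1", main))
    print("secondary     -> main lan     :", describe("fdb7:8066:5525:1000::15", sec))
    fixed = with_default_route(sec, "fe80::1a62:2cff:fe44:27dc", "wlp0s20f3")
    print("secondary+RA  -> main lan     :", describe("fdb7:8066:5525:1000::15", fixed))
```

Running it prints "unreachable" for the secondary client before the default route is added and a next hop via the secondary router after it, which is exactly the difference the `ra_default` toggle made. It also shows why the reverse direction already worked: the /48 route on the main-router client comes from the RA and covers every delegated prefix.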

I had some time to try it myself @pekkari @sfxdude
The primary router is my current internet gateway, more or less standard configuration.
The secondary was a spare router freshly and cleanly upgraded to 19.07.2.
The secondary router acquired the delegated prefix and was able to ping everywhere. A host in the secondary lan was not.
After enabling "always announce default gateway" in the dhcp6 options of the secondary, the host received a default route and was able to ping the primary router, but not hosts in the primary lan.
This is due to asymmetric routing, so when I disable "Drop invalid packets" in the global firewall settings I don't have such drops anymore
[105:10920] -A FORWARD -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
and ping replies are coming back.
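The asymmetry described here is worth seeing step by step, so the following added example (written for this thread; it is not OpenWrt or netfilter code) models the ICMPv6 echo part of connection tracking and the FORWARD rule quoted above. The request from the secondary-LAN host is forwarded by the secondary router straight onto the primary LAN segment, so the primary router never sees it; the reply follows the primary-LAN host's route back through the primary router, whose conntrack has no matching flow and classifies the packet INVALID. The host addresses are taken from the thread, the echo identifier and the `Router`/`Conntrack` classes are constructed for the simulation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Icmp6:
    kind: str    # "echo-request" or "echo-reply"
    src: str
    dst: str
    ident: int   # ICMP echo identifier; a reply carries the request's value


class Conntrack:
    """Minimal model of nf_conntrack for ICMPv6 echo: a request opens a flow, a reply must match one."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, str, int]] = set()

    def state(self, p: Icmp6) -> str:
        if p.kind == "echo-request":
            key = (p.src, p.dst, p.ident)
            if key in self.flows:
                return "ESTABLISHED"
            self.flows.add(key)
            return "NEW"
        if p.kind == "echo-reply":
            # The reply is only valid if this box saw the request in the other direction.
            return "ESTABLISHED" if (p.dst, p.src, p.ident) in self.flows else "INVALID"
        return "INVALID"


class Router:
    def __init__(self, name: str, drop_invalid: bool) -> None:
        self.name, self.drop_invalid, self.ct = name, drop_invalid, Conntrack()

    def forward(self, p: Icmp6) -> str:
        # Models: -A FORWARD -m conntrack --ctstate INVALID -j DROP  (the "Drop invalid packets" setting)
        if self.ct.state(p) == "INVALID" and self.drop_invalid:
            return "DROP"
        return "ACCEPT"


def simulate(drop_invalid: bool, symmetric: bool) -> list[tuple[str, str, str]]:
    """Return (router, packet kind, verdict) for every hop a packet actually reaches."""
    routers = {"primary": Router("primary", drop_invalid), "secondary": Router("secondary", drop_invalid)}
    a, b = "fdb7:8066:5525:1004::3f3", "fdb7:8066:5525:1000::50"   # secondary-LAN host, primary-LAN host
    request, reply = Icmp6("echo-request", a, b, 0x2A), Icmp6("echo-reply", b, a, 0x2A)
    # Asymmetric: the secondary router forwards the request directly onto the primary LAN segment,
    # so only the reply (sent to the primary-LAN host's gateway) crosses the primary router.
    request_path = ["secondary", "primary"] if symmetric else ["secondary"]
    reply_path = ["primary", "secondary"]
    log = []
    for pkt, path in ((request, request_path), (reply, reply_path)):
        for name in path:
            verdict = routers[name].forward(pkt)
            log.append((name, pkt.kind, verdict))
            if verdict == "DROP":
                break   # a dropped packet travels no further
    return log


if __name__ == "__main__":
    for drop, sym in ((True, False), (False, False), (True, True)):
        print(f"drop_invalid={drop} symmetric={sym}:", simulate(drop, sym))
```

The INVALID drop is a sensible default because it discards packets that belong to no known flow, so turning it off globally trades that protection for working asymmetric paths; the simulation's third case shows that keeping the path symmetric (both directions through the primary router) satisfies the rule without loosening it.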

hummmm... seems not enough for me; that option was already disabled. Did you add that
iptables rule manually? My iptables seem to have a rule per zone:

-A zone_lan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o tun1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan6_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wlan_dest_ACCEPT -o br-wlan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP

The rule that I mentioned was the one that was blocking the traffic. It was also on INPUT and OUTPUT, but without hits.
Regarding your rules, I have them in the wan interfaces only, where I do NAT. I don't see why you want to prevent NAT leakage on lan. And most likely they are the reason that your pings fail.

Though I totally agree with you that the rule seems not useful in my case, dropping it
manually doesn't seem to help either:

# iptables -S|grep INVALID
-A zone_lan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o tun1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan6_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wlan_dest_ACCEPT -o br-wlan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
# iptables -D zone_lan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
# iptables -S|grep INVALID
-A zone_vpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o tun1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan6_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wlan_dest_ACCEPT -o br-wlan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP

From my laptop:

$ ping fdb4:fc:9c:b::1
PING fdb4:fc:9c:b::1(fdb4:fc:9c:af::1) 56 data bytes
From fdb4:fc:9c:b:224:67ff:fe35:1074: icmp_seq=1 Destination unreachable: Address unreachable
From fdb4:fc:9c:b:224:67ff:fe35:1074: icmp_seq=2 Destination unreachable: Address unreachable
From fdb4:fc:9c:b:224:67ff:fe35:1074: icmp_seq=5 Destination unreachable: Address unreachable
From fdb4:fc:9c:b:224:67ff:fe35:1074: icmp_seq=6 Destination unreachable: Address unreachable
From fdb4:fc:9c:b:224:67ff:fe35:1074: icmp_seq=8 Destination unreachable: Address unreachable
From fdb4:fc:9c:b:224:67ff:fe35:1074: icmp_seq=9 Destination unreachable: Address unreachable
^C
--- fdb4:fc:9c:af::1 ping statistics ---
11 packets transmitted, 0 received, +6 errors, 100% packet loss, time 272ms
pipe 4

This makes me think that even if we find what produces those rules, my case won't be solved yet.

A quick reminder also: ping between nodes works in my case; it's just the
router that drops the ping. If I try to ping my workstation from the laptop
it succeeds, and the other way around. Moreover, if I ping the router on
its IPv6 address of another net it does reply; for example, if I use my laptop,
lan connected, to ping the router's IP in wlan, it does answer, but it drops if I
ping its IP in lan.

$ ping fdb4:fc:9c:c::1
PING fdb4:fc:9c:c::1(fdb4:fc:9c:c::1) 56 data bytes 
64 bytes from fdb4:fc:9c:c::1: icmp_seq=1 ttl=64 time=1.44 ms
64 bytes from fdb4:fc:9c:c::1: icmp_seq=2 ttl=64 time=0.707 ms
64 bytes from fdb4:fc:9c:c::1: icmp_seq=3 ttl=64 time=0.711 ms
64 bytes from fdb4:fc:9c:c::1: icmp_seq=4 ttl=64 time=0.732 ms
^C
--- fdb4:fc:9c:c::1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 88ms
rtt min/avg/max/mdev = 0.707/0.896/1.436/0.313 ms

I don't follow you exactly because I don't know where the laptop and the workstation are, I mean in which network segment, what IPs are you pinging.

Moreover in this post you are showing iptables rules, but ipv6 rules are applied in ip6tables.

You are very right on the ip6tables topic, sorry about that!
Still no luck:

# ip6tables -S|grep INVALID
-A zone_lan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o tun1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan6_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wlan_dest_ACCEPT -o br-wlan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
# ip6tables -D zone_lan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP

Moving on to laptop at lan, and pinging:

$ ping fdb4:fc:9c:b::1
PING fdb4:fc:9c:b::1(fdb4:fc:9c:b::1) 56 data bytes 
From fdb4:fc:9c:b:224:67ff:fe35:1074: icmp_seq=1 Destination unreachable: Address unreachable
From fdb4:fc:9c:b:224:67ff:fe35:1074: icmp_seq=2 Destination unreachable: Address unreachable
From fdb4:fc:9c:b:224:67ff:fe35:1074: icmp_seq=3 Destination unreachable: Address unreachable
From fdb4:fc:9c:b:224:67ff:fe35:1074: icmp_seq=4 Destination unreachable: Address unreachable
From fdb4:fc:9c:b:224:67ff:fe35:1074: icmp_seq=5 Destination unreachable: Address unreachable
From fdb4:fc:9c:b:224:67ff:fe35:1074: icmp_seq=6 Destination unreachable: Address unreachable
From fdb4:fc:9c:b:224:67ff:fe35:1074: icmp_seq=8 Destination unreachable: Address unreachable
From fdb4:fc:9c:b:224:67ff:fe35:1074: icmp_seq=9 Destination unreachable: Address unreachable
From fdb4:fc:9c:b:224:67ff:fe35:1074: icmp_seq=11 Destination unreachable: Address unreachable
From fdb4:fc:9c:b:224:67ff:fe35:1074: icmp_seq=12 Destination unreachable: Address unreachable

Both laptop and workstation are sitting in lan, connected through ethernet
to the router. The ping that succeeds is from lan to the IP of the router on wlan;
it happens the same if I ping the IP of the router on the tun devices for
openvpn, which looks a bit like a security threat: if you get to the network,
you can really reach any zone from any other through IPv6.

Apologies for dragging this thread up again, but I thought as this issue was related, it saved creating a new thread.

Everything works fine for me, thanks to @trendy. The only slightly odd issue I'm facing is that the secondary router is unable to update or use opkg. I think it must be related to having an IPv6 address from the upstream router. (I don't get any kind of IPv6 from my ISP.)

root@bthh2:~# opkg update
Downloading http://downloads.openwrt.org/releases/19.07.2/targets/lantiq/xrx200/packages/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.2/targets/lantiq/xrx200/packages/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.2/targets/lantiq/xrx200/kmods/4.14.171-1-0f59e90218b95a909e229a713d3da157/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.2/targets/lantiq/xrx200/kmods/4.14.171-1-0f59e90218b95a909e229a713d3da157/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/base/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/base/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/luci/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/luci/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/packages/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/packages/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/routing/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/routing/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_telephony
Downloading http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/telephony/Packages.sig
Signature file download failed.
Remove wrong Signature file.
Collected errors:
 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.2/targets/lantiq/xrx200/packages/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.2/targets/lantiq/xrx200/kmods/4.14.171-1-0f59e90218b95a909e229a713d3da157/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/base/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/luci/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/packages/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/routing/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/telephony/Packages.sig, wget returned 4.
 * opkg_download: Check your network settings and connectivity.
root@bthh2:~# wget http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/telephony/Packages.sig
Downloading 'http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/telephony/Packages.sig'
Connecting to 2a01:4f8:150:6449::2:80
Connection error: Connection failed

(secondary router is now a bthh as well)

I can't seem to force opkg to use ipv4 at all. And I get no issues with any computer connected to the secondary router.

Can you post the following from secondary?

ip -4 addr ; ip -4 ro ; ip -4 ru; \
ip -6 addr ; ip -6 ro ; ip -6 ru; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
nslookup downloads.openwrt.org

You need to configure gateway and DNS information on the WAN interface of "bthh2".

root@bthh2:~# ip -4 addr ; ip -4 ro ; ip -4 ru; \
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.10.1/24 brd 192.168.10.255 scope global br-lan
       valid_lft forever preferred_lft forever
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.3/24 brd 192.168.1.255 scope global eth0.2
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev eth0.2  src 192.168.1.3 
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.3 
192.168.10.0/24 dev br-lan scope link  src 192.168.10.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
root@bthh2:~# ip -6 addr ; ip -6 ro ; ip -6 ru; \
> 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::7497:acff:fee4:916c/64 scope link 
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fdb7:8066:5525:1004::1/62 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::1a62:2cff:fe44:27dc/64 scope link 
       valid_lft forever preferred_lft forever
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fdb7:8066:5525:1000:70d4:a9ff:fe79:6e9f/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fdb7:8066:5525:1000::3/128 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::70d4:a9ff:fe79:6e9f/64 scope link 
       valid_lft forever preferred_lft forever
10: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::1a62:2cff:fe44:27de/64 scope link 
       valid_lft forever preferred_lft forever
17: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::1a62:2cff:fe44:27df/64 scope link 
       valid_lft forever preferred_lft forever
default from fdb7:8066:5525:1000::3 via fe80::ca91:f9ff:fe16:97b6 dev eth0.2  metric 512 
default from fdb7:8066:5525:1000::/64 via fe80::ca91:f9ff:fe16:97b6 dev eth0.2  metric 512 
default from fdb7:8066:5525:1004::/62 via fe80::ca91:f9ff:fe16:97b6 dev eth0.2  metric 512 
fdb7:8066:5525:1000::/64 dev eth0.2  metric 256 
fdb7:8066:5525:1004::/64 dev br-lan  metric 1024 
unreachable fdb7:8066:5525:1004::/62 dev lo  metric 2147483647  error -148
fe80::/64 dev eth0  metric 256 
fe80::/64 dev eth0.2  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev wlan1  metric 256 
fe80::/64 dev wlan0  metric 256 
anycast fdb7:8066:5525:1000:: dev eth0.2  metric 0 
anycast fdb7:8066:5525:1004:: dev br-lan  metric 0 
anycast fe80:: dev eth0  metric 0 
anycast fe80:: dev eth0.2  metric 0 
anycast fe80:: dev br-lan  metric 0 
anycast fe80:: dev wlan1  metric 0 
anycast fe80:: dev wlan0  metric 0 
ff00::/8 dev eth0  metric 256 
ff00::/8 dev eth0.2  metric 256 
ff00::/8 dev br-lan  metric 256 
ff00::/8 dev wlan1  metric 256 
ff00::/8 dev wlan0  metric 256 
0:	from all lookup local 
32766:	from all lookup main 
4200000000:	from fdb7:8066:5525:1004::1/62 iif br-lan lookup unspec unreachable
4200000001:	from all iif lo lookup unspec 12
4200000005:	from all iif br-lan lookup unspec 12
4200000007:	from all iif eth0.2 lookup unspec 12
4200000007:	from all iif eth0.2 lookup unspec 12
root@bthh2:~# ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
lrwxrwxrwx    1 root     root            16 Feb 27 21:05 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Apr 14 21:31 /tmp/resolv.conf
-rw-r--r--    1 root     root           104 Apr  1 23:53 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search vpn
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search vpn
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface WAN2
nameserver 192.168.1.1
search lan
# Interface WAN2v6
nameserver fdb7:8066:5525:1000::1
root@bthh2:~# nslookup downloads.openwrt.org
Server:		127.0.0.1
Address:	127.0.0.1#53

Name:      downloads.openwrt.org
downloads.openwrt.org	canonical name = mirror-02.infra.openwrt.org
Name:      mirror-02.infra.openwrt.org
Address 1: 176.9.48.73
downloads.openwrt.org	canonical name = mirror-02.infra.openwrt.org
Address 2: 2a01:4f8:150:6449::2
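The diagnostics above show the ingredients of the opkg failure: `downloads.openwrt.org` resolves to both an A and an AAAA record, the router's only non-link-local IPv6 addresses are ULA (fdb7::/48, delegated from the primary router) and it has source-specific default routes via the primary router, which has no IPv6 uplink, so the wget attempt to 2a01:4f8:150:6449::2 can only fail. The following added example (written for this thread; it is not opkg, uclient-fetch or libc code) implements the relevant subset of RFC 6724 destination and source address selection with the RFC's default policy table, fed with the addresses from the posts above. Under that policy a ULA source (label 13) does not match a global destination (label 1), while the IPv4 source and destination share label 4, so a resolver following RFC 6724 would try 176.9.48.73 first; the example also shows that adding a global IPv6 source (the assumed, documentation-range 2001:db8::1) flips the preference back to IPv6. It does not claim to show what wget on the router actually does, only what correct selection would yield.

```python
import ipaddress
from typing import Optional

# RFC 6724 section 2.1 default policy table: (prefix, precedence, label).
POLICY = [(ipaddress.IPv6Network(p), prec, label) for p, prec, label in (
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4), ("2002::/16", 30, 2),
    ("2001::/32", 5, 5), ("fc00::/7", 3, 13), ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12),
)]
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
V4_LINK_SCOPE = (ipaddress.IPv4Network("169.254.0.0/16"), ipaddress.IPv4Network("127.0.0.0/8"))


def as_v6(addr: str) -> ipaddress.IPv6Address:
    """IPv4 addresses are treated as IPv4-mapped IPv6 addresses, as RFC 6724 does."""
    a = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address(f"::ffff:{a}") if a.version == 4 else a


def as_str(a: ipaddress.IPv6Address) -> str:
    return str(a.ipv4_mapped) if a.ipv4_mapped is not None else str(a)


def policy(a: ipaddress.IPv6Address) -> tuple[int, int]:
    """(precedence, label) from the longest matching policy row."""
    _prefix, prec, label = max((row for row in POLICY if a in row[0]), key=lambda row: row[0].prefixlen)
    return prec, label


def scope(a: ipaddress.IPv6Address) -> int:
    v4 = a.ipv4_mapped
    if v4 is not None:
        return 0x2 if any(v4 in n for n in V4_LINK_SCOPE) else 0xE
    if a.is_loopback or a in LINK_LOCAL:
        return 0x2   # loopback counts as link-local scope (RFC 6724 section 3.1)
    return 0xE       # global scope; ULA (fc00::/7) is global scope but carries label 13


def common_prefix(a: ipaddress.IPv6Address, b: ipaddress.IPv6Address) -> int:
    return 128 - (int(a) ^ int(b)).bit_length()


def select_source(dst, sources) -> Optional[ipaddress.IPv6Address]:
    """RFC 6724 section 5, rules 2, 6 and 8 only; a v4 destination can only use a v4 source."""
    cands = [s for s in sources if (s.ipv4_mapped is None) == (dst.ipv4_mapped is None)]
    if not cands:
        return None
    return min(cands, key=lambda s: (scope(s) != scope(dst), policy(s)[1] != policy(dst)[1], -common_prefix(s, dst)))


def order_destinations(destinations, sources) -> list[tuple[str, Optional[str]]]:
    """RFC 6724 section 6, rules 1, 2, 5, 6, 8 and 9; returns (destination, chosen source), best first."""
    srcs = [as_v6(s) for s in sources]
    ranked = []
    for d in destinations:
        dst = as_v6(d)
        src = select_source(dst, srcs)
        prec, label = policy(dst)
        if src is None:
            key: tuple = (1,)   # rule 1: a destination with no usable source sorts last
        else:
            key = (0, scope(src) != scope(dst),        # rule 2: prefer matching scope
                   policy(src)[1] != label,            # rule 5: prefer matching label
                   -prec,                              # rule 6: prefer higher precedence
                   scope(dst),                         # rule 8: prefer smaller scope
                   -common_prefix(src, dst))           # rule 9: longest matching prefix
        ranked.append((key, d, None if src is None else as_str(src)))
    ranked.sort(key=lambda t: t[0])
    return [(d, s) for _, d, s in ranked]


if __name__ == "__main__":
    # Addresses from the nslookup and `ip -6 addr` output on the secondary router (bthh2).
    answers = ["2a01:4f8:150:6449::2", "176.9.48.73"]
    router_addrs = ["192.168.1.3", "fdb7:8066:5525:1000::3", "fe80::70d4:a9ff:fe79:6e9f"]
    print("ULA only      :", order_destinations(answers, router_addrs))
    print("with global v6:", order_destinations(answers, router_addrs + ["2001:db8::1"]))
```

The practical reading for a site like this one, where the delegated prefix is ULA and no router has an IPv6 uplink: any host that gets a ULA address and a default route will attempt global destinations over IPv6 unless its resolver or application applies the label rule, so the failure is expected rather than a broken router, and a global destination should only be preferred once a global source address exists.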