Since you are not using the wan6 interface, maybe it will work for you if you add it in lan.
Also disable any connection tracking and allow invalid packets in lan zone.
Take a look here too, seems that a reboot helped.
I'm afraid it wasn't the reboot. I rebooted it and waited, I reconfigured the laptop NIC and
waited for the RA to happen, and then I started pinging. When the laptop was pinging
unreachable, I connected to the router and started tcpdump -i eth1 icmp6, and then it
started to connect. I noticed that it's a problem when initializing the NIC config, as
if I reboot the laptop it reproduces again, or my workstation does the same even if
my laptop pings, so SLAAC may be missing setting something needed.
So I've been playing about with this for a while. I wasn't managing to ping between clients on either router but just on a whim I checked 'always announce default router' on both main and secondary router (this adds option ra_default '1' to the dhcp 'lan' section) and as I type, I am able to ping all ipv6 addresses from all clients (with one or two exceptions, but I think they just might need to refresh DHCP or power cycle in order to route correctly).
I had some time to try it myself @pekkari @sfxdude
The primary router is my current internet gateway, more or less standard configuration.
The secondary was a spare router, freshly and cleanly upgraded to 19.07.2.
The secondary router acquired the delegated prefix and was able to ping everywhere. A host in the secondary lan was not.
After enabling the "always announce default gateway" DHCPv6 option on the secondary, the host received a default route and was able to ping the primary router, but not hosts in the primary lan.
This is due to asymmetric routing, so when I disable "Drop invalid packets" in the global firewall settings I don't get such drops anymore:
[105:10920] -A FORWARD -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
and ping replies are coming back.
Hmmm... seems not enough for me; that option was already disabled. Did you add that
iptables rule manually? My iptables seems to have a rule per zone:
-A zone_lan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o tun1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan6_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wlan_dest_ACCEPT -o br-wlan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
The rule that I mentioned was the one that was blocking the traffic. It was also on INPUT and OUTPUT, but without hits.
Regarding your rules, I have them in the wan interfaces only, where I do NAT. I don't see why you want to prevent NAT leakage on lan. And most likely they are the reason that your pings fail.
A quick reminder also: ping between nodes works in my case, it's just the
router that drops the ping. If I try to ping my workstation from the laptop
it succeeds, and the other way around. Moreover, if I ping the router on
its IPv6 of another net it does reply; for example, if I use my laptop,
lan-connected, to ping the router's IP in wlan, it does answer; it drops if I
ping its IP in lan.
$ ping fdb4:fc:9c:c::1
PING fdb4:fc:9c:c::1(fdb4:fc:9c:c::1) 56 data bytes
64 bytes from fdb4:fc:9c:c::1: icmp_seq=1 ttl=64 time=1.44 ms
64 bytes from fdb4:fc:9c:c::1: icmp_seq=2 ttl=64 time=0.707 ms
64 bytes from fdb4:fc:9c:c::1: icmp_seq=3 ttl=64 time=0.711 ms
64 bytes from fdb4:fc:9c:c::1: icmp_seq=4 ttl=64 time=0.732 ms
^C
--- fdb4:fc:9c:c::1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 88ms
rtt min/avg/max/mdev = 0.707/0.896/1.436/0.313 ms
You are very right on the ip6tables topic, sorry about that!
still no luck:
# ip6tables -S|grep INVALID
-A zone_lan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o tun1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan6_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wlan_dest_ACCEPT -o br-wlan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
# ip6tables -D zone_lan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
Moving on to laptop at lan, and pinging:
$ ping fdb4:fc:9c:b::1
PING fdb4:fc:9c:b::1(fdb4:fc:9c:b::1) 56 data bytes
From fdb4:fc:9c:b:224:67ff:fe35:1074: icmp_seq=1 Destination unreachable: Address unreachable
From fdb4:fc:9c:b:224:67ff:fe35:1074: icmp_seq=2 Destination unreachable: Address unreachable
From fdb4:fc:9c:b:224:67ff:fe35:1074: icmp_seq=3 Destination unreachable: Address unreachable
From fdb4:fc:9c:b:224:67ff:fe35:1074: icmp_seq=4 Destination unreachable: Address unreachable
From fdb4:fc:9c:b:224:67ff:fe35:1074: icmp_seq=5 Destination unreachable: Address unreachable
From fdb4:fc:9c:b:224:67ff:fe35:1074: icmp_seq=6 Destination unreachable: Address unreachable
From fdb4:fc:9c:b:224:67ff:fe35:1074: icmp_seq=8 Destination unreachable: Address unreachable
From fdb4:fc:9c:b:224:67ff:fe35:1074: icmp_seq=9 Destination unreachable: Address unreachable
From fdb4:fc:9c:b:224:67ff:fe35:1074: icmp_seq=11 Destination unreachable: Address unreachable
From fdb4:fc:9c:b:224:67ff:fe35:1074: icmp_seq=12 Destination unreachable: Address unreachable
Both laptop and workstation are sitting in lan, connected through ethernet
to the router. The ping that succeeds is from lan to the IP of the router on wlan;
the same happens if I ping the IP of the router on the tun devices for
OpenVPN, which looks a bit like a security threat: if you get to the network,
you can really reach any zone from each other through IPv6.
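Added example, not code from anyone in this thread. What separates a rule that merely exists from the rule that is eating your pings is its packet counter (the [105:10920] on the FORWARD rule a few posts up). This POSIX sh script reads `ip6tables -nvxL` output, keeps only `ctstate INVALID -j DROP` rules with a non-zero count, and names the /etc/config/firewall option behind each one: the INPUT/FORWARD/OUTPUT copies come from `option drop_invalid` in the `defaults` section (the "Drop invalid packets" checkbox), while the per-zone "Prevent NAT leakage" copy at the top of `zone_<name>_dest_ACCEPT` is what fw3 emits for a zone that has `masq` set, unless that zone also sets `masq_allow_invalid`. The sample is constructed to mirror the rules posted above; `zone_section` and `apply_zone_fix` assume fw3's usual anonymous `config zone` sections and only make sense on the router. The `ip6tables -D` above is runtime only and is gone on the next firewall reload; the uci options are the persistent fix.

```sh
#!/bin/sh
# Added example, not from the thread. Find the conntrack INVALID drops that are
# actually counting packets in fw3-generated ip6tables rules and print the
# /etc/config/firewall option that owns each one.  On the router:
#   ip6tables -nvxL | find_invalid_drops      # -x: exact counters, no K/M suffixes

find_invalid_drops() {
    awk '
        /^Chain / { chain = $2; next }      # e.g. "Chain FORWARD (policy DROP ...)"
        # -nvL columns: pkts bytes target prot opt in out source destination [matches]
        $3 == "DROP" && /ctstate INVALID/ && $1 > 0 {
            if (chain == "INPUT" || chain == "FORWARD" || chain == "OUTPUT") {
                fix = "firewall.@defaults[0].drop_invalid=0"  # global "Drop invalid packets"
            } else if (chain ~ /^zone_.*_dest_ACCEPT$/) {
                zone = substr(chain, 6, length(chain) - 17)  # strip "zone_" and "_dest_ACCEPT"
                fix = "zone " zone " masq_allow_invalid=1"    # or remove masq from that zone
            } else {
                fix = "not an fw3 defaults/zone rule"
            }
            printf "%s out=%s pkts=%s fix=%s\n", chain, $7, $1, fix
        }'
}

# Map an fw3 zone name to its anonymous UCI section (lan -> @zone[0]). Router only.
zone_section() {
    uci show firewall | sed -n "s/^firewall\.\(@zone\[[0-9]*\]\)\.name='$1'$/\1/p"
}

# Persistent counterpart of the ip6tables -D above: set masq_allow_invalid on the
# zone and let fw3 regenerate its rules.  Router only.
apply_zone_fix() {
    sec=$(zone_section "$1")
    [ -n "$sec" ] || { echo "no fw3 zone named $1" >&2; return 1; }
    uci set "firewall.$sec.masq_allow_invalid=1" && uci commit firewall && /etc/init.d/firewall reload
}

# Constructed sample of ip6tables -nvxL output, shaped like the rules posted in this thread.
SAMPLE_IP6TABLES=$(cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       all      --  *      *       ::/0                 ::/0                 ctstate INVALID /* !fw3 */
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     105    10920 DROP       all      --  *      *       ::/0                 ::/0                 ctstate INVALID /* !fw3 */
Chain zone_lan_dest_ACCEPT (2 references)
    pkts      bytes target     prot opt in     out     source               destination
      12     1008 DROP       all      --  *      eth1    ::/0                 ::/0                 ctstate INVALID /* !fw3: Prevent NAT leakage */
       0        0 ACCEPT     all      --  *      eth1    ::/0                 ::/0                 /* !fw3 */
Chain zone_wan_dest_ACCEPT (2 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       all      --  *      eth0    ::/0                 ::/0                 ctstate INVALID /* !fw3: Prevent NAT leakage */
EOF
)

printf '%s\n' "$SAMPLE_IP6TABLES" | find_invalid_drops
```

Dropping INVALID is a sane default on a masqueraded wan zone. It bites with the asymmetric routing @trendy describes: when the request leaves by one path and the reply arrives by another, conntrack never saw the first leg, classifies the echo reply as INVALID, and the DROP takes it. That is why the counter on the FORWARD rule moves while the INPUT and OUTPUT copies stay at zero.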
Apologies for dragging this thread up again, but I thought as this issue was related, it saved creating a new thread.
Everything works fine for me, thanks to @trendy. The only slightly odd issue I'm facing is that the secondary router is unable to update or use opkg. I think it must be related to having an IPv6 address from the upstream router (I don't get any kind of IPv6 from my ISP).
root@bthh2:~# opkg update
Downloading http://downloads.openwrt.org/releases/19.07.2/targets/lantiq/xrx200/packages/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.2/targets/lantiq/xrx200/packages/Packages.gz
Downloading http://downloads.openwrt.org/releases/19.07.2/targets/lantiq/xrx200/kmods/4.14.171-1-0f59e90218b95a909e229a713d3da157/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.2/targets/lantiq/xrx200/kmods/4.14.171-1-0f59e90218b95a909e229a713d3da157/Packages.gz
Downloading http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/base/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/base/Packages.gz
Downloading http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/luci/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/luci/Packages.gz
Downloading http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/packages/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/packages/Packages.gz
Downloading http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/routing/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/routing/Packages.gz
Downloading http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_telephony
Downloading http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/telephony/Packages.sig
Signature file download failed.
Remove wrong Signature file.
Collected errors:
* opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.2/targets/lantiq/xrx200/packages/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.
* opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.2/targets/lantiq/xrx200/kmods/4.14.171-1-0f59e90218b95a909e229a713d3da157/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.
* opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/base/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.
* opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/luci/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.
* opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/packages/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.
* opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/routing/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.
* opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/telephony/Packages.sig, wget returned 4.
* opkg_download: Check your network settings and connectivity.
ip -4 addr ; ip -4 ro ; ip -4 ru; \
ip -6 addr ; ip -6 ro ; ip -6 ru; \
ls -l /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
nslookup downloads.openwrt.org
root@bthh2:~# ip -4 addr ; ip -4 ro ; ip -4 ru; \
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.10.1/24 brd 192.168.10.255 scope global br-lan
valid_lft forever preferred_lft forever
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.1.3/24 brd 192.168.1.255 scope global eth0.2
valid_lft forever preferred_lft forever
default via 192.168.1.1 dev eth0.2 src 192.168.1.3
192.168.1.0/24 dev eth0.2 scope link src 192.168.1.3
192.168.10.0/24 dev br-lan scope link src 192.168.10.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
root@bthh2:~# ip -6 addr ; ip -6 ro ; ip -6 ru; \
>
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::7497:acff:fee4:916c/64 scope link
valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fdb7:8066:5525:1004::1/62 scope global
valid_lft forever preferred_lft forever
inet6 fe80::1a62:2cff:fe44:27dc/64 scope link
valid_lft forever preferred_lft forever
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fdb7:8066:5525:1000:70d4:a9ff:fe79:6e9f/64 scope global
valid_lft forever preferred_lft forever
inet6 fdb7:8066:5525:1000::3/128 scope global
valid_lft forever preferred_lft forever
inet6 fe80::70d4:a9ff:fe79:6e9f/64 scope link
valid_lft forever preferred_lft forever
10: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::1a62:2cff:fe44:27de/64 scope link
valid_lft forever preferred_lft forever
17: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::1a62:2cff:fe44:27df/64 scope link
valid_lft forever preferred_lft forever
default from fdb7:8066:5525:1000::3 via fe80::ca91:f9ff:fe16:97b6 dev eth0.2 metric 512
default from fdb7:8066:5525:1000::/64 via fe80::ca91:f9ff:fe16:97b6 dev eth0.2 metric 512
default from fdb7:8066:5525:1004::/62 via fe80::ca91:f9ff:fe16:97b6 dev eth0.2 metric 512
fdb7:8066:5525:1000::/64 dev eth0.2 metric 256
fdb7:8066:5525:1004::/64 dev br-lan metric 1024
unreachable fdb7:8066:5525:1004::/62 dev lo metric 2147483647 error -148
fe80::/64 dev eth0 metric 256
fe80::/64 dev eth0.2 metric 256
fe80::/64 dev br-lan metric 256
fe80::/64 dev wlan1 metric 256
fe80::/64 dev wlan0 metric 256
anycast fdb7:8066:5525:1000:: dev eth0.2 metric 0
anycast fdb7:8066:5525:1004:: dev br-lan metric 0
anycast fe80:: dev eth0 metric 0
anycast fe80:: dev eth0.2 metric 0
anycast fe80:: dev br-lan metric 0
anycast fe80:: dev wlan1 metric 0
anycast fe80:: dev wlan0 metric 0
ff00::/8 dev eth0 metric 256
ff00::/8 dev eth0.2 metric 256
ff00::/8 dev br-lan metric 256
ff00::/8 dev wlan1 metric 256
ff00::/8 dev wlan0 metric 256
0: from all lookup local
32766: from all lookup main
4200000000: from fdb7:8066:5525:1004::1/62 iif br-lan lookup unspec unreachable
4200000001: from all iif lo lookup unspec 12
4200000005: from all iif br-lan lookup unspec 12
4200000007: from all iif eth0.2 lookup unspec 12
4200000007: from all iif eth0.2 lookup unspec 12
root@bthh2:~# ls -l /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
lrwxrwxrwx 1 root root 16 Feb 27 21:05 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r-- 1 root root 32 Apr 14 21:31 /tmp/resolv.conf
-rw-r--r-- 1 root root 104 Apr 1 23:53 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search vpn
nameserver 127.0.0.1
==> /tmp/resolv.conf <==
search vpn
nameserver 127.0.0.1
==> /tmp/resolv.conf.auto <==
# Interface WAN2
nameserver 192.168.1.1
search lan
# Interface WAN2v6
nameserver fdb7:8066:5525:1000::1
root@bthh2:~# nslookup downloads.openwrt.org
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: downloads.openwrt.org
downloads.openwrt.org canonical name = mirror-02.infra.openwrt.org
Name: mirror-02.infra.openwrt.org
Address 1: 176.9.48.73
downloads.openwrt.org canonical name = mirror-02.infra.openwrt.org
Address 2: 2a01:4f8:150:6449::2
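Added example, not code from anyone in this thread. The output above contains only ULA addresses (fdb7::/16 lies inside fc00::/7, RFC 4193, which is never routed on the internet) and only source-restricted defaults (`default from <prefix> via ...`, which the kernel uses only for packets whose source address is inside that prefix), while the name resolves to both an A and an AAAA record. So the router has IPv6 addresses but no globally usable IPv6 source, and with uclient-fetch acting as wget, exit status 4 is its connection-failure path rather than an HTTP error. This POSIX sh script reads the same `ip -6 addr` and `ip -6 route` output and makes that distinction mechanically; it classifies any address, not just the ones posted here. The first sample is the output posted above, trimmed; the second is constructed with the documentation prefix 2001:db8::/32 to show the passing case. `probe_families` assumes uclient-fetch with its -4/-6 switches and only runs on the router.

```sh
#!/bin/sh
# Added example, not from the thread. Separate "this router has IPv6 addresses"
# from "this router can reach the IPv6 internet", from ip -6 addr / ip -6 route.
# On the router:
#   { ip -6 addr; ip -6 route; } | ipv6_report
# Exit status 0 only if a global unicast address (2000::/3) exists together with
# a default route such a source can use.  ULA (fc00::/7, RFC 4193) is never
# routed on the internet, and "default from <prefix>" only serves packets
# sourced from inside <prefix>.

ipv6_report() {
    awk '
        function hextet1(a,   h) {          # first 16-bit group, zero-padded
            split(a, h, ":")
            while (length(h[1]) < 4) { h[1] = "0" h[1] }
            return h[1]
        }
        function kind(a,   x) {
            x = hextet1(a)
            if (substr(x, 1, 1) ~ /[23]/) { return "gua" }     # 2000::/3
            if (substr(x, 1, 2) ~ /^f[cd]$/) { return "ula" }  # fc00::/7
            return "other"
        }
        /^[0-9]+: / { iface = $2; sub(/@.*/, "", iface); sub(/:$/, "", iface) }
        $1 == "inet6" && $4 == "global" {
            a = $2; sub(/\/.*/, "", a)
            c = kind(a); n[c]++
            print "address", iface, a, c
        }
        $1 == "default" {
            from = "any"; dev = "?"
            for (i = 2; i < NF; i++) {
                if ($i == "from") { from = $(i + 1) }
                if ($i == "dev")  { dev = $(i + 1) }
            }
            if (from == "any") { c = "unrestricted"; usable++ }
            else { p = from; sub(/\/.*/, "", p); c = kind(p); if (c == "gua") { usable++ } }
            print "default", "from=" from, "dev=" dev, c
        }
        END {
            ok = (n["gua"] > 0 && usable > 0)
            print "verdict:", (ok ? "global IPv6 reachability plausible" : "no usable global IPv6 (ULA/link-local only), test IPv4 separately")
            exit !ok
        }'
}

# Router only: fetch one URL over each family separately, so an IPv6 failure is
# not mistaken for a broken IPv4 path (uclient-fetch is OpenWrt's wget).
probe_families() {   # usage: probe_families http://downloads.openwrt.org/...
    for fam in 4 6; do
        if uclient-fetch -q "-$fam" -O /dev/null "$1"; then
            echo "ipv$fam ok"
        else
            echo "ipv$fam failed, exit $?"
        fi
    done
}

# Trimmed copy of the ip -6 addr / ip -6 route output posted above.
SAMPLE_ULA_ONLY=$(cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fdb7:8066:5525:1004::1/62 scope global
    inet6 fe80::1a62:2cff:fe44:27dc/64 scope link
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fdb7:8066:5525:1000:70d4:a9ff:fe79:6e9f/64 scope global
    inet6 fdb7:8066:5525:1000::3/128 scope global
    inet6 fe80::70d4:a9ff:fe79:6e9f/64 scope link
default from fdb7:8066:5525:1000::3 via fe80::ca91:f9ff:fe16:97b6 dev eth0.2 metric 512
default from fdb7:8066:5525:1000::/64 via fe80::ca91:f9ff:fe16:97b6 dev eth0.2 metric 512
default from fdb7:8066:5525:1004::/62 via fe80::ca91:f9ff:fe16:97b6 dev eth0.2 metric 512
fdb7:8066:5525:1000::/64 dev eth0.2 metric 256
unreachable fdb7:8066:5525:1004::/62 dev lo metric 2147483647 error -148
EOF
)

# Constructed passing case: a GUA from the documentation prefix plus a plain default.
SAMPLE_WITH_GUA=$(cat <<'EOF'
2: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:70d4:a9ff:fe79:6e9f/64 scope global dynamic
    inet6 fe80::70d4:a9ff:fe79:6e9f/64 scope link
default via fe80::1 dev eth0.2 metric 512
2001:db8:1:2::/64 dev eth0.2 metric 256
EOF
)

if printf '%s\n' "$SAMPLE_ULA_ONLY" | ipv6_report; then echo "status=0"; else echo "status=$?"; fi
```

If `probe_families` shows IPv4 succeeding and IPv6 failing on the router, the problem is on the address and route side (no global IPv6 source, only a ULA prefix delegated from the primary, which itself has no IPv6 from the ISP), not in opkg.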