ULA for WAN6 interface?

How would a firewall make the GUA work, but not the ULA?

firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='OpenVPNServer lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].network='wan6 wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-WWW'
firewall.@rule[3].proto='tcp'
firewall.@rule[3].dest_port='80'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-DHCPv6'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='udp'
firewall.@rule[4].src_ip='fc00::/6'
firewall.@rule[4].dest_ip='fc00::/6'
firewall.@rule[4].dest_port='546'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-MLD'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].src_ip='fe80::/10'
firewall.@rule[5].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Input'
firewall.@rule[6].src='wan'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-ICMPv6-Forward'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='*'
firewall.@rule[7].proto='icmp'
firewall.@rule[7].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[7].limit='1000/sec'
firewall.@rule[7].family='ipv6'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-IPSec-ESP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].proto='esp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-ISAKMP'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest='lan'
firewall.@rule[9].dest_port='500'
firewall.@rule[9].proto='udp'
firewall.@rule[9].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@rule[10]=rule
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].src='wan'
firewall.@rule[10].proto='tcp'
firewall.@rule[10].dest_port='22'
firewall.@rule[10].name='SSH'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].dest_ip='10.165.17.1'
firewall.@redirect[0].dest_port='22'
firewall.@redirect[0].name='SSH'
firewall.@redirect[0].src_dport='2222'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].proto='tcp'
firewall.@redirect[1].src_dport='993'
firewall.@redirect[1].dest_ip='10.165.17.1'
firewall.@redirect[1].dest_port='993'
firewall.@redirect[1].name='IMAPS'
firewall.@redirect[2]=redirect
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].proto='tcp'
firewall.@redirect[2].src_dport='443'
firewall.@redirect[2].dest_ip='10.165.17.1'
firewall.@redirect[2].dest_port='443'
firewall.@redirect[2].name='HTTPS'
firewall.@redirect[3]=redirect
firewall.@redirect[3].target='DNAT'
firewall.@redirect[3].src='wan'
firewall.@redirect[3].dest='lan'
firewall.@redirect[3].proto='tcp'
firewall.@redirect[3].src_dport='4190'
firewall.@redirect[3].dest_ip='10.165.17.1'
firewall.@redirect[3].dest_port='4190'
firewall.@redirect[3].name='ManagedSieve'
firewall.@redirect[4]=redirect
firewall.@redirect[4].target='DNAT'
firewall.@redirect[4].src='wan'
firewall.@redirect[4].dest='lan'
firewall.@redirect[4].proto='tcp udp'
firewall.@redirect[4].src_dport='8883'
firewall.@redirect[4].dest_ip='10.165.17.1'
firewall.@redirect[4].dest_port='8883'
firewall.@redirect[4].name='MQTT'
firewall.@redirect[5]=redirect
firewall.@redirect[5].target='DNAT'
firewall.@redirect[5].src='wan'
firewall.@redirect[5].dest='lan'
firewall.@redirect[5].proto='tcp udp'
firewall.@redirect[5].src_dport='465'
firewall.@redirect[5].dest_ip='10.165.17.1'
firewall.@redirect[5].dest_port='8883'
firewall.@redirect[5].name='MQTT-over-SMTPS'
firewall.@redirect[6]=redirect
firewall.@redirect[6].enabled='1'
firewall.@redirect[6].target='DNAT'
firewall.@redirect[6].src='wan'
firewall.@redirect[6].dest='lan'
firewall.@redirect[6].proto='tcp'
firewall.@redirect[6].src_dport='587'
firewall.@redirect[6].dest_ip='10.165.17.1'
firewall.@redirect[6].dest_port='587'
firewall.@redirect[6].name='Submission'
firewall.@rule[11]=rule
firewall.@rule[11].src='wan'
firewall.@rule[11].proto='tcp'
firewall.@rule[11].dest='lan'
firewall.@rule[11].dest_port='443'
firewall.@rule[11].family='ipv6'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].name='HTTPS IPv6'
firewall.@rule[12]=rule
firewall.@rule[12].src='wan'
firewall.@rule[12].proto='tcp'
firewall.@rule[12].dest='lan'
firewall.@rule[12].dest_port='993'
firewall.@rule[12].family='ipv6'
firewall.@rule[12].target='ACCEPT'
firewall.@rule[12].name='IMAPS IPv6'
firewall.@rule[13]=rule
firewall.@rule[13].src='wan'
firewall.@rule[13].proto='tcp'
firewall.@rule[13].dest='lan'
firewall.@rule[13].dest_port='587'
firewall.@rule[13].family='ipv6'
firewall.@rule[13].target='ACCEPT'
firewall.@rule[13].name='Submission IPv6'
firewall.@rule[14]=rule
firewall.@rule[14].src='wan'
firewall.@rule[14].proto='tcp'
firewall.@rule[14].dest='lan'
firewall.@rule[14].dest_port='465'
firewall.@rule[14].family='ipv6'
firewall.@rule[14].target='ACCEPT'
firewall.@rule[14].name='MQTT-over-SMTPS IPv6'
firewall.@rule[15]=rule
firewall.@rule[15].src='wan'
firewall.@rule[15].proto='tcp'
firewall.@rule[15].dest='lan'
firewall.@rule[15].dest_port='4190'
firewall.@rule[15].family='ipv6'
firewall.@rule[15].target='ACCEPT'
firewall.@rule[15].name='Sieve IPv6'
firewall.@rule[16]=rule
firewall.@rule[16].src='wan'
firewall.@rule[16].proto='tcp udp'
firewall.@rule[16].dest='lan'
firewall.@rule[16].dest_port='8883'
firewall.@rule[16].family='ipv6'
firewall.@rule[16].target='ACCEPT'
firewall.@rule[16].name='MQTT IPv6'
firewall.@rule[17]=rule
firewall.@rule[17].src='wan'
firewall.@rule[17].proto='tcp'
firewall.@rule[17].dest='lan'
firewall.@rule[17].dest_port='22'
firewall.@rule[17].family='ipv6'
firewall.@rule[17].target='ACCEPT'
firewall.@rule[17].name='SSH IPv6'
firewall.@rule[18]=rule
firewall.@rule[18].target='ACCEPT'
firewall.@rule[18].src='wan'
firewall.@rule[18].proto='udp'
firewall.@rule[18].name='OpenVPN'
firewall.@rule[18].dest_port='1194 1195'
firewall.@rule[19]=rule
firewall.@rule[19].target='ACCEPT'
firewall.@rule[19].src='wan'
firewall.@rule[19].dest='lan'
firewall.@rule[19].name='Ping To Network'
firewall.@rule[19].proto='icmp'
firewall.@rule[19].icmp_type='echo-request'
firewall.@rule[20]=rule
firewall.@rule[20].target='ACCEPT'
firewall.@rule[20].src='wan'
firewall.@rule[20].dest='lan'
firewall.@rule[20].dest_port='1883'
firewall.@rule[20].name='MQTT-To-BH'
firewall.@rule[20].dest_ip='192.168.3.1'
firewall.@rule[20].src_ip='10.165.40.0/24'
firewall.@rule[21]=rule
firewall.@rule[21].target='ACCEPT'
firewall.@rule[21].src='wan'
firewall.@rule[21].dest='lan'
firewall.@rule[21].name='iperf'
firewall.@rule[21].dest_port='5001'
firewall.@rule[22]=rule
firewall.@rule[22].target='ACCEPT'
firewall.@rule[22].src='wan'
firewall.@rule[22].dest='lan'
firewall.@rule[22].name='SSH-DMZ-toLAN'
firewall.@rule[22].proto='tcp'
firewall.@rule[22].src_ip='10.165.40.0/24'
firewall.@rule[22].dest_port='22'
firewall.@zone[2]=zone
firewall.@zone[2].name='Untrusted'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].network='Untrusted'
firewall.@zone[2].forward='ACCEPT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[0].src='lan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[1].src='Untrusted'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].dest='Untrusted'
firewall.@forwarding[2].src='lan'
firewall.@rule[23]=rule
firewall.@rule[23].target='ACCEPT'
firewall.@rule[23].src='wan'
firewall.@rule[23].dest='Untrusted'
firewall.@rule[23].name='home-le2Untrusted'
firewall.@rule[23].proto='all'
firewall.@rule[23].src_ip='10.165.40.0/24'
firewall.@rule[24]=rule
firewall.@rule[24].target='ACCEPT'
firewall.@rule[24].dest='lan'
firewall.@rule[24].name='HTTP-home-le-toTradfriUK'
firewall.@rule[24].dest_ip='10.166.150.100'
firewall.@rule[24].src='*'
firewall.@rule[24].proto='tcp udp'
firewall.@rule[24].src_ip='10.165.40.0/24'
firewall.@rule[25]=rule
firewall.@rule[25].target='ACCEPT'
firewall.@rule[25].src='wan'
firewall.@rule[25].dest='lan'
firewall.@rule[25].proto='tcp'
firewall.@rule[25].dest_ip='10.164.16.22'
firewall.@rule[25].dest_port='25'
firewall.@rule[25].name='SMTP-DMZ-to-outpost1'
firewall.@rule[25].src_ip='10.165.40.0/24'
# Generated by ip6tables-save v1.4.21 on Wed Nov 25 22:41:45 2020
*mangle
:PREROUTING ACCEPT [1530878:883805216]
:INPUT ACCEPT [61197:4549614]
:FORWARD ACCEPT [1461735:877797290]
:OUTPUT ACCEPT [63549:5987092]
:POSTROUTING ACCEPT [1525159:883776093]
COMMIT
# Completed on Wed Nov 25 22:41:45 2020
# Generated by ip6tables-save v1.4.21 on Wed Nov 25 22:41:45 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_Untrusted_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_Untrusted_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_Untrusted_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:zone_Untrusted_dest_ACCEPT - [0:0]
:zone_Untrusted_forward - [0:0]
:zone_Untrusted_input - [0:0]
:zone_Untrusted_output - [0:0]
:zone_Untrusted_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: user chain for input" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth1.3 -m comment --comment "!fw3" -j zone_Untrusted_input
-A FORWARD -m comment --comment "!fw3: user chain for forwarding" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth1.3 -m comment --comment "!fw3" -j zone_Untrusted_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: user chain for output" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Allow-WWW" -j ACCEPT
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth1.3 -m comment --comment "!fw3" -j zone_Untrusted_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
-A zone_Untrusted_dest_ACCEPT -o eth1.3 -m comment --comment "!fw3" -j ACCEPT
-A zone_Untrusted_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_Untrusted_rule
-A zone_Untrusted_forward -m comment --comment "!fw3: forwarding Untrusted -> wan" -j zone_wan_dest_ACCEPT
-A zone_Untrusted_forward -m comment --comment "!fw3" -j zone_Untrusted_dest_ACCEPT
-A zone_Untrusted_input -m comment --comment "!fw3: user chain for input" -j input_Untrusted_rule
-A zone_Untrusted_input -m comment --comment "!fw3" -j zone_Untrusted_src_ACCEPT
-A zone_Untrusted_output -m comment --comment "!fw3: user chain for output" -j output_Untrusted_rule
-A zone_Untrusted_output -m comment --comment "!fw3" -j zone_Untrusted_dest_ACCEPT
-A zone_Untrusted_src_ACCEPT -i eth1.3 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> Untrusted" -j zone_Untrusted_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: user chain for input" -j input_lan_rule
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: user chain for output" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS IPv6" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p tcp -m tcp --dport 993 -m comment --comment "!fw3: IMAPS IPv6" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p tcp -m tcp --dport 587 -m comment --comment "!fw3: Submission IPv6" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p tcp -m tcp --dport 465 -m comment --comment "!fw3: MQTT-over-SMTPS IPv6" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p tcp -m tcp --dport 4190 -m comment --comment "!fw3: Sieve IPv6" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p tcp -m tcp --dport 8883 -m comment --comment "!fw3: MQTT IPv6" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 8883 -m comment --comment "!fw3: MQTT IPv6" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p tcp -m tcp --dport 22 -m comment --comment "!fw3: SSH IPv6" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m comment --comment "!fw3: Ping To Network" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p tcp -m tcp --dport 5001 -m comment --comment "!fw3: iperf" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 5001 -m comment --comment "!fw3: iperf" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: user chain for input" -j input_wan_rule
-A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 22 -m comment --comment "!fw3: SSH" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: OpenVPN" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1195 -m comment --comment "!fw3: OpenVPN" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: user chain for output" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Nov 25 22:41:45 2020

~# uci show network.wan6
network.wan6=interface
network.wan6.ifname='eth0'
network.wan6.proto='dhcpv6'
network.wan6.reqprefix='auto'
network.wan6.reqaddress='try'

Let's see some packets:

opkg update; opkg install tcpdump; \
tcpdump -i eth0 -evn icmp6 or udp port 546

Restart odhcpcd and wait until DHCP and SLAAC have finished.


Well look at that, it's a heisenbug ... I changed the prefix on the fritzbox to get packages while tcpdump was running, and now the interface not only got the new ULA, but even the old one ...

~# ip -6 addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd00:165:40:1:f6f2:6dff:fec5:fc73/64 scope global noprefixroute dynamic 
       valid_lft 7074sec preferred_lft 3474sec
    inet6 fd00:165:40::f6f2:6dff:fec5:fc73/64 scope global noprefixroute dynamic 
       valid_lft 7051sec preferred_lft 3451sec
    inet6 [global prefix]:f6f2:6dff:fec5:fc73/128 scope global noprefixroute dynamic 
       valid_lft 5574sec preferred_lft 1974sec
    inet6 fe80::f6f2:6dff:fec5:fc73/64 scope link 
       valid_lft forever preferred_lft forever

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.


Let me keep an eye on how it manages restarts and that sort of stuff. I mean, it's not like we had a reproducible solution here ...

I am more surprised that you had an issue. As long as the ISP router advertises the ULA prefix, OpenWrt will create an IPv6 address from that too.


Yes, me too. But you saw the ip -6 addr show dev eth0 earlier (and I saw the output of lxc list on the machine in the DMZ showing that the ULA was also distributed just fine earlier).

Okay, I'll mark this as solved, can always go back if the problem shows up again.


This can only be caught red-handed with tcpdump. Otherwise you cannot know where to point the finger.
If the prefix is in the RA, then we'd need to investigate why OpenWrt didn't add it.
If for some reason it was not, you'd have to troubleshoot with the vendor.

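The check described in the last reply, as an added example that is not part of the original thread: it parses the Prefix Information options of a captured Router Advertisement and says whether a missing ULA is the upstream router's problem or the client's. The function names, the sample RA bytes, the 2001:db8:1::/64 stand-in for the elided global prefix and the link-layer address are constructed; the input is assumed to be the raw ICMPv6 message starting at its type byte (for instance extracted from a capture written with tcpdump -w).

```python
import ipaddress
import struct

ULA = ipaddress.ip_network("fc00::/7")   # RFC 4193 unique local addresses
GUA = ipaddress.ip_network("2000::/3")   # global unicast


def scope_of(net):
    if net.network_address in ULA:
        return "ULA"
    if net.network_address in GUA:
        return "GUA"
    return "other"


def parse_ra(icmp6):
    """Parse an ICMPv6 Router Advertisement, starting at the ICMPv6 type byte."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(icmp6[5] & 0x80), "prefixes": []}
    off = 16                                  # options follow the fixed RA header
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8   # length in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option at offset %d" % off)
        if opt_type == 3 and opt_len == 32:   # Prefix Information option
            plen, flags, valid, preferred = struct.unpack("!BBII", icmp6[off + 2:off + 12])
            net = ipaddress.IPv6Network((icmp6[off + 16:off + 32], plen), strict=False)
            ra["prefixes"].append({
                "prefix": net, "scope": scope_of(net),
                "on_link": bool(flags & 0x80), "autonomous": bool(flags & 0x40),
                "valid": valid, "preferred": preferred,
            })
        off += opt_len
    return ra


def missing_slaac(ra, interface_addrs):
    """Advertised SLAAC-eligible prefixes with no matching address on the interface."""
    addrs = [ipaddress.ip_address(a.split("/")[0]) for a in interface_addrs]
    return [p for p in ra["prefixes"]
            if p["autonomous"] and p["prefix"].prefixlen == 64 and p["valid"] > 0
            and not any(a in p["prefix"] for a in addrs)]


def verdict(ra, interface_addrs, scope="ULA"):
    """Decide where to look when an address of the given scope is missing."""
    advertised = [p for p in ra["prefixes"] if p["scope"] == scope]
    if not advertised:
        return "not in RA: check the upstream router"
    if any(p in advertised for p in missing_slaac(ra, interface_addrs)):
        return "in RA but not configured: check the client"
    return "ok"


def _pio(prefix, flags=0xC0, valid=7200, preferred=3600):
    """Build a Prefix Information option (L and A flags set by default)."""
    net = ipaddress.IPv6Network(prefix)
    return (struct.pack("!BBBBIII", 3, 4, net.prefixlen, flags, valid, preferred, 0)
            + net.network_address.packed)


# Constructed sample RA: M flag set, a source link-layer address option that the
# parser must skip, then one ULA and one documentation-range "global" prefix.
RA_HEADER = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x80, 1800, 0, 0)
SLLA = struct.pack("!BB6s", 1, 1, bytes.fromhex("020000000001"))
SAMPLE_RA = RA_HEADER + SLLA + _pio("fd00:165:40:1::/64") + _pio("2001:db8:1::/64")
```

Pass verdict() the parsed RA and the addresses listed by ip -6 addr show dev eth0 at the time of the capture.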
