VPN-Policy-Routing ipv6 no WAN access

Hey!

I want the lan traffic to go through a VPN connection (with exceptions) and the guest traffic through my normal ISP connection. When using ipv4 everything works as it should. But when enabling ipv6 stuff breaks -.-

I was able to get the VPN running with IPv6 using nat6_simplified, but now I can't access the Internet over the guest network: DNS works, ping works, HTTP requests time out. VPN Policy Routing is now also broken for both IPv4 and IPv6: on IPv4-only sites the request times out; on IPv6 sites it ignores the policy entry and uses the default gateway.

I'm still struggling with IPv6; perhaps you can see where I went wrong.

DHCP

config dnsmasq

option domainneeded '1'

option localise_queries '1'

option rebind_protection '1'

option rebind_localhost '1'

option local '/lan/'

option domain 'lan'

option expandhosts '1'

option authoritative '1'

option readethers '1'

option leasefile '/tmp/dhcp.leases'

option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'

option localservice '1'

option ednspacket_max '1232'

option noresolv '0'

config dhcp 'lan'

option interface 'lan'

option start '100'

option leasetime '12h'

option dhcpv4 'server'

option limit '254'

list dhcp_option '6,192.168.1.2'

option ra 'server'

option dhcpv6 'server'

list dns 'ddac:707:4759:50:4436:dbff:fe27:8e33'

list ra_flags 'managed-config'

config dhcp 'wan'

option interface 'wan'

option ignore '1'

list ra_flags 'none'

config odhcpd 'odhcpd'

option maindhcp '0'

option leasefile '/tmp/hosts/odhcpd'

option leasetrigger '/usr/sbin/odhcpd-update'

option loglevel '4'

config dhcp 'management'

option interface 'management'

option leasetime '12h'

option limit '254'

option netmask '255.255.255.0'

option start '50'

list dhcp_option '3'

list dhcp_option '6,192.168.1.2'

option ra 'server'

option dhcpv6 'server'

list ra_flags 'none'

config dhcp 'lab'

option interface 'lab'

option leasetime '12h'

option limit '254'

option start '50'

option ra 'server'

option dhcpv6 'server'

list ra_flags 'none'

option dns_service '0'

config dhcp 'iot'

option interface 'iot'

option leasetime '12h'

option limit '254'

option start '50'

option ra 'server'

option dhcpv6 'server'

list ra_flags 'none'

option dns_service '0'

config dhcp 'guest'

option interface 'guest'

option leasetime '12h'

option limit '254'

option start '50'

option ra 'server'

option dhcpv6 'server'

list dhcp_option '6,192.168.1.2'

list ra_flags 'none'

list dns 'ddac:707:4759:50:4436:dbff:fe27:8e33'

config dhcp 'external'

option interface 'external'

option leasetime '12h'

option start '50'

option limit '254'

option ra 'server'

option dhcpv6 'server'

list ra_flags 'none'

option dns_service '0'

Firewall

# Zone-independent defaults. forward REJECT means any inter-zone traffic
# needs an explicit 'config forwarding' section further down.
config defaults

option input 'ACCEPT'

option output 'ACCEPT'

option forward 'REJECT'

option synflood_protect '1'

# NOTE(review): software/hardware flow offloading lets established flows skip
# parts of netfilter. If the policy routing relies on per-packet marking, it is
# worth re-testing with both offloading options disabled before concluding
# that the vpn-policy-routing rules themselves are wrong.
option flow_offloading '1'

option flow_offloading_hw '1'

config zone

option name 'lan'

list network 'lan'

option input 'ACCEPT'

option output 'ACCEPT'

option forward 'ACCEPT'

config zone

option name 'wan'

list network 'wan'

list network 'wan6'

option input 'REJECT'

option output 'ACCEPT'

option forward 'REJECT'

option masq '1'

option mtu_fix '1'

option masq6 '1'

option masq6_privacy '1'

config rule

option name 'Allow-DHCP-Renew'

option src 'wan'

option proto 'udp'

option dest_port '68'

option target 'ACCEPT'

option family 'ipv4'

config rule

option name 'Allow-Ping'

option src 'wan'

option proto 'icmp'

option icmp_type 'echo-request'

option family 'ipv4'

option target 'ACCEPT'

config rule

option name 'Allow-IGMP'

option src 'wan'

option proto 'igmp'

option family 'ipv4'

option target 'ACCEPT'

config rule

option name 'Allow-DHCPv6'

option src 'wan'

option proto 'udp'

option src_ip 'fc00::/6'

option dest_ip 'fc00::/6'

option dest_port '546'

option family 'ipv6'

option target 'ACCEPT'

config rule

option name 'Allow-MLD'

option src 'wan'

option proto 'icmp'

option src_ip 'fe80::/10'

list icmp_type '130/0'

list icmp_type '131/0'

list icmp_type '132/0'

list icmp_type '143/0'

option family 'ipv6'

option target 'ACCEPT'

config rule

option name 'Allow-ICMPv6-Input'

option src 'wan'

option proto 'icmp'

list icmp_type 'echo-request'

list icmp_type 'echo-reply'

list icmp_type 'destination-unreachable'

list icmp_type 'packet-too-big'

list icmp_type 'time-exceeded'

list icmp_type 'bad-header'

list icmp_type 'unknown-header-type'

list icmp_type 'router-solicitation'

list icmp_type 'neighbour-solicitation'

list icmp_type 'router-advertisement'

list icmp_type 'neighbour-advertisement'

option limit '1000/sec'

option family 'ipv6'

option target 'ACCEPT'

config rule

option name 'Allow-ICMPv6-Forward'

option src 'wan'

option dest '*'

option proto 'icmp'

list icmp_type 'echo-request'

list icmp_type 'echo-reply'

list icmp_type 'destination-unreachable'

list icmp_type 'packet-too-big'

list icmp_type 'time-exceeded'

list icmp_type 'bad-header'

list icmp_type 'unknown-header-type'

option limit '1000/sec'

option family 'ipv6'

option target 'ACCEPT'

config rule

option name 'Allow-IPSec-ESP'

option src 'wan'

option dest 'lan'

option proto 'esp'

option target 'ACCEPT'

config rule

option name 'Allow-ISAKMP'

option src 'wan'

option dest 'lan'

option dest_port '500'

option proto 'udp'

option target 'ACCEPT'

config rule

option name 'Support-UDP-Traceroute'

option src 'wan'

option dest_port '33434:33689'

option proto 'udp'

option family 'ipv4'

option target 'REJECT'

option enabled '0'

config include

option path '/etc/firewall.user'

# Zone for the WireGuard tunnel interface. input REJECT keeps the tunnel side
# away from router services; forward REJECT means only the explicit
# lan/management/lab -> mullvad forwardings below may use it.
config zone

option name 'mullvad'

option input 'REJECT'

option output 'ACCEPT'

option forward 'REJECT'

option mtu_fix '1'

list network 'mullvad'

# masq '1' is IPv4-only (there is no masq6 on this zone). IPv6 MASQUERADE for
# tunnel traffic presumably comes from the firewall.nat6 include that copies
# the IPv4 nat table — confirm with `ip6tables -t nat -S`.
option masq '1'

config forwarding

option src 'lan'

option dest 'mullvad'

config zone

option name 'management'

option input 'ACCEPT'

option output 'ACCEPT'

list network 'management'

option forward 'ACCEPT'

config forwarding

option src 'management'

option dest 'mullvad'

config zone

option name 'iot'

option input 'ACCEPT'

option output 'ACCEPT'

option forward 'REJECT'

list network 'iot'

config zone

option name 'external'

option input 'ACCEPT'

option output 'ACCEPT'

option forward 'REJECT'

list network 'external'

config forwarding

option src 'external'

option dest 'wan'

config zone

option name 'lab'

option input 'ACCEPT'

option output 'ACCEPT'

option forward 'REJECT'

list network 'lab'

config forwarding

option src 'lab'

option dest 'mullvad'

# Lets every zone (src '*') reach the PiHole on port 53 only, for both its
# IPv4 address and its ULA IPv6 address. No 'option proto' is given, so the
# firewall's default protocol set applies — presumably tcp+udp; verify if DNS
# over TCP is expected to work from the clients.
config rule

option name 'PiHole DNS'

option src '*'

option dest 'management'

option dest_port '53'

option target 'ACCEPT'

list dest_ip '192.168.1.2'

list dest_ip 'ddac:707:4759:50:4436:dbff:fe27:8e33'

# Guest zone. forward REJECT plus the guest -> wan forwarding below gives the
# guest network Internet-only access between zones.
config zone 'guest'

option name 'guest'

option network 'guest'

option output 'ACCEPT'

option forward 'REJECT'

# NOTE(review): input ACCEPT lets guest clients reach every service on the
# router itself (SSH, LuCI, ...). For an untrusted network the usual pattern
# is input REJECT plus rules that allow only DHCP (udp 67/68, 546/547) and
# DNS (53) from this zone.
option input 'ACCEPT'

config forwarding

option src 'guest'

option dest 'wan'

config include 'nat6'

option path '/etc/firewall.nat6'

option reload '1'

firewall.nat6

# Copies the IPv4 nat table into ip6tables, dropping only the DNAT/SNAT lines,
# so every MASQUERADE rule (wan and mullvad zones alike) is duplicated for
# IPv6. ip6tables-restore without --noflush replaces the existing ip6tables
# nat table, so whatever fw3 placed there (presumably the masq6 rules) is
# rewritten on every firewall reload — inspect the result with
# `ip6tables -t nat -S`.
iptables-save --table="nat" | sed -e "/\s[DS]NAT\s/d" | ip6tables-restore --table="nat"

Network

config interface 'loopback'

option device 'lo'

option proto 'static'

option ipaddr '127.0.0.1'

option netmask '255.0.0.0'

config globals 'globals'

option packet_steering '1'

option ula_prefix 'ddac:0707:4759::/48'

config device

option type '8021q'

option ifname 'bond0'

option vid '1'

option name 'mgmt'

config device

option type '8021q'

option ifname 'bond0'

option vid '10'

option name 'wan'

config device

option type '8021q'

option ifname 'bond0'

option vid '100'

option name 'lan'

config device

option type '8021q'

option ifname 'bond0'

option vid '200'

option name 'iot'

config device

option type '8021q'

option ifname 'bond0'

option vid '210'

option name 'external'

config device

option type '8021q'

option ifname 'bond0'

option vid '220'

option name 'lab'

config device

option type '8021q'

option ifname 'bond0'

option vid '230'

option name 'guest'

config interface 'wan'

option proto 'dhcp'

option peerdns '0'

option device 'bond0.10'

list dns '192.168.1.2'

list dns '193.138.218.74'

config interface 'wan6'

option device 'bond0.10'

option proto 'dhcpv6'

option peerdns '0'

option reqaddress 'try'

option reqprefix 'auto'

list dns 'ddac:707:4759:50:4436:dbff:fe27:8e33'

config interface 'management'

option proto 'static'

option ipaddr '192.168.1.1'

option netmask '255.255.255.0'

option device 'bond0.1'

option ip6assign '60'

config interface 'lan'

option device 'bond0.100'

option proto 'static'

option netmask '255.255.255.0'

option ip6assign '60'

option ipaddr '192.168.100.1'

config interface 'iot'

option device 'bond0.200'

option proto 'static'

option netmask '255.255.255.0'

option ip6assign '60'

option ipaddr '192.168.200.1'

config interface 'external'

option proto 'static'

option netmask '255.255.255.0'

option ip6assign '60'

option ipaddr '192.168.220.1'

option device 'bond0.220'

config interface 'lab'

option proto 'static'

option netmask '255.255.255.0'

option ip6assign '60'

option ipaddr '192.168.210.1'

option device 'bond0.210'

config interface 'guest'

option device 'bond0.230'

option proto 'static'

option netmask '255.255.255.0'

option ip6assign '60'

option ipaddr '192.168.230.1'

# WireGuard client interface. The private key has been redacted in this paste.
config interface 'mullvad'

option proto 'wireguard'

# Keep the interface configured regardless of carrier/handshake state.
option force_link '1'

option mtu '1380'

option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'

# Tunnel-internal addresses (IPv4 plus an fc00::/7-range IPv6) for this client.
option addresses '10.110.113.212/32 fc00:bbbb:bbbb:bb01::2f:71d3/128'

# Peer section for the provider endpoint.
config wireguard_mullvad

option persistent_keepalive '25'

option endpoint_port '51820'

option endpoint_host 'de7-wireguard.mullvad.net'

option public_key '+0BEfUZ3D0DEM/fJVPUUhYYDdkkLjqedVerm8dV4bmE='

option description 'de7-wireguard.mullvad.net'

# Full-tunnel allowed IPs for both families. With route_allowed_ips the
# matching default routes are installed via this interface, so anything not
# steered elsewhere by vpn-policy-routing is expected to leave through the VPN.
list allowed_ips '0.0.0.0/0'

list allowed_ips '::/0'

option route_allowed_ips '1'

rc.local

# Put your custom commands here that should be executed once

# the system init finished. By default this file does nothing.

# Build bond0 from eth0 and eth1 (balance-xor, 100 ms MII link monitoring);
# the 802.1q devices in /etc/config/network all hang off this bond.
# NOTE(review): rc.local runs late in boot. If netifd creates the bond0.*
# VLAN devices before this script has brought bond0 up, they may come up
# against a missing parent — confirm the boot ordering on this system.
modprobe bonding mode=balance-xor miimon=100

ifconfig bond0 up

ip link set eth0 master bond0

ip link set eth1 master bond0

exit 0

vpn-policy-routing

# Global vpn-policy-routing settings.
config vpn-policy-routing 'config'

option verbosity '2'

# With strict enforcement, traffic matched to an interface that is down is
# meant to be dropped rather than falling back to the default route — this is
# what keeps VPN-bound clients from leaking via wan if the tunnel fails.
option strict_enforcement '1'

option src_ipset '0'

option dest_ipset '0'

list ignored_interface 'vpnserver wgserver'

option boot_timeout '30'

option iptables_rule_option 'append'

option procd_reload_delay '1'

option webui_enable_column '0'

option webui_protocol_column '0'

option webui_chain_column '0'

option webui_show_ignore_target '0'

option webui_sorting '1'

list webui_supported_protocol 'tcp'

list webui_supported_protocol 'udp'

list webui_supported_protocol 'tcp udp'

list webui_supported_protocol 'icmp'

list webui_supported_protocol 'all'

option enabled '1'

# IPv6 policies are processed too; the Guestv6 policy further down relies on
# this.
option ipv6_enabled '1'

option resolver_ipset 'none'

config include

option path '/etc/vpn-policy-routing.netflix.user'

option enabled '0'

config include

option path '/etc/vpn-policy-routing.aws.user'

option enabled '0'

config policy

option name 'Guest'

option src_addr '192.168.230.0/24'

option interface 'wan'

# IPv6 counterpart of the 'Guest' policy: steer guest IPv6 sources to wan.
config policy

option interface 'wan'

option name 'Guestv6'

# NOTE(review): this is a host address (...::1) written with a /60 length, and
# the /60 that 'guest' actually receives from the ddac:0707:4759::/48 ULA via
# 'ip6assign 60' is not shown anywhere in this paste — check it with
# `ifstatus guest` and make sure the prefix here matches. If wan6 also
# delegates a global prefix to guest (reqprefix 'auto'), guest clients would
# additionally source from that prefix and a ULA-only match would not catch
# them.
option src_addr 'ddac:707:4759:10::1/60'