Hi, I have a small problem where the WAN IPv6 addresses don't respond to icmp-requests.
I receive 2 WAN IPs (a /128 and a /64) from my ISP, I also have a /57 prefix that gets delegated to a /64 on my LAN.
From the 2 WAN IPs, I can ping towards Google DNS, but I can not ping from the internet to the WAN IPs. A tcpdump doesn't show any icmp requests going towards the WAN interface.
The strange thing is that I can ping from the internet towards the /64 I receive on my LAN.
When I do a traceroute from the internet towards any IP address (WAN and LAN), the last hop that responds is the same IP address from my ISP.
The obvious problem would be the firewall rules, but I just use the default ones, that allow icmpv6 echo requests.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
Can somebody point me towards the right direction?
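To confirm that a firewall config like the one quoted above really accepts ICMPv6 echo requests arriving on the wan zone, the rule can be checked mechanically. This is an added example, not part of the original post or of OpenWrt; the function names are hypothetical, the sample is a shortened copy of the quoted rule, and the set of accepted protocol names is an assumption.

```python
import shlex

# Constructed sample: a shortened copy of the rule quoted in the post.
SAMPLE = """
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	option family 'ipv6'
	option target 'ACCEPT'
"""

def parse_uci(text):
    """Parse UCI text into one dict per section; 'list' entries become lists."""
    sections = []
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # handles quotes and '#' comments
        if not tokens:
            continue
        if tokens[0] == "config" and len(tokens) >= 2:
            sections.append({".type": tokens[1]})
        elif tokens[0] == "option" and len(tokens) == 3 and sections:
            sections[-1][tokens[1]] = tokens[2]
        elif tokens[0] == "list" and len(tokens) == 3 and sections:
            sections[-1].setdefault(tokens[1], []).append(tokens[2])
    return sections

def accepts_echo_request(rule, zone="wan"):
    """True if the rule accepts ICMPv6 echo-request from `zone` to the router."""
    if rule.get(".type") != "rule" or rule.get("enabled", "1") == "0":
        return False
    if rule.get("src") != zone or "dest" in rule:  # a 'dest' makes it a forward rule
        return False
    if rule.get("target") != "ACCEPT" or rule.get("family", "any") not in ("ipv6", "any"):
        return False
    protos = rule.get("proto", "")
    protos = protos if isinstance(protos, list) else protos.split()
    if not any(p in ("icmp", "icmpv6", "ipv6-icmp") for p in protos):  # assumed names
        return False
    types = rule.get("icmp_type")
    return types is None or "echo-request" in types  # no type list matches all types

def input_ping_allowed(text, zone="wan"):
    """True if any rule in the config text lets the router answer pings from `zone`."""
    return any(accepts_echo_request(r, zone) for r in parse_uci(text))
```

A True result only says the rule set permits the ping; whether echo requests reach the WAN interface at all is what the tcpdump mentioned in the post checks.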
The first traceroute I did towards the WAN /64, the second I did towards the LAN /64.
In both cases, the same ISP address is the second to last hop (as expected), but I don't receive any response from my WAN IPv6 address.
I noticed that the /64 wan address is usually from the PD pool while the /128 is different and from the ISP side.
I did not need the /64 for the WAN from the PD pool, it can be disabled by disabling the "IPv6 assignment length" on the Advanced tab of wan6.
But I also noticed that not all ISPs implement IPv6 the same so YMMV.
It is not weird that the ISP is not allowing ping or anything else to its infrastructure IPs. And your WAN IPs are part of its infrastructure. You should use the delegated IPs you get (the /57) when you try to access your device from the Internet.