Wireguard ipv6 handshake but no data

snippem · December 5, 2022, 6:32pm

Hi all
i am trying to take the last step into ipv6.
Wireguard is the only thing that is not ipv6 enabled.
With the settings that i have at the moment i have a handshake on the IPV6 but no internet.(say's it is blocked a firewal)
On ipv4 everything is fine. Hope somebody could take at my settings.

Network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd97:781c:cad1::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config device
	option name 'eth1'
	option macaddr 'da:96:6e:0e:99:43'

config device
	option name 'eth0'
	option macaddr 'da:96:6e:0e:99:42'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	list dns '1.0.0.1'
	list dns '1.1.1.1'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	list dns '2001:4860:4860::8888'
	list dns '2001:4860:4860::8844'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '2'
	option name 'eth1.2'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '3'
	option name 'eth1.3'

config interface 'VLAN2'
	option proto 'static'
	option device 'eth1.2'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6hint '2'
	list ip6class 'local'
	list ip6class 'wan6'

config interface 'VLAN3'
	option proto 'static'
	option device 'eth1.3'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6hint '1'
	list ip6class 'local'
	list ip6class 'wan6'

config interface 'WG0'
	option proto 'wireguard'
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	option listen_port '51820'
	list addresses 'fd42:42:42::1/128'
	list addresses '10.13.13.1/32'

config wireguard_WG0
	option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	option preshared_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	option description 'peer10'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips 'fd42:42:42::10/128'

DHCP:


config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'VLAN2'
	option interface 'VLAN2'
	option start '100'
	option limit '150'
	option ra 'server'
	option dhcpv6 'server'
	option leasetime '12m'
	list dhcp_option '6,192.168.2.4'
	list ra_flags 'other-config'
	list dns 'fd97:781c:cad1:2:5e82:4bc:402d:6929'

config dhcp 'VLAN3'
	option interface 'VLAN3'
	option start '100'
	option limit '150'
	option ra 'server'
	option dhcpv6 'server'
	option leasetime '12m'
	list ra_flags 'other-config'

firewal:


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'
	option dest 'VLAN2'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option dest 'VLAN2'

config zone
	option name 'VLAN2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'VLAN2'
	list network 'WG0'

config zone
	option name 'VLAN3'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'VLAN3'

config rule
	list proto 'udp'
	option src_port '5353'
	list dest_ip '224.0.0.251'
	option dest_port '5353'
	option target 'ACCEPT'
	option name 'allow mDNS'
	option src '*'

config forwarding
	option src 'VLAN2'
	option dest 'wan'

config forwarding
	option src 'VLAN3'
	option dest 'wan'

config forwarding
	option src 'VLAN2'
	option dest 'VLAN3'

config rule
	option name 'Wireguard'
	list proto 'udp'
	option src 'wan'
	option dest_port '51820'
	option target 'ACCEPT'

mk24 · December 5, 2022, 9:12pm

On your wg interfaces, use a /64 netmask on the ULA so both ends are in the same network segment. Then you can try pinging from one tunnel endpoint to the other using its IP. (Similarly, expand the ip4 to a /24).
The allowed_ips can (and should) stay at /32 and /128 since there will only ever be the peer's own IP as the source of packets from the peer.

snippem · December 5, 2022, 10:43pm

I changed all of the things you pointed out and stil a handshake no internet.
But i want to point out that i use a dynamic dns cloudflare script to point to lookup my Hostname
Registered IP.(see screenshots)
But is this the actual ipv6 adres that i want to use in wireguard?

Because the ipv6 adres is different when i compare it with "whats my ip" is showing.

snippem · December 6, 2022, 10:39pm

Hope there is somebody who could explain how to setup a wireguard vpn server using ipv6?
(Probably i am stuck because i am trying to set it up as an ipv4 connection)

trendy · December 6, 2022, 10:59pm

If you want to route the internet over the wg tunnel, then you need to add ::/0 in the allowed IPs on the peer.
Furthermore you'll need to masquerade the ULA prefix before it can be routed to the internet.

snippem · December 6, 2022, 11:32pm

Okay a noob here how do i masquerade the ula prefix ?

trendy · December 7, 2022, 7:59am

snippem · December 7, 2022, 8:18am

Found the page allready read it but not sure what to change.

enterd this through SSH :

Configure firewall

uci set firewall.@zone[1].masq6="1"
uci commit firewall
/etc/init.d/firewall restart

Not sure if need to alter something for example @zone[1] do i need to change the [1]?

Then I reactivated my dynamic DNS script and cloudflare received an update of its ipv6.

Tried to setup a connection through wireguard.
Result again a handshake data is exchanged but no web-browsing etc

trendy · December 7, 2022, 8:56am

Can you check if the masq6 option is added in wan zone?

snippem · December 7, 2022, 9:50am

I do not see the option under firewall WAN only masq 1. But under VLAN2 i see masq6 1

Firewall:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'
	option dest 'VLAN2'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option dest 'VLAN2'

config zone
	option name 'VLAN2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'VLAN2'
	list network 'WG0'
	option masq6 '1'

config zone
	option name 'VLAN3'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'VLAN3'

config rule
	list proto 'udp'
	option src_port '5353'
	list dest_ip '224.0.0.251'
	option dest_port '5353'
	option target 'ACCEPT'
	option name 'allow mDNS'
	option src '*'

config forwarding
	option src 'VLAN2'
	option dest 'wan'

config forwarding
	option src 'VLAN3'
	option dest 'wan'

config forwarding
	option src 'VLAN2'
	option dest 'VLAN3'

config rule
	option name 'Allow-WireGuard'
	list proto 'udp'
	option src 'wan'
	option dest_port '51820'
	option target 'ACCEPT'

Network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd97:781c:cad1::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config device
	option name 'eth1'
	option macaddr 'xxxxxxxxxxxxxxxx'

config device
	option name 'eth0'
	option macaddr 'xxxxxxxxxxxxxxxx'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '2'
	option name 'eth1.2'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '3'
	option name 'eth1.3'

config interface 'VLAN2'
	option proto 'static'
	option device 'eth1.2'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6hint '2'
	list ip6class 'local'
	list ip6class 'wan6'
	option ip6weight '3'

config interface 'VLAN3'
	option proto 'static'
	option device 'eth1.3'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	list ip6class 'local'
	list ip6class 'wan6'
	option ip6hint '3'
	option ip6weight '2'

config interface 'WG0'
	option proto 'wireguard'
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	option listen_port '51820'
	list addresses '10.13.13.1/28'
	list addresses 'fdf1:e8a1:8d3f:9::1/64'


config wireguard_WG0
	option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	option preshared_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	option description 'peer10'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips 'fdf1:e8a1:8d3f:9::2/128'

trendy · December 7, 2022, 10:10am

Try this

uci delete firewall.@zone[1].masq6
uci set firewall.@zone[0].masq6="1"
uci commit firewall
/etc/init.d/firewall restart

snippem · December 7, 2022, 10:13am

Removed the masq6 option on VLAN2 and added it to the WAN.
Then i added my local DNS server to the peer information because chrome complained there was no DNS adres.

Then started wireguard and this is what chrome tells:

Je toegang tot internet wordt geblokkeerd

De verbinding is mogelijk geblokkeerd door de firewall of antivirussoftware.

Probeer dit eens:

Controleer de verbinding
Controleer firewall- en antivirusconfiguraties
[Windows Netwerkcontrole uitvoeren](javascript:diagnoseErrors())

ERR_NETWORK_ACCESS_DENIED

Firewall, peer information and network after changes

Network:


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd97:781c:cad1::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config device
	option name 'eth1'
	option macaddr 'da:96:6e:0e:99:43'

config device
	option name 'eth0'
	option macaddr 'da:96:6e:0e:99:42'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '2'
	option name 'eth1.2'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '3'
	option name 'eth1.3'

config interface 'VLAN2'
	option proto 'static'
	option device 'eth1.2'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6hint '2'
	list ip6class 'local'
	list ip6class 'wan6'
	option ip6weight '3'

config interface 'VLAN3'
	option proto 'static'
	option device 'eth1.3'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	list ip6class 'local'
	list ip6class 'wan6'
	option ip6hint '3'
	option ip6weight '2'

config interface 'WG0'
	option proto 'wireguard'
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	option listen_port '51820'
	list addresses '10.13.13.1/28'
	list addresses 'fdf1:e8a1:8d3f:9::1/64'

config wireguard_WG0
	option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	option preshared_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	option description 'peer10'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips 'fdf1:e8a1:8d3f:9::2/128'

Firewall:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option masq6 '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'
	option dest 'VLAN2'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option dest 'VLAN2'

config zone
	option name 'VLAN2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'VLAN2'
	list network 'WG0'

config zone
	option name 'VLAN3'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'VLAN3'

config rule
	list proto 'udp'
	option src_port '5353'
	list dest_ip '224.0.0.251'
	option dest_port '5353'
	option target 'ACCEPT'
	option name 'allow mDNS'
	option src '*'

config forwarding
	option src 'VLAN2'
	option dest 'wan'

config forwarding
	option src 'VLAN3'
	option dest 'wan'

config forwarding
	option src 'VLAN2'
	option dest 'VLAN3'

config rule
	option name 'Allow-WireGuard'
	list proto 'udp'
	option src 'wan'
	option dest_port '51820'
	option target 'ACCEPT'

Peer information:

[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ListenPort = 51820
Address = fdf1:e8a1:8d3f:9::2/128
DNS = fd97:781c:cad1:2::5e82

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
PresharedKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = ::/0
Endpoint = ipv6.famsnippe.nl:51820

snippem · December 7, 2022, 10:21am

Tried the code you suggested the same result as the post above yours and i see no difference in the rules that i posted earlier.

Because i use adguardhome as my dns server here is my DHCP file content.

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'VLAN2'
	option interface 'VLAN2'
	option start '100'
	option limit '150'
	option ra 'server'
	option dhcpv6 'server'
	option leasetime '12m'
	list dhcp_option '6,192.168.2.4'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dns 'fd97:781c:cad1:2::5e82'

config dhcp 'VLAN3'
	option interface 'VLAN3'
	option start '100'
	option limit '150'
	option ra 'server'
	option dhcpv6 'server'
	option leasetime '12m'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

trendy · December 7, 2022, 10:50am

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
ip6tables-save -c; nft list ruleset; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru

snippem · December 7, 2022, 11:30am

Here is the result.

Deleted the rest of the content just in case something usefull is left behind.

trendy · December 7, 2022, 12:43pm

Try this and report back with the same output if it doesn't work.

snippem · December 7, 2022, 12:54pm

All of the code of this page ?

trendy · December 7, 2022, 1:50pm

uci set network.wan6.sourcefilter="0"
uci commit network
/etc/init.d/network restart

snippem · December 7, 2022, 7:32pm

This works i now have a working ipv6 wireguard connections
Thanks for your support.

snippem · December 8, 2022, 7:05am

@trendy a bit off topic maybe. But on the forum off ziggo my internet provider i placed the findings so it could help others.
The question is should masq6 be on or off? Because that wasn't the problem or was it part of the problem? and what does it do for wireguard?