Hi there,
I currently have a problem with IPv6 over WireGuard while travelling on holiday.
The router is configured as a WireGuard client to my home-site OpenWrt router, using a split tunnel.
My travel router can ping the home-site IPv6 subnets without any problems from the console via SSH; unfortunately, the clients behind the travel router cannot.
HTTPS over IPv6 to the home-site IPv6 subnets is also not possible.
IPv6 pings from the clients to the WAN side (e.g. www.heise.de) are possible.
My configuration on the travel router:
/etc/config/network
# Loopback, global settings and the four bridge devices of the travel router.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# ula_prefix is the travel router's own ULA range. The lan, work, guest and
# multimedia interfaces each set ip6assign '64', so clients presumably hold
# addresses from fd1a::/60 (plus any delegated global prefix). Confirm on a
# client, because that source address is what the home peer sees inside the tunnel.
config globals 'globals'
option packet_steering '1'
option ula_prefix 'fd1a::/60'
# Only br-lan has physical ports listed here; the other bridges are created
# empty (bridge_empty '1') and presumably get wireless interfaces attached elsewhere.
config device
option name 'br-lan'
option type 'bridge'
option bridge_empty '1'
list ports 'lan1'
list ports 'lan2'
config device
option type 'bridge'
option name 'br-guest'
option bridge_empty '1'
config device
option type 'bridge'
option name 'br-work'
option bridge_empty '1'
config device
option type 'bridge'
option name 'br-multimedia'
option bridge_empty '1'
# Three uplinks (wan, wwan, tethering_wan), each a DHCPv4 client with a DHCPv6
# alias interface on the same device ('@name').
# The IPv4 uplinks set peerdns '0', so resolvers offered by the upstream
# network are ignored in favour of the listed ones.
# NOTE(review): the two resolvers are listed twice on 'wan'; the duplicates look unintended.
config interface 'wan'
option proto 'dhcp'
option device 'wan'
option peerdns '0'
list dns '5.1.66.255'
list dns '185.150.99.255'
list dns '5.1.66.255'
list dns '185.150.99.255'
# NOTE(review): the three dhcpv6 interfaces do not set peerdns '0'. If the
# default applies, resolvers announced by the (untrusted) guest network over
# IPv6 are accepted alongside the listed ones. Confirm in the generated resolv file.
# reqaddress 'none' with reqprefix '56' asks only for a delegated /56 and no
# address of the router's own.
config interface 'wan6'
option proto 'dhcpv6'
option device '@wan'
list dns '2001:678:e68:f000::'
list dns '2001:678:ed0:f000::'
option reqaddress 'none'
option reqprefix '56'
# No device is set for wwan in this file; presumably it is bound by a wireless
# client (station) section that is not shown.
config interface 'wwan'
option proto 'dhcp'
option peerdns '0'
list dns '5.1.66.255'
list dns '185.150.99.255'
config interface 'wwan6'
option proto 'dhcpv6'
option device '@wwan'
list dns '2001:678:e68:f000::'
list dns '2001:678:ed0:f000::'
option reqaddress 'none'
option reqprefix '56'
# USB tethering uplink on eth1.
config interface 'tethering_wan'
option proto 'dhcp'
option device 'eth1'
option peerdns '0'
list dns '5.1.66.255'
list dns '185.150.99.255'
config interface 'tethering_wan6'
option proto 'dhcpv6'
option device '@tethering_wan'
option reqaddress 'none'
option reqprefix '56'
list dns '2001:678:e68:f000::'
list dns '2001:678:ed0:f000::'
# Local networks. Each sets ip6assign '64' with a distinct ip6hint, so each
# requests its own /64 from the available prefixes (the ULA and any delegated prefix).
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.100.1'
option ip6weight '10'
option ip6hint '0'
option ip6assign '64'
# NOTE(review): this runs a DHCPv6 client on the LAN bridge itself, and the
# firewall places 'lan6' in the trusted lan zone. Any host on the LAN that
# answers could presumably hand the router addresses, routes or resolvers.
# The purpose is not visible here; confirm it is needed, otherwise remove it.
config interface 'lan6'
option proto 'dhcpv6'
option device '@lan'
option force_link '1'
option reqaddress 'none'
option reqprefix 'auto'
option delegate '0'
# Guest network, 192.168.40.0/26, using the public resolvers directly.
config interface 'guest'
option proto 'static'
option device 'br-guest'
list ipaddr '192.168.40.1/26'
list dns '5.1.66.255'
list dns '185.150.99.255'
list dns '2001:678:e68:f000::'
list dns '2001:678:ed0:f000::'
list dns_search 'br1l0.gu35t'
option ip6weight '8'
option ip6assign '64'
option ip6hint '2'
# Work network, 192.168.61.0/29.
config interface 'work'
option proto 'static'
list ipaddr '192.168.61.1/29'
list dns '5.1.66.255'
list dns '185.150.99.255'
list dns '2001:678:e68:f000::'
list dns '2001:678:ed0:f000::'
option device 'br-work'
option ip6weight '9'
option ip6assign '64'
option ip6hint '1'
# Multimedia network, 192.168.70.0/27.
config interface 'multimedia'
option proto 'static'
list ipaddr '192.168.70.1/27'
list dns '5.1.66.255'
list dns '185.150.99.255'
list dns '2001:678:e68:f000::'
list dns '2001:678:ed0:f000::'
option device 'br-multimedia'
list dns_search 'br1l0.mult1m3d14'
option ip6weight '7'
option ip6assign '64'
option ip6hint '3'
# WireGuard client interface towards the home site.
# private_key, public_key, preshared_key and endpoint_host are redacted
# placeholders in this post; real values must never be pasted into a forum.
# The tunnel addresses are single hosts (/32 and /128). Traffic that the router
# itself originates uses fd11:5ee:bad:c0de::3 as its source, which the home
# peer presumably lists in its allowed_ips for this client.
config interface 'wg0'
option proto 'wireguard'
option peerdns '0'
option private_key 'ZZZZZZZZZZZZZZZZ'
list addresses '192.168.77.3/32'
list addresses 'fd11:5ee:bad:c0de::3/128'
list dns 'fd00::dea6:32ff:fe85:b004'
list dns 'fd00::dea6:32ff:fe19:ede8'
list dns '192.168.1.5'
list dns '192.168.1.15'
# Peer = home router. allowed_ips lists only home-side prefixes (split tunnel),
# and route_allowed_ips '1' installs a route via wg0 for each of them.
# allowed_ips is also WireGuard's inbound source filter. The home router applies
# its own allowed_ips to packets arriving from this client, so forwarded LAN
# packets that keep an fd1a::/60 or delegated-prefix source will be dropped
# there unless that prefix is listed on the home side or the source is translated here.
# NOTE(review): the home-side peer section is not shown; verify it.
config wireguard_wg0
option description 'XXX.HOME'
option public_key 'YYYYYYYYYYYYYYYYYYYY'
option preshared_key 'XXXXXXXXXXXXXXX'
option persistent_keepalive '25'
option endpoint_host 'xxxx.yyyy.zzzz'
option endpoint_port '51821'
option route_allowed_ips '1'
list allowed_ips '192.168.77.0/24'
list allowed_ips 'fd00::/60'
list allowed_ips '192.168.1.0/24'
list allowed_ips 'fd11:5ee:bad:c0de::/124'
list allowed_ips '10.0.0.0/29'
list allowed_ips '192.168.2.0/24'
list allowed_ips 'fd02::/64'
/etc/config/firewall
# Global fallback policies, used for traffic that no zone covers.
# NOTE(review): input 'ACCEPT' means an interface that is not assigned to any
# zone would presumably accept inbound traffic to the router. On a travel router
# attached to untrusted networks, 'REJECT' is the safer fallback once every
# interface is confirmed to be in a zone.
# NOTE(review): software and hardware flow offloading let established flows skip
# part of the normal packet path. Temporarily disabling both is a common step
# when debugging forwarded tunnel traffic.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
option flow_offloading_hw '1'
# Trusted zone: the router accepts input from lan and lan6.
# log '1' records packets rejected or dropped for this zone in the system log,
# which helps when tracing where client traffic stops.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'lan6'
option log '1'
# Untrusted uplinks: input and forward are rejected unless a rule further down allows them.
# masq '1' masquerades IPv4 only; IPv6 leaves with the client's own address.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option log '0'
list network 'wwan'
list network 'wwan6'
list network 'wan'
list network 'wan6'
list network 'tethering_wan'
list network 'tethering_wan6'
# guest, work and multimedia reject input to the router.
# NOTE(review): no DHCP/DNS accept rules for these zones are visible; the
# poster states the rule list was shortened, so they are presumably defined elsewhere.
config zone
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
config zone 'Work'
option name 'work'
option output 'ACCEPT'
option forward 'REJECT'
option input 'REJECT'
option log '0'
list network 'work'
config zone 'Multimedia'
option name 'multimedia'
option output 'ACCEPT'
option forward 'REJECT'
option input 'REJECT'
option log '0'
list network 'multimedia'
# Tunnel zone. input 'REJECT' keeps the home site from opening connections to
# the travel router itself.
# masq '1' rewrites only IPv4 sources to the tunnel address. That matches the
# symptom: IPv4 from clients is translated, and the router's own IPv6 uses the
# tunnel address, but forwarded client IPv6 keeps its LAN source address.
# Two possible fixes (verify against the home-side configuration):
#   - on firewall4-based releases, add option masq6 '1' to this zone, or
#   - route the travel LAN's IPv6 prefix on the home side and add it to this
#     peer's allowed_ips there (no NAT, but needs a stable prefix such as the ULA).
config zone
option name 'vpn'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option log '1'
list network 'wg0'
# Inter-zone forwardings. None of them sets a family, so each applies to both
# IPv4 and IPv6.
config forwarding
option src 'lan'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'multimedia'
# lan -> vpn is already permitted for IPv6, so an extra ICMPv6 forward rule
# should not be needed. There is deliberately no vpn -> lan forwarding; only
# replies to connections opened from the LAN come back.
config forwarding
option src 'lan'
option dest 'vpn'
# guest, work and multimedia may reach the internet only; none of them has a
# forwarding towards vpn or lan.
config forwarding
option src 'guest'
option dest 'wan'
config forwarding
option src 'work'
option dest 'wan'
config forwarding
option src 'multimedia'
option dest 'wan'
# Exceptions to the wan zone's REJECT policy. These mirror the stock OpenWrt
# rule set; each one is reachable from whatever untrusted network is the uplink.
# Needed so DHCPv4 renewals from the upstream server reach the router.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# NOTE(review): answers IPv4 echo requests from the uplink. On a travel router
# this can be removed if being pingable on hotel or hotspot networks is not wanted.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
# Required for the dhcpv6 uplink interfaces to receive replies.
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# Multicast listener discovery, restricted to link-local sources.
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 to the router itself, including the neighbour and router discovery
# types that IPv6 needs on the uplink; rate-limited to 1000 packets per second.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Forwarded ICMPv6 from the uplink to every destination zone (dest '*'), so
# clients with a delegated global address can be pinged from outside.
# packet-too-big must stay allowed for path MTU discovery.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# NOTE(review): the next two rules forward ESP and UDP/500 from the uplink to
# LAN hosts. If no LAN host terminates IPsec they can be removed. With a
# delegated IPv6 prefix they are not shielded by NAT.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Custom lan -> work/guest rules. Order matters: the two ACCEPT rules must stay
# above 'LAN - Drop LAN-WORK', otherwise the catch-all drop would match first.
# IPv4 ping from lan to work.
config rule
option src 'lan'
option dest 'work'
option proto 'icmp'
option family 'ipv4'
option target 'ACCEPT'
list icmp_type 'echo-request'
option name 'LAN - Allow ICMPv4-OUT LAN-WORK'
# RDP (TCP/3389) from lan to work; no family is set, so it covers IPv4 and IPv6.
config rule
list proto 'tcp'
option src 'lan'
option dest 'work'
option dest_port '3389'
option target 'ACCEPT'
option name 'LAN - Allow RDP-OUT LAN-WORK'
# Silently drop everything else from lan to guest and from lan to work.
# NOTE(review): no forwarding lan -> guest or lan -> work exists in the visible
# config, so this traffic would presumably be rejected anyway. These rules turn
# that reject into a silent drop.
config rule
option src 'lan'
option dest 'guest'
option target 'DROP'
option name 'LAN - Drop LAN-Guest'
config rule
option src 'lan'
option dest 'work'
option target 'DROP'
option name 'LAN - Drop LAN-WORK'
Trying Ping IPv6 from Client:
Trying Ping IPv6 from Router:
I've also tried configuring a firewall rule for ICMPv6 forwarding from LAN to VPN, but had no luck.
Could you please advise me on what I am missing?
PS: I've shortened the firewall configuration to the relevant entries; the other subnets work without problems.
Have a nice weekend!
With best regards