Wireguard peers cannot connect to LAN devices via IPv6 but can via IPv4

Let's start with the situation at hand:

  • I can access LAN devices from Wireguard peers via IPv4 just fine
  • But I cannot access them from Wireguard peers via IPv6
  • I want to be able to communicate from Wireguard peers to LAN devices via IPv6
  • I do not have IPv6 on WAN (ISP only offers IPv6 with DS-Lite or IPv4-only with a public dynamic address, and I chose the latter because it's more practical)
  • The LAN has a /64 ULA prefix (fd88...); this was there by default after installing OpenWRT
  • I have a separate prefix for the Wireguard VPN (fd48...), I assumed this works just like different subnets with IPv4

LAN Setup

Largely the defaults OpenWRT provided

  • IPv4 subnet (192.168.1.0/24) that doesn't conflict with the local subnet of the WAN interface
  • randomly generated IPv6 ULA prefix (fd88:d0a9:2656::/64)
  • default DHCP/DNS with some static IPv4 addresses and a local DNS entry added for the EUI64 address of one device

Wireguard Setup on OpenWRT

I have set up Wireguard by adding a wg0 interface via LuCI.

General:

  • Protocol: Wireguard VPN
  • IP Address: 10.0.8.1/24, fd48:d0a9:2656::1/64
  • No host routes: [unchecked]

Advanced:

  • DNS Servers: 10.0.8.1, fd48:d0a9:2656::1
  • Everything else in that section left on defaults

Firewall:

  • Assigned to zone lan

DHCP:

  • General: ignore interface checked (default)
  • IPv6: everything disabled (default)

Peers:
(this is the first one; the only differences between them are new keypairs and incremented IPs)

  • Keypair and Preshared key: configured
  • Allowed IPs: 10.0.8.2/32, fd48:d0a9:2656::2/128
  • Route Allowed IPs: [checked] (probably redundant?)
  • Persistent keep alive: 25 for mobile clients, 0 otherwise

Wireguard Setup on Peers

Interface:

  • Addresses: 10.0.8.2/32, fd48:d0a9:2656::2/128
  • DNS Servers: 10.0.8.1, fd48:d0a9:2656::1

Peer:

  • Allowed IPs: 192.168.1.0/24 (lan), 10.0.8.0/24 (wg0), fd88:d0a9:2656::/64 (lan), fd48:d0a9:2656::/64 (wg0)

The problem

  • I can connect from wireguard peers to lan devices via IPv4 just fine
  • I can connect between lan devices via IPv6 just fine
  • I can connect between wireguard peers via IPv6 just fine
  • I can connect from the wireguard peers to the router's fd88... address just fine
  • I cannot connect from the wireguard peers to any lan devices on the fd88 prefix

Traceroute to a LAN device (192.168.1.x) from a WG peer works fine given the -I flag:
traceroute -I 192.168.1.247

traceroute to 192.168.1.247 (192.168.1.247), 30 hops max, 60 byte packets
 1  _gateway (10.0.8.1)  18.974 ms  20.011 ms *
 2  192.168.1.247 (192.168.1.247)  22.297 ms * *

But it no longer works with IPv6 (adding -I makes it time out even on the first hop; in this case it's the same as here in both cases now):
traceroute fd88:d0a9:2656:0:[redacted EUI64 address]

traceroute to fd88:d0a9:2656:0:[redacted] (fd88:d0a9:2656:0:[redacted]), 30 hops max, 80 byte packets
 1  _gateway (fd48:d0a9:2656::1)  24.767 ms  24.724 ms  24.706 ms
 2  * * *
 3  * * *
[ removed repetition ]
30  * * *

Thoughts

As far as I understand, putting both of these interfaces on the same lan firewall zone allows forwarding between them. That works with IPv4, but with IPv6 it suddenly does not. It looks like IPv6 doesn't get forwarded between the wg0 and lan interfaces, and I can't figure out why.

Additional information

I found some information on this documentation page about troubleshooting, suggesting running this:

# Restart services
/etc/init.d/log restart; /etc/init.d/network restart; sleep 10
 
# Log and status
logread; ifstatus wan; ifstatus wan6
 
# Runtime configuration
ip address show; ip route show table all
ip rule show; ip -6 rule show; nft list ruleset
 
# Persistent configuration
uci show network; uci show dhcp; uci show firewall

So here are the outputs of most of these; let me know if more info is needed:
ifstatus wan

{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 7,
	"l3_device": "wan",
	"proto": "dhcp",
	"device": "wan",
	"updated": [
		"addresses",
		"routes",
		"data"
	],
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		{
			"address": "192.168.0.96",
			"mask": 24
		}
	],
	"ipv6-address": [
		
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "0.0.0.0",
			"mask": 0,
			"nexthop": "192.168.0.1",
			"source": "192.168.0.96/32"
		}
	],
	"dns-server": [
		"62.179.1.62",
		"62.179.1.63"
	],
	"dns-search": [
		"chello.pl"
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		"dhcpserver": "192.168.0.1",
		"hostname": "OpenWrt",
		"leasetime": 86400
	}
}

ifstatus wan6

{
	"up": false,
	"pending": true,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"proto": "dhcpv6",
	"device": "wan",
	"data": {
		
	}
}

ip route show table all

default via 192.168.0.1 dev wan  src 192.168.0.96
10.0.8.0/24 dev wg0 scope link  src 10.0.8.1
10.0.8.2 dev wg0 scope link
10.0.8.3 dev wg0 scope link
192.168.0.0/24 dev wan scope link  src 192.168.0.96
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
local 10.0.8.1 dev wg0 table local scope host  src 10.0.8.1
broadcast 10.0.8.255 dev wg0 table local scope link  src 10.0.8.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
local 192.168.0.96 dev wan table local scope host  src 192.168.0.96
broadcast 192.168.0.255 dev wan table local scope link  src 192.168.0.96
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1
fd48:d0a9:2656::2 dev wg0  metric 1024
fd48:d0a9:2656::3 dev wg0  metric 1024
fd48:d0a9:2656::/64 dev wg0  metric 256
fd88:d0a9:2656::/64 dev br-lan  metric 1024
unreachable fd88:d0a9:2656::/48 dev lo  metric 2147483647
fe80::/64 dev eth0  metric 256
fe80::/64 dev br-lan  metric 256
fe80::/64 dev wl1-ap0  metric 256
fe80::/64 dev wan  metric 256
fe80::/64 dev wl0-ap0  metric 256
local ::1 dev lo table local  metric 0
anycast fd48:d0a9:2656:: dev wg0 table local  metric 0
local fd48:d0a9:2656::1 dev wg0 table local  metric 0
anycast fd88:d0a9:2656:: dev br-lan table local  metric 0
local fd88:d0a9:2656::1 dev br-lan table local  metric 0
anycast fe80:: dev eth0 table local  metric 0
anycast fe80:: dev br-lan table local  metric 0
anycast fe80:: dev wl1-ap0 table local  metric 0
anycast fe80:: dev wan table local  metric 0
local fe80::20c:43ff:fe26:4698 dev wl1-ap0 table local  metric 0
local fe80::3698:b5ff:fe12:3221 dev eth0 table local  metric 0
local fe80::3698:b5ff:fe12:3221 dev br-lan table local  metric 0
local fe80::3698:b5ff:fe12:3221 dev wan table local  metric 0
multicast ff00::/8 dev eth0 table local  metric 256
multicast ff00::/8 dev br-lan table local  metric 256
multicast ff00::/8 dev wg0 table local  metric 256
multicast ff00::/8 dev wl1-ap0 table local  metric 256
multicast ff00::/8 dev wan table local  metric 256
multicast ff00::/8 dev wl0-ap0 table local  metric 256

ip rule show

0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default

ip -6 rule show

0:	from all lookup local
32766:	from all lookup main

nft list ruleset

table inet fw4 {
	chain input {
		type filter hook input priority filter; policy drop;
		iifname "lo" accept comment "!fw4: Accept traffic from loopback"
		ct state established,related accept comment "!fw4: Allow inbound established and related flows"
		tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
		udp dport 61222 counter packets 0 bytes 0 accept comment "!fw4: Allow-Wireguard"
		iifname { "wg0", "br-lan" } jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
		iifname "wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
		jump handle_reject
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
		iifname { "wg0", "br-lan" } jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
		iifname "wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
		jump handle_reject
	}

	chain output {
		type filter hook output priority filter; policy accept;
		oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
		ct state established,related accept comment "!fw4: Allow outbound established and related flows"
		oifname { "wg0", "br-lan" } jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
		oifname "wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
	}

	chain prerouting {
		type filter hook prerouting priority filter; policy accept;
		iifname { "wg0", "br-lan" } jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
	}

	chain handle_reject {
		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
		reject comment "!fw4: Reject any other traffic"
	}

	chain syn_flood {
		limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
		drop comment "!fw4: Drop excess packets"
	}

	chain input_lan {
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump accept_from_lan
	}

	chain output_lan {
		jump accept_to_lan
	}

	chain forward_lan {
		jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump accept_to_lan
	}

	chain helper_lan {
	}

	chain accept_from_lan {
		iifname { "wg0", "br-lan" } counter packets 1 bytes 30 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain accept_to_lan {
		oifname { "wg0", "br-lan" } counter packets 2 bytes 256 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain input_wan {
		meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
		icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
		meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
		meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
		ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 1 bytes 48 accept comment "!fw4: Allow-ICMPv6-Input"
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump reject_from_wan
	}

	chain output_wan {
		jump accept_to_wan
	}

	chain forward_wan {
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
		udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump reject_to_wan
	}

	chain accept_to_wan {
		meta nfproto ipv4 oifname "wan" ct state invalid counter packets 0 bytes 0 drop comment "!fw4: Prevent NAT leakage"
		oifname "wan" counter packets 10 bytes 950 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
	}

	chain reject_from_wan {
		iifname "wan" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
	}

	chain reject_to_wan {
		oifname "wan" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
	}

	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
		iifname { "wg0", "br-lan" } jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
		iifname "wan" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
	}

	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
		oifname { "wg0", "br-lan" } jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic"
		oifname "wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
	}

	chain dstnat_lan {
		ip saddr { 10.0.8.0/24, 192.168.1.0/24 } ip daddr 192.168.0.96 udp dport 60000-60006 dnat ip to 192.168.1.247:60000-60006 comment "!fw4: Pluto Mosh (reflection)"
		ip saddr { 10.0.8.0/24, 192.168.1.0/24 } ip daddr 192.168.0.96 tcp dport 61228-61232 dnat ip to 192.168.1.247:61228-61232 comment "!fw4: Pluto Random (reflection)"
		ip saddr { 10.0.8.0/24, 192.168.1.0/24 } ip daddr 192.168.0.96 udp dport 61228-61232 dnat ip to 192.168.1.247:61228-61232 comment "!fw4: Pluto Random (reflection)"
		ip saddr { 10.0.8.0/24, 192.168.1.0/24 } ip daddr 192.168.0.96 tcp dport 9084 dnat ip to 192.168.1.247:9084 comment "!fw4: Pluto Ntfy HTTPS (reflection)"
	}

	chain srcnat_lan {
		ip saddr { 10.0.8.0/24, 192.168.1.0/24 } ip daddr 192.168.1.247 udp dport 60000-60006 snat ip to 192.168.1.1 comment "!fw4: Pluto Mosh (reflection)"
		ip saddr { 10.0.8.0/24, 192.168.1.0/24 } ip daddr 192.168.1.247 tcp dport 61228-61232 snat ip to 192.168.1.1 comment "!fw4: Pluto Random (reflection)"
		ip saddr { 10.0.8.0/24, 192.168.1.0/24 } ip daddr 192.168.1.247 udp dport 61228-61232 snat ip to 192.168.1.1 comment "!fw4: Pluto Random (reflection)"
		ip saddr { 10.0.8.0/24, 192.168.1.0/24 } ip daddr 192.168.1.247 tcp dport 9084 snat ip to 192.168.1.1 comment "!fw4: Pluto Ntfy HTTPS (reflection)"
	}

	chain dstnat_wan {
		meta nfproto ipv4 udp dport 60000-60006 counter packets 0 bytes 0 dnat ip to 192.168.1.247:60000-60006 comment "!fw4: Pluto Mosh"
		meta nfproto ipv4 tcp dport 61228-61232 counter packets 0 bytes 0 dnat ip to 192.168.1.247:61228-61232 comment "!fw4: Pluto Random"
		meta nfproto ipv4 udp dport 61228-61232 counter packets 0 bytes 0 dnat ip to 192.168.1.247:61228-61232 comment "!fw4: Pluto Random"
		meta nfproto ipv4 tcp dport 9084 counter packets 0 bytes 0 dnat ip to 192.168.1.247:9084 comment "!fw4: Pluto Ntfy HTTPS"
	}

	chain srcnat_wan {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
	}

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
	}

	chain raw_output {
		type filter hook output priority raw; policy accept;
	}

	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
	}

	chain mangle_input {
		type filter hook input priority mangle; policy accept;
	}

	chain mangle_output {
		type route hook output priority mangle; policy accept;
	}

	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
		iifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
		oifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
	}
}

uci show network; uci show dhcp; uci show firewall

network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd88:d0a9:2656::/48'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='lan1' 'lan2' 'lan3' 'lan4'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.wan=interface
network.wan.device='wan'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.device='wan'
network.wan6.proto='dhcpv6'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key='REDACTED'
network.wg0.listen_port='61222'
network.wg0.dns='10.0.8.1' 'fd48:d0a9:2656::1'
network.wg0.addresses='10.0.8.1/24' 'fd48:d0a9:2656::1/64'
network.@wireguard_wg0[0]=wireguard_wg0
network.@wireguard_wg0[0].public_key='REDACTED'
network.@wireguard_wg0[0].private_key='REDACTED'
network.@wireguard_wg0[0].preshared_key='REDACTED'
network.@wireguard_wg0[0].description='Venus'
network.@wireguard_wg0[0].route_allowed_ips='1'
network.@wireguard_wg0[0].persistent_keepalive='25'
network.@wireguard_wg0[0].allowed_ips='10.0.8.2/32' 'fd48:d0a9:2656::2/128'
network.@wireguard_wg0[1]=wireguard_wg0
network.@wireguard_wg0[1].public_key='REDACTED'
network.@wireguard_wg0[1].private_key='REDACTED'
network.@wireguard_wg0[1].preshared_key='REDACTED'
network.@wireguard_wg0[1].description='Jupiter'
network.@wireguard_wg0[1].route_allowed_ips='1'
network.@wireguard_wg0[1].allowed_ips='10.0.8.3/32' 'fd48:d0a9:2656::3/128'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].cachesize='1000'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].ednspacket_max='1232'
dhcp.@dnsmasq[0].address='/pluto.lan/pluto/fd88:d0a9:2656:0:[REDACTED]'
dhcp.@dnsmasq[0].interface='lan' 'wg0'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv4='server'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_slaac='1'
dhcp.lan.ra_flags='managed-config' 'other-config'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
dhcp.wg0=dhcp
dhcp.wg0.interface='wg0'
dhcp.wg0.ignore='1'
dhcp.@host[0]=host
dhcp.@host[0].name='pluto'
dhcp.@host[0].ip='192.168.1.247'
dhcp.@host[0].mac='REDACTED'
dhcp.@host[0].dns='1'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='REJECT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan' 'wg0'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@redirect[0]=redirect
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='Pluto Mosh'
firewall.@redirect[0].proto='udp'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='60000-60006'
firewall.@redirect[0].dest_ip='192.168.1.247'
firewall.@redirect[1]=redirect
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].name='Pluto Random'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].src_dport='61228-61232'
firewall.@redirect[1].dest_ip='192.168.1.247'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-Wireguard'
firewall.@rule[9].proto='udp'
firewall.@rule[9].src='*'
firewall.@rule[9].dest_port='61222'
firewall.@rule[9].target='ACCEPT'
firewall.@redirect[2]=redirect
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].name='Pluto Ntfy HTTPS'
firewall.@redirect[2].proto='tcp'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].src_dport='9084'
firewall.@redirect[2].dest_ip='192.168.1.247'

Could it be that your local LAN clients have a firewall which does not allow WG traffic from fd48:XXXX?

It doesn't seem like that's the case; even after disabling the firewall on the LAN host and rebooting it to make sure, I still can't connect to it from a WG peer via IPv6.

Options:


Thank you! Forcing OpenWRT to announce the default route worked!

I might look into setting up 6in4 eventually too as that looks interesting, but my main purpose of having working IPv6 on the VPN was using it IPv6-only to avoid address space collisions between the local and remote LAN which is almost guaranteed on IPv4.

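The symptoms in the opening post (IPv6 traceroute dies right after the router hop while IPv4 works, and the router's own fd88::1 is reachable from the peers) and the fix confirmed in the last reply (forcing the router to announce a default route) point at the return leg, not at forwarding: LAN hosts had a SLAAC address from the ULA prefix, but because the router had no upstream IPv6 default route, odhcpd did not advertise itself as default router, so a LAN host had no route at all back to fd48:d0a9:2656::/64 and its replies were dropped locally. The following is an added illustration, not code from the thread: a small Python model of longest-prefix routing using the router's IPv6 routes from the `ip route show table all` output above, and an assumed LAN-host table before and after the fix. The host address `HOST` is a constructed stand-in for the redacted EUI-64 address; the router link-local is the one shown in the post.

```python
"""Model of why a ULA-to-ULA WireGuard path can work one way and fail on the reply.

Added illustration, not code from the thread. Each routing table is a list of
Route entries resolved by longest-prefix match, as the kernel does. ROUTER
mirrors the fd48/fd88 entries of the `ip -6 route` output posted above; the two
LAN-host tables are assumptions about a SLAAC client before and after the router
starts announcing itself as default router. HOST is a constructed value.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: IPv6Network
    dev: str
    via: Optional[IPv6Address] = None   # None: on-link or point-to-point
    unreachable: bool = False           # an `unreachable ... dev lo` style entry


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match. Returns None when there is no usable route,
    including when the best match is an `unreachable` route."""
    addr = IPv6Address(dst)
    best: Optional[Route] = None
    for r in table:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    if best is None or best.unreachable:
        return None
    return best


# Router table: the fd48/fd88 entries from the post, including the unreachable /48.
ROUTER: List[Route] = [
    Route(IPv6Network("fd48:d0a9:2656::2/128"), "wg0"),
    Route(IPv6Network("fd48:d0a9:2656::3/128"), "wg0"),
    Route(IPv6Network("fd48:d0a9:2656::/64"), "wg0"),
    Route(IPv6Network("fd88:d0a9:2656::/64"), "br-lan"),
    Route(IPv6Network("fd88:d0a9:2656::/48"), "lo", unreachable=True),
]
# The router's link-local address on br-lan, taken from the `ip route` output.
ROUTER_LL = IPv6Address("fe80::3698:b5ff:fe12:3221")

# LAN host with a SLAAC address from the ULA prefix but no default router
# (odhcpd advertises router lifetime 0 when the router has no IPv6 default route).
LAN_HOST_BEFORE: List[Route] = [
    Route(IPv6Network("fd88:d0a9:2656::/64"), "eth0"),
    Route(IPv6Network("fe80::/64"), "eth0"),
]
# Same host once the router is forced to announce itself as default router.
LAN_HOST_AFTER: List[Route] = LAN_HOST_BEFORE + [
    Route(IPv6Network("::/0"), "eth0", via=ROUTER_LL),
]

PEER = "fd48:d0a9:2656::2"                      # first WireGuard peer, from the post
HOST = "fd88:d0a9:2656:0:1234:56ff:fe78:9abc"    # constructed stand-in for the redacted host


def round_trip(peer: str, lan_host: str, lan_table: List[Route]) -> Tuple[bool, bool]:
    """(forward_ok, reply_ok) for one request from `peer` to `lan_host`.

    Forward leg: the router must hold a route for the host that points at br-lan
    (the fw4 ruleset in the post already accepts lan<->wg0 forwarding).
    Reply leg: the LAN host must hold a route of its own back to the peer.
    """
    fwd = lookup(ROUTER, lan_host)
    forward_ok = fwd is not None and fwd.dev == "br-lan"
    reply_ok = lookup(lan_table, peer) is not None
    return forward_ok, reply_ok


def router_replies(peer: str) -> bool:
    """Why the router's own fd88::1 answers: it replies using ROUTER, which has fd48::/64."""
    return lookup(ROUTER, peer) is not None


if __name__ == "__main__":
    print("router's own address reachable from peer:", router_replies(PEER))
    for label, table in (("before fix", LAN_HOST_BEFORE), ("after fix", LAN_HOST_AFTER)):
        forward_ok, reply_ok = round_trip(PEER, HOST, table)
        print(f"{label}: forwarded={forward_ok} reply routable={reply_ok}")
```

Before the fix the forward leg succeeds and the reply leg fails, which is exactly a traceroute that shows the router hop and then nothing; after the fix both legs resolve. The same model shows why traffic to other subnets of the /48 would be answered with "unreachable" by the router rather than forwarded. On OpenWrt, the setting the last reply refers to is the LAN interface's DHCP Server, IPv6 Settings, "Default router" set to "forced" in LuCI, which is `option ra_default '2'` in the lan dhcp section of /etc/config/dhcp; after the change a LAN client's `ip -6 route show default` should list the router's link-local address on the LAN interface. IPv4 never had this problem because DHCPv4 hands out a default gateway regardless of upstream connectivity.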

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.