You can check the result in Status -> Firewall.
Okay, I've just realized that the firewall is present not only on the router...
This realization came from the idea that "if the IPv6 stack is properly configured on the LAN, and all devices get their own ULA, then I should be able to ping them by those addresses", which I immediately did. No logs on the router... Very suspicious error message from ping
...
Unfortunately, the firewall on the local machine didn't fire up and dropped pings silently. It was tough (DO. NOT. EVER. BREAK. THE. NET).
Well, now I can ping local devices by all five of their IPv6 addresses, including the link-local one and the one delegated by Yggdrasil! Yaaay!
Also, I've checked that neither forwarding between the lan and pan zones nor duplicate "Allow-ICMPv6-etc" rules are required for this to work - exactly as you said (that's obvious, actually - the packets don't leave the local network).
Then I started to ping the router itself and a local peer from a remote peer by their 300::/64 addresses and enjoyed watching the packets hit the firewall on the router and get logged as rejected. Then I consecutively enabled the "Allow-ICMPv6-{Input,Forward}-Ygg" rules and enjoyed watching the rejected packets disappear from the log.
Some conclusions:
- both rules are required for the zone to which one assigns the ygg interface - I can ping the router successfully
- but I still can't ping any local device behind the router
For now, I can confirm that remote packets at least hit the firewall rule:
I've tried enabling forwarding to the lan zone in the settings of the pan zone, forwarding from pan to lan, and even disabling forwarding, but pings still don't reach local devices.
You have to figure that out yourself; you change too many things at a time. What would I do? I would start from the working configuration which I described and move it to the one you need. Step one: move from public to private ones. Step two: duplicate all "wan" rules as "pan" and remove those which are not needed.
Thanks for pointing that out! It seems I need to kick service network restart (reload doesn't work), but I guess I could restart the interface too - a more efficient option.
Hi, are there any settings available for configuring whether or not the Yggdrasil control socket gets bound?
I am asking as I want to write some stuff that uses yggdrasilctl, which at the very least needs a UNIX domain socket bound.
Probably you should address this question directly to the Yggdrasil developers. I'm a mere user.
Would you, by any chance, know who works on the luci-proto-yggdrasil package?
I'm sorry but I don't.