
Topic: Buffalo WZR-HP-G300NH Passing packets between subnet and 6in4 tunnel?

The content of this topic has been archived on 13 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello,

I can use my router to ping ipv6 websites over the Internet via HE 6in4 tunnel. 

I have also allocated a /48 prefix and setup two ipv6 subnets, one for a LAN and one for a DMZ.

(Prefixes)
LAN - 2001:470:bc0e:1::/64
DMZ -2001:470:bc0e:2::/64

Internally to these subnets I have also assigned my router the following ipv6 addresses on the LAN and DMZ respectively:

LAN - 2001:470:bc0e:1::1/64
DMZ - 2001:470:bc0e:2::1/64

Within these subnets I have configured clients, a webserver on the DMZ and a Windows 7 box on the LAN:

Win7 (LAN) - (IPv6 Address Assigned by RADVD)
Linux Webserver (DMZ) - 2001:470:bc0e:2::250

Now while I can indeed ping the address of the router from each of the machines on the subnet, it appears that I am unable to reach the external ipv6 Internet from the clients, even when trying to ping6 the address (not the domain) of a site like ipv6.google.com.

My first thought was that this had something to do with the routing tables on the clients, and I tried checking the default gateway via the ip -6 route list command:

user@dmz-host~$ ip -6 route list
2001:470:bc0e:2::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
default via 2001:470:bc0e:2::1 dev eth0 metric 1024

Which leads me to believe that maybe the router isn't forwarding my packets to the 6in4 tunnel...

I don't understand why this doesn't work, does it have something to do with my firewall, or the fact that I'm using subnets within the /48 prefix?

I've already posted my question's details at the Hurricane Electric Forums and gotten a few responses concerning it.

To spare you the details, over at Hurricane Electric one person pinged my /48 successfully and another suggested I take a look at the values of /proc/sys/net/ipv6/conf/*/forwarding as specified in the OpenWRT Wiki page about ipv6, which I have already set as seen below:

/proc/sys/net/ipv6/conf/6in4-henet/forwarding 2
/proc/sys/net/ipv6/conf/all/forwarding 1
/proc/sys/net/ipv6/conf/br-lan/forwarding 2
/proc/sys/net/ipv6/conf/default/forwarding 1
/proc/sys/net/ipv6/conf/eth0.1/forwarding 1
/proc/sys/net/ipv6/conf/eth0.2/forwarding 2
/proc/sys/net/ipv6/conf/eth0/forwarding 1
/proc/sys/net/ipv6/conf/eth1/forwarding 1
/proc/sys/net/ipv6/conf/lo/forwarding 2
/proc/sys/net/ipv6/conf/mon.wlan0/forwarding 1
/proc/sys/net/ipv6/conf/pppoe-wan/forwarding 2
/proc/sys/net/ipv6/conf/sit0/forwarding 1
/proc/sys/net/ipv6/conf/wlan0/forwarding 1

Still, I haven't had any success pinging anything over ipv6 other than ping6ing the router itself from the client and vice versa.

(Last edited by leeand00 on 3 Dec 2011, 07:11)

Paste your current network and firewall config please.

config 'interface' 'loopback'
    option 'ifname' 'lo'
    option 'proto' 'static'
    option 'ipaddr' '127.0.0.1'
    option 'netmask' '255.0.0.0'

config 'interface' 'lan'
    option 'ifname' 'eth0.1'
    option 'type' 'bridge'
    option 'proto' 'static'
    option 'ipaddr' '192.168.1.1'
    option 'netmask' '255.255.255.0'
    option 'ip6addr' '2001:470:bc0e:1::1/64'

config 'interface' 'wan'
    option 'ifname' 'eth1'
    option 'proto' 'pppoe'
    option 'username' '-----------'
    option 'password' '------------'

config 'switch'
    option 'name' 'rtl8366s'
        option 'enable' '1'
        option 'enable_vlan' '1'
        option 'reset' '1'

config 'switch_vlan' 'eth0_1'
    option 'device' 'rtl8366s'
    option 'vlan' '1'
    option 'ports' '0 1 2 5t'

config 'switch_vlan' 'eth0_2'
    option 'device' 'rtl8366s'
    option 'vlan' '2'
    option 'ports' '3 5t'

config 'interface' 'dmz'
       option 'ifname' 'eth0.2'
       option 'proto' 'static'
       option 'ipaddr' 192.168.2.1
       option 'netmask' 255.255.255.0
       option 'ip6addr' '2001:470:bc0e:2::1/64'

config 'interface' 'henet'
    option 'proto' '6in4'
    option 'tunnelid' '------------'
    option 'password' '------------'
    option 'peeraddr' '216.218.224.42'
    option 'ip6addr' '2001:470:1f0e:ea7::2/64'
    option 'username' '---------------------------------'

/etc/config/network -



config 'wifi-device' 'radio0'
    option 'type' 'mac80211'
    option 'channel' '11'
    option 'macaddr' '---------'
    option 'hwmode' '11ng'
    option 'htmode' 'HT20'
    list 'ht_capab' 'SHORT-GI-40'
    list 'ht_capab' 'DSSS_CCK-40'
    option 'txpower' '27'
    option 'country' 'US'
    option 'disabled' '0'

config 'wifi-iface'
    option 'device' 'radio0'
    option 'network' 'lan'
    option 'mode' 'ap'
    option 'encryption' 'psk2'
    option 'key' '--------'
    option 'ssid' 'dd-wrt'

/etc/config/wireless -



# Default policies: accept input and output, reject forwarding, drop
# invalid packets, SYN-flood protection enabled.
config 'defaults'
    option 'syn_flood' '1'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'
    option 'drop_invalid' '1'

# DMZ zone: traffic addressed to the router from the DMZ is rejected
# (DNS is re-opened by the rule below); forwarding is rejected unless a
# 'forwarding' section allows it.
config 'zone'
    option 'name' 'dmz'
    option 'network' 'dmz'
    option 'input' 'REJECT' #By default, stop anything coming from the DMZ
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'


# Allow the DMZ to use the router as a DNS server
config 'rule'
        option 'src' 'dmz'
        option 'proto' 'tcpudp'
        option 'dest_port' '53'
        option 'target' 'ACCEPT'

# LAN zone: hosts on the LAN may reach every service on the router.
config 'zone'
    option 'name' 'lan'
    option 'network' 'lan'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'

# WAN zone: input rejected, masquerading and MSS clamping (mtu_fix) on,
# logging on. It lists both 'wan' (PPPoE) and 'henet' (the 6in4 tunnel).
# NOTE(review): 'henet' is also the only network of the wan6 zone below,
# and the two zones set opposite input policies (REJECT here, ACCEPT
# there). Which one ends up applying to IPv6 traffic from the tunnel is
# not clear from this file; confirm, and keep 'henet' in one zone only.
config 'zone'
    option 'name' 'wan'
    option 'input' 'REJECT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'
    option 'masq' '1'
    option 'mtu_fix' '1'
    option 'network' 'wan henet'
    option 'log' '1'

# IPv6-only zone for the tunnel.
# NOTE(review): 'input' 'ACCEPT' accepts IPv6 traffic from the tunnel that
# is addressed to the router itself, so any service the router listens on
# over IPv6 is reachable from outside. The IPv4 wan zone rejects input;
# a matching REJECT here plus explicit ICMPv6 rules would keep the two
# address families consistent. Confirm intent.
config 'zone'
    option 'name' 'wan6'
    option 'network' 'henet'
    option 'family' 'ipv6'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'

# Accept IP protocol 41 (IPv6 encapsulated in IPv4, the 6in4 tunnel
# transport) arriving on the wan zone.
# NOTE(review): there is no 'src_ip', so protocol-41 packets are accepted
# from any IPv4 source. Limiting the rule to the tunnel peer (the
# 'peeraddr' of the henet interface) would narrow it.
config 'rule'
        option 'src' 'wan'
        option 'proto' '41'
        option 'target' 'ACCEPT'

# NOTE(review): wan6 -> lan permits connections initiated from the tunnel
# side to be forwarded to LAN hosts. The LAN uses globally routed
# addresses and IPv6 has no masquerading step in between, so this
# presumably exposes every LAN host directly; established/related return
# traffic for lan -> wan6 does not normally need this section. Confirm.
config 'forwarding'
    option 'dest' 'lan'
    option 'src' 'wan6'

# LAN hosts may open connections out through the tunnel.
config 'forwarding'
    option 'dest' 'wan6'
    option 'src' 'lan'

# LAN hosts may open connections out through the IPv4 WAN.
config 'forwarding'
    option 'src' 'lan'
    option 'dest' 'wan'

# Both IPv6 DMZ forwardings are commented out, so this file grants the
# DMZ no IPv6 path to or from the tunnel.
#BEGIN ipv6 DMZ Forwarding
#config 'forwarding'
#       option 'dest' 'dmz'
#       option 'src' 'wan6'

#config 'forwarding'
#       option 'src' 'dmz'
#       option 'dest' 'wan6'
#END ipv6 DMZ Forwarding


#Allow the DMZ to access the Internet
#(This works)
config 'forwarding'
        option 'src' 'dmz'
        option 'dest' 'wan'       

#Simple LAN Access from DMZ
# The section below forwards from lan to dmz (LAN hosts can reach the
# DMZ); nothing in this range forwards from dmz to lan.
config 'forwarding'
        option 'src' 'lan'
        option 'dest' 'dmz'

#New Stuff here
## This appears to have caused a problem...
## every time I request anything on port 80
## I end up requesting the page from my 
## webserver :( 
##
##
##config 'rule'
##       option 'src' 'lan'
##       option 'dest_port' '80'
##       option 'target' 'ACCEPT'
##       option 'proto' 'tcp'

##config 'redirect'
##       option '_name' 'http2lan'
##       option 'src' 'lan'
##       option 'proto' 'tcp'
##       option 'src_dport' '80'
##       option 'dest_ip' 192.168.2.250
       
#   DMZ-to-LAN FTP redirect
config 'rule'
       option 'src' 'lan'
       option 'dest_port' '209'
       option 'target' 'ACCEPT'
       option 'proto' 'tcp'

config 'redirect'
       option '_name' 'ftp2lan'   
       option 'src' 'lan'
       option 'proto' 'tcp'
       option 'src_dport' '209'
       option 'dest_ip' 192.168.2.250
       
#   END DMZ-to-LAN FTP redirect
#End New Stuff here

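# Accept UDP port 68 (the DHCP client port) from the wan zone, IPv4 only.
config 'rule'
    option 'src' 'wan'
    option 'proto' 'udp'
    option 'dest_port' '68'
    option 'target' 'ACCEPT'
    option 'family' 'ipv4'

# Accept ICMP echo requests (ping) from the wan zone.
config 'rule'
    option 'src' 'wan'
    option 'proto' 'icmp'
    option 'icmp_type' 'echo-request'
    option 'target' 'ACCEPT'

# NOTE(review): this accepts TCP port 32 from the wan zone with no 'dest',
# i.e. on the router itself. The purpose is not stated; confirm it is still
# needed and remove it otherwise.
config 'rule'
    option 'src' 'wan'
    option 'dest_port' '32'
    option 'target' 'ACCEPT'
    option 'proto' 'tcp'

#Simple DMZ config...
# NOTE(review): the 'rule' sections in this group have 'src' 'wan' and no
# 'dest', so they open the port on the router itself rather than on the DMZ
# host; the matching 'redirect' is what sends traffic to 192.168.2.x.
# They also carry no 'family', so they presumably apply to IPv6 as well,
# where no redirect exists. Confirm whether they are needed at all.
config 'rule'
        option 'src' 'wan'
        option 'dest_port' 'XXXX'
        option 'target' ACCEPT
        option 'proto' 'tcp'

#Simple DMZ rule...
# Redirect TCP port XXXX arriving on the wan zone to the DMZ web server.
config 'redirect'
        option '_name' 'http'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_dport' 'XXXX'
        option 'dest_ip' 192.168.2.250

#Simple DMZ rule...
config 'rule' 
        option 'src' 'wan'
        option 'dest_port' '80'
        option 'target' ACCEPT
        option 'proto' 'tcp'

# Allow the LAN to access the DMZ
# (An identical lan -> dmz forwarding section already appears earlier in
# this file; one of the two is redundant.)
config 'forwarding'
       option 'src' 'lan'
       option 'dest' 'dmz'

# Redirect TCP port 80 arriving on the wan zone to the DMZ web server.
config 'redirect'
        option '_name' 'apache'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_dport' '80'
        option 'dest_ip' 192.168.2.250

#Simple DMZ config for debian backup machine
config 'rule'
       option 'src' 'wan'
       option 'dest_port' 'ZZZZ'
       option 'target' ACCEPT
       option 'proto' 'tcp'

# Redirect TCP port ZZZZ arriving on the wan zone to the backup machine.
# The port option was spelled 'scr_dport', which is not a firewall option
# name; without a port match the redirect is presumably not limited to
# port ZZZZ and would send other inbound TCP traffic to 192.168.2.251.
# Corrected to 'src_dport', matching the other redirects in this file.
# ('_name' 'http' is also used by the XXXX redirect above.)
config 'redirect'
       option '_name' 'http'
       option 'src' 'wan'
       option 'proto' 'tcp'
       option 'src_dport' 'ZZZZ'
       option 'dest_ip' 192.168.2.251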
        

config 'include'
    option 'path' '/etc/firewall.user'

#config 'redirect'

/etc/config/firewall -



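# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# IP6 Tables DMZ Forwarding rules...
#ip6tables -A FORWARD -i eth0.2 -j ACCEPT
#ip6tables -A FORWARD -m tcp --ctstate ESTABLISHED,RELATED -j ACCEPT
#ip6tables -A FORWARD -j REJECT

# BEGIN NEW STUFF
# http://www.stuartsheldon.org/blog/2010/07/setting-up-native-ipv6-connectivity-a-network-operators-overview/
ip6tables="/usr/sbin/ip6tables"

#outif="eth0.2"
#inif="6in4-hene"
# The router reports the tunnel device as "6in4-henet" (in
# /proc/sys/net/ipv6/conf and in `ip -6 route show`). The previous value
# "6in4-hene" matches no interface, so no "-i ${outif}" rule could match
# and return traffic from the tunnel fell through to the final DROP.
outif="6in4-henet"
inif="eth0.2"

# Flush Rules
# -F without a chain name empties every chain in the IPv6 filter table, so
# only the rules added below remain in effect.
# NOTE(review): that presumably discards the IPv6 rules generated from
# /etc/config/firewall (zones, forwardings) as well -- confirm, and keep
# the IPv6 policy in one place rather than two.
${ip6tables} -F

# We're discovering all the interfaces here
# (numbered lines of `ip link show`, second ':'-separated field, with any
# "@parent" suffix removed)
ipv6if=$(ip link show \
         | egrep '^[1-9]' \
         | awk -F':' '{ print $2 }' \
         | sed 's/@.*$//g' )
         
# localhost should still pass everything
${ip6tables} -A INPUT -i lo -j ACCEPT

# Because ICMPv6 is interface specific, and required for any IPv6 connections
# we need to grant icmp6 on all interfaces.  This for loop takes care of that
for i in ${ipv6if}; do
    ${ip6tables} -A INPUT -p icmpv6 -i ${i} -j ACCEPT
done
# This interface-independent rule already covers everything the loop adds.
${ip6tables} -A INPUT -p icmpv6 -j ACCEPT

# Here we allow only IPv6 established connections in to the host
${ip6tables} -A INPUT -i ${outif} -m state \
       --state ESTABLISHED,RELATED -j ACCEPT
       
# We need to let the inside network access the firewall itself
# NOTE(review): ${inif} is eth0.2, the DMZ. This accepts all IPv6 input from
# the DMZ to the router, whereas the dmz zone in /etc/config/firewall
# rejects input except DNS. Confirm the looser IPv6 policy is intended.
${ip6tables} -A INPUT -i ${inif} -j ACCEPT

# Now here is where we setup our forwarding rules
# NOTE(review): no "-o" match, so the DMZ may forward to any interface,
# including br-lan; the IPv4 config has no dmz -> lan forwarding. Adding
# "-o ${outif}" would limit the DMZ to the tunnel. There is also no rule
# for traffic entering on br-lan, so LAN hosts are dropped by the final
# FORWARD DROP.
${ip6tables} -A FORWARD -i ${inif} -j ACCEPT
${ip6tables} -A FORWARD -i ${outif} -m state \
        --state ESTABLISHED,RELATED -j ACCEPT

#Open up tcp port 80 to 2001:470:1f10:ea7::a Insert above drop rules
# NOTE(review): 2001:470:1f10:ea7::a is outside the prefixes configured on
# this router; the DMZ web server was given as 2001:470:bc0e:2::250.
# Presumably left over from the referenced article -- confirm the address.
${ip6tables} -A FORWARD -i ${outif} -p tcp --dport 80 \
           -d 2001:470:1f10:ea7::a  -j ACCEPT
        
# And drop everything else coming in
${ip6tables} -A INPUT -j DROP
${ip6tables} -A FORWARD -j DROP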

/etc/firewall.user -

Please let me know if there are any other network configuration files you need to take a look at.

Thank you.

(Last edited by leeand00 on 5 Dec 2011, 05:37)

*bump*

Looks okay so far. What about the radvd configuration?

config 'interface'
        option 'AdvSendAdvert' '1'
        option 'AdvManagedFlag' '1'
        option 'ignore' '0'
        option 'interface' 'lan'
        option 'IgnoreIfMissing' '1'
        option 'AdvSourceLLAddress' '1'
        option 'AdvDefaultPreference' 'medium'
        option 'AdvLinkMTU' '1440' #Should fix large packet problem?

config 'prefix'
        list 'prefix' '2001:470:1f0f:ea7::/64'
        option 'AdvOnLink' '1'
        option 'AdvAutonomous' '1'
        option 'ignore' '0'
        option 'interface' 'lan'

config 'route'
        list 'prefix' '2001:470:1f0f:ea7::/64'
        option 'ignore' '0'
        option 'AdvRouteLifetime' 'infinity'
        option 'interface' 'lan'
- /etc/config/radvd 1/37 2%

config 'interface'
        option 'AdvSendAdvert' '1'
        option 'AdvManagedFlag' '1'
        option 'ignore' '0'
        option 'interface' 'lan'
        option 'IgnoreIfMissing' '1'
        option 'AdvSourceLLAddress' '1'
        option 'AdvDefaultPreference' 'medium'
        option 'AdvLinkMTU' '1440' #Should fix large packet problem?

config 'prefix'
        list 'prefix' '2001:470:1f0f:ea7::/64'
        option 'AdvOnLink' '1'
        option 'AdvAutonomous' '1'
        option 'ignore' '0'
        option 'interface' 'lan'

config 'route'
        list 'prefix' '2001:470:1f0f:ea7::/64'
        option 'ignore' '0'
        option 'AdvRouteLifetime' 'infinity'
        option 'interface' 'lan'
        option 'AdvRoutePreference' 'medium'

config 'rdnss'
        option 'ignore' '0'
        option 'interface' 'lan'

config 'dnssl'
        option 'interface' 'br-lan'
        list 'suffix' ''
        option 'ignore' '1'

config 'route'
        option 'ignore' '0'

- /etc/config/radvd 1/37 2%

(Last edited by leeand00 on 7 Dec 2011, 18:01)

I'm pretty new to radvd...there's likely to be a mistake in there...

The prefix you advertise with radvd does not appear to match the one configured on your lan. Double check your addresses and make sure everything adds up.
Even better, omit the explicit addresses in the radvd config (leave prefix empty), the init script will infer the correct values from the interface configuration then.

I just racked my head for a day about getting traffic from the internal subnet to the outside world. Everything worked after I added a route between the 6in4 interface and the
local subnets:
Add this to /etc/config/network, haven't tried it with Luci:
config 'route6'                                   
        option 'interface' 'lan'                   
        option 'target' '<lan ipv6 addr e.g. 2001...:2cd5/64>'
        option 'gateway' '<local tunnel e.g. 2001...:2/64>'

Hope this helps, AG

RADVD Setup
I tried setting up a basic configuration of radvd as follows:

###### LAN Configuration Section ######

config 'interface'
        option 'interface' 'lan'     #The logical interface name this 
                                     #section applies to.
                                     
    option 'AdvSendAdvert' '1'   #Enable router advertisements and 
                                 #solicitations.
                                 
    option 'AdvManagedFlag' '0'  #Disables the additional stateful 
                                 #administered autoconfiguration 
                                 #protocol.
                                 
    option 'AdvOtherConfigFlag' '0' #Disables the autoconfiguration of
                                    #Additional non address information.
                                    
    option 'ignore' '1'          #Disables any advertisements on this 
                                 #interface.  It must be set to 0 or 
                                 #removed in order to enable radvd for 
                                 #this interface.
                                 
        option 'AdvLinkMTU' '1440' #Should fix large packet problem?

config 'prefix'
       option 'interface' 'lan'    #The logical interface name this
                                   #section applies to.
                                   
       option 'AdvOnLink' '1'      #Specifies that the announced prefix can be
                                   #used for on-link determination
                                   
       option 'AdvAutonomous' '1'  #Indicates that the announced prefix can be
                                   #used for autonomous address configuration.
                                   
       option 'AdvRouterAddr' '0'  #Forced radvd to send the network prefix instead
                                   #of sending the interface address.
                                   
       option 'ignore' '0'         #Disables this prefix declaration.
       
                                   


###### DMZ Configuration Section ######


config 'interface'
        option 'interface' 'dmz'     #The logical interface name this 
                                     #section applies to.
                                     
    option 'AdvSendAdvert' '1'   #Enable router advertisements and 
                                 #solicitations.
                                 
    option 'AdvManagedFlag' '0'  #Disables the additional stateful 
                                 #administered autoconfiguration 
                                 #protocol.
                                 
    option 'AdvOtherConfigFlag' '0' #Disables the autoconfiguration of
                                    #Additional non address information.
                                    
    option 'ignore' '0'          #Disables any advertisements on this 
                                 #interface.  It must be set to 0 or 
                                 #removed in order to enable radvd for 
                                 #this interface.
                                 
        option 'AdvLinkMTU' '1440' #Should fix large packet problem?

config 'prefix'
    option 'interface' 'dmz'    #The logical interface name this section
                    #applies to.
                    
    option 'AdvOnLink' '1'      #Specifies that the announced prefix can
                                #be used for on-link determination.
     
    option 'AdvAutonomous' '1'  #Specifies that the announced prefix can 
                    #be used for autonomous address configuration.
    
    option 'AdvRouterAddr' '0'  #Forced radvd to send the nework prefix
                                #instead of sending interface address.
                            
    option 'ignore' '0'         #Disables prefix declaration.

To create the above /etc/config/radvd I followed the suggestion of the openwrt wiki page on radvd and only added one 'interface' section and one 'prefix' section for each interface.

I left out the prefixes as you suggested, and the wiki page does not suggest them either.   I turned ignore on for the lan.

I turned ignore off for the dmz, since I had a laptop on it waiting to scan with Wireshark for router advertisements. 

The advertisements of type 134 were picked up by Wireshark. 

I then decided to change the laptop from having a static ipv6 ip to obtaining its ip from radvd. 

It gets a global ip obtained from radvd:

ubuntu@ubuntu:~$ ip -6 addr show dev eth6
3: eth6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:470:bc0e:2:222:b0ff:fecd:d25f/64 scope global dynamic 
       valid_lft 86304sec preferred_lft 14304sec
    inet6 fe80::222:b0ff:fecd:d25f/64 scope link 
       valid_lft forever preferred_lft forever

Now I tested it, but I still can't ping6 anything further than my router with ipv6 just like the other machines on my network.

-----
I started looking at other options and here are some other things I've tried without success:
-----

Routes on the Client?
Below are my routes, and the default route doesn't appear to me like it's right...as the gateway/router's ip is 2001:470:bc0e:2::1

ubuntu@ubuntu:~$ ip -6 route show dev eth6
2001:470:bc0e:2::/64  proto kernel  metric 256  expires 86285sec mtu 1440
fe80::/64  proto kernel  metric 256  mtu 1440
default via fe80::224:a5ff:fed8:5395  proto kernel  metric 1024  mtu 1440 hoplimit 255
ubuntu@ubuntu:~$

So I tried adding it with:

ubuntu@ubuntu:~$ sudo ip -6 route add default via 2001:470:bc0e:2::1

But that also didn't cause ping6 to work when pinging from my client laptop.  Also I appear to have two default gateways now according to my laptop:

ubuntu@ubuntu:~$ ip -6 route show default
default via fe80::224:a5ff:fed8:5395 dev eth6 proto kernel metric 1024 mtu 1440 hoplimit 64
default via 2001:470:bc0e:2::1 dev eth6 metric 1024

-----
Router tunnel Prefix wrong?
Does this possibly have something to do with the way I've configured my tunnel?  The tunnel is configured to be:

config 'interface' 'henet'
          option 'proto' '6in4'
          option 'tunnelid' '----'
          option 'password' '---------'
          option 'peeraddr' '216.218.224.42'
          option 'username' '....' 
          option 'ip6addr' '2001:470:1f0e:ea7::2/64'

The ip6addr that my tunnel has is the Client IPv6 Address of 2001:470:1f0e:ea7::2/64 from my HE tunnelbroker.net IPv6 Tunnel Endpoint. 

I allocated a /48 prefix in my tunnel (2001:470:bc0e::/48); it's in the list of Routed IPv6 Prefixes, and that's what my two /64 subnets are based on. 

But I'm a bit confused about why the (2001:470:bc0e::/48) prefix is not being routed.

----
Routes on the Router?
Could it be a problem with the ipv6 default routes on my router?

root@OpenWrt:~# ip -6 route show
2001:470:1f0e:ea7::/64 via :: dev 6in4-henet  proto kernel  metric 256  mtu 1280 advmss 1220 hoplimit 0
2001:470:bc0e:1::/64 dev br-lan  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
2001:470:bc0e:2::/64 dev eth0.2  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0.1  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev br-lan  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth1  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0.2  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 via :: dev 6in4-henet  proto kernel  metric 256  mtu 1280 advmss 1220 hoplimit 0
default dev 6in4-henet  metric 1024  mtu 1280 advmss 1220 hoplimit 0
root@OpenWrt:~#
Alfred Ganz wrote:

I just racked my head for a day about getting traffic from the internal subnet to the outside world. Everything worked after I added a route between the 6in4 interface and the
local subnets:
Add this to /etc/config/network, haven't tried it with Luci:
config 'route6'                                   
        option 'interface' 'lan'                   
        option 'target' '<lan ipv6 addr e.g. 2001...:2cd5/64>'
        option 'gateway' '<local tunnel e.g. 2001...:2/64>'

Hope this helps, AG

Thank you for your input on this matter!

Just to be clear two questions:

Is the 'target' a network prefix?  Or is it something else?

And is the gateway the routed prefix from my tunnel?

I have two routed prefixes according to tunnel broker.net:

Routed /64:2001:470:1f0f:ea7::/64
Routed /48:2001:470:bc0e::/48 [X]

Okay according to the documentation on route6

The 'target' is a routed IPv6 subnet in CIDR notation.

And the 'gateway' specifies,

the IPv6 gateway for this route.

So I set the 'target' option as '2001:470:bc0e:2::/64' the subnet (a subnet of 2001:470:bc0e::/48 as specified in my Routed IPv6 Prefixes)

And I set my gateway to the ip6addr of the 6in4 tunnel...or 2001:470:1f0e:ea7::2

config 'route6'
          option 'interface' 'dmz'
          option 'target' '2001:470:bc0e:2::/64'
          option 'gateway' '2001:470:1f0e:ea7::2'

It still doesn't appear to work: I get the error "SIOCADDRT: No route to host" when I restart the network on my router. I can't tell if it's complaining about the option 'target' or the option 'gateway'.

You don't need static ipv6 routes, that makes no sense. The router already has a default route and clients use the router as gateway. Also having fe80:* addresses on the client is normal

Jow, I agree with you, but an experiment with my configuration shows that if I take out the config route6,
no other changes, I have exactly the problem described above. BTW, the internal net is a /48, but again this should not be necessary, but it fixed my problem.

Don't know why! AG

It fixes your problem because it installs a /64 prefix on the interface which is mandatory for slaac at least. Its equivalent to "option ip6addr 2001:470:bc0e:2::1/64" on the dmz interface. The gateway is unnecessary.

Okay I've done away with the static route6 block suggested by Alfred.  What do you think of my radvd configuration? And the content of the previous post?

I'm sorry, not the previous post, I meant post number 10.
