Ipv6 output does not seem to work from TO itself

edavid · August 20, 2020, 9:04am

Hello, trying to debug a DNS problem I got the following status :

kresd   2313 root   28u  IPv6 845414      0t0  TCP 2a01:e0a:2b7:70e0::1:36034->2001:19f0:7402:28c:5400:1ff:fe43:1ec:domain (SYN_SENT)
kresd   2313 root   29u  IPv6 845471      0t0  TCP 2a01:e0a:2b7:70e0::1:44674->ns-382.awsdns-47.com:domain (SYN_SENT)
kresd   2313 root   30u  IPv6 845501      0t0  TCP 2a01:e0a:2b7:70e0::1:48654->ns-763.awsdns-31.net:domain (SYN_SENT)
kresd   2313 root   31u  IPv6 845488      0t0  TCP 2a01:e0a:2b7:70e0::1:55196->ns-1034.awsdns-01.org:domain (SYN_SENT)
kresd   2313 root   32u  IPv6 845396      0t0  TCP 2a01:e0a:2b7:70e0::1:36030->2001:19f0:7402:28c:5400:1ff:fe43:1ec:domain (SYN_SENT)
kresd   2313 root   33u  IPv6 845401      0t0  TCP 2a01:e0a:2b7:70e0::1:36032->2001:19f0:7402:28c:5400:1ff:fe43:1ec:domain (SYN_SENT)
kresd   2313 root   34u  IPv6 845494      0t0  TCP 2a01:e0a:2b7:70e0::1:47510->ns-1418.awsdns-49.org:domain (SYN_SENT)

Indeed I cannot reach those IPv6 addresses from the TO, but I can reach them from a machine behind the TO

So I thought it might be a problem with the OUTPUT chain of my firewall, but in LuCI, the output is on accept.
Relevant parts of ip6tables -v -L are below, and I could not find anything bad in this. SO I am ready to take some hints or help at this (eth1 is my wan interface)

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    2   416 ACCEPT     all      any    lo      anywhere             anywhere             /* !fw3 */
 376K   35M output_rule  all      any    any     anywhere             anywhere             /* !fw3: Custom output rule chain */
71780 9807K ACCEPT     all      any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 zone_lan_output  all      any    br-lan  anywhere             anywhere             /* !fw3 */
59227 4310K zone_lan_output  all      any    br-INTERNE  anywhere             anywhere             /* !fw3 */
 226K   20M zone_wan_output  all      any    eth1    anywhere             anywhere             /* !fw3 */
 9423  678K zone_Isoles_output  all      any    br-ISOLES  anywhere             anywhere             /* !fw3 */
 9423  678K accept     all      any    any     anywhere             anywhere             /* !fw3 */

Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 226K   20M output_wan_rule  all      any    any     anywhere             anywhere             /* !fw3: Custom wan output rule chain */
 226K   20M zone_wan_dest_ACCEPT  all      any    any     anywhere             anywhere             /* !fw3 */

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_wan_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination         
 1287  105K DROP       all      any    eth1    anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
 744K   67M accept     all      any    eth1    anywhere             anywhere             /* !fw3 */

Chain accept (32 references)
 pkts bytes target     prot opt in     out     source               destination         
 953K   83M ACCEPT     all      any    any     anywhere             anywhere             /* !fw3 */