IPv6 static configuration not working

Hi all,

I have a native IPv6 connection with a /56 prefix from my provider. The provider doesn't have any DHCPv6, so I am using static configuration.

I followed the how-to at https://wiki.openwrt.org/doc/uci/network6

My settings (relevant part):
root@turris:~# cat /etc/config/network

config interface 'lan'
    option ifname 'eth0 eth2'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '64'
    option ip6hint '10'

config interface 'wan'
    option ifname 'eth1'
    option proto 'dhcp'

config interface 'wan6'
    option ifname '@wan'
    option proto 'static'
    option ip6addr '2a02:XXXX:XXXX:1100::2/64'
    option ip6gw '2a02:XXXX:XXXX:1100::1'
    option ip6prefix '2a02:XXXX:XXXX:1100::/56'

It seems I have all IP addresses correct, including the PC, which correctly has an IP from the range 2a02:XXXX:XXXX:1110::/64.

From the router I can ping everything, both the outside network and the PC. From the PC I can ping both the internal and external IPs of my router (2a02:XXXX:XXXX:1110::1 and 2a02:XXXX:XXXX:1100::2), but I cannot ping the gateway 2a02:XXXX:XXXX:1100::1 or the rest of the internet.

I also tried a factory reset and still see the same behaviour.

IPv4 with NAT works fine.

Thanks for help.

I probably can’t really help, but I don’t understand why you followed an OpenWRT howto instead of doing a few clicks in the web UI (Foris). (That seems the way that would most likely be working/tested.)


Without this how-to I didn't have the knowledge to make a correct configuration.

In fact, after understanding how to make a correct static IPv6 configuration, I used Foris for the configuration.


According to the description of your tests, it seems the router knows how to route IPv6 traffic, and the PCs obtain a correct IPv6 config including the right IPv6 default gateway. You can also ping the outside IPv6 address of your router from the PC, so routing seems to work. Also, the router knows how to send IPv6 traffic to the internet, right? Did you try to ping something on the internet from your router? If it works, maybe the problem is somewhere else, at a higher layer. What about outbound firewall rules for IPv6 traffic?


I didn't touch the firewall, and in LuCI it seems forward is allowed. Unfortunately I don't have deep enough knowledge to read iptables rules, so maybe you can find something in them.

ip6tables --list
Chain INPUT (policy DROP)
target prot opt source destination
delegate_input all anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
delegate_forward all anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
delegate_output all anywhere anywhere

Chain MINIUPNPD (2 references)
target prot opt source destination

Chain accept (38 references)
target prot opt source destination
ACCEPT all anywhere anywhere

Chain delegate_forward (1 references)
target prot opt source destination
forwarding_rule all anywhere anywhere /* user chain for forwarding */
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED
zone_lan_forward all anywhere anywhere
zone_wan_forward all anywhere anywhere
zone_guest_turris_forward all anywhere anywhere
reject all anywhere anywhere

Chain delegate_input (1 references)
target prot opt source destination
ACCEPT all anywhere anywhere
input_rule all anywhere anywhere /* user chain for input */
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED
syn_flood tcp anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
zone_lan_input all anywhere anywhere
zone_wan_input all anywhere anywhere
zone_guest_turris_input all anywhere anywhere
accept all anywhere anywhere

Chain delegate_output (1 references)
target prot opt source destination
ACCEPT all anywhere anywhere
output_rule all anywhere anywhere /* user chain for output */
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED
zone_lan_output all anywhere anywhere
zone_wan_output all anywhere anywhere
zone_guest_turris_output all anywhere anywhere
accept all anywhere anywhere

Chain drop (0 references)
target prot opt source destination
DROP all anywhere anywhere

Chain forwarding_guest_turris_rule (1 references)
target prot opt source destination

Chain forwarding_lan_rule (1 references)
target prot opt source destination

Chain forwarding_rule (1 references)
target prot opt source destination

Chain forwarding_wan_rule (1 references)
target prot opt source destination

Chain input_guest_turris_rule (1 references)
target prot opt source destination

Chain input_lan_rule (1 references)
target prot opt source destination

Chain input_rule (1 references)
target prot opt source destination

Chain input_wan_rule (1 references)
target prot opt source destination

Chain output_guest_turris_rule (1 references)
target prot opt source destination

Chain output_lan_rule (1 references)
target prot opt source destination

Chain output_rule (1 references)
target prot opt source destination

Chain output_wan_rule (1 references)
target prot opt source destination

Chain reject (5 references)
target prot opt source destination
REJECT tcp anywhere anywhere reject-with tcp-reset
REJECT all anywhere anywhere reject-with icmp6-port-unreachable

Chain syn_flood (1 references)
target prot opt source destination
RETURN tcp anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP all anywhere anywhere

Chain zone_guest_turris_dest_REJECT (1 references)
target prot opt source destination
reject all anywhere anywhere

Chain zone_guest_turris_dest_accept (1 references)
target prot opt source destination
accept all anywhere anywhere

Chain zone_guest_turris_forward (1 references)
target prot opt source destination
forwarding_guest_turris_rule all anywhere anywhere /* user chain for forwarding */
zone_wan_dest_accept all anywhere anywhere /* forwarding guest_turris -> wan */
accept all anywhere anywhere ctstate DNAT /* Accept port forwards */
zone_guest_turris_dest_REJECT all anywhere anywhere

Chain zone_guest_turris_input (1 references)
target prot opt source destination
input_guest_turris_rule all anywhere anywhere /* user chain for input */
accept tcp anywhere anywhere tcp dpt:domain /* guest dns rule */
accept udp anywhere anywhere udp dpt:domain /* guest dns rule */
accept udp anywhere anywhere udp spts:bootps:bootpc dpts:bootps:bootpc /* guest dhcp rule */
accept all anywhere anywhere ctstate DNAT /* Accept port redirections */
zone_guest_turris_src_REJECT all anywhere anywhere

Chain zone_guest_turris_output (1 references)
target prot opt source destination
output_guest_turris_rule all anywhere anywhere /* user chain for output */
zone_guest_turris_dest_accept all anywhere anywhere

Chain zone_guest_turris_src_REJECT (1 references)
target prot opt source destination
reject all anywhere anywhere

Chain zone_lan_dest_accept (4 references)
target prot opt source destination
accept all anywhere anywhere

Chain zone_lan_forward (1 references)
target prot opt source destination
forwarding_lan_rule all anywhere anywhere /* user chain for forwarding */
zone_wan_dest_accept all anywhere anywhere /* forwarding lan -> wan */
accept all anywhere anywhere ctstate DNAT /* Accept port forwards */
zone_lan_dest_accept all anywhere anywhere

Chain zone_lan_input (1 references)
target prot opt source destination
input_lan_rule all anywhere anywhere /* user chain for input */
accept all anywhere anywhere ctstate DNAT /* Accept port redirections */
zone_lan_src_accept all anywhere anywhere

Chain zone_lan_output (1 references)
target prot opt source destination
output_lan_rule all anywhere anywhere /* user chain for output */
zone_lan_dest_accept all anywhere anywhere

Chain zone_lan_src_accept (1 references)
target prot opt source destination
accept all anywhere anywhere

Chain zone_wan_dest_REJECT (1 references)
target prot opt source destination
reject all anywhere anywhere

Chain zone_wan_dest_accept (3 references)
target prot opt source destination
accept all anywhere anywhere

Chain zone_wan_forward (1 references)
target prot opt source destination
MINIUPNPD all anywhere anywhere
MINIUPNPD all anywhere anywhere
forwarding_wan_rule all anywhere anywhere /* user chain for forwarding */
accept ipv6-icmp anywhere anywhere ipv6-icmp echo-request limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Forward */
accept ipv6-icmp anywhere anywhere ipv6-icmp echo-reply limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Forward */
accept ipv6-icmp anywhere anywhere ipv6-icmp destination-unreachable limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Forward */
accept ipv6-icmp anywhere anywhere ipv6-icmp packet-too-big limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Forward */
accept ipv6-icmp anywhere anywhere ipv6-icmp time-exceeded limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Forward */
accept ipv6-icmp anywhere anywhere ipv6-icmp bad-header limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Forward */
accept ipv6-icmp anywhere anywhere ipv6-icmp unknown-header-type limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Forward */
zone_lan_dest_accept esp anywhere anywhere /* @rule[7] */
zone_lan_dest_accept udp anywhere anywhere udp dpt:isakmp /* @rule[8] */
accept all anywhere anywhere ctstate DNAT /* Accept port forwards */
zone_wan_dest_REJECT all anywhere anywhere

Chain zone_wan_input (1 references)
target prot opt source destination
input_wan_rule all anywhere anywhere /* user chain for input */
accept udp fe80::/10 fe80::/10 udp spt:dhcpv6-server dpt:dhcpv6-client /* Allow-DHCPv6 */
accept ipv6-icmp fe80::/10 anywhere ipv6-icmptype 130 code 0 /* Allow-MLD */
accept ipv6-icmp fe80::/10 anywhere ipv6-icmptype 131 code 0 /* Allow-MLD */
accept ipv6-icmp fe80::/10 anywhere ipv6-icmptype 132 code 0 /* Allow-MLD */
accept ipv6-icmp fe80::/10 anywhere ipv6-icmptype 143 code 0 /* Allow-MLD */
accept ipv6-icmp anywhere anywhere ipv6-icmp echo-request limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
accept ipv6-icmp anywhere anywhere ipv6-icmp echo-reply limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
accept ipv6-icmp anywhere anywhere ipv6-icmp destination-unreachable limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
accept ipv6-icmp anywhere anywhere ipv6-icmp packet-too-big limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
accept ipv6-icmp anywhere anywhere ipv6-icmp time-exceeded limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
accept ipv6-icmp anywhere anywhere ipv6-icmp bad-header limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
accept ipv6-icmp anywhere anywhere ipv6-icmp unknown-header-type limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
accept ipv6-icmp anywhere anywhere ipv6-icmp router-solicitation limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
accept ipv6-icmp anywhere anywhere ipv6-icmp neighbour-solicitation limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
accept ipv6-icmp anywhere anywhere ipv6-icmp router-advertisement limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
accept ipv6-icmp anywhere anywhere ipv6-icmp neighbour-advertisement limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
accept all anywhere anywhere ctstate DNAT /* Accept port redirections */
zone_wan_src_REJECT all anywhere anywhere

Chain zone_wan_output (1 references)
target prot opt source destination
output_wan_rule all anywhere anywhere /* user chain for output */
zone_wan_dest_accept all anywhere anywhere

Chain zone_wan_src_REJECT (1 references)
target prot opt source destination
reject all anywhere anywhere

I am afraid that my knowledge of iptables is far from sufficient. My idea would be that, in case the firewall by chance drops outgoing IPv6 traffic (default input policy is DROP), I can test it by adding one traffic rule via LuCI which will permit, let's say, all IPv6 traffic from lan to wan.

It would be a matter of minutes and we can see if it was the firewall or not, instead of iptables analysis (in my case hours of learning and analysing). Or somebody more fluent in iptables can try it. Or maybe somebody has a better idea.

Thanks for the help, but unfortunately this doesn't solve the problem. Still the same behaviour, even after I moved this rule to the top. I also tried temporarily adding a rule allowing all incoming traffic, with the same result.

Problem solved. It was an error in the provider's configuration. After the provider added the route 2a02:XXXX:XXXX:1100::/56 via 2a02:XXXX:XXXX:1100::2/64, everything is working fine.
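The cause found above, worked through as an added example (not part of the original thread): it derives the LAN /64 from `ip6prefix`, `ip6assign` and `ip6hint`, then models the provider gateway's route table before and after the fix. The `2001:db8:` addresses are constructed stand-ins for the masked `2a02:XXXX:XXXX:` ones, and the gateway tables are an assumed model of the provider side.

```python
import ipaddress

def delegated_subnet(prefix, assign_len, hint_hex):
    """LAN subnet carved from ip6prefix: ip6assign is the length, ip6hint the hex subnet ID."""
    net = ipaddress.IPv6Network(prefix)
    subnet_bits = assign_len - net.prefixlen
    subnet_id = int(hint_hex, 16)
    if subnet_bits < 0 or subnet_id >= (1 << subnet_bits):
        raise ValueError("ip6hint does not fit inside the delegated prefix")
    base = int(net.network_address) | (subnet_id << (128 - assign_len))
    return ipaddress.IPv6Network((base, assign_len))

def lookup(routes, dst):
    """Longest-prefix match over (network, via) pairs; None means no route."""
    dst = ipaddress.IPv6Address(dst)
    best = None
    for net, via in routes:
        net = ipaddress.IPv6Network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None

# Constructed stand-ins mirroring the thread's layout (wan6 ::2/64, /56 delegated).
PREFIX = "2001:db8:0:1100::/56"
WAN_NET = "2001:db8:0:1100::/64"
WAN_ADDR = "2001:db8:0:1100::2"
LAN_NET = delegated_subnet(PREFIX, 64, "10")      # ip6assign '64', ip6hint '10'
LAN_HOST = str(LAN_NET.network_address + 0x100)   # a PC on the LAN

# Assumed provider gateway tables: only the WAN /64 is on-link before the fix;
# afterwards the whole /56 is routed via the customer router's WAN address.
GW_BEFORE = [(WAN_NET, "on-link")]
GW_AFTER = GW_BEFORE + [(PREFIX, WAN_ADDR)]

if __name__ == "__main__":
    print("LAN subnet:", LAN_NET)
    for label, table in (("before", GW_BEFORE), ("after", GW_AFTER)):
        for dst in (WAN_ADDR, LAN_HOST):
            print(label, dst, "->", lookup(table, dst) or "no route")
```

Before the fix the gateway can answer the router's own WAN address but has no path back to the LAN /64, which matches the symptoms: pings from the router work, pings from the PC get no reply, and firewall changes make no difference.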