OpenWrt Forum Archive

Topic: IPv6 on Chaos Calmer...

The content of this topic has been archived between 28 Mar 2018 and 8 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I'm running an x86 router with OpenWRT ((git-16.018.33482-3201903) / OpenWrt Chaos Calmer 15.05) and I'm having issues with IPv6.

The router can see and talk to IPv6 sites on the internet just fine:

root@Router:~# traceroute6 www.google.com
traceroute to www.google.com (2607:f8b0:400f:803::2004) from 2001:470:1f16:174::2, 30 hops max, 24 byte packets
 1  anaerin-1.tunnel.tserv1.ywg1.ipv6.he.net (2001:470:1f16:174::1)  84.5 ms  84.347 ms  83.572 ms
 2  ge2-20.core1.ywg1.he.net (2001:470:0:2b8::1)  91.215 ms  84.23 ms  90.422 ms
 3  10ge1-6.core1.msp1.he.net (2001:470:0:2dd::1)  111.456 ms  100.77 ms  100.237 ms
 4  100ge7-1.core1.chi1.he.net (2001:470:0:18e::1)  99.979 ms  99.966 ms  100.152 ms
 5  eqixchi-v6.google.com (2001:504:0:4:0:1:5169:1)  100.005 ms  99.175 ms  100.148 ms
 6  2001:4860::1:0:aa79 (2001:4860::1:0:aa79)  100.894 ms  101.004 ms  100.133 ms
 7  2001:4860::8:0:9150 (2001:4860::8:0:9150)  119.603 ms  119.419 ms  120.486 ms
 8  2001:4860::8:0:b0e2 (2001:4860::8:0:b0e2)  118.673 ms  118.611 ms  118.686 ms
 9  2001:4860::8:0:79e5 (2001:4860::8:0:79e5)  119.624 ms  118.629 ms  118.599 ms
10  2001:4860::1:0:8831 (2001:4860::1:0:8831)  118.753 ms  119.319 ms  118.579 ms
11  2001:4860:0:1::1221 (2001:4860:0:1::1221)  119.669 ms  119.517 ms  118.664 ms
12  den03s10-in-x04.1e100.net (2607:f8b0:400f:803::2004)  119.542 ms  119.466 ms  118.685 ms
root@Router:~#

But my clients aren't getting issued IPv6 addresses:

Robert@ANAERIN-PC C:\Users\Robert
> ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Anaerin-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : lan

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : lan
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 74-D0-2B-96-1A-8B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::747b:52e9:a206:ca3b%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : March 8, 2016 4:05:49 PM
   Lease Expires . . . . . . . . . . : March 14, 2016 10:53:48 PM
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 57987115
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-F9-7C-41-74-D0-2B-96-1A-8B
   DNS Servers . . . . . . . . . . . : 192.168.0.1
   NetBIOS over Tcpip. . . . . . . . : Disabled

ifstatus wan6 gives me:

root@Router:~# ifstatus wan6
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 446,
        "l3_device": "6in4-wan6",
        "proto": "6in4",
        "updated": [
                "addresses",
                "routes",
                "prefixes"
        ],
        "metric": 0,
        "delegation": true,
        "ipv4-address": [

        ],
        "ipv6-address": [
                {
                        "address": "2001:470:1f16:174::2",
                        "mask": 64
                }
        ],
        "ipv6-prefix": [
                {
                        "address": "2001:470:3074::",
                        "mask": 48,
                        "class": "wan6",
                        "assigned": {
                                "lan": {
                                        "address": "2001:470:3074::",
                                        "mask": 60
                                }
                        }
                }
        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "::",
                        "source": "2001:470:3074::\/48"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "::",
                        "source": "2001:470:1f16:174::2\/64"
                }
        ],
        "dns-server": [

        ],
        "dns-search": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ]
        },
        "data": {

        }
}

And /etc/config/network reads:

root@Router:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'lan'
        option ifname 'eth0'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
        option delegate '0'

config interface 'wan6'
        option _orig_ifname 'eth1'
        option _orig_bridge 'false'
        option proto '6in4'
        option peeraddr '184.105.255.26'
        option ip6addr '2001:470:1f16:174::2/64'
        option ip6prefix '2001:470:3074::/48'
        option tunnelid '325727'
        option username '<REMOVED>'
        option updatekey '<REMOVED>'

config globals 'globals'
        option ula_prefix 'fd56:0da3:9c31::/48'

root@Router:~#

And /etc/config/dhcp reads:

root@Router:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        option filterwin2k '1'
        option nonegcache '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config dhcp 'wan6'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'
        option master '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

config host
        option name 'Anaerin-PC'
        option mac '74:d0:2b:96:1a:8b'
        option ip '192.168.0.10'

So everything should be fine, right? What am I missing?

(Last edited by Anaerin on 14 Mar 2016, 21:06)

Why do you have "relay" mode on dhcp settings?
I think that it should be "server", as you are not receiving anything dynamically. (You have set the prefix in network settings.)

I was going off the "Default configuration for Chaos Calmer" on the ipv6 wiki page. Now I have:

root@Router:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        option filterwin2k '1'
        option nonegcache '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ra 'server'
        option dhcpv6 'server'
        option ra_management '1'
        option ra_default '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config dhcp 'wan6'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'
        option master '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

config host
        option name 'Anaerin-PC'
        option mac '74:d0:2b:96:1a:8b'
        option ip '192.168.0.10'

But I'm still not getting an IPv6 address:

C:\WINDOWS\system32>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Anaerin-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : lan

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : lan
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 74-D0-2B-96-1A-8B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::747b:52e9:a206:ca3b%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : March 8, 2016 4:05:49 PM
   Lease Expires . . . . . . . . . . : March 15, 2016 2:32:14 AM
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 57987115
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-F9-7C-41-74-D0-2B-96-1A-8B
   DNS Servers . . . . . . . . . . . : 192.168.0.1
   NetBIOS over Tcpip. . . . . . . . : Disabled

I have a configuration quite similar to yours but a few details:

  • In /etc/network/config, instead of "option ip6addr '2001:470:1f16:174::2/64'" I have "option ip6addr '2001:470:1f16:174::2'".

  • In "/etc/network/dhcp", I do not have the following lines for the "lan" interface:
            option ra_management '1'
            option ra_default '1'

  • I do not have a "wan6" section in "/etc/network/dhcp".

Having made the above changes, I'm still not getting anything.

Do you have other clients to test?

I've had for years similar config that uses he.net as tunnel broker. On many devices and many ISPs and it always worked fine.

Just a few moments:

You don't need dhcp6 service if you don't need prefix delegation inside your local network. Disable it. This is all that's needed:

config dhcp 'lan'
 option interface 'lan'
 option ra 'server'
 option ra_maxinterval '30'

config dhcp 'wan'
 option interface 'wan'
 option ignore '1'

Ensure the odhcpd process is started and running. Restart it to be sure: /etc/init.d/odhcpd restart. Ensure it's in autostart: /etc/init.d/odhcpd enable
Run "ifstatus lan" to see if you have anything in "ipv6-prefix-assignment". This is what odhcpd uses to broadcast RAs.
Run wireshark on the PC with filter "icmpv6". Look for RAs from the router. Look inside the RAs and check that they contain a valid prefix and route, that the router lifetime is not zero, and that the route and prefix lifetimes are also not zero.

Don't know what "option maindhcp '0'" means but it's not required and may have a negative effect.

If you see valid RAs in wireshark but the PC does not assign an ipv6 address then the problem is on the PC side. Assuming the PC runs Windows, run "netsh int ipv6 show int" and find the interface id, then run "netsh int ipv6 show int <interface_id>". Check if router discovery is enabled. If nothing helps, delete the network adapter and let the system redetect it. This will wipe settings to default.

(Last edited by bolvan on 15 Mar 2016, 11:35)
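
Added example, not part of bolvan's post: a Python parser that applies the RA checks listed above (router lifetime, prefix and route lifetimes) to the raw ICMPv6 bytes of a Router Advertisement. The two sample RAs are constructed with `build_ra` (a helper made up for this example) from the prefix in this thread; they are not captured traffic.

```python
import ipaddress
import struct

RA_TYPE, OPT_PREFIX_INFO, OPT_ROUTE_INFO = 134, 3, 24


def parse_ra(icmp: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement, starting at the ICMPv6 type byte."""
    if len(icmp) < 16:
        raise ValueError("truncated RA header")
    mtype, _code, _cksum, _hop, flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", icmp[:16])
    if mtype != RA_TYPE:
        raise ValueError(f"not a Router Advertisement (type {mtype})")
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "prefixes": [], "routes": []}
    off = 16
    while off < len(icmp):
        if off + 2 > len(icmp):
            raise ValueError("truncated option header")
        opt_type, opt_len = icmp[off], icmp[off + 1]
        end = off + opt_len * 8          # option length is in units of 8 bytes
        if opt_len == 0 or end > len(icmp):
            raise ValueError("bad option length")
        body = icmp[off:end]
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[2:12])
            addr = int.from_bytes(body[16:32], "big")
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Network((addr, plen), strict=False),
                "on_link": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                "valid": valid, "preferred": preferred})
        elif opt_type == OPT_ROUTE_INFO and opt_len in (1, 2, 3):
            plen, _rflags, rlife = struct.unpack("!BBI", body[2:8])
            addr = int.from_bytes(body[8:].ljust(16, b"\0"), "big")
            ra["routes"].append({
                "prefix": ipaddress.IPv6Network((addr, plen), strict=False),
                "lifetime": rlife})
        off = end                        # unknown options are skipped
    return ra


def check_ra(ra: dict) -> list:
    """Return a list of problems that would stop a host from using this RA."""
    problems = []
    if ra["router_lifetime"] == 0:
        problems.append("router lifetime is 0: no default route will be installed")
    if not ra["prefixes"]:
        problems.append("no Prefix Information option: nothing to autoconfigure")
    for p in ra["prefixes"]:
        if p["valid"] == 0 or p["preferred"] == 0:
            problems.append(f"{p['prefix']}: valid or preferred lifetime is 0")
        if not p["autonomous"]:
            problems.append(f"{p['prefix']}: A flag clear, SLAAC not permitted")
        if p["prefix"].prefixlen != 64:
            problems.append(f"{p['prefix']}: SLAAC needs a /64")
    for r in ra["routes"]:
        if r["lifetime"] == 0:
            problems.append(f"route {r['prefix']}: lifetime is 0")
    return problems


def build_ra(router_lifetime, prefixes, routes=()):
    """Build constructed RA bytes for the demo (checksum left at 0, not verified)."""
    msg = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, router_lifetime, 0, 0)
    for net, valid, preferred in prefixes:
        n = ipaddress.IPv6Network(net)
        msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, n.prefixlen, 0xC0,
                           valid, preferred, 0) + n.network_address.packed
    for net, rlife in routes:
        n = ipaddress.IPv6Network(net)
        msg += struct.pack("!BBBBI", OPT_ROUTE_INFO, 3, n.prefixlen, 0,
                           rlife) + n.network_address.packed
    return msg


# Constructed samples: a usable RA and one with every lifetime zeroed.
GOOD_RA = build_ra(1800, [("2001:470:3074::/64", 86400, 14400)],
                   [("2001:470:3074::/60", 1800)])
BAD_RA = build_ra(0, [("2001:470:3074::/64", 0, 0)])

if __name__ == "__main__":
    for name, raw in (("good", GOOD_RA), ("bad", BAD_RA)):
        print(name, check_ra(parse_ra(raw)) or "OK")
```

To run it on a real RA, pass the ICMPv6 layer bytes exported from the capture to `parse_ra`.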

Like bolvan said, the trouble may be with odhcpd. I think that it does not always restart after a network config change, so it may use a stale config unless you restart it or reboot the router.

bolvan wrote:

This is all that's needed:

config dhcp 'lan'
...
 option ignore '1'

Ensure the odhcpd process is started and running. Restart it to be sure: /etc/init.d/odhcpd restart. Ensure it's in autostart: /etc/init.d/odhcpd enable

I agree with bolvan's advice otherwise, but disabling also ipv4 dhcp on LAN looks strange... Most users depend on the router to provide ipv4 dhcp service. (unless you are trying to provide an ipv6-only LAN environment.)

(Last edited by hnyman on 15 Mar 2016, 11:03)

hnyman wrote:

but disabling also ipv4 dhcp on LAN looks strange... Most users depend on the router to provide ipv4 dhcp service.

Yes, you're right. I copy-pasted from my system with a non-standard configuration. Of course in most cases dhcp must be enabled for lan.

Okay, with those changes (thank you very much, Bolvan) the PC is getting an ipv6 address:

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : lan
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 74-D0-2B-96-1A-8B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:470:1f16:174:747b:52e9:a206:ca3b(Preferred)
   IPv6 Address. . . . . . . . . . . : 2001:470:3074:0:747b:52e9:a206:ca3b(Preferred)
   IPv6 Address. . . . . . . . . . . : fd56:da3:9c31:0:747b:52e9:a206:ca3b(Preferred)
   Temporary IPv6 Address. . . . . . : 2001:470:1f16:174:45c6:a6b6:6662:dd32(Preferred)
   Temporary IPv6 Address. . . . . . : 2001:470:3074:0:45c6:a6b6:6662:dd32(Preferred)
   Temporary IPv6 Address. . . . . . : fd56:da3:9c31:0:45c6:a6b6:6662:dd32(Preferred)
   Link-local IPv6 Address . . . . . : fe80::747b:52e9:a206:ca3b%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : March 8, 2016 4:05:49 PM
   Lease Expires . . . . . . . . . . : March 15, 2016 8:18:35 PM
   Default Gateway . . . . . . . . . : fe80::c6e9:84ff:fe05:4110%13
                                       192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 57987115
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-F9-7C-41-74-D0-2B-96-1A-8B
   DNS Servers . . . . . . . . . . . : 192.168.0.1
   NetBIOS over Tcpip. . . . . . . . : Disabled

For the record, so anyone else with this issue can fix it as I did, my config files look like this:

root@Router:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        option filterwin2k '1'
        option nonegcache '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ra 'server'
        option ra_maxinterval '30'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config host
        option name 'Anaerin-PC'
        option mac '74:d0:2b:96:1a:8b'
        option ip '192.168.0.10'

root@Router:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'lan'
        option ifname 'eth0'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
        option delegate '0'

config interface 'wan6'
        option _orig_ifname 'eth1'
        option _orig_bridge 'false'
        option proto '6in4'
        option peeraddr '184.105.255.26'
        option ip6addr '2001:470:1f16:174::2'
        option ip6prefix '2001:470:3074::/48'
        option tunnelid '325727'
        option username '<REMOVED>'
        option updatekey '<REMOVED>'

config globals 'globals'
        option ula_prefix 'fd56:0da3:9c31::/48'

root@Router:~# ifstatus lan
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 134117,
        "l3_device": "br-lan",
        "proto": "static",
        "device": "br-lan",
        "updated": [
                "addresses"
        ],
        "metric": 0,
        "delegation": true,
        "ipv4-address": [
                {
                        "address": "192.168.0.1",
                        "mask": 24
                }
        ],
        "ipv6-address": [

        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [
                {
                        "address": "2001:470:3074::",
                        "mask": 60
                },
                {
                        "address": "fd56:da3:9c31::",
                        "mask": 60
                }
        ],
        "route": [

        ],
        "dns-server": [

        ],
        "dns-search": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ]
        },
        "data": {

        }
}

Unfortunately, however, packets are still not being routed properly.
The router can see the IPv6 net just fine:

root@Router:~# ping6 www.google.com
PING www.google.com(den03s10-in-x04.1e100.net) 56 data bytes
64 bytes from den03s10-in-x04.1e100.net: icmp_seq=1 ttl=52 time=119 ms
64 bytes from den03s10-in-x04.1e100.net: icmp_seq=2 ttl=52 time=119 ms

--- www.google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 119.429/119.440/119.451/0.011 ms
root@Router:~# traceroute6 www.google.com
traceroute to www.google.com (2607:f8b0:400f:803::2004) from 2001:470:1f16:174::2, 30 hops max, 24 byte packets
 1  anaerin-1.tunnel.tserv1.ywg1.ipv6.he.net (2001:470:1f16:174::1)  84.236 ms  84.188 ms  84.317 ms
 2  ge2-20.core1.ywg1.he.net (2001:470:0:2b8::1)  94.671 ms  85.877 ms  84.449 ms
 3  10ge1-6.core1.msp1.he.net (2001:470:0:2dd::1)  93.965 ms  92.055 ms  100.091 ms
 4  100ge7-1.core1.chi1.he.net (2001:470:0:18e::1)  106.129 ms  99.882 ms  101.028 ms
 5  eqixchi-v6.google.com (2001:504:0:4:0:1:5169:1)  99.165 ms  99.083 ms  99.207 ms
 6  2001:4860::1:0:84b4 (2001:4860::1:0:84b4)  101.851 ms  98.908 ms  103.847 ms
 7  2001:4860::8:0:9150 (2001:4860::8:0:9150)  120.949 ms  119.534 ms  121.633 ms
 8  2001:4860::8:0:b0e2 (2001:4860::8:0:b0e2)  119.882 ms  119.028 ms  119.507 ms
 9  2001:4860::8:0:79e5 (2001:4860::8:0:79e5)  119.233 ms  118.469 ms  119.605 ms
10  2001:4860::1:0:8831 (2001:4860::1:0:8831)  118.652 ms  120.388 ms  119.504 ms
11  2001:4860:0:1::1221 (2001:4860:0:1::1221)  119.565 ms  119.539 ms  118.705 ms
12  den03s10-in-x04.1e100.net (2607:f8b0:400f:803::2004)  119.52 ms  119.506 ms  119.526 ms

The PC, however, is a different story:

C:\WINDOWS\system32>tracert -6 www.google.com

Tracing route to www.google.com [2607:f8b0:400f:803::2004]
over a maximum of 30 hops:

  1  Destination net unreachable.

Trace complete.

According to wireshark, the reason reported by ICMP is "Source Address failed ingress/egress policy", which sounds like routing or firewall is blocking packets.

Hi,

The following seems like an obvious suggestion so you may have already tried it.  Your traffic does seem to be firewalled:

https://psg.com/lists/shim6/msg01959.html

I'm not a Windows built-in firewall expert and it causes me problems from time to time when helping clients.  This looks like it may be helpful:

https://msdn.microsoft.com/en-us/librar … s.85).aspx

Maybe it's possible to disable the firewall just for testing, then do a search to figure out how to allow outbound IPv6 traffic of various protocols.

Clemmitt

You might be missing some firewall related things:
1) You have not added the tunnel interface (wan6 in your case, henet in my example) to the wan zone in firewall.
2) Firewall rules are missing the default icmpv6 rules. They could be missing if you have an ancient network config.
3) You have not enabled 6in4 traffic = proto41 to pass through the ipv4 firewall to be processed at the ipv6 firewall.

I am normally using full native ipv6, but I disabled it for testing and activated my he.net tunnel for testing.
My Windows PC gets a quite normally usable he.net 6in4 tunnel with these settings in the router.
After setting all config files, I rebooted the router, which forces Windows to clear its network stack (at least with a wired connection), so that it refreshes the network and fetches new addresses via dhcp & ra.
(my example is from Openwrt trunk, but CC15.05 should have quite identical config)

Note: my example uses "henet" as the name for the tunnel interface, not wan6.

/etc/config/network
- define router's tunnel address, routed prefix, and local endpoint
- add/check ip6assign option to lan

config interface 'lan'
        option ipaddr '192.168.1.1'
...
        option ip6assign '60'

config interface 'henet'
        option proto '6in4'
        option mtu '1424'
        option peeraddr '216.66.80.90'
        option ip6addr '2001:3333:27:4444::2/64'
        option ip6prefix '2001:3333:28:4444::/64'
        option tunnelid '1xxxxx'
        option username 'xxxxxxxxxxx'
        option password 'yyyyyyyyyyy'

/etc/config/dhcp
- set lan dhcpv6/ra mode to 'server'
- exclude henet interface from ipv4 dhcp allocation
- check that the default odhcpd parameters are there

config 'dhcp' 'lan'
        option 'interface' 'lan'
...
        option dhcpv6 'server'
        option ra 'server'

config 'dhcp'
        option 'ignore' '1'
        option 'interface' 'henet'
        option 'dynamicdhcp' '0'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

/etc/config/firewall
- add henet interface to wan zone, and
- add an IPv4 rule to accept protocol 41 (= 6in4 encapsulation) from the local Henet tunnel endpoint (my ISP's endpoint below)
- check that the default icmpv6 rules are present

config 'zone'
        option 'name' 'wan'
        list 'network' 'wan'
        list 'network' 'henet'
        option 'input' 'REJECT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'masq' '1'
        option 'mtu_fix' '1'


config rule
        option target 'ACCEPT'
        option name 'HEnet IPv6'
        option src 'wan'
        option src_ip '216.66.80.90'
        option proto '41'

config 'rule'
        option 'name' 'Allow-ICMPv6-Input'
        option 'src' 'wan'
        option 'proto' 'icmp'
        list 'icmp_type' 'echo-request'
        list 'icmp_type' 'echo-reply'
        list 'icmp_type' 'destination-unreachable'
        list 'icmp_type' 'packet-too-big'
        list 'icmp_type' 'time-exceeded'
        list 'icmp_type' 'bad-header'
        list 'icmp_type' 'unknown-header-type'
        list 'icmp_type' 'router-solicitation'
        list 'icmp_type' 'neighbour-solicitation'
        list 'icmp_type' 'router-advertisement'
        list 'icmp_type' 'neighbour-advertisement'
        option 'limit' '1000/sec'
        option 'family' 'ipv6'
        option 'target' 'ACCEPT'

config 'rule'
        option 'name' 'Allow-ICMPv6-Forward'
        option 'src' 'wan'
        option 'dest' '*'
        option 'proto' 'icmp'
        list 'icmp_type' 'echo-request'
        list 'icmp_type' 'echo-reply'
        list 'icmp_type' 'destination-unreachable'
        list 'icmp_type' 'packet-too-big'
        list 'icmp_type' 'time-exceeded'
        list 'icmp_type' 'bad-header'
        list 'icmp_type' 'unknown-header-type'
        option 'limit' '1000/sec'
        option 'family' 'ipv6'
        option 'target' 'ACCEPT'

(Last edited by hnyman on 15 Mar 2016, 21:34)
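
Added example, not part of hnyman's post: a Python check of an /etc/config/firewall file against the three points listed above (tunnel interface in a zone, ICMPv6 input and forward rules, protocol 41 accepted from the tunnel endpoint). The sample config is constructed from the fragments in the post; `audit_6in4_firewall` and the `ESSENTIAL_ICMPV6` subset used to recognise the ICMPv6 rules are assumptions of this example.

```python
import shlex

# ICMPv6 types used to recognise the default ICMPv6 rules (assumed subset of
# the icmp_type lists shown in the post above).
ESSENTIAL_ICMPV6 = {"destination-unreachable", "packet-too-big", "time-exceeded"}


def parse_uci(text):
    """Parse UCI text into a list of section dicts; handles quoted and bare names."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if not tok:
            continue
        if tok[0] == "config" and len(tok) >= 2:
            sections.append({"_type": tok[1]})
        elif tok[0] == "option" and len(tok) == 3 and sections:
            sections[-1][tok[1]] = tok[2]
        elif tok[0] == "list" and len(tok) == 3 and sections:
            sections[-1].setdefault(tok[1], []).append(tok[2])
    return sections


def as_list(value):
    """UCI allows both "list x 'a'" lines and "option x 'a b'"; normalise to a list."""
    if value is None:
        return []
    return value.split() if isinstance(value, str) else list(value)


def audit_6in4_firewall(text, tunnel_if, peer_ip):
    sections = parse_uci(text)
    # Zones that contain the tunnel interface.
    zones = {s["name"] for s in sections if s["_type"] == "zone"
             and s.get("name") and tunnel_if in as_list(s.get("network"))}
    # ACCEPT rules whose source is one of those zones.
    rules = [s for s in sections if s["_type"] == "rule"
             and s.get("target") == "ACCEPT" and s.get("src") in zones]

    def icmpv6(rule, forwarded):
        return (rule.get("proto") == "icmp" and rule.get("family") == "ipv6"
                and ("dest" in rule) == forwarded
                and ESSENTIAL_ICMPV6 <= set(as_list(rule.get("icmp_type"))))

    return {
        "tunnel_in_zone": bool(zones),
        "icmpv6_input": any(icmpv6(r, False) for r in rules),
        "icmpv6_forward": any(icmpv6(r, True) for r in rules),
        # Only the numeric form '41' from the post is recognised here.
        "proto41_from_peer": any(r.get("proto") == "41"
                                 and r.get("src_ip") == peer_ip for r in rules),
    }


# Constructed sample: zone and ICMPv6 rules present, protocol 41 rule missing.
SAMPLE = """
config 'zone'
        option 'name' 'wan'
        list 'network' 'wan'
        list 'network' 'henet'
        option 'input' 'REJECT'
        option 'forward' 'REJECT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'router-advertisement'
        option family 'ipv6'
        option target 'ACCEPT'

config 'rule'
        option 'name' 'Allow-ICMPv6-Forward'
        option 'src' 'wan'
        option 'dest' '*'
        option 'proto' 'icmp'
        list 'icmp_type' 'destination-unreachable'
        list 'icmp_type' 'packet-too-big'
        list 'icmp_type' 'time-exceeded'
        option 'family' 'ipv6'
        option 'target' 'ACCEPT'
"""

PROTO41_RULE = """
config rule
        option target 'ACCEPT'
        option name 'HEnet IPv6'
        option src 'wan'
        option src_ip '216.66.80.90'
        option proto '41'
"""

if __name__ == "__main__":
    print(audit_6in4_firewall(SAMPLE, "henet", "216.66.80.90"))
    print(audit_6in4_firewall(SAMPLE + PROTO41_RULE, "henet", "216.66.80.90"))
```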

hnyman wrote:

You might be missing some firewall related things:
1) You have not added the tunnel interface (wan6 in your case, henet in my example) to the wan zone in firewall.

Nope, it's in there.

hnyman wrote:

2) Firewall rules are missing the default icmpv6 rules. They could be missing if you have an ancient network config.

Nope, they're in there too.

hnyman wrote:

3) You have not enabled 6in4 traffic = proto41 to pass through the ipv4 firewall to be processed at the ipv6 firewall.

That is quite possible - I don't see those listed in the firewall config. But as it stands the router can already talk to the IPv6 internet on the IPv6 interface, so that means the 6in4 traffic is getting where it needs to. If I was using 6in4 on a client inside the firewall, I would understand this needing to be tunneled.

hnyman wrote:

- check that the default odhcpd parameters are there

These were missing, but odhcpd is now handing out addresses correctly, so I'm leaving them untouched.

hnyman wrote:

/etc/config/firewall
- add an IPv4 rule to accept protocol 41 (= 6in4 encapsulation) from the local Henet tunnel endpoint (my ISP's endpoint below)

config rule
        option target 'ACCEPT'
        option name 'HEnet IPv6'
        option src 'wan'
        option src_ip '216.66.80.90'
        option proto '41'

This part is missing, but as mentioned, I don't think this is necessary. For reference, my firewall config looks like this:

root@Router:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

I'm not sure what the rule for udp:500 is (it was in there by default so I've not touched it).
The icmp6 packet I'm getting back from the router reads:

Frame 2: 174 bytes on wire (1392 bits), 174 bytes captured (1392 bits) on interface 0
Ethernet II, Src: Tp-LinkT_05:41:10 (c4:e9:84:05:41:10), Dst: AsustekC_96:1a:8b (74:d0:2b:96:1a:8b)
Internet Protocol Version 6, Src: 2001:470:1f16:174::2, Dst: 2001:470:1f16:174:45c6:a6b6:6662:dd32
Internet Control Message Protocol v6
    Type: Destination Unreachable (1)
    Code: 5 (Source address failed ingress/egress policy)
    Checksum: 0xaa76 [correct]
    Reserved: 00000000
    Internet Protocol Version 6, Src: 2001:470:1f16:174:45c6:a6b6:6662:dd32, Dst: 2607:f8b0:400f:803::2004
        0110 .... = Version: 6
        .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00 (DSCP: CS0, ECN: Not-ECT)
        .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
        Payload length: 72
        Next header: ICMPv6 (58)
        Hop limit: 1
        Source: 2001:470:1f16:174:45c6:a6b6:6662:dd32
        Destination: 2607:f8b0:400f:803::2004
        [Source GeoIP: Unknown]
        [Destination GeoIP: Unknown]
    Internet Control Message Protocol v6
        Type: Echo (ping) request (128)
        Code: 0
        Checksum: 0x8391 [in ICMP error packet]
        Identifier: 0x0001
        Sequence: 15
        Data (64 bytes)

Anaerin wrote:

Ethernet II, Src: Tp-LinkT_05:41:10 (c4:e9:84:05:41:10), Dst: AsustekC_96:1a:8b (74:d0:2b:96:1a:8b)
Internet Protocol Version 6, Src: 2001:470:1f16:174::2, Dst: 2001:470:1f16:174:45c6:a6b6:6662:dd32

I'm not sure I understand these addresses.  You're running OpenWRT on an x86 router, right?  Is this a TP-Link-branded router?  That's the source in this ICMPv6 error.  Then I guess the destination is an Asus workstation or laptop?  If so, I believe this means it's the OpenWRT router's firewall that is blocking the IPv6 traffic.

I see you have addresses assigned to your Windows client from both assigned subnets:

Temporary IPv6 Address. . . . . . : 2001:470:1f16:174:45c6:a6b6:6662:dd32(Preferred)
Temporary IPv6 Address. . . . . . : 2001:470:3074:0:45c6:a6b6:6662:dd32(Preferred)

I'm not sure this is *wrong* but my on-site he.net IPv6 links are configured differently.  I use the assigned /64 subnet for the LAN side of the gateway router (connected to the ISP) but don't use my assigned /48 on that link at all.  I assign subnets from the /48 to the downstream side of internal non-gateway routers.  This probably doesn't matter but I thought I'd mention it.

Clemmitt

(Last edited by cmsigler on 15 Mar 2016, 23:48)

cmsigler wrote:
Anaerin wrote:
Ethernet II, Src: Tp-LinkT_05:41:10 (c4:e9:84:05:41:10), Dst: AsustekC_96:1a:8b (74:d0:2b:96:1a:8b)
Internet Protocol Version 6, Src: 2001:470:1f16:174::2, Dst: 2001:470:1f16:174:45c6:a6b6:6662:dd32

I'm not sure I understand these addresses.  You're running OpenWRT on an x86 router, right?  Is this a TP-Link-branded router?

It's a TP-Link branded GBe ethernet card in a former desktop PC (The on-board NIC of that PC is the WAN link).

cmsigler wrote:

That's the source in this ICMPv6 error.  Then I guess the destination is an Asus workstation or laptop?  If so, I believe this means it's the OpenWRT router's firewall that is blocking the IPv6 traffic.

Right, the client is an on-board NIC on an ASUS motherboard. So this means the packets are getting to the router and being bounced, rather than bouncing internally.

cmsigler wrote:

I see you have addresses assigned to your Windows client from both assigned subnets:

Temporary IPv6 Address. . . . . . : 2001:470:1f16:174:45c6:a6b6:6662:dd32(Preferred)
Temporary IPv6 Address. . . . . . : 2001:470:3074:0:45c6:a6b6:6662:dd32(Preferred)

I'm not sure this is *wrong* but my on-site he.net IPv6 links are configured differently.  I use the assigned /64 subnet for the LAN side of the gateway router (to ISP) but don't use my assigned /48 on that link at all.  I assign subnets from the /48 to the downstream side of internal non-gateway routers.  This probably doesn't matter but I thought I'd mention it.

I am using (or trying to use) the /48 I've got allocated for clients, ideally with the /64 used for publicly internet-facing services (for example, a web server or similar). Ideally, I would like only addresses from the /48 used for LAN clients.

I myself don't see any obvious problems but I'm still fairly new to the UCI firewall.  I'm more acquainted with good old ip6tables.  Have you done 'ip6tables -nvL --line-numbers' to see the raw rules (although complex)?  Maybe look at packet counters to see which rules are blocking things?  Also -- which you already know -- you could insert '-j LOG' ip6tables rules once you understand the chains/rule numbers to debug.  Wish I saw something obvious.

Clemmitt

cmsigler wrote:

Have you done 'ip6tables -nvL --line-numbers' to see the raw rules (although complex)?  Maybe look at packet counters to see which rules are blocking things?

I have no idea how to read this, but here's the output of the command you specified:

root@Router:~# ip6tables -nvL --line-numbers
Chain INPUT (policy ACCEPT 7 packets, 1214 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    23090 3138K delegate_input  all      *      *       ::/0                 ::/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 delegate_forward  all      *      *       ::/0                 ::/0

Chain OUTPUT (policy ACCEPT 8 packets, 1290 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     234K  140M delegate_output  all      *      *       ::/0                 ::/0

Chain MINIUPNPD (2 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain delegate_forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 forwarding_rule  all      *      *       ::/0                 ::/0                 /* user chain for forwarding */
2        0     0 ACCEPT     all      *      *       ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
3        0     0 zone_lan_forward  all      br-lan *       ::/0                 ::/0
4        0     0 zone_wan_forward  all      eth1   *       ::/0                 ::/0
5        0     0 zone_wan_forward  all      6in4-wan6 *       ::/0                 ::/0
6        0     0 reject     all      *      *       ::/0                 ::/0

Chain delegate_input (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        3   456 ACCEPT     all      lo     *       ::/0                 ::/0
2    23087 3137K input_rule  all      *      *       ::/0                 ::/0                 /* user chain for input */
3    20719 2749K ACCEPT     all      *      *       ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
4      509 39536 syn_flood  tcp      *      *       ::/0                 ::/0                 tcp flags:0x17/0x02
5     1684  333K zone_lan_input  all      br-lan *       ::/0                 ::/0
6        7  1560 zone_wan_input  all      eth1   *       ::/0                 ::/0
7      670 52487 zone_wan_input  all      6in4-wan6 *       ::/0                 ::/0

Chain delegate_output (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        3   456 ACCEPT     all      *      lo      ::/0                 ::/0
2     234K  140M output_rule  all      *      *       ::/0                 ::/0                 /* user chain for output */
3    22007   38M ACCEPT     all      *      *       ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
4     212K  102M zone_lan_output  all      *      br-lan  ::/0                 ::/0
5        8  1636 zone_wan_output  all      *      eth1    ::/0                 ::/0
6      411 34120 zone_wan_output  all      *      6in4-wan6  ::/0                 ::/0

Chain forwarding_lan_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain forwarding_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain forwarding_wan_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain input_lan_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain input_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain input_wan_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain output_lan_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain output_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain output_wan_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain reject (5 references)
num   pkts bytes target     prot opt in     out     source               destination
1      509 39536 REJECT     tcp      *      *       ::/0                 ::/0                 reject-with tcp-reset
2      167 14407 REJECT     all      *      *       ::/0                 ::/0                 reject-with icmp6-port-unreachable

Chain syn_flood (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1      509 39536 RETURN     tcp      *      *       ::/0                 ::/0                 tcp flags:0x17/0x02 limit: avg 25/sec burst 50
2        0     0 DROP       all      *      *       ::/0                 ::/0

Chain zone_lan_dest_ACCEPT (4 references)
num   pkts bytes target     prot opt in     out     source               destination
1     212K  102M ACCEPT     all      *      br-lan  ::/0                 ::/0

Chain zone_lan_forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 forwarding_lan_rule  all      *      *       ::/0                 ::/0                 /* user chain for forwarding */
2        0     0 zone_wan_dest_ACCEPT  all      *      *       ::/0                 ::/0                 /* forwarding lan -> wan */
3        0     0 zone_lan_dest_ACCEPT  all      *      *       ::/0                 ::/0

Chain zone_lan_input (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1     1684  333K input_lan_rule  all      *      *       ::/0                 ::/0                 /* user chain for input */
2     1684  333K zone_lan_src_ACCEPT  all      *      *       ::/0                 ::/0

Chain zone_lan_output (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1     212K  102M output_lan_rule  all      *      *       ::/0                 ::/0                 /* user chain for output */
2     212K  102M zone_lan_dest_ACCEPT  all      *      *       ::/0                 ::/0

Chain zone_lan_src_ACCEPT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1     1684  333K ACCEPT     all      br-lan *       ::/0                 ::/0

Chain zone_wan_dest_ACCEPT (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        8  1636 ACCEPT     all      *      eth1    ::/0                 ::/0
2      411 34120 ACCEPT     all      *      6in4-wan6  ::/0                 ::/0

Chain zone_wan_dest_REJECT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 reject     all      *      eth1    ::/0                 ::/0
2        0     0 reject     all      *      6in4-wan6  ::/0                 ::/0

Chain zone_wan_forward (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MINIUPNPD  all      *      *       ::/0                 ::/0
2        0     0 MINIUPNPD  all      *      *       ::/0                 ::/0
3        0     0 forwarding_wan_rule  all      *      *       ::/0                 ::/0                 /* user chain for forwarding */
4        0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 128 limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Forward */
5        0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 129 limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Forward */
6        0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 1 limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Forward */
7        0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 2 limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Forward */
8        0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 3 limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Forward */
9        0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 4 code 0 limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Forward */
10       0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 4 code 1 limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Forward */
11       0     0 zone_lan_dest_ACCEPT  esp      *      *       ::/0                 ::/0                 /* @rule[7] */
12       0     0 zone_lan_dest_ACCEPT  udp      *      *       ::/0                 ::/0                 udp dpt:500 /* @rule[8] */
13       0     0 zone_wan_dest_REJECT  all      *      *       ::/0                 ::/0

Chain zone_wan_input (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1      677 54047 input_wan_rule  all      *      *       ::/0                 ::/0                 /* user chain for input */
2        0     0 ACCEPT     udp      *      *       fe80::/10            fe80::/10            udp spt:547 dpt:546 /* Allow-DHCPv6 */
3        0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 130 code 0 /* Allow-MLD */
4        0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 131 code 0 /* Allow-MLD */
5        0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 132 code 0 /* Allow-MLD */
6        0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0                 ipv6-icmptype 143 code 0 /* Allow-MLD */
7        1   104 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 128 limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
8        0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 129 limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
9        0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 1 limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
10       0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 2 limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
11       0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 3 limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
12       0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 4 code 0 limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
13       0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 4 code 1 limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
14       0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 133 limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
15       0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 135 limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
16       0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 134 limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
17       0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 136 limit: avg 1000/sec burst 5 /* Allow-ICMPv6-Input */
18     676 53943 zone_wan_src_REJECT  all      *      *       ::/0                 ::/0

Chain zone_wan_output (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1      419 35756 output_wan_rule  all      *      *       ::/0                 ::/0                 /* user chain for output */
2      419 35756 zone_wan_dest_ACCEPT  all      *      *       ::/0                 ::/0

Chain zone_wan_src_REJECT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        7  1560 reject     all      eth1   *       ::/0                 ::/0
2      669 52383 reject     all      6in4-wan6 *       ::/0                 ::/0

Does that help any? I've not touched this at all, so this is all Chaos Calmer OOTB settings.

Hi,

Anaerin wrote:

Does that help any?

OpenWRT has a well designed firewall system.  Therefore, it's impossible for me to grok ;)

If you're willing to go further, try this.

1.) Make sure the firewall is "quiet" for IPv6 traffic (not used by others so unrelated traffic won't get mixed in).
2.) Run this command and save the output to a temporary text file.
3.) Do some IPv6 pings or HTTP connects to IPv6-only websites (ipv6.google.com) which the firewall blocks.
4.) Run the command again and save the output to a second text file.
5.) Use a diff tool or text editor windows to compare the outputs.
6.) Look for changes in the counter columns (pkts and bytes).
7.) This will show you which "REJECT" or "DROP" rule(s) is blocking your traffic.

It might be confusing because so many of these rules jump (chain) from one chain to another and then back.  It hurts my brain :P  Again, my supposition is that there's a stray IPv6 firewall rule blocking stuff that shouldn't be there.  HTH.

Clemmitt
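
The before/after counter comparison from steps 2 to 7 above can be scripted. This is an added example, not code from anyone in the thread: it parses two saved `ip6tables -nvL --line-numbers` listings and reports the rules whose packet counters grew. The BEFORE counters are copied from the listing posted above; the AFTER counters are invented for illustration.

```python
import re

# Constructed snapshots of `ip6tables -nvL --line-numbers`, trimmed to three
# chains. BEFORE counters are copied from the listing in this thread; the
# AFTER counters are invented to illustrate the comparison.
HEADER = "num   pkts bytes target     prot opt in     out     source   destination\n"
BEFORE = (
    "Chain FORWARD (policy DROP 0 packets, 0 bytes)\n" + HEADER +
    "1        0     0 delegate_forward  all      *      *       ::/0   ::/0\n"
    "\n"
    "Chain reject (5 references)\n" + HEADER +
    "1      509 39536 REJECT     tcp      *      *       ::/0   ::/0   reject-with tcp-reset\n"
    "2      167 14407 REJECT     all      *      *       ::/0   ::/0   reject-with icmp6-port-unreachable\n"
    "\n"
    "Chain zone_wan_src_REJECT (1 references)\n" + HEADER +
    "1        7  1560 reject     all      eth1   *       ::/0   ::/0\n"
    "2      669 52383 reject     all      6in4-wan6 *       ::/0   ::/0\n"
)
AFTER = BEFORE.replace("167 14407", "171 14823").replace("669 52383", "673 52799")

# Large counters are abbreviated in this listing format (e.g. 212K), which
# hides small deltas; taking the snapshots with -x prints exact values.
UNITS = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}
RULE = re.compile(r"^(\d+)\s+(\d+)([KMGT]?)\s+(\d+)([KMGT]?)\s+(\S+)\s+(.*)$")


def parse(listing):
    """Map (chain, rule number) -> (packet count, target, match text)."""
    rules, chain = {}, None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = RULE.match(line.strip())
        if m and chain:
            num, pkts, unit, _bytes, _bunit, target, rest = m.groups()
            rules[(chain, int(num))] = (int(pkts) * UNITS[unit], target,
                                        " ".join(rest.split()))
    return rules


def counter_deltas(before, after):
    """Rules whose packet counter grew between the two snapshots."""
    old, new = parse(before), parse(after)
    hits = []
    for (chain, num), (pkts, target, rest) in new.items():
        delta = pkts - old.get((chain, num), (0,))[0]
        if delta > 0:
            hits.append((chain, num, target, delta, rest))
    return sorted(hits)


def blocking(hits):
    """Keep only rules that terminate a packet: REJECT or DROP targets."""
    return [h for h in hits if h[2] in ("REJECT", "DROP")]


if __name__ == "__main__":
    for chain, num, target, delta, rest in counter_deltas(BEFORE, AFTER):
        print(f"{chain}:{num} -> {target} +{delta} pkts  {rest}")
```

The rules that jump to another chain (here `zone_wan_src_REJECT` rule 2) show which path the packets took to reach the terminating REJECT rule, which is the part that is hard to follow by eye.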

Hi There,

There's a couple of things which may be right, but look wrong.

1) Your use of addressing. End station networks (where your Windows machine is) should always be a /64. Trying to make it otherwise will cause you nothing but problems. With an HE tunnel, you should have a network diagram something like this:

WAN--------------------> router ---------------->LAN
2001:db8:1:1::2/64               2001:db8:1:2::2/64

When using static provisioning from HE, you have to decide which /64 of the /48 they gave you to use for your LAN.

2) Thanks for the ip6tables output. It takes a bit to wrap your head around ip6tables. What concerns me is that zero packets are being forwarded at all:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 delegate_forward  all      *      *       ::/0                 ::/0

When I look at my Buffalo router you can see it is forwarding lots of packets:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     891K  654M delegate_forward  all      *      *       ::/0                 ::/0    

           

Perhaps you provided this already, but can you show your routing table on the router, using 'ip -6 route'?

The lack of forwarding could be the /48 issue, or it could be a routing table issue.

cvmiller wrote:

1) Your use of addressing. End station networks (where your Windows machine is) should always be a /64.

2) What concerns me is that Zero packets are being forwarded at all:

Perhaps you provided this already, but can you show your routing table on the router? using 'ip -6 route'

The lack of forwarding could be the /48 issue, or it could be a routing table issue.

Ditto! ;)  TIA.

Clemmitt

P.S.: Yeah, I'm starting to convince myself the problem is this:

/etc/config/network:

config interface 'wan6'
        ...
        option ip6prefix '2001:470:3074::/48'

which is OK but you're missing this:

config interface 'lan'
        ...
        option ip6hint 0

so the LAN link subnet isn't a /64 but is instead both a /64 and a /48.  The firewall probably isn't configured to pass traffic with such an address scheme.  HTH.

(Last edited by cmsigler on 16 Mar 2016, 02:10)

cvmiller wrote:

Perhaps you provided this already, but can you show your routing table on the router? using 'ip -6 route'

The lack of forwarding could be the /48 issue, or it could be a routing table issue.

So far, that's something that hasn't been asked for. So here you go:

root@Router:~# ip -6 route
default from 2001:470:1f16:174::2 dev 6in4-wan6  proto static  metric 1024
default from 2001:470:3074::/48 dev 6in4-wan6  proto static  metric 1024
2001:470:1f16:174::2 dev 6in4-wan6  proto kernel  metric 256
2001:470:1f16:174::/64 dev br-lan  proto kernel  metric 256
2001:470:3074::1 dev br-lan  proto static  metric 1024
2001:470:3074::/64 dev br-lan  proto static  metric 1024
unreachable 2001:470:3074::/48 dev lo  proto static  metric 2147483647  error -101
fd56:da3:9c31::1 dev br-lan  proto static  metric 1024
fd56:da3:9c31::/64 dev br-lan  proto static  metric 1024
unreachable fd56:da3:9c31::/48 dev lo  proto static  metric 2147483647  error -101
fe80::/64 dev ifb0  proto kernel  metric 256
fe80::/64 dev br-lan  proto kernel  metric 256
fe80::/64 dev eth1  proto kernel  metric 256
fe80::/64 dev 6in4-wan6  proto kernel  metric 256

And as suggested, I've added ip6hint 0.

Anaerin wrote:
root@Router:~# ip -6 route
default from 2001:470:1f16:174::2 dev 6in4-wan6  proto static  metric 1024
default from 2001:470:3074::/48 dev 6in4-wan6  proto static  metric 1024

These default routes have nowhere to go -- there is no 'via fe80::aabb:ccff:fedd:eeff'.  So the routing is messed up?  Thanks to cvmiller for asking for this info.

P.S.: Unless this is how the tunnel is supposed to work.  Let me check my he.net site tunnel...

No, 'via what:ever::1' doesn't appear to be needed for a he.net tunnel.  Sorry for the noise.

Have you rebooted the router after applying the last changes you made?  Any help?  Honestly, I'm much better at hand configuration.  UCI is a professional quality system, but confusing if you're used to the do-it-yourself, Linux-from-Scratch method.

Clemmitt

(Last edited by cmsigler on 16 Mar 2016, 02:47)

I also see the same subnet being used on the WAN & LAN sides, so the router will not route.

2001:470:1f16:174::2 dev 6in4-wan6  proto kernel  metric 256
2001:470:1f16:174::/64 dev br-lan  proto kernel  metric 256

A router _must_ have different subnets for it to route. It looks to me that you have 2001:470:1f16:174:: assigned to both 6in4-wan6 AND br-lan. This would explain why no packets are hitting the FORWARD filter in ip6tables.

I only have a /64 from HE, but looking at similar lines in my routing table:

2001:470:1c:583::/64 dev 6in4-henet  proto static  metric 5000 
2001:470:1d:583::/64 dev br-lan  proto static  metric 1024 

As you can see one is 1c and the other is 1d, therefore they are different prefixes.

Hope this helps.
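
The same-prefix check described in the post above, as an added example that is not code from anyone in the thread: it reads `ip -6 route` output and lists on-link prefixes that overlap across two different devices. POSTED is a subset of the routing table posted earlier in this thread; DISTINCT is the two-line table from the post above.

```python
import ipaddress

# Subset of the `ip -6 route` output posted earlier in this thread.
POSTED = """\
default from 2001:470:1f16:174::2 dev 6in4-wan6  proto static  metric 1024
default from 2001:470:3074::/48 dev 6in4-wan6  proto static  metric 1024
2001:470:1f16:174::2 dev 6in4-wan6  proto kernel  metric 256
2001:470:1f16:174::/64 dev br-lan  proto kernel  metric 256
2001:470:3074::1 dev br-lan  proto static  metric 1024
2001:470:3074::/64 dev br-lan  proto static  metric 1024
unreachable 2001:470:3074::/48 dev lo  proto static  metric 2147483647  error -101
fe80::/64 dev br-lan  proto kernel  metric 256
fe80::/64 dev 6in4-wan6  proto kernel  metric 256
"""

# The two routes quoted in the post above, where WAN and LAN prefixes differ.
DISTINCT = """\
2001:470:1c:583::/64 dev 6in4-henet  proto static  metric 5000
2001:470:1d:583::/64 dev br-lan  proto static  metric 1024
"""


def connected_routes(table):
    """Yield (network, device) for on-link routes, skipping link-local ones."""
    for line in table.splitlines():
        tok = line.split()
        if not tok or tok[0] in ("default", "unreachable"):
            continue
        if "dev" not in tok or "via" in tok:
            continue
        # A destination without a prefix length is a /128 host route.
        net = ipaddress.ip_network(tok[0], strict=False)
        if not net.is_link_local:
            yield net, tok[tok.index("dev") + 1]


def shared_prefixes(table):
    """Pairs of on-link routes on different devices whose prefixes overlap."""
    routes = list(connected_routes(table))
    found = []
    for i, (net_a, dev_a) in enumerate(routes):
        for net_b, dev_b in routes[i + 1:]:
            if dev_a != dev_b and net_a.overlaps(net_b):
                found.append((str(net_a), dev_a, str(net_b), dev_b))
    return found


if __name__ == "__main__":
    for net_a, dev_a, net_b, dev_b in shared_prefixes(POSTED):
        print(f"{net_a} on {dev_a} overlaps {net_b} on {dev_b}")
    print("distinct table overlaps:", shared_prefixes(DISTINCT))
```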

cvmiller is of course right.  Thank you :)  On the tunnelbroker.net website, what are your tunnel values for:

Server IPv6 Address:
Client IPv6 Address:

Routed /64:
Routed /48:

You might want to change them a bit to protect the innocent IPv6 subnets ;)

Sorry this is dragging on so.  For me, it's really hard to identify these problems when you're not sitting in front of the systems in question.

Clemmitt

Clemmitt,

My head is getting big here with all your compliments ;-)

I agree, it can be difficult to troubleshoot remotely. I think, for ease of support, this is why ISPs have gone with DHCPv6-PD (which OpenWRT supports quite well).

Craig...