Drop-In Gateway: how to make it ipv6 aware

Hello,

I own an MT-2500 and it has to cooperate with a router of my ISP that provides full ipv6. This is an ipv6 learning project and I already learnt a lot about it. But now I am a bit stuck, maybe someone can give me a hint. By the way, I am also able to configure through LuCI.

I have already set up the MT2500 successfully in router mode (WAN in the local network 192.168.178.0/8, LAN DHCP-served 192.168.8.0/8). VPN via wireguard/hide.me, ipv6 is switched off. One client gets ipv4 via dhcp from 192.168.8.0, no leaks (presents to the outside as pure ipv4; the DNS server seems to be the one from hide.me).

Then I re-configured the MT-2500 as Drop-In Gateway with some devices served, connected the client to the 192.168.178.0 network and manually set it up to use the MT-2500 as gateway. Works on ipv4, but ipv6 uses the ISP ipv6 connection directly. The client receives ipv6 addresses and DNS server from the ISP router.

What next steps would you recommend? I think there are two issues:

(1) set a route so that ipv6 traffic will be routed through the VPN tunnel
(2) set up a DHCPv6 server on WAN so that I "overwrite" IPv6 addresses and DNSv6 addresses

Some info on the current non-ipv6 drop-in gateway setup:

Current ipv4 route

default via 192.168.178.1 dev eth0 proto static metric 10 
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1 linkdown 
192.168.178.0/24 dev eth0 proto static scope link metric 10 

This is the ipv6 route when ipv6 is switched on:

default from 2a04:4540:7402:b00::/64 via fe80::464e:6dff:fede:92de dev eth0 proto static metric 512 pref medium
2a04:4540:7402:b00::/56 from 2a04:4540:7402:b00::/64 via fe80::464e:6dff:fede:92de dev eth0 proto static metric 512 pref medium
2a04:4540:7402:b00::/64 dev eth0 proto static metric 256 pref medium
unreachable 2a04:4540:7402:b00::/64 dev lo proto static metric 2147483647 pref medium
fd00:6968:6564:4be::a89:7c52 dev wgclient proto kernel metric 256 pref medium
unreachable fdad:c7ed:22e7::/48 dev lo proto static metric 2147483647 pref medium
default via fe80::464e:6dff:fede:92de dev eth0 proto ra metric 1024 expires 1765sec mtu 1492 hoplimit 255 pref medium

So regarding (1), if I understood correctly, maybe the only problem is that the metric of the default route through the VPN tunnel is 1024 > 512 for the default route in the first line... but even then I haven't found out where it is set this way.

Regarding (2) I am stuck a little bit as well. It seems ipv6 is a bit more flexible with the number of DHCPv6 providers and methods to get addresses (although I mainly want to serve router and DNS server addresses; in the end I don't care what ipv6 address the clients will have).

Thanks for any thoughts on this one. I know it is at the border of GL.iNet and OpenWrt, therefore I try it on both forums :)

BR,
Carsten.

The issue is not the metric, the issue is that there are two default routes.
One system, one default.

To be honest, I am not that familiar with IPv6 yet. Even the metric seems unnecessarily high in my opinion. But I really hope they have not changed the network stack to allow two default routes... This will lead to many problems.

Edit: A quick Google search says it is a rather common issue if the default route is set by PPPoE and DHCP, or by DHCP and RA...
But the router can't decide where to route all unknown packets; that is not a reliable state.

This seems not correct. If you are using a /8 netmask, both WAN and LAN will be in the same subnet.

You are right, my mistake. I meant /24 in both cases. BR, C.

Referring to the IPV4 configuration of the router UI, I think the only thing that needs to be done is to configure an IPV6 static address for the WAN port. But in DROP-IN mode, our UI does not support the input of IPV6 static addresses; you can try LuCI or configure it through SSH.

OK, I am a step further now. After trying to understand @radishman's comment, I think it is necessary to let the WAN interface be integrated into the network built by my ISP's router. As said, this is ipv6 aware. So I started with a clean setup and could use DHCPv6 of the ISP router:

  • accessed through LAN and set up WAN with ipv4 and ipv6 via DHCP in the UI
  • certainly I had to enable Network/IPV6 for this
  • added a Wireguard VPN connection, which receives ipv4 and ipv6 addresses/router addresses
  • enabled drop-in gateway with the "some clients" option
  • manually set ipv4 in the client with a static address and gateway = ipv4 of the MT-2500
  • set ipv6 to automatic (it seems to get an address with the same prefix as the ISP provided)

As a result, ipv4 and ipv6 traffic was correctly routed on the MT-2500 command line itself through the VPN tunnel, as hide.me provides full ipv6 support. I checked that with traceroute and traceroute6 to google.com and saw that the hops run through the tunnel.

On the client, ipv4 worked well (meaning tunneled through the VPN), but ipv6 was still running through the ISP's router. On a Mac the default router for ipv6 is hard to see, but when I run traceroute6 and the ISP's router is the first hop, we know it is wrong. In order to fix that, I configured:

  • RA on WAN DHCPv6 in server mode
  • RA no flags for the time being, DNS will be a later subject
  • as the MT-2500 still wasn't used by the client for ipv6, I set preference of ISP's router RA to low

Now I can see that ipv4 still works and that ipv6 is routed through the MT-2500, which, in theory, reaches google.com via VPN on the command line, but it will not work on my client. I guess it is a firewall issue, as WAN -> blocked. No idea why this is not happening with ipv4.

As I am even more of a newbie on firewalls than on ipv6, I need some more hints. After that I most probably need to take care of DNS, so that it is provided by the MT-2500/DHCPv6 server, but we will see.

Thanks for reading all this and helping me,
Carsten.

Whether IPV4 or IPV6, there is usually no need to modify the routing rules; you only need to allow forwarding in the firewall for WAN->WAN or WAN->VPN.
On the DHCP side, you may need to distribute the IP address of the MT2500 WAN port as gateway and DNS to DHCP clients on the LAN.
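As an added illustration of the forwarding check described above (example code, not from the thread, GL.iNet or OpenWrt): a small Python script that parses `uci show firewall` output in the format posted later in the thread and reports how traffic arriving on the wan zone and leaving through the wgclient zone is treated; with no wan->wgclient forwarding section, only the ICMPv6 rule passes and everything else falls to the REJECT default. The zone semantics are the standard OpenWrt ones as I understand them, and the sample dump is a constructed excerpt.

```python
"""Added example (not code from the thread, GL.iNet or OpenWrt): parse a
`uci show firewall` dump and decide how traffic forwarded between two zones
is treated. Assumed OpenWrt semantics: a zone's `forward` option covers traffic
between interfaces of the same zone, inter-zone traffic needs an enabled
`forwarding` section or an explicit ACCEPT `rule`, else `defaults.forward`."""
import shlex

# Constructed excerpt, in the format of the `uci show firewall` output posted
# later in the thread, with the zones/forwardings/rules that matter here.
SAMPLE = """\
firewall.@defaults[0]=defaults
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].forward='REJECT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[0].enabled='0'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Forward'
firewall.@rule[5].src='wan'
firewall.@rule[5].dest='*'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.wgclient=zone
firewall.wgclient.name='wgclient'
firewall.wgclient.forward='DROP'
firewall.wgclient2wan=forwarding
firewall.wgclient2wan.src='wgclient'
firewall.wgclient2wan.dest='wan'
firewall.lan2wgclient=forwarding
firewall.lan2wgclient.src='lan'
firewall.lan2wgclient.dest='wgclient'
"""


def parse_uci(text):
    """Return {section: {'.type': type, option: [values, ...]}}."""
    sections = {}
    for line in filter(str.strip, text.splitlines()):
        key, _, value = line.partition('=')
        _, _, rest = key.partition('.')              # drop the 'firewall.' package prefix
        sect, _, option = rest.partition('.')
        if not option:                               # 'firewall.x=zone' declares a section
            sections[sect] = {'.type': value}
        else:                                        # "opt='a' 'b'" is a (list) option
            sections.setdefault(sect, {})[option] = shlex.split(value)
    return sections


def forward_verdict(sections, src, dest, family='ipv6', proto='tcp'):
    """(verdict, reason) for traffic entering zone src and leaving via zone dest."""
    zones = {s['name'][0]: s for s in sections.values() if s.get('.type') == 'zone'}
    if src == dest:                                  # intra-zone: the zone's own policy
        return zones[src].get('forward', ['REJECT'])[0], 'zone forward policy'
    for name, s in sections.items():
        if (s.get('.type') == 'forwarding' and s.get('enabled', ['1'])[0] != '0'
                and s['src'][0] == src and s['dest'][0] == dest):
            return 'ACCEPT', f'forwarding section {name}'
    for s in sections.values():
        if s.get('.type') != 'rule' or s.get('target', [''])[0] != 'ACCEPT':
            continue
        if s.get('enabled', ['1'])[0] in ('0', 'false'):
            continue
        if s.get('src', [''])[0] != src or s.get('dest', [''])[0] not in (dest, '*'):
            continue
        if s.get('family', ['any'])[0] not in ('any', family):
            continue
        protos = s.get('proto', ['all'])
        if 'all' not in protos and proto not in protos:
            continue
        return 'ACCEPT', f"rule {s['name'][0]} (only {proto}/{family})"
    defaults = next(s for s in sections.values() if s.get('.type') == 'defaults')
    return defaults.get('forward', ['REJECT'])[0], 'firewall defaults'


def uci_add_forwarding(src, dest):
    """Commands that would open src->dest forwarding, as suggested above."""
    name = f'{src}2{dest}'                           # naming style used in the dump
    return [f'uci set firewall.{name}=forwarding',
            f'uci set firewall.{name}.src={src}',
            f'uci set firewall.{name}.dest={dest}',
            'uci commit firewall',
            '/etc/init.d/firewall reload']


if __name__ == '__main__':
    cfg = parse_uci(SAMPLE)
    for src, dest in (('lan', 'wgclient'), ('wan', 'wgclient'), ('wan', 'wan')):
        print(f'{src}->{dest}:', *forward_verdict(cfg, src, dest))
    if forward_verdict(cfg, 'wan', 'wgclient')[0] != 'ACCEPT':
        print('\n'.join(uci_add_forwarding('wan', 'wgclient')))
```

Run against the real dump with `uci show firewall > fw.txt` and `parse_uci(open('fw.txt').read())` to check the same zone pairs on the device.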

Sorry, I have now tried for several days to find out what the problem is, but there is still no connection from the client to e.g. google.com via ipv6, although the MT2500 is the router of the client and the MT2500 is able to reach google.com via ipv6. Some more information:

uci show network

network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd10:74ca:XXXX::/48'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='eth1'
network.@device[0].macaddr='94:83:c4:2f:XX:XX'
network.@device[1]=device
network.@device[1].name='eth1'
network.@device[1].macaddr='94:83:c4:2f:XX:XX'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='192.168.8.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.isolate='0'
network.lan.ip6hint='0000'
network.lan.ip6ifaceid='::1'
network.lan.ip6class='wan6' 'wwan6' 'tethering6' 'modem_2_1_6' 'modem_1_1_6'
network.@device[2]=device
network.@device[2].name='eth0'
network.@device[2].macaddr='94:83:c4:2f:XX:XX'
network.wan_ori=interface
network.wan_ori.device='eth0'
network.wan_ori.force_link='0'
network.wan_ori.classlessroute='0'
network.wan_ori.metric='10'
network.wan_ori.ipv6='1'
network.wan_ori.proto='static'
network.wan_ori.ipaddr='192.168.178.11'
network.wan_ori.gateway='192.168.178.1'
network.wan_ori.vlanid='0'
network.wan_ori.netmask='255.255.255.0'
network.wan_ori.peerdns='0'
network.wan_ori.dns='192.168.178.1'
network.wan_ori.disabled='1'
network.wan6=interface
network.wan6.proto='dhcpv6'
network.wan6.device='@wan'
network.wan6.disabled='0'
network.tethering6=interface
network.tethering6.device='@tethering'
network.tethering6.proto='dhcpv6'
network.tethering6.disabled='0'
network.wwan6=interface
network.wwan6.device='@wwan'
network.wwan6.proto='dhcpv6'
network.wwan6.disabled='0'
network.modem_1_1_2_6=interface
network.modem_1_1_2_6.proto='dhcpv6'
network.modem_1_1_2_6.disabled='0'
network.modem_1_1_2_6.device='@modem_1_1_2'
network.policy_direct_rt=rule
network.policy_direct_rt.lookup='main'
network.policy_direct_rt.suppress_prefixlength='0'
network.policy_direct_rt.priority='1100'
network.policy_default_rt_vpn=rule
network.policy_default_rt_vpn.mark='0x8000/0xc000'
network.policy_default_rt_vpn.lookup='8000'
network.policy_default_rt_vpn.priority='1101'
network.policy_default_rt_vpn.invert='1'
network.policy_direct_rt6=rule6
network.policy_direct_rt6.lookup='main'
network.policy_direct_rt6.suppress_prefixlength='0'
network.policy_direct_rt6.priority='1100'
network.policy_default_rt_vpn6=rule6
network.policy_default_rt_vpn6.mark='0x8000/0xc000'
network.policy_default_rt_vpn6.lookup='8000'
network.policy_default_rt_vpn6.priority='1101'
network.policy_default_rt_vpn6.invert='1'
network.policy_default_rt_vpn_ts=rule
network.policy_default_rt_vpn_ts.lookup='main'
network.policy_default_rt_vpn_ts.priority='1099'
network.policy_default_rt_vpn_ts.mark='0x80000/0xc0000'
network.policy_default_rt_vpn_ts.invert='0'
network.wgclient=interface
network.wgclient.proto='wgclient'
network.wgclient.config='peer_32070'
network.wgclient.disabled='0'
network.wan=interface
network.wan.device='eth0'
network.wan.proto='static'
network.wan.ipaddr='192.168.178.11'
network.wan.gateway='192.168.178.1'
network.wan.netmask='255.255.255.0'
network.wan.peerdns='0'
network.wan.force_link='0'
network.wan.metric='10'
network.wan.dns='192.168.178.1'

uci show | grep peer_32070

wireguard.peer_32070=peers
wireguard.peer_32070.group_id='8384'
wireguard.peer_32070.name='hideme_de'
wireguard.peer_32070.listen_port='0'
wireguard.peer_32070.hostname='de-v4.hideservers.net'
wireguard.peer_32070.allowed_ips='0.0.0.0/0,::/0'
wireguard.peer_32070.ipv6_enable='0'
wireguard.peer_32070.presharedkey_enable='1'
wireguard.peer_32070.local_access='0'
wireguard.peer_32070.masq='1'
wireguard.peer_32070.persistent_keepalive='20'
wireguard.peer_32070.private_key='XXX'
wireguard.peer_32070.public_key='XXX'
wireguard.peer_32070.preshared_key='XXX'
wireguard.peer_32070.end_point='193.118.XX.XX:432'
wireguard.peer_32070.address_v4='10.137.XX.XX'
wireguard.peer_32070.address_v6='fd00:6968:6564:4cf::a89:XXXX'
wireguard.peer_32070.dns='10.137.XX.XX,fd00:6968:6564:XXXX::1'

uci show firewall

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6' 'wwan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].input='DROP'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[0].enabled='0'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-IGMP'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='igmp'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-DHCPv6'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='udp'
firewall.@rule[2].dest_port='546'
firewall.@rule[2].family='ipv6'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-MLD'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='icmp'
firewall.@rule[3].src_ip='fe80::/10'
firewall.@rule[3].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-ICMPv6-Input'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[4].limit='1000/sec'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Forward'
firewall.@rule[5].src='wan'
firewall.@rule[5].dest='*'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-IPSec-ESP'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='lan'
firewall.@rule[6].proto='esp'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-ISAKMP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].dest_port='500'
firewall.@rule[7].proto='udp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Support-UDP-Traceroute'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest_port='33434:33689'
firewall.@rule[8].proto='udp'
firewall.@rule[8].family='ipv4'
firewall.@rule[8].target='REJECT'
firewall.@rule[8].enabled='false'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.nat6=include
firewall.nat6.path='/etc/firewall.nat6'
firewall.nat6.reload='1'
firewall.dns_vpn=redirect
firewall.dns_vpn.name='dns for vpn'
firewall.dns_vpn.src='lan'
firewall.dns_vpn.src_dport='53'
firewall.dns_vpn.dest='lan'
firewall.dns_vpn.dest_port='1653'
firewall.dns_vpn.mark='!0x8000/0xc000'
firewall.dns_vpn.proto='tcp' 'udp'
firewall.dns_vpn.enabled='1'
firewall.dns_vpn_guest=redirect
firewall.dns_vpn_guest.name='dns for vpn guest'
firewall.dns_vpn_guest.src='guest'
firewall.dns_vpn_guest.src_dport='53'
firewall.dns_vpn_guest.dest='guest'
firewall.dns_vpn_guest.dest_port='1653'
firewall.dns_vpn_guest.mark='!0x8000/0xc000'
firewall.dns_vpn_guest.proto='tcp' 'udp'
firewall.dns_vpn_guest.enabled='1'
firewall.process_mark=rule
firewall.process_mark.name='process_mark'
firewall.process_mark.dest='*'
firewall.process_mark.proto='all'
firewall.process_mark.extra='-m owner --gid-owner 65533'
firewall.process_mark.target='MARK'
firewall.process_mark.set_xmark='0x8000/0xc000'
firewall.process_mark_dns=rule
firewall.process_mark_dns.name='process_mark_dns'
firewall.process_mark_dns.dest='*'
firewall.process_mark_dns.proto='all'
firewall.process_mark_dns.extra='-m owner --gid-owner 453'
firewall.process_mark_dns.target='MARK'
firewall.process_mark_dns.set_xmark='0x8000/0xc000'
firewall.process_explict_vpn=rule
firewall.process_explict_vpn.name='process_explict_vpn'
firewall.process_explict_vpn.dest='*'
firewall.process_explict_vpn.proto='all'
firewall.process_explict_vpn.extra='-m owner --gid-owner 20000'
firewall.process_explict_vpn.target='MARK'
firewall.process_explict_vpn.set_xmark='0x20000/0x20000'
firewall.wan_in_conn_mark=rule
firewall.wan_in_conn_mark.name='wan_in_conn_mark'
firewall.wan_in_conn_mark.src='wan'
firewall.wan_in_conn_mark.dest='*'
firewall.wan_in_conn_mark.set_xmark='0x8000/0xc000'
firewall.wan_in_conn_mark.target='MARK'
firewall.wan_in_conn_mark.extra='-m mark --mark 0x0/0x3f00 -j CONNMARK --set-xmark 0x8000/0xc000'
firewall.wan_in_conn_mark.enabled='1'
firewall.lan_in_conn_mark_restore=rule
firewall.lan_in_conn_mark_restore.name='lan_in_conn_mark_restore'
firewall.lan_in_conn_mark_restore.src='lan'
firewall.lan_in_conn_mark_restore.dest='*'
firewall.lan_in_conn_mark_restore.set_xmark='0x8000/0xc000'
firewall.lan_in_conn_mark_restore.target='MARK'
firewall.lan_in_conn_mark_restore.extra='-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark'
firewall.lan_in_conn_mark_restore.enabled='1'
firewall.out_conn_mark_restore=rule
firewall.out_conn_mark_restore.name='out_conn_mark_restore'
firewall.out_conn_mark_restore.dest='*'
firewall.out_conn_mark_restore.set_xmark='0x8000/0xc000'
firewall.out_conn_mark_restore.target='MARK'
firewall.out_conn_mark_restore.extra='-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark'
firewall.out_conn_mark_restore.enabled='1'
firewall.swap_wan_in_conn_mark=include
firewall.swap_wan_in_conn_mark.type='script'
firewall.swap_wan_in_conn_mark.reload='1'
firewall.swap_wan_in_conn_mark.path='/etc/firewall.swap_wan_in_conn_mark.sh'
firewall.swap_wan_in_conn_mark.enabled='1'
firewall.glblock=include
firewall.glblock.type='script'
firewall.glblock.path='/usr/bin/gl_block.sh'
firewall.glblock.reload='1'
firewall.vpn_server_policy=include
firewall.vpn_server_policy.type='script'
firewall.vpn_server_policy.path='/etc/firewall.vpn_server_policy.sh'
firewall.vpn_server_policy.reload='1'
firewall.vpn_server_policy.enabled='1'
firewall.glipv6_guest_dhcp=rule
firewall.glipv6_guest_dhcp.name='Allow-DHCP-IPV6'
firewall.glipv6_guest_dhcp.src='guest'
firewall.glipv6_guest_dhcp.target='ACCEPT'
firewall.glipv6_guest_dhcp.proto='udp'
firewall.glipv6_guest_dhcp.dest_port='546:547'
firewall.glipv6_guest_dhcp.family='ipv6'
firewall.glipv6_guest_icmp=rule
firewall.glipv6_guest_icmp.name='Allow-ICMP-IPV6'
firewall.glipv6_guest_icmp.src='guest'
firewall.glipv6_guest_icmp.target='ACCEPT'
firewall.glipv6_guest_icmp.proto='icmp'
firewall.glipv6_guest_icmp.dest_port='58'
firewall.glipv6_guest_icmp.family='ipv6'
firewall.wgclient=zone
firewall.wgclient.name='wgclient'
firewall.wgclient.forward='DROP'
firewall.wgclient.output='ACCEPT'
firewall.wgclient.mtu_fix='1'
firewall.wgclient.network='wgclient'
firewall.wgclient.enabled='1'
firewall.wgclient.input='DROP'
firewall.wgclient.masq='1'
firewall.wgclient.masq6='1'
firewall.wgclient2wan=forwarding
firewall.wgclient2wan.src='wgclient'
firewall.wgclient2wan.dest='wan'
firewall.wgclient2wan.enabled='1'
firewall.lan2wgclient=forwarding
firewall.lan2wgclient.src='lan'
firewall.lan2wgclient.dest='wgclient'
firewall.lan2wgclient.enabled='1'
firewall.guest2wgclient=forwarding
firewall.guest2wgclient.src='guest'
firewall.guest2wgclient.dest='wgclient'
firewall.guest2wgclient.enabled='1'

uci show dhcp

dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].ednspacket_max='1232'
dhcp.@dnsmasq[0].rebind_protection='0'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv4='server'
dhcp.lan.ra_slaac='1'
dhcp.lan.force='1'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ndp='disabled'
dhcp.lan.ra_management='0'
dhcp.lan.ra_flags='other-config'
dhcp.lan.ra_default='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore_ori='1'
dhcp.wan.start='2'
dhcp.wan.limit='252'
dhcp.wan.leasetime='43200'
dhcp.wan.force='1'
dhcp.wan.ignore='1'
dhcp.wan.ra_flags='none'
dhcp.wan.ra='server'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
dhcp.@domain[0]=domain
dhcp.@domain[0].name='console.gl-inet.com'
dhcp.@domain[0].ip='192.168.8.1'
dhcp.@domain[1]=domain
dhcp.@domain[1].name='console.gl-inet.com'
dhcp.@domain[1].ip='::ffff:192.168.8.1'

selected output from uci show gl*:

gl-dns.@dns[0]=dns
gl-dns.@dns[0].mode='auto'
gl-dns.@dns[0].override_vpn='1'
glconfig.general=service
glconfig.general.mode='router'
glconfig.general.track_ipv6='2001:4860:4860::8844' '2001:4860:4860::8888' '2620:0:ccd::2' '2620:0:ccc::2'
glconfig.general.track_ip='1.1.1.1' '8.8.8.8' '208.67.222.222' '208.67.220.220'
glconfig.general.inited='1'
glconfig.general.autotimezone='1'
glipv6.globals=globals
glipv6.globals.origin_ula_prefix='fd10:74ca:XXXX::/48'
glipv6.globals.enabled='1'
glipv6.wan=interface
glipv6.wan.interface='wan'
glipv6.wan.addrmode='auto'
glipv6.wan.dnsmode='auto'
glipv6.lan=interface
glipv6.lan.dnsmode='auto'
glipv6.lan.lan_ip6addr='fd10:74ca:XXXX::1/64'
glipv6.lan.mode='native'

It is pingable via ipv4 from the client and routes correctly via wireguard:

traceroute to google.com (142.250.181.206), 64 hops max, 52 byte packets
 1  gl-mt2500 (192.168.178.11)  0.881 ms  0.562 ms  0.553 ms
 2  10.137.XX.XX (10.137.XX.XX)  7.997 ms  7.908 ms  7.793 ms
 3  ...

It is not pingable and gets stuck at the MT2500 when using ipv6:

traceroute6 to google.com (2a00:1450:4005:802::200e) from 2a04:4540:7404:9c00:4163:c15e:8a3c:XXXX, 64 hops max, 12 byte packets
 1  gl-mt2500  0.678 ms  0.624 ms  0.559 ms
 2  gl-mt2500  0.576 ms  0.547 ms  0.586 ms

routes on the client:

netstat -nr -f inet6               
Routing tables

Internet6:
Destination                             Gateway                         Flags           Netif Expire
default                                 fe80::9683:c4ff:fe2f:3878%en0   UGcg              en0       
default                                 fe80::%utun0                    UGcIg           utun0       
default                                 fe80::%utun1                    UGcIg           utun1       
default                                 fe80::%utun2                    UGcIg           utun2       
default                                 fe80::%utun3                    UGcIg           utun3       
default                                 fe80::%utun4                    UGcIg           utun4       
::1                                     ::1                             UHL               lo0       
2a04:4540:7404:9c00::/64                link#8                          UC                en0       
2a04:4540:7404:9c00:c20:359f:94a5:c383  68:5:ca:12:a5:71                UHL               lo0       
2a04:4540:7404:9c00:4163:c15e:8a3c:960a 68:5:ca:12:a5:71                UHL               lo0       
2a04:4540:7404:9c00:9683:c4ff:fe2f:3878 94:83:c4:2f:38:78               UHLWI             en0       
2a04:4540:7404:9c00:f4b8:6579:2e2:a02   link#8                          UHLWI             en0       
fd00::/64                               link#8                          UC                en0       
fd00::fe:f5f5:f31b:4392                 68:5:ca:12:a5:71                UHL               lo0       
fd00::464e:6dff:fede:92de               44:4e:6d:de:92:de               UHLWIi            en0       
fdfa:510a:5e38::/64                     link#8                          UC                en0       
fdfa:510a:5e38:0:8ae:1aa9:ee1a:f1c7     68:5:ca:12:a5:71                UHL               lo0       
fdfa:510a:5e38:0:9683:c4ff:fe2f:3878    94:83:c4:2f:38:78               UHLWI             en0       
fdfa:510a:5e38:1::/64                   link#8                          UC                en0       
fdfa:510a:5e38:1:854:5ac6:c329:9e9d     68:5:ca:12:a5:71                UHL               lo0       
fe80::%lo0/64                           fe80::1%lo0                     UcI               lo0       
fe80::1%lo0                             link#1                          UHLI              lo0       
fe80::%en0/64                           link#8                          UCI               en0       
fe80::1075:6bd5:3268:4c14%en0           68:5:ca:12:a5:71                UHLI              lo0       
fe80::1483:f219:8a78:9e0d%en0           94:c:98:29:8c:93                UHLWIi            en0       
fe80::464e:6dff:fede:92de%en0           44:4e:6d:de:92:de               UHLWIir           en0       
fe80::9683:c4ff:fe2f:3878%en0           94:83:c4:2f:38:78               UHLWIir           en0       
fe80::9683:c4ff:fe2f:3879%en0           94:83:c4:2f:38:79               UHLWI             en0       
fe80::%utun0/64                         fe80::741c:641b:21d:4ff5%utun0  UcI             utun0       
fe80::741c:641b:21d:4ff5%utun0          link#9                          UHLI              lo0       
fe80::%utun1/64                         fe80::8185:3088:4f13:2b24%utun1 UcI             utun1       
fe80::8185:3088:4f13:2b24%utun1         link#10                         UHLI              lo0       
fe80::%utun2/64                         fe80::ce81:b1c:bd2c:69e%utun2   UcI             utun2       
fe80::ce81:b1c:bd2c:69e%utun2           link#11                         UHLI              lo0       
fe80::%utun3/64                         fe80::eefe:90f:fa83:5d11%utun3  UcI             utun3       
fe80::eefe:90f:fa83:5d11%utun3          link#12                         UHLI              lo0       
fe80::%utun4/64                         fe80::46d4:8a1b:f369:a56%utun4  UcI             utun4       
fe80::46d4:8a1b:f369:a56%utun4          link#13                         UHLI              lo0       
ff00::/8                                ::1                             UmCI              lo0       
ff00::/8                                link#8                          UmCI              en0       
ff00::/8                                fe80::741c:641b:21d:4ff5%utun0  UmCI            utun0       
ff00::/8                                fe80::8185:3088:4f13:2b24%utun1 UmCI            utun1       
ff00::/8                                fe80::ce81:b1c:bd2c:69e%utun2   UmCI            utun2       
ff00::/8                                fe80::eefe:90f:fa83:5d11%utun3  UmCI            utun3       
ff00::/8                                fe80::46d4:8a1b:f369:a56%utun4  UmCI            utun4       
ff01::%lo0/32                           ::1                             UmCI              lo0       
ff01::%en0/32                           link#8                          UmCI              en0       
ff01::%utun0/32                         fe80::741c:641b:21d:4ff5%utun0  UmCI            utun0       
ff01::%utun1/32                         fe80::8185:3088:4f13:2b24%utun1 UmCI            utun1       
ff01::%utun2/32                         fe80::ce81:b1c:bd2c:69e%utun2   UmCI            utun2       
ff01::%utun3/32                         fe80::eefe:90f:fa83:5d11%utun3  UmCI            utun3       
ff01::%utun4/32                         fe80::46d4:8a1b:f369:a56%utun4  UmCI            utun4       
ff02::%lo0/32                           ::1                             UmCI              lo0       
ff02::%en0/32                           link#8                          UmCI              en0       
ff02::%utun0/32                         fe80::741c:641b:21d:4ff5%utun0  UmCI            utun0       
ff02::%utun1/32                         fe80::8185:3088:4f13:2b24%utun1 UmCI            utun1       
ff02::%utun2/32                         fe80::ce81:b1c:bd2c:69e%utun2   UmCI            utun2       
ff02::%utun3/32                         fe80::eefe:90f:fa83:5d11%utun3  UmCI            utun3       
ff02::%utun4/32                         fe80::46d4:8a1b:f369:a56%utun4  UmCI            utun4

Any ideas what is the problem?

Best Regards,
Carsten.


@radishman here is something I found in the syslog when restarting WAN. Please note that I have now enabled PD on my ISP router. Note the following line:

Wed Jul 3 14:49:18 2024 kern.err kernel: [11037.037841] ICMPv6: RA: ndisc_router_discovery failed to add default route

Here the log, maybe you see something suspicious.

Wed Jul  3 14:49:18 2024 daemon.notice netifd: Interface 'wan' is now down
Wed Jul  3 14:49:18 2024 daemon.info avahi-daemon[4566]: Withdrawing address record for 2a04:4540:7404:9cfd::1 on eth0.
Wed Jul  3 14:49:18 2024 daemon.info avahi-daemon[4566]: Withdrawing address record for fd10:74ca:2d9c::1 on eth0.
Wed Jul  3 14:49:18 2024 daemon.info avahi-daemon[4566]: Withdrawing address record for 192.168.178.11 on eth0.
Wed Jul  3 14:49:18 2024 daemon.info avahi-daemon[4566]: Leaving mDNS multicast group on interface eth0.IPv4 with address 192.168.178.11.
Wed Jul  3 14:49:18 2024 daemon.info avahi-daemon[4566]: Interface eth0.IPv4 no longer relevant for mDNS.
Wed Jul  3 14:49:18 2024 daemon.warn dnsmasq[15732]: no servers found in /tmp/resolv.conf.d/resolv.conf.auto, will retry
Wed Jul  3 14:49:18 2024 daemon.notice netifd: Interface 'wan' is setting up now
Wed Jul  3 14:49:18 2024 daemon.info avahi-daemon[4566]: Joining mDNS multicast group on interface eth0.IPv4 with address 192.168.178.11.
Wed Jul  3 14:49:18 2024 daemon.info avahi-daemon[4566]: New relevant interface eth0.IPv4 for mDNS.
Wed Jul  3 14:49:18 2024 daemon.info avahi-daemon[4566]: Registering new address record for 192.168.178.11 on eth0.IPv4.
Wed Jul  3 14:49:18 2024 daemon.info avahi-daemon[4566]: Registering new address record for 2a04:4540:7404:9cfd::1 on eth0.*.
Wed Jul  3 14:49:18 2024 daemon.info avahi-daemon[4566]: Registering new address record for fd10:74ca:2d9c::1 on eth0.*.
Wed Jul  3 14:49:18 2024 daemon.notice netifd: Interface 'wan' is now up
Wed Jul  3 14:49:18 2024 daemon.info dnsmasq[15732]: reading /tmp/resolv.conf.d/resolv.conf.auto
Wed Jul  3 14:49:18 2024 daemon.info dnsmasq[15732]: using only locally-known addresses for domain test
Wed Jul  3 14:49:18 2024 daemon.info dnsmasq[15732]: using only locally-known addresses for domain onion
Wed Jul  3 14:49:18 2024 daemon.info dnsmasq[15732]: using only locally-known addresses for domain localhost
Wed Jul  3 14:49:18 2024 daemon.info dnsmasq[15732]: using only locally-known addresses for domain local
Wed Jul  3 14:49:18 2024 daemon.info dnsmasq[15732]: using only locally-known addresses for domain invalid
Wed Jul  3 14:49:18 2024 daemon.info dnsmasq[15732]: using only locally-known addresses for domain bind
Wed Jul  3 14:49:18 2024 daemon.info dnsmasq[15732]: using only locally-known addresses for domain lan
Wed Jul  3 14:49:18 2024 daemon.info dnsmasq[15732]: using nameserver 192.168.178.1#53
Wed Jul  3 14:49:18 2024 daemon.notice netifd: Interface 'wan6' is now down
Wed Jul  3 14:49:18 2024 daemon.notice netifd: Interface 'wan6' is disabled
Wed Jul  3 14:49:18 2024 daemon.notice netifd: Interface 'wan6' is enabled
Wed Jul  3 14:49:18 2024 daemon.notice netifd: Interface 'wan6' is setting up now
Wed Jul  3 14:49:18 2024 daemon.info avahi-daemon[4566]: Withdrawing address record for fd10:74ca:2d9c:0:9683:c4ff:fe2f:3878 on eth0.
Wed Jul  3 14:49:18 2024 daemon.info avahi-daemon[4566]: Registering new address record for fe80::9683:c4ff:fe2f:3879 on br-lan.*.
Wed Jul  3 14:49:18 2024 daemon.info avahi-daemon[4566]: Withdrawing address record for 2a04:4540:7404:9cfd::1 on eth0.
Wed Jul  3 14:49:18 2024 kern.err kernel: [11037.037841] ICMPv6: RA: ndisc_router_discovery failed to add default route
Wed Jul  3 14:49:18 2024 user.notice firewall: Reloading firewall due to ifdown of wan ()
Wed Jul  3 14:49:18 2024 user.notice kmwan: config json str={ "op": 3, "data": { "cells": [ "wan" ] } }
Wed Jul  3 14:49:18 2024 kern.debug kernel: [11037.356008] kmwan: Delete node:wan
Wed Jul  3 14:49:18 2024 user.notice firewall: Reloading firewall due to ifdown of wan6 ()
Wed Jul  3 14:49:18 2024 user.notice kmwan: config json str={ "op": 3, "data": { "cells": [ "wan6" ] } }
Wed Jul  3 14:49:18 2024 user.notice firewall: Reloading firewall due to ifup of wan (eth0)
Wed Jul  3 14:49:18 2024 user.notice kmwan: config json str={ "op": 2, "data": { "cells": [ { "interface": "wan", "netdev": "eth0", "track_mode": "force", "addr_type": 4, "tracks": [ { "type": "ping", "ip": "1.1.1.1" }, { "type": "ping", "ip": "8.8.8.8" }, { "type": "ping", "ip": "208.67.222.222" }, { "type": "ping", "ip": "208.67.220.220" } ] } ] } }
Wed Jul  3 14:49:18 2024 kern.debug kernel: [11037.836387] [add_dev_config 287]add node success. iface:wan, dev:eth0, ifindex:2
Wed Jul  3 14:49:20 2024 daemon.info avahi-daemon[4566]: Registering new address record for fd10:74ca:2d9c:0:9683:c4ff:fe2f:3878 on eth0.*.
Wed Jul  3 14:49:20 2024 daemon.info avahi-daemon[4566]: Withdrawing address record for fe80::9683:c4ff:fe2f:3879 on br-lan.
Wed Jul  3 14:49:20 2024 daemon.info avahi-daemon[4566]: Registering new address record for 2a04:4540:7404:9cfd::1 on eth0.*.
Wed Jul  3 14:49:20 2024 daemon.notice netifd: Interface 'wan6' is now up
Wed Jul  3 14:49:20 2024 daemon.info dnsmasq[15732]: reading /tmp/resolv.conf.d/resolv.conf.auto
Wed Jul  3 14:49:20 2024 daemon.info dnsmasq[15732]: using only locally-known addresses for domain test
Wed Jul  3 14:49:20 2024 daemon.info dnsmasq[15732]: using only locally-known addresses for domain onion
Wed Jul  3 14:49:20 2024 daemon.info dnsmasq[15732]: using only locally-known addresses for domain localhost
Wed Jul  3 14:49:20 2024 daemon.info dnsmasq[15732]: using only locally-known addresses for domain local
Wed Jul  3 14:49:20 2024 daemon.info dnsmasq[15732]: using only locally-known addresses for domain invalid
Wed Jul  3 14:49:20 2024 daemon.info dnsmasq[15732]: using only locally-known addresses for domain bind
Wed Jul  3 14:49:20 2024 daemon.info dnsmasq[15732]: using only locally-known addresses for domain lan
Wed Jul  3 14:49:20 2024 daemon.info dnsmasq[15732]: using nameserver fd00::464e:6dff:fede:92de#53
Wed Jul  3 14:49:20 2024 daemon.info dnsmasq[15732]: using nameserver 2a04:4540:7404:9c00:464e:6dff:fede:92de#53
Wed Jul  3 14:49:20 2024 daemon.warn dnsmasq[15732]: ignoring nameserver fd10:74ca:2d9c::1 - local interface
Wed Jul  3 14:49:20 2024 daemon.info dnsmasq[15732]: using nameserver 192.168.178.1#53
Wed Jul  3 14:49:20 2024 user.notice firewall: Reloading firewall due to ifup of wan6 (eth0)

I add the config files here, if this is more readable for you:

network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd10:74ca:2d9c::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	option macaddr '94:83:c4:2f:38:79'

config device
	option name 'eth1'
	option macaddr '94:83:c4:2f:38:79'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.8.1'
	option netmask '255.255.255.0'
	option isolate '0'
	option ip6hint '0000'
	option ip6ifaceid '::1'
	list ip6class 'wan6'
	list ip6class 'wwan6'
	list ip6class 'tethering6'
	list ip6class 'modem_2_1_6'
	list ip6class 'modem_1_1_6'
	option ip6assign '64'

config device
	option name 'eth0'
	option macaddr '94:83:c4:2f:38:78'

config interface 'wan_ori'
	option device 'eth0'
	option force_link '0'
	option classlessroute '0'
	option metric '10'
	option ipv6 '1'
	option proto 'static'
	option ipaddr '192.168.178.11'
	option gateway '192.168.178.1'
	option vlanid '0'
	option netmask '255.255.255.0'
	option peerdns '0'
	option dns '192.168.178.1'
	option disabled '1'

config interface 'wan6'
	option proto 'dhcpv6'
	option device '@wan'
	option disabled '0'
	option reqprefix 'auto'
	option reqaddress 'try'

config interface 'tethering6'
	option device '@tethering'
	option proto 'dhcpv6'
	option disabled '0'

config interface 'wwan6'
	option device '@wwan'
	option proto 'dhcpv6'
	option disabled '0'

config interface 'modem_1_1_2_6'
	option proto 'dhcpv6'
	option disabled '0'
	option device '@modem_1_1_2'

config rule 'policy_direct_rt'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule 'policy_default_rt_vpn'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config rule6 'policy_direct_rt6'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule6 'policy_default_rt_vpn6'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config rule 'policy_default_rt_vpn_ts'
	option lookup 'main'
	option priority '1099'
	option mark '0x80000/0xc0000'
	option invert '0'

config interface 'wgclient'
	option proto 'wgclient'
	option config 'peer_32070'
	option disabled '0'

config interface 'wan'
	option device 'eth0'
	option proto 'static'
	option ipaddr '192.168.178.11'
	option gateway '192.168.178.1'
	option netmask '255.255.255.0'
	option peerdns '0'
	option force_link '0'
	option metric '10'
	list dns '192.168.178.1'
	option ip6assign '64'

dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option rebind_protection '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option force '1'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '0'
	list ra_flags 'other-config'
	option ra_default '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore_ori '1'
	option start '2'
	option limit '252'
	option leasetime '43200'
	option force '1'
	option ignore '1'
	option ra 'server'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config domain
	option name 'console.gl-inet.com'
	option ip '192.168.8.1'

config domain
	option name 'console.gl-inet.com'
	option ip '::ffff:192.168.8.1'

glipv6

config globals 'globals'
	option origin_ula_prefix 'fd10:74ca:2d9c::/48'
	option enabled '1'

config interface 'wan'
	option interface 'wan'
	option addrmode 'auto'
	option dnsmode 'auto'

config interface 'lan'
	option dnsmode 'auto'
	option lan_ip6addr 'fd10:74ca:2d9c::1/64'
	option mode 'native'

In the case of PD, Drop-In Gateway mode does not seem to work. IPv6 implements routing via address notification and always chooses the shortest path to configure its own route. Therefore, LAN devices always choose to obtain an available address directly from the ISP router and route through it. Slower drop-in gateways are not selected to route data.

Dear @radishman, I tried this now with and without Drop-In mode. I also configured the non-Drop-In version in vanilla OpenWrt. I also played a bit with tcpdump, and I now think the problem is not related to Drop-In or GL.iNet. Anyhow, maybe you can interpret the tcpdump output better than I can. It correctly receives and forwards the ping6 to the WireGuard interface but never receives a reply. I add the actual config of interfaces and firewall. I am now quite sure that I understood the PD mechanism.

Maybe it could help us solve the IPv6 Drop-In problem as well.

22:24:47.867428 eth1   In  IP6 2a04:4540:740d:8200:f11a:c66f:5bfc:7b55 > ham11s01-in-x0e.1e100.net: ICMP6, echo request, id 2700, seq 0, length 16
22:24:47.867428 br-lan In  IP6 2a04:4540:740d:8200:f11a:c66f:5bfc:7b55 > ham11s01-in-x0e.1e100.net: ICMP6, echo request, id 2700, seq 0, length 16
22:24:47.867503 wghide Out IP6 2a04:4540:740d:8200:f11a:c66f:5bfc:7b55 > ham11s01-in-x0e.1e100.net: ICMP6, echo request, id 2700, seq 0, length 16
22:24:47.913505 lo     In  IP6 localhost > localhost: ICMP6, destination unreachable, unreachable port, localhost udp port 49080, length 197
22:24:47.914048 lo     In  IP6 localhost > localhost: ICMP6, destination unreachable, unreachable port, localhost udp port 32991, length 185
22:24:47.916725 eth0   Out IP6 2a04:4540:740d:8200:9683:c4ff:fe2f:3878 > wpad.fritz.box: ICMP6, destination unreachable, unreachable port, 2a04:4540:740d:8200:9683:c4ff:fe2f:3878 udp port 55694, length 197
22:24:48.022989 lo     In  IP6 localhost > localhost: ICMP6, destination unreachable, unreachable port, localhost udp port 60374, length 197
22:24:48.024603 lo     In  IP6 localhost > localhost: ICMP6, destination unreachable, unreachable port, localhost udp port 39058, length 463
22:24:48.871271 eth1   In  IP6 2a04:4540:740d:8200:f11a:c66f:5bfc:7b55 > ham11s01-in-x0e.1e100.net: ICMP6, echo request, id 2700, seq 1, length 16
22:24:48.871271 br-lan In  IP6 2a04:4540:740d:8200:f11a:c66f:5bfc:7b55 > ham11s01-in-x0e.1e100.net: ICMP6, echo request, id 2700, seq 1, length 16
22:24:48.871331 wghide Out IP6 2a04:4540:740d:8200:f11a:c66f:5bfc:7b55 > ham11s01-in-x0e.1e100.net: ICMP6, echo request, id 2700, seq 1, length 16
22:24:52.331864 eth1   In  IP6 fe80::105f:952:37db:3129 > fe80::9683:c4ff:fe2f:3879: ICMP6, neighbor solicitation, who has fe80::9683:c4ff:fe2f:3879, length 32
22:24:52.331864 br-lan In  IP6 fe80::105f:952:37db:3129 > fe80::9683:c4ff:fe2f:3879: ICMP6, neighbor solicitation, who has fe80::9683:c4ff:fe2f:3879, length 32
22:24:52.331947 br-lan Out IP6 fe80::9683:c4ff:fe2f:3879 > fe80::105f:952:37db:3129: ICMP6, neighbor advertisement, tgt is fe80::9683:c4ff:fe2f:3879, length 24
22:24:52.331959 eth1   Out IP6 fe80::9683:c4ff:fe2f:3879 > fe80::105f:952:37db:3129: ICMP6, neighbor advertisement, tgt is fe80::9683:c4ff:fe2f:3879, length 24
22:24:52.421375 lo     In  IP6 localhost > localhost: ICMP6, destination unreachable, unreachable port, localhost udp port 59720, length 146
22:24:52.421783 lo     In  IP6 localhost > localhost: ICMP6, destination unreachable, unreachable port, localhost udp port 53800, length 146

network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option delegate '0'
	option ip6hint '1'
	option ip6ifaceid '::1'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config interface 'wghide'
	option proto 'wghidemevpn'
	option server 'de-v4.hideservers.net'

dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ra_slaac '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'iMacDevnCarsten'
	option ip '192.168.1.8'
	option hostid '08'
	option duid '000100012da105b36805ca12a571'
	list mac '68:05:CA:12:A5:71'

firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'hideme'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option masq '1'
	list network 'wghide'

config forwarding
	option src 'lan'
	option dest 'hideme'

And maybe some additional information: when I configure OpenVPN, it shows the same problem:

I maybe forgot to mention that it works on the router itself, but not for the client. It also works when I disable the VPN tunnel.

00:06:36.266821 eth1  In  IP6 iMacDevnCarsten.lan > ham11s07-in-x0e.1e100.net: ICMP6, echo request, id 3911, seq 0, length 16
00:06:36.266821 br-lan In  IP6 iMacDevnCarsten.lan > ham11s07-in-x0e.1e100.net: ICMP6, echo request, id 3911, seq 0, length 16
00:06:36.266876 tun0  Out IP6 iMacDevnCarsten.lan > ham11s07-in-x0e.1e100.net: ICMP6, echo request, id 3911, seq 0, length 16
00:06:36.282555 lo    In  IP6 localhost > localhost: ICMP6, destination unreachable, unreachable port, localhost udp port 41537, length 197
00:06:36.284268 lo    In  IP6 localhost > localhost: ICMP6, destination unreachable, unreachable port, localhost udp port 34542, length 463
00:06:36.285259 lo    In  IP6 localhost > localhost: ICMP6, destination unreachable, unreachable port, localhost udp port 54324, length 179
00:06:36.286621 lo    In  IP6 localhost > localhost: ICMP6, destination unreachable, unreachable port, localhost udp port 43089, length 185
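Both traces above (wghide with WireGuard, tun0 with OpenVPN) show the same shape: the echo request is seen In on eth1/br-lan, Out on the tunnel interface, and then nothing. The script below is an added example, not code from the original posts; it parses "tcpdump -i any" output of that kind and, for every echo request that left the tunnel, reports whether a reply came back on the tunnel and whether the source address was one the VPN peer can route to at all. The SAMPLE_TRACE is constructed: the first flow copies the posted wghide trace (ISP-delegated GUA source, nothing returns), the second shows what the same ping looks like once the source is rewritten to the tunnel's own address (reply returns on wghide), and the last line copies the tun0 trace, where tcpdump printed a hostname instead of an address. The tunnel address fd00:6968:6564:4be::a89:7c52 is the wgclient address from the route table earlier in the thread; everything else (interface names, hosts, echo ids) is taken from the posted traces.

```python
"""Correlate ICMPv6 echo requests leaving a VPN tunnel with their replies.

Added example for this thread (not code from the original posts). The trace
format is the one tcpdump -i any prints: timestamp, interface, direction,
then the IPv6 summary.
"""
import ipaddress
import re

# Only ICMPv6 echo request/reply lines match; the DNS port-unreachable noise on
# lo and neighbour discovery lines in the posted traces are deliberately ignored.
ECHO_RE = re.compile(
    r"^(?P<ts>[\d:.]+)\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP6\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+ICMP6,\s+echo\s+(?P<kind>request|reply),"
    r"\s+id\s+(?P<id>\d+),\s+seq\s+(?P<seq>\d+)"
)

# Constructed sample, modelled on the traces posted in this thread.
SAMPLE_TRACE = """\
22:24:47.867428 eth1   In  IP6 2a04:4540:740d:8200:f11a:c66f:5bfc:7b55 > ham11s01-in-x0e.1e100.net: ICMP6, echo request, id 2700, seq 0, length 16
22:24:47.867428 br-lan In  IP6 2a04:4540:740d:8200:f11a:c66f:5bfc:7b55 > ham11s01-in-x0e.1e100.net: ICMP6, echo request, id 2700, seq 0, length 16
22:24:47.867503 wghide Out IP6 2a04:4540:740d:8200:f11a:c66f:5bfc:7b55 > ham11s01-in-x0e.1e100.net: ICMP6, echo request, id 2700, seq 0, length 16
22:24:47.913505 lo     In  IP6 localhost > localhost: ICMP6, destination unreachable, unreachable port, localhost udp port 49080, length 197
22:24:48.871331 wghide Out IP6 2a04:4540:740d:8200:f11a:c66f:5bfc:7b55 > ham11s01-in-x0e.1e100.net: ICMP6, echo request, id 2700, seq 1, length 16
22:25:10.100000 br-lan In  IP6 2a04:4540:740d:8200:f11a:c66f:5bfc:7b55 > ham11s01-in-x0e.1e100.net: ICMP6, echo request, id 2701, seq 0, length 16
22:25:10.100050 wghide Out IP6 fd00:6968:6564:4be::a89:7c52 > ham11s01-in-x0e.1e100.net: ICMP6, echo request, id 2701, seq 0, length 16
22:25:10.140000 wghide In  IP6 ham11s01-in-x0e.1e100.net > fd00:6968:6564:4be::a89:7c52: ICMP6, echo reply, id 2701, seq 0, length 16
00:06:36.266876 tun0  Out IP6 iMacDevnCarsten.lan > ham11s07-in-x0e.1e100.net: ICMP6, echo request, id 3911, seq 0, length 16
"""


def parse_echo(trace):
    """Return the echo request/reply lines of a trace as dicts of the regex groups."""
    return [m.groupdict() for m in map(ECHO_RE.match, trace.splitlines()) if m]


def analyze_tunnel_echo(trace, tunnel_iface, tunnel_addrs):
    """Classify every echo request that left tunnel_iface.

    Verdicts:
      ok               a reply for the same (id, seq) came back in on the tunnel
      unnatted-source  no reply, and the source is not a tunnel address: the packet
                       left with the ISP-delegated GUA, so the VPN peer has no
                       route back to it (the NAT66 / masq6 case)
      no-reply         no reply although the source is a tunnel address: look at
                       AllowedIPs, MTU or the peer side instead
      unresolved-name  tcpdump printed a hostname, not an address; rerun with -n
    """
    nets = [ipaddress.ip_network(a, strict=False) for a in tunnel_addrs]
    sent = {}         # (id, seq) -> source address seen leaving the tunnel
    answered = set()  # (id, seq) of replies seen entering the tunnel
    for pkt in parse_echo(trace):
        if pkt["iface"] != tunnel_iface:
            continue
        key = (int(pkt["id"]), int(pkt["seq"]))
        if pkt["kind"] == "request" and pkt["dir"] == "Out":
            sent[key] = pkt["src"]
        elif pkt["kind"] == "reply" and pkt["dir"] == "In":
            answered.add(key)

    findings = []
    for (echo_id, seq), src in sent.items():
        if (echo_id, seq) in answered:
            verdict = "ok"
        else:
            try:
                inside = any(ipaddress.ip_address(src) in n for n in nets)
            except ValueError:
                verdict = "unresolved-name"
            else:
                verdict = "no-reply" if inside else "unnatted-source"
        findings.append({"id": echo_id, "seq": seq, "src": src, "verdict": verdict})
    return findings


if __name__ == "__main__":
    tunnel = ["fd00:6968:6564:4be::a89:7c52/128"]
    for iface in ("wghide", "tun0"):
        for f in analyze_tunnel_echo(SAMPLE_TRACE, iface, tunnel):
            print(f"{iface}: id={f['id']} seq={f['seq']} src={f['src']} -> {f['verdict']}")
```

Run against the posted traces the script gives "unnatted-source" for every wghide request and "unresolved-name" for the tun0 one, which is the cue to repeat the capture with tcpdump -n so the source address, not the .lan name, is visible.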

Have you ever tried setting the MTU of your VPN to 1380 or 1280?
Also, if it is WireGuard, check whether the AllowedIPs parameter includes ::0/0.

Thanks for your help, @radishman. As it was a bit problematic to get help on this issue, where three parties are involved (GL.iNet, OpenWrt, and hide.me), it took a while to isolate the problem. In the end (as said) I installed vanilla OpenWrt and used a vanilla OpenVPN connection; the problem persisted.

Mike Keitz from the OpenWrt forum pointed me in the right direction:

You will need to NAT the IPv6 into the VPN tunnel. The packets you are sending still have the source IP derived from your ISP's GUA. Without NAT, the VPN provider does not know how to return traffic to you.

In later versions of OpenWrt, IPv6 NAT is simply done by adding option masq6 '1' to the firewall zone that contains the VPN tunnel, the same as masq works for v4.

Adding this option manually did the job. Other things that are supposedly needed for NAT66 don't seem necessary, but I currently don't have the knowledge to judge what that means.

In my original setup I was using GL.iNet firmware and the hide.me setup script. Most probably I need to analyze the hide.me script and add the option there. When I find the time, I will flash the GL.iNet firmware back onto the MT-2500 and set up Drop-In Gateway mode. Maybe it's the same culprit.

Note: this option currently seems not to be available in LuCI.

BR,
Carsten.

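The fix above boils down to one zone option, but it is easy to put masq6 on the wrong zone, or to set it in a firmware whose firewall does not know it (masq6 is an fw4/nftables zone option; the older iptables-based fw3 does not recognise it). The script below is an added example, not code from the original posts or from OpenWrt: it parses UCI firewall text of the kind posted earlier, finds the zone(s) that carry the VPN interface, and reports whether IPv4 masquerading (masq) and IPv6 masquerading (masq6) are set and whether a lan-to-zone forwarding exists, printing the uci commands that would enable what is missing. SAMPLE_FIREWALL is constructed from the firewall file posted earlier in this thread, trimmed to its zones and forwardings; "wghide" and "hideme" are the network and zone names from that config, and the config is exactly the pre-fix state (masq set, masq6 absent).

```python
"""Audit an OpenWrt firewall config for masq/masq6 on the VPN zone.

Added example for this thread (not code from the original posts or OpenWrt).
"""
import shlex

# Constructed from the firewall config posted earlier in the thread (zones and
# forwardings only). This is the state before "option masq6 '1'" was added.
SAMPLE_FIREWALL = """\
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'hideme'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option masq '1'
	list network 'wghide'

config forwarding
	option src 'lan'
	option dest 'hideme'
"""


def parse_uci(text):
    """Parse UCI config text into a list of sections (type, name, options, lists)."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)  # handles the 'quoted' values UCI writes
        if words[0] == "config":
            sections.append({
                "type": words[1],
                "name": words[2] if len(words) > 2 else None,  # None = anonymous section
                "options": {},
                "lists": {},
            })
        elif words[0] == "option" and sections:
            sections[-1]["options"][words[1]] = words[2] if len(words) > 2 else ""
        elif words[0] == "list" and sections:
            sections[-1]["lists"].setdefault(words[1], []).append(words[2])
    return sections


def audit_vpn_masq(sections, vpn_networks):
    """Report masq/masq6 state for every zone that carries one of vpn_networks."""
    forwardings = {
        (s["options"].get("src"), s["options"].get("dest"))
        for s in sections if s["type"] == "forwarding"
    }
    report = []
    zone_idx = -1
    for s in sections:
        if s["type"] != "zone":
            continue
        zone_idx += 1  # uci addresses anonymous sections positionally: @zone[N]
        networks = s["lists"].get("network", [])
        if not set(networks) & set(vpn_networks):
            continue
        zone = s["options"].get("name")
        ref = s["name"] or f"@zone[{zone_idx}]"
        masq = s["options"].get("masq") == "1"
        masq6 = s["options"].get("masq6") == "1"
        fixes = []
        if not masq:
            fixes.append(f"uci set firewall.{ref}.masq='1'")
        if not masq6:
            fixes.append(f"uci set firewall.{ref}.masq6='1'")
        if fixes:
            fixes.append("uci commit firewall && /etc/init.d/firewall restart")
        report.append({
            "zone": zone,
            "networks": networks,
            "masq": masq,
            "masq6": masq6,
            "lan_forwarded": ("lan", zone) in forwardings,
            "fixes": fixes,
        })
    return report


if __name__ == "__main__":
    for z in audit_vpn_masq(parse_uci(SAMPLE_FIREWALL), {"wghide"}):
        print(f"zone {z['zone']} ({', '.join(z['networks'])}): "
              f"masq={z['masq']} masq6={z['masq6']} lan->zone={z['lan_forwarded']}")
        for cmd in z["fixes"]:
            print("  " + cmd)
```

The static config is only half the picture: on the box itself, `nft list ruleset` shows whether an IPv6 masquerade rule for the tunnel zone was actually generated, which is the check to run when the option is present (as on the GL.iNet firmware later in this thread) but replies still do not come back.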

So, I now set up the MT-2500 with 4.6.2 firmware, installed the hide.me tools for WireGuard on GL.iNet 4 and used a hide.me config file to set up OpenVPN.

The problem persists in WireGuard and OpenVPN. The packets are routed from the client to the MT-2500 but the ICMP reply doesn't come back.

masq and masq6 are handled by an option in the GL.iNet user interface (IP Masquerading), but they don't seem to have an impact. I compared the options from vanilla and GL.iNet as well as I can (because there are some major differences) but currently don't see anything that would make a difference.

BTW: changing MTU doesn't do anything.

So the actual question is (as I am aware that GL.iNet is warning that switching IPv6 on could cause trouble): what currently hinders incoming ICMPv6 replies from being routed from wgclient/ovpnclient to the LAN? I am currently not using the Drop-In network!

BR, Carsten.

@hansome, can there be a connection with this post?

Short summary so that you don't have to read everything. I had problems setting up Drop-In, but I am now testing in a simple environment: ISP router - WAN MT-2500 LAN - client. PD /62 delegated. Whether OpenVPN or WireGuard is used, ping4 to google.com works, ping6 does not. The problem was the same in vanilla OpenWrt until I found out I have to do NAT66. Then I switched back to GL.iNet 4.6.2, where I found masq6 already set, but still ICMPv6 requests are routed outbound and no reply comes back. I know IPv6 is said not to be supported, but I thought we could maybe find out why.

BR,
Carsten.

So no one at GL.iNet has an idea why a configuration that works on a vanilla snapshot does not route IPv6 traffic (at this stage ICMPv6) from LAN to a correctly configured WAN6, even though NAT66 is configured correctly OOTB (masq6 is enabled)?

BR,
Carsten.