LTE IPv6, default firewall broken

I enabled IPv6 from the modem interface; the router says it got an IPv6 address, but IPv6 is not routable.

I tried both cdc-wdm0 and ttyUSB3; both have the same issue (got an IPv6 address, provided IPv6 to LAN, but IPv6 is not routable / failing neighbor discovery on the default gateway).

From SSH:

root@GL-X750:~# ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::9683:c4ff:fe0a:3415/64 scope link
valid_lft forever preferred_lft forever
5: wwan0: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 1000
inet6 2607:fb90:47c3:5723:dcec:3bff:fee1:d357/64 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::dcec:3bff:fee1:d357/64 scope link
valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fd25:a9c8:2d04::1/64 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::9683:c4ff:fe0a:3415/64 scope link
valid_lft forever preferred_lft forever
9: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::9683:c4ff:fe0a:3416/64 scope link
valid_lft forever preferred_lft forever
10: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::9683:c4ff:fe0a:3417/64 scope link
valid_lft forever preferred_lft forever

root@GL-X750:~# ip -6 route
default from 2607:fb90:47c3:5723::/64 via fe80::b0ec:1041:65e2:7049 dev wwan0 proto static metric 512 pref medium
2607:fb90:47c3:5723:xx dev br-lan proto static metric 1024 pref medium
2607:fb90:47c3:5723:xy dev br-lan proto static metric 1024 pref medium
2607:fb90:47c3:5723::/64 dev br-lan proto static metric 128 pref medium
2607:fb90:47c3:5723::/64 dev wwan0 proto static metric 256 pref medium
unreachable 2607:fb90:47c3:5723::/64 dev lo proto static metric 2147483647 error 4294967148 pref medium
fd25:a9c8:2d04::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd25:a9c8:2d04::/48 dev lo proto static metric 2147483647 error 4294967148 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/64 dev wlan1 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev wwan0 proto kernel metric 256 pref medium
default via fe80::b0ec:1041:65e2:7049 dev wwan0 proto ra metric 1024 expires 65382sec hoplimit 255 pref medium

root@GL-X750:~# ip -6 nei
2607:fb90:47c3:5723:xx dev br-lan lladdr 8c:8c:aa:17:xx:xx STALE
2607:fb90:47c3:5723:xy dev br-lan lladdr 8c:8c:aa:17:xx:xx STALE
fe80::3053:51dc:b625:73e dev br-lan FAILED
fe80::e869:d3b3:8ade:f1e1 dev br-lan lladdr 8c:8c:aa:17:xx:xx STALE

This is indeed a firewall issue.

I did ip6tables -I INPUT -j ACCEPT and IPv6 on the router started working right away;
after ip6tables -I FORWARD -j ACCEPT, IPv6 on LAN started working.

The default zone_wan_forward chain is not matching anything.

These are clearly broken IPv6 firewall rules by default.

Also, please add the iptables / ip6tables physdev module; this is crucial for the IPv6 firewall, since for v6, WAN and LAN are effectively bridged.
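
A narrower test than the two blanket ACCEPT rules in the post, as an added example that is not part of the original post or of the router's firmware: it prints ip6tables commands that accept only core ICMPv6 types (a subset of the RFC 4890 list), established traffic, and LAN-to-WAN forwarding, so inbound connections from WAN to LAN hosts stay blocked. It assumes wwan0 is WAN and br-lan is LAN as in the output above, and that the dropped traffic is ICMPv6 and outbound forwarding, which the post does not confirm.

```shell
#!/bin/sh
# Added example, not from the original post. Prints narrow ip6tables rules;
# with APPLY=1 in the environment it runs them instead (needs root).
# Assumptions: WAN=wwan0 and LAN=br-lan, taken from the `ip -6 addr` output;
# the packets being dropped are ICMPv6 ND/RA and LAN->WAN forwarded traffic.

WAN="${WAN:-wwan0}"
LAN="${LAN:-br-lan}"

# ICMPv6 types the router itself has to receive for IPv6 to function:
#   1-4     error messages (type 2 is Packet Too Big, needed for PMTU)
#   128/129 echo request / reply
#   133-136 router solicitation/advertisement, neighbor solicitation/advertisement
ICMP6_TYPES="1 2 3 4 128 129 133 134 135 136"

narrow_rules() {
    for t in $ICMP6_TYPES; do
        echo "ip6tables -I INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    # Replies (and related ICMPv6 errors) for flows the router or LAN opened.
    echo "ip6tables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    echo "ip6tables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # New flows are allowed only in the LAN -> WAN direction.
    echo "ip6tables -I FORWARD -i $LAN -o $WAN -j ACCEPT"
}

apply_or_print() {
    narrow_rules | while read -r rule; do
        if [ "${APPLY:-0}" = "1" ]; then
            $rule            # word-split on purpose: run the printed command
        else
            echo "$rule"     # dry run: show what would be inserted
        fi
    done
}

apply_or_print
```

If IPv6 works with these rules in place of the blanket ACCEPTs, the default chains are dropping one of these classes of traffic, and `ip6tables -L -v -n` packet counters show which rule is being hit.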