386.2_2 IPv6 broken in Dual WAN - Load Balance

[Darsh-]

Setup: RT-AC5300, two Internet connections, ADSL (Primary, WAN port) and 4G (Secondary, LAN port 1). I'm getting IPv6 via ADSL only. Firmware 386.2_2.

If I disable Dual WAN, IPv6 works in both Native and Static modes, "ping6 www.cisco.com" works from the LAN hosts, and they are accessible from the outside.
If I enable Dual WAN, but leave it in Fail Over mode - IPv6 still works.
If I switch Dual WAN to Load Balance mode - IPv6 stops working on the LAN interface, I can't even ping link local addresses. It still works on the router, "ping6 www.cisco.com" is successful from the router, but not from the LAN hosts.

I've currently downgraded the router back to 384.19 - the latest one on the 384 code, as I'm getting an impression that IPv6 is somehow broken in the 386 line.


Darsh

 

[Vigilans]

It's because dual wan load balance mode uses another function to generate filter rules (filter_setting2), and ICMP_V6, ICMP_V6_LOCAL chains is missing in the generated rule file:

if (ipv6_enabled()) {
        fprintf(fp_ipv6, "*filter\n"
            ":INPUT ACCEPT [0:0]\n"
            ":FORWARD %s [0:0]\n"
            ":OUTPUT ACCEPT [0:0]\n"
#ifdef RTCONFIG_INTERNETCTRL
            ":ICAccept - [0:0]\n"
            ":ICDrop - [0:0]\n"
#endif
#ifdef RTCONFIG_PARENTALCTRL
            ":PControls - [0:0]\n"
#endif
            ":logaccept - [0:0]\n"
            ":logdrop - [0:0]\n",
        nvram_match("ipv6_fw_enable", "1") ? "DROP" : "ACCEPT");
    }

 

[N/A]

It's because dual wan load balance mode uses another function to generate filter rules (filter_setting2), and ICMP_V6, ICMP_V6_LOCAL chains is missing in the generated rule file:

if (ipv6_enabled()) {
        fprintf(fp_ipv6, "*filter\n"
            ":INPUT ACCEPT [0:0]\n"
            ":FORWARD %s [0:0]\n"
            ":OUTPUT ACCEPT [0:0]\n"
#ifdef RTCONFIG_INTERNETCTRL
            ":ICAccept - [0:0]\n"
            ":ICDrop - [0:0]\n"
#endif
#ifdef RTCONFIG_PARENTALCTRL
            ":PControls - [0:0]\n"
#endif
            ":logaccept - [0:0]\n"
            ":logdrop - [0:0]\n",
        nvram_match("ipv6_fw_enable", "1") ? "DROP" : "ACCEPT");
    }

I have the same problem. Would you mind telling me how to fix the filter rules? Thanks in advance.

 

[Vigilans]

I have the same problem. Would you mind telling me how to fix the filter rules? Thanks in advance.

I didn't try to fix the rule (the generated /tmp/filter_rules_ipv6), but just added the rules of ICMP_V6 and ICMP_V6_LOCAL in the wan-event script (at "connected" event, where wan-start script also serves the purpose).

If you try to fix the rules generated by asuswrt-merlin (so to remove the "firewall: apply rules error (xxxx)" line in the router log), you may source the helper script (/usr/sbin/helper.sh, reference https://github.com/RMerl/asuswrt-merlin.ng/wiki/Custom-config-files#postconf-scripts), and insert lines:
:ICMP_V6 - [0:0]
:ICMP_V6_LOCAL - [0:0]
after
:OUTPUT ACCEPT [0:0]
in file /tmp/filter_rules_ipv6 to fix the rule file.

 

[Jeffrey Young]

Welcome both of you to the forums. Thanks @Vigilans for posting a solution.

Tagging @RMerlin in case this is something that he can add to a future release (if not handled in any closed portions of Asus code).

Cheers to the both of you.

 

[RMerlin]

Thanks, should be fixed for the next release.