
WAN DHCPv6 blocked by firewall


M4tt

I'm using a GT-AX11000 with Merlin version 3004.388.7.

After updating my modem's firmware, my router suddenly stopped getting an IPv6 address. Initially, I thought the modem was to blame, but I have now found out that the built-in IPv6 firewall of my Asus router is blocking the DHCP request.

In the log, I see that odhcp6c doesn't get a response to the very first request and gets stuck at "Starting SOLICIT transaction (timeout 4294967295s, max rc 0)." As soon as I disable the IPv6 firewall and trigger a WAN reconnect, the router receives an IPv6 address via DHCP-PD (dynamic /64 network).

When I enable the firewall again, odhcp6c stops receiving an IP address, so the firewall obviously blocks the DHCP request. Strangely, as mentioned, this started with the last firmware update of my modem; before that, IPv6 worked fine for a long time. I suspect that the responses to the DHCPv6 request no longer come from a link-local address, or something else changed about the DHCP traffic. However, I don't want to leave the firewall disabled. I tried opening port 546 using ip6tables, but that didn't work. Maybe it's not enough, or I'm doing something wrong.

I would appreciate any tips!
 
I would suggest you open the same ports in the v6 firewall as you have open on the v4 firewall.
 
By using tcpdump and setting the firewall dropped packets and odhcp6c to verbose logging, I was able to fix the issue by putting the following two rules into /jffs/scripts/firewall-start:

Code:
ip6tables -I INPUT 1 -i eth0 -p udp --sport 546 --dport 547 -s fe80::/10 -d ff02::1:2 -j ACCEPT
ip6tables -I INPUT 1 -i eth0 -p udp --dport 546 -s fe80::/10 -d fe80::/10 -j ACCEPT

I need to put the rules at position 1 of the INPUT chain, as otherwise the relevant traffic is obviously blocked by one of the "stock" firmware rules.

Shouldn't sending DHCPv6 requests to multicast and receiving the answer packets work on WAN without those rules? I haven't changed anything else regarding the firewall except for the two rules above.
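
The following is an added example, not part of the thread: it reads `tcpdump -n` text output and reports, for each packet sent to the DHCPv6 client port 546, whether the second posted rule (`--dport 546 -s fe80::/10 -d fe80::/10`) would match it, which tests the suspicion that replies no longer come from a link-local address. It assumes tcpdump's default one-line IPv6 format (`time IP6 src.port > dst.port: dhcp6 ...`); the function names and the sample capture are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify DHCPv6 replies seen in `tcpdump -n` text output.
# Reads capture lines on stdin. For every packet addressed to UDP port 546
# (the DHCPv6 client port) it prints MATCH or NO-MATCH against the rule
#   -p udp --dport 546 -s fe80::/10 -d fe80::/10
classify_dhcpv6_replies() {
    awk '
    # True when addr lies in fe80::/10 (first hextet fe80..febf).
    function is_link_local(addr,    parts) {
        split(tolower(addr), parts, ":")
        return parts[1] ~ /^fe[89ab][0-9a-f]$/
    }
    # Split "addr.port" on the last dot; sets the globals ADDR and PORT.
    function split_endpoint(ep,    n, p) {
        sub(/:$/, "", ep)            # tcpdump ends the destination with ":"
        n = split(ep, p, ".")
        PORT = p[n]
        ADDR = substr(ep, 1, length(ep) - length(PORT) - 1)
    }
    $2 == "IP6" && $4 == ">" {
        split_endpoint($3); src = ADDR
        split_endpoint($5); dst = ADDR; dport = PORT
        if (dport != "546") next     # only traffic toward the client port
        verdict = (is_link_local(src) && is_link_local(dst)) ? "MATCH" : "NO-MATCH"
        print verdict, src, "->", dst
    }'
}

# Constructed sample capture (not taken from the thread): a solicit, an
# advertise from a link-local server, and a reply from a global address.
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP6 fe80::a.546 > ff02::1:2.547: dhcp6 solicit
12:00:01.020002 IP6 fe80::1.547 > fe80::a.546: dhcp6 advertise
12:00:02.030003 IP6 2001:db8::1.547 > fe80::a.546: dhcp6 reply
EOF
}

sample_capture | classify_dhcpv6_replies
```

On the router, pipe the live capture into the function instead of the sample, for example `tcpdump -n -l -i eth0 udp port 546 or udp port 547 | classify_dhcpv6_replies`. A NO-MATCH line shows a reply whose source or destination falls outside fe80::/10 and so is not covered by that rule.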
 