IPv6 linkdown but IPv4 linkup on same interface

After also bouncing eth2 -

vyos@vyos:~$ show ipv6 route
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIPng, O - OSPFv3, I - IS-IS, B - BGP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

S>* ::/0 [1/0] via 2a0e:1d47::22, eth1, weight 1, 00:18:13
C>* 2a0e:1d47::22/127 is directly connected, eth1, weight 1, 00:18:13
L>* 2a0e:1d47::23/128 is directly connected, eth1, weight 1, 00:18:13
C>* 2a0e:1d47:11::/64 is directly connected, eth2, weight 1, 00:00:15
L>* 2a0e:1d47:11::1/128 is directly connected, eth2, weight 1, 00:00:15
C * fe80::/64 is directly connected, eth2, weight 1, 00:00:14
C * fe80::/64 is directly connected, eth1, weight 1, 00:18:11
C>* fe80::/64 is directly connected, ifb0, weight 1, 02:06:51
vyos@vyos:~$ show ipv6 neighbors
Address    Interface    Link layer address    State
---------  -----------  --------------------  -------

…and trying to ping6 the ISP gateway and known up LAN servers:

vyos@vyos:~$ ping6 2a0e:1d47::22
PING 2a0e:1d47::22(2a0e:1d47::22) 56 data bytes
^C
--- 2a0e:1d47::22 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2063ms

vyos@vyos:~$ ping6 2a0e:1d47:11::153
PING 2a0e:1d47:11::153(2a0e:1d47:11::153) 56 data bytes
^C
--- 2a0e:1d47:11::153 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2070ms

I’m at a loss.

Do you have the firewall configured at all? Do you have any neighbors on eth1 or eth2 now?

I did paste my full config via Pastebin in the OP, in case you missed it. Here’s the output of show configuration commands | match firewall directly. If there’s a better way (or if you want me to crop out the json version) please do just say. As you can see, I disabled my geoip rules for now in case they were a factor.

vyos@vyos:~$ show configuration commands | match firewall
set firewall global-options state-policy established action 'accept'
set firewall global-options state-policy invalid action 'drop'
set firewall global-options state-policy related action 'accept'
set firewall ipv4 name LAN-TO-LOCAL default-action 'accept'
set firewall ipv4 name LAN-TO-LOCAL description 'IPv4 from LAN to Router'
set firewall ipv4 name LAN-TO-WAN default-action 'drop'
set firewall ipv4 name LAN-TO-WAN description 'IPv4 from LAN to WAN'
set firewall ipv4 name LAN-TO-WAN rule 10 action 'accept'
set firewall ipv4 name LAN-TO-WAN rule 10 description 'Allow established/related'
set firewall ipv4 name LAN-TO-WAN rule 10 state 'established'
set firewall ipv4 name LAN-TO-WAN rule 10 state 'related'
set firewall ipv4 name LAN-TO-WAN rule 20 action 'accept'
set firewall ipv4 name LAN-TO-WAN rule 20 description 'Allow new outbound'
set firewall ipv4 name LAN-TO-WAN rule 20 state 'new'
set firewall ipv4 name LOCAL-TO-LAN default-action 'accept'
set firewall ipv4 name LOCAL-TO-LAN description 'IPv4 from Router to LAN'
set firewall ipv4 name LOCAL-TO-WAN default-action 'accept'
set firewall ipv4 name LOCAL-TO-WAN description 'IPv4 from Router to WAN'
set firewall ipv4 name WAN-TO-LAN default-action 'drop'
set firewall ipv4 name WAN-TO-LAN description 'IPv4 from WAN to LAN'
set firewall ipv4 name WAN-TO-LAN rule 10 action 'accept'
set firewall ipv4 name WAN-TO-LAN rule 10 description 'Allow established/related'
set firewall ipv4 name WAN-TO-LAN rule 10 state 'established'
set firewall ipv4 name WAN-TO-LAN rule 10 state 'related'
set firewall ipv4 name WAN-TO-LAN rule 20 action 'drop'
set firewall ipv4 name WAN-TO-LAN rule 20 description 'Drop traffic NOT from trusted countries'
set firewall ipv4 name WAN-TO-LAN rule 20 disable
set firewall ipv4 name WAN-TO-LAN rule 20 log
set firewall ipv4 name WAN-TO-LAN rule 20 source geoip country-code 'ad'
set firewall ipv4 name WAN-TO-LAN rule 20 source geoip country-code 'at'
set firewall ipv4 name WAN-TO-LAN rule 20 source geoip country-code 'au'
set firewall ipv4 name WAN-TO-LAN rule 20 source geoip country-code 'be'
set firewall ipv4 name WAN-TO-LAN rule 20 source geoip country-code 'ca'
set firewall ipv4 name WAN-TO-LAN rule 20 source geoip country-code 'ch'
set firewall ipv4 name WAN-TO-LAN rule 20 source geoip country-code 'de'
set firewall ipv4 name WAN-TO-LAN rule 20 source geoip country-code 'dk'
set firewall ipv4 name WAN-TO-LAN rule 20 source geoip country-code 'es'
set firewall ipv4 name WAN-TO-LAN rule 20 source geoip country-code 'fi'
set firewall ipv4 name WAN-TO-LAN rule 20 source geoip country-code 'fr'
set firewall ipv4 name WAN-TO-LAN rule 20 source geoip country-code 'gb'
set firewall ipv4 name WAN-TO-LAN rule 20 source geoip country-code 'gr'
set firewall ipv4 name WAN-TO-LAN rule 20 source geoip country-code 'ie'
set firewall ipv4 name WAN-TO-LAN rule 20 source geoip country-code 'is'
set firewall ipv4 name WAN-TO-LAN rule 20 source geoip country-code 'it'
set firewall ipv4 name WAN-TO-LAN rule 20 source geoip country-code 'li'
set firewall ipv4 name WAN-TO-LAN rule 20 source geoip country-code 'lu'
set firewall ipv4 name WAN-TO-LAN rule 20 source geoip country-code 'mc'
set firewall ipv4 name WAN-TO-LAN rule 20 source geoip country-code 'nl'
set firewall ipv4 name WAN-TO-LAN rule 20 source geoip country-code 'no'
set firewall ipv4 name WAN-TO-LAN rule 20 source geoip country-code 'nz'
set firewall ipv4 name WAN-TO-LAN rule 20 source geoip country-code 'pt'
set firewall ipv4 name WAN-TO-LAN rule 20 source geoip country-code 'se'
set firewall ipv4 name WAN-TO-LAN rule 20 source geoip country-code 'sm'
set firewall ipv4 name WAN-TO-LAN rule 20 source geoip country-code 'us'
set firewall ipv4 name WAN-TO-LAN rule 20 source geoip country-code 'va'
set firewall ipv4 name WAN-TO-LAN rule 20 source geoip inverse-match
set firewall ipv4 name WAN-TO-LAN rule 30 action 'accept'
set firewall ipv4 name WAN-TO-LAN rule 30 description 'Allow DoH/DoT/DoQ to dnsdist'
set firewall ipv4 name WAN-TO-LAN rule 30 destination address '10.100.0.153'
set firewall ipv4 name WAN-TO-LAN rule 30 destination port '443,853'
set firewall ipv4 name WAN-TO-LAN rule 30 protocol 'tcp_udp'
set firewall ipv4 name WAN-TO-LAN rule 40 action 'accept'
set firewall ipv4 name WAN-TO-LAN rule 40 description 'Allow DoH/DoT/DoQ to AdGuard'
set firewall ipv4 name WAN-TO-LAN rule 40 destination address '10.100.0.154'
set firewall ipv4 name WAN-TO-LAN rule 40 destination port '443,853'
set firewall ipv4 name WAN-TO-LAN rule 40 protocol 'tcp_udp'
set firewall ipv4 name WAN-TO-LAN rule 50 action 'accept'
set firewall ipv4 name WAN-TO-LAN rule 50 description 'Allow HTTPS to Caddy'
set firewall ipv4 name WAN-TO-LAN rule 50 destination address '10.100.0.155'
set firewall ipv4 name WAN-TO-LAN rule 50 destination port '443'
set firewall ipv4 name WAN-TO-LAN rule 50 protocol 'tcp_udp'
set firewall ipv4 name WAN-TO-LAN rule 60 action 'accept'
set firewall ipv4 name WAN-TO-LAN rule 60 description 'Allow WireGuard to awg'
set firewall ipv4 name WAN-TO-LAN rule 60 destination address '10.100.0.158'
set firewall ipv4 name WAN-TO-LAN rule 60 destination port '8080'
set firewall ipv4 name WAN-TO-LAN rule 60 protocol 'udp'
set firewall ipv4 name WAN-TO-LAN rule 70 action 'accept'
set firewall ipv4 name WAN-TO-LAN rule 70 description 'Allow ICMP - echo-request'
set firewall ipv4 name WAN-TO-LAN rule 70 icmp type-name 'echo-request'
set firewall ipv4 name WAN-TO-LAN rule 70 protocol 'icmp'
set firewall ipv4 name WAN-TO-LAN rule 71 action 'accept'
set firewall ipv4 name WAN-TO-LAN rule 71 description 'Allow ICMP - echo-reply'
set firewall ipv4 name WAN-TO-LAN rule 71 icmp type-name 'echo-reply'
set firewall ipv4 name WAN-TO-LAN rule 71 protocol 'icmp'
set firewall ipv4 name WAN-TO-LAN rule 72 action 'accept'
set firewall ipv4 name WAN-TO-LAN rule 72 description 'Allow ICMP - destination-unreachable'
set firewall ipv4 name WAN-TO-LAN rule 72 icmp type-name 'destination-unreachable'
set firewall ipv4 name WAN-TO-LAN rule 72 protocol 'icmp'
set firewall ipv4 name WAN-TO-LAN rule 73 action 'accept'
set firewall ipv4 name WAN-TO-LAN rule 73 description 'Allow ICMP - time-exceeded'
set firewall ipv4 name WAN-TO-LAN rule 73 icmp type-name 'time-exceeded'
set firewall ipv4 name WAN-TO-LAN rule 73 protocol 'icmp'
set firewall ipv4 name WAN-TO-LOCAL default-action 'drop'
set firewall ipv4 name WAN-TO-LOCAL description 'IPv4 from WAN to Router'
set firewall ipv4 name WAN-TO-LOCAL rule 10 action 'accept'
set firewall ipv4 name WAN-TO-LOCAL rule 10 description 'Allow established/related'
set firewall ipv4 name WAN-TO-LOCAL rule 10 state 'established'
set firewall ipv4 name WAN-TO-LOCAL rule 10 state 'related'
set firewall ipv4 name WAN-TO-LOCAL rule 20 action 'accept'
set firewall ipv4 name WAN-TO-LOCAL rule 20 description 'Allow ICMP - echo-request'
set firewall ipv4 name WAN-TO-LOCAL rule 20 icmp type-name 'echo-request'
set firewall ipv4 name WAN-TO-LOCAL rule 20 protocol 'icmp'
set firewall ipv4 name WAN-TO-LOCAL rule 21 action 'accept'
set firewall ipv4 name WAN-TO-LOCAL rule 21 description 'Allow ICMP - echo-reply'
set firewall ipv4 name WAN-TO-LOCAL rule 21 icmp type-name 'echo-reply'
set firewall ipv4 name WAN-TO-LOCAL rule 21 protocol 'icmp'
set firewall ipv4 name WAN-TO-LOCAL rule 22 action 'accept'
set firewall ipv4 name WAN-TO-LOCAL rule 22 description 'Allow ICMP - destination-unreachable'
set firewall ipv4 name WAN-TO-LOCAL rule 22 icmp type-name 'destination-unreachable'
set firewall ipv4 name WAN-TO-LOCAL rule 22 protocol 'icmp'
set firewall ipv4 name WAN-TO-LOCAL rule 23 action 'accept'
set firewall ipv4 name WAN-TO-LOCAL rule 23 description 'Allow ICMP - time-exceeded'
set firewall ipv4 name WAN-TO-LOCAL rule 23 icmp type-name 'time-exceeded'
set firewall ipv4 name WAN-TO-LOCAL rule 23 protocol 'icmp'
set firewall ipv4 name WAN-TO-LOCAL rule 31 action 'accept'
set firewall ipv4 name WAN-TO-LOCAL rule 31 description 'Allow ICMP - echo-reply'
set firewall ipv4 name WAN-TO-LOCAL rule 31 icmp type-name 'echo-reply'
set firewall ipv4 name WAN-TO-LOCAL rule 31 protocol 'icmp'
set firewall ipv4 name WAN-TO-LOCAL rule 32 action 'accept'
set firewall ipv4 name WAN-TO-LOCAL rule 32 description 'Allow ICMP - destination-unreachable'
set firewall ipv4 name WAN-TO-LOCAL rule 32 icmp type-name 'destination-unreachable'
set firewall ipv4 name WAN-TO-LOCAL rule 32 protocol 'icmp'
set firewall ipv4 name WAN-TO-LOCAL rule 33 action 'accept'
set firewall ipv4 name WAN-TO-LOCAL rule 33 description 'Allow ICMP - time-exceeded'
set firewall ipv4 name WAN-TO-LOCAL rule 33 icmp type-name 'time-exceeded'
set firewall ipv4 name WAN-TO-LOCAL rule 33 protocol 'icmp'
set firewall ipv4 name WAN-TO-LOCAL rule 40 action 'drop'
set firewall ipv4 name WAN-TO-LOCAL rule 40 disable
set firewall ipv4 name WAN-TO-LOCAL rule 40 log
set firewall ipv4 name WAN-TO-LOCAL rule 40 source geoip country-code 'ad'
set firewall ipv4 name WAN-TO-LOCAL rule 40 source geoip country-code 'at'
set firewall ipv4 name WAN-TO-LOCAL rule 40 source geoip country-code 'au'
set firewall ipv4 name WAN-TO-LOCAL rule 40 source geoip country-code 'be'
set firewall ipv4 name WAN-TO-LOCAL rule 40 source geoip country-code 'ca'
set firewall ipv4 name WAN-TO-LOCAL rule 40 source geoip country-code 'ch'
set firewall ipv4 name WAN-TO-LOCAL rule 40 source geoip country-code 'de'
set firewall ipv4 name WAN-TO-LOCAL rule 40 source geoip country-code 'dk'
set firewall ipv4 name WAN-TO-LOCAL rule 40 source geoip country-code 'es'
set firewall ipv4 name WAN-TO-LOCAL rule 40 source geoip country-code 'fi'
set firewall ipv4 name WAN-TO-LOCAL rule 40 source geoip country-code 'fr'
set firewall ipv4 name WAN-TO-LOCAL rule 40 source geoip country-code 'gb'
set firewall ipv4 name WAN-TO-LOCAL rule 40 source geoip country-code 'gr'
set firewall ipv4 name WAN-TO-LOCAL rule 40 source geoip country-code 'ie'
set firewall ipv4 name WAN-TO-LOCAL rule 40 source geoip country-code 'is'
set firewall ipv4 name WAN-TO-LOCAL rule 40 source geoip country-code 'it'
set firewall ipv4 name WAN-TO-LOCAL rule 40 source geoip country-code 'li'
set firewall ipv4 name WAN-TO-LOCAL rule 40 source geoip country-code 'lu'
set firewall ipv4 name WAN-TO-LOCAL rule 40 source geoip country-code 'mc'
set firewall ipv4 name WAN-TO-LOCAL rule 40 source geoip country-code 'nl'
set firewall ipv4 name WAN-TO-LOCAL rule 40 source geoip country-code 'no'
set firewall ipv4 name WAN-TO-LOCAL rule 40 source geoip country-code 'nz'
set firewall ipv4 name WAN-TO-LOCAL rule 40 source geoip country-code 'pt'
set firewall ipv4 name WAN-TO-LOCAL rule 40 source geoip country-code 'se'
set firewall ipv4 name WAN-TO-LOCAL rule 40 source geoip country-code 'sm'
set firewall ipv4 name WAN-TO-LOCAL rule 40 source geoip country-code 'us'
set firewall ipv4 name WAN-TO-LOCAL rule 40 source geoip country-code 'va'
set firewall ipv4 name WAN-TO-LOCAL rule 40 source geoip inverse-match
set firewall ipv6 name LAN-TO-LOCAL default-action 'accept'
set firewall ipv6 name LAN-TO-LOCAL description 'IPv6 from LAN to Router'
set firewall ipv6 name LAN-TO-WAN default-action 'drop'
set firewall ipv6 name LAN-TO-WAN description 'IPv6 from LAN to WAN'
set firewall ipv6 name LAN-TO-WAN rule 10 action 'accept'
set firewall ipv6 name LAN-TO-WAN rule 10 description 'Allow established/related'
set firewall ipv6 name LAN-TO-WAN rule 10 state 'established'
set firewall ipv6 name LAN-TO-WAN rule 10 state 'related'
set firewall ipv6 name LAN-TO-WAN rule 20 action 'accept'
set firewall ipv6 name LAN-TO-WAN rule 20 description 'Allow new outbound'
set firewall ipv6 name LAN-TO-WAN rule 20 state 'new'
set firewall ipv6 name LOCAL-TO-LAN default-action 'accept'
set firewall ipv6 name LOCAL-TO-LAN description 'IPv6 from Router to LAN'
set firewall ipv6 name LOCAL-TO-WAN default-action 'accept'
set firewall ipv6 name LOCAL-TO-WAN description 'IPv6 from Router to WAN'
set firewall ipv6 name WAN-TO-LAN default-action 'drop'
set firewall ipv6 name WAN-TO-LAN description 'IPv6 from WAN to LAN'
set firewall ipv6 name WAN-TO-LAN rule 10 action 'accept'
set firewall ipv6 name WAN-TO-LAN rule 10 description 'Allow established/related'
set firewall ipv6 name WAN-TO-LAN rule 10 state 'established'
set firewall ipv6 name WAN-TO-LAN rule 10 state 'related'
set firewall ipv6 name WAN-TO-LAN rule 20 action 'drop'
set firewall ipv6 name WAN-TO-LAN rule 20 description 'Drop traffic NOT from trusted countries IPv6'
set firewall ipv6 name WAN-TO-LAN rule 20 disable
set firewall ipv6 name WAN-TO-LAN rule 20 log
set firewall ipv6 name WAN-TO-LAN rule 20 source geoip country-code 'ad'
set firewall ipv6 name WAN-TO-LAN rule 20 source geoip country-code 'at'
set firewall ipv6 name WAN-TO-LAN rule 20 source geoip country-code 'au'
set firewall ipv6 name WAN-TO-LAN rule 20 source geoip country-code 'be'
set firewall ipv6 name WAN-TO-LAN rule 20 source geoip country-code 'ca'
set firewall ipv6 name WAN-TO-LAN rule 20 source geoip country-code 'ch'
set firewall ipv6 name WAN-TO-LAN rule 20 source geoip country-code 'de'
set firewall ipv6 name WAN-TO-LAN rule 20 source geoip country-code 'dk'
set firewall ipv6 name WAN-TO-LAN rule 20 source geoip country-code 'es'
set firewall ipv6 name WAN-TO-LAN rule 20 source geoip country-code 'fi'
set firewall ipv6 name WAN-TO-LAN rule 20 source geoip country-code 'fr'
set firewall ipv6 name WAN-TO-LAN rule 20 source geoip country-code 'gb'
set firewall ipv6 name WAN-TO-LAN rule 20 source geoip country-code 'gr'
set firewall ipv6 name WAN-TO-LAN rule 20 source geoip country-code 'ie'
set firewall ipv6 name WAN-TO-LAN rule 20 source geoip country-code 'is'
set firewall ipv6 name WAN-TO-LAN rule 20 source geoip country-code 'it'
set firewall ipv6 name WAN-TO-LAN rule 20 source geoip country-code 'li'
set firewall ipv6 name WAN-TO-LAN rule 20 source geoip country-code 'lu'
set firewall ipv6 name WAN-TO-LAN rule 20 source geoip country-code 'mc'
set firewall ipv6 name WAN-TO-LAN rule 20 source geoip country-code 'nl'
set firewall ipv6 name WAN-TO-LAN rule 20 source geoip country-code 'no'
set firewall ipv6 name WAN-TO-LAN rule 20 source geoip country-code 'nz'
set firewall ipv6 name WAN-TO-LAN rule 20 source geoip country-code 'pt'
set firewall ipv6 name WAN-TO-LAN rule 20 source geoip country-code 'se'
set firewall ipv6 name WAN-TO-LAN rule 20 source geoip country-code 'sm'
set firewall ipv6 name WAN-TO-LAN rule 20 source geoip country-code 'us'
set firewall ipv6 name WAN-TO-LAN rule 20 source geoip country-code 'va'
set firewall ipv6 name WAN-TO-LAN rule 20 source geoip inverse-match
set firewall ipv6 name WAN-TO-LAN rule 30 action 'accept'
set firewall ipv6 name WAN-TO-LAN rule 30 description 'Allow DoH/DoT/DoQ to dnsdist IPv6'
set firewall ipv6 name WAN-TO-LAN rule 30 destination address '2a0e:1d47:11::153'
set firewall ipv6 name WAN-TO-LAN rule 30 destination port '443,853'
set firewall ipv6 name WAN-TO-LAN rule 30 protocol 'tcp_udp'
set firewall ipv6 name WAN-TO-LAN rule 40 action 'accept'
set firewall ipv6 name WAN-TO-LAN rule 40 description 'Allow DoH/DoT/DoQ to AdGuard IPv6'
set firewall ipv6 name WAN-TO-LAN rule 40 destination address '2a0e:1d47:11::154'
set firewall ipv6 name WAN-TO-LAN rule 40 destination port '443,853'
set firewall ipv6 name WAN-TO-LAN rule 40 protocol 'tcp_udp'
set firewall ipv6 name WAN-TO-LAN rule 50 action 'accept'
set firewall ipv6 name WAN-TO-LAN rule 50 description 'Allow HTTPS to Caddy IPv6'
set firewall ipv6 name WAN-TO-LAN rule 50 destination address '2a0e:1d47:11::155'
set firewall ipv6 name WAN-TO-LAN rule 50 destination port '443'
set firewall ipv6 name WAN-TO-LAN rule 50 protocol 'tcp_udp'
set firewall ipv6 name WAN-TO-LAN rule 60 action 'accept'
set firewall ipv6 name WAN-TO-LAN rule 60 description 'Allow WireGuard to awg IPv6'
set firewall ipv6 name WAN-TO-LAN rule 60 destination address '2a0e:1d47:11::158'
set firewall ipv6 name WAN-TO-LAN rule 60 destination port '8080'
set firewall ipv6 name WAN-TO-LAN rule 60 protocol 'udp'
set firewall ipv6 name WAN-TO-LAN rule 70 action 'accept'
set firewall ipv6 name WAN-TO-LAN rule 70 description 'Allow ICMP - echo-request'
set firewall ipv6 name WAN-TO-LAN rule 70 icmpv6 type-name 'echo-request'
set firewall ipv6 name WAN-TO-LAN rule 70 protocol 'icmpv6'
set firewall ipv6 name WAN-TO-LAN rule 71 action 'accept'
set firewall ipv6 name WAN-TO-LAN rule 71 description 'Allow ICMP - echo-reply'
set firewall ipv6 name WAN-TO-LAN rule 71 icmpv6 type-name 'echo-reply'
set firewall ipv6 name WAN-TO-LAN rule 71 protocol 'icmpv6'
set firewall ipv6 name WAN-TO-LAN rule 72 action 'accept'
set firewall ipv6 name WAN-TO-LAN rule 72 description 'Allow ICMP - destination-unreachable'
set firewall ipv6 name WAN-TO-LAN rule 72 icmpv6 type-name 'destination-unreachable'
set firewall ipv6 name WAN-TO-LAN rule 72 protocol 'icmpv6'
set firewall ipv6 name WAN-TO-LAN rule 73 action 'accept'
set firewall ipv6 name WAN-TO-LAN rule 73 description 'Allow ICMP - packet-too-big'
set firewall ipv6 name WAN-TO-LAN rule 73 icmpv6 type-name 'packet-too-big'
set firewall ipv6 name WAN-TO-LAN rule 73 protocol 'icmpv6'
set firewall ipv6 name WAN-TO-LAN rule 74 action 'accept'
set firewall ipv6 name WAN-TO-LAN rule 74 description 'Allow ICMP - time-exceeded'
set firewall ipv6 name WAN-TO-LAN rule 74 icmpv6 type-name 'time-exceeded'
set firewall ipv6 name WAN-TO-LAN rule 74 protocol 'icmpv6'
set firewall ipv6 name WAN-TO-LAN rule 75 action 'accept'
set firewall ipv6 name WAN-TO-LAN rule 75 description 'Allow ICMP - parameter-problem'
set firewall ipv6 name WAN-TO-LAN rule 75 icmpv6 type-name 'parameter-problem'
set firewall ipv6 name WAN-TO-LAN rule 75 protocol 'icmpv6'
set firewall ipv6 name WAN-TO-LAN rule 76 action 'accept'
set firewall ipv6 name WAN-TO-LAN rule 76 description 'Allow ICMP - nd-neighbor-advert'
set firewall ipv6 name WAN-TO-LAN rule 76 icmpv6 type-name 'nd-neighbor-advert'
set firewall ipv6 name WAN-TO-LAN rule 76 protocol 'icmpv6'
set firewall ipv6 name WAN-TO-LAN rule 77 action 'accept'
set firewall ipv6 name WAN-TO-LAN rule 77 description 'Allow ICMP - nd-neighbor-solicit'
set firewall ipv6 name WAN-TO-LAN rule 77 icmpv6 type-name 'nd-neighbor-solicit'
set firewall ipv6 name WAN-TO-LAN rule 77 protocol 'icmpv6'
set firewall ipv6 name WAN-TO-LOCAL default-action 'drop'
set firewall ipv6 name WAN-TO-LOCAL description 'IPv6 from WAN to Router'
set firewall ipv6 name WAN-TO-LOCAL rule 10 action 'accept'
set firewall ipv6 name WAN-TO-LOCAL rule 10 description 'Allow established/related'
set firewall ipv6 name WAN-TO-LOCAL rule 10 state 'established'
set firewall ipv6 name WAN-TO-LOCAL rule 10 state 'related'
set firewall ipv6 name WAN-TO-LOCAL rule 20 action 'accept'
set firewall ipv6 name WAN-TO-LOCAL rule 20 description 'Allow ICMP - echo-request'
set firewall ipv6 name WAN-TO-LOCAL rule 20 icmpv6 type-name 'echo-request'
set firewall ipv6 name WAN-TO-LOCAL rule 20 protocol 'icmpv6'
set firewall ipv6 name WAN-TO-LOCAL rule 21 action 'accept'
set firewall ipv6 name WAN-TO-LOCAL rule 21 description 'Allow ICMP - echo-reply'
set firewall ipv6 name WAN-TO-LOCAL rule 21 icmpv6 type-name 'echo-reply'
set firewall ipv6 name WAN-TO-LOCAL rule 21 protocol 'icmpv6'
set firewall ipv6 name WAN-TO-LOCAL rule 22 action 'accept'
set firewall ipv6 name WAN-TO-LOCAL rule 22 description 'Allow ICMP - destination-unreachable'
set firewall ipv6 name WAN-TO-LOCAL rule 22 icmpv6 type-name 'destination-unreachable'
set firewall ipv6 name WAN-TO-LOCAL rule 22 protocol 'icmpv6'
set firewall ipv6 name WAN-TO-LOCAL rule 23 action 'accept'
set firewall ipv6 name WAN-TO-LOCAL rule 23 description 'Allow ICMP - packet-too-big'
set firewall ipv6 name WAN-TO-LOCAL rule 23 icmpv6 type-name 'packet-too-big'
set firewall ipv6 name WAN-TO-LOCAL rule 23 protocol 'icmpv6'
set firewall ipv6 name WAN-TO-LOCAL rule 24 action 'accept'
set firewall ipv6 name WAN-TO-LOCAL rule 24 description 'Allow ICMP - time-exceeded'
set firewall ipv6 name WAN-TO-LOCAL rule 24 icmpv6 type-name 'time-exceeded'
set firewall ipv6 name WAN-TO-LOCAL rule 24 protocol 'icmpv6'
set firewall ipv6 name WAN-TO-LOCAL rule 25 action 'accept'
set firewall ipv6 name WAN-TO-LOCAL rule 25 description 'Allow ICMP - parameter-problem'
set firewall ipv6 name WAN-TO-LOCAL rule 25 icmpv6 type-name 'parameter-problem'
set firewall ipv6 name WAN-TO-LOCAL rule 25 protocol 'icmpv6'
set firewall ipv6 name WAN-TO-LOCAL rule 26 action 'accept'
set firewall ipv6 name WAN-TO-LOCAL rule 26 description 'Allow ICMP - nd-neighbor-advert'
set firewall ipv6 name WAN-TO-LOCAL rule 26 icmpv6 type-name 'nd-neighbor-advert'
set firewall ipv6 name WAN-TO-LOCAL rule 26 protocol 'icmpv6'
set firewall ipv6 name WAN-TO-LOCAL rule 27 action 'accept'
set firewall ipv6 name WAN-TO-LOCAL rule 27 description 'Allow ICMP - nd-neighbor-solicit'
set firewall ipv6 name WAN-TO-LOCAL rule 27 icmpv6 type-name 'nd-neighbor-solicit'
set firewall ipv6 name WAN-TO-LOCAL rule 27 protocol 'icmpv6'
set firewall ipv6 name WAN-TO-LOCAL rule 28 action 'accept'
set firewall ipv6 name WAN-TO-LOCAL rule 28 description 'Allow ICMP - nd-router-solicit'
set firewall ipv6 name WAN-TO-LOCAL rule 28 icmpv6 type-name 'nd-router-solicit'
set firewall ipv6 name WAN-TO-LOCAL rule 28 protocol 'icmpv6'
set firewall zone LAN default-action 'drop'
set firewall zone LAN description 'Local Area Network'
set firewall zone LAN from LOCAL firewall name 'LOCAL-TO-LAN'
set firewall zone LAN from WAN firewall name 'WAN-TO-LAN'
set firewall zone LAN member interface 'eth2'
set firewall zone LOCAL default-action 'drop'
set firewall zone LOCAL description 'Local router services'
set firewall zone LOCAL from LAN firewall name 'LAN-TO-LOCAL'
set firewall zone LOCAL from WAN firewall name 'WAN-TO-LOCAL'
set firewall zone LOCAL local-zone
set firewall zone WAN default-action 'drop'
set firewall zone WAN description 'Wide Area Network / Internet'
set firewall zone WAN from LAN firewall name 'LAN-TO-WAN'
set firewall zone WAN from LOCAL firewall name 'LOCAL-TO-WAN'
set firewall zone WAN member interface 'eth1'

I did paste my full config via Pastebin in the OP, in case you missed it

Yeah, I saw that you did but as a general practice, I don’t download people’s configs as a file unless it’s directly on this forum.

Your ipv6 policies for lan-to-local and local-to-lan look fine.

For testing, temporarily remove your qos and ifb redirect:

delete qos
delete interfaces ethernet eth1 redirect

The link is a pastebin showing the code with syntax highlighting, you can’t download it as a file. :slight_smile: After deleting qos and interfaces ethernet eth1 redirect:

vyos@vyos:~$ show ipv6 neighbors
Address    Interface    Link layer address    State
---------  -----------  --------------------  -------
vyos@vyos:~$ show ipv6 route
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIPng, O - OSPFv3, I - IS-IS, B - BGP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

S>* ::/0 [1/0] via 2a0e:1d47::22, eth1, weight 1, 00:44:15
C>* 2a0e:1d47::22/127 is directly connected, eth1, weight 1, 00:44:15
L>* 2a0e:1d47::23/128 is directly connected, eth1, weight 1, 00:44:15
C>* 2a0e:1d47:11::/64 is directly connected, eth2, weight 1, 00:26:17
L>* 2a0e:1d47:11::1/128 is directly connected, eth2, weight 1, 00:26:17
C * fe80::/64 is directly connected, eth2, weight 1, 00:26:16
C * fe80::/64 is directly connected, eth1, weight 1, 00:44:13
C>* fe80::/64 is directly connected, ifb0, weight 1, 02:32:53

I can only successfully ping6 the LAN’s own IPv6 address (2a0e:1d47:11::1), not the ISP gateway or any LAN servers. I feel like I’m missing something obvious at this point, I even asked AI before posting here and it said no errors (for what little that’s worth). VyOS is amazing to work with and it’s much lighter and faster than OPNsense, so I’m really hoping to crack this. It looks like it ‘should’ work, it just doesn’t.

For what it’s worth, also, the IPv6 firewall statistics are basically 0 bar a few (28) ‘established’ packets at some point; but there’s nothing going ‘through’ the ipv6 firewall, blocked or otherwise. If packets aren’t even hitting the firewall it has to be an L2/3 issue rather than a firewall setup issue?

---------------------------------
ipv6 State Policy

State          Packets    Bytes  Conditions
-----------  ---------  -------  ----------------------------
established         28     2912  ct state established  accept
invalid              0        0  ct state invalid
related              0        0  ct state related  accept

---------------------------------
ipv6 Firewall "name LAN-TO-LOCAL"

Rule       Packets    Bytes  Action    Source    Destination    Inbound-Interface    Outbound-interface
-------  ---------  -------  --------  --------  -------------  -------------------  --------------------
default          0        0  accept    any       any            any                  any

---------------------------------
ipv6 Firewall "name LAN-TO-WAN"

Rule       Packets    Bytes  Action    Source    Destination    Inbound-Interface    Outbound-interface
-------  ---------  -------  --------  --------  -------------  -------------------  --------------------
10               0        0  accept    any       any            any                  any
20               0        0  accept    any       any            any                  any
default          0        0  drop      any       any            any                  any

---------------------------------
ipv6 Firewall "name LOCAL-TO-LAN"

Rule       Packets    Bytes  Action    Source    Destination    Inbound-Interface    Outbound-interface
-------  ---------  -------  --------  --------  -------------  -------------------  --------------------
default          0        0  accept    any       any            any                  any

---------------------------------
ipv6 Firewall "name LOCAL-TO-WAN"

Rule       Packets    Bytes  Action    Source    Destination    Inbound-Interface    Outbound-interface
-------  ---------  -------  --------  --------  -------------  -------------------  --------------------
default          0        0  accept    any       any            any                  any

---------------------------------
ipv6 Firewall "name WAN-TO-LAN"

Rule       Packets    Bytes  Action    Source    Destination        Inbound-Interface    Outbound-interface
-------  ---------  -------  --------  --------  -----------------  -------------------  --------------------
10               0        0  accept    any       any                any                  any
30               0        0  accept    any       2a0e:1d47:11::153  any                  any
40               0        0  accept    any       2a0e:1d47:11::154  any                  any
50               0        0  accept    any       2a0e:1d47:11::155  any                  any
60               0        0  accept    any       2a0e:1d47:11::158  any                  any
70               0        0  accept    any       any                any                  any
71               0        0  accept    any       any                any                  any
72               0        0  accept    any       any                any                  any
73               0        0  accept    any       any                any                  any
74               0        0  accept    any       any                any                  any
75               0        0  accept    any       any                any                  any
76               0        0  accept    any       any                any                  any
77               0        0  accept    any       any                any                  any
default          0        0  drop      any       any                any                  any

---------------------------------
ipv6 Firewall "name WAN-TO-LOCAL"

Rule       Packets    Bytes  Action    Source    Destination    Inbound-Interface    Outbound-interface
-------  ---------  -------  --------  --------  -------------  -------------------  --------------------
10               0        0  accept    any       any            any                  any
20               0        0  accept    any       any            any                  any
21               0        0  accept    any       any            any                  any
22               0        0  accept    any       any            any                  any
23               0        0  accept    any       any            any                  any
24               0        0  accept    any       any            any                  any
25               0        0  accept    any       any            any                  any
26               0        0  accept    any       any            any                  any
27               0        0  accept    any       any            any                  any
28               0        0  accept    any       any            any                  any
default          0        0  drop      any       any            any                  any

Do you have any policy routes configured or anything?

vyos@vyos:~$ show configuration commands | match policy
set firewall global-options state-policy established action 'accept'
set firewall global-options state-policy invalid action 'drop'
set firewall global-options state-policy related action 'accept'

No policy routes, just the static routes already posted for my ISP gateways (IPv4 and v6). If I’ve misunderstood the question please feel free to reframe.

No, policy routes are for “policy based routing”, which you don’t have. If you ever want to see the specific section rather than doing show configuration commands, you can just drop into config mode and run something like show policy, or show firewall, and it’ll just show that section.

At this point, you may just need to spin up a VM and lab this (or do it on a live box if you want). Start slow with just the IPs and routing. See if you can ping, then layer on FW, then QoS, then NAT, and whatever else you’re using, testing along the way.

I can’t recreate your issue with a simple config (except for the potential race condition for the QoS bit). So it very well may just be some random thing you have preventing it.

One quick thing you can check is to disable the offloads (if they’re configured), which often cause more problems than they solve:

delete interfaces ethernet eth1 offload
delete interfaces ethernet eth2 offload

Thanks so very much for trying to help (and for the conf mode show command tip!). At least it’s not just me who can’t pin this down, I’ve been staring at this for 12 hours now - it’s 2.30am my time! There were no offload commands set btw.

I’ll try your suggestion of pulling it down to the basics on the live box and see what happens. I didn’t see any glaring issue in labbing it, either. Again, thank you. If all else fails I’ll have to just go back to OPNsense for now, but I’m hoping not because I’m in love with VyOS aside from these IPv6 issues. Cheers!

I may see what your issue is. I just noticed you’re not applying any of your ipv6 firewall policies; you’re only applying your ipv4 ones.

EDIT: At least in the config you sent, but they do seem to be applied in the show firewall op output you pasted. An easy check is to just delete the firewall temporarily and see if your ipv6 traffic starts working.

Yep, that’s your issue. Add these lines:

set firewall zone WAN from LOCAL firewall ipv6-name 'LOCAL-TO-WAN'
set firewall zone LOCAL from WAN firewall ipv6-name 'WAN-TO-LOCAL'

set firewall zone LAN from LOCAL firewall ipv6-name 'LOCAL-TO-LAN'
set firewall zone LOCAL from LAN firewall ipv6-name 'LAN-TO-LOCAL'

The show firewall op command seems to be incorrect, because it’ll show policies applied to ipv6 even when there isn’t. I’d recommend changing your policies to have ‘v4’ and ‘v6’ added to the names to avoid that confusion.
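As an added illustration of the binding mistake found above (example code, not from the thread or from VyOS itself): this Python script parses `set firewall ...` lines, reports named rulesets that are defined but bound to no zone pair, and emits the missing `ipv6-name` bindings. It generalizes the check to every zone pair, including the LAN/WAN ones, and the sample config is constructed to mirror the thread's layout.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample (not the thread's full config): six ipv4 and six ipv6
# named rulesets are defined, but each zone pair is bound only to the ipv4
# ruleset via "firewall name", exactly the mistake found in the thread.
SAMPLE_CONFIG = """
set firewall ipv4 name LAN-TO-LOCAL default-action 'accept'
set firewall ipv4 name LAN-TO-WAN default-action 'drop'
set firewall ipv4 name LOCAL-TO-LAN default-action 'accept'
set firewall ipv4 name LOCAL-TO-WAN default-action 'accept'
set firewall ipv4 name WAN-TO-LAN default-action 'drop'
set firewall ipv4 name WAN-TO-LOCAL default-action 'drop'
set firewall ipv6 name LAN-TO-LOCAL default-action 'accept'
set firewall ipv6 name LAN-TO-WAN default-action 'drop'
set firewall ipv6 name LOCAL-TO-LAN default-action 'accept'
set firewall ipv6 name LOCAL-TO-WAN default-action 'accept'
set firewall ipv6 name WAN-TO-LAN default-action 'drop'
set firewall ipv6 name WAN-TO-LOCAL default-action 'drop'
set firewall zone LAN from LOCAL firewall name 'LOCAL-TO-LAN'
set firewall zone LAN from WAN firewall name 'WAN-TO-LAN'
set firewall zone LOCAL from LAN firewall name 'LAN-TO-LOCAL'
set firewall zone LOCAL from WAN firewall name 'WAN-TO-LOCAL'
set firewall zone WAN from LAN firewall name 'LAN-TO-WAN'
set firewall zone WAN from LOCAL firewall name 'LOCAL-TO-WAN'
"""

RULESET_RE = re.compile(r"^set firewall (ipv4|ipv6) name (\S+)\b")
ZONE_PAIR_RE = re.compile(
    r"^set firewall zone (\S+) from (\S+) firewall (name|ipv6-name) '([^']+)'$"
)
# Zone-pair keyword that binds each ruleset family.
BIND_KEY = {"ipv4": "name", "ipv6": "ipv6-name"}


def parse_rulesets(config: str) -> Dict[str, Set[str]]:
    """Named rulesets defined per family, e.g. {'ipv6': {'WAN-TO-LOCAL', ...}}."""
    rulesets: Dict[str, Set[str]] = {"ipv4": set(), "ipv6": set()}
    for line in config.splitlines():
        m = RULESET_RE.match(line.strip())
        if m:
            rulesets[m.group(1)].add(m.group(2))
    return rulesets


def parse_zone_pairs(config: str) -> Dict[Tuple[str, str], Dict[str, str]]:
    """{(to_zone, from_zone): {'name': v4_ruleset, 'ipv6-name': v6_ruleset}}."""
    pairs: Dict[Tuple[str, str], Dict[str, str]] = {}
    for line in config.splitlines():
        m = ZONE_PAIR_RE.match(line.strip())
        if m:
            to_zone, from_zone, key, ruleset = m.groups()
            pairs.setdefault((to_zone, from_zone), {})[key] = ruleset
    return pairs


def unattached_rulesets(config: str) -> Dict[str, List[str]]:
    """Rulesets defined but bound to no zone pair, per family.

    Rules in such a ruleset never see a packet, which is why the thread's
    "show firewall" counters for the ipv6 rulesets all stayed at 0.
    """
    defined = parse_rulesets(config)
    bound: Dict[str, Set[str]] = {"ipv4": set(), "ipv6": set()}
    for binding in parse_zone_pairs(config).values():
        for family, key in BIND_KEY.items():
            if key in binding:
                bound[family].add(binding[key])
    return {fam: sorted(defined[fam] - bound[fam]) for fam in defined}


def suggest_ipv6_bindings(config: str) -> List[str]:
    """For each zone pair with an ipv4 binding but no ipv6-name, emit the
    "set" command binding the same-named ipv6 ruleset, if one is defined."""
    v6_defined = parse_rulesets(config)["ipv6"]
    fixes: List[str] = []
    for (to_zone, from_zone), binding in sorted(parse_zone_pairs(config).items()):
        if "ipv6-name" in binding or "name" not in binding:
            continue
        candidate = binding["name"]
        if candidate in v6_defined:
            fixes.append(
                f"set firewall zone {to_zone} from {from_zone} "
                f"firewall ipv6-name '{candidate}'"
            )
    return fixes


if __name__ == "__main__":
    for family, names in unattached_rulesets(SAMPLE_CONFIG).items():
        print(f"{family}: defined but unattached -> {names or 'none'}")
    print("\n".join(suggest_ipv6_bindings(SAMPLE_CONFIG)))
```

Run it against the output of `show configuration commands | match firewall` to get the exact `set` lines to paste into config mode.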

You superstar. I can’t believe I missed that! So many hours down the drain. Well, on the plus side I do at least intimately know the machine inside out now and I’ll be configuring it in my sleep tonight. Well, tomorrow - it’s almost 4am here. Sigh. Thanks again!

Glad you got it squared away!