Hi team,
I am facing an issue with IPv6 ULA clients behind WireGuard when trying to reach the public Internet through my OpenWrt router.
Setup
Device: PR60X (OpenWrt-based)
WAN6: has delegated prefix 240b:10:b00:1220::/60 (GUA)
WireGuard interface (wg0) is configured with:
ULA: fdea:a732:e7de:5552::/64
GUA (manually added): 240b:10:b00:1222::1/64
Problem
VPN clients get ULA addresses (fdea:a732:e7de:5552::/64)
When they ping public IPv6 hosts (e.g. dns.google), the router itself (wg0) immediately replies with:
ICMPv6 Destination Unreachable, unreachable route
Packets never leave the wg0 interface towards eth0 (WAN).
What I tried
Manually adding ip6tables NAT rules:
Outbound ULA → GUA
ip6tables -t nat -A POSTROUTING -o wg0 -s fdea:a732:e7de:5552::/64 \
    -j NETMAP --to 240b:10:b00:1222::/64
Inbound return traffic
ip6tables -t nat -A PREROUTING -i eth0 -d 240b:10:b00:1222::/64 \
    -j NETMAP --to fdea:a732:e7de:5552::/64
But this only works if the packets make it out of wg0.
In practice, they are dropped inside wg0.