ER8411: WireGuard LAN-to-LAN access broken after IPv6 activation/deactivation and reboot
Hardware & Software:
- Router: ER8411 V1, Firmware 1.3.6
- Controller: Omada Software Controller 6.2.10.17 (Docker on OpenMediaVault)
Problem statement:
I have a LAN setup with 3 VLANs. Access to the Management VLAN (VLAN 10) is restricted by Gateway ACL so that it is only possible through the WireGuard tunnel. Everything was working perfectly.
Today I tried to set up IPv6 because I received a fixed IPv6 /48 range from my internet provider. After activating IPv6 on my router and on one of the VLANs, I experienced some issues. I therefore deactivated IPv6 again and rebooted the ER8411. Since then, my WireGuard access has been broken.
Details
Network Setup:
The network is segmented into three VLANs:
| VLAN | Purpose | Subnet |
|---|---|---|
| VLAN 10 | Admin (router, switches, controller) | 192.168.0.0/24 |
| VLAN 20 | Clients (PCs, laptops, NAS servers) | 192.168.2.0/24 |
| VLAN 30 | IoT devices | 192.168.5.0/24 |
Access to VLAN 10 is restricted via Gateway ACL rules — clients in VLAN 20 and VLAN 30 cannot access VLAN 10 directly. The only way to reach VLAN 10 from VLAN 20 is through a WireGuard VPN tunnel (tunnel subnet 10.0.200.0/24, listening port 51820).
Background:
WireGuard VPN was working perfectly for LAN-to-LAN access (VLAN 20 → VLAN 10) for several weeks without any issues. Clients in VLAN 20 could connect via WireGuard and access all hosts in VLAN 10 without problems.
What happened:
- Activated IPv6 on WAN (DHCPv6-PD, Prefix Delegation Size 48)
- Activated IPv6 on VLAN 20 (SLAAC+Stateless DHCP)
- Rebooted ER8411
- Deactivated IPv6 on VLAN 20 and WAN again
- Rebooted ER8411 again
- Since then, WireGuard LAN-to-LAN access is broken
Current symptoms:
- WireGuard handshake works fine (Last handshake: a few seconds ago)
- ping 10.0.200.1 (WireGuard interface on ER8411) ✅
- ping 192.168.0.1 (VLAN 10 gateway, router itself) ✅
- ping 192.168.0.x (any other host in VLAN 10) ❌ Timeout
- On the server side under Connected Peers, the received traffic is much higher than what the client shows as received — response packets appear to leave the ER8411 but never arrive at the client
- WireGuard tunnel completely deleted and recreated — problem persists
- Tried a different tunnel subnet — problem persists
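The counter mismatch noted above can be quantified by pairing each side's transmit counter with the other side's receive counter. The following is an added example, not code from the original post or from TP-Link: it parses the client's `wg show <iface> transfer` output (one tab-separated line per peer: public key, rx bytes, tx bytes) and compares it with the server-side numbers copied from the Omada Connected Peers page. The peer key and all byte counts below are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class Counters:
    rx: int  # bytes this side counts as received
    tx: int  # bytes this side counts as sent


def parse_wg_transfer(output: str, peer_key: str) -> Counters:
    """Parse `wg show <iface> transfer` output: one line per peer, key\\trx\\ttx."""
    for line in output.strip().splitlines():
        key, rx, tx = line.split("\t")
        if key == peer_key:
            return Counters(rx=int(rx), tx=int(tx))
    raise KeyError(f"peer {peer_key} not found in wg output")


def direction_loss(sent: int, received: int) -> float:
    """Fraction of bytes one side counts as sent that the other side never received."""
    if sent == 0:
        return 0.0
    return max(0.0, (sent - received) / sent)


def diagnose(client: Counters, server: Counters, threshold: float = 0.5) -> dict:
    """Pair server.tx with client.rx (replies) and client.tx with server.rx (requests).
    A large gap in exactly one pairing marks which direction of the tunnel drops traffic."""
    to_client = direction_loss(server.tx, client.rx)   # router -> client (reply path)
    to_server = direction_loss(client.tx, server.rx)   # client -> router (request path)
    if to_client > threshold and to_server <= threshold:
        verdict = "return path broken: replies leave the router but do not reach the client"
    elif to_server > threshold and to_client <= threshold:
        verdict = "forward path broken: client traffic is not reaching the router"
    elif to_client > threshold and to_server > threshold:
        verdict = "both directions losing traffic"
    else:
        verdict = "counters consistent; loss is not between the WireGuard endpoints"
    return {"loss_to_client": to_client, "loss_to_server": to_server, "verdict": verdict}


# Constructed sample: one peer line as printed by `wg show wg0 transfer` on the client.
SAMPLE_CLIENT_OUTPUT = "PLACEHOLDER_SERVER_PUBKEY=\t4200\t61800\n"
# Constructed sample of the server-side counters read from the Omada Connected Peers page:
# the router's received bytes match the client's sent bytes, but the router's sent bytes
# are far above what the client received, i.e. the reply path is where traffic is lost.
SAMPLE_SERVER = Counters(rx=61800, tx=58900)

if __name__ == "__main__":
    client = parse_wg_transfer(SAMPLE_CLIENT_OUTPUT, "PLACEHOLDER_SERVER_PUBKEY=")
    print(diagnose(client, SAMPLE_SERVER))
```

Counters on both sides should be read at nearly the same moment, or after a fresh handshake, so that only traffic from the same interval is compared.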
ACL Rules (unchanged, verified correct):
| Priority | Name | Direction | Policy | Source | Destination |
|---|---|---|---|---|---|
| 6 | Allow-VPN-to-Admin | LAN→LAN | Allow | 10.0.200.0/24 | 192.168.0.0/24 |
| 7 | Deny-Clients-to-Admin | LAN→LAN | Deny | 192.168.2.0/24 | 192.168.0.0/24 |
What I have ruled out:
- ACL rules are correct and in the right order
- IP group for WireGuard subnet is correct (10.0.200.0/24)
- Tunnel recreated from scratch, handshake works, keys are correct
- Windows Firewall is not the issue
- IPv6 fully disabled on WAN and all VLANs
- Multiple reboots of the ER8411 and client PC
Question:
Has anyone experienced a similar issue? Is there a way to reset the internal state of the ER8411 without performing a full factory reset? Could the temporary activation of IPv6 have caused a persistent routing issue that survives reboots?
