6in4 : unable to ping6 from / to br-lan clients

Hello Friends!

I recently switched to Virgin Media (UK) from Sky. I knew VM do not supply ipv6. However there are many cases saying 6in4 runs well on openwrt. I was pretty confident of achieving the same. But destiny is a funny thing, you know.

I followed the instructions here : https://openwrt.org/docs/guide-user/network/ipv6/ipv6tunnel-luci

I had a problem with the VM-supplied router. Its modem mode has a very unstable connection. So I have to revert to the router mode. So I suppressed the wifi and activated DMZ.

The OpenWRT router I use is LinkSys EA8300. It gives me a dashing performance! :slight_smile: But for 6in4, there is partial success. I could see the br-lan getting the delegated prefix 2001:470:rrrr::/48. I also see my wifi client laptop getting downstream ipv6 address 2001:470:rrrr:####:####:####:####:####/128. This address persists through LinkSys reboots.

However I can't ping6 to an ipv6 domain. I get error : Destination host unreachable

I tried to use tracert :

C:\Windows\System32>tracert -6 bbc.co.uk
Tracing route to bbc.co.uk [2a04:4e42:400::81]
over a maximum of 30 hops:
  1     2 ms     1 ms     1 ms  2001:470:rrrr::1
  2  Destination host unreachable.
Trace complete.

It seems I can't proceed beyond br-lan. Surely I am missing something. Did I configure dns correctly? Or maybe something else? Here are my listings.

nano /etc/config/dhcp
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option sequential_ip '1'
        option localuse '1'
        option logqueries '1'
        option confdir '/tmp/dnsmasq.d'
        option resolvfile '/tmp/resolv.conf.vpn'
        list server '208.67.222.222'
        list server '208.67.220.220'
        list server '1.1.1.1'
        list server '1.0.0.1'

config dhcp 'lan'
        option interface 'lan'
        option start '2'
        option limit '253'
        option leasetime '12h'
        option dhcpv6 'hybrid'
        option ra 'hybrid'
        option ra_management '1'
        option ndp 'hybrid'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

nano /etc/config/network

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '50'
        list ipaddr '192.168.1.1/24'
        list ip6class 'wan6'
        list ip6class 'local'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        list dns '192.168.0.1'
        list dns '194.168.4.100'
        list dns '194.168.8.100'

config interface 'wan6'
        option proto '6in4'
        option peeraddr 'as supplied by HE'
        option ip6addr '2001:470:nnnn:kkkk::2/64'
        list ip6prefix '2001:470:rrrr::/48'
        option tunnelid 'as supplied by HE'
        option username 'my username'
        option password 'key supplied by HE'
        option mtu '1480'
        option ipaddr 'isp supplied public ipv4'

I have a pbr entry routing any local ipv6s (::/0) to any remote ipv6s for all protocols via preroute chain to wan6. I am not sure if I need a new interface HENET.

I have not shown my firewall listing, being too long. Not sure if I need to put special rules for 6in4.

The ipv6 tcpdump over br-lan shows some activity. If I understand correctly, ipv6 packets should not cross br-lan barrier, isn't it? How do I check ipv6 activity beyond br-lan?

How do I ping6 from/to my lan clients? Any inputs appreciated. Thank you! :slight_smile:

-Gamma

Go to the Hurricane website; in one of the tabs after login you get an OpenWrt template via uci.

Also, you must allow ping from the Tunnel Broker checker. Their community documentation gives this IP. Just an FYI if you altered the firewall.

From tunnelbroker.net

NOTE: When behind a firewall appliance that passes protocol 41, use the IPv4 address you get from your appliance's DHCP service instead of the IPv4 endpoint you provided to our broker.

So you need to make sure that you receive these packets forwarded from the Virgin router and use the private IP in the OpenWrt config.
You can try to ping from the source IP the lan interface has:

ping -6 -I 2001:470:6f:357::1 ipv6.google.com
PING ipv6.google.com(prg03s13-in-x0e.1e100.net (2a00:1450:4014:80f::200e)) from 2001:470:6f:357::1 : 56 data bytes
64 bytes from prg03s13-in-x0e.1e100.net (2a00:1450:4014:80f::200e): icmp_seq=1 ttl=120 time=4.86 ms
64 bytes from prg03s13-in-x0e.1e100.net (2a00:1450:4014:80f::200e): icmp_seq=2 ttl=120 time=4.65 ms

You can capture the packets in tcpdump by filtering the tunnelbroker endpoint:

root@barracuda:[~]#tcpdump -i pppoe-wan -nv host 216.66.86.122
tcpdump: listening on pppoe-wan, link-type LINUX_SLL (Linux cooked v1), snapshot length 262144 bytes
23:59:51.657397 IP (tos 0x0, ttl 64, id 14416, offset 0, flags [DF], proto IPv6 (41), length 124)
    196.1.115.117 > 216.66.86.122: IP6 (flowlabel 0x7cde5, hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:470:6f:357::1 > 2a00:1450:4014:80f::200e: [icmp6 sum ok] ICMP6, echo request, id 37580, seq 1
23:59:51.662125 IP (tos 0x0, ttl 249, id 12235, offset 0, flags [DF], proto IPv6 (41), length 124)
    216.66.86.122 > 196.1.115.117: IP6 (flowlabel 0x7cde5, hlim 120, next-header ICMPv6 (58) payload length: 64) 2a00:1450:4014:80f::200e > 2001:470:6f:357::1: [icmp6 sum ok] ICMP6, echo reply, id 37580, seq 1

6in4 and he.net tunnels are supported well and work, just be aware that not all tunnel endpoints are always fine, nor that they can deliver full performance towards the higher end of the wan speed spectrum.

Hello Friends!

I found the culprit.

The local ipv4 address field on wan6 should be left blank. This address field appears on : Network --> Interfaces --> wan6 ( edit ) --> General Settings panel.

It then uses the current wan address. Since I was using the Virgin Media router in dmz mode, I put the isp supplied public ipv4. This caused the trouble. When I removed that address, the ping6s to/from my client laptop came to life.

Thank you all for your guidance and tips. :slight_smile:

-Gamma
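
The fix in this thread came down to the 6in4 `ipaddr` (local IPv4) option naming an address the OpenWrt router does not own when it sits behind another router. The following shell check is an added example, not part of the original posts: it reads UCI network config text and reports whether that option is blank, matches a local address, or is mismatched. The function names, the sample config and the addresses 203.0.113.10 and 192.168.0.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and sample values are
# hypothetical; 203.0.113.10 and 192.168.0.10 are constructed addresses.

# Read UCI network config on stdin; print the 'ipaddr' option of the first
# 6in4 interface (an empty line when the option is unset, nothing at all
# when the config has no 6in4 interface).
tunnel_local_addr() {
    awk -v q="'" '
        function emit() { if (proto == "6in4") { print addr; found = 1 } }
        $1 == "config" { if (!found) emit(); proto = ""; addr = ""; next }
        $1 == "option" && $2 == "proto"  { gsub(q, "", $3); proto = $3 }
        $1 == "option" && $2 == "ipaddr" { gsub(q, "", $3); addr = $3 }
        END { if (!found) emit() }
    '
}

# check_6in4_local CONFIG_TEXT "ADDR1 ADDR2 ..."
# Prints "auto" (option blank, netifd uses the current WAN address),
# "match" (option names an address the router owns) or "mismatch:<addr>".
# On a router, pass the contents of /etc/config/network and the IPv4
# addresses listed by `ip -4 addr`.
check_6in4_local() {
    c6_addr=$(printf '%s\n' "$1" | tunnel_local_addr)
    if [ -z "$c6_addr" ]; then echo "auto"; return 0; fi
    for c6_a in $2; do
        if [ "$c6_a" = "$c6_addr" ]; then echo "match"; return 0; fi
    done
    echo "mismatch:$c6_addr"
}

# Constructed sample: router behind an ISP box in DMZ mode, so its WAN
# address is private while the tunnel was pinned to the public IPv4.
BAD_CFG="config interface 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option proto '6in4'
        option ipaddr '203.0.113.10'
        option mtu '1480'"
GOOD_CFG=$(printf '%s\n' "$BAD_CFG" | grep -v 'option ipaddr')
LOCAL_ADDRS="192.168.0.10 192.168.1.1"

echo "public address pinned: $(check_6in4_local "$BAD_CFG" "$LOCAL_ADDRS")"
echo "field left blank:      $(check_6in4_local "$GOOD_CFG" "$LOCAL_ADDRS")"
```

A "mismatch" result means the encapsulated protocol 41 packets leave with a source address the router does not hold, which matches the symptom described in the first post.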
