Basic static ipv6 configuration - It can't be this hard?

Tldr; How do you get a clean install openwrt router to take a /56 ipv6 delegation (static assignment, no slaac or dhcpv6) and break this out to individual /64’s that can be assigned statically to LAN clients to allow these clients to reach the internet? I do not want any form of automatic ip assignment anywhere, I want to assign all IP's as static to all devices and have these devices reach the internet through openwrt.

Begin long post here

I’m sure I’m just being dumb but I’ve spent literally days trying to figure this out and I’m out of ideas. Any help is GREATLY appreciated. I’m extremely new to ipv6 & openwrt; please go easy on me 🙂

I have a dedicated server in a colocation environment. The provider has delegated the following /56 to me. There is no SLAAC or dhcpv6 involved; I need to configure things manually. I also do not want any form of dhcp in this environment; I would like to use static IPs for all devices.

This is a clean install of openwrt that I’m happy to blow away and start over with if needed.

(IP range changed for privacy)

Delegated from provider: 2606:3240:1000:400::/56

Gateway IP: 2606:3240:1000:400::1

What works:

I can ping the ipv6 internet from openwrt itself.

What doesn’t work:

Clients on openwrt LAN cannot reach the internet. They can only ping the LAN IP of the openwrt router.

What I’m trying to accomplish for now:

All I’m trying to do is break out a single /64 from my delegated /56 to the LAN network and assign IP addresses from this /64 statically to linux devices allowing them to reach the internet through openwrt.

If I assign: 2606:3240:1000:401::1/64 with gateway 2606:3240:1000:400::1 to a linux device and bypass openwrt it can reach the internet no problem.

If I then take 2606:3240:1000:401::1/64 and assign it to the LAN interface in openwrt, assign 2606:3240:1000:401::100/64 to my linux client and point it to 2606:3240:1000:401::1 as its new gateway, it can no longer reach the internet. The routing stops when it hits openwrt.

Thanks for any help! 🙂

Config files below:

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd48:8bc2:4f32::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.99.1'
        option netmask '255.255.255.0'
        option delegate '0'
        list ip6addr '2606:3240:1000:401::1/64'
        option defaultroute '1'

config interface 'wan'
        option device 'eth1'
        option proto 'static'
        option ipaddr '23.69.35.252'
        option netmask '255.255.255.248'
        option gateway '23.69.35.249'
        list dns '1.1.1.1'

config interface 'wan6'
        option device 'eth1'
        option proto 'static'
        option ip6gw '2606:3240:1000:400::1'
        list dns '2606:4700:4700::1111'
        option delegate '0'
        list ip6addr '2606:3240:1000:400::100/64'

config interface 'tailscale'
        option proto 'none'
        option device 'tailscale0'

cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'tailscale'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'tailscale'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'wan'
        option dest 'tailscale'

config forwarding
        option src 'tailscale'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow-SSH-WAN'
        option src 'wan'
        option dest_port '22'
        option proto 'tcp'
        option target 'ACCEPT'

config rule
        option name 'web'
        list proto 'tcp'
        option src 'wan'
        list src_ip '123.62.366.6'
        list dest_ip '34.73.55.252'
        option dest_port '443'
        option target 'ACCEPT'

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

For a start: Remove the defaultroute option from the lan interface and set it on wan6.

After you have done so and restarted the router or at least the network service, post your routing table and test again.

There are two ways to do this, either use the internal prefix delegation system, or don't.

  • To use the system, in wan6, set ip6prefix to your /56 prefix. I think you should also remove delegate 0, though that may not make a difference. Then in (each) lan set ip6assign to 64 and ip6hint to what you want for the 8 bits that you control -- start with 01 for a /64.

  • To not use the system you could just add xx01::1/64 as an ip6addr under lan, and a routing table entry will also be made. When someone on the Internet accesses an IP inside that /64, the ISP will send it to the wan interface then the routing table will forward it to lan.

If you intend to run hosts on the LAN such as web servers to service incoming connections, that traffic needs to be allowed in the firewall. By default the firewall only allows lan->wan outgoing.

Thank you. I've made the requested changes. The firewall continues to be able to ping ipv6 internet but LAN clients still can not.

root@OpenWrt:~# ip route
default via 23.69.35.249 dev eth1
23.69.35.248/29 dev eth1 scope link  src 23.69.35.252
192.168.99.0/24 dev br-lan scope link  src 192.168.99.1
root@OpenWrt:~# ip -6 route
fd7a:115c:a1e0::/48 dev tailscale0  metric 1024
2606:3240:1000:400::/64 dev eth1  metric 256
2606:3240:1000:401::/64 dev br-lan  metric 256
unreachable fd48:8bc2:4f32::/48 dev lo  metric 2147483647
fd7a:115c:a1e0::e701:6360 dev tailscale0  metric 256
fe80::/64 dev eth1  metric 256
fe80::/64 dev tailscale0  metric 256
fe80::/64 dev br-lan  metric 256
default via 2606:3240:1000:400::1 dev eth1  metric 1024
anycast 2606:3240:1000:400:: dev eth1  metric 0
anycast 2606:3240:1000:401:: dev br-lan  metric 0
anycast fe80:: dev tailscale0  metric 0
anycast fe80:: dev eth1  metric 0
anycast fe80:: dev br-lan  metric 0
multicast ff00::/8 dev eth1  metric 256
multicast ff00::/8 dev tailscale0  metric 256
multicast ff00::/8 dev br-lan  metric 256

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd48:8bc2:4f32::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.99.1'
        option netmask '255.255.255.0'
        option delegate '0'
        list ip6addr '2606:3240:1000:401::1/64'

config interface 'wan'
        option device 'eth1'
        option proto 'static'
        option ipaddr '23.69.35.252'
        option netmask '255.255.255.248'
        option gateway '23.69.35.249'
        list dns '1.1.1.1'

config interface 'wan6'
        option device 'eth1'
        option proto 'static'
        option ip6gw '2606:3240:1000:400::1'
        list dns '2606:4700:4700::1111'
        option delegate '0'
        list ip6addr '2606:3240:1000:400::100/64'
        option defaultroute '1'

config interface 'tailscale'
        option proto 'none'
        option device 'tailscale0'

Thank you! For now I'm perfectly happy to use static ip's for all devices.

I already had list ip6addr '2606:3240:1000:401::1/64' under my lan - is that not correct?

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.99.1'
        option netmask '255.255.255.0'
        option delegate '0'
        list ip6addr '2606:3240:1000:401::1/64'

Could you post the ip -6 -br a and ip -6 r from your Linux client?

It shouldn't be, but is your ISP by any chance using an on-link /56 prefix? I'm asking because you said:

The above shouldn't work if your ISP has a sane configuration - another /64 or /127 should be used as a link between you and them, and they need to forward your /56 via your gateway.

Can you test the above? Assuming 2606:3240:1000:401::2 is your client device's IPv6 address, please enable proxy NDP on the router's wan interface and see if it works:

ip link set eth1 promisc on
ip -6 neigh add proxy 2606:3240:1000:401::2 dev eth1

If the above in fact works, then your ISP has not delegated you a prefix, but set an entire /56 on-link (lan) network for which they expect NDP replies to each IPv6 in it. There are not so complicated ways to work around this but it's much better for both you and the ISP to use a proper setup.

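Added illustration, not part of any post in the thread: the Python below works out which /64 a hex subnet ID selects from the /56 (the mapping ip6hint uses) and models how an upstream gateway would deliver a packet for the LAN client under a routed /56 versus an on-link /56. The two upstream tables (`ROUTED`, `ONLINK`) and the function names are assumptions; the provider's real configuration is not shown in the thread.

```python
import ipaddress as ip

# Values taken from the thread (already altered by the poster for privacy).
DELEGATED = ip.ip_network("2606:3240:1000:400::/56")
ROUTER_WAN = ip.ip_address("2606:3240:1000:400::100")   # wan6 address on OpenWrt
CLIENT = ip.ip_address("2606:3240:1000:401::100")       # static LAN client

def subnet_for_hint(delegated, hint_hex, assign_len=64):
    """Sub-prefix selected by a hexadecimal subnet ID, e.g. '01' -> ...:401::/64."""
    index = int(hint_hex, 16)
    free_bits = assign_len - delegated.prefixlen         # 8 bits for /56 -> /64
    if free_bits < 0 or index >= 1 << free_bits:
        raise ValueError("hint does not fit in the delegated prefix")
    base = int(delegated.network_address) | (index << (128 - assign_len))
    return ip.IPv6Network((base, assign_len))

def upstream_delivery(routes, dst):
    """Longest-prefix match over a gateway table.

    routes: list of (network, next_hop); next_hop None means the prefix is on-link,
    so the gateway resolves dst with neighbor discovery on its own segment.
    """
    matches = [(net, hop) for net, hop in routes if dst in net]
    if not matches:
        return "unreachable"
    net, hop = max(matches, key=lambda m: m[0].prefixlen)
    if hop is None:
        return f"neighbor solicitation for {dst} on the WAN segment"
    return f"forward to {hop}"

# Assumed model 1: the link /64 is on-link and the /56 is routed via the customer router.
ROUTED = [(ip.ip_network("2606:3240:1000:400::/64"), None), (DELEGATED, ROUTER_WAN)]
# Assumed model 2: the whole /56 is configured on-link at the provider.
ONLINK = [(DELEGATED, None)]

if __name__ == "__main__":
    print("hint 01 ->", subnet_for_hint(DELEGATED, "01"))
    print("routed  :", upstream_delivery(ROUTED, CLIENT))
    print("on-link :", upstream_delivery(ONLINK, CLIENT))
```

In the on-link model the gateway solicits the client's address on the WAN segment, where only a directly attached host or a router with a proxy NDP entry for that address would answer.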

The notation is a bit fuzzy regarding the last given digits, as 400 is likely actually 0400.
Meaning 2606:3240:1000:0400:: i.e. 2606:3240:1000:04xx:: as 56 fixed bits.

That shouldn't affect your calculation (as shown so far), but is good to notice.

I would not wonder. Yes, in general someone would expect a prefix for the ISP-to-Customer-Link, and the /56 prefix for the customer site, but I have seen this (a single /56), too.

@routingnoob24
In addition, something seems odd at your provider's site, too:

bernd@hiten ~ $ traceroute 2606:3240:1000:400::1
traceroute to 2606:3240:1000:400::1 (2606:3240:1000:400::1), 30 hops max, 80 byte packets
 1  * p2003XXX.dip0.t-ipconnect.de (2003:e4:XXXX:XXXX::1)  0.793 ms *
 2  * * 2003:0:8703:f000::1 (2003:0:8703:f000::1)  9.188 ms
 3  2003:0:1400:c000::1 (2003:0:1400:c000::1)  18.297 ms *  19.483 ms
 4  * * *
 5  * * *
 6  ffm-bb2-v6.ip.twelve99.net (2001:2034:1:6c::1)  20.343 ms  19.711 ms *
 7  prs-bb2-v6.ip.twelve99.net (2001:2034:1:c1::1)  26.862 ms  26.824 ms *
 8  * rest-bb1-v6.ip.twelve99.net (2001:2034:1:73::1)  173.010 ms  104.703 ms
 9  atl-bb1-v6.ip.twelve99.net (2001:2034:1:a1::1)  174.229 ms  174.206 ms *
10  * * *
11  * * dls-bb1-v6.ip.twelve99.net (2001:2034:1:ab::1)  160.953 ms
12  * * *
13  windstream-ic-375364.ip.twelve99-cust.net (2001:2035:0:25f8::2)  170.391 ms  171.151 ms  193.880 ms
14  2607:fec0::8f (2607:fec0::8f)  153.913 ms  190.540 ms  179.974 ms
15  2607:fec0::1c7 (2607:fec0::1c7)  186.154 ms  176.687 ms  177.185 ms
16  2600:5001:2831:1::2 (2600:5001:2831:1::2)  152.781 ms  218.391 ms  155.109 ms
^C
bernd@hiten ~ $ ping -c 3 2606:3240:1000:400::1
PING 2606:3240:1000:400::1 (2606:3240:1000:400::1) 56 data bytes
From 2606:3240:0:201::2 icmp_seq=1 Destination unreachable: Address unreachable
^C
--- 2606:3240:1000:400::1 ping statistics ---
3 packets transmitted, 0 received, +1 errors, 100% packet loss, time 2033ms

Does your ISP statically assign you a '/56' prefix? If not, the dynamic nature will spoil your party for wanting to statically assign IPv6 to LAN clients.

I think there is no need to give out an IPv6 gateway. The Linux system default should be fine, which is in the form of a local link address starting with 'fe80::'. Your LAN clients will send IPv6 to the default (which is your OpenWrt) and it will be properly routed to your ISP.

Quoted from the first message:

Missed that. Problem statement too long. LOL

@routingnoob24

To clarify what I meant, assign "2606:3240:1000:401::1/64" to 'br-lan' on OpenWrt. Assign "2606:3240:1000:401::2" and so on to your LAN devices. Do not assign/override IPv6 gateway on your LAN devices.

I think that should work and solve your issue.