Configure DHCPv6c on WAN for multiple PD requests for AT&T fiber?

So you set up a linux bridge br-wan between say eth1 and eth2. eth1 is plugged to the ONT, and eth2 is plugged to the ATT gateway. You disallow forwarding anything coming from the ATT GW other than responses to the 802_1Q queries, but you allow forwarding anything from eth1... fine... But then how do you have the router itself use the same MAC as the ATT gateway and do the DHCPv4 and DHCPv6 work?

maybe you add a veth pair? so the br-wan is eth1,eth2,veth0, and then call veth1 your WAN and set the MAC equal to the ATT GW MAC?

1 Like

You folks are AWESOME! So many ideas. I need coffee :coffee:

2 Likes

I managed to get this working with AT&T's dumb IPv6 setup in IP passthrough mode without needing any additional scripts or wide-dhcpv6.

This is based on pieces from:

Basically, you install kmod-macvlan and set up a macvlan type device (tied to the physical WAN interface) for each prefix you wish to pull from the AT&T gateway's /60 PD. Then you set up an additional interface for each of the macvlan devices you added. Each additional interface is a proto 'dhcpv6' type of /64 size. Finally, your internal interfaces which will receive the IPv6 PDs need to be set to hand out IPv6 addresses only from the corresponding interface you set up for the given PD. This is where the list ip6class ... setting comes into play. See below...

Here's an example of my working /etc/config/network file:

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option packet_steering '1'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.10.1'
	option ip6ifaceid '::1'
	option device 'eth1'
	list ip6class 'WAN6LAN'
	option ip6assign '64'

config interface 'WAN'
	option proto 'dhcp'
	option peerdns '0'
	option device 'eth0'
	option hostname '*'

config interface 'WAN6'
	option proto 'dhcpv6'
	option peerdns '0'
	option device 'eth0'
	option delegate '0'
	option reqaddress 'try'
        option reqprefix 'no'

config interface 'GUEST'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ipaddr '192.168.9.1'
	option ip6ifaceid '::1'
	option device 'eth1.9'
	list ip6class 'WAN6GUEST'

config interface 'IOT'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.99.1'
	option ip6assign '64'
	option ip6ifaceid '::1'
	option device 'eth1.99'
	list ip6class 'WAN6IOT'

config device 'vwan1'
	option name 'vwan1'
	option type 'macvlan'
	option ifname 'eth0'

config device 'vwan2'
	option name 'vwan2'
	option type 'macvlan'
	option ifname 'eth0'

config device 'vwan3'
	option name 'vwan3'
	option type 'macvlan'
	option ifname 'eth0'

config interface 'WAN6LAN'
	option proto 'dhcpv6'
	option peerdns '0'
	option device 'vwan1'
	option reqprefix '64'
	option reqaddress 'none'

config interface 'WAN6GUEST'
	option proto 'dhcpv6'
	option device 'vwan2'
	option reqprefix '64'
	option peerdns '0'
	option reqaddress 'none'

config interface 'WAN6IOT'
	option proto 'dhcpv6'
	option device 'vwan3'
	option reqaddress 'none'
	option reqprefix '64'
	option peerdns '0'

Just make sure that the RA mode on each of the internal interfaces is set to 'server' mode and RA flags are set to "other config":

e.g.

config dhcp 'lan'
	option interface 'lan'
        ...
	option ra 'server'
	list ra_flags 'other-config'

@vgaetera Is it possible to get this written up for AT&T fiber users in the wiki here? https://openwrt.org/docs/guide-user/network/ipv6/start

2 Likes

You could just add a new section to the bottom of that page. Make it "AT&T fiber IPv6 Config Example"

Or you wanting a page like IPv6 with Hurricane Electric but just for AT&T?

Sounds reasonable to me, but it looks like the wiki is closed to general updates. I think @vgaetera was the last one to make edits to it, so hoping somebody can help us help others. :slight_smile:

you can apply there for a wiki account to do edits.

I have wiki edit if you want a page creating and you can edit it when tmomas sorts you an account?

It works! :smile:

for WAN6, option reqprefix 'no' as we don't need it

2 Likes

I’ll test with that as well. For some reason I was thinking that was still desirable for Openwrt itself to have an ipv6 address with a gateway so it could use ipv6 as well. Thoughts?

Another item of note, the MAC address of a MAC-VLAN device changes each time the network service restarts. I ended up setting option macaddr 'xx:xx:xx:xx:xx:xx' for each of the MAC-VLAN devices. I picked a MAC address to populate into each of those devices and just incremented the last character for uniqueness.

The populated MAC addresses then become the client IDs sent in the DHCPv6 PD request at the AT&T GW.

For me, it is getting a SLAAC in the addressing subnet, but it doesn't need its own /64 as we're bypassing that now. I have my four subnets working properly. I'm so pleased

1 Like

Right on! I just made your suggested change and that's perfect for me! I updated the solution post to include the option reqprefix 'no' for WAN6.

I'm having trouble with the DHCPv6 servers on the subnets. All I'm getting on my main lan are SLACC addresses. here is part of my /etc/config/dhcp

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ndp 'hybrid'
	option ra 'server'
	list ra_flags 'other-config'
	option dhcpv6 'server'

it doesn't look wrong. I'm at a loss. the MACVLAN interface owns the PD, though. Is this the problem?

ok, I got it. managed-config was missing

         list ra_flags 'managed-config'
         list ra_flags 'other-config'
1 Like

Alright, take a look at this that I've added to the OpenWrt wiki and let me know what you think!

@dlakelan @davygrvy

1 Like

I wanted to hold-off until I understood it better, but I'm at a loss. The default gateway being advertised on my lan by the DHCPv6 server is unreachable. I tried a different MAC on the lan interface, but still the same behavior.

davygrvy@puukukui:~$ ip -6 route |grep default
default via fe80::6238:e0ff:feca:e009 dev enp3s0 proto ra metric 20100 pref medium

davygrvy@puukukui:~$ ping fe80::6238:e0ff:feca:e009
PING fe80::6238:e0ff:feca:e009(fe80::6238:e0ff:feca:e009) 56 data bytes
ping: sendmsg: Invalid argument
ping: sendmsg: Invalid argument
ping: sendmsg: Invalid argument
^C
--- fe80::6238:e0ff:feca:e009 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2045ms

Was it working and then stopped or the default gateway has never worked with this configuration?

Hasn't worked at all.

I'm bypassing the bridge and going right to the first port if this makes a difference. In /etc/config/network:

config device                                  
        option name 'lan1'                     
        option macaddr '60:38:e0:ca:e0:09'
        option acceptlocal '1'

Ah! Okay, so that was happening for me too and I was banging my head on the wall for a while until I realized the firewall (nftables in my case) was blocking certain IPv6 traffic. For instance, I had to allow DHCPv6 from those additional interfaces I created to the AT&T gateway (via my physical WAN iface).

Also, I was seeing the same issue as you until I made sure my client subnets were able to make the nd-router-solicit ICMPv6 call to the WAN6* interfaces. Once router-solicitation (ICMPv6 type 133) was enabled, I was off to the races!

For reference, here are the complete IPv6 rules that fixed my issue:

chain input {
        type filter hook input priority 0; policy drop;
        ...
        ip6 nexthdr ipv6-icmp icmpv6 type echo-request limit rate 5/second counter accept comment "IPv6 ICMP"
        ip6 nexthdr ipv6-icmp ip6 hoplimit 1 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert, nd-router-solicit } limit rate 10/second counter accept comment "IPv6 ICMP"
        ip6 nexthdr ipv6-icmp ip6 hoplimit 255 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert, nd-router-solicit } limit rate 10/second counter accept comment "IPv6 ICMP"
        ...
}
1 Like

Is this for /etc/config/firewall ?

Unfortunately no... I am doing the firewall4 (nftables) deal on my OpenWrt build, so the syntax I shared above is for nftables. Let me see if I can look up the equivalent for iptables (or specifically /etc/config/firewall)...