Configuring IPv6 LAN with IPv4 WAN

Hello Guys,

I've read several topics about configuring IPv6 and also the guides here https://openwrt.org/docs/guide-user/network/ipv6/configuration, but I struggle to find out how to configure an IPv6 LAN.

My setup is as follows:
1/ An ISP router to which I have no admin access, and which gives IPv4 address via DHCP and MAC filtering to my first OpenWRT router.
2/ My first OpenWRT router receives IPv4 address via WAN interface and has IPv4 LAN.
3/ A second OpenWRT router for test purposes connected to the first OpenWRT LAN through wired connection and DHCP.

Both routers have default configuration (reset them this morning), except the first one's LAN subnet is 10.0.0.1/64 and the second's is 192.168.1.1/64 to avoid issues.

When I connect to the 2nd OpenWRT via my Mac, I got IPv4 and IPv6 addresses. But when I disable IPv4 on the Mac via Configure IPv4 set to 'Off', I have no internet connectivity.
I noticed that the Mac doesn't receive a Router (Gateway) address, so I configured it manually to the IPv6 address shown in LuCI > Interfaces > for the LAN interface. Same also configured for DNS.

Mac shows me that I'm connected to the router but still I have no internet. Maybe I have to configure Jool from the following guide, to connect to IPv4 network via IPv6 through NAT64/DNS64?

Wanted to ask first before messing things up more :smiley:

Thank you!

Do you receive IPv6 addresses from your ISP?

Otherwise I'm not sure what you're asking.

No, I don’t receive an IPv6 address from my ISP. I thought I could configure a local IPv6 network which would then be translated to IPv4 via NAT64/DNS64.

That's not what NAT64 is for. NAT64 is a way for a fully V6 network to access a "legacy" website or other service that is V4 only. This is done by converting the site's IPv4 address to a special V6 IP that encodes the V4 IP as some of its bits.

The DNS64 does this. Ordinary DNS will return only a V4 IP for a V4-only site. DNS64 recognizes that the site is V4 only, then formulates and returns the special V6 IP. When a request to this IP reaches the edge of your network, the NAT64 server (e.g. jool) intercepts it and converts it to a request on an IPv4 Internet connection. The user's PC and the LAN treat it as a V6 site.

Since you already have a V4 link all the way through your LAN, such sites can be reached directly as it is.

The main reason to set up V6 in your LAN is so that users can reach websites on the V6 Internet. That requires a link to the V6 Internet, either an ISP that offers V6, or a tunnel to something beyond your ISP that has a connection to the V6 Internet.

3 Likes
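The address mapping described in the reply above, as an added example that is not part of the original thread. It assumes the RFC 6052 embedding rules and the well-known prefix 64:ff9b::/96, neither of which the thread names; the function names and the documentation addresses are made up for illustration, and the code covers every prefix length RFC 6052 allows, not only /96.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix (an assumption; the thread names no prefix).
WKP = ipaddress.IPv6Network("64:ff9b::/96")
ALLOWED = (32, 40, 48, 56, 64, 96)

def synthesize(ipv4, prefix=WKP):
    """Build the IPv6 address a DNS64 resolver would return for an IPv4 address."""
    if prefix.prefixlen not in ALLOWED:
        raise ValueError("NAT64 prefix must be /32, /40, /48, /56, /64 or /96")
    out = bytearray(prefix.network_address.packed)
    pos = prefix.prefixlen // 8
    for byte in ipaddress.IPv4Address(ipv4).packed:
        if pos == 8:          # octet 8 (bits 64-71) is reserved and stays zero
            pos += 1
        out[pos] = byte
        pos += 1
    return ipaddress.IPv6Address(bytes(out))

def extract(ipv6, prefix=WKP):
    """Recover the IPv4 destination, as the NAT64 translator does at the edge."""
    addr = ipaddress.IPv6Address(ipv6)
    if prefix.prefixlen not in ALLOWED or addr not in prefix:
        raise ValueError("address is not inside the NAT64 prefix")
    raw, pos, v4 = addr.packed, prefix.prefixlen // 8, bytearray()
    while len(v4) < 4:
        if pos == 8:          # skip the reserved octet on the way back
            pos += 1
        v4.append(raw[pos])
        pos += 1
    return ipaddress.IPv4Address(bytes(v4))

if __name__ == "__main__":
    # 192.0.2.33 is a documentation address standing in for a V4-only site.
    print(synthesize("192.0.2.33"))
    print(extract("64:ff9b::c000:221"))
```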

Actually the reason to set up V6 in my LAN is to see how applications work in an IPv6 environment (something I don't have access to, that's why I would like to simulate it). It's for testing purposes, where I can see the DNS, TLS and other communication via tcpdump or similar software, where source and destination are v6 addresses.

You can get IPv6 connectivity thru a tunnel like tunnelbroker.net

4 Likes

typo 10.0.0.1/24 and 192.168.1.1/24 ??

But does not really matter, since your actual problem is IPv6:
My guess is, your ISP does not give you any IPv6 prefix delegation other than /64 (if at all). Then your only left over chance is to use IPv6 relay, to have internet routable IPv6 on the LAN side:

configure it, to have working Internet-working IPv6 on the OpenWRT LAN side (assuming your ISP gives you at least a single /64 prefix)

2 Likes

I think what @lleachii shared is what I was looking for. I've configured the HE.net tunnel following the guides and now I have IPv6 ping to openwrt.org from the router.

Unfortunately I can't have my Mac working with it. When I try to use ping6 command I got "No route to host":

ping6 openwrt.org
ping6: UDP connect: No route to host

Is there any specific client side configuration? I noticed that there is no Gateway in the IPv6 settings of the client when I set the configuration to "Automatic" (I assume via DHCP), is this expected?

There is also an option to disable the IPv4 on the Mac and leave the IPv6 only for the network interface. If I do this, I have no connectivity, so I assume I need something done on the client as well. Any ideas would be appreciated :slight_smile:

Yes, clients should have the gateway of the OpenWrt's LAN - but this may come via RA and not DHCPv6.

Try traceroute openwrt.org from both the client and router.

Please clarify. Doesn't matter if it's IPv4 or IPv6, you can make rules based on MAC.

1 Like

I have IPv4 traceroute from both the router and the client (Mac), but I have IPv6 traceroute6 and ping6 only through the router. In the client I have:

traceroute6 openwrt.org
connect: No route to host

I'd set the DNS addresses on the client to the ones mentioned as DNS Resolvers in the HE.net website, but that didn't help. They are IPv4 and IPv6 similar to the ones shown on the picture of this guide https://openwrt.org/docs/guide-user/network/ipv6/ipv6tunnel-luci

  • I meant traceroute6, my apologies
  • It seems your HE tunnel or LAN are not yet configured correctly

Can you provide the output of:

cat /etc/config/network

and

cat /etc/config/dhcp

Also, do you block inbound ICMPv4 Echo-Request (i.e. ping) on WAN?

1 Like

Sure, here they are:

# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd81:29f9:9f60::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'
	option ipv6 '1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	list ip6class 'local'

config device
	option name 'eth0.2'
	option macaddr 'b0:be:76:38:bf:1c'
	option ipv6 '1'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option proto '6in4'
	option peeraddr '216.66.80.30'
	option ip6addr '2001:470:1f0a:4bc::2/64'
	list ip6prefix '2001:470:7315::/48'
	option tunnelid '882877'
	option username 'fr1nklyn'
	option password '**********
	option mtu '1480'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

No, I don't block the ICMP packets on WAN.

Remove ip6class local from the lan interface. This is telling the lan to not use addresses routable to wan6, which is the opposite of what you need. I would also comment out ula_prefix so your IP addressing isn't cluttered up with ULAs that are not doing anything useful in this use case.

The lan should have a /64 out of the /48 on the wan6. This will also be distributed to clients. Check the IP address and routing status on the Mac that resulted from DHCP. The ipv6 default route for endpoints (LAN client machines) should be the link-local of the router's LAN, which is derived from the router's MAC address.

3 Likes
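One way to check a network config for the ip6class problem pointed out in the reply above, as an added example that is not part of the original thread and is not OpenWrt's own code. The sample config is constructed with made-up prefixes, the function names and the `routable` key are hypothetical, and "routable" here only means "not a ULA".

```python
import ipaddress
import shlex

ULA = ipaddress.ip_network("fc00::/7")
# Constructed sample modelled on the thread's /etc/config/network; prefixes are made up.
SAMPLE = """\
config globals 'globals'
    option ula_prefix 'fd00:db8:1::/48'
config interface 'lan'
    option ip6assign '64'
    list ip6class 'local'
config interface 'wan6'
    list ip6prefix '2001:db8:7315::/48'
"""

def parse_uci(text):
    """Parse UCI text into a list of sections with their options and lists."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) >= 2 and tok[0] == "config":
            name = tok[2] if len(tok) > 2 else None
            sections.append({"type": tok[1], "name": name, "opts": {}, "lists": {}})
        elif len(tok) == 3 and tok[0] == "option" and sections:
            sections[-1]["opts"][tok[1]] = tok[2]
        elif len(tok) == 3 and tok[0] == "list" and sections:
            sections[-1]["lists"].setdefault(tok[1], []).append(tok[2])
    return sections

def lan_prefix_report(sections):
    """Map each ip6assign interface to the subnets its ip6class setting allows."""
    sources = {}  # prefix class -> prefixes offered under that class
    for s in sections:
        if s["type"] == "globals" and "ula_prefix" in s["opts"]:
            sources.setdefault("local", []).append(s["opts"]["ula_prefix"])
        for p in s["lists"].get("ip6prefix", []):
            sources.setdefault(s["name"], []).append(p)  # class = interface name
    report = {}
    for s in sections:
        if s["type"] != "interface" or "ip6assign" not in s["opts"]:
            continue
        allowed = s["lists"].get("ip6class")  # absent: every class is accepted
        nets = [ipaddress.ip_network(p) for cls, ps in sources.items()
                if allowed is None or cls in allowed for p in ps]
        size = int(s["opts"]["ip6assign"])
        # First subnet is shown for illustration; netifd may pick another one.
        report[s["name"]] = {
            "candidates": [str(next(n.subnets(new_prefix=size))) for n in nets],
            "routable": any(not n.subnet_of(ULA) for n in nets)}
    return report
```

With `list ip6class 'local'` present the report for `lan` contains only the ULA subnet and `routable` is false; with that line removed, a /64 from the tunnel's routed /48 appears as well.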

Ok, so removing the ip6class local made a difference and client now receives 3x IPv6 addresses over DHCPv6. I also commented out the ula_prefix.

Now when I attempt to ping6 openwrt, I don't see the error in terminal "ping6: UDP connect: No route to host", but I see the regular ping line. Unfortunately without response:
PING6(56=40+8+8 bytes) 2001:470:7315:0:f5d0:2cbc:7f78:6731 --> 2a03:b0c0:3:d0::1af1:1

Filtering icmpv6 in Wireshark shows that client sends ICMPv6 packets but gets no response.

On the client side, there are the standard network options for the interface "Automatic" and "Manual", and also "Link-Local Only". For the latter I receive no Gateway address and I return back to the error "ping6: UDP connect: No route to host" when I attempt to ping.
