Dhcp6 relay configuration

Hi all,

I have an OpenWrt-behind-another-router situation. My ISP requires that I use their gateway/router hardware, which can't be set into gateway mode. So, my OpenWRT router is behind another router. I'm trying to get global IPv6 addresses for clients behind my OpenWRT router. Unfortunately my ISP has given me a /64 prefix which, from my elementary understanding of IPv6, is best handled with OpenWRT configured as a relay.

I'm not 100% sure what a relay is, but my understanding is that the clients behind the openwrt router will receive addresses assigned by the outer router -- is that correct?

In any case, I have configured my router as suggested in the documentation found at https://openwrt.org/docs/guide-user/network/ipv6/start#router_advertisement_dhcpv6. However, running wireshark on my client behind openwrt, I don't see any router advertisement packets.

Is relay the right thing for me to do in this case, and, if so, can someone help me out with the config?

My /etc/config/network looks like:

# LAN: bridge over eth0 with a static IPv4 address of 192.168.1.1/24.
config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ifname 'eth0'
        # Assign a /64 to this interface out of a delegated prefix.
        # NOTE(review): the ifstatus output later in the thread shows an empty
        # "ipv6-prefix" list, so there appears to be nothing to assign from — confirm.
        option ip6assign '64'

# IPv4 uplink: DHCP client on eth1 (the port facing the ISP router).
config interface 'wan'
        option proto 'dhcp'
        option ifname 'eth1'

# IPv6 uplink: DHCPv6 client on the same physical port as 'wan' (eth1).
config interface 'wan6'
        option proto 'dhcpv6'
        option ifname 'eth1'
        # Ask for an address, but continue if none is offered.
        option reqaddress 'try'
        # Ask for a delegated prefix and let the server choose its length.
        option reqprefix 'auto'

And /etc/config/dhcp:

# LAN side of the relay: the downstream interface that clients sit on.
config dhcp 'lan'
        option interface 'lan'
        # IPv4 DHCP pool: start offset, pool size and lease time.
        option start '100'
        option limit '150'
        option leasetime '12h'
        # Relay router advertisements, DHCPv6 and NDP between this interface
        # and the master interface instead of answering them locally.
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'

# No DHCP service on the IPv4 uplink.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

# Upstream side of the relay; 'master 1' marks it as the interface whose
# RA/DHCPv6/NDP traffic is relayed towards the LAN.
# NOTE(review): unlike the two sections above, this one has no
# 'option interface' line and its values are unquoted — confirm that it
# really binds to the wan6 interface.
config dhcp 'wan6'
        option dhcpv6 relay
        option ra relay
        option ndp relay
        option master 1

Thanks in advance

Check the output:

ifstatus wan6

Hi,

Here is the output for that:

{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 1661,
        "l3_device": "eth1",
        "proto": "dhcpv6",
        "device": "eth1",
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [

        ],
        "ipv6-address": [
                {
                        "address": "--omitted--",
                        "mask": 64,
                        "preferred": 55,
                        "valid": 115
                }
        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "2607:fb90:8374:6b56::",
                        "mask": 64,
                        "nexthop": "::",
                        "metric": 256,
                        "valid": 115,
                        "source": "::\/0"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::7edb:98ff:fe85:4da2",
                        "metric": 512,
                        "valid": 595,
                        "source": "--omitted--\/64"
                }
        ],
        "dns-server": [
                "fe80::7edb:98ff:fe85:4da2"
        ],
        "dns-search": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ]
        },
        "data": {
                "passthru": "00170010fe800000000000007edb98fffe854da2"
        }
}

Correct.

Install tcpdump if it is not already installed on the OpenWrt router: opkg update; opkg install tcpdump
Then run the following capture and post here the output.
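# Capture ICMPv6 (RS/RA/NS/NA) and DHCPv6 server/relay traffic on every interface.
# The filter must be quoted: unquoted, the shell treats || as its own OR
# operator, tcpdump is only given "icmp6", and UDP 547 is never captured.
tcpdump -i any -evn 'icmp6 || udp port 547'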
Then restart the interface of a lan host, wait until it captures some packets, stop with Ctrl c and post here the output.


I think "Request IPv6-prefix of length" in Interfaces > WAN6 should be /64 instead of Automatic. Then the relay starts working, I might be wrong, try it if it works.

I did as saudiqbal suggested and set the request prefix of length to 64.

As for the tcpdump, it looks like I can't put an attachment in here, so I've put it into a pastebin: https://pastebin.com/iRSAKUeh. I can't really tell if it's working -- my client behind openwrt has an IPv6 address now, but ping -6 www.google.com still fails.

No need for attachments, you can paste in preformatted text (the </> button).
Other than that I can see just a couple of router solicitations from the OpenWrt towards the ISP which were answered with router solicitations.
Post also the uci export firewall to verify that there is nothing missing there.


Firewall:

root@OpenWrt:~# uci export firewall
package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan azurevpn'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 phone4 PHONE6 WAN WAN6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_ip '192.168.1.2'
        option name 'http'
        option src_dport '80'
        option dest_port '80'

config redirect
        option enabled '1'
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '22'
        option dest_ip '192.168.1.2'
        option dest_port '22'
        option name 'ssh'

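It does not matter to your original issue, but assigning a client vpn connection to the lan zone is wrong: the lan zone accepts input and forwarding, so the VPN interface (azurevpn) is trusted exactly like the local LAN. You could also clean up the interfaces list of the wan zone a bit.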
Apart from these I don't see any other issue.
Still you need to provide a capture showing that the router solicitation from a lan host was not relayed, or the router advertisement was ignored by OpenWrt.
Run this in one terminal: tcpdump -i br-lan -evn 'icmp6 || udp port 547' and, in another terminal, tcpdump -i eth1 -evn 'icmp6 || udp port 547'. Keep the filter in quotes; otherwise the shell interprets || itself and tcpdump captures only icmp6. Try to keep only one lan host active to request IPv6, otherwise filter the traffic from other mac addresses.
