DMZ with ipv6 only and a dedicated PD

Hi,

I am trying to create a DMZ with IPv6 only. My ISP can provide me 6 PDs. I already use one for my LAN (2a00:xxx:yyy:a006/64); I would expect to take a second one for the DMZ (2a00:xxx:yyy:a007/64).

Before breaking everything, I am trying to understand how the stuff works.
I read some threads, mainly guide-to-set-up-dmz-via-luci.

Interface -> WAN6
In Interface -> WAN6 -> Advanced Settings -> Custom delegated IPv6-prefix, I can add a second prefix.
My first question: is it possible to have 2 PDs, one for LAN and one for DMZ?

By reading linksys_wrt3200acm, I know that I have two predefined VLANs:

  • VLAN id 1: for LAN1, LAN2, LAN3, LAN4 and eth0 (CPU)
  • VLAN id 2: for WAN and eth1 (CPU)

Network -> Switch
So I have to create a new VLAN id, choose a LAN port (from 1 to 4), and assign it and a CPU port to the new VLAN id. For example, VLAN id 24, LAN4 and eth0.

My second question: Should I choose eth0 or eth1?

Network -> Interfaces

I have to create a new interface named DMZ, with protocol = “static address” and Interface = “eth0.24”.

After that, because I don’t need IPv4, I have to set:

  • General Settings -> IPv6 assignment length = 64
  • Firewall Settings -> Create / Assign firewall-zone = DMZ
  • DHCP Server -> Advanced Settings -> Dynamic DHCP = uncheck
  • IPv6 Setting -> Router Advertisement-Service = server mode
  • IPv6 Setting -> DHCPv6-Service = server mode
  • IPv6 Setting -> DHCPv6-Mode = stateful-only
  • IPv6 Setting -> Always announce default router = check
  • IPv6 Setting -> Announced DNS servers = 2a00:xxx:yyy:a007::1, where 2a00:xxx:yyy:a007/64 will be the PD for the DMZ.

My third question: what do you think of these settings?

Network -> Firewall

I have to edit the DMZ zone:

  • General Settings -> Covered networks = DMZ
  • General Settings -> Allow forward to destination zones = WAN
  • General Settings -> Allow forward from source zones = LAN
  • Advanced Settings -> Covered devices = eth0.24
  • Advanced Settings -> Restrict to address family = IPv6 only

My fourth question: I don’t know what to add in “Firewall -> Port Forwards” and “Firewall -> Traffic Rules”.

A last question: with the given settings that allow LAN to DMZ, and with GUA IPv6 only in the DMZ, what happens if I want to access the webserver in the DMZ from my LAN?
The LAN connection will go directly to the DMZ webserver without going through the internet (WAN).

Thanks for your help.

The DMZ is evidently for some servers of some kind. What kind of servers, what ports do they listen on?

Just add traffic rules that allow forwarding traffic with the particular destination ports from WAN to DMZ. Done!

Thanks for your feedback.

When I add the second PD to WAN6 and try to apply, after a couple of seconds I see "Failed to confirm apply within 90s, waiting for rollback…".

After reloading, LAN has only an IPv4 address and DMZ has two IPv6 addresses, and I lose IPv6 on the LAN.

To fix this issue, I deleted the second PD and rebooted OpenWrt.

It seems there is trouble with the second PD. I don't see where to set the PD for LAN and the PD for DMZ!

How big is the PD you get? Just up to 6 /64 networks? You can't get some kind of /60 or such?

I don't actually know how OpenWrt handles this situation. I moved to a Debian router and wide-dhcpv6-client to request individual /64s from the stupid device ATT gave me (which reserves 4 for itself and will hand out 4)

I can get 7 full /64 prefix delegations, from 2a01:xxxx:yyyy:zzz1::/64 to 2a01:xxxx:yyyy:zzz7::/64.

I don't see where to set the dedicated /64 for the LAN and the one for the DMZ.
In the future, I plan to set another dedicated /64 for a guest WiFi.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.

ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru

Hi,

Thanks for your help.
To be able to roll back, I deleted everything linked to the DMZ.

You will find first my current configuration, and secondly the configuration after adding the second prefix under Interfaces » WAN6 » Advanced Settings » Custom delegated IPv6-prefix, and also some screenshots.

Before adding the second prefix:

{
        "kernel": "4.14.221",
        "hostname": "lorien",
        "system": "ARMv7 Processor rev 1 (v7l)",
        "model": "Linksys WRT3200ACM",
        "board_name": "linksys,rango",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.7",
                "revision": "r11306-c4a6851c72",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt 19.07.7 r11306-c4a6851c72"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option ipaddr '192.168.12.1'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'
        option peerdns '0'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'
        option reqprefix 'auto'
        option reqaddress 'try'
        option peerdns '0'
        list ip6prefix '2a00:xxx:yyy:zzz6::/64'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '1 2 3 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'
        option vid '2'

config route6
        option interface 'wan6'
        option target '2000::/3'
        option gateway 'fe80::f6ca:e5ff:fe4c:58fb'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0 5t'
        option vid '24'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option domain 'mydomaine.name'
        option local '/mydomaine.name/'
        list server '0::1#5453'
        list server '127.0.0.1#5453'
        option noresolv '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option dhcpv6 'server'
        option ra 'server'
        option ra_default '1'
        option ra_management '2'
        list dhcp_option '6,192.168.12.8,192.168.12.1'
        list domain 'mydomaine.name'
        list dns '2a00:xxx:yyy:zzz6::1208'
        list dns '2a00:xxx:yyy:zzz6::1'
        option leasetime '12h'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option mac '00:01:01:01:01:B5'
        option dns '1'
        option name 'moria'
        option ip '192.168.12.12'
        option hostid '1212'
        option duid '000000089bc0b1b500089bc0b1b5'

config host
        option mac '00:01:01:01:01:C9'
        option dns '1'
        option name 'mp620'
        option ip '192.168.12.15'
        option hostid '1215'

config domain
        option name 'lorien'
        option ip '2a00:xxx:yyy:zzz6::1'

config domain
        option name 'moria'
        option ip '2a00:xxx:yyy:zzz6::1212'

config cname
        option cname 'ns0.mydomaine.name'
        option target 'lorien.mydomaine.name'

config cname
        option cname 'ns2.mydomaine.name'
        option target 'imladris.mydomaine.name'

config cname
        option cname 'nas0.mydomaine.name'
        option target 'moria.mydomaine.name'

config host
        option mac '00:01:01:01:01:42'
        option dns '1'
        option name 'imladris'
        option hostid '1208'
        option ip '192.168.12.8'
        option duid '000000000000000000000000009c'

config cname
        option cname 'ntp.mydomaine.name'
        option target 'lorien.mydomaine.name'

config host
        option mac '00:01:01:01:01:87'
        option name 'lumbar'
        option dns '1'
        option ip '192.168.12.4'
        option hostid '1204'
        option duid '0000000000000000000000000027'

config cname
        option cname 'mail.mydomaine.name'
        option target 'lumbar.mydomaine.name'

config mxhost
        option domain 'mydomaine.name'
        option relay 'mail.mydomaine.name'
        option pref '10'

config txt-record

config txt-record

config host
        option mac '00:01:01:01:01:27'
        option dns '1'
        option name 'pelargir'
        option ip '192.168.12.10'
        option duid '000000000000000000000000009f'
        option hostid '1210'

config cname
        option cname 'photos.mydomaine.name'
        option target 'pelargir.mydomaine.name'

config dhcp 'DMZ'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'DMZ'
        option ra_management '2'
        option ra 'server'
        option dhcpv6 'server'
        option dynamicdhcp '0'
        list domain 'mydomaine.name'
        list dns '2a00:xxx:yyy:zzz7::1'
        option ra_default '1'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 532
    inet6 fe80::3223:3ff:fedd:ea10/64 scope link
       valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 532
    inet6 fe80::3023:3ff:fedd:ea10/64 scope link
       valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a00:xxx:yyy:zzz6::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::3023:3ff:fedd:ea10/64 scope link
       valid_lft forever preferred_lft forever
10: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a00:xxx:yyy:zzz0:3223:3ff:fedd:ea10/64 scope global dynamic
       valid_lft 86012sec preferred_lft 86012sec
    inet6 fe80::3223:3ff:fedd:ea10/64 scope link
       valid_lft forever preferred_lft forever
11: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::3223:3ff:fedd:ea12/64 scope link
       valid_lft forever preferred_lft forever
default from 2a00:xxx:yyy:zzz0::/64 via fe80::224:d4ff:feae:fc68 dev eth1.2  metric 512
2a00:xxx:yyy:zzz0::/64 dev eth1.2  metric 256
unreachable 2a00:xxx:yyy:zzz0::/64 dev lo  metric 2147483647  error -113
2a00:xxx:yyy:zzz6::/64 dev br-lan  metric 1024
unreachable 2a00:xxx:yyy:zzz6::/64 dev lo  metric 2147483647  error -113
2000::/3 via fe80::f6ca:e5ff:fe4c:58fb dev eth1.2  metric 1024
fe80::/64 dev eth0  metric 256
fe80::/64 dev eth1.2  metric 256
fe80::/64 dev eth1  metric 256
fe80::/64 dev br-lan  metric 256
fe80::/64 dev wlan0  metric 256
local ::1 dev lo table local  metric 0
anycast 2a00:xxx:yyy:zzz0:: dev eth1.2 table local  metric 0
local 2a00:xxx:yyy:zzz0:3223:3ff:fedd:ea10 dev eth1.2 table local  metric 0
anycast 2a00:xxx:yyy:zzz6:: dev br-lan table local  metric 0
local 2a00:xxx:yyy:zzz6::1 dev br-lan table local  metric 0
anycast fe80:: dev eth1.2 table local  metric 0
anycast fe80:: dev eth1 table local  metric 0
anycast fe80:: dev eth0 table local  metric 0
anycast fe80:: dev br-lan table local  metric 0
anycast fe80:: dev wlan0 table local  metric 0
local fe80::3023:3ff:fedd:ea10 dev eth0 table local  metric 0
local fe80::3023:3ff:fedd:ea10 dev br-lan table local  metric 0
local fe80::3223:3ff:fedd:ea10 dev eth1.2 table local  metric 0
local fe80::3223:3ff:fedd:ea10 dev eth1 table local  metric 0
local fe80::3223:3ff:fedd:ea12 dev wlan0 table local  metric 0
ff00::/8 dev eth0 table local  metric 256
ff00::/8 dev eth1.2 table local  metric 256
ff00::/8 dev eth1 table local  metric 256
ff00::/8 dev br-lan table local  metric 256
ff00::/8 dev wlan0 table local  metric 256
0:      from all lookup local
32766:  from all lookup main
4200000000:     from 2a00:xxx:yyy:zzz6::1/64 iif br-lan lookup unspec unreachable
4200000001:     from all iif lo lookup unspec 12
4200000008:     from all iif br-lan lookup unspec 12
4200000010:     from all iif eth1.2 lookup unspec 12
4200000010:     from all iif eth1.2 lookup unspec 12

After adding the second prefix:

{
        "kernel": "4.14.221",
        "hostname": "lorien",
        "system": "ARMv7 Processor rev 1 (v7l)",
        "model": "Linksys WRT3200ACM",
        "board_name": "linksys,rango",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.7",
                "revision": "r11306-c4a6851c72",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt 19.07.7 r11306-c4a6851c72"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option ipaddr '192.168.12.1'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'
        option peerdns '0'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'
        option reqprefix 'auto'
        option reqaddress 'try'
        option peerdns '0'
        list ip6prefix '2a01:e34:ecb2:a156::/64'
        list ip6prefix '2a01:e34:ecb2:a157::/64'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '1 2 3 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'
        option vid '2'

config route6
        option interface 'wan6'
        option target '2000::/3'
        option gateway 'fe80::f6ca:e5ff:fe4c:58fb'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0 5t'
        option vid '24'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option domain 'laumei.eu'
        option local '/laumei.eu/'
        list server '0::1#5453'
        list server '127.0.0.1#5453'
        option noresolv '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option dhcpv6 'server'
        option ra 'server'
        option ra_default '1'
        option ra_management '2'
        list dhcp_option '6,192.168.12.8,192.168.12.1'
        list domain 'laumei.eu'
        list dns '2a01:e34:ecb2:a156::1208'
        list dns '2a01:e34:ecb2:a156::1'
        option leasetime '12h'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option mac '00:08:9B:C0:B1:B5'
        option dns '1'
        option name 'moria'
        option ip '192.168.12.12'
        option hostid '1212'
        option duid '000000089bc0b1b500089bc0b1b5'

config host
        option mac '00:1E:8F:79:B7:C9'
        option dns '1'
        option name 'mp620'
        option ip '192.168.12.15'
        option hostid '1215'

config domain
        option name 'lorien'
        option ip '2a01:e34:ecb2:a156::1'

config domain
        option name 'moria'
        option ip '2a01:e34:ecb2:a156::1212'

config cname
        option cname 'ns0.laumei.eu'
        option target 'lorien.laumei.eu'

config cname
        option cname 'ns2.laumei.eu'
        option target 'imladris.laumei.eu'

config cname
        option cname 'nas0.laumei.eu'
        option target 'moria.laumei.eu'

config host
        option mac 'DC:A6:32:BA:11:42'
        option dns '1'
        option name 'imladris'
        option hostid '1208'
        option ip '192.168.12.8'
        option duid '00020000ab11bacce236fda9e49c'

config cname
        option cname 'ntp.laumei.eu'
        option target 'lorien.laumei.eu'

config host
        option mac 'DC:A6:32:E2:7C:87'
        option name 'lumbar'
        option dns '1'
        option ip '192.168.12.4'
        option hostid '1204'
        option duid '00020000ab11ce57e231f666c727'

config cname
        option cname 'mail.laumei.eu'
        option target 'lumbar.laumei.eu'

config mxhost
        option domain 'laumei.eu'
        option relay 'mail.laumei.eu'
        option pref '10'

config txt-record

config txt-record

config host
        option mac '90:E6:BA:F2:84:27'
        option dns '1'
        option name 'pelargir'
        option ip '192.168.12.10'
        option duid '00020000ab116e7fcbb95cf4cb9f'
        option hostid '1210'

config cname
        option cname 'photos.laumei.eu'
        option target 'pelargir.laumei.eu'

config dhcp 'DMZ'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'DMZ'
        option ra_management '2'
        option ra 'server'
        option dhcpv6 'server'
        option dynamicdhcp '0'
        list domain 'laumei.eu'
        list dns '2a01:e34:ecb2:a157::1'
        option ra_default '1'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 532
    inet6 fe80::3223:3ff:fedd:ea10/64 scope link
       valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 532
    inet6 fe80::3023:3ff:fedd:ea10/64 scope link
       valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a01:e34:ecb2:a157::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2a01:e34:ecb2:a156::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::3023:3ff:fedd:ea10/64 scope link
       valid_lft forever preferred_lft forever
10: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a01:e34:ecb2:a150:3223:3ff:fedd:ea10/64 scope global dynamic
       valid_lft 86340sec preferred_lft 86340sec
    inet6 fe80::3223:3ff:fedd:ea10/64 scope link
       valid_lft forever preferred_lft forever
11: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::3223:3ff:fedd:ea12/64 scope link
       valid_lft forever preferred_lft forever
default from 2a01:e34:ecb2:a150::/64 via fe80::224:d4ff:feae:fc68 dev eth1.2  metric 512
2a01:e34:ecb2:a150::/64 dev eth1.2  metric 256
unreachable 2a01:e34:ecb2:a150::/64 dev lo  metric 2147483647  error -113
2a01:e34:ecb2:a156::/64 dev br-lan  metric 1024
unreachable 2a01:e34:ecb2:a156::/64 dev lo  metric 2147483647  error -113
2a01:e34:ecb2:a157::/64 dev br-lan  metric 1024
unreachable 2a01:e34:ecb2:a157::/64 dev lo  metric 2147483647  error -113
2000::/3 via fe80::f6ca:e5ff:fe4c:58fb dev eth1.2  metric 1024
fe80::/64 dev eth0  metric 256
fe80::/64 dev eth1.2  metric 256
fe80::/64 dev eth1  metric 256
fe80::/64 dev br-lan  metric 256
fe80::/64 dev wlan0  metric 256
local ::1 dev lo table local  metric 0
anycast 2a01:e34:ecb2:a150:: dev eth1.2 table local  metric 0
local 2a01:e34:ecb2:a150:3223:3ff:fedd:ea10 dev eth1.2 table local  metric 0
anycast 2a01:e34:ecb2:a156:: dev br-lan table local  metric 0
local 2a01:e34:ecb2:a156::1 dev br-lan table local  metric 0
anycast 2a01:e34:ecb2:a157:: dev br-lan table local  metric 0
local 2a01:e34:ecb2:a157::1 dev br-lan table local  metric 0
anycast fe80:: dev eth1.2 table local  metric 0
anycast fe80:: dev eth1 table local  metric 0
anycast fe80:: dev eth0 table local  metric 0
anycast fe80:: dev br-lan table local  metric 0
anycast fe80:: dev wlan0 table local  metric 0
local fe80::3023:3ff:fedd:ea10 dev eth0 table local  metric 0
local fe80::3023:3ff:fedd:ea10 dev br-lan table local  metric 0
local fe80::3223:3ff:fedd:ea10 dev eth1.2 table local  metric 0
local fe80::3223:3ff:fedd:ea10 dev eth1 table local  metric 0
local fe80::3223:3ff:fedd:ea12 dev wlan0 table local  metric 0
ff00::/8 dev eth0 table local  metric 256
ff00::/8 dev eth1.2 table local  metric 256
ff00::/8 dev eth1 table local  metric 256
ff00::/8 dev br-lan table local  metric 256
ff00::/8 dev wlan0 table local  metric 256
0:      from all lookup local
32766:  from all lookup main
4200000000:     from 2a01:e34:ecb2:a156::1/64 iif br-lan lookup unspec unreachable
4200000000:     from 2a01:e34:ecb2:a157::1/64 iif br-lan lookup unspec unreachable
4200000001:     from all iif lo lookup unspec 12
4200000008:     from all iif br-lan lookup unspec 12
4200000010:     from all iif eth1.2 lookup unspec 12
4200000010:     from all iif eth1.2 lookup unspec 12

It also seems that all the devices on the LAN now have 2 IPv6 addresses:

nslookup lumbar
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:      lumbar
Address 1: 192.168.12.4
Address 2: 2a00:xxx:yyy:zzz7::1204
Address 3: 2a00:xxx:yyy:zzz6::1204

Normally they should provide you a /60 or /61 instead of 6 /64s. Very cheap and stupid of them.
The problem here is that interfaces with ip6assign set to something other than 0 will try to get one chunk of the delegated prefix. This works fine in most cases, since a sane ISP assigns a /56 or /48, so the lan can get a /64 (or a /60 for further delegations) and other interfaces can also get another chunk.
Using the custom delegated prefix field means that the ISP is not delegating the prefix by DHCP, but rather has a static route pointing to your router for these prefixes. So in this case you are expected to assign the IPv6 addresses statically, not by automatic assignment.

I have to set the next hop for each /64. See below (in French).

I am not sure I understand what you mean by that.
You mean that, if I want two PDs (one for LAN and one for DMZ), I have to statically define all IPv6 addresses for every device in my LAN?

No, you just have to statically assign the prefixes to each OpenWrt interface. Basically just put static IPv6 addresses on WAN, LAN and DMZ manually.

Great to read that!

How can I do that?
Interfaces >> LAN >> General Settings >> Protocol is already set to Static Address.
There is no field to set the IPv6 prefix for LAN.

Can I add some parameters in a configuration file?

I don't see a clear option in dhcp.

It's a good question. It's not so obvious in the docs... based on this: https://openwrt.org/docs/guide-user/network/ipv6/ipv6.essentials

I think in /etc/config/network you could do things like:

option ip6addr 'abc:123::456/64'

on each interface.

I made some tests.

I added ip6addr for each interface, but if I make any modification on any interface that requires clicking on "save & apply", the file /etc/config/network seems to be rewritten and both ip6addr entries disappear.

Because DMZ has 2 gateways, I also tried to add the ip6gw option, without any result.

After reboot, I have the following result:

  • DMZ has 2 gateways
  • LAN has no gateway
  • WAN6 displays only one PD even though there are 2 PDs in /etc/config/network

Anyway, it seems that my IPv6 network in the LAN operates normally.

If you configure in LuCI, then you need to edit the lan interface and change IPv6 assignment length from 64 to disabled, and you'll see that new rows will be added.

Now you can configure the static IPv6 for this interface.
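Putting the advice in this thread together (static per-interface prefixes instead of ip6assign, a DMZ zone restricted to IPv6, and WAN-to-DMZ traffic rules for specific ports only), here is an added example of the relevant /etc/config/network, dhcp and firewall sections. It is not the poster's configuration or anything from the OpenWrt project: it reuses the thread's placeholder prefixes 2a00:xxx:yyy:a006::/64 (LAN) and a007::/64 (DMZ) and the eth0.24 VLAN already defined on the switch, and it assumes one webserver at a constructed address ::80 with a constructed DUID and constructed ports 80/443.

```uci
# /etc/config/network -- only the IPv6-relevant sections

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        list ip6prefix '2a00:xxx:yyy:a006::/64'
        list ip6prefix '2a00:xxx:yyy:a007::/64'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.12.1'
        option netmask '255.255.255.0'
        # No ip6assign: a fixed address means the delegated prefixes are not carved
        # up automatically. A host part (::1) is required; '::/64' alone is a network.
        list ip6addr '2a00:xxx:yyy:a006::1/64'

config interface 'DMZ'
        option ifname 'eth0.24'
        option proto 'static'
        # IPv6 only: no ipaddr/netmask, and again no ip6assign.
        list ip6addr '2a00:xxx:yyy:a007::1/64'

# /etc/config/dhcp -- DMZ section
config dhcp 'DMZ'
        option interface 'DMZ'
        option ra 'server'
        option dhcpv6 'server'
        # stateful-only (no SLAAC); with dynamicdhcp 0 only the static leases below get an address
        option ra_management '2'
        option ra_default '1'
        option dynamicdhcp '0'
        list dns '2a00:xxx:yyy:a007::1'

# Constructed example host: placeholder DUID, hostid 80 gives 2a00:xxx:yyy:a007::80
config host
        option name 'webserver'
        option duid '00010001deadbeef001122334455'
        option hostid '80'

# /etc/config/firewall -- DMZ zone and rules
config zone
        option name 'dmz'
        list network 'DMZ'
        option family 'ipv6'
        # Router services are rejected by default and opened per rule below.
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

# DMZ hosts may reach the internet; LAN may reach the DMZ, never the reverse.
config forwarding
        option src 'dmz'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'dmz'

# DHCPv6 clients in the DMZ must reach odhcpd on the router.
config rule
        option name 'Allow-DMZ-DHCPv6'
        option src 'dmz'
        option proto 'udp'
        option dest_port '547'
        option family 'ipv6'
        option target 'ACCEPT'

# DMZ hosts use the router as resolver (the announced DNS server above).
config rule
        option name 'Allow-DMZ-DNS'
        option src 'dmz'
        option proto 'tcp udp'
        option dest_port '53'
        option family 'ipv6'
        option target 'ACCEPT'

# Neighbour discovery, router solicitation and path MTU need ICMPv6.
config rule
        option name 'Allow-DMZ-ICMPv6'
        option src 'dmz'
        option proto 'icmp'
        option family 'ipv6'
        option target 'ACCEPT'

# The only inbound service exposed from WAN: the webserver, on constructed ports 80/443.
config rule
        option name 'Allow-WAN-DMZ-Web'
        option src 'wan'
        option dest 'dmz'
        option dest_ip '2a00:xxx:yyy:a007::80'
        option proto 'tcp'
        option dest_port '80 443'
        option family 'ipv6'
        option target 'ACCEPT'
```

The poster's existing Allow-ICMPv6-Forward rule (dest '*') already lets the necessary ICMPv6 through from WAN into the DMZ, so no extra forward rule is needed for it; the LAN-to-DMZ forwarding means LAN clients reach the webserver directly over the router, without leaving via WAN.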

Many thanks, it's really better.

What is strange is that I can't ping the gateway:

  • ping 2www:xxxx:yyyy:zzz6::1 >> icmp_seq=1 Destination unreachable: Address unreachable
  • running ip a doesn't display the 2www:xxxx:yyyy:zzz6::1 address.

Where are you pinging from?

From a server (Ubuntu) inside the LAN, in the same PD.

With all these changes, have you restarted the Ubuntu networking so it's not using old outdated prefixes etc.?

Also, are you saying ip a on the router doesn't show the addresses? Or on Ubuntu?

On the OpenWRT router.

nano /etc/config/network

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.12.1'
        option ip6gw '2www:xxxx:yyyy:zzz6::1'
        list ip6addr '2www:xxxx:yyyy:zzz6::/64'
        option ip6prefix '2www:xxxx:yyyy:zzz6::/64'

It is still the case after reboot.

That's not an address, it's a network; you should have ::1/64 at the end, just like in the gw.

I'm not sure if you want the gw address; it's not clear to me if that's what is advertised on the LAN or if it changes the router's routing tables.