DMZ with ipv6 only and a dedicated PD

That's better. The field was not empty so I didn't change it.

8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 00:00:00:00:ea:10 brd ff:ff:ff:ff:ff:ff
    inet 192.168.12.1/24 brd 192.168.12.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 2www:xxxx:yyyy:zzz6::1/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::3023:3ff:fedd:ea10/64 scope link
       valid_lft forever preferred_lft forever

On the Ubuntu server, after reboot, I still have
ping -6 2www:xxxx:yyyy:zzz6::1
ping: connect: Network is unreachable

Same issue under Windows.

Strange issue: after reboot, on OpenWrt, I can't perform ip r 6

ip: invalid argument '6' to 'ip'

Remove these.

Do you know what this is doing, or did you randomly select it? (It is advertising only DHCPv6 addresses, no SLAAC.)

Restart network and post the following:
uci export network; ip -6 addr; ip -6 ro li table all; ip -6 ru
Does the Ubuntu get some IPv6? Does it have a route?

To be honest, not fully, but IPv6 was working fine for all my devices (Ubuntu, Windows, NAS and Apple; I don't have an Android device) before trying to create the DMZ.

Not anymore, the Ubuntu doesn't get an IPv6 address.

package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.12.1'
        option ip6gw '2a00:xxx:yyy:zzz6::1'
        option ip6prefix '2a00:xxx:yyy:zzz6::/64'
        list ip6addr '2a00:xxx:yyy:zzz6::1'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'
        option peerdns '0'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'
        option reqprefix 'auto'
        option reqaddress 'try'
        option peerdns '0'
        list ip6prefix '2a00:xxx:yyy:zzz6::/64'
        list ip6prefix '2a00:xxx:yyy:zzz7::/64'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '1 2 3 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'
        option vid '2'

config route6
        option interface 'wan6'
        option target '2000::/3'
        option gateway 'fe80::f6ca:e5ff:fe4c:58fb'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0 5t'
        option vid '24'

config interface 'DMZ'
        option ifname 'eth0.24'
        option proto 'static'
        option ip6gw '2a00:xxx:yyy:zzz7::1'
        option ip6prefix '2a00:xxx:yyy:zzz7::/64'
        list ip6addr '2a00:xxx:yyy:zzz7::1'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 532
    inet6 fe80::3223:3ff:fedd:ea10/64 scope link
       valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 532
    inet6 fe80::3023:3ff:fedd:ea10/64 scope link
       valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a00:xxx:yyy:zzz6::1/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::3023:3ff:fedd:ea10/64 scope link
       valid_lft forever preferred_lft forever
10: eth0.24@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a00:xxx:yyy:zzz7::1/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::3023:3ff:fedd:ea10/64 scope link
       valid_lft forever preferred_lft forever
11: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a00:xxx:yyy:zzz0:3223:3ff:fedd:ea10/64 scope global dynamic
       valid_lft 86178sec preferred_lft 86178sec
    inet6 fe80::3223:3ff:fedd:ea10/64 scope link
       valid_lft forever preferred_lft forever
12: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::3223:3ff:fedd:ea12/64 scope link
       valid_lft forever preferred_lft forever
default from 2a00:xxx:yyy:zzz0::/64 via fe80::224:d4ff:feae:fc68 dev eth1.2  metric 512
2a00:xxx:yyy:zzz0::/64 dev eth1.2  metric 256
unreachable 2a00:xxx:yyy:zzz0::/64 dev lo  metric 2147483647  error -113
2a00:xxx:yyy:zzz6::1 dev br-lan  metric 256
unreachable 2a00:xxx:yyy:zzz6::/64 dev lo  metric 2147483647  error -113
2a00:xxx:yyy:zzz7::1 dev eth0.24  metric 256
unreachable 2a00:xxx:yyy:zzz7::/64 dev lo  metric 2147483647  error -113
2000::/3 via fe80::f6ca:e5ff:fe4c:58fb dev eth1.2  metric 1024
fe80::/64 dev eth0  metric 256
fe80::/64 dev eth0.24  metric 256
fe80::/64 dev eth1  metric 256
fe80::/64 dev eth1.2  metric 256
fe80::/64 dev br-lan  metric 256
fe80::/64 dev wlan0  metric 256
local ::1 dev lo table local  metric 0
anycast 2a00:xxx:yyy:zzz0:: dev eth1.2 table local  metric 0
local 2a00:xxx:yyy:zzz0:3223:3ff:fedd:ea10 dev eth1.2 table local  metric 0
local 2a00:xxx:yyy:zzz6::1 dev br-lan table local  metric 0
local 2a00:xxx:yyy:zzz7::1 dev eth0.24 table local  metric 0
anycast fe80:: dev eth1 table local  metric 0
anycast fe80:: dev eth0.24 table local  metric 0
anycast fe80:: dev eth0 table local  metric 0
anycast fe80:: dev eth1.2 table local  metric 0
anycast fe80:: dev br-lan table local  metric 0
anycast fe80:: dev wlan0 table local  metric 0
local fe80::3023:3ff:fedd:ea10 dev eth0.24 table local  metric 0
local fe80::3023:3ff:fedd:ea10 dev eth0 table local  metric 0
local fe80::3023:3ff:fedd:ea10 dev br-lan table local  metric 0
local fe80::3223:3ff:fedd:ea10 dev eth1 table local  metric 0
local fe80::3223:3ff:fedd:ea10 dev eth1.2 table local  metric 0
local fe80::3223:3ff:fedd:ea12 dev wlan0 table local  metric 0
ff00::/8 dev eth0 table local  metric 256
ff00::/8 dev br-lan table local  metric 256
ff00::/8 dev eth0.24 table local  metric 256
ff00::/8 dev eth1 table local  metric 256
ff00::/8 dev eth1.2 table local  metric 256
ff00::/8 dev wlan0 table local  metric 256
0:      from all lookup local
32766:  from all lookup main
4200000001:     from all iif lo lookup unspec 12
4200000008:     from all iif br-lan lookup unspec 12
4200000010:     from all iif eth0.24 lookup unspec 12
4200000011:     from all iif eth1.2 lookup unspec 12
4200000011:     from all iif eth1.2 lookup unspec 12

I asked you to remove these.
The same for the DMZ interface. Also fix the prefix length of the ip6address in the DMZ interface to /64.

Indeed, removing ip6gw and ip6prefix and adding /64 to ip6address fixed the problem.

So the only change required was to set IPv6 assignment length to disabled.

My Ubuntu server can get an IPv6 address. In fact 3; this should be linked to the "stateless + stateful" option.

For my understanding, does setting ip6gw and ip6prefix disable some automatic stuff?

Many thanks

You cannot use as gateway the address of the interface. It must be the uplink router to the internet. This is already configured in wan6.

You cannot delegate the same prefix you are using on the lan interface. It must be some other prefix.

Thanks, everything seems to be OK.

I will do a summary with LuCI screenshots and description.

Find below a summary of how to set up a DMZ with two prefix delegations: one for the LAN and the second for the DMZ.

This setup is mainly based on guide-to-set-up-dmz-via-luci

First step: create a new VLAN
Open Network -> Switch to set up a VLAN. To understand your default configuration, find the Switch Ports (for VLANs) section for your router in the Table of Hardware. I created a VLAN with id 24 on LAN4 and linked it to CPU (eth0).

This action will create an interface named eth0.24

Second step: create a new Interface
Open Network -> Interfaces to set up the DMZ. The main setting is to set IPv6 assignment length to disabled.

Third step: set up firewall rules for the DMZ
Open Network -> Firewall.

This allows the LAN to get onto the DMZ and prohibits the DMZ from getting onto the LAN.
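As an added check (not part of the thread or of OpenWrt itself), a small linter for the three mistakes diagnosed in this thread: ip6gw pointing at the interface's own address, ip6prefix repeating the prefix the interface already uses, and ip6addr without a /64 length. The minimal uci reader and the 2001:db8 documentation prefixes are constructed for the example.

```python
import ipaddress
import re

# Constructed sample (documentation prefixes stand in for the real ones):
# the DMZ stanza as first posted, and the form that fixed it.
BROKEN = """
config interface 'DMZ'
        option ifname 'eth0.24'
        option proto 'static'
        option ip6gw '2001:db8:0:7::1'
        option ip6prefix '2001:db8:0:7::/64'
        list ip6addr '2001:db8:0:7::1'
"""
FIXED = """
config interface 'DMZ'
        option ifname 'eth0.24'
        option proto 'static'
        list ip6addr '2001:db8:0:7::1/64'
"""

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?$")
KV_RE = re.compile(r"^(?:option|list)\s+(\S+)\s+'([^']*)'$")

def parse_uci(text):
    """Minimal 'uci export' reader: {section name: {key: [values]}}."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            cur = sections.setdefault(m.group(2) or m.group(1), {"_type": [m.group(1)]})
            continue
        m = KV_RE.match(line)
        if m and cur is not None:
            cur.setdefault(m.group(1), []).append(m.group(2))
    return sections

def lint_static_ipv6(text):
    """Return findings for every proto 'static' interface in the export."""
    findings = []
    for name, sec in parse_uci(text).items():
        if sec["_type"] != ["interface"] or sec.get("proto") != ["static"]:
            continue
        addrs = sec.get("ip6addr", [])
        own = {ipaddress.ip_address(a.split("/")[0]) for a in addrs}
        for a in addrs:
            if "/" not in a:
                findings.append(f"{name}: ip6addr {a} has no prefix length; use /64")
        for gw in sec.get("ip6gw", []):
            if ipaddress.ip_address(gw) in own:
                findings.append(f"{name}: ip6gw {gw} is the interface's own address; the uplink gateway belongs on wan6")
        for p in sec.get("ip6prefix", []):
            if any(a in ipaddress.ip_network(p) for a in own):
                findings.append(f"{name}: ip6prefix {p} is the prefix this interface already uses; remove it")
    return findings
```

Run it over `uci export network` output from the router: the broken stanza yields three findings, the fixed one none.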
