Dual ISP IPv6 configuration help

I'm not sure if what I'm about to ask for even makes sense, so perfectly happy to be educated, or diverted onto better approaches if that makes more sense.

What I'm trying to do is put one machine on my LAN on the static IPv6 prefix from one of my two upstream ISPs, and all the other machines on my LAN on the dynamic IPv6 prefix from my other upstream ISP. Fundamentally I'm trying to avoid the (multi-home) problems of any interface having more than one GUA.

So, is there any way that I can configure OpenWRT to implement this? A sort of blacklist/whitelist based on MAC addresses perhaps? I'm happy to manually configure the networking on the "solo" machine if necessary.

That doesn't work (aside from manual client-side configuration); either the prefix is active on your LAN (with all its auto-configuration) or it isn't.

1 Like

You can do this just fine with VLANs though. Put the one machine on its own VLAN and put the static prefix there. Put the other machines on a separate VLAN with the dynamic prefix.

1 Like

Please configure two separate LANs. You can do this either through VLANs or using separate bridges, or a combination of both. Then, for each of the LANs, set the ip6class property to the name of the WAN from which it should assign IPv6 addresses.

This is exposed on the Advanced tab of the LAN interface configuration.

2 Likes
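The two-LAN layout with `ip6class` described in the post above, written out as an `/etc/config/network` fragment. This is an added example, not configuration posted by anyone in the thread; the interface names `wan6`, `wanb6`, `lan` and `lan_new`, the port names, the VLAN IDs and the `lan` IPv4 address are assumptions.

```uci
# /etc/config/network (fragment), constructed example.
# Assumed: upstream IPv6 interfaces are named 'wan6' (dynamic prefix) and
# 'wanb6' (static prefix); switch ports are lan1..lan3; VLAN IDs 10 and 20.

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

# VLAN 10: the ordinary machines (untagged on lan1 and lan2).
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:u*'
	list ports 'lan2:u*'

# VLAN 20: the single machine that should use the static prefix.
config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan3:u*'

# ip6class restricts which delegated prefixes this interface may draw its
# /64 from: here only the prefix learned on 'wan6', plus the ULA ('local').
config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	list ip6class 'wan6'
	list ip6class 'local'

# Same idea for the second LAN, but bound to the other upstream's prefix.
config interface 'lan_new'
	option device 'br-lan.20'
	option proto 'static'
	option ipaddr '192.168.251.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	list ip6class 'wanb6'
	list ip6class 'local'
```

Each interface defined this way still needs its own `dhcp` section for RA/DHCPv6 and membership in a firewall zone before clients on it receive addresses and have their traffic forwarded.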

Thanks everyone. Really appreciate the help with this - I will set up separate LANs with VLANs. Judging from @patrakov's screenshot I can spread my ULA across both VLANs to keep internal addressability/connectivity working smoothly too, which is a big help. Will try this out on Sunday and report back!

1 Like

Just to conclude this:
I separated my br.lan into two new devices using VLAN filtering. I then switched my main "lan" interface onto one of those, leaving the other to be used with my second ISP as "lan-new". While doing this I also took the opportunity to extend those across my switches with trunks etc.

Back on the router I got IPv4 working really easily, with private subnets assigned to each VLAN instance, and OpenWRT managing routing between them. All outbound IPv4 traffic went with my default route, which followed the IPv4 priority, and out onto my default (original) ISP as expected.

I then installed the PBR app, which allowed me to create a simple rule for the IPv4 traffic (so that anything from the "lan-new" subnet not destined for a private IP address range goes with my non-default ISP) and that was it for IPv4. Done and working.

IPv6 was more problematic, and although I have a working solution now, I'm not sure why I needed to do it the way I did. Bottom line is I followed @patrakov's approach with prefix filters on the interfaces, which appeared to cause prefixes to be selectively assigned correctly, and dhcp6 and RA to configure addresses etc.

But, routing didn't work. From within lan-new I couldn't reach any IPv6 addresses outside, and from outside I couldn't access any IPv6 address within lan-new, despite both being in the same firewall zone. That was equally true for ULA or GUA addresses.

In the end, after a lot of fighting, since I only intend this new subnet to be used by one or two machines, I tried manually creating an absolutely minimal static netplan config on my test Ubuntu machine:

network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      optional: true
      accept-ra: no
      addresses:
        - 192.168.251.212/24
        - "2001:xxx:xxxx:xx00::212/64"
        - "fdb4:0:0:1::212/64"
      gateway4: 192.168.251.1
      gateway6: "2001:xxx:xxxx:xx00::1"
      nameservers:
        search: [my.lan]
        addresses:
          - 192.168.251.1
          - "2001:xxx:xxxx:xx00::1"
          - "fdb4:0:0:1::1"

I added a couple of DNS records for 192.168.251.212 and fdb4:0:0:1::212 to OpenWRT for convenience, and everything works perfectly.

So I suspect somewhere in the morass of IPv6 settings to automatically configure DHCP6, RA, NDP etc. etc., I misconfigured something. I'd love to understand what, and if anyone can point me to a good guide for setting up multiple routable IPv6 subnets on a recent version of OpenWRT, I'd be delighted to read and understand.

But for me, this now works well enough for my immediate needs. Hope this might help someone else.

Without having seen your settings, just a wild guess.

Disabling IPv6 source routing is often needed to get default IPv6 routing via e.g. an alternate interface like a VPN.
LuCI > Network > Interfaces > wan6 > Advanced tab: disable/untick "IPv6 Source Routing".
In /etc/config/network, add under wan6: option sourcefilter '0'

1 Like

Thanks @egc I will take a look at that next, as it would be good to get it working automatically.