Hi, I'm new to OpenWRT, so pls be patient. The issue I experience is not clearly explained step-by-step in any wiki, forum thread or blog I've read so far. I installed the current release OpenWRT 21.02.1 on a dual-band TP-Link WDR4900 v1.3 router behind a cable modem & router Hitron CGN3ACR. The TP-Link wlan0 5Hz is set up as wireless Client to the modem & router, and wlan1 2.4Hz is set up as my LAN AP.
This basic setup works fine in IPv4 with default OpenWRT config and obvious Interfaces options tune up. But I can't get IPv6 PC clients to reach the internet. I added wwan6 interface with DHCP6 enabled as alias to wwan, and the PC adapters got IP and IPv6 leases. The TP-Link router is registered in the modem GUI with IP and 2 IPv6 addresses. I can ping Google 6 from the router, but not from wired or wireless PCs connected to it. And ipv6-test.com still shows "IPv6 not supported".
I think this topic needs a Wiki page, since default OpenWRT config comes without preconfigured IPv6 support, at least in Wireless STA+AP or STA scenario. Can someone suggest the shortest way to set up an IPv6 connection? I don't want the modem to hand over IPv6 addresses to the PC clients, they should be assigned for my network by the TP-Link router for improved segment isolation.
Hitron is a modem & router, and its WiFi connection is shared btw several unrelated people. I need to isolate my network segment for better security. I should add that Hitron GUI doesn't offer end user IPv6 options page, but if I connect my PC WiFi adapter directly to Hitron, it receives both IPv4 and IPv6 traffic. The ISP supports DHCPv6 /64 prefix delegation, if it's relevant, since I need the TP-Link router to assign IPv6 addresses to LAN devices to separate my LAN from the modem & router.
Cont. config:
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru;
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru;
ls -l /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
root@WDR4900:~# ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
>
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.0.260/24 brd 192.168.0.255 scope global wlan0
valid_lft forever preferred_lft forever
default via 192.168.0.1 dev wlan0 src 192.168.0.260
192.168.0.0/24 dev wlan0 scope link src 192.168.0.260
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.0.0 dev wlan0 table local scope link src 192.168.0.260
local 192.168.0.260 dev wlan0 table local scope host src 192.168.0.260
broadcast 192.168.0.255 dev wlan0 table local scope link src 192.168.0.260
broadcast 192.168.1.0 dev br-lan table local scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local scope link src 192.168.1.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
root@WDR4900:~#
root@WDR4900:~# ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
>
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::xxxx:xxxx:xxxx:6be9/64 scope link
valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fd43:5f77:xxxx::1/64 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::xxxx:xxxx:xxxx:6be9/64 scope link
valid_lft forever preferred_lft forever
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::xxxx:xxxx:xxxx:6bea/64 scope link
valid_lft forever preferred_lft forever
8: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::fa1a:xxxx:xxxx:xxxx:6be8/64 scope link
valid_lft forever preferred_lft forever
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fd00:bc4d:xxxx:xxxx:xxxx:xxxx:xxxx:6be9/64 scope global dynamic noprefixroute
valid_lft 535075sec preferred_lft 401218sec
inet6 2607:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:6be9/64 scope global dynamic noprefixroute
valid_lft 604447sec preferred_lft 172447sec
inet6 2607:xxxx:xxxx:xxx::9/128 scope global dynamic noprefixroute
valid_lft 553776sec preferred_lft 121776sec
inet6 fe80::xxxx:xxxx:xxxx:6be9/64 scope link
valid_lft forever preferred_lft forever
default from 2607:xxxx:xxxx:xxx::9 via fe80::xxxx:xxxx:xxxx:1612 dev wlan0 metric 512
default from 2607:xxxx:xxxx56e0:xxx::/64 via fe80::xxxx:xxxx:xxxx:1612 dev wlan0 metric 512
default from fd00:bc4d:xxxx:1612::/64 via fe80::xxxx:xxxx:xxxx:1612 dev wlan0 metric 512
2607:xxxx:56e0:xxx::/64 dev wlan0 metric 256
2607:xxxx:56e0:xxx::/64 via fe80::xxxx:xxxx:xxxx:1612 dev wlan0 metric 512
unreachable 2607:xxxx:xxxx:xxx::/64 dev lo metric 2147483647
2000::/3 via fe80::xxxx:xxxx:xxxx:1612 dev wlan0 metric 1024
fc00::/7 from 2607:xxxx:xxxx:xxx::9 via fe80::xxxx:xxxx:xxxx:1612 dev wlan0 metric 512
fc00::/7 from 2607:xxxx:xxxx:xxx::/64 via fe80::xxxx:xxxx:xxxx:1612 dev wlan0 metric 512
fc00::/7 from fd00:bc4d:xxxx:xxx::/64 via fe80::xxxx:xxxx:xxxx:1612 dev wlan0 metric 512
fd00:bc4d:xxxx:1612::/64 dev wlan0 metric 256
unreachable fd00:xxxx:xxxx:xxxx::/64 dev lo metric 2147483647
fd43:5f77:xxxx:xxxx:xxxx:ee44:7954 dev br-lan metric 1024
fd43:5f77:xxxx:xxxx:xxxx:fc52:6ed dev br-lan metric 1024
fd43:5f77:xxxx:xxxx:xxxx:cb2d:9556 dev br-lan metric 1024
fd43:5f77:xxxx:xxxx:xxxx:29f5:709e dev br-lan metric 1024
fd43:5f77:c475::/64 dev br-lan metric 1024
unreachable fd43:5f77:xxxx::/48 dev lo metric 2147483647
fe80::/64 dev eth0 metric 256
fe80::/64 dev eth0.2 metric 256
fe80::/64 dev br-lan metric 256
fe80::/64 dev wlan1 metric 256
fe80::/64 dev wlan0 metric 256
local ::1 dev lo table local metric 0
anycast 2607:xxxx:xxxx:xxxx:: dev wlan0 table local metric 0
local 2607:xxxx:56e0:xxx::9 dev wlan0 table local metric 0
local 2607:xxxx:56e0:xxx:xxxx:xxxx:xxxx:6be9 dev wlan0 table local metric 0
anycast fd00:bc4d:xxxx:1612:: dev wlan0 table local metric 0
local fd00:bc4d:xxxx:1612:xxxx:xxxx:xxxx:6be9 dev wlan0 table local metric 0
anycast fd43:5f77:xxx:: dev br-lan table local metric 0
local fd43:5f77:xxxx::1 dev br-lan table local metric 0
anycast fe80:: dev eth0.2 table local metric 0
anycast fe80:: dev eth0 table local metric 0
anycast fe80:: dev br-lan table local metric 0
anycast fe80:: dev wlan1 table local metric 0
anycast fe80:: dev wlan0 table local metric 0
local fe80::xxxx:xxxx:xxxx:6be8 dev wlan1 table local metric 0
local fe80::xxxx:xxxx:xxxx:6be9 dev eth0 table local metric 0
local fe80::xxxx:xxxx:xxxx:6be9 dev br-lan table local metric 0
local fe80::xxxx:xxxx:xxxx:6be9 dev wlan0 table local metric 0
local fe80::xxxx:xxxx:xxxx:6bea dev eth0.2 table local metric 0
multicast ff00::/8 dev eth0 table local metric 256
multicast ff00::/8 dev br-lan table local metric 256
multicast ff00::/8 dev eth0.2 table local metric 256
multicast ff00::/8 dev wlan1 table local metric 256
multicast ff00::/8 dev wlan0 table local metric 256
0: from all lookup local
32766: from all lookup main
4200000001: from all iif lo lookup unspec 12
4200000005: from all iif br-lan lookup unspec 12
4200000009: from all iif wlan0 lookup unspec 12
4200000009: from all iif wlan0 lookup unspec 12
root@WDR4900:~# ls -l /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
lrwxrwxrwx 1 root root 16 Oct 24 05:01 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r-- 1 root root 47 Nov 19 20:30 /tmp/resolv.conf
/tmp/resolv.conf.d:
-rw-r--r-- 1 root root 130 Nov 19 06:44 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1
==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1
==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error
I don't see anything delegated to the OpenWrt, although the configuration is correct. Maybe you should specify the prefix length under wwan6 options?
Also the static route is not needed.
The prefix length suggestion didn't work alone. I then set WWAN6 in Relay mode without prefix length specified. In that scenario IPv6 on my PC clients is working fine. It turns out the ISP delegates /64 prefixes, so they are relayed to my LAN Win 10 PCs and other devices.
However, I suspect in the Relay mode all my end PCs are exposed to other Hitron modem & router WiFi clients and the ISP for that matter in IPv6 protocol, and can be exploited since they are placed on the modem & router LAN??? I wanted to have IPv6 network isolated similar to IPv4 behind my OpenWRT router NAT6. It looks like NAT6 and IPv6 masquerading is a more suitable approach for that? Or any other approach to hide my devices behind OpenWRT that allows to use /64 prefixes from the ISP?
I'm not that familiar with IPv6, so my above assumptions may be wrong altogether? Btw, how did you find out from the above config that IPv6 prefix is not delegated? I want to learn the debug process...
Will check traffic with Wireshark. However, I see heavy pen tests of my PCs' open ports from LAN when directly connected to the Hitron's WiFi, and am notified by PC Firewall of malicious traffic. Any workaround to /64 ISP's prefix delegation?
The modem & router GUI doesn't have a separate consumer IPv6 config page. It shows a number of IP addresses registered under my OpenWRT router's wlan0 MAC. But I suspect other PCs directly connected to the modem may use exploits and tools to see my PCs' MACs behind OpenWRT router in the IPv6 Relay mode, and do pen tests. In fact I had leaks via IPv4 before adding the OpenWRT router when not using VPN, and especially when temp switching the PC firewall off.
This ISP forum thread shows some customers get /56 prefixes using dhcpcd instead of odhcp. But I'm not getting even /64 prefix regardless of wwan6 settings. How can I troubleshoot WHY?
If prefix length is /64, would it still be received by the OpenWRT router and visible when running ifstatus wwan6? This thread Debugging DHCPv6-PD exposes some issues in getting prefixes via odhcp. I couldn't find a reference on how to use dhcpcd instead in OpenWRT?
What they describe in the forum is someone using dhcpcd to get a /56 directly from this ISP. You have the OpenWrt downstream from the main router, which is supposed to ask for a prefix from the ISP and then to delegate some part of it to OpenWrt.
Are you hinting they use the cable modem in Bridge mode, which requires wired connection of an OpenWRT router to it, since the modem & router WiFi is only accessible in Gateway mode? But I can only connect OpenWRT to the modem via WiFi, as no wires run through the house, and the modem WiFi can't be switched off anyway as used by other folks. However, this ISP's post doesn't require switching their modem into Bridge mode to obtain IPv6 prefix by various downstream routers.
So you suggest the modem's FW doesn't allow obtaining or delegating an IPv6 prefix for downstream networks in Gateway mode, even though the OpenWRT Client correctly asks for it via WiFi? But how to check for sure which device is at fault here: the modem or OpenWRT router?
The ISP modem/router should request and get a /56. Then it should delegate a smaller prefix, like /60, to the OpenWrt. You could try to connect the OpenWrt by cable to the ISP modem/router and use it in Bridge mode to verify that ISP does indeed provide a bigger prefix.
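An added example, not part of any post in this thread: a small Python check for the question of whether a prefix was delegated at all, and how many LAN /64 subnets it would leave room for (the /56 and /60 case discussed above). The sample JSON is constructed with documentation prefixes; the `ipv6-address` / `ipv6-prefix` keys with `address` and `mask` fields are an assumption about the shape of `ifstatus wwan6` output on the router.

```python
import ipaddress
import json

# Constructed samples shaped like `ifstatus wwan6` output (assumed key names,
# documentation prefix 2001:db8::/32, not data from the thread).
SAMPLE_NO_PD = json.dumps({
    "up": True, "proto": "dhcpv6", "device": "wlan0",
    "ipv6-address": [{"address": "2001:db8:56e0:1::9", "mask": 128}],
    "ipv6-prefix": [],
})
SAMPLE_PD_60 = json.dumps({
    "up": True, "proto": "dhcpv6", "device": "wlan0",
    "ipv6-address": [{"address": "2001:db8:56e0:1::9", "mask": 128}],
    "ipv6-prefix": [{"address": "2001:db8:56e0:10::", "mask": 60}],
})


def delegated_prefixes(ifstatus_json):
    """Return the delegated prefixes as ipaddress network objects."""
    status = json.loads(ifstatus_json)
    return [ipaddress.ip_network(f"{p['address']}/{p['mask']}", strict=False)
            for p in status.get("ipv6-prefix", [])]


def lan_capacity(prefix):
    """Number of /64 LAN subnets the prefix can supply (0 if longer than /64)."""
    return 2 ** (64 - prefix.prefixlen) if prefix.prefixlen <= 64 else 0


def diagnose(ifstatus_json):
    """Summarise what the upstream router handed to this interface."""
    status = json.loads(ifstatus_json)
    prefixes = delegated_prefixes(ifstatus_json)
    if not prefixes:
        if status.get("ipv6-address"):
            return "address only: upstream gave an address but delegated no prefix"
        return "no IPv6: no address and no prefix"
    best = min(prefixes, key=lambda n: n.prefixlen)  # shortest mask = largest block
    return f"delegated {best}: room for {lan_capacity(best)} LAN /64 subnet(s)"


if __name__ == "__main__":
    for sample in (SAMPLE_NO_PD, SAMPLE_PD_60):
        print(diagnose(sample))
```

To check a real router, save the output of `ifstatus wwan6` to a file and pass its text to `diagnose()`.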