Getting WAN IPV6 to work on LAN

Installing and Using OpenWrt Network and Wireless Configuration
1

Ive been wracking my brain for hours and have absolutely no idea what to do despite the number posts regarding this issue.

router

PING ipv6.google.com (2607:f8b0:400d:c0f::65): 56 data bytes
64 bytes from 2607:f8b0:400d:c0f::65: seq=0 ttl=43 time=99.399 ms
64 bytes from 2607:f8b0:400d:c0f::65: seq=1 ttl=43 time=97.941 ms
64 bytes from 2607:f8b0:400d:c0f::65: seq=2 ttl=44 time=97.030 ms
64 bytes from 2607:f8b0:400d:c0f::65: seq=3 ttl=44 time=97.350 ms

PC

Pinging ipv6.l.google.com [2607:f8b0:400d:c0f::65] with 32 bytes of data:
Destination net unreachable.
Destination net unreachable.
Destination net unreachable.
Destination net unreachable.

Ping statistics for 2607:f8b0:400d:c0f::65:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd00::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.1'
        option gateway '192.168.1.254'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

/etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option drop_invalid '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

/etc/config/dhcp

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
2

It's confusing but after several more hours I finally figured out what's missing and what is needed is out of the box NAT6 support.
https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6

No such thing as /etc/firewall.d/with-reload/ so I ran the script as part of the Firewall Custom Rules instead.
I can see now the clients are being assigned an IPV6 gateway which they were not before.

3

If your problem is solved, please consider marking this topic as [Solved]. (Click the pencil behind the topic...)

4

There's basically never a reason for a home user to need NAT6. Never. Really.
It's more likely that you haven't set up prefix delegation properly

1 Like
5

NAT6 is not your answer, your answer is that something isn't working in prefix delegation, and/or your ISP has problems with prefix delegation, such as they are pinning you to the initial /64 you requested and never letting you request a larger prefix, not because they won't give it to you, but because they've put your single /64 into some database that needs to be cleared before you can request a different prefix.

NAT6 is not the answer.

6

Its AT&T Uverse.

image

769d is the local link address and 30a is the Delegated Address/Subnet according to the AT&T Router under the LAN section.

If i put 769d as the gateway, and 30a as the IPv6 routed prefix the router still can ping however the clients cannot. With or without a ULA.

Whats annoying is I cant see what changes are made in windows because the ipv6 ipconfig stays across reboots and there's no way i can find to "release"

Infact no matter what I assign to windows manually will work either.
30a:2c77:1c10::100 as IP, 64 prefix length 769d:dcff:fed9:7681 as the gateway.

dhcpc6 doesn't assign an ipv6-pd.

Even tried the 6rd settings from the router, that works but the clients don't. That one even assigns a ipv6-pd.

6rd-

        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 788,
        "l3_device": "6rd-wan6",
        "proto": "6rd",
        "updated": [
                "addresses",
                "routes",
                "prefixes"
        ],
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [

        ],
        "ipv6-address": [
                {
                        "address": ":30c:a80:10::1",
                        "mask": 28
                }
        ],
        "ipv6-prefix": [
                {
                        "address": ":30c:a80:10::",
                        "mask": 60,
                        "class": "wan6",
                        "assigned": {
                                "lan": {
                                        "address": ":30c:a80:10::",
                                        "mask": 60
                                }
                        }
                }
        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "::c53:3151",
                        "metric": 4096,
                        "source": ":30c:a80:10::1\/28"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "::c53:3151",
                        "metric": 4096,
                        "source": ":30c:a80:10::\/60"
                }

dhcpc6-

{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 2,
        "l3_device": "eth1",
        "proto": "dhcpv6",
        "device": "eth1",
        "updated": [
                "addresses",
                "routes"
        ],
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [

        ],
        "ipv6-address": [
                {
                        "address": ":30a:2c77:1c10:224e:7fff:fe74:2bd9",
                        "mask": 64,
                        "preferred": 604788,
                        "valid": 2591988
                }
        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": ":30a:2c77:1c10::",
                        "mask": 64,
                        "nexthop": "::",
                        "metric": 256,
                        "valid": 2591988,
                        "source": "::\/0"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "::769d:dcff:fed9:7681",
                        "metric": 512,
                        "valid": 1788,
                        "source": ":30a:2c77:1c10:224e:7fff:fe74:2bd9\/64"
7

The addresses you're typing in are not ipv6 addresses, so I'm confused. global ipv6 addresses start with 2xxx: and have 8 sections separated by : (unless the :: abbreviation is used). Addresses never start with colons.

I have ATT / Uverse fiber and it gives my ISP equipment a /60 which is only willing to delegate /64, but it will delegate multiple /64s so I have a solution involving wide dhcpv6 to request multiple /64s and put one on lan, one on guest, etc But my router isn't running OpenWRT it's running Debian.

You may have a similar problem though, it might offer you multiple /64s rather than letting you ask for a /61 or whatever.

8

Yeah I'm removing the first 4 digits from the addresses.

9

Looks like making ipv6 changes in OpenWRT is just as annoying. I can disable the adapter and ipv6 continues to work to my surprise unless I reboot. Turns out 6rd doesn't work at all. Everything gets assigned but the RX always remains 0.

10

I'm not sure why you're manually assigning anything

Without changing configuration past enabling DHCP on your WAN interface (and its "WAN6" counterpart), the following should work automatically:

  • Your WAN interface will get
    • An IPv6 link-local address, that may well be used for the upstream route
    • A global IPv6 address, the IA_NA (that is likely not in your IA_PD)
  • Your device will get, by way of RA and DHCPv6 on the WAN interface
    • An upstream route
    • An IA_PD ("prefix delegation") of at least /64 in size
  • Your device will then configure itself to
    • Use one of the addresses in the IA_PD on its LAN interface
    • Advertise a /64 out of your IA_PD on its LAN interface with RAs
    • Advertise an upstream route for IPv6 clients through its LAN interface with RAs
  • Clients of the LAN interface them
    • Self-select one or more link-local IPv6 addresses
    • Self-select a global IPv6 address from the /64 advertised
    • Set up a default route based on the RAs

Note that ULAs have nothing to do with global connectivity. Note that there is no manual configuration required for the router or its clients.

11

After reading a lot more threads and remembering a section on the wiki I think i finally found the solution.

Setting both lan and wan dhcp ipv6 settings to relay and wan as master.

Appears to work!

1 Like
12

@FireCulex, I got it working the same way. However I can't ping IPv6 sites from my LAN hosts. I can definitely do them from my Openwrt router ? Did you add any static ipv6 routes for upstream and downstream connectivity to work

Thanks in advance,