Global IPv6 addresses not available in LAN

spacefox · August 5, 2022, 11:34pm

I am facing an issue raised in this forum multiple times before, but none of the solutions have worked so far.

My goal is for clients in LAN to be assigned a global IPV6 from the ISP but the RA relaying doesn't seem to work.

My WAN6, configured as a DHCPv6 client, successfully receives a global IPv6. However, clients on LAN only receive local IPv6. As suggested in multiple similar posts, I have set WAN6 as the master and relayed RA, dhcpv6 and NDP accordingly. However, I suspect some issue with the Firewall or DHCP config that causes issues.

I have also read multiple times that the ISP might not support the relaying. How can I verify this and what should I specifically ask for when talking to the ISP?

Here is cat /etc/config/network

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'
	option broadcast '192.168.0.255'
	option device 'br-lan'
	option ip6assign '64'

config interface 'wan'
	option device 'eth0.2'
	option proto 'static'
	option ipaddr '192.168.1.145'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr '<MAC>'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option description 'Home'
	option ports '0t 2 3 4'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'
	option vid '2'
	option description 'WAN'
config wireguard_Wireguard_VPN

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option description 'Guest'
	option ports '0t 5'

config interface 'Guest'
	option proto 'static'
	option device 'eth0.3'
	option netmask '255.255.255.0'
	option ipaddr '192.168.2.1'
	option gateway '192.168.1.1'
	option ip6assign '64'
	list ip6class 'local'

config interface 'WAN6'
	option proto 'dhcpv6'
	option device 'eth0.2'
	option reqaddress 'try'
	option reqprefix 'auto'
	option ip6assign '64'

Here cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun+'
	list network 'lan'
	list network 'vpn'

config zone 'wan'
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	list network 'WAN6'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	list src_ip 'fc00::/6'
	option src 'wan'

config rule
	option name 'Allow-MLD'
	option proto 'icmp'
	option family 'ipv6'
	option target 'ACCEPT'
	list src_ip 'fe80::/10'
	option src 'wan'

config rule
	option name 'Allow-ICMPv6-Input'
	option proto 'icmp'
	option family 'ipv6'
	option target 'ACCEPT'
	list icmp_type 'bad-header'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'neighbour-advertisement'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'packet-too-big'
	list icmp_type 'router-advertisement'
	list icmp_type 'router-solicitation'
	list icmp_type 'time-exceeded'
	list icmp_type 'unknown-header-type'
	option src 'wan'
	option limit '1000/hour'

config rule
	option name 'Allow-ICMPv6-Forward'
	option dest '*'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	list icmp_type 'bad-header'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'unknown-header-type'
	option src 'wan'

config include
	option path '/etc/firewall.user'

config zone
	option name 'Guest'
	option output 'ACCEPT'
	list network 'Guest'
	option forward 'ACCEPT'
	option input 'REJECT'

config forwarding
	option src 'Guest'
	option dest 'wan'

config rule
	option name 'Guest DNS'
	option src 'Guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Guest DHCP'
	list proto 'udp'
	option src 'Guest'
	option dest_port '67'
	option target 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'Guest'

config rule
	option name 'Allow LAN2Guest'
	option src 'lan'
	option dest 'Guest'
	option target 'ACCEPT'

Here cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	list server '8.8.8.8'
	list server '1.1.1.1'
	option logqueries '1'
	option sequential_ip '1'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option force '1'
	option ra 'relay'
	option dhcpv6 'relay'
	option ndp 'relay'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'



config dhcp 'Guest'
	option interface 'Guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'relay'
	option ndp 'relay'
	option ra 'relay'
	option ra_management '1'

config dhcp 'WAN6'
	option interface 'WAN6'
	option ra 'relay'
	option dhcpv6 'relay'
	option ndp 'relay'
	option master '1'
	option ignore '1'

_bernd · August 6, 2022, 6:55am

Does your ISP hand out only a single /64? If so I assume you need to relay, if not, then try to set I.e. reqprefix 56 and use ip6hint on the interface.

spacefox · August 6, 2022, 8:40am

I think the ISP hands out multiple IPs. I tried setting reqprefix 56 with a ip6hint on WAN6, but it seems like the ISP is remembering my previous requests of 64 and assigned me the same IPv6 with 2a0f:xxxx:xxxx:xxxx:yyyy:yyyy:yyyy:yyyy/64

Also interestingly, on my client, now I have a Global IPv6 assigned, also 2a0f:xxxx:xxxx:xxxx:zzzz:zzzz:zzzz:zzzz/64, but I can't ping any external servers and with curl I get:

curl -6 ifconfig.co
curl: (7) Couldn't connect to server

_bernd · August 6, 2022, 10:05am

In an ideal world you have a dedicated /64 on wan for the point to point between ISP and CPE only and in addition a /56 for your lan.
The ip6hint option is intended for your local interfaces only.
The ip6hint is the "number" of your prefix. 1 for :xx01:, 2 for :xx02: and so on
And check the routing table on the router with IP -6 route