Guests cannot browse IPv6 internet

Good evening,

My ISP has enabled IPv6 on my connection, and I can visit IPv6 sites fine from my LAN. However, clients on my guest network never receive a DHCPv6 lease. I'm sure this is something simple, but I can't see it at the moment:

/etc/config/network
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf3:e716:6c30::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ip6assign '64'
	option ip6hint 'AA'
	option netmask '255.255.255.0'
	option ipaddr '192.168.10.1'
	option ifname 'eth1 eth2'

config interface 'wan'
	option proto 'pppoe'
	option ifname 'eth0'
	option ipv6 'auto'
	option peerdns '0'
	option dns '185.228.168.9 185.228.169.9'
	option username '...'
	option password '...'

config interface 'wan6'
	option ifname '@wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	option dns '2a0d:2a00:1::2 2a0d:2a00:2::2'

config interface 'modem'
	option proto 'static'
	option ifname 'eth0'
	option ipaddr '192.168.2.2'
	option netmask '255.255.255.0'


config interface 'streaming'
	option type 'bridge'
	option proto 'static'
	option ip6assign '64'
	option ip6hint 'BB'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	option ifname 'eth1.20'

config interface 'guest'
	option proto 'static'
	option ifname 'eth1.100'
	option ipaddr '10.0.0.1'
	option netmask '255.255.255.0'
	option type 'bridge'
	option ip6assign '64'
	option ip6hint 'CC'


config interface 'family'
	option type 'bridge'
	option proto 'static'
	option ifname 'eth1.30'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6hint 'DD'

/etc/config/dhcp
config dnsmasq 'main'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option nonwildcard '1'
	option localservice '1'
	option noresolv '1'
	list server '127.0.0.1#5453'
	option dnssec '1'
	option dnsseccheckunsigned '1'
	option serversfile '/tmp/adb_list.overall'

config dnsmasq 'family'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/family/'
	option domain 'family'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases.family'
	option serversfile '/tmp/adb_list.overall'
	option nonwildcard '1'
	option localservice '1'
	option noresolv '1'
	list interface 'family'
	list notinterface 'lo'
	list server '185.228.168.168'
	list server '185.228.169.168'
	option dnssec '1'
	option dnsseccheckunsigned '1'

config dhcp 'lan'
	option instance 'main'
	option interface 'lan'
	option start '100'
	option limit '150'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option leasetime '168h'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'streaming'
	option start '100'
	option limit '150'
	option interface 'streaming'
	option instance 'main'
	option leasetime '168h'
	option ra 'server'
	option dhcpv6 'server'

config dhcp 'guest'
	option start '100'
	option limit '150'
	option interface 'guest'
	option instance 'main'
	option leasetime '48h'
	option ra 'server'
	option dhcpv6 'server'

config dhcp 'familysafe'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'family'
	option instance 'family'
	option ra 'server'
	option dhcpv6 'server'

Thanks, in advance.

I turned off IPv6 for my internal because it seems too complicated and I am worried about stuff breaking because not everything is IPv6 yet.

Make sure your DHCP Server is the IPv6 one (luci / network/interfaces/lan/edit/DHCP Server).

Thanks. I'm comfortable with IPv6 being enabled and it works well, and without issue, on my LAN. I'd just like my guests to be handed out DHCPv6 leases so they can browse IPv6, too.

Do you have a /64 from your ISP or something bigger?
With a /48 your config looks good.

Thanks. I get /48 from my ISP. Like you, I can't see a reason in my config why this wouldn't work for my guest network. I wonder if it might be something VLAN-related.

What is the output of:

ifstatus wan6; ifstatus guest

Thanks. Some details obfuscated:


{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 46625,
	"l3_device": "pppoe-wan",
	"proto": "dhcpv6",
	"device": "pppoe-wan",
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		
	],
	"ipv6-address": [
		{
			"address": "redacted",
			"mask": 64,
			"preferred": 1728,
			"valid": 17928
		}
	],
	"ipv6-prefix": [
		{
			"address": "2a02:redacted::",
			"mask": 48,
			"class": "wan6",
			"assigned": {
				"lan": {
					"address": "2a02:redacted:aa::",
					"mask": 64
				},
				"streaming": {
					"address": "2a02:redacted:bb::",
					"mask": 64
				},
				"guest": {
					"address": "2a02:redacted:cc::",
					"mask": 64
				},
				"family": {
					"address": "2a02:redacted:dd::",
					"mask": 64
				}
			}
		}
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "redacted",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"valid": 17928,
			"source": "::/0"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::d2f0:dbff:fe6c:e000",
			"metric": 512,
			"valid": 1128,
			"source": "2a02:redacted::/48"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::d2f0:dbff:fe6c:e000",
			"metric": 512,
			"valid": 1128,
			"source": "redacted/64"
		}
	],
	"dns-server": [
		"2a0d:2a00:1::2",
		"2a0d:2a00:2::2"
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			"2a02:8010:1:0:212:23:3:100"
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		"passthru": "001700102a028010000100000212002300030100"
	}
}
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 40884,
	"l3_device": "br-guest",
	"proto": "static",
	"device": "br-guest",
	"updated": [
		"addresses"
	],
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		{
			"address": "10.0.0.1",
			"mask": 24
		}
	],
	"ipv6-address": [
		
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		{
			"address": "2a02:redacted:cc::",
			"mask": 64,
			"local-address": {
				"address": "2a02:redacted:cc::1",
				"mask": 64
			}
		},
		{
			"address": "fdf3:e716:6c30:cc::",
			"mask": 64,
			"local-address": {
				"address": "fdf3:e716:6c30:cc::1",
				"mask": 64
			}
		}
	],
	"route": [
		
	],
	"dns-server": [
		
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		
	}
}

Please post your firewall configuration. I suspect input from the guest zone might be dropped/rejected.


Thanks. Here it is:

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '52000'
	option name 'Allow-Wireguard-Inbound'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option name 'Allow-Plex-Inbound'
	option proto 'tcp'
	option dest_port '2096'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'guest_dhcp'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'guest_dns'
	option src 'guest'

config rule
	option src 'guest'
	option name 'Disable Modem Access Guest'
	option dest 'wan'
	option dest_ip '192.168.2.1'
	option target 'DROP'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'family_dhcp'
	option src 'family'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'family_dns'
	option src 'family'

config rule
	option name 'Disable Modem Access Family'
	option src 'family'
	option dest 'wan'
	option dest_ip '192.168.2.1'
	option target 'DROP'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan streaming wgserver'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'modem wan wan6 mullvad'

config include
	option path '/etc/firewall.user'

config defaults
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'

config forwarding
	option dest 'wan'
	option src 'lan'

config redirect 'adblock_dns'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option name 'Adblock DNS'
	option dest_ip '192.168.10.1'

config zone
	option name 'guest'
	option network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option dest 'wan'
	option src 'guest'

config redirect
	option target 'DNAT'
	option src 'guest'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_ip '10.0.0.1'
	option dest_port '53'
	option name 'Adblock DNS Guest'

config zone
	option name 'family'
	option input 'REJECT'
	option forward 'REJECT'
	option network 'family'
	option output 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'family'

config redirect
	option target 'DNAT'
	option src 'family'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option name 'Adblock DNS Family'
	option dest_ip '192.168.30.1'

config rule
	option enabled '1'
	option name 'block-dash'
	option src '*'
	option src_mac 'AC:63:BE:B5:CB:05'
	option dest 'wan'
	option target 'REJECT'

config rule
	option name 'Allow-Guest-NDP-Input'
	option src 'guest'
	option target 'ACCEPT'
	option family 'ipv6'
	list proto 'icmp'
	list icmp_type 'neighbour-advertisement'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-solicitation'

config rule
	option name 'Allow-Family-NDP-Input'
	option src 'family'
	option target 'ACCEPT'
	option family 'ipv6'
	list proto 'icmp'
	list icmp_type 'neighbour-advertisement'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-solicitation'

Oddly, when I connect to my 'streaming' interface (192.168.20.1; which is in the lan firewall zone), I don't get an IPv6 address either. Only the lan interface in the lan firewall zone seems to be dishing-out IPv6 addresses properly...
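
An added example, not part of the thread and not OpenWrt's own code: a small Python audit for the suspicion raised above that input from the guest zone is rejected. It reads a firewall config and reports whether a zone admits DHCPv6 requests (UDP 547, the server port) and router solicitations. The function names are hypothetical, the sample config is constructed in the style of the posted one, and a rule without `proto` is assumed to match TCP and UDP.

```python
import shlex
DHCPV6_SERVER_PORT = 547  # UDP port the DHCPv6 server listens on (clients use 546)
# Constructed sample in the style of the posted guest zone, not the poster's file.
SAMPLE = """config zone
    option name 'guest'
    option input 'REJECT'
config rule
    option src 'guest'
    option proto 'udp'
    option dest_port '67-68'
    option target 'ACCEPT'
config rule
    option src 'guest'
    list proto 'icmp'
    list icmp_type 'router-solicitation'
    option target 'ACCEPT'
"""

def parse_uci(text):
    """Parse UCI text; values become token lists, so 'tcp udp' equals two list lines."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if tok and tok[0] == "config":
            sections.append({"_type": [tok[1]]})
        elif len(tok) >= 3 and tok[0] in ("option", "list") and sections:
            sections[-1].setdefault(tok[1], []).extend(tok[2].split())
    return sections

def port_matches(rule, port):
    """No dest_port means any port; '67-68' is an inclusive range (numeric ports only)."""
    return "dest_port" not in rule or any(
        int(s.split("-")[0]) <= port <= int(s.split("-")[-1]) for s in rule["dest_port"])

def audit_zone(sections, zone):
    """Report whether DHCPv6 and router solicitations from `zone` reach the router."""
    z = next(s for s in sections if s["_type"] == ["zone"] and s.get("name") == [zone])
    if z.get("input") == ["ACCEPT"]:  # zone policy already admits everything
        return {"dhcpv6": True, "router_solicitation": True}
    rules = [r for r in sections if r["_type"] == ["rule"] and "dest" not in r
             and r.get("src") in ([zone], ["*"]) and r.get("target") == ["ACCEPT"]
             and r.get("family") != ["ipv4"] and r.get("enabled") != ["0"]]
    dhcpv6 = any({"udp", "tcpudp", "all"} & set(r.get("proto", ["tcpudp"]))
                 and port_matches(r, DHCPV6_SERVER_PORT) for r in rules)
    rs = any({"icmp", "icmpv6", "all"} & set(r.get("proto", []))
             and "router-solicitation" in r.get("icmp_type", ["router-solicitation"])
             for r in rules)
    return {"dhcpv6": dhcpv6, "router_solicitation": rs}
print(audit_zone(parse_uci(SAMPLE), "guest"))
```

On the constructed sample the router-solicitation rule is found, while no input rule covers UDP 547. To check a real router, pass the text of a copy of /etc/config/firewall to `parse_uci` instead of `SAMPLE`.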

I don't know why I have some rules with
option proto 'tcp udp'
and others with

list proto 'tcp'
list proto 'udp'

but it seems to be irrelevant to your problem.

One notable difference I see in my dhcp config is that I have:

option force '1'
option ra_management '1'

in lan and guest

Excerpt from /etc/config/dhcp for those two zones:

config dhcp 'lan'
        option interface 'lan'
        option limit '100'
        option leasetime '24h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option force '1'
        option start '11'

config dhcp 'guest'
        option interface 'guest'
        option limit '100'
        option leasetime '30m'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option force '1'
        option start '11'

thank you! I'll add the additional options and see if it kicks it all into life... will report back.


This is extremely bad advice; never advise someone to turn off IPv6, everything is moving to IPv6. I love IPv6 and refuse to buy anything now that does not support it.


no luck; same symptoms: lan interface in the lan firewall zone; all good - IPv6 browsing works fine. Every other interface (in the lan zone; or otherwise): no DHCPv6 assignment.

Since your setup does not look so bad you might want to dig a bit deeper? You could try checking if the expected messages do exist in your network or even if any IPv6 traffic does exist. If ip link does show your guest interface as br-guest as it does for me then you could use:

tcpdump -n -i br-guest ip6

and look out for something like the router advertisement your router should periodically send (about every 10 minutes for me):

08:39:41.960958 IP6 fe80::wwww:xxxx:yyyy:zzzz > ff02::1: ICMP6, router advertisement, length 176

Just to be clear: we are talking about your guest devices having link-local addresses (fe80:...) but no local addresses (fdxx:...) or global addresses (2003:... or other)?

edit:
if you give it a try then also do the same on your lan interface for comparison.


thanks, @Nocte: that's really helpful advice. I'll do some more investigation over the next few days and see what can be uncovered.

They're not getting anything: just IPv4.

If there are no link local addresses it means that IPv6 is not enabled.

Does that mean there's some error in my configs somewhere? IPv6 is enabled on my connection by my ISP (with /48 prefix delegation), and I get link local, local and global addresses on my lan interface. But definitely just IPv4 on the other interfaces.

I'll do some more digging as suggested by @Nocte before taking-up any more of your time. Given what you've said, though, it's probably something silly my side which is affecting those interfaces.

How are your devices connected to your OpenWRT router? Directly? Through a switch? If it's the latter is the switch managed or unmanaged?

I've noticed you're using vlan tagging for 'streaming', 'guest', and 'family', but are using the same interface untagged for 'lan'. It's not ideal to have both tagged and untagged traffic on the same interface.

You may want to read up on IPv6 SLAAC. A link-local address always needs to exist. That should not even be an issue with your DHCP or firewall config. Check with

ip -6 addr show br-guest

(should always list at least one ipv6 address)

Furthermore you can double check if your dhcp server is running:

ps w | grep dhcp
 1407 root      1516 S    /usr/sbin/odhcpd
24664 root      1212 S    grep dhcp