How to delegate an IPv6 prefix to a remote location?

Hello. I have OpenWrt routers at 2 locations. One has a delegated /56 prefix from the ISP, the other one does not have IPv6 support. Both are connected with a ZeroTier network.

How can I delegate a prefix to the remote router?

Unless the remote router uses the same gateway from which the prefix was delegated, it won't do you any good, as there won't be a route to the remote router for your sub-delegation. The ISP's routing table contains an entry which indicates that all traffic on the delegated subnet is to go to the router that accepted the prefix.

Are you ok with all the IPv6 traffic from the remote to come back to your local router, and then get shuttled out its WAN connection? I think that's the only way you can make this work.

Sure. I'm ok with that. I just can't come up with a proper working configuration.

I have not tested it but as an idea...
If you have a pure layer 2 connection between both routers, like with a GRE tunnel, you could configure router 1 to assign e.g. a /60 and configure router 2 to request an address and a prefix. A default OpenWrt install/config should be capable of achieving that. But this only works properly if router 2 has no native IPv6 on its WAN; otherwise you have to carefully craft your routing table and policies...
Edit: ensure you have configured the MTU properly and accordingly.

This can be done without a tunnel inside a tunnel. In particular, DHCPv6 works via plain WireGuard tunnels since it is not a layer 2 process like DHCPv4.

  • The WireGuard connection must be point to point: each site's WireGuard interface has exactly one peer, which is the other site. This allows using ::/0 as allowed_ips on both sides instead of the complication of dynamically assigning more specific allowed_ips. Do not set route_allowed_ips on either end though, as routing will be controlled outside of WireGuard.
  • Make sure both WireGuard interfaces have a link-local IP that is unique on the link. These can be fe80::1/64 and fe80::2/64 since there are only two points on this point to point link.
  • On the "server" router that is connected to the ISP having a prefix, add 'ip6assign 60' to the WireGuard interface to assign a part of the /56 to WireGuard, the same as another LAN.
  • Configure a DHCPv6 server on the server's WireGuard interface.
  • On the client, set up an alias interface to be the DHCPv6 client. This interface can replace and act as the default wan6 if the client machine has no IPv6 from its ISP.
config interface 'wan6'
    option device '@wg0'
    option proto 'dhcpv6'
  • Change ip6assign on the remote client's LAN to 64 since a /60 received from the server is not enough to fulfill the /60 that LAN requests by default.

The DHCP process should get the prefix over the tunnel and install it as a default route, so that all v6 access from the remote site is routed over the VPN back to the server and uses the server's ISP.

4 Likes
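
The steps in the post above, collected into UCI sections for both routers, as an added example that is not part of the original post. Keys and the endpoint are placeholders, the listen port, keepalive and RA settings are assumed values, and the interface name wg0 is taken from the post's wan6 snippet.

```uci
# Added example, not from the original post. <...> values are placeholders;
# listen port, keepalive and RA settings are assumed values.

# ---- server router (holds the ISP /56): /etc/config/network ----
config interface 'wg0'
    option proto 'wireguard'
    option private_key '<SERVER_PRIVATE_KEY>'
    option listen_port '51820'
    # link-local address, unique on the point-to-point link
    list addresses 'fe80::1/64'
    # assign a /60 out of the delegated /56 to the tunnel, like another LAN
    option ip6assign '60'

config wireguard_wg0
    option public_key '<CLIENT_PUBLIC_KEY>'
    list allowed_ips '::/0'
    # routing is controlled outside WireGuard
    option route_allowed_ips '0'

# ---- server router: /etc/config/dhcp ----
config dhcp 'wg0'
    option interface 'wg0'
    option dhcpv6 'server'
    # assumption: RA served too, with the flag named in the thread's last reply
    option ra 'server'
    list ra_flags 'other-config'

# ---- client router (no native IPv6): /etc/config/network ----
config interface 'wg0'
    option proto 'wireguard'
    option private_key '<CLIENT_PRIVATE_KEY>'
    list addresses 'fe80::2/64'

config wireguard_wg0
    option public_key '<SERVER_PUBLIC_KEY>'
    option endpoint_host '<SERVER_ENDPOINT>'
    option endpoint_port '51820'
    option persistent_keepalive '25'
    list allowed_ips '::/0'
    option route_allowed_ips '0'

# alias on the tunnel acting as the DHCPv6 client (replaces the default wan6)
config interface 'wan6'
    option device '@wg0'
    option proto 'dhcpv6'

# in the existing 'lan' section change only this option
config interface 'lan'
    option ip6assign '64'
```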

@mk24 Thank you so much for very detailed instructions. I followed them, the "client" router is actually getting an IPv6 address now and ping6 google.com works from the router, which is pretty cool.

However, the ipv6-prefix is empty in the output of the ifstatus wan6 command, no prefix is delegated to the lan interface and the system log shows this:

daemon.warn odhcp6c[16559]: Server returned IA_PD status 'Not On Link '

I thought this worked, last time I tried it.
In the DHCP6 server, be sure that "ra_flags other_config" is set so a prefix will be requested. Check that the server wg interface has a prefix.