Hello,
I have a OpenWRT Router and I want to delegate a prefix at LAN to a second OpenWRT Router to seperate networks. But I don't understand why it does not work.
Main Router. Version OpenWrt SNAPSHOT r17096-b0483b19f9
But on the OpenWRT router Connected to LAN no IPv6-PD gets used.
Version of the downstream Openwrt OpenWrt 21.02.0-rc3 r16172-2aba3e9784
nobody a idea how to do this?
uci show network; uci show dhcp; uci show firewall; ifstatus wan6
I am not really gifted with IPv6
your screenshots show /64 on the existing WAN interface and /60 on the planned LAN prefix.
As far as I know this will not work.
From my understanding
1.You need <64 on WAN, to be able to delegate a subset to a LAN port at all. 64 cannot be split further, its the smallest prefix net possible, so you cannot delegate, if the router only got 64 on the WAN side
2.The received prefix on WAN side must be a smaller number than the offered prefix on LAN side.
eg Wan 60 and Lan 62 might work.
Hello,
thanks for the response
What does the main router say about IPv6 WAN ?
How large prefix do you get from your ISP?
/48, /56, /60 or /64 ?
The allocation to downstream need to be smaller space (=larger prefix bnumber) than what you originally get from your ISP. If you receive a /64, you can't divide it. E.g. If you receive /60, you should maybe go with /62, etc.
Hmm. You just posted details.
Seems like complicated setup. /56, plus several assigned /62 prefixes ????
Some virtual machine / container setup?
That wan interface is from the downstream OpenWRT which should receive a planned /62 but since I had to switch to /62 on the LAN I request a /64 on the downstream OpenWRT now but that doesn't work either.
I get a /56 from my ISP
It looks fine on the upstream router, what about the downstream one?
Also you need to perform some modifications for other downstream networks:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/extras#ipv6
I have 2 upstreams that are managed via mwan3. I have multiple vlans to which I delegate /62 so I should potentially be able to delegate from that /62 a /64, but that doesn't work and I don't understand why. I wasn't able to find really usefull stuff that would explain to me how to debug this so I ask here.
that doesn't apply here I think because I request from the LAN interface which has access to everything and no firewall restrictions
wow thanks. But that is a big problem. I need this short dhcp leasetime because I get every 24h a new prefix on one of my upstreams and the old one does not get invalidated or so. I'm not really sure what happens I just know that IPv6 is broken then for a long time until clients ask the DHCPv6 server again.
That was fixed in master 8 days ago,
and 7 days ago in 21.02:
https://git.openwrt.org/?p=openwrt/openwrt.git;a=commitdiff;h=4633471d74589c761a3849bd63935b42ac3cea73
rc3 is too old. It does not contain that fix.
You need to use a self-compiled 21.02 version, or a recent 21.02 snapshot from buildbot.
https://downloads.openwrt.org/releases/21.02-SNAPSHOT/targets/
EDIT:
Or you opkg upgrade the odhcpd application. (you likely have the default -ipv6only variant installed)
opkg update
opkg upgrade odhcpd-ipv6only
on your downstream router, there is the “Request IPv6 prefix length“ setting on the WAN interface on the “General Settings“ tab.
its the
network.wan6.reqprefix='auto'
in your text listing. “auto“ is default
Maybe try a number value instead of “auto“. I remember having some delegation attempts ages ago from SIP router to OpenWRT router and it did not work for me with “auto“.
I had to update up and downstream OpenWRT to get a prefix delegated and now I'm even more confused.
I got one of the two Prefixes delegated downstream in luci but from the log I would say 2.
But no IPv6 appear on the LAN Interface and I don't why.
Output of downstream OpenWRT
root@OpenWrt:~# uci show network; uci show dhcp; uci show firewall; ifstatus wan
6
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='eth0'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='64'
network.lan.ipaddr='10.133.37.1'
network.wan=interface
network.wan.device='eth1'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.device='eth1'
network.wan6.proto='dhcpv6'
network.wan6.reqaddress='try'
network.wan6.delegate='0'
network.wan6.reqprefix='63'
network.@device[1]=device
network.@device[1].type='8021q'
network.@device[1].ifname='eth1'
network.@device[1].vid='7'
network.@device[1].name='eth1.7'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].ednspacket_max='1232'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.dhcpv4='server'
dhcp.lan.ra='server'
dhcp.lan.ra_flags='managed-config' 'other-config'
dhcp.lan.dhcpv6='server'
dhcp.lan.leasetime='10m'
dhcp.lan.dhcp_option='6,10.133.37.1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Support-UDP-Traceroute'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='33434:33689'
firewall.@rule[9].proto='udp'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].enabled='false'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
{
"up": true,
"pending": false,
"available": true,
"autostart": true,
"dynamic": false,
"uptime": 388,
"l3_device": "eth1",
"proto": "dhcpv6",
"device": "eth1",
"metric": 0,
"dns_metric": 0,
"delegation": false,
"ipv4-address": [
],
"ipv6-address": [
{
"address": "Prefix2:f90c::9f6",
"mask": 128,
"preferred": 581,
"valid": 581
},
{
"address": "Prefix1:5b08::9f6",
"mask": 128,
"preferred": 581,
"valid": 581
},
{
"address": "Prefix2:f90c:20c:29ff:fe66:2963",
"mask": 64,
"preferred": 594545,
"valid": 1199345
},
{
"address": "Prefix1:5b08:20c:29ff:fe66:2963",
"mask": 64,
"preferred": 171544,
"valid": 257944
}
],
"ipv6-prefix": [
{
"address": "Prefix1:5b0a::",
"mask": 63,
"preferred": 581,
"valid": 581,
"class": "wan6",
"assigned": {
}
},
{
"address": "Prefix2:f90e::",
"mask": 63,
"preferred": 581,
"valid": 581,
"class": "wan6",
"assigned": {
}
}
],
"ipv6-prefix-assignment": [
],
"route": [
{
"target": "Prefix1:5b08::",
"mask": 64,
"nexthop": "::",
"metric": 256,
"valid": 257944,
"source": "::/0"
},
{
"target": "Prefix2:f90c::",
"mask": 64,
"nexthop": "::",
"metric": 256,
"valid": 1199345,
"source": "::/0"
},
{
"target": "Prefix1:5b00::",
"mask": 56,
"nexthop": "fe80::f415:7aff:fe44:e7ef",
"metric": 512,
"valid": 1782,
"source": "Prefix1:5b0a::/63"
},
{
"target": "Prefix2:f900::",
"mask": 56,
"nexthop": "fe80::f415:7aff:fe44:e7ef",
"metric": 512,
"valid": 1782,
"source": "Prefix2:5b0a::/63"
},
{
"target": "Prefix1:5b00::",
"mask": 56,
"nexthop": "fe80::f415:7aff:fe44:e7ef",
"metric": 512,
"valid": 1782,
"source": "Prefix1:f90e::/63"
},
{
"target": "Prefix2:f900::",
"mask": 56,
"nexthop": "fe80::f415:7aff:fe44:e7ef",
"metric": 512,
"valid": 1782,
"source": "Prefix2:f90e::/63"
},
{
"target": "Prefix1:5b00::",
"mask": 56,
"nexthop": "fe80::f415:7aff:fe44:e7ef",
"metric": 512,
"valid": 1782,
"source": "Prefix1:5b08:20c:29ff:fe66:2963/64"
},
{
"target": "Prefix2:f900::",
"mask": 56,
"nexthop": "fe80::f415:7aff:fe44:e7ef",
"metric": 512,
"valid": 1782,
"source": "Prefix2:5b08:20c:29ff:fe66:2963/64"
},
{
"target": "Prefix1:5b00::",
"mask": 56,
"nexthop": "fe80::f415:7aff:fe44:e7ef",
"metric": 512,
"valid": 1782,
"source": "Prefix2:f90c:20c:29ff:fe66:2963/64"
},
{
"target": "Prefix2:f900::",
"mask": 56,
"nexthop": "fe80::f415:7aff:fe44:e7ef",
"metric": 512,
"valid": 1782,
"source": "Prefix2:f90c:20c:29ff:fe66:2963/64"
},
{
"target": "Prefix1:5b00::",
"mask": 56,
"nexthop": "fe80::f415:7aff:fe44:e7ef",
"metric": 512,
"valid": 1782,
"source": "Prefix1:5b08::9f6/128"
},
{
"target": "Prefix2:f900::",
"mask": 56,
"nexthop": "fe80::f415:7aff:fe44:e7ef",
"metric": 512,
"valid": 1782,
"source": "Prefix1:5b08::9f6/128"
},
{
"target": "Prefix1:5b00::",
"mask": 56,
"nexthop": "fe80::f415:7aff:fe44:e7ef",
"metric": 512,
"valid": 1782,
"source": "Prefix2:f90c::9f6/128"
},
{
"target": "Prefix2:f900::",
"mask": 56,
"nexthop": "fe80::f415:7aff:fe44:e7ef",
"metric": 512,
"valid": 1782,
"source": "Prefix2:f90c::9f6/128"
},
{
"target": "::",
"mask": 0,
"nexthop": "fe80::f415:7aff:fe44:e7ef",
"metric": 512,
"valid": 1782,
"source": "Prefix1:5b0a::/63"
},
{
"target": "::",
"mask": 0,
"nexthop": "fe80::f415:7aff:fe44:e7ef",
"metric": 512,
"valid": 1782,
"source": "Prefix2:f90e::/63"
},
{
"target": "::",
"mask": 0,
"nexthop": "fe80::f415:7aff:fe44:e7ef",
"metric": 512,
"valid": 1782,
"source": "Prefix1:5b08:20c:29ff:fe66:2963/64"
},
{
"target": "::",
"mask": 0,
"nexthop": "fe80::f415:7aff:fe44:e7ef",
"metric": 512,
"valid": 1782,
"source": "Prefix2:f90c:20c:29ff:fe66:2963/64"
},
{
"target": "::",
"mask": 0,
"nexthop": "fe80::f415:7aff:fe44:e7ef",
"metric": 512,
"valid": 1782,
"source": "Prefix1:5b08::9f6/128"
},
{
"target": "::",
"mask": 0,
"nexthop": "fe80::f415:7aff:fe44:e7ef",
"metric": 512,
"valid": 1782,
"source": "Prefix2:f90c::9f6/128"
}
],
"dns-server": [
"fe80::e8be:28ff:fe1b:2f42"
],
"dns-search": [
],
"neighbors": [
],
"inactive": {
"ipv4-address": [
],
"ipv6-address": [
],
"route": [
],
"dns-server": [
],
"dns-search": [
],
"neighbors": [
]
},
"data": {
"passthru": "00170010fe80000000000000e8be28fffe1b2f42"
}
}
You might widen the prefix assingments a bit.
Not sure, but /63 might be too small in reality for proper functionality.
I think that LuCI only shows one PD for an interface:
I have now a /60 on upstream LAN and get a /61 delegated downstream, still no IPv6 on the downstream LAN Interface 
Have you restarted the downstream router after the changes?
What is the downstream settings/status output now? (with the new settings)
Have you increased the LAN ip6assign from /64?
Have you tried with a normal lifetime? (instead of the 10m)
If the lease lifetime is the problem, you might need help from @dedeckeh who fixed the short lifetime problem.
ok forget it. I was stupid I seem to have unchecked Delegate IPv6 prefixes on the wan6 interface while testing.
Thanks everbody for the help this works now
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.
