How to get IPv6 working behind Dual Stack configured ISP Modem-Router

Hey guys,
I am running OpenWRT master on my Netgear R7800 router behind my ISP's Vodafone Station (NOT Unitymedia ConnectBox) Modem-Router.

Since I live in the old Unitymedia region I cannot configure the Modem-Router in Modem mode (Bridge mode). But my ISP thankfully enabled Dual Stack (not DS-lite) for me. However I cannot get IPv6 working for clients connected to my router. The router itself and clients directly connected to the Modem-Router are working fine on IPv4 and IPv6.

Thus I am pretty sure I configured my router to not properly announce an IPv6 route and distribute IPv6 addresses.

I obfuscated my IP and MAC addresses but to keep some relations I used the constant variables X1-X8 for 4byte IP chunks and M1-M6 for 2byte MAC chunks.

Modem-Router config:

### Internet
IPv4-Adresse: <HIDDEN>
Primäre DNS IPv4 Adresse: 80.69.96.12
IPv6 Adresse: 2a02:908:X1:X2:X3:X4:X5:X6
IPv6 Präfix Delegation: 2a02:908:X7:X8::/59
Primäre DNS IPv6 Adresse: 2a02:908:2:a::1,2a02:908:2:b::1

### LAN Netzwerk
IPv4 Netzwerk: 192.168.0.0/24
Default Gateway: 192.168.0.1
IPv6 Netzwerk: 2a02:908:X7:X8::/64
MAC-Adresse: d4:3f:cb:M1:M2:M3

From Wireshark I figured out that clients directly connected to the Modem Router receive the following Router Advertisement

from fe80::d63f:cbff:feM1:M2M3 
Recursive DNS Servers 2a02:908:X7:X8:d63f:cbff:feM1:M2M3
Prefix 2a02:908:X7:X8::/64
Autonomous address-configuration Flag(A)
Route Information: Medium ::0/0

UPDATE
I found some more info about my Modem-Router under Status > LAN Status:

IPv6 LAN Anschlussdetails

Schnittstelle IPv6 Global Addr IPv6 Link Local Addr
brlan0 2a02:908:X7:X8:d63f:cbff:feM1:M2M3/59 fe80::d63f:cbff:feM1:M2M3/59

and after a click on the i icon:

IPv6 LAN Anschlussdetails
IPv6 DHCP Addr Pool: 2a02:908:X7:X8::/59
IPv6 Standard-Gateway: fe80::201:5cff:feM4:M5M6/59
IPv6 DNS Server: 2a02:908:2:a::1/59

UPDATE END

If I set the WAN6 Interface on my router to DHCPv6 I get
IPv6: 2a02:908:X7:X8::7221/128

The router can ping -6 openwrt.org now successfully.

I also tried this WAN6 configuration:

ip6addr= 2a02:908:X7:X8::7221/64
ip6gw= fe80::d63f:cbff:feM1:M2M3
ip6prefix= 2a02:908:X7:X8::/64

which should be pretty much a static copy of the DHCPv6 config and again the router can ping -6 openwrt.org now successfully.

BUT I tried a number of IPv6 configurations (including static routes and Always announce default router - Announce as default router even if no public prefix is available.) on the LAN interface but never got IPv6 on clients connected to the router working.

How do I have to configure my WAN6 interface and LAN interface to get IPv6 working for clients connecting to my router?

A /59 prefix is enough for up to 32 LANs. But in order for your OpenWrt router to receive a prefix delegation from that prefix it requires that the ISP Modem-Router has a DHCPv6 server which supports DHCPv6-PD. (If it doesn't then you can try IPv6 relay as a work-around.)

I am pretty sure it does not support DHCPv6-PD..
Can you specify the IPv6 relay as a work-around a little more?

for LAN interface I have:

network.lan.ip6assign=64
dhcp.lan.ra=relay
dhcp.lan.dhcpv6=relay
network.globals.ula_prefix=fd17:70fb:0561::/48

which yields

IPv6: 2a02:908:X7:X8::1/64
IPv6: fd17:70fb:56f::1/64

but IPv6 for clients is still not working.

Also please note that clients get a public / global IP address within my delegated Prefix and some IPv6 routes.

One can see that the Modem-Router opens up a /64 network for clients. My Router connects to the Modem-Router as a client.

I think Unitymedia is the same as Ziggo here in The Netherlands. You'll have to use your Connectbox in order for DS to work.

In my setup, I want OpenWRT to be the default only primary router - but that isn't possible, as you will lose IPv6 connectivity when placing the Connectbox in bridge mode (can be requested via customer support so that the Connectbox functions as modem only). But you can work around this problem.

On your Connectbox, you should disable the firewall and Wi-Fi, assign a reserved local IPv4 address to your R7800 and place the R7800 in your DMZ. Please note that the local IPv4 address needs to be in the DHCP range of your Connectbox, otherwise the DMZ page won't accept the IP address.

So now the Connectbox only serves to OpenWRT as a client. OpenWRT WAN is not limited by the Connectbox: all incoming IPv4 and IPv6 traffic will be routed through your R7800. In case of IPv4 port forwarding, you'll only have to make the forwards in OpenWRT because it's placed in the DMZ. You'll never have to log in to your Connectbox again after this. Your R7800 now functions as primary router and the Connectbox is just a dumb hop that just adds a millisecond of latency.

On OpenWRT, start with the default configuration just to be sure. The default configuration is almost perfect. In your LAN (not WAN6) interface settings, go to general settings. Set IPv6 assignment length to /64. This will take a /64 prefix out of the delegated /59 prefix for use as local IPv6 subnet on your R7800. Additionally, you can set an IPv6 assignment hint and IPv6 suffix (e.g. an assignment hint of 0 takes a /64 prefix ending on 0 out of the /59 prefix, a suffix of ::1 will give your OpenWRT router an IPv6 address with the suffix ::1 out of the assigned /64 prefix).

Now navigate to the DHCP server tab and click on IPv6 settings. Router Advertisement-Service and DHCPv6-Service should be on server mode, NDP proxy should be disabled. For me personally, I have the DHCPv6-Service also disabled. Please note that IPv6 devices can be assigned multiple IPv6 addresses, either via stateless auto configuration and / or DHCPv6. Stateless auto configuration is all that you need in home situations (via Router Advertisement-Service). Android doesn't even do DHCPv6 + DNS via DHCPv6, only stateless auto configuration + DNS via Router Advertisements. All modern clients support stateless auto configuration (Windows 10 since the Anniversary Update back in 2016). Also set the Announced DNS server, which should be the IPv6 address of your router or another DNS device in your local network. Please note that most Android devices don't accept ULA addresses (local), only GUA addresses (public IPv6 addresses, starting with 2a02 in your case).

Some additional notes:

  • I have a script that changes the Announced DNS server address when the delegated prefix changes. I assume your public IPv6 and IPv4 addresses are dynamic. However, for Ziggo the IPv6 lease time is way shorter than the IPv4 lease time. I need to shut down my Connectbox for days in order for the public IPv4 address to change. The IPv6 prefix can change after a power outage or reboot. I guess it's the same for Unitymedia. This wouldn't be necessary if you use a local ULA address for the DNS server, but yeah Android. Alternatively, you can use a fake IPv6 GUA address for your DNS service.
  • OpenWrt 19.07.2 has a bug in the odhcpd package, in which the routing table gets messed up and the clients lose IPv6 connectivity after a while. Update the odhcpd package or upgrade to 19.07.3.
  • With Router Advertisement-Service and DHCPv6-Service enabled, your clients get 3 IPv6 addresses assigned (ULA, DHCPv6 and RA) plus a link local IPv6 address.
  • With Router Advertisement-Service and DHCPv6-Service disabled, your clients get 2 IPv6 addresses assigned (ULA and RA) plus a link local IPv6 address.
  • If privacy extensions are enabled on the client, you get a few additional temporary preferred addresses for RA, DHCPv6 and ULA (if enabled). This can stack up; they are only used temporarily (24 hours) and Windows keeps them in memory (but will truncate them after a period).
  • With IPv6, all devices get a global (GUA) address. This doesn't mean they are reachable via the public internet. This is blocked by the OpenWRT firewall by default. In contrast to IPv4 NAT, you'll have to fiddle with the OpenWRT firewall to make them accessible from the public internet.
  • Disabling the firewall on your Connectbox doesn't make your admin page on your Connectbox reachable to the internet. At least, I used some browser screenshot sites to verify that. Mind to verify mine? I don't have other external IPv6 ready connections to test unfortunately.
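The LAN settings described in the post above, as an added example that is not part of the original thread: a shell function that checks the assignment hint against the size of the delegated prefix and prints the matching `uci batch` lines. The /59 length comes from the thread; the function names are hypothetical, `2001:db8:aa:20::1` is a constructed documentation address, and it assumes WAN6 actually receives the prefix via DHCPv6-PD.

```shell
#!/bin/sh
# Added example: nothing is applied here. On the router, pipe the output into
# `uci batch`, then run `uci commit` and restart network and odhcpd.

# Number of subnets of length $2 that fit into a delegated prefix of length $1.
subnet_count() {
    [ "$1" -le "$2" ] && [ "$2" -le 64 ] || return 1
    echo $(( 1 << ($2 - $1) ))
}

# lan_ipv6_batch PD_LEN ASSIGN_LEN HINT_HEX IFACEID DNS_ADDR
lan_ipv6_batch() {
    pd_len=$1; assign_len=$2; hint=$3; ifaceid=$4; dns=$5
    count=$(subnet_count "$pd_len" "$assign_len") || {
        echo "a /$assign_len does not fit into a /$pd_len" >&2; return 1; }
    # ip6hint is a hexadecimal subprefix ID and must index one of the subnets.
    case $hint in
        ''|*[!0-9a-fA-F]*) echo "hint must be hexadecimal" >&2; return 1 ;;
    esac
    [ $((0x$hint)) -lt "$count" ] || {
        echo "hint $hint is outside 0..$(printf '%x' $((count - 1)))" >&2
        return 1; }
    cat <<EOF
set network.lan.ip6assign='$assign_len'
set network.lan.ip6hint='$hint'
set network.lan.ip6ifaceid='$ifaceid'
set dhcp.lan.ra='server'
set dhcp.lan.dhcpv6='server'
set dhcp.lan.ndp='disabled'
add_list dhcp.lan.dns='$dns'
EOF
}

# Constructed sample: a /59 delegation, first /64 (hint 0), router suffix ::1,
# and the router's own GUA announced as DNS server.
lan_ipv6_batch 59 64 0 ::1 2001:db8:aa:20::1
```

`add_list` appends, so remove an old announced DNS entry before re-running the output after a prefix change.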

Thanks a lot for your comments!!
Later I will take some time to read, understand and test, but for now I have to say:

  • I do not have a Unitymedia ConnectBox but a Vodafone Station. It was false in the 1st post which is why I updated it now. I apologize.

  • I can disable the Firewall in the Vodafone Station as well BUT it will automatically reenable itself after 24h due to security measures. :cry: :face_with_symbols_over_mouth:

  • Bridge Mode is currently not available with a Vodafone Station within the former Unitymedia Region. I don't know if Bridge Mode and Dual Stack will be offered in the future which is why I would prefer your solution with Dual Stack enabled and the Modem-Router as dumb hop in between.

Ouch - I understand why Vodafone does this but that's so annoying. Assuming their customers are dumb. Disabling the firewall and using DMZ are only to prevent a double configuration concerning inbound traffic (if you have services running that need to be accessible from the outside).

Well just try it anyways. The OpenWRT configuration part still applies. Your R7800 gets a delegated prefix assigned and that's the most important thing. Disable the firewall on your Vodafone Station and when everything is working, maybe you can allow traffic for the whole delegated prefix instead of completely disabling it. The downside is that this can cause troubles if you have a dynamic IPv6 prefix that changes on a reboot / power failure. Alternatively, you can set up a cron job on OpenWRT that simulates a login and disabling the firewall every 24 hours using CURL (if you have the scripting knowledge).

About bridge-mode, well if you had a ConnectBox it wouldn't matter anyway, as you will lose IPv6 in bridge mode. We don't want that.