How to get the same ::/64 subnet in two interfaces?

ISP hands out only a /64 (I have tried requesting /56 and /60 through wan)

IPv6-PD: 2...::/64

2 interfaces, only one of them works fine, which is LAN
I want the "guest" network to also be part of this IPv6 subnet, even though they are in different IPv4 subnets, their firewall zones are different

I have tried making wan6 the "master" interface for handing out prefix delegates and the other relaying it, to no avail. All I got was breaking the already working v6 in lan, and guest never gets the same subnet

dhcp

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ra_default '1'
        
config dhcp 'iguest'
        option interface 'iguest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ra 'hybrid'
        option dhcpv6 'hybrid'
        option ndp 'hybrid'

network


config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option dns_metric '0'
        list ip6class 'wan_6'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'force'
        option reqprefix '60'
        option peerdns '0'
        option sourcefilter '0'
        option norelease '1'
        option ip6assign '64'

config interface 'iguest'
        option proto 'static'
        option device 'br-guest'
        list ipaddr '192.168.2.1/24'
        list dns '192.168.1.1'

firewall

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        
config rule
        option name 'allow icmpv6 forward guest'
        list proto 'icmp'
        option src 'guestzone'
        option dest '*'
        option target 'ACCEPT'

config rule
        option name 'allow icmpv6 input guest'
        list proto 'icmp'
        option src 'guestzone'
        option target 'ACCEPT'
        option limit '1000/sec'

config rule
        option name 'allow-guest-basics'
        option src 'guestzone'
        option dest_port '53 67-68 546-547 853'
        option target 'ACCEPT'

I also tried this (Relay a single IPv6 /64 prefix into several VLANs - #10 by alexq), but it didn't work here.
What can be done? Thanks in advance

You forgot to share your wan6 DHCP config...

this does not seem to be in accordance with the official IPv6 relay configuration, see https://openwrt.org/docs/guide-user/network/ipv6/configuration#ipv6_relay

Regarding lan IPv6 - it's clear: your lan gets an IPv6 address from the only available IPv6-PD /64.
But @wirelesscapybara, could you please clarify:

  • do you want to configure an IPv6 relay from wan6 to the iguest network? (So, basically, you want to assign an IPv6 address to your iguest network?)
  • or do you want to configure an IPv6 relay from your lan network to the iguest network? (I'm not sure if that's possible, perhaps someone can advise here).

You might also try to check whether your ISP allows you to request several IPv6-PD /64 blocks (AT&T method). See IPv6-PD /60 for downstream OpenWrt router after Orange Slovensko fiber - #8 by alexq

wan_6 dhcp is currently unset after resetting to the last working state; I tried setting it as master dhcp in relay; lan in server mode; and finally guest in relay mode. That didn't really work

Answering your question, I just want devices that are connected to the guest network to get public IPv6 addresses in the same (and only) subnet available, the /64 from the ISP. I don't know if that means adding a distinct /128 for the interface itself

Meanwhile I'm trying out the AT&T macvlan tweak to see if I can get more prefixes

Ok, so you have the following on your WAN6 from the ISP:

  1. IPv6-PD /64 block that you've assigned/used for the lan network.
  2. IPv6 /64 address assigned to your wan6 interface.

Give it another try using this IPv6 relay config https://openwrt.org/docs/guide-user/network/ipv6/configuration#ipv6_relay, and relay your wan6 IPv6 address to your iguest interface.

No, you should only relay the /64. Relaying the /128 will brick SLAAC and Android devices.

Relay mode uses the prefix of the IP that exists on the master interface (wan). It is primarily for LTE service which routes a whole single /64 to the customer and the customer's router will also be inside that /64. If your wan holds a /128 IP it is not going to work. You won't be using the separate /64 that is offered at all.

A lan in relay mode should not hold any GUA itself. Do not set an ip6assign on these lans. The relayed RAs advertise the GUA prefix with the lan's LLA as the gateway. Set both lans as relay. As far as I can tell, the hybrid option merely tries to autoselect server or relay and offers no functionality that isn't available by setting relay or server directly.

1 Like
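The relay rules discussed in this thread (a master section to relay from, no ip6assign on a relayed lan, relay or server set directly instead of hybrid) can be checked mechanically before reloading odhcpd. This is an added example, not code from the thread or from OpenWrt; `parse_uci` and `lint_relay` are hypothetical helpers, and the sample configs are constructed from the ones posted here:

```python
import re

def parse_uci(text):
    """Parse named UCI sections into {(type, name): {option: value}}; anonymous ones are skipped."""
    sections, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("config "):
            m = re.match(r"config\s+(\S+)\s+'([^']+)'", line)
            cur = sections.setdefault((m.group(1), m.group(2)), {}) if m else None
        elif cur is not None:
            m = re.match(r"option\s+(\S+)\s+'([^']*)'", line)
            if m:
                cur[m.group(1)] = m.group(2)
    return sections

def lint_relay(network, dhcp):
    """Flag relay settings that contradict the advice in the post above."""
    net = parse_uci(network)
    pools = {n: o for (t, n), o in parse_uci(dhcp).items() if t == "dhcp"}
    modes = {n: {o.get(k) for k in ("ra", "dhcpv6", "ndp")} for n, o in pools.items()}
    masters = [n for n, o in pools.items() if o.get("master") == "1"]
    relays = [n for n in pools if "relay" in modes[n] and n not in masters]
    findings = []
    if relays and not masters:
        findings.append("relay interfaces present but no section has master '1'")
    for n in relays:
        # Fall back to the section name when 'option interface' is absent (assumption).
        iface = net.get(("interface", pools[n].get("interface", n)), {})
        if "ip6assign" in iface:
            findings.append(f"{n}: relay mode but ip6assign '{iface['ip6assign']}' is set")
    for n in pools:
        if "hybrid" in modes[n]:
            findings.append(f"{n}: hybrid mode, set 'relay' or 'server' explicitly")
    return findings

# Constructed sample, trimmed from the configs posted in this thread.
NETWORK = """
config interface 'lan'
        option ip6assign '64'
config interface 'iguest'
"""
DHCP = """
config dhcp 'wan6'
        option interface 'wan6'
        option master '1'
        option ra 'relay'
config dhcp 'lan'
        option interface 'lan'
        option ra 'relay'
config dhcp 'iguest'
        option interface 'iguest'
        option ra 'hybrid'
"""
print("\n".join(lint_relay(NETWORK, DHCP)))
```

The check is static: it cannot tell whether the master interface actually holds a /64 rather than a /128, which still has to be confirmed on the router.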

this is what I have now


config interface 'wan'
        option device 'wan'
        option proto 'pppoe'
        option username ''
        option password ''
        option ipv6 'auto'
        option peerdns '0'
        list dns '45.90.28.39'
        option dns_metric '0'
        option delegate '0'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        option sourcefilter '0'
        option norelease '1'
        list dns '2a07:a8c0::9c:99bc'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option dns_metric '0'
        list ip6class 'wan_6'
        list dns '45.90.28.39'
        list dns '2a07:a8c0::9c:99bc'

config interface 'iguest'
        option proto 'static'
        option device 'br-guest'
        list ipaddr '192.168.2.1/24'
        list dns '192.168.1.1'

dhcp

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'relay'
        option ra 'relay'
        option ndp 'relay'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'wan6'
        option interface 'wan6'
        option master '1'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'iguest'
        option interface 'iguest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'

although lan still gets the IPV6-PD, ipv6 connectivity is broken now; guest interface still doesn't get PD nor connectivity

Could you please confirm what exactly you have right now on your wan6 interface?

  • IPv6-PD /64 and IPv6 /64 ?
  • or IPv6-PD /64 and IPv6 /128 ?

Because as mentioned above, the /128 IPv6 cannot be relayed

Sure

wan6 itself doesn't have anything; wan_6 the virtual interface has both PD and /128

In the image, I can see the following on the wan_6:

  1. IPv6-PD 28....::/64 (it's used for lan)
  2. IPv6 28...:x/64 (that's /64 and ok, I do not see /128).

So, could you please try adjusting your config and attempt to relay this 28...:x/64 not from wan6 but from wan_6 to iguest:

config dhcp 'wan_6'
        option interface 'wan_6'
        option master '1'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'

I think wan_6 is a virtual interface spawned for ppp protocols, it can't be edited. I tried it anyway; no changes. wan6 (without the underscore) has this config

config dhcp 'wan6'
        option interface 'wan6'
        option master '1'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'
        option ignore '1'

Temporarily disabling and stopping the firewall just to check it's not messing something up also produced no results

there are the interfaces config; both their dhcp options are the same yet only lan receives an address

Since your ISP hands out only a /64, you will only be able to use it on a single subnet, unfortunately. Reach out to your ISP and ask them to delegate a /56 as per the RIR recommendations. /64 is the minimum required for SLAAC. Best Current Operational Practice for Operators: IPv6 prefix assignment for end-users - persistent vs non-persistent, and what size to choose — RIPE Network Coordination Centre

1 Like

If you live near Chicago, you can try using this service to obtain a proper static public IPv4 address and a /56 of IPv6 via a WireGuard VPN:

If you are elsewhere, then there will be latency issues, but I don't have an equivalent service recommendation.

1 Like

This is expected: as I said before a relay mode lan does not hold a GUA on the interface itself.

You can remove wan6; it is there by default in the expectation that the wan connection will be dhcp. It is not going to do anything with a pppoe connection.

wan_6 should have been placed in the wan firewall zone automatically but you may want to add it explicitly to be sure. It is showing gray on the status page which means that Luci does not think it is in any firewall zone. I don't know if that is actually the case or not.

1 Like

Thanks, I have removed wan6; wan_6 spawns automatically and stays greyed out in LuCI, as it's a "Protocol: Virtual dynamic interface (DHCPv6 client)". Should I try to manually add it via config file?

I couldn't get any further without breaking IPv6 for lan. Lan is in server mode for both RA and DHCPv6, while NDP is disabled.
I wish it was possible to relay this to the other guest interface to share the same v6 subnet, but no matter which config I use (relay like the wiki says), it only ends up breaking the working interface. I'm kinda lost on how to proceed.

current working config (v6 only for lan)

dhcp


        list server '0::1#5453'
        list interface 'iguest'
        list interface 'iproton'
        list interface 'lan'
        list interface 'wg0'
        option dnssec '1'
        option dnsforwardmax '300'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ra_default '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'iguest'
        option interface 'iguest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'

network

config globals 'globals'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option mtu '1492'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option dns_metric '0'
        list ip6class 'wan_6'
        list dns '45.90.28.39'
        list dns '2a07:a8c0::9c:99bc'

config interface 'wan'
        option device 'wan'
        option proto 'pppoe'
        option username ''
        option password ''
        option ipv6 'auto'
        option peerdns '0'
        list dns '45.90.28.39'
        option dns_metric '0'
        option ip6assign '64'
        option delegate '0'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'
        option mtu '1492'

config interface 'iguest'
        option proto 'static'
        option device 'br-guest'
        list ipaddr '192.168.2.1/24'
        list dns '192.168.1.1'

config interface 'iproton'
        option proto 'static'
        option device 'br-wg'
        list ipaddr '192.168.3.1/24'

If you set both lans to be relay instead of ip6assign, then all of your endpoints will be in the same /64 (along with wan). The delegated /64 won't be used.

The other thing to try would be to have lan delegated, then relay the prefix that exists on lan to guest. Make lan the relay master instead of wan (wan would be only a client). Relay was really intended for the use case where there is no delegatable prefix from the ISP, only the IP that exists on wan.

The wan_6 interface belongs to the same firewall zone as the parent interface it spawned from; in your case it's wan. If you want to manually control your wan_6 interface DNS etc., then go into your wan > advanced settings, then change obtain IPv6 address to manual as per below and apply the changes. Then edit your wan6 interface and change it to be an alias of your wan: change device type to @wan, save and apply

1 Like

So I've tried both approaches that mk24 said, and did 13en's suggestion of creating an alias interface for wan6, which by the way worked, as it is now marked as the same firewall zone in LuCI

Still, the only way I can get working IPv6 connectivity, and only in LAN, is having lan in server mode. Setting it as designated master fails. Setting wan6 as master fails. Setting it as relay fails. Some configurations also break guest's v4 connectivity, although I haven't really been testing it thoroughly in this aspect; the only way to keep lan with working v6 is setting the ip6assign option to 64

Using ssh I managed to watch tcpdumps of both interfaces, and it seems that the advertisements are going through the interfaces, albeit they use a LLA to communicate - is that right?

I'm surprised at how difficult it seems to get such a large address space as v6 to be shared between interfaces, and I'm doing this just because I am a v6 enthusiast and want to be ready for "the future" lol. ISP should've handled this better, but unfortunately searching about it only shows few people interested in IPv6, mostly disabling it other than trying to work with it. It works fine in dual stack in the standard modem provided - which obviously I'm not using as router right now.

Anyway, the dumps

guest when android connects to it (ipv6 not working, no public address assigned)

13:02:07.325327 IP6 fe80::495d:da4f:2c93:641 > fe80::74fe:ceff:fe8d:8cfe: ICMP6, neighbor solicitation, who has fe80::74fe:ceff:fe8d:8cfe, length 32
13:02:07.325612 IP6 fe80::74fe:ceff:fe8d:8cfe > fe80::495d:da4f:2c93:641: ICMP6, neighbor advertisement, tgt is fe80::74fe:ceff:fe8d:8cfe, length 24

meanwhile lan's working ipv6 looks very active and sharing public addresses

13:03:17.906910 IP6 fe80::76fe:ceff:fe8d:8cfe > fe80::10f7:ee7d:8853:500d: ICMP6, neighbor solicitation, who has fe80::10f7:ee7d:8853:500d, length 32
13:03:17.973036 IP6 fe80::10f7:ee7d:8853:500d > fe80::76fe:ceff:fe8d:8cfe: ICMP6, neighbor advertisement, tgt is fe80::10f7:ee7d:8853:500d, length 24
13:03:18.386680 IP6 2804:xxxx:xxxx:xxxx:xxxx:5125:517e:xxxx > fe80::76fe:ceff:fe8d:8cfe: ICMP6, neighbor advertisement, tgt is 2804:xxxx:xxxx:xxxx:xxxx:5125:517e:xxxx, length 32
13:03:18.386891 IP6 2804:xxxx:xxxx:xxxx:xxxx:5125:517e:xxxx > fe80::76fe:ceff:fe8d:8cfe: ICMP6, neighbor advertisement, tgt is 2804:xxxx:xxxx:xxxx:xxxx:5125:517e:xxxx, length 32
13:03:18.546904 IP6 fe80::76fe:ceff:fe8d:8cfe > 2804:xxxx:xxxx:xxxx:xxxx:5125:517e:yyyy: ICMP6, neighbor solicitation, who has 2804:xxxx:xxxx:xxxx:xxxx:5125:517e:yyyy, length 32
13:03:18.547189 IP6 2804:xxxx:xxxx:xxxx:xxxx:5125:517e:yyyy > fe80::76fe:ceff:fe8d:8cfe: ICMP6, neighbor advertisement, tgt is 2804:xxxx:xxxx:xxxx:xxxx:5125:517e:yyyy, length 24

My suggestion is you contact your ISP and ask them to delegate a larger prefix to you. Even a /60 will be enough to cover all your subnets; the BCOP recommendation is a /56 for residential, and there is no reason for any ISP to assign their customers a /64 for their home networks. A /64 is the minimum required for SLAAC. Your Android devices use SLAAC for IPv6 assignment and will get an IP once the guest interface has a /64 delegated prefix assigned to it. Trying to break down a /64 will cause all sorts of issues. Please reach out to your ISP and ask for the larger prefix. The issues are on their end.