How to "NAT" IPv6 like IPv4, or block it

I'm a new OpenWRT user and I don't know what I'm doing.

Thanks to this forum, I got my OpenWRT router set up so when I plug it into my ISP's router, and then connect devices to the OpenWRT router's wifi, the ISP router doesn't see which individual devices are connected. I think this is because of NAT for IPv4. I also got OpenVPN running on the router so these devices have their IPv4 traffic going through the VPN.

Now I'm wondering about IPv6. I assume the ISP router still sees individual devices that have IPv6 addresses, because the OpenWRT router doesn't do NAT for IPv6. I also don't know if IPv6 traffic from these devices (whether they have their own IPv6 addresses or not) is bypassing the OpenWRT router and VPN and going straight to the ISP router.

I want the OpenWRT router to do the same things for IPv6 that it does now for IPv4, i.e. make all devices appear as one, and send all traffic through the VPN. Or just completely block IPv6 if that's easier.

I think the first step is to confirm that the router doesn't handle IPv6 the way I want. But I don't even know how to tell if my devices have IPv6 addresses. One is a phone and it says in its wifi settings that it has both IPv4 and IPv6 addresses, but neither the OpenWRT router nor the ISP router show any devices with IPv6. (In Status -> Overview -> Active DHCP Leases, I saw some devices with IPv4, and there is nothing under Active DHCPv6 Leases.) And for the VPN, I would normally check the public IP address using a website with IPv4, but I don't know how to do that with IPv6.

Thanks!

Have u read https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6?

If u're new to IPv6, it's highly recommended to study it first, because it's much more complex than IPv4.

To diagnose IPv6 situation, first choose 1 device to make the tests. The same command to see IPv4 address should show IPv6 too.

Any whatismyip service will show u ur public IPv4 and IPv6 addresses, then u compare them to those shown by the device. By default, the device should show an internal IPv4 address different from the public one. IPv6 should show the same prefix and may show a different interface ID, because some OS use temporary interface IDs for outgoing packets.

If the IPv6 prefix is the same, then u're not using NAT6 and IPv6 is working. If the prefix is different, then somehow u have enabled NAT6 and it's working. If it reports no IPv6, then it's not working at all.

I use Pihole stats to see how often I'm using IPv6 compared to IPv4.

ifstatus lan will show if ipv6 is enabled on lan interface.
It will be easier to disable ipv6 on lan interface than configuring nat6.

Here's ifstatus lan. I don't know what this means though.

{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 83226,
	"l3_device": "wlan1",
	"proto": "static",
	"device": "wlan1",
	"updated": [
		"addresses"
	],
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		{
			"address": "192.168.2.1",
			"mask": 24
		}
	],
	"ipv6-address": [

	],
	"ipv6-prefix": [

	],
	"ipv6-prefix-assignment": [
		{
			"address": "fdce:c729:2804::",
			"mask": 60,
			"local-address": {
				"address": "fdce:c729:2804::1",
				"mask": 60
			}
		}
	],
	"route": [

	],
	"dns-server": [

	],
	"dns-search": [

	],
	"neighbors": [

	],
	"inactive": {
		"ipv4-address": [

		],
		"ipv6-address": [

		],
		"route": [

		],
		"dns-server": [

		],
		"dns-search": [

		],
		"neighbors": [

		]
	},
	"data": {

	}
}

This is a private IPv6 and not routable on the internet. Either your ISP doesn't offer IPv6, or OpenWrt is not able to delegate some ipv6 prefix to the lan.
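
An added Python example (not from the thread) that applies the two checks discussed above: it classifies the prefixes in ifstatus lan output as private (ULA) or global, and compares a device's address with the public one the way the earlier reply describes. The JSON is a constructed excerpt of the output quoted above; the 2001:db8 addresses are constructed documentation-range values.

```python
import ipaddress
import json
from typing import List, Optional, Tuple

# Constructed excerpt of the 'ifstatus lan' output quoted in the thread.
IFSTATUS_LAN = json.dumps({
    "ipv6-address": [],
    "ipv6-prefix-assignment": [
        {"address": "fdce:c729:2804::", "mask": 60,
         "local-address": {"address": "fdce:c729:2804::1", "mask": 60}}
    ],
})

# RFC 4193 unique local addresses: private, never routed on the internet.
ULA = ipaddress.ip_network("fc00::/7")


def classify_prefix(prefix: str) -> str:
    """Return 'ula', 'link-local', 'global' or 'other' for an IPv6 prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.subnet_of(ULA):
        return "ula"
    if net.is_link_local:
        return "link-local"
    if net.is_global:
        return "global"
    return "other"


def lan_prefixes(ifstatus_json: str) -> List[Tuple[str, str]]:
    """List every prefix delegated to lan together with its classification."""
    status = json.loads(ifstatus_json)
    out = []
    for entry in status.get("ipv6-prefix-assignment", []):
        prefix = "{}/{}".format(entry["address"], entry["mask"])
        out.append((prefix, classify_prefix(prefix)))
    return out


def nat6_state(device_addr: str, public_addr: Optional[str], plen: int = 64) -> str:
    """Rule of thumb from the thread: same /plen prefix on the device and on
    whatismyip => plain routing (no NAT6); different prefix => NAT6 in effect;
    no public IPv6 at all => IPv6 is not working."""
    if public_addr is None:
        return "no-ipv6"
    dev = ipaddress.ip_network("{}/{}".format(device_addr, plen), strict=False)
    pub = ipaddress.ip_network("{}/{}".format(public_addr, plen), strict=False)
    return "routed" if dev == pub else "nat6"
```

For the output quoted above, lan_prefixes reports a single ULA prefix, which is why no device behind the router can have a public IPv6 address.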

The phone's IPv6 address starts with that prefix, so it must be a private address. I don't have a public IPv6 address according to something like whatismyip.com.

I want to prevent the ISP router from seeing individual devices connected to the OpenWRT router's wifi with their own private IPv6 addresses. And I also want to check if IPv6 traffic is going through the VPN, or just block it. (Even if I don't have a public IPv6 address, I can still have IPv6 traffic, for example I can ping6 any other IPv6 address.)

Well, the easiest way to do that is just disabling IPv6.

If u want IPv6, it's even more complex to set up when a VPN is involved and u wanna use NAT6.

I'd suggest disabling it and studying how it works first, and only then starting to configure it.