How to relay IPv6 in OpenWrt 18.06.9?

Hi, all! Recently, with help from kind forum members, I successfully configured OpenWrt 23 on my Archer A7 router to relay IPv6 from my FRITZ!Box 6660 Cable modem to the devices connected to the Archer's network: How to circumvent IPv6 prefix delegation?

Now, I would like to do the exact same with my other router, a TP-Link WR940N v4 running OpenWrt 18.06.9. (I know it's outdated, but it's still newer than TP-Link's stock firmware by 4 years and it's already the latest OpenWrt version for the device.)

0. Why relay mode?

My FRITZ!Box is the modem connected to the Internet. In its network, there are two routers: the Archer A7 (OpenWrt 23) and the WR940N (OpenWrt 18).

The problem is that, basically, my FRITZ!Box modem does not receive a sufficient IPv6 prefix from my ISP to allow routers connected to the modem to create IPv6 subnets. Therefore, I'm forced to have the router's clients receive IPv6 addresses directly from the FRITZ!Box instead of from OpenWrt itself.

For more information, see: How to circumvent IPv6 prefix delegation?

1. How I had configured OpenWrt 23 previously

In order to make all devices connected to the Archer A7's network receive global IPv6 addresses, I

  • set RA-Service, DHCPv6-Service and NDP-Proxy all to relay mode for the LAN interface
  • set the IPv6 assignment length to 64 bits for the LAN interface
  • disabled IPv6 masquerading on the WAN zone

Now, I get a 10/10 result on test-ipv6.com and can successfully ping6 any global IPv6 server, when connected to the Archer A7 running OpenWrt 23.

2. How I tried to configure OpenWrt 18

In order to achieve the same result on my TP-Link WR940N v4 running OpenWrt 18, I tried the following:

2.1 Enabling IPv6 relay mode for LAN interface

Just like on the Archer A7, I set RA-Service, DHCPv6-Service and NDP-Proxy to relay mode for the LAN interface and made sure to “use the built-in IPv6 management”.

2.2 Disabling IPv6 masquerading

In OpenWrt 18, there is no setting to disable masquerading specifically for IPv6 on the WAN zone; masquerading can only be disabled for both IPv4 and IPv6 or be enabled for both. That's why I created a new WAN6 zone (set to “restricted to IPv6 only”) and set the original WAN zone to “restricted to IPv4 only”. On WAN6, I disabled masquerading.

2.3 Re-configuring the WAN6 interface

In the WAN6 interface's settings, I replaced WAN with WAN6 as the assigned firewall zone and set “request IPv6 address” to force.

3. Result

When connected to the WR940N, IPv6 does not work like on the Archer A7.

  • The LAN interface is assigned only a local IPv6 address not suitable to access the global internet.
  • pinging my laptop under its local IPv6 address fails:
    root@OpenWrt:~# ping6 fe80:***4
    PING fe80:***4 (fe80:***4): 56 data bytes
    ^C
    --- fe80:***4 ping statistics ---
    1365 packets transmitted, 0 packets received, 100% packet loss
    
  • pinging any public IPv6 addresses fails too:
    root@OpenWrt:~# ping6 openwrt.org
    PING openwrt.org (2a03:b0c0:3:d0::1a51:c001): 56 data bytes
    ping6: sendto: Permission denied
    
  • test-ipv6.com returns a score of 0/10.

How to get IPv6 working?

In this use case, why would the 940 have to route anything? Configure it as a bridged ("dumb") AP. The bridge will pass IPv6 directly to the main router.

IPv6 support has been greatly extended since that version. Relay mode and masq6 did not exist in version 18. The "Masquerade" checkbox then, as it does now, only means v4. IPv6 masquerading was not supported at all in the high-level firewall config. It had to be set up by inserting a custom iptables rule.

I have set up a guest Wi-Fi and guest firewall zone. Would that still work in bridged AP mode?

The WR940N is connected to the FRITZ!Box modem, not to the Archer A7 router. This means that, if my firewall setup doesn't continue to work in bridged AP mode, the WR940N's clients would be directly subject to the FRITZ!Box's network management, which I'd like to avoid (that's why I use OpenWrt in the first place :wink:).

Connecting the WR940N to the Archer A7 is not an option due to a Powerline speed issue, sadly.

Ah, I see. That's unfortunate. :confused:

Is this doable or too complicated without expert-level experience? If it's doable and advisable, do you have a tutorial link for that?

Recommended practice for home networks is to use the ISP box only as a link to the Internet, and do all routing through one router that runs OpenWrt. This may not be readily possible with your existing wiring, but it may be by using VLANs to pass multiple networks on one existing Ethernet cable.

The WR940 really is no longer suitable to deploy for any task that involves routing. It could find some use as a bridged AP. You can bridge multiple SSIDs into one Ethernet cable to your main router using VLANs.