Inbound IPv6. LAN devices OK. Router not OK

Hi.

I have an ASUS RT-AC58U router that I use with the direct connection from my ISP.

My ISP uses CGNAT, so my network is only routable inbound from the internet using IPv6 (DHCPv6).

I've just replaced the stock firmware with OpenWrt.

Everything generally works fine, except I get no inbound IPv6 traffic (even return traffic) via the WAN to the router, but IPv6 traffic between LAN devices and the internet works fine.

As a basic example, "ping6 ipv6.google.com" works fine from the LAN devices, but on the router there is no return traffic. tcpdump shows the outgoing traffic and nothing coming back.

As another example, if I add a firewall rule to allow inbound 80/tcp from the WAN to the LAN, then I can access web servers on my LAN from the internet, but if I add a firewall rule to allow inbound 80/tcp from the WAN to the router I can't access LuCI and tcpdump shows no incoming traffic.

I can add config details if required but, based on the above, does this suggest a problem with my ISP rather than a problem with the router / OpenWrt?

Thanks in advance.

Gave up trying to get a sensible answer from my provider, so I have changed my config so my OpenWrt router is now sitting behind my ISP router.

For DHCPv6 I have set the wan6 interface to master and enabled "relay" for dhcp, ra & ndp for both the lan and wan6 interfaces.

Everything appears to be working with one exception: I can't access the OpenWrt router from the LAN devices using IPv6.

The LAN configuration doesn't look correct to me.

OpenWrt router:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether 10:7b:44:59:9b:1c brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 10:7b:44:59:9b:18 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.100/24 brd 192.168.1.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fd00::127b:44ff:fe59:9b18/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 2a01:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/128 scope global dynamic noprefixroute 
       valid_lft 57625sec preferred_lft 43225sec
    inet6 fe80::127b:44ff:fe59:9b18/64 scope link 
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 10:7b:44:59:9b:1c brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.1/24 brd 192.168.10.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd81:250d:683a::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::127b:44ff:fe59:9b1c/64 scope link 
       valid_lft forever preferred_lft forever
7: vpn: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    link/[65534] 
    inet 192.168.12.1/24 brd 192.168.12.255 scope global vpn
       valid_lft forever preferred_lft forever
    inet6 fdf1:e8a1:8d3f:12::1/64 scope global 
       valid_lft forever preferred_lft forever
8: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 10:7b:44:59:9b:18 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::127b:44ff:fe59:9b18/64 scope link 
       valid_lft forever preferred_lft forever
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
    link/[65534] 
    inet 192.168.11.1/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::6564:76d0:e35a:6f2c/64 scope link flags 800 
       valid_lft forever preferred_lft forever
10: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 10:7b:44:59:9b:1c brd ff:ff:ff:ff:ff:ff
    inet6 fe80::127b:44ff:fe59:9b1c/64 scope link 
       valid_lft forever preferred_lft forever
11: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 12:7b:44:59:9b:18 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::107b:44ff:fe59:9b18/64 scope link 
       valid_lft forever preferred_lft forever
12: wlan1-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 12:7b:44:59:9b:1c brd ff:ff:ff:ff:ff:ff
    inet6 fe80::107b:44ff:fe59:9b1c/64 scope link 
       valid_lft forever preferred_lft forever

LAN device:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp6s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 00:e0:4c:77:16:f5 brd ff:ff:ff:ff:ff:ff
3: enp0s31f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 40:8d:5c:52:31:eb brd ff:ff:ff:ff:ff:ff
7: wlp0s20f0u9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether bc:a5:11:36:fc:f3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.2/24 brd 192.168.10.255 scope global dynamic noprefixroute wlp0s20f0u9
       valid_lft 42771sec preferred_lft 42771sec
    inet6 2a01:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/64 scope global dynamic noprefixroute 
       valid_lft 57596sec preferred_lft 43196sec
    inet6 fd00::a7fe:e926:12a8:651c/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::cdc3:3798:94cf:d812/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

ula_prefix is:

fd81:250d:683a::/48

Shouldn't the Unique Local Address for the LAN devices be in this subnet so they are the same as the OpenWrt router? If yes, how do I change this?

Thanks.

Try this https://www.saudiqbal.com/blog/ipv6-home-server-with-dynamic-prefix-for-vpn-web-server-rdp-and-firewall-setup-guide.php

I'm not quite sure if I understand your setup correctly, but you have set the OpenWrt in a relay mode so your ISP box handles DHCPv6 and RA? If yes, then you get the ULA from the ISP box and your OpenWrt does "nothing" with the configured ULA.

I assume the OpenWrt's eth1 is the uplink port? Then try to access fd00::127b:44ff:fe59:9b18 from your PC to get to the OpenWrt.
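The check suggested in the reply above, as an added example that is not part of the original posts: it parses `ip addr` output from the router and a LAN client and reports, for each router ULA, whether it comes from the configured `ula_prefix` and whether the client holds an address in the same prefix. The sample text is trimmed from the output posted in the thread; the function and field names are assumptions made for this illustration.

```python
import ipaddress
import re

# Constructed sample: lines trimmed from the `ip addr` output posted in the thread.
ROUTER = """\
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    inet6 fd00::127b:44ff:fe59:9b18/64 scope global noprefixroute
    inet6 2a01:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/128 scope global dynamic noprefixroute
    inet6 fe80::127b:44ff:fe59:9b18/64 scope link
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet6 fd81:250d:683a::1/60 scope global noprefixroute
"""
CLIENT = """\
7: wlp0s20f0u9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet6 fd00::a7fe:e926:12a8:651c/64 scope global noprefixroute
    inet6 fe80::cdc3:3798:94cf:d812/64 scope link noprefixroute
"""
ULA_PREFIX = ipaddress.ip_network("fd81:250d:683a::/48")  # ula_prefix quoted in the thread
ULA_SPACE = ipaddress.ip_network("fc00::/7")              # RFC 4193 unique local range


def parse_ip_addr(text):
    """Return [(ifname, IPv6Interface)] for every parseable inet6 line."""
    found, ifname = [], None
    for line in text.splitlines():
        head = re.match(r"\d+:\s+([^:@\s]+)", line)
        if head:
            ifname = head.group(1)
            continue
        addr = re.match(r"\s+inet6\s+(\S+)", line)
        if addr:
            try:
                found.append((ifname, ipaddress.ip_interface(addr.group(1))))
            except ValueError:
                pass  # address redacted by the poster (2a01:xxxx:...)
    return found


def ula_report(router_text, client_text, ula_prefix=ULA_PREFIX):
    """For each router ULA: is it from ula_prefix, and is it on-link for the client?"""
    client_nets = [i.network for _, i in parse_ip_addr(client_text) if i.ip in ULA_SPACE]
    return [{"ifname": name, "address": str(i.ip),
             "from_ula_prefix": i.ip in ula_prefix,
             "on_link_for_client": any(i.ip in net for net in client_nets)}
            for name, i in parse_ip_addr(router_text) if i.ip in ULA_SPACE]


if __name__ == "__main__":
    for row in ula_report(ROUTER, CLIENT):
        print(row)
```

On the posted data, the eth1 address is the only router ULA inside a prefix the client also holds, while the br-lan address is the only one drawn from `ula_prefix`.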

Thanks for the responses.

This may simply be a misunderstanding on my part.

I'm hoping my setup is fairly standard:

ISP Router - OpenWrt Router - Single LAN

It makes sense to me that all the LAN clients are getting their IPv6 configuration from the ISP router, as the OpenWrt router is simply relaying.

eth1 on the OpenWrt router is the uplink port connected to the ISP router, and I can connect to the fd00 address from the LAN as suggested.

Because the br-lan device has a fd81 address assigned, I thought all the LAN devices should have fd81 ULAs assigned, as well as the fd00 ULAs, and I should use the fd81 address to connect from the LAN devices.

My knowledge of IPv6 is very sketchy, so apologies if I'm just confusing things.

I have also enabled Privacy Extension on my LAN devices, as per the first suggestion, as this seems to be good practice.