Interim IPv6 ULA & ISP /64

Hello all,
I just tried to find something on this topic, but I couldn't find current info for the latest OpenWrt.

wan6: gets an IPv6 /64 from the ISP. Prefix delegation is set off. Literally everything regarding IPv6 is set off. Curiously, there seems to be an IPv6 address announced by the wan6 interface.

lan: gets a static ULA prefix, delegation is set off. All the devices behind lan get an IPv6 ULA address correctly, it seems. RA lifetime is set to 0 manually.

Still I receive messages like:

[27.05.2026, 10:19:51 MESZ] daemon.warn: odhcpd[1895]: A default route is present but there is no public prefix on lan thus we announce no default route by setting ra_lifetime to 0!

Can't get rid of them and would like to. I think there is something wrong with the configs.

Are you saying something is broken, or that you intended to disable IPv6? The wording of your post isn't clear.

Get rid of the messages, or get rid of the IPv6 addresses?

Are you willing to share the configs (i.e., network, dhcp, firewall)?

Also, you may want to clarify your desires.

I disabled IPv6 on wan6.

The messages.

Yes, network and dhcp. Firewall is set off at the moment.

/ # cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        list ipaddr '127.0.0.1/8'

config globals 'globals'
        option dhcp_default_duid '000405a025cc49b1ba509b4d81c524c0'
        option packet_steering '1'
        option ula_prefix 'fdff:1e9:7b12:abcd::/64'

config device
        option name 'br-lan'
        option type 'bridge'
        option ipv6 '1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option multipath 'off'
        list ipaddr '192.168.100.1/24'
        list ip6class 'local'
        option delegate '0'
        list ip6addr 'fd12:3456:789a::1/64'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option peerdns '0'
        option multipath 'off'
        option broadcast '1'
        option delegate '0'
        option hostname '*'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'none'
        option norelease '1'
        option peerdns '0'
        option multipath 'off'
        option reqprefix 'no'
        option force_link '1'
        option sourcefilter '0'
        option delegate '0'

config interface 'wifiintern'
        option proto 'static'
        option multipath 'off'
        list ipaddr '192.168.200.1/24'

config interface 'wifiextern'
        option proto 'static'
        option multipath 'off'
        list ipaddr '192.168.225.1/24'
        option delegate '0'
        option force_link '0'

/ # cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option cachesize '10000'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option noresolv '1'
        option min_cache_ttl '3600'
        option max_cache_ttl '86400'
        list server '127.0.0.1#5354'
        list server '::1#5354'
        option stripmac '1'
        option stripsubnet '1'
        option nonegcache '1'
        list address '/ams1.dns4all.eu/'
        option logdhcp '1'
        list listen_address '192.168.100.1'
        option authoritative '1'
        list interface 'lan'
        list interface 'wifiextern'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_preference 'medium'
        option dns_service '0'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ra_lifetime '0'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option leasefile '/tmp/odhcpd.leases'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '5'
        option piodir '/tmp/odhcpd-piodir'
        option hostsdir '/tmp/hosts'

config dhcp 'wifiextern'
        option interface 'wifiextern'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

My desire is:

I would like to have an internal network where devices can communicate with IPv4 or IPv6. The long run requires the ISP to offer IPv6 prefixes shorter than /64 and then NPT/NAT66 the internal ULA addresses to the global addresses. Because it's more privacy friendly when my ISP cannot see behind the WAN port of the router.

But for that, I need to have a good config that is not throwing out messages in the logs.

That triggers the warning, and it should, as there is no public prefix.

The best approach is to ignore it.

You can change the settings to announce the default route in the DHCP settings.

TBH, if you enable masquerade6 on a default configuration, everything should work as you desire. I'm not sure why you decided to "disable" IPv6 in this interim config (BTW, I fixed the title).

Disable ULA :man_shrugging:

Or proceed to set up masq6 on WAN, route the ULA, etc.

(The message is self explanatory.)

I read that this requires PD to all downstream devices. I "have" no default route of ISP prefixes at the moment. The goal is to separate the LAN network from the global/routable IPv6 of wan6.

You only need PD on downstream routers.

Because you've altered your configurations (I'm guessing you're aware of this).

  • To be clear, this can be done with a /64.
  • It's not clear if you've tested requesting an appropriate delegation as of yet.

OK guys,

how would you do this:

make LAN devices communicate via ULA (only non-routable, private addresses) and SEPARATE the global WAN IPv6 from LAN?

It might help to clarify why you're making an "interim configuration".

Clarify this phrase. WAN and LAN are already separate interfaces. It's not clear what you mean here.

You want to perform NAT for IPv6 like IPv4 (even though a firewall makes this unnecessary), instead of having GUAs assigned directly to LAN clients, correct?

Yes.

Would you please explain this? What do I need to do so that my ISP can only see up to the WAN door and not behind it?

What do you think your ISP would be able to see if you gave devices globally addressable IPv6 addresses?

With a default configuration, all one needs to do is:

  • Enable IPv6 masquerade on the WAN interface

Test and let us know.

(That should be it, but you may have to create a route for the ULA to use WAN. Test first and report the result.)
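The masq6-on-WAN approach suggested above, as an added example that is not from any of the thread's posters: the wan firewall zone gets masq6, the lan dhcp section gets ra_default so odhcpd announces the default route despite having only a ULA prefix, and wan6 is allowed to obtain an address for the router to masquerade behind. All option values are assumptions for illustration; adapt them to your own config. Note that masq6 only works if the router itself holds a GUA on wan6, which the original config prevents with reqaddress 'none'.

```uci
# /etc/config/firewall (constructed fragment)
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'   # the zone policy, not NAT, is what keeps unsolicited inbound traffic out
        option masq '1'
        option masq6 '1'          # rewrite ULA sources to the router's GUA on the way out
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

# /etc/config/dhcp (constructed fragment): lan keeps ULA-only addressing
config dhcp 'lan'
        option interface 'lan'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_default '1'     # announce a default route even though lan has no public prefix
                                  # (drop the manual ra_lifetime '0', which suppresses the route)

# /etc/config/network (constructed fragment): let wan6 get an address to NAT to
config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'try'   # 'none' in the original config leaves nothing for masq6 to use
        option reqprefix 'no'
        option delegate '0'
```

The ISP still sees every flow originating from the router's single GUA, so this hides internal host addresses, not the fact or timing of the traffic.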

  • IPv6 is end-to-end addressing. It looks through routers.

What do you think ISPs can see then? Probably not the pictures of my mum showering, right? Phew!

It's about a little bit more privacy. If someone is using DoT or DoH, this would be a bit more private surfing, too. If someone is using a VPN, this probably would be the best way to keep ISPs from gaining knowledge of someone's online behaviour or topology.

I'll do and come back here! Thanks!

This statement is very...non-technical.

You do realize your public IPv6 subnet/PD is still the same source router, hence still identifying the source of the traffic nonetheless. Since it's opposite of usual in the IPv6 world, that behavior is easily identified.

NAT was never a privacy or firewalling invention (originally); it was designed to dampen or slow exhaustion of public IPv4 addresses. Unless you're suggesting security through obscurity - most engineers reject that as false.

If you really want only ULA on LAN, but still be able to reach global IPv6 via WAN, then you need network prefix translation (NPT) configured.

And so does IPv4! It was only the introduction of NAT in 1995 because even back then we would have run out of global IPv4 addresses....

But here today now I'm addressing my devices with 192.168.x.x and the ISP is not able to see which address is initiating a connection, is not able to make a topology, because of NATting. That's definitely a privacy enhancer, if only a little, but it is. You probably know Amazon's Echo? ISPs are selling our data like every company which wants to make money likely does, and the main reason I'm doing all this router-s*** is because I don't want to be spied on. It grows me grey hairs honestly.

If we have more and more IPv6 in future: I don't want its features. I want all this crap to behave privacy by default, no compromises, no technical bla bla. Call me an idealist.

:slight_smile:

GrapheneOS was never invented for degoogling, but does a great job at it!

Yes, I recommend using that, just like an adblocking package.

Yes, if you do not trust your ISP I would certainly recommend it.

But not using GUAs does not add much, as the masquerading will show your GUA anyway, so that is just tin foil hat stuff :wink: