Ipv6 | 1st time setup

Hi,

I recently renewed my 1Gbps fibre with my ISP and was switched to a CGNAT connection. I asked to be switched back to a Dynamic IP and they have kindly actioned my request.

This got me thinking about futureproofing my network. I don't think there are any guarantees that I will remain on a Dynamic IP in the longer term. CGNAT appears to be the only way newer ISPs can expand, so I will probably be forced to move to ipv6 at some point.

I've dipped my toe in the water by creating a new ipv6 WAN interface. This interface uses the same physical interface as my ipv4 WAN connection. Is that the correct method? I did notice there was an option to create an 'alias interface'.

The new ipv6 WAN interface has received three ipv6 addresses via DHCP.

  • /128
  • /64
  • /48

The /128 address can be pinged by some servers, but not others. Is this normal?

Where do I go from here? I presume I will need to configure an ipv6 DHCP server on my LAN interface, but the LAN currently has two ipv6 addresses configured. One is a /60 address associated with my WAN's ipv6 address, but I'm not sure what the other address is.

If I enable ipv6 DHCP on the LAN interface, will 'everything' happen automatically - e.g. will my local devices receive internet routable addresses?

My VLANs are using static ipv4 addresses, so I guess I'll have to assign static ipv6 addresses. Should these be from the /64 or /48 subnets that are assigned to my ipv6 WAN interface?

Will devices default to ipv4 or ipv6? Can OpenWrt be configured to use ipv6 with fall-back to ipv4 as and when required?

Am I going about this in completely the wrong way?

Thanks for any help and advice.

To be clear, that's not entirely accurate:

  • The /48 is a Prefix Delegation issued, so that you can assign subnets to other interfaces, etc.
  • You'd have to ask the company that provided the tool
  • Did you edit IPv6 Ping on your firewall?
  • It appears you configured it - did you change anything from defaults?
  • By default, OpenWrt should issue IPv6 addresses on LAN with an established wan6 connection

Yes, it should have happened by default.

No, you do not.

Seems you did pretty good - not really sure why the default wan6 interface was missing from your device, though.

ipv6 DHCP is currently disabled on my BR-LAN interface.

What are the correct/default settings that I should be using?

None of my VLAN interfaces are currently configured with ipv6 addresses.

See: How to configure ipv6 with slaac+dhcpv6 stateless - #2 by lleachii

I'm using Luci, but I've tried to copy the config.

The RA Flag 'managed config' is unchecked because that page had some debate about the setting.

My PC has received an ipv6 address that is part of the block assigned by my ISP.

Only three devices have currently received ipv6 addresses.

Those are DHCPv6 leases only. The other method a machine receives an IP is via SLAAC. Some devices that get IPv6 addresses only use SLAAC.

I'm trying to configure my VLANs with ipv6 addresses.

This is my current network config.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd94:xxxx:xxxx::/48'
	option packet_steering '1'

config interface 'wan_ipv4'
	option device 'eth1'
	option proto 'dhcp'
	option hostname '*'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'wan_ipv6'
	option proto 'dhcpv6'
	option device 'eth1'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.0.1'
	option delegate '0'
	option ip6assign '64'
	list ip6class 'wan_ipv6'
	option ip6ifaceid '::1'

config interface 'vpn'
	option proto 'wireguard'
	option private_key ''
	option listen_port 'xxxx'
	list addresses '192.168.x.x/24'
	list addresses 'fdf1:xxxx:xxxx:x::1/64'
	list addresses '2a02:xxxx:xxxx:xxxx:0000:0000:0000:0001/64'

config interface 'vlan20'
	option device 'eth0.20'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.20.1'
	list ip6addr '2a02:xxxx:xxxx:0020:0000:0000:0000:0001/64'
	option ip6prefix '2a02:xxxx:xxxx::/48'
	option ip6gw '2a02:xxxx:xxxx:xxxx::5e6'

config interface 'vlan30'
	option proto 'static'
	option device 'eth0.30'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'
	list ip6addr '2a02:xxxx:xxxx:0030:0000:0000:0000:0001'
	option ip6gw '2a02:xxxx:xxxx:xxxx::5e6'
	option ip6prefix '2a02:xxxx:xxxx::/48'

config device
	option name 'wlan0'

I tried connecting a Linux Mint laptop to VLAN30 and I think it used SLAAC to obtain an IPv6 address. I then tried changing it from 'automatic' to 'automatic, DHCPv6 only', but it didn't receive an address.

Given the use of SLAAC by Android devices, I'm not sure how to proceed with the VLANs.

Do the VLAN interfaces need to have their own static ipv6 addresses assigned and also configured as dhcpv6 servers? How is VLAN data segmentation achieved in an ipv6 network?

Why doesn't SLAAC assign an ipv6 address from the same subnet that's assigned to the vlan interface?

By using different subnets on different VLANs.

To be clear, it's assigning no address after you switched to "DHCPv6 only", correct?

Use ip6assign 64 on each lan-like interface such as the guest vlan30. This will automatically delegate a separate unique /64 to each interface, but all within the /48 pool that you received from the ISP. The interface itself will have ::1 in that /64 prefix, and DHCP or SLAAC on the clients will assign other IPs within the /64. In this use case since you have proper IPv6 support from the ISP, it is not necessary to manually configure IPv6 addresses or prefixes anywhere, and indeed trying to do that is only prone to break things.

Also remove ula_prefix from the configuration, you don't need it here and the ULAs are not doing anything useful.

As a note, Windows and other endpoint OSes will cycle through multiple random addresses within their LAN /64 as a way to increase privacy and attempt some security through obscurity.

The Linux Mint laptop didn't obtain an address after switching to dhcpv6 only.

Should I apply that option to my Wireguard interfaces? What is the ipv6 equivalent of list allowed_ips '192.168.x.x/32'?

config interface 'vpn'
	option proto 'wireguard'
	option ip6assign '64'

config wireguard_vpn 'wgclient'
	list allowed_ips '192.168.x.x/32'

Thanks.

Unfortunately, Wireguard isn't set up to configure IPv6 automatically. Get the LANs working first. Then determine what you want wireguard to do with IPv6.

I've made the changes to the vlans/subnets.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.0.1'
	option delegate '0'
	option ip6assign '64'
	option ip6ifaceid '::1'

config interface 'wan_ipv4'
	option device 'eth1'
	option proto 'dhcp'
	option hostname '*'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'wan_ipv6'
	option proto 'dhcpv6'
	option device 'eth1'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'

config device
	option name 'wlan0'

config interface 'vlan20'
	option device 'eth0.20'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.20.1'
	option ip6assign '64'

config interface 'vlan30'
	option proto 'static'
	option device 'eth0.30'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	
config interface 'vlan40'
	option proto 'static'
	option device 'eth0.40'
	option ipaddr '192.168.40.1'
	option netmask '255.255.255.0'
	option ip6assign '64'

config interface 'vlan50'
	option proto 'static'
	option device 'eth0.50'
	option ipaddr '192.168.50.1'
	option netmask '255.255.255.0'
	option ip6assign '64'

All the network interfaces are now receiving ipv6 addresses automatically.

But my laptop isn't receiving an ipv6 address in the same /48 block assigned by my ISP.

I don't currently have an ipv6 DHCP server or RA-Service enabled on any interfaces. Do I need to enable that on every interface - i.e. lan + vlans? Or can it be enabled on the wan_ipv6 interface? Can the interface simultaneously be an ipv6 dhcp client, for the WAN address, and an ipv6 dhcp server for the downstream network?

Thanks,

Yes you need a config dhcp block enabling DHCPv6 and RA in server mode on each additional lan-like interface. These can be patterned after the default block for lan. You had lan set up correctly then your latest post shows it disabled, which it should not be.

Just like ipv4, the wan is a DHCP client and the lan(s) are servers.

A delegateable /48 means that the first 48 bits are controlled by the ISP, your router's delegation system controls the next 16 bits, and the last 64 are the interface ID. The base IP of a LAN's /64 will be like this:
XXXX:XXXX:XXXX:YYYY::1
X = bits the ISP controls and sent to you to use. Any packet sent on the Internet with a destination IP that matches the 48 X bits will be routed to your house.
Y = bits selected by OpenWrt's delegation system. These bits control which LAN the packet will be sent to.
::1 the last 64 bits are part of the interface.

Thanks.

Do I just need to enable DHCP or DHCP and RA? Should I tick the designated master option?

Generally both are enabled, though almost all clients will work in a RA only system. Android does not implement DHCPv6 (by design) so RA must be enabled for them.

Do not check Master, that is for wan in relay mode which you're not using.

Thanks.

ipv6 appears to be working.

I disabled ipv4 on my laptop and received an ipv6 address in the correct subnet. My pings were generally successful, but it shows how few sites actually support ipv6. For example, bbc.co.uk doesn't, but dailymail.co.uk does?!?!?

With both ipv4 and ipv6 enabled, it appears to default to ipv6 with fallback to ipv4 - which is quite nifty.

One thing I have noticed, two of my VLANs have been assigned the same subnet IP address.

Is this a known bug?

Those are not the same. You have 0000 and 0001 for the Y bits. The first one absorbed the block of YYYY being all zeros into the double colon notation.

Written out fully without the double colon shortcut, the two LAN IPs are
2a02:XXXX:XX9f:0000:0000:0000:0000:0001
and
2a02:XXXX:XX9f:0001:0000:0000:0000:0001

Doh! I didn't see that extra 1 despite looking at it several times.

Thanks for your help getting this working. I appreciate you taking the time.

That's why I propagate to reuse the numbers!
See, you have chosen vlan id 40 and 50. Translate these decimal numbers to hexadecimal and use these as your ip6hint to get nice and clean subnets. :wink:
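
The two tips in this thread (a dhcp section with RA and DHCPv6 in server mode on every lan-like interface, and the VLAN ID converted to hexadecimal as ip6hint), put together as an added example that is not part of any post above. It assumes interfaces and dhcp sections named vlan<ID> as in the posted config, and uses the documentation prefix 2001:db8:1234::/48 as a constructed stand-in for the ISP's /48.

```shell
#!/bin/sh
# Added example with constructed values; nothing here is taken from the posters' routers.
DELEGATED='2001:db8:1234::/48'   # documentation prefix standing in for the ISP's /48
VLANS='20 30 40 50'              # VLAN IDs from the thread; interface names vlan<ID> are assumed

# ip6hint is read as a hexadecimal subnet ID, so convert the decimal VLAN ID.
vlan_hint() {
    printf '%x' "$1"
}

# The /64 a hint selects inside a /48, with the 16 "Y" bits written as a full
# four-digit group so that 0000 and 0001 cannot hide inside the "::" shortcut.
vlan_prefix() {
    case "$1" in
        *:*:*::/48) ;;
        *) echo "expected a /48 written as three groups, X:X:X::/48" >&2; return 1 ;;
    esac
    printf '%s:%04x::/64' "${1%::/48}" "$2"
}

# Emit input for "uci batch": pin each VLAN's subnet and serve RA + DHCPv6 on it.
# The dhcp section name matching the interface name is an assumption.
gen_uci_batch() {
    for id in $VLANS; do
        printf 'set network.vlan%s.ip6assign=64\n' "$id"
        printf 'set network.vlan%s.ip6hint=%s\n' "$id" "$(vlan_hint "$id")"
        printf 'set dhcp.vlan%s=dhcp\n' "$id"
        printf 'set dhcp.vlan%s.interface=vlan%s\n' "$id" "$id"
        printf 'set dhcp.vlan%s.ra=server\n' "$id"
        printf 'set dhcp.vlan%s.dhcpv6=server\n' "$id"
    done
    printf 'commit network\ncommit dhcp\n'
}

# Show the plan for review. To apply on the router: gen_uci_batch | uci batch
for id in $VLANS; do
    printf '# vlan%s: ip6hint %s gives %s\n' "$id" "$(vlan_hint "$id")" \
        "$(vlan_prefix "$DELEGATED" "$id")"
done
gen_uci_batch
```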

I've added the vlan number as the ip6hint and it has made things a lot clearer.

Thanks for the tip.

** edit **

One final thing, I do like the way that OpenWrt assigns the ipv4 address as the ipv6 address - e.g. 192.168.0.200 becomes :1::200. That certainly helps to identify devices via IP address.