IPv6 add default route to table - UCI equivalent config

I'm trying to configure a default IPv6 route at boot in /etc/config/network to work around IPv6 routing issues with the vpn-policy-routing package. I have multiple routing tables, so the default guide in @stangri's FAQ doesn't work for me.

Here's what I tried:

config route6
        option interface 'vpsgw'
        option table 'vpsgw'
        option target '::/0'

The command that will fix IPv6 for me:
ip -6 route add default dev vpsgw table vpsgw

At router boot that route doesn't exist, so I must have a syntax error somewhere, perhaps in '::/0'?

# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc3:ef08:ee27::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.100.1'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'force'
        option reqprefix 'no'
        option defaultroute '1'

config interface 'vpn_privacy'
        option device 'eth0.666'
        option netmask '255.255.255.0'
        option ipaddr '172.66.6.1'
        option proto 'static'

config interface 'wglan'
        option device 'eth0.100'
        option netmask '255.255.255.0'
        option ipaddr '172.100.0.1'
        option ip6assign '64'
        option proto 'static'

config interface 'isolated'
        option device 'eth0.500'
        option netmask '255.255.254.0'
        option ipaddr '192.168.32.1'
        option ip6assign '64'
        option iphint 'AA'
        list ip6class 'local'
        option proto 'static'

config rule 'vpn_privacy_routing4'
        option priority '30000'
        option lookup '30'
        option in 'vpn_privacy'

config rule 'wglan_routing4'
        option priority '30000'
        option lookup '20'
        option in 'wglan'

config rule6 'wglan_routing6'
        option priority '30000'
        option lookup '20'
        option in 'wglan'

config interface 'sharktun'
        option device 'tun0'
        option ip4table '30'
        option ip6table '30'
        option proto 'none'

config interface 'vpsgw'
        option mtu '1350'
        option ip4table '20'
        option ip6table '20'

config wireguard_vpsgw 'wgserver'


config route
        option interface 'lan'
        option table '20'
        option netmask '255.255.255.0'
        option target '192.168.100.0/24'
        option gateway '192.168.100.1'

config route
        option interface 'wan'
        option table '20'
        option netmask '255.255.255.0'
        option target '192.168.12.0/24'

config route
        option interface 'isolated'
        option table '20'
        option netmask '255.255.254.0'
        option target '192.168.32.0/23'
        option gateway '192.168.32.1'


config route6
        option interface 'vpsgw'
        option table 'vpsgw'
        option target '::/0'

These are the routing tables at boot with current configuration (missing the default route on table vpsgw):

# route -A inet6
Kernel IPv6 routing table
Destination                                 Next Hop                                Flags Metric Ref    Use Iface
fd25:8911:3113:9525::10/128                 ::                                      U     1024   1        0 vpsgw
::/0                                        ::                                      U     1024   1        0 vpsgw
::/0                                        ::                                      !n    -1     3        0 lo
::/0                                        fe80::de8d:8aff:fe47:b1dd               UG    512    1        0 eth1
::/0                                        fe80::de8d:8aff:fe47:b1dd               UG    512    1        0 eth1
2607:fb90:4021:8890::/64                    ::                                      U     256    1        0 eth1
2607:fb90:4021:8890::/64                    fe80::de8d:8aff:fe47:b1dd               UG    512    1        0 eth1
fe80::/64                                   ::                                      U     256    1        0 eth1
::/0                                        ::                                      !n    -1     3        0 lo
fe80::/64                                   ::                                      U     256    1        0 tun0
::/0                                        ::                                      !n    -1     3        0 lo
::/0                                        ::                                      !n    -1     3        0 lo
::/0                                        fe80::de8d:8aff:fe47:b1dd               UG    512    2        0 eth1
::/0                                        fe80::de8d:8aff:fe47:b1dd               UG    512    1        0 eth1
2607:fb90:4021:8890::/64                    ::                                      U     256    3        0 eth1
2607:fb90:4021:8890::/64                    fe80::de8d:8aff:fe47:b1dd               UG    512    1        0 eth1
2607:fb90:4021:8890::/64                    ::                                      !n    2147483647 1        0 lo
fdc3:ef08:ee27::/64                         ::                                      U     1024   5        0 br-lan
fdc3:ef08:ee27:10::/64                      ::                                      U     1024   4        0 eth0.500
fdc3:ef08:ee27:11::/64                      ::                                      U     1024   1        0 eth0.100
fdc3:ef08:ee27::/48                         ::                                      !n    2147483647 2        0 lo
fe80::/64                                   ::                                      U     256    1        0 eth0.500
fe80::/64                                   ::                                      U     256    1        0 eth0.666
fe80::/64                                   ::                                      U     256    2        0 eth1
fe80::/64                                   ::                                      U     256    1        0 eth0.100
fe80::/64                                   ::                                      U     256    1        0 br-lan
fe80::/64                                   ::                                      U     256    1        0 tun0
::/0                                        fe80::de8d:8aff:fe47:b1dd               UGDA  1024   3        0 eth1
::1/128                                     ::                                      Un    0      7        0 lo
2607:fb90:4021:8890::/128                   ::                                      Un    0      3        0 eth1
2607:fb90:4021:8890:8cc7:baff:fea6:1f0/128  ::                                      Un    0      3        0 eth1
2607:fb90:4021:8890:b5b4:4941:0:cbd/128     ::                                      Un    0      5        0 eth1
fd25:8911:3113:9525::10/128                 ::                                      Un    0      2        0 vpsgw
fdc3:ef08:ee27::/128                        ::                                      Un    0      3        0 br-lan
fdc3:ef08:ee27::1/128                       ::                                      Un    0      4        0 br-lan
fdc3:ef08:ee27:10::/128                     ::                                      Un    0      3        0 eth0.500
fdc3:ef08:ee27:10::1/128                    ::                                      Un    0      7        0 eth0.500
fdc3:ef08:ee27:11::/128                     ::                                      Un    0      3        0 eth0.100
fdc3:ef08:ee27:11::1/128                    ::                                      Un    0      3        0 eth0.100
fe80::/128                                  ::                                      Un    0      4        0 eth1
fe80::/128                                  ::                                      Un    0      3        0 eth0.666
fe80::/128                                  ::                                      Un    0      3        0 eth0.100
fe80::/128                                  ::                                      Un    0      3        0 eth0.500
fe80::/128                                  ::                                      Un    0      3        0 br-lan
fe80::/128                                  ::                                      Un    0      3        0 tun0
fe80::1e13:46a:2e64:cc6/128                 ::                                      Un    0      2        0 tun0
fe80::8cc7:baff:fea6:1f0/128                ::                                      Un    0      5        0 eth1
fe80::d434:f4ff:fea2:4c4c/128               ::                                      Un    0      2        0 eth0.666
fe80::d434:f4ff:fea2:4c4c/128               ::                                      Un    0      2        0 eth0.100
fe80::d434:f4ff:fea2:4c4c/128               ::                                      Un    0      3        0 eth0.500
fe80::d434:f4ff:fea2:4c4c/128               ::                                      Un    0      2        0 br-lan
ff00::/8                                    ::                                      U     256    6        0 br-lan
ff00::/8                                    ::                                      U     256    4        0 eth0.500
ff00::/8                                    ::                                      U     256    1        0 eth0.666
ff00::/8                                    ::                                      U     256    3        0 eth1
ff00::/8                                    ::                                      U     256    4        0 eth0.100
ff00::/8                                    ::                                      U     256    1        0 vpsgw
ff00::/8                                    ::                                      U     256    1        0 tun0
::/0                                        ::                                      !n    -1     3        0 lo
root@meow:~#

I'm wondering whether this is a bug, or whether a config rule6 section somehow conflicts with config route6?

The first route6 for this default setting to route table '20' works and gets loaded - then second stanza of route6 gets ignored by openwrt.

config rule6 'wglan_routing6'
        option priority '30000'
        option lookup '20'
        option in 'wglan'
config route6
        option interface 'vpsgw'
        option table 'vpsgw'
        option target '::/0'

I don't think I am doing anything wrong in the config, but it's evident that my route6 config is not being loaded :-/

root@meow:~# /etc/init.d/vpn-policy-routing support
vpn-policy-routing 0.3.4-8 running on OpenWrt 21.02.0-rc3.
============================================================
Dnsmasq version 2.85  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         www.webgui.noki 0.0.0.0         UG    0      0        0 eth1

IPv4 Table 201: default via 192.168.12.1 dev eth1
172.66.6.0/24 dev eth0.666 proto kernel scope link src 172.66.6.1
172.100.0.0/24 dev eth0.100 proto kernel scope link src 172.100.0.1
192.168.32.0/23 dev eth0.500 proto kernel scope link src 192.168.32.1
192.168.100.0/24 dev br-lan proto kernel scope link src 192.168.100.1
IPv4 Table 201 Rules:
9996:   from all fwmark 0x10000/0xff0000 lookup wan

IPv4 Table 202: default via 10.8.8.6 dev tun0
172.66.6.0/24 dev eth0.666 proto kernel scope link src 172.66.6.1
172.100.0.0/24 dev eth0.100 proto kernel scope link src 172.100.0.1
192.168.32.0/23 dev eth0.500 proto kernel scope link src 192.168.32.1
192.168.100.0/24 dev br-lan proto kernel scope link src 192.168.100.1
IPv4 Table 202 Rules:
9995:   from all fwmark 0x20000/0xff0000 lookup sharktun

IPv4 Table 203: default via 10.1.1.10 dev vpsgw
172.66.6.0/24 dev eth0.666 proto kernel scope link src 172.66.6.1
172.100.0.0/24 dev eth0.100 proto kernel scope link src 172.100.0.1
192.168.32.0/23 dev eth0.500 proto kernel scope link src 192.168.32.1
192.168.100.0/24 dev br-lan proto kernel scope link src 192.168.100.1
IPv4 Table 203 Rules:
9994:   from all fwmark 0x30000/0xff0000 lookup vpsgw
IPv6 Table 201: default from 2607:fb90:4021:8890:b5b4:4941:0:cbd via fe80::de8d:8aff:fe47:b1dd dev eth1 proto static metric 512 pref medium
IPv6 Table 201: default from 2607:fb90:4021:8890::/64 via fe80::de8d:8aff:fe47:b1dd dev eth1 proto static metric 512 pref medium
IPv6 Table 201: 2607:fb90:4021:8890::/64 dev eth1 proto static metric 256 pref medium
IPv6 Table 201: 2607:fb90:4021:8890::/64 via fe80::de8d:8aff:fe47:b1dd dev eth1 proto static metric 512 pref medium
IPv6 Table 201: fe80::/64 dev eth1 proto kernel metric 256 pref medium
IPv6 Table 202: fe80::/64 dev tun0 proto kernel metric 256 pref medium
============================================================
Mangle IP Table: PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -d 192.168.12.0/24 -m comment --comment localnets -c 6349 618392 -j RETURN
-A VPR_PREROUTING -d 192.168.1.0/24 -m comment --comment localnets -c 0 0 -j RETURN
-A VPR_PREROUTING -d 172.66.6.0/24 -m comment --comment localnets -c 0 0 -j RETURN
-A VPR_PREROUTING -d 192.168.100.0/24 -m comment --comment localnets -c 525 51616 -j RETURN
-A VPR_PREROUTING -s 192.168.32.20/32 -m comment --comment qbit -c 0 0 -g VPR_MARK0x020000
-A VPR_PREROUTING -s 192.168.32.23/32 -m comment --comment sonar -c 0 0 -g VPR_MARK0x030000
-A VPR_PREROUTING -s 192.168.32.21/32 -m comment --comment nzb -c 0 0 -g VPR_MARK0x030000
-A VPR_PREROUTING -s 192.168.32.22/32 -m comment --comment radar -c 0 0 -g VPR_MARK0x030000
-A VPR_PREROUTING -m mac --mac-source c6:63:35:f0:0c:66 -m comment --comment win-pve -c 361 71945 -g VPR_MARK0x030000
============================================================
Mangle IPv6 Table: PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -m mac --mac-source c6:63:35:f0:0c:66 -m comment --comment win-pve -c 1137 90368 -g VPR_MARK0x030000
============================================================
Mangle IP Table MARK Chain: VPR_MARK0x010000
-N VPR_MARK0x010000
-A VPR_MARK0x010000 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_MARK0x010000 -c 0 0 -j RETURN
============================================================
Mangle IP Table MARK Chain: VPR_MARK0x020000
-N VPR_MARK0x020000
-A VPR_MARK0x020000 -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_MARK0x020000 -c 0 0 -j RETURN
============================================================
Mangle IP Table MARK Chain: VPR_MARK0x030000
-N VPR_MARK0x030000
-A VPR_MARK0x030000 -c 361 71945 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_MARK0x030000 -c 361 71945 -j RETURN
============================================================
Current ipsets
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]

A first remark is that if the lan host has 2 GUA, one from wan and one from the vpn prefix, then it will select based on its validity, preference, and metric the source IPv6 address. When the router receives a packet with a GUA source, it is expected to forward it accordingly to the interface which provided the prefix in which the GUA belongs.
Second it is advised to use metrics when installing multiple default routes in the routing table.
Third, it is better to use `ip -6 ro list table all` instead of the deprecated `route` command.
There is this workaround for IPv6, not sure if you have tried it already.
My question is, though, why do you need to install the default route yourself? Isn't the vpn provider pushing it?


That's good information. I don't think that is the case for me; I am forced to use NAT6 in my network because WAN/ISP does not do prefix delegation. So openwrt is the dhcpv6 server delivering ULA from a /48

config globals 'globals'
        option ula_prefix 'fdc3:ef08:ee27::/48'
config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'force'
        option reqprefix 'no'
        option defaultroute '1'

config interface 'wglan'
        option device 'eth0.100'
        option netmask '255.255.255.0'
        option ipaddr '172.100.0.1'
        option ip6assign '64'
        option proto 'static'

config interface 'isolated'
        option device 'eth0.500'
        option netmask '255.255.254.0'
        option ipaddr '192.168.32.1'
        option ip6assign '64'
        option proto 'static'

I'm not familiar, is this a software package I should install or a setting that is toggled in UCI?

Yes, the workaround given there is to define a default IPv6 route. Which gave me a hint on my solution of ip -6 route add default dev vpsgw table vpsgw

OpenWrt does not apply the route6 statement even when I copy and paste the workaround verbatim, and I am not sure whether that is because of the rule6 configs at the top of /etc/config/network.

vpsgw is a wireguard tunnel interface. In OpenWRT settings for it I do have enabled to setup the routes - however one point to note here is that my wglan interface is set on using route_table 20 and vpn-policy-routing package ignores this and sets up its own /rt_table 202 vpsgw << this 'vpsgw' table has zero ipv6 routes.

Manually adding the route there fixes the problem. I do it that way because I haven't found a way to override vpn-policy-routing's default of creating its own /rt_tables entries, or to statically map the table IDs I want to certain interfaces.

config interface 'vpsgw'
        option private_key 'x'
        list addresses '10.1.1.10/32'
        list addresses 'fd25:8911:3113:9525::10/128'
        option proto 'wireguard'
        option peerdns '0'
        option mtu '1350'
        option ip4table '20'
        option ip6table '20'

This is ifstatus for my wireguard / 'vpsgw' interface that I am adding a route.

# ifstatus vpsgw
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 2102,
        "l3_device": "vpsgw",
        "proto": "wireguard",
        "updated": [
                "addresses",
                "routes"
        ],
        "ip4table": 20,
        "ip6table": 20,
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [
                {
                        "address": "10.1.1.10",
                        "mask": 32
                }
        ],
        "ipv6-address": [
                {
                        "address": "fd25:8911:3113:9525::10",
                        "mask": 128
                }
        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "::",
                        "source": "::/0"
                },
                {
                        "target": "0.0.0.0",
                        "mask": 0,
                        "nexthop": "0.0.0.0",
                        "source": "0.0.0.0/0"
                }
        ],
        "dns-server": [

        ],
        "dns-search": [

        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {

        }
}

vpn-policy-routing doesn't let me map vpsgw = '20' <- I think if that was possible maybe I wouldn't have to create a duplicate route to a table named 'vpsgw' which has a different unique integer identifier in /rt_tables

@stangri any suggestions or workarounds for that mapping?

Alright, thanks for the clarification.

uci set network.wan.metric='10'

Rules do not interfere with routes.

This is not properly configured. In the first post there were configuration parts missing for this and I overlooked it. If you are a client on this tunnel, then you need to allow and route the 0/0 and ::/0. This will solve your problems.

You have mixed your own rules/routes with vpn-pbr. Pick one and proceed with it, removing the other.


I don't recommend mixing different PBR methods as it doesn't work well in my experience.
Note that custom metric is only supported by static IPv4/IPv6 and DHCP, but not DHCPv6.
If you decide to use netifd-based PBR, it's best to rely on custom tables and rule priorities.


thanks this is what I was looking to confirm and clear my possible confusion.

I debugged this further - the vpn-policy-routing package is overriding ANY route6 that may be configured in /etc/config/network

As a test; I added a hotplug script for ifdown / ifup setting up the route. It gets wiped out immediately by @stangri package. I filed a bug with logs and details showing it: https://github.com/stangri/source.openwrt.melmac.net/issues/145

My hotplug script ran and set up the route, then one second later the tables were recreated on the fly. So even if OpenWrt did set up route6 in the system, VPR will wipe it out.

This explains why the workaround I was trying was not showing up at all in the routing tables, and why I thought it was OpenWrt's fault for not applying the configuration. I think this summarizes it well:

Sun Nov 28 17:25:05 2021 user.notice nat6: Done setting up nat6 for zone="vpsgw" on devices:
Sun Nov 28 17:25:05 2021 user.notice nat6: Restarting ODHCP v6 to fix clients not getting V6 addresses
Sun Nov 28 17:25:05 2021 **user.notice hotplug: gfm Device: vpsgw / Action: ifup**
Sun Nov 28 17:25:06 2021 user.notice vpn-policy-routing [19517]: Creating table 'wan/eth1/192.168.12.1/2607:fb90:4021:8890:b5b4:4941:0:733/128 2607:fb90:4021:8890:4c7a:edff:fe09:adf5/64 fe80::4c7a:edff:fe09:adf5/64'
Sun Nov 28 17:25:07 2021 user.notice vpn-policy-routing [19517]: [✓]
Sun Nov 28 17:25:07 2021 user.notice vpn-policy-routing [19517]: Creating table 'sharktun/tun0/10.8.8.8/fe80::44d7:c399:2c77:5707/64' [✓]
Sun Nov 28 17:25:07 2021 user.notice vpn-policy-routing [19517]: Creating table 'vpsgw/10.1.1.10/fd25:8911:3113:9525::10/128' [✓]
Sun Nov 28 17:25:07 2021 user.notice vpn-policy-routing [19517]: Routing 'blank' via ignore [✓]
Sun Nov 28 17:25:07 2021 user.notice vpn-policy-routing [19517]: Routing 'qbit' via sharktun [✓]
Sun Nov 28 17:25:07 2021 user.notice vpn-policy-routing [19517]: Routing 'sonar' via vpsgw [✓]
Sun Nov 28 17:25:07 2021 user.notice vpn-policy-routing [19517]: Routing 'nzb-search' via vpsgw [✓]
Sun Nov 28 17:25:07 2021 user.notice vpn-policy-routing [19517]: Routing 'radar' via vpsgw [✓]
Sun Nov 28 17:25:07 2021 user.notice vpn-policy-routing [19517]: Routing 'localnets' via ignore [✓]
Sun Nov 28 17:25:07 2021 user.notice vpn-policy-routing [19517]: Routing 'nzb' via vpsgw [✓]
Sun Nov 28 17:25:07 2021 user.notice vpn-policy-routing [19517]: service monitoring interfaces: wan sharktun vpsgw [✓]

For now I have worked around IPv6 bug via:

root@meow:~# cat /etc/hotplug.d/iface/99-VPR-IPv6-fix
# github.com/TheLinuxGuy - workaround https://github.com/stangri/source.openwrt.melmac.net/issues/145

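# Hotplug handler for the 'vpsgw' device: keeps an IPv6 default route in
# routing table 'vpsgw' while the interface is up and removes it on ifdown.
# Reads ACTION and DEVICE from the hotplug environment.
#
# NOTE(review): while the route is absent, IPv6 traffic marked for table
# 'vpsgw' finds no match there. It presumably falls through to later rules
# (and so may leave via WAN instead of the tunnel) - confirm with
# `ip -6 rule` and `ip -6 route show table vpsgw`.
if [ "${DEVICE}" = "vpsgw" ]; then
    case "${ACTION}" in
        ifup)
            logger -t hotplug "Device: ${DEVICE} / Action: ${ACTION}"
            logger -t hotplug "thelinuxguy: working around IPv6 routing bug #145. Waiting 5 seconds."
            # vpn-policy-routing recreates its tables shortly after ifup and
            # wipes anything added earlier, so wait before adding the route.
            # The fixed delay is a guess, not a guarantee: check the table
            # afterwards if the service is slow or reloads later on its own.
            sleep 5
            # 'replace' instead of 'add' so a repeated ifup does not fail
            # when the route is already present.
            if ip -6 route replace default dev vpsgw table vpsgw; then
                logger -t hotplug "thelinuxguy: route added."
            else
                logger -t hotplug "thelinuxguy: failed to add IPv6 default route to table vpsgw."
            fi
            ;;
        ifdown)
            logger -t hotplug "Device: ${DEVICE} / Action: ${ACTION}"
            logger -t hotplug "thelinuxguy: cleaning up IPv6 default route. vpn-policy-routing bug #145. "
            # The original ran 'add' here although the message says cleanup;
            # delete the route instead. Errors are silenced on purpose: the
            # route may already be gone once the device is down.
            ip -6 route del default dev vpsgw table vpsgw 2>/dev/null || true
            ;;
    esac
fi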
