IPv6 and OpenWrt question (very specific)

Hey Folks :slight_smile:

Today I got Dual Stack from my ISP and have some specific trouble - first my setup:
First device: a Fritzbox (WAN gateway, doing VoIP and voodoo PPPoE stuff); behind that is my OpenWrt device doing all the stuff for my network...

Set up a new WAN6 interface on the WRT with a static v6 address and told br-lan to do IPv6 / stateless DHCP (DNS only) / radvd for v6 allocation (no ULA enabled on my WRT).
On my Fritzbox: opened all ports for the OpenWrt device and disabled radvd, DHCPv6 and the ULA stuff.
Getting all wanted IPv6 addresses, but no v6 DNS and no v6 default gateway :frowning:

Now I told my Fritzbox to handle all the DHCPv6 / radvd (w/o ULA) stuff, and now it's working fine.

But let's say I want to block TCP 2000 for MAC xyz (which is connected to my WRT device) in LuCI, but the default gateway / DNS points to my Fritzbox.
Will the port block work if I block it in the FORWARD and OUTPUT chains, or not (due to the default gateway)?

Two general questions about DHCPv6 / radvd and DNS servers in bigger networks:

  1. Is it correct that I don't need one DHCPv6 / radvd server per subnet anymore (like in v4 networks before), if I understood NDP correctly?

  2. What's the best way to set up a DHCPv6 / radvd server, to keep it simple especially for bigger networks (should the default gateway do all the DHCPv6 / DNSv6 tasks, or can it be any other device)?

Example: a friend told me to stay away from ULA addresses (except for admin purposes and connecting facilities) and to only use stateless DHCPv6 and let radvd do its job (except for logging purposes, then use stateful).

Hope you can give me some hints; maybe I can set up v6 more quickly :smiley:

IPv6 and IPv4 firewalling are essentially the same, with the primary difference being that you can’t rely on NAT as a crutch. Blocking potentially “hostile” hosts with MAC or IP addresses is weak, at best. Topology is preferred (VLANs can help here).

Packets that don’t go through forwarding on the OpenWrt box won’t be impacted by its rules.

MAC addresses are only valid on link, so they are of very limited value.

Putting “restricted” hosts on their own VLANs, IPv6 or IPv4, is my preference. Giving them a permanent IP address, DHCP or static, is helpful practice as well.

Due to MAC spoofing, for example?

ty, didn't know that :+1:

But generally speaking, regardless of my example above with port blocking:
Is there a difference when the DNS and the v6 default gateway point to another IP address than the packet filter (device)?
I am not sure if packets will bypass the packet filter because of the different IPs...

Yes, both MAC and IP address can be easily overridden by a "misbehaving" client.

Your network topology will generally define this. It comes down to whether the path goes around your OpenWrt router (such as just going through the switch), or through it.


Just to be clear: that means as long as my devices are physically connected to the netfilter device at the end, the packet filter will ALWAYS check / filter packets, so it doesn't matter whether the default gateway is ABC or XYZ, right?

That's correct. If they are on their way somewhere, or back from somewhere, that is on "side A" of your router and your host is on "side B" of your router, they should go through the router.

Now, if your next-hop route isn't link-local, you're going to have some problems. Ok, serious problems as it won't work. The next-hop is just that -- and can be a link-local address even if the destination is global. You can also have every router interface be fe80::1 if you want, since link-local addresses are qualified by interface.

Ok thanks :slight_smile:
Until now I thought the default gateway has to point to a netfilter device (on the clients) every time if you want packet filtering lol

But I don't understand the second part of your text (I think). Damn, the routing side of IPv6 stuff is blasting my mind sometimes.
Plenty of years of v4 and ugly NAT, and now you have to be careful with global, link-local and ULA etc. (lots of stuff to make mistakes with, you know) :wink:

EDIT @jeff: What do you think about ULAs? I read other advice to enable ULA IPs every time if you want non-changing v6 addresses (reason: link-local can be duplicates sometimes).

fe80::1 on the link attached to eth0 is never confused with fe80::1 on the link attached to eth1, even on the same host, as they are link-scope addresses on two different links (assuming you don’t have a cable looping back between the two).

ULAs are great for “static IPs” on your own net. Get used to every interface having more than one IPv6 address, as well as hosts that self-configure them changing them regularly.

OK sure, makes sense :smiley:

So for general (future) setups: if a host is using SLAAC and you want to prevent changing v6 addresses, take ULA;
otherwise (with no ULA) disable SLAAC on the host and set up a fixed v6 (with link-local)?

Sure you can. If the LAN and WAN interface of OpenWrt are routed, it is much easier. If they are bridged it might be tricky and you might need the help of ebtables. Forward rules are for traffic passing through the router. Output for traffic originating from the router.

  1. In IPv4 you don't need a DHCP server per subnet either. You can relay DHCP requests to a central server. Also there is no RA; rather, the default gateway is advertised by the DHCP server. NDP is the equivalent of ARP.
  2. It can be the router or any device in the LAN or even outside of the LAN in some cases.

Think of ULA addresses as the private 192.168.X.Y, 10.X.Y.Z or 172.16-31.X.Y.
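To make the FORWARD vs OUTPUT point concrete for the thread's scenario (TCP 2000 from one LAN host), here is an added /etc/config/firewall fragment; it is not from any poster, and it assumes OpenWrt's default 'lan' and 'wan' zones and uses a constructed placeholder MAC for "MAC xyz".

```uci
# /etc/config/firewall fragment (added example, not from the thread).
# Assumptions: default zones 'lan' and 'wan' exist; the MAC below is a
# constructed, locally administered placeholder for the thread's "MAC xyz".

# FORWARD: matches the LAN host's traffic whenever it is routed through
# this box (lan -> wan), no matter which gateway address the host learned
# from an RA. src_mac only matches while the host is on a link of this
# router, since MAC addresses are not carried across a routed hop.
config rule
	option name 'Block-TCP-2000-from-host-v6'
	option family 'ipv6'
	option src 'lan'
	option src_mac '02:00:00:00:00:01'
	option dest 'wan'
	option proto 'tcp'
	option dest_port '2000'
	option target 'REJECT'

# OUTPUT: a rule with no 'src' zone applies to connections the router
# itself originates, so it does nothing for the LAN host's traffic.
config rule
	option name 'Router-own-TCP-2000-v6'
	option family 'ipv6'
	option dest 'wan'
	option proto 'tcp'
	option dest_port '2000'
	option target 'REJECT'
```

If the host's path to the Fritzbox bypasses the OpenWrt box (for example through a shared switch), neither rule sees the packets, which is the topology point made above.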

Thanks for your answer.

Ok, but isn't it routed most of the time? I mean, what's the benefit of bridging between WAN / LAN? :open_mouth:

Yes, I know. I also know that ULA addresses are available on all local subnets...

I just wanted to know if it's better to use a ULA address with SLAAC to get a fixed v6 address on the host, or to disable SLAAC and set up a fixed fe80 address for local?
Even if the host is on the same router (no more subnets available) and doesn't need other benefits from ULA :slight_smile:

I am just asking for hints for future v6 setups because I haven't used v6 for long and don't have "long-term experience" with it :slight_smile:

EDIT: I also want to know: let's say in 20 years or whatever IPv4 is completely gone in the WAN. Is it better to use IPv6 only in the LAN for a performance increase (maybe?), or to use IPv4 for easier administration anyway?
OR doesn't it matter, does it make no difference in LAN setups?

Meh, I don't remember what IP addresses I used 10 years ago, and don't care.

The following is my opinion, which may not align with "best practice".

Every interface gets at least one link-local address. In most cases, it doesn't matter. I choose fe80::1 for my upstream routers and fe80::N for downstream ones, for sanity in looking at packet dumps. Multiple link-local addresses, especially with OSes that rotate them, aren't uncommon.

Any device that needs outside IPv6 connectivity gets one from the IA_PD. Self-assigned in most cases. Certain OSes will take multiples and rotate here as well.

Devices that need to accept incoming IPv6 connections (mail and web servers, for example) get a static one from the IA_PD. My servers have their "hot" interfaces segregated on their own VLANs.

The only place I'd use a ULA is with interior device-to-device connectivity that isn't link local (routed), but I haven't run into anything like that at home. Even things like the reverse proxy and the backing servers are link-local to each other.

Downstream ones == clients in your example?

So the first time you get your 2001:X / 2003:X v6 dynamically from PD, and then you take these for a fixed v6?

And hope that Comcrap doesn't rotate them too often

Downstream (routers) are, at least for me, ones that are "further away" from the Internet, such as an isolated net in the garage that is connected to a second router.

I'd suggest forgetting about link-local addresses (almost) completely; ULA addresses are a better choice. Whether you standardize on DHCPv6 or SLAAC is a matter of preference, with the slight complication that Android devices will only do SLAAC, but mixing DHCPv6 and SLAAC isn't an issue. For everything else, local DNS resolution is much more convenient (e.g. "ssh router" or using http://router/ in your preferred web browser doesn't care if you're using IPv4 or IPv6 (clients should prefer IPv6, if available, but that's a transparent implementation detail), nor do you need to remember numeric IP addresses).

Using globally routable IPv6 addresses doesn't only lead to problems if your IPv6 prefix changes, but also whenever your internet link is down at the moment, while using ULA addresses retains the ability to access devices with only local connectivity.


Comcrap haha :smiley: never heard that in my life ^^

I know what you mean, but aren't the hosts also available when only fe80 is available (ULA disabled) and your internet link is down?
I don't see the real benefit here, you know?

Two questions behind that:

  1. Is radvd configurable like DHCPv6, to configure the prefix and v6 addressing pattern?
  2. Does anyone know which ICMPv6 types have to stay open? On some hosts I like to disable ping reply, but most of the time I'm filtering too many ICMPv6 types, so (I think) NDP isn't working anymore and I don't get SLAAC addresses anymore...

It is routed most of the time. One bridged scenario would be a transparent firewall, proxy, DNS hijacking or traffic mirroring: keeping the full functionality of the ISP's router, but adding some OpenWrt spice.

Personally I don't deal with LL at all. I set up my own ULA with SLAAC and DHCPv6 where applicable.

Inside the LAN I don't see much difference. And no one can tell how addressing will be 20 years from now. Maybe we'll be using another protocol.
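The "ULA plus SLAAC and DHCPv6 side by side" setup recommended earlier (ULA instead of link-local, SLAAC-only clients such as Android coexisting with DHCPv6 clients) and repeated just above, as an added OpenWrt configuration example that is not from any poster; the ULA prefix is a constructed placeholder and the option names are those of OpenWrt's netifd/odhcpd UCI configuration.

```uci
# /etc/config/network fragment (added example, not from the thread).
# The ULA prefix below is a constructed placeholder: generate your own
# random /48 under fd00::/8 (RFC 4193) rather than reusing this one, so
# two sites that later connect over VPN do not collide.
config globals 'globals'
	option ula_prefix 'fd12:3456:789a::/48'

config interface 'lan'
	option proto 'static'
	# hand one /64 from each available prefix (ULA and any delegated
	# GUA prefix from the upstream) to this interface
	option ip6assign '64'
	# router takes the ::1 interface identifier inside every such /64,
	# giving a predictable address for "ssh router"-style local access
	option ip6ifaceid '::1'

# /etc/config/dhcp fragment: odhcpd sends RAs carrying the ULA (and GUA)
# prefixes for SLAAC and also runs a DHCPv6 server, so SLAAC-only
# clients and DHCPv6 clients get addresses on the same segment.
config dhcp 'lan'
	option interface 'lan'
	option ra 'server'
	option dhcpv6 'server'
	# 1 = SLAAC plus managed (stateful) DHCPv6; 0 would be SLAAC only,
	# 2 DHCPv6 only (which leaves SLAAC-only clients without a prefix).
	# Newer releases replace this option with 'list ra_flags'.
	option ra_management '1'
```

With the internet link down the ULA addresses stay valid and local DNS names keep resolving to them, which is the availability point made above about ULA versus globally routable addresses.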