IPv6 behind ISP Router without Prefix Delegation

One of my ISPs has supported IPv6 for a while now. Since some ISPs which are connected to the VPN network are turning into IPv6-only networks (IPv4 only supported through a tunnel),
I have no other option than to finally switch to IPv6 everywhere as soon as possible.

I did manage to figure out how to use the IPv6 to the router, assign private local IPv6 within the network and then NAT6 outbound. This is not a nice solution of course. IPv6 was designed to get rid of NAT. I always thought NAT was also some extra protection, but an IT specialist pointed out that if they want to get in, NAT is not stopping anyone; only a proper firewall can do that. So back to: "no NAT6!"

Although the OpenWrt info pages say everything works out of the box, it doesn't. On LEDE it doesn't either. DD-WRT doesn't work at all!

So here's the situation: the router from the ISP gets this (to not be traceable I put xxxx in a few places where hex should be):

IPv6 GUA: 2a02:xxxx:ce05:2:xxxx:2dff:feaf:xxxx/64
IPv6 LLA: fe80::729f:xxxx:xxxx:b69f/64

Now my LEDE gets at the WAN:
IPv6: 2a02:xxxx:ce05:1:xxxx:c0ff:fef7:c46/64
IPv6: 2a02:xxxx:ce05:1::1/128

The global network option defaults to:
fdf4:acd8:1d42:1234::/64 (I had to put in the 1234 and switch /48 to /64, or else DHCP on the LAN wasn't working)

The LAN now has:
IPv6: fdf4:acd8:1d42:1234::1/64

In the LAN common configuration I changed the IPv6 assignment length from 60 to 64.

And in the IPv6 Settings:
RA Service: SERVER MODE
DHCPv6: SERVER MODE
NDP: disabled
DHCPv6 mode: stateless and stateful
and "Always announce default router" (if I disable this I don't get a gateway at all from DHCP)

So my clients now get an IPv6 address, gateway and DNS, but it's not working.

How do I configure LEDE to work with this setup out of the box without using NAT6?

As you have a routable /64 prefix from the ISP router, the "relay" mode should work for you. That mode is meant just for situations where the ISP does not give more than a /64.

See the relay example config in https://wiki.openwrt.org/doc/uci/network6#router_advertisement_dhcpv6

Example configuration section for relaying (/etc/config/dhcp)

config dhcp wan6
    option dhcpv6 relay
    option ra relay
    option ndp relay
    option master 1
config dhcp lan
    option dhcpv6 relay
    option ra relay
    option ndp relay

So you set the wan6 interface to be the relay master, and lan to be the slave. (That assumes that you have the default wan6 on the LEDE router's WAN side.)

(Note that you should reboot the router after changing the IPv6 config, as odhcp6c and odhcpd don't always pick up the config properly without a reboot.)


Hello Hnyman and thank you for your fast response.

I got everything set to relay and wan6 is indeed the default (fresh LEDE install).

odhcp6c and odhcpd are installed and enabled.
IPv6 forwarding is enabled.
Relaying is enabled according to the GUI and /etc/config/dhcp.

Reboot.

Not working. I really wish to get this working to avoid the NAT6.

/etc/config/network

config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.1'
    option proto 'static'
    option ip6assign '64'
    option ipaddr '172.22.56.1'
    option netmask '255.255.0.0'

config interface 'wan'
    option ifname 'eth0.2'
    option proto 'dhcp'

config interface 'wan6'
    option ifname 'eth0.2'
    option proto 'dhcpv6'

Hi,

I was able to solve it by allowing traffic from WAN zone to the router from port 547 (DHCPv6 server) to 547. Turns out relay replies from external DHCP server are blocked by the firewall. I've opened a bug to discuss possible inclusion of firewall rule which allows this by default.

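As an added example (not code from this thread, and not part of OpenWrt/LEDE), here is a POSIX shell script that checks the two things the replies above depend on: hnyman's relay layout in /etc/config/dhcp (wan6 as master, lan as slave, with dhcpv6, ra and ndp all set to relay) and Abbradar's firewall rule letting UDP/547 from the wan zone reach the router itself. The small UCI parser, the function names and the sample config files are my own constructions; the only page-derived facts are the relay options and the port number.

```shell
#!/bin/sh
# Added example, not from the thread: check an OpenWrt/LEDE UCI config text for
#  (1) relay mode with wan6 as master and lan as slave in /etc/config/dhcp, and
#  (2) a firewall rule accepting UDP/547 from zone wan to the router itself,
#      which the thread reports is needed for relayed DHCPv6 replies.
# Every config sample below is constructed for the demo; nothing is read from /etc.

# uci_flatten FILE TYPE: one line per "config TYPE [name]" section, formatted
# "name<TAB>key=value<TAB>..." (anonymous sections such as firewall rules get "-").
uci_flatten() {
    awk -v want="$2" -v q="'" '
    function unq(s,   f, l) {                  # trim blanks, strip one quote pair
        sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s)
        f = substr(s, 1, 1); l = substr(s, length(s), 1)
        if (length(s) >= 2 && ((f == q && l == q) || (f == "\"" && l == "\"")))
            s = substr(s, 2, length(s) - 2)
        return s
    }
    function flush() { if (take) print line; take = 0 }
    $1 == "config" { flush(); take = ($2 == want); line = (NF >= 3) ? unq($3) : "-" }
    take && ($1 == "option" || $1 == "list") {
        v = $0; sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]*/, "", v)
        line = line "\t" $2 "=" unq(v)
    }
    END { flush() }' "$1"
}

# relay_ok DHCPFILE: 0 if wan6 relays dhcpv6/ra/ndp as master and lan relays them too
relay_ok() {
    tab=$(printf '\t')
    wan6=$(uci_flatten "$1" dhcp | awk -F'\t' '$1 == "wan6"')
    lan=$(uci_flatten "$1" dhcp | awk -F'\t' '$1 == "lan"')
    [ -n "$wan6" ] || { echo "missing 'config dhcp wan6' section"; return 1; }
    [ -n "$lan" ]  || { echo "missing 'config dhcp lan' section"; return 1; }
    for k in dhcpv6 ra ndp; do
        case "$wan6" in *"${tab}${k}=relay"*) ;; *) echo "wan6: $k is not 'relay'"; return 1 ;; esac
        case "$lan"  in *"${tab}${k}=relay"*) ;; *) echo "lan: $k is not 'relay'";  return 1 ;; esac
    done
    case "$wan6" in *"${tab}master=1"*) ;; *) echo "wan6: missing 'option master 1'"; return 1 ;; esac
    echo "relay config OK: wan6 is master, lan is slave"
}

# dhcpv6_relay_rule_ok FWFILE: 0 if some 'config rule' accepts UDP to port 547 from
# zone wan with no dest zone (an INPUT rule to the router, not a forward into the LAN)
# for family ipv6 or an unrestricted family. Port ranges such as 546-547 are not parsed.
dhcpv6_relay_rule_ok() {
    uci_flatten "$1" rule | awk -F'\t' '
    {
        split("", opt)                         # options of this rule, stored as " v1 v2 "
        for (i = 2; i <= NF; i++) { k = $i; sub(/=.*/, "", k); opt[k] = opt[k] " " substr($i, length(k) + 2) " " }
        if (opt["src"] == " wan " && !("dest" in opt) && opt["proto"] ~ / udp / && opt["dest_port"] ~ / 547 / &&
            (!("family" in opt) || opt["family"] ~ / (ipv6|any) /) && opt["target"] == " ACCEPT ") { found = 1; exit }
    }
    END { exit !found }'
}

# write_samples DIR: constructed sample configs (relay layout vs. the thread's initial
# server-mode LAN; a default-style Allow-DHCPv6 rule for port 546 vs. one adding 547)
write_samples() {
    mkdir -p "$1"
    cat > "$1/dhcp.relay" <<'EOF'
config dhcp 'wan6'
	option dhcpv6 'relay'
	option ra 'relay'
	option ndp 'relay'
	option master '1'

config dhcp 'lan'
	option dhcpv6 'relay'
	option ra 'relay'
	option ndp 'relay'
EOF
    printf "config dhcp 'wan6'\n\toption dhcpv6 'relay'\n\toption ra 'relay'\n\toption ndp 'relay'\n\n" > "$1/dhcp.server"
    printf "config dhcp 'lan'\n\toption dhcpv6 'server'\n\toption ra 'server'\n\toption ndp 'disabled'\n" >> "$1/dhcp.server"
    cat > "$1/firewall.default" <<'EOF'
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
EOF
    { cat "$1/firewall.default"; printf "\nconfig rule\n\toption name 'Allow-DHCPv6-Relay'\n\toption src 'wan'\n"
      printf "\toption proto 'udp'\n\toption src_port '547'\n\toption dest_port '547'\n\toption family 'ipv6'\n\toption target 'ACCEPT'\n"
    } > "$1/firewall.relay"
}

dir="${TMPDIR:-/tmp}/uci-relay-check.$$"; write_samples "$dir"
relay_ok "$dir/dhcp.relay"
relay_ok "$dir/dhcp.server" || true
dhcpv6_relay_rule_ok "$dir/firewall.relay"   && echo "firewall.relay: UDP/547 input rule present"
dhcpv6_relay_rule_ok "$dir/firewall.default" || echo "firewall.default: relayed replies to UDP/547 would be dropped"
rm -rf "$dir"
```

Run it on a copy of the router's own files (`relay_ok /etc/config/dhcp`, `dhcpv6_relay_rule_ok /etc/config/firewall`) to see which of the two conditions is missing before reaching for NAT6. Two points worth keeping in mind when writing the rule itself: keep it as narrow as the thread describes (family ipv6, proto udp, src_port and dest_port 547, src wan, no dest zone, so it is an input rule for the router rather than a forward into the LAN), and remember this script only inspects the config text, not the firewall state actually loaded, so a reboot or firewall reload is still needed after the change, as hnyman notes above.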

Hello Abbradar,

Thank you! If that's the case, then it is indeed a valid and non-obvious solution. But WAN-to-router DHCPv6, isn't that automatically open? I mean, how else can the router get an IPv6 address if it's not? Or do you mean you forward the DHCPv6 from WAN to LAN?

Hi Abbradar,

I added the IPv6 UDP port 547 src and destination ACCEPT INPUT to the device, but that didn't fix the relay for me.

Hi,
You are assuming that your ISP router has ND activated. On some ISP routers (like mine) this is deactivated, which means that only clients that have taken their IPv6 address directly from the ISP router's DHCPv6 can work. In this scenario there is no other solution than NAT6. The problem with NAT6 is that it is so badly supported by LEDE/OpenWrt and, probably due to the "NAT6 is the IPv6 evil" story, will never get improved, at least at the point where there will be more and more IPv6-only users in the same situation as you (and me). I had some idea, check my post here: Add more than one IPv6 IP address to WAN for extended SNAT/DNAT
Bye

BTW, I'm trying to run the DHCPv6 relay. I followed the wiki instructions and accept input and forward on port 547, but no device on the LAN can get any IPv6 address.
Any hint here?

Give it a try like I did: Understanding pushing IPv6 to LAN

Plus, rebooting my ISP router while testing and testing solved a few issues.

@hnyman, I got my IPv6 SLAAC configuration with this method. My ISP doesn't delegate an IPv6 prefix and I get a default /64 with my IPv6 addresses from my provider's CPE/router. But there is one issue:

  1. By setting WAN6 as master, it relays the IPv6 DNS servers to the hosts on my LAN. So if I try to ping google.com, it doesn't pick up the IPv4 DNS. I can ping 8.8.8.8 from the hosts.

  2. If I directly connect to my provider's router, I get a public IPv6 address. It is pingable from the Internet. If I connect my LAN hosts via OpenWrt, they do get a public IPv6 address relayed correctly, but the IPv6 addresses are not pingable from inside (LAN) or even outside (Internet).