IPv6 Configuration (relay single /64 prefix)

Hi, I did once disable IPv6 (for reasons unknown even to myself). Now I am trying to get IPv6 properly working again and I seem to struggle (also because I have no proper knowledge of IPv6).
So I managed to get IPv6 addresses for my OpenWRT device:


It can also ping devices on the outernet:

I did some settings for my internal network:


And enabled the IPv6 DHCP:
Now internal devices get assigned IPv6 addresses and are able to ping each other:


But there seems no connection to the outer world:

I probably missed something simple but I cannot figure out what it might be. I hope you can help me figure out what I might have missed. Also: The wan6 interface shows several /64 networks to be available. The uplink router (by my ISP) officially does not support prefix delegation but it seems there are some prefixes available. Can I delegate IPs from within those ranges to the devices on my network?
Thank you for your help

Did you add the WAN6 interface to the WAN zone in the firewall config?

Yeah. There is a WAN zone which expands to "WAN" and "WAN6". Forwarding is enabled and for IPv4 it's working.

What does the LAN interface page look like? I'm going to guess that whatever half-assed thing they're doing at your ISP, it's not the case that your router knows that it should assign a certain prefix to the LAN, and so your LAN has only ULA addresses (the fd66:cccb:2e1f::/48 prefix is a local prefix called Unique Local Address, it's a little like the 10.0.0.0/8 range except way bigger).

This is the configuration:



I thought that (because my ISP router does not really support prefix delegation), the OpenWrt device would likely do something like NAT with IPv6 as well.

Update: I rebooted the device and it now shows just one uplink IPv6 prefix.
It looks like this: 2003:c1:XXXX:XXXX:XXXX:XXXX:XXXX:35b8/64. I also noticed something else. The IPv6-Page on the wiki states that:

If the router can ping6 the internet, but lan machines get “Destination unreachable: Unknown code 5” or “Source address failed ingress/egress policy” then the ip6assign option is missing on your lan interface.

So I had a look at the interface configuration:

config interface 'lan'
    option proto 'static'
    option ifname 'eth0.7'
    option type 'bridge'
    option ipaddr '10.0.0.1'
    option netmask '255.255.255.0'
    option ip6assign 64
    option ip6hint ffff

So to me it seems like it (of course) cannot assign prefixes with a length of /64 to the LAN devices as the uplink only got one /64 prefix assigned. My first try was setting ip6assign to something larger (respectively a smaller net) like /90 but that does not seem to be accepted.
So I am still stuck with the issue. Any ideas?

Try the relay mode for ipv6. It is meant for your situation where upstream only gives a /64 prefix.

See the "relay" example for /etc/config/dhcp in wiki:
https://openwrt.org/docs/guide-user/network/ipv6/start#router_advertisement_dhcpv6

Example configuration section for relaying

# cat /etc/config/dhcp
config dhcp wan
    option dhcpv6 relay
    option ra relay
    option ndp relay
    option master 1
 
config dhcp lan
    option dhcpv6 relay
    option ra relay
    option ndp relay

(And remember to reboot the device after the config change, as odhcpd can be a bit picky.)

Ps. and where did that ip6hint come from? It makes no sense as you only have a single /64 prefix, and likely that is not "ffff"...

1 Like
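
A check for the relay layout in the example above, as an added example that is not part of the original posts or the OpenWrt wiki: it reads a UCI dhcp file and lists each relay setting that is missing, which is how the absent wan section in this thread would have shown up. The function name `check_relay`, the default section names `wan` and `lan`, and the comparison against the literal values `relay` and `1` are assumptions taken from that example.

```shell
#!/bin/sh
# Added example, not from the thread. Usage: check_relay FILE [UPSTREAM] [DOWNSTREAM]
# Prints one line per setting that differs from the relay example and
# returns non-zero if any is found. Section names default to wan and lan.
check_relay() {
    awk -v up="${2:-wan}" -v down="${3:-lan}" -v q="'" '
    # Strip one pair of surrounding quotes, as UCI allows both kinds.
    function unq(s) { gsub("^[\"" q "]|[\"" q "]$", "", s); return s }
    function need(s, k, want) {
        if (val[s, k] != want) {
            printf "%s: option %s should be %s\n", s, k, want
            bad = 1
        }
    }
    function check(s,    n, i, keys) {
        if (!(s in seen)) {
            printf "%s: no \"config dhcp\" section\n", s
            bad = 1
            return
        }
        n = split("dhcpv6 ra ndp", keys, " ")
        for (i = 1; i <= n; i++) need(s, keys[i], "relay")
    }
    # Track the current named "config dhcp" section; ignore other types.
    $1 == "config" {
        sec = ($2 == "dhcp") ? unq($3) : ""
        if (sec != "") seen[sec] = 1
        next
    }
    $1 == "option" && sec != "" { val[sec, unq($2)] = unq($3) }
    END {
        check(up)
        check(down)
        if (up in seen) need(up, "master", "1")
        exit bad + 0
    }' "$1"
}

# Constructed sample: only the lan section relays, the wan section is absent.
sample=$(mktemp)
cat > "$sample" <<'EOF'
config dhcp lan
    option dhcpv6 relay
    option ra relay
    option ndp relay
EOF
check_relay "$sample" || echo "relay configuration incomplete"
rm -f "$sample"
```

On the router the file to pass is /etc/config/dhcp; an empty result with exit status 0 means both sections match the example.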

Thanks a lot! That section on DHCP in the WAN interface was missing and that was all it took!

Ps. and where did that ip6hint come from? It makes no sense as you only have a single /64 prefix, and likely that is not "ffff"...

I guess that was me trying every possible option :smiley:
So I learned a lot and finally it is working. Thanks a lot for your help!

1 Like

Good to also hear that the IPv6 relay mode still works as intended. (There are every now and then questions about it, but hard to test if one already has a proper wide delegated prefix.)
