Ipv6 configuration

BdN3504 · January 18, 2023, 1:14pm

Recently I received error messages running apt update on one of my hosts connected to a network managed by an openwrt device:

Err:13 http://deb.debian.org/debian bullseye-updates InRelease 
  Cannot initiate the connection to deb.debian.org:80 (2a04:4e42:8e::644). - connect (101: Network is unreachable)

My network setup consists of a VDSL Modem attached to the openwrt device. Apparently ipv6 communication from the host was not possible, so the first thing I checked was if ipv6 communication was possible on the openwrt device. I used the pingv6 feature of the luci web configuration interface and saw that the openwrt could not communicate over ipv6 either.

I then checked the Modem configuration and enabled ipv6 via PPP, which enabled me to ping ipv6 hosts from the modem. After that, I configured the WAN interface of the openwrt device with the luci web interface to use the global ipv6 address of the modem as the gateway and gave the openwrt device an address within the same address space. This change enabled me to ping ipv6 addresses from the openwrt device:

PING openwrt.org (2a03:b0c0:3:d0::1af1:1): 56 data bytes
64 bytes from 2a03:b0c0:3:d0::1af1:1: seq=0 ttl=56 time=45.774 ms
64 bytes from 2a03:b0c0:3:d0::1af1:1: seq=1 ttl=56 time=22.644 ms
64 bytes from 2a03:b0c0:3:d0::1af1:1: seq=2 ttl=56 time=22.901 ms
64 bytes from 2a03:b0c0:3:d0::1af1:1: seq=3 ttl=56 time=22.738 ms
64 bytes from 2a03:b0c0:3:d0::1af1:1: seq=4 ttl=56 time=22.595 ms

--- openwrt.org ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 22.595/27.330/45.774 ms

How do I need to configure the openwrt device to enable clients to communicate over ipv6?

On my host machine, in the interface dhcp settings, the ipv6 setting is set to auto. As a consequence, the interface has the following addresses:

sudo ifconfig enx047cafecafe
enx047caffecaffe: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.5.21  netmask 255.255.255.0  broadcast 192.168.5.255
        inet6 fe80::d32b:cafe:cafe  prefixlen 64  scopeid 0x20<link>

So the interface has an ipv6 address but when trying to ping an external ipv6 host I get the following error:

ping6 2a03:b0c0:3:d0::1af1:1                         
ping6: connect: Network is unreachable

I only have a very basic understanding of ipv6, but from my ipv4 knowledge I would assume that my host interface has something like a link local address which has been automatically assigned and it does not have a gateway to which it can route packets for external addresses.

I started wireshark to see if there were any router advertisements, and indeed there were, the openwrt device sends advertisements with a link local address fe80::8401:96ff:cafe:cafe.

How do I make my host respect that router advertisement?

What do I need to configure on the openwrt device to route packets coming from the link local address space to external addresses?

I tried assigning an address in the ipv6 address space of the modem to the lan interface of the openwrt device and use the ipv6 address of the WAN interface of the openwrt device as the ipv6 gateway of the LAN interface, to no avail.

What kind of address do I need to specify for the ipv6 configuration of the LAN interface of the openwrt device?

What do I need to input into the "IPv6 routed prefix" field of both the LAN and the WAN interfaces of the openwrt device?

krazeh · January 18, 2023, 1:35pm

The starting point is what are you getting from your ISP in terms of IPv6 address range? Is it a /64 or are you getting something bigger like a /56 or /48?

BdN3504 · January 18, 2023, 1:48pm

I get /128 addresses, I guess that means a single address, right? Equivalent to a /32 ipv4 address?

trendy · January 18, 2023, 2:46pm

I see a /64 in the lan, pretty lame of your ISP. Give them a call to tell them that a /56 or /60 is expected for residential customers.

BdN3504 · January 18, 2023, 6:55pm

And how do I proceed after the CIDR notation has been changed?

trendy · January 18, 2023, 7:36pm

In a default OpenWrt installation it will work automatically.

BdN3504 · January 18, 2023, 8:40pm

How? Do I need to enable the DHCPv6 server on the modem and configure the openwrt device as a client? Which address pool should be used for the DHCPv6 server to make this work?

AndrewZ · January 18, 2023, 8:51pm

Does your /128 WAN address belong to the /64 LAN subnet?
Can you switch your modem into a bridge mode?

mk24 · January 18, 2023, 9:01pm

Ideally the ISP will send you a prefix pool. One of those prefixes will be installed as the basis for IPv6 addresses on LAN, and the RA / DHCPv6 server will serve them to endpoint PCs. The OpenWrt defaults are set up to do this.

slh · January 18, 2023, 9:17pm

Do you really need to run the vigor 130 in router mode?
You usually have a much better time to use it configured as modem-only, with the PPPoE session being established and terminated on your OpenWrt router (which then forms the public IPv4 endpoint and gets the full IPv6 prefix, to delegate per your policies via DHCPv6-PD).

(the vigor 130 not handing over the prefix properly might already be your issue)

BdN3504 · January 18, 2023, 9:19pm

Yes, the /128 WAN address is part of the /64 LAN subnet.

One of those prefixes will be installed as the basis for IPv6 addresses on LAN, and the RA / DHCPv6 server will serve them to endpoint PCs.

Which ipv6 addresses will the clients on the LAN be assigned, the ones beginning with 2003: or the ones beginning with FE80: ?

Should the DHCPv6 Server on the modem be enabled to serve the addresses to the clients on the LAN?

In my current setup, the openwrt device is connected to the modem via ip, so the WAN interface of the openwrt device has an ip address in the 172.16.8.8/29 subnet as well the LAN interface of the modem. The LAN interface of the openwrt device is part of the 192.168.5.0/24 subnet, all clients get their ip-addresses in that subnet.

I'd like to keep this configuration for ipv6 as well, so ideally I'd have the openwrt devices WAN interface in the same ipv6 subnet as the LAN interface of the modem and serve clients on the LAN interface of the openwrt device with ipv6 addresses part of a different ipv6 subnet.
Does it work that way? I'm confused why the modem has two addresses for each ipv6 interface (WAN and LAN both have the global and local addresses)

AndrewZ · January 18, 2023, 9:24pm

Consider using your modem as a modem (or bridge) and not as a router.

BdN3504 · January 18, 2023, 10:49pm

I tried using the modem as a bridge, but I'm not yet familiar with VLAN tag insertion for WAN interfaces on openwrt, which is required by my ISP. I'm not sure if VLAN tag insertion is happening automatically on the draytek when using MPoA in bridge mode and whether or not I need to configure the VLAN tag insertion for the WAN interface of the openwrt device.

AndrewZ · January 18, 2023, 11:00pm

Please refer to https://www.draytek.co.uk/support/guides/kb-vigor-130-bridge

BdN3504 · January 18, 2023, 11:19pm

I also found that documentation, but I think more fittingly it would be the other document linked on the bottom of that page:

And I would like to know how to set up this 802.1q tagging along with PPPoE on the openwrt device, because when I tried creating a new WAN interface which had tagging enabled, I was unable to reach the device after configuration had been applied.

AndrewZ · January 18, 2023, 11:20pm

From the link I gave you:

The connected router does not need to be configured with a VLAN tag to connect to VDSL

slh · January 19, 2023, 1:43am

You can do the VLAN tagging on the OpenWrt router or the vigor (independently of the PPPoE session and the rest), both works equally well, but I'd prefer doing that on the OpenWrt router (as well). Yes, depending on your router, the configuration syntax varies a bit (swconfig vs DSA vs dedicated interfaces), but it's not rocket science either.

BdN3504 · January 19, 2023, 8:53am

Thank you very much for the suggestion. I tried using your configuration, but it seems the pppoe connection can't be established:

In the logs there are entries documenting that a PPPoE connection attempt is made by the openwrt device which fails due to a PADO timeout.

The line

        option ifname '@wan'

is automatically changed to

       option device '@wan'

but I guess that syntax was changed with an openwrt update sometime.

slh · January 19, 2023, 9:05am

You may have to wait for ~10 minutes, if the ISP has locked onto the DHCP lease of your vigor (and now sees the router for the first time, thinking you'd try two connections at the same time).

I would suggest to switch off modem and router for that time (those 10 minutes, could be more, but 10 minutes are a good start).

BdN3504 · January 19, 2023, 9:06am

I'll try that in the evening. After having put the vigor into bridge mode, how can i access its web interface again?