IPv6 - help for a specific configuration

OW87 · March 20, 2021, 8:56pm

Hello everybody,

I would like to activate IPv6 on my router but some points are not very clear for me.

My current configuration is :
- OpenWRT behind the operator's router // My operator changed it to CGNAT (Carrier-grade NAT) recently without informing
- IPv4 configuration only
- My firewall is restrictive // I've only opened needed ports only (80/443 for example)
- No devices available trough the Internet // Don't need any devices to be available on the Internet

My desired configuration is :
- OpenWRT behind the operator's router
- IPv4 / IPv6 configuration
- restrictive firewall
- No devices available trough the Internet

In fact, I'm worried about the last point.
I've found informations like :
- With the IPv6, the device can now communicate directly on the Internet. We don't need NAT anymore with IPv6. NAT wasn't meant to be in the first place.
I don't know if it is true or I'm understanding it bad ?

Anyway, I really don't want my devices to communicate directly on the Internet.
I prefer that only the router communicate with the Internet.

If my understanding is good, if a device gets a global IPv6 address, it will/can communicate directly on the Internet (without talking about the filtering on the firewall). True ? Otherwise, it won't ?

I'm starting to configure the LAN part and would like to have your advices.

Here is what I've started :
OpenWRT-IPv6
Please, can you tell me if it is correct or it can be configured better for my needs ?

Thank you for your help by advance.

anon50098793 · March 20, 2021, 9:12pm

if you are behind a carrier router your firewall less relevant ( in the context you discuss )
for (upstream)ipv6, if your carrier does not provide said address space... then you need to use a third party... try searching the forums for 'henet' and do some reading first... ( CGNAT may add complexity depending on selected delivery means )

OW87 · March 20, 2021, 9:39pm

Yeah I don't have full hand on the operator router unfortunately.
Sorry I've forgot to tell, the carrier router does tunneling IPv4 trough IPv6(native). It is more of a Dual-Stack Lite tunnel.
I got ipv6 prefix : 2a02:.../56

For the little story :
The change to CGNAT was made recently without informing. Before I could activate only public IPv4 if I wanted. Now I'm forced to pass all over IPv6.
I woud've just disable IPv6 on my computers if it wasn't affecting the connection's speed.
From my test: with IPv6 on my computer I get 750Mb/s whereas without it I get 450Mb/s. It is unfortunate !

dl12345 · March 20, 2021, 9:41pm

I'd change ISP if I were you

OW87 · March 20, 2021, 9:48pm

I thought about it too !
But I'm not mad about the change since It didn't brake anything for me (don't have any devices available trough Internet).

Moreover it's maybe time to me to learn more and configure IPv6. So I'm taking the challenge!

slh · March 21, 2021, 12:29am

henet is a great help, but it doesn't work -at all- on a cgNAT'ed network. Your 6in4 tunnel must be able to accept protocol 41 requests on WAN (IPv4!), but with the tunnel endpoint behind a NAT environment, you can't receive any protocol 41 traffic, making the tunnel impossible.

Sadly ISP devices can be a problem here, as they need to be good enough to provide your OpenWrt router with a prefix - so you depend on two things, instead of two.

the ISP router needs to get an IPv6 address
the ISP needs to acquire an IPv6 prefix (usually /56, better /48)
your OpenWrt router needs to get an IPv6 address (out of prefix assigned to your ISP router) for its WAN
- ideally the ISP router doesn't interfere too much with your ability to open ports (technically to forward-) on the OpenWrt router and/ or the devices behind.
your OpenWrt router needs to acquire an IPv6 prefix from the ISP router (so a smaller subset of the /56 acquired on the ISP router).

1. often works on half decent ISP routers, 2. maybe - but 3. and 4. are often a problem. If you can, avoid the ISP router and use the OpenWrt router directly.

OW87 · March 26, 2021, 8:04pm

The ISP router only get IPv6 public IP. The IPv4 is in Carrier-grade NAT protocol state.
The ISP router gets /56 IPv6 prefix.
Not sure to understand ???
OpenWrt is getting the IPv6 prefix from the ISP router with the last number changing from 0 to 1.
OpenWrt router is getting an IPv6 on the following format "prefix1:xxxx:xxxx:xxxx:xxxx/128" , is it correct ?

OW87 · March 26, 2021, 8:13pm

I've configure the WAN6 interface.

Here is how I've configured it :

I've not configured any Global network options : DHCPv6-2

Taking in account that I don't want my OpenWRT and devices behind it to be available from the Internet for now.
Please, could you guys tell me if it's well configured ?
Thanks again.

murraydr44 · June 7, 2021, 12:04am

Do you get an IPV4 address? Try this: IP Address Lookup & IP Geolocation of 172.97.181.203 Find IP Address Location (ipfind.io)
Conversion form: IPv6 / IPv4 Conversion and Analysis (sans.edu)
Tunnel broker: 4in6 - Wikipedia

dlakelan · June 7, 2021, 4:06am

Good for you! IPv6 is the future. Out of the box OpenWrt does the right thing normally. You'll get a /56 prefix. I'd suggest to set up your LAN so it gets a /64 and then all your devices will have IPv6 access. The firewall prevents any incoming connections to your LAN by default.