IPv6: I have multiple GUA /64 on WAN, how can I have separated LAN with each its own /64 and RA+DHCPv6?

Current situation

My router is a Linksys WRT3200ACM, running OpenWRT 23.05.4.

IPv4 and IPv6 are working as expected; using DHCPv4, DHCPv6, and SLAAC.

My ISP is Free (France) and the modem-router is a Freebox mini server, on which I have limited administrative possibilities.

The network connection between the ISP’s box and my OpenWRT router is made using DHCPv6 with the prefix 2a01:e34:ec15:6030::/64.

My ISP provides me several IPv6 prefixes, but I am currently using only one: 2a01:e34:ec15:6031::/64. I am also using the ULA fd78:cafe:cafe::/48.

What I want to do

I want to evolve the infrastructure for having two separated networks, lan and domotique.

I want to use two IPv6 prefixes, one for each network, and to subnet the ULA prefix by using ca7 and d0d0 (so I have 2 /64 in the /48).

The resulting topology being:

  • bridge br-lan:
    • interfaces: eth3, eth4
    • GUA: 2a01:e34:ec15:6031::/64
    • LUA: fd78:cafe:cafe:ca7::/64
  • bridge br-domotique:
    • interfaces: eht1, eth2
    • GUA: 2a01:e34:ec15:6032::/64
    • LUA: fd78:cafe:cafe:d0d0::/64
  • interface wan:
    • interface: wan
    • GUA: 2a01:e34:ec15:6030:6038:e0ff:fec7:7800/64
RA+DHCPv6: 2a01:e34:ec15:6032::/64     +--------------+   +-----+ IPv6: 2a01:e34:ec15:6030:6038:e0ff:fec7:7800/64
RA+DHCPv6: fd78:cafe:cafe:ca7::/64     | br-domotique |   | wan | IPv4: 78.193.86.3/23
DHCPv4: 192.168.2.0/24                 +--------------+   +-----+
IPv6: 2a01:e34:ec15:6032::1/64         | eth1         |
IPv6: fd78:cafe:cafe:ca7::1/64         | eth2         |
IPv4 192.168.2.1/24                    +--------------+

RA+DHCPv6: 2a01:e34:ec15:6031::/64     +--------+
RA+DHCPv6: fd78:cafe:cafe:d0d0::/64    | br-lan |
DHCPv4: 192.168.1.0/24                 +--------+
IPv6: 2a01:e34:ec15:6031::1            | eth3   |
IPv6: fd78:cafe:cafe:d0d0::1           | eth4   |
IPv4 192.168.1.1                       +--------+


The virtual switch is configured and seems ok.

No problem on paper for the network definition: gateway, routes, etc.

My problem

I struggle to create the config using uci, especially in /etc/config/network and /etc/config/dhcp.

The wan interface correctly receives the two /64 prefixes, but I fail to assign them to the correct bridge interfaces. At best, the br-lan interface is announcing both of them, but at the cost of losing IPv4 and IPv6 connectivity on br-domotique.

It looks like a combined problem of network definition and dnsmasq configuration.

I am adding here the current configuration files; tell me if you need something more.

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd78:cafe:cafe::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan3'
        list ports 'lan4'
        option acceptlocal '1'
        option ip6segmentrouting '1'
        option macaddr '60:38:E0:C7:78:00'
        option txqueuelen '1000'
        option ipv6 '1'
        option mtu6 '1500'
        option promisc '0'
        option sendredirects '1'
        option multicast '1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option broadcast '192.168.1.255'
        option gateway '78.193.87.254'
        option ip6hint 'd0d0'
        list ip6class 'local'
        list ip6class 'wan6'
        option ip6ifaceid '::1'
        list dns '::1'
        list dns '127.0.0.1'
        list dns '192.168.1.1'
        list dns 'fd78:cafe:cafe:d0d0::1'
        list dns_search 'localdomain'
        list dns_search 'intranet.clauzel.eu'

config device
        option name 'wan'
        option macaddr '62:38:e0:c7:78:00'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '8.8.8.8'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        list ip6prefix '2a01:e34:ec15:6031::/64'
        list ip6prefix '2a01:e34:ec15:6032::/64'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '8.8.8.8'

config interface 'domotique'
        option device 'br-domotique'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option broadcast '192.168.2.255'
        option gateway '78.193.87.254'
        option ip6hint 'ca7'
        list ip6class 'local'
        list ip6class 'wan6'
        option ip6ifaceid '::1'
        list dns '::1'
        list dns '127.0.0.1'
        list dns '192.168.2.1'
        list dns 'fd78:cafe:cafe:ca7::1'
        list dns_search 'domotique.localdomain'
        list dns_search 'domotique.clauzel.eu'
        option auto '0'
        option force_link '0'

config route6
        option interface 'wan6'
        option target '2000::/3'
        option gateway 'fe80::f6ca:e5ff:fe43:7ef8'

config device
        option type 'bridge'
        option name 'br-domotique'
        list ports 'lan1'
        list ports 'lan2'
        option mtu '1500'
        option macaddr '60:38:E0:C7:78:00'
        option ipv6 '1'
        option acceptlocal '1'
        option sendredirects '1'
        option txqueuelen '1000'
        option promisc '0'
        option ip6segmentrouting '1'
        option mtu6 '1500'
        option multicast '1'
        option bridge_empty '1'

/etc/config/dhcp

config dnsmasq 'bridge_lan'
        option domainneeded '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/localdomain/'
        option domain 'localdomain'
        option cachesize '10000'
        option leasefile '/tmp/dhcp_lan.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option localuse '1'
        option authoritative '1'
        list server '::1#53000'
        list server '127.0.0.1#53000'
        list server 'fd78:cafe:cafe:d0d0::1#53000'
        list server '192.168.1.1#53000'
        option noresolv '1'
        option strictorder '1'
        option dnsseccheckunsigned '0'
        option dhcpleasemax '300'
        option dnsforwardmax '300'
        list notinterface 'wan'
        list notinterface 'wan6'
        list notinterface 'domotique'
        list interface 'lan'
        option port '53'

config dhcp 'lan'
        option instance 'bridge_lan'
        option interface 'lan'
        option start '2'
        option limit '253'
        option force '1'
        option ra_default '1'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option igmp_snooping '1'
        list dhcp_option '4,192.168.1.1'
        list dhcp_option '6,192.168.1.1'
        list dhcp_option '42,192.168.1.1'
        option leasetime '1h'
        list dns 'fd78:cafe:cafe:d0d0::1'
        list dns '192.168.1.1'
        option preferred_lifetime '1h'
        list domain 'localdomain'
        list domain 'intranet.clauzel.eu'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'domotique'
        option interface 'domotique'
        option instance 'bridge_domotique'
        option start '2'
        option limit '253'
        option leasetime '1h'
        option dhcpv4 'server'
        list dhcp_option '4,192.168.2.1'
        list dhcp_option '6,192.168.2.1'
        list dhcp_option '42,192.168.2.1'
        list dns 'fd78:cafe:cafe:ca7::1'
        list domain 'domotique.clauzel.eu'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option preferred_lifetime '1h'
        option ra 'server'
        option dhcpv6 'server'

config dnsmasq 'bridge_domotique'
        option domainneeded '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/domotique.localdomain/'
        option domain 'domotique.localdomain'
        option cachesize '10000'
        option leasefile '/tmp/dhcp_domotique.leases'
        option interface 'domotique'
        option localservice '1'
        option ednspacket_max '1232'
        option localuse '1'
        option authoritative '1'
        list server '::1#53000'
        list server '127.0.0.1#53000'
        list server 'fd78:cafe:cafe:ca7::1#53000'
        list server '192.168.2.1#53000'
        option noresolv '1'
        option strictorder '1'
        option dnsseccheckunsigned '0'
        option dhcpleasemax '300'
        option dnsforwardmax '300'
        list notinterface 'wan'
        list notinterface 'wan6'
        list notinterface 'lan'
        option port '54'

That is an unusual thing for an ISP to do. Are these prefixes statically assigned to your line? If they are, you could create two wan6 interfaces (wan6_1 and wan6_2) aliased to the physical wan. Statically assign one prefix to each. Then you can use ip6class to direct each prefix to a different LAN.

Yes, they are assigned to my internet subscription. I have 8 /64 available.

OpenWRT's aliases are outside my academic network knowledge. How do they work? I can do simple config in OpenWRT, but I am far more familiar with Linux networking.

These are all consecutive and in the same /61 so you could configure the /61 on your WAN then let OpenWrt delegate its own /64s. The LANs will end up with one of these same /64s, though in no particular order.

  • in wan, set ip6prefix to 'XXXX:XXXX:XXXX:6030::/61' (replace X with your real address)
  • set wan reqprefix to 0 to prevent DHCP from installing any other prefix.
  • in each lan, set 'ip6assign' to 64.

In the device that you posted a screenshot from, configure all of the "Next Hop" the same, it will be the link local of your OpenWrt router's wan port.

ip6hint can be used to assign static network number ordering on the local networks.

Many thanks @mk24 and @_bernd ! It is starting to get better!

While I am comfortable with IPv6 on Linux, uci is still puzzling me a bit for specific routing configurations.

New config

wan

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        list ip6prefix '2a01:e34:ec15:6030::/61'
        option reqaddress 'try'
        option reqprefix '0'
        option peerdns '0'
        list dns '8.8.8.8'

br-lan

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option broadcast '192.168.1.255'
        option gateway '78.193.87.254'
        option ip6hint 'd0d0'
        list ip6class 'local'
        list ip6class 'wan6'
        option ip6ifaceid '::1'
        list dns '::1'
        list dns '127.0.0.1'
        list dns '192.168.1.1'
        list dns 'fd78:cafe:cafe:d0d0::1'
        list dns_search 'localdomain'
        list dns_search 'intranet.clauzel.eu'

br-domotique

config interface 'domotique'
        option device 'br-domotique'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option broadcast '192.168.2.255'
        option gateway '78.193.87.254'
        option ip6hint 'ca7'
        list ip6class 'local'
        list ip6class 'wan6'
        option ip6ifaceid '::1'
        list dns '::1'
        list dns '127.0.0.1'
        list dns '192.168.2.1'
        list dns 'fd78:cafe:cafe:ca7::1'
        list dns_search 'domotique.localdomain'
        list dns_search 'domotique.clauzel.eu'

Results

I applied your corrections and restarted the router. I am now getting these parameters on the interfaces:

# ip -6 addr show dev wan
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a01:e34:ec15:6030:6038:e0ff:fec7:7800/64 scope global dynamic noprefixroute
        valid_lft 86260sec preferred_lft 86260sec

wan is ok.

I have an IPv6 in the correct network 6030::/64, using the RA from my ISP’s router.

# ip -6 addr show dev br-domotique
11: br-domotique: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a01:e34:ec15:6030::1/64 scope global noprefixroute
    valid_lft forever preferred_lft forever
    inet6 fd78:cafe:cafe:ca7::1/64 scope global noprefixroute
        valid_lft forever preferred_lft forever

br-domotique has a problem.

I have an IPv6 in the wrong network, 6030::/64 instead of 6031::/64. But the ULA is correct ca7::/64.

# ip -6 addr show dev br-lan
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a01:e34:ec15:6031::1/64 scope global noprefixroute
        valid_lft forever preferred_lft forever
    inet6 fd78:cafe:cafe:d0d0::1/64 scope global noprefixroute
        valid_lft forever preferred_lft forever

br-lan looks ok.

I have a GUA in the correct network 6031::/64, and the ULA is also correct d0d0::/64.

I understand the numbering of the IPv6 prefixes for br-lan and br-domotique as OpenWRT using numbers from 6030::/64 to 6037::/64 for subnetting 6030::/61. And it looks like OpenWRT is using the order of the list of bridges for assigning the networks to the bridges. Not what I want, but I can work with it (I would have to change all the DNS records…).

The main problem being wan and br-domotique being in the same network 6030::/64 ???

Do you have any idea for fixing the incorrect addressing on br-lan?

(Also, the corresponding IPv6 routes are correctly added to the routing table, and dnsmasq needs minor corrections that I can do. So I am nearly there \o/)

Nope.
If you get a /61 then that's 2^3=8.
You can number in total 8 local (V)LANs. ip6hint has to be set 0..7.

Edit: fixing off-by-one mistake.

The wan interface has taken the 6030 prefix for internal router uses. You may want to statically assign this rather than trust the upstream device to always issue the same one by RA/DHCP6.

So your lans should be [603]1 and [603]2 etc up to 7. Try using ip6hint 1 on lan and ip6hint 2 on domotique. Results are uncertain when the ip6hint contains '1' bits beyond the field of assignable bits. As @_bernd said, that number of bits is 3 in this case.

You're using list dns improperly. This option is to point to external servers that will be used by default when a name can't be resolved by what is known internally (i.e. to look up public sites). Typically it is placed in a wan interface. Remove all list dns that refer to internal addresses.
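As an added worked example, not code from the thread or from OpenWrt/netifd: the subnet-id arithmetic behind ip6assign and ip6hint that the two answers above describe, run against this thread's prefixes. Function names are mine; the hint is placed right-aligned in the assignable bits, which matches the addresses reported in the thread, and a hint with '1' bits outside that field is rejected rather than guessed at, since the thread calls that result uncertain.

```python
import ipaddress

GUA = ipaddress.IPv6Network("2a01:e34:ec15:6030::/61")  # delegated by the ISP (from the thread)
ULA = ipaddress.IPv6Network("fd78:cafe:cafe::/48")      # option ula_prefix (from the thread)

def assignable_bits(delegated: ipaddress.IPv6Network, assign_len: int) -> int:
    """Subnet-id bits between the delegated length and ip6assign (3 for a /61 -> /64)."""
    bits = assign_len - delegated.prefixlen
    if bits < 0:
        raise ValueError(f"cannot carve a /{assign_len} out of {delegated}")
    return bits

def hint_fits(delegated: ipaddress.IPv6Network, assign_len: int, hint: int) -> bool:
    """True when every '1' bit of the hint lies inside the assignable field."""
    return 0 <= hint < (1 << assignable_bits(delegated, assign_len))

def assign(delegated: ipaddress.IPv6Network, assign_len: int, hint: int) -> ipaddress.IPv6Network:
    """Subnet selected by ip6hint; the hint is right-aligned in the assignable field,
    which is what gave 6031 for hint 1 and fd78:cafe:cafe:d0d0:: for hint d0d0 above."""
    if not hint_fits(delegated, assign_len, hint):
        raise ValueError(f"ip6hint {hint:x} does not fit in "
                         f"{assignable_bits(delegated, assign_len)} bits of {delegated}")
    base = int(delegated.network_address)
    return ipaddress.IPv6Network((base | (hint << (128 - assign_len)), assign_len))

def router_address(net: ipaddress.IPv6Network, ifaceid: str = "::1") -> ipaddress.IPv6Address:
    """Address the router takes on the subnet (option ip6ifaceid)."""
    return ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv6Address(ifaceid)))

def plan(delegated: ipaddress.IPv6Network, assign_len: int, hints: dict) -> dict:
    """Interface name -> subnet, rejecting two interfaces that land on the same /64."""
    out, owner = {}, {}
    for name, hint in hints.items():
        net = assign(delegated, assign_len, hint)
        if net in owner:
            raise ValueError(f"{name} and {owner[net]} both map to {net}")
        owner[net] = name
        out[name] = net
    return out

if __name__ == "__main__":
    # Hint 0 would give 6030, the /64 the wan kept for itself, so the LANs start at 1.
    for name, net in plan(GUA, 64, {"lan": 0x1, "domotique": 0x2}).items():
        print(name, net, router_address(net))
    print(plan(ULA, 64, {"lan": 0xD0D0, "domotique": 0xCA7}))  # 16 bits: these hints fit
    print(hint_fits(GUA, 64, 0xD0D0))  # False: only 3 bits are assignable in the /61
```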

A lot of thanks to both of you, @mk24 and @_bernd. I now understand how OpenWRT deals with non-trivial network configurations. I am still looking a lot at the documentation (OpenWRT and dnsmasq), but I am getting comfortable.

The interfaces now have correct addresses: 6030::/64 for wan, 6031::/64 for br-lan, and 6032::/64 for br-domotique. And the corresponding routes are also populated.

Indeed, subnetting the /61 into 8 /64 implies different subnet id; how to use ip6hint was not very clear for me (and also not very clear in the doc, I must say :smile:). A consequence of the change is that I have to update all the DNS records. I was planning to simply add another /64 network, but the reality is different: subnetting a /61, it is! I can live with that. Another side effect is the numbering of the ULA: here again, I will have to adjust the config of software.

The option list dns is incorrect, for sure. I will configure that later: the network services (DNS, NTP, etc) are on a server in the br-lan network.

I think my main problem is solved. Again, many thanks to both of you for your time and explanations.