IPv6 internet access only with client side privacy extensions


I have recently enabled IPv6 in my home network. I use my OpenWRT router behind a shitty Vodafone ISP Cable router which does not support Prefix Delegation or anything else. Therefore, I have enabled OpenWRT to act as relay for everything.

If I enable privacy extensions on the clients in my home network, IPv6 internet access works properly. If I disable them, I have no IPv6 internet access. For example in Debian's /etc/network/interfaces:

iface eno1 inet6 auto

--> I have 1 global IPv6 address which works in my internal LAN, but gives me no IPv6 internet access.

iface eno1 inet6 auto
  privext 2

--> I have 2 global IPv6 addresses (1 of them temporary) and have working IPv6 internet access.

What could be the reason for this behavior? Is there anything I can do about it?

Without thinking too hard, it appears that without privext 2 the clients are relying on DHCPv6 to hand them a GUA, so when they don't get an offer from upstream, they don't have a routable address.

privext 2 probably tells the client not to take a DHCPv6 address (which would be constant, and thus not good for privacy). That is actually better in most home situations-- at the router disable DHCPv6 address assignment and use RA/SLAAC exclusively.

Relay mode works by the DHCP system detecting the IP that the client has actually chosen (by its ND activity) and installing a /128 route via lan to each client dynamically. The /64 to the ISP remains on wan. So if a client has an IP but no Internet access, check that it has been entered into the routing table.
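The routing-table check suggested above can be scripted. The following is an added example, not part of the original thread: it assumes input in the format printed by `ip -6 neigh show` and `ip -6 route show`, and the addresses (documentation prefix 2001:db8::/32) and device names in the sample data are constructed.

```shell
#!/bin/sh
# Added example: list global IPv6 neighbours on a LAN device that have no
# host route on that device, i.e. clients the relay has not picked up.

# Constructed sample data in `ip -6 neigh show` / `ip -6 route show` format.
SAMPLE_NEIGH='2001:db8:0:1::a7d4 dev wan6 lladdr 02:00:00:00:00:d4 router REACHABLE
2001:db8:0:1:aaaa:bbbb:cccc:4eb1 dev br-vlan10 lladdr 02:00:00:00:00:a8 REACHABLE
2001:db8:0:1:aaaa:bbbb:cccc:594 dev br-vlan10 lladdr 02:00:00:00:00:a3 STALE
2001:db8:0:1:1234:56ff:fe78:9abc dev br-vlan10 lladdr 02:00:00:00:00:a3 STALE
fe80::1 dev br-vlan10 lladdr 02:00:00:00:00:a3 REACHABLE'

SAMPLE_ROUTES='default from 2001:db8:0:1::/64 via fe80::1 dev wan6 metric 512
2001:db8:0:1::/64 dev wan6 metric 256
2001:db8:0:1:aaaa:bbbb:cccc:4eb1 dev br-vlan10 metric 1024
2001:db8:0:1:aaaa:bbbb:cccc:594 dev br-vlan10 metric 1024'

# $1 = neighbour dump, $2 = route dump, $3 = LAN device to inspect.
# Addresses are compared as strings, which works because the kernel prints
# both tables in the same compressed notation.
missing_relay_routes() {
    printf '%s\n---\n%s\n' "$2" "$1" | awk -v dev="$3" '
        $0 == "---" { in_neigh = 1; next }
        # Route section: remember every target routed via the LAN device.
        !in_neigh {
            for (i = 2; i < NF; i++)
                if ($i == "dev" && $(i + 1) == dev) {
                    t = $1; sub(/\/128$/, "", t); route[t] = 1
                }
            next
        }
        # Neighbour section: skip link-local and unresolved entries, then
        # print any address on the LAN device that has no host route.
        $2 == "dev" && $3 == dev && $1 !~ /^fe80:/ &&
        $NF != "FAILED" && $NF != "INCOMPLETE" && !($1 in route) { print $1 }
    '
}

# Run on the constructed sample; prints the one address without a route.
missing_relay_routes "$SAMPLE_NEIGH" "$SAMPLE_ROUTES" br-vlan10

# On a live router:
#   missing_relay_routes "$(ip -6 neigh show)" "$(ip -6 route show)" br-vlan10
```

An address printed here is known to the router as a neighbour but has no relay route. A client address that never appears in the neighbour table at all will not be listed, so compare the output with the addresses shown on the client as well.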

Thanks for your responses (which seem to lead in a similar direction). Unfortunately, I am on a business trip but will check my configuration tomorrow evening.

As I am not so proficient in IPv6, what would be the right way forward? Make sure that OpenWRT hands out proper routable addresses via DHCPv6? Or use only RA/SLAAC? Will clients (mainly Linux + unfortunately 2 Windows business PCs) work with either? Will post my current OpenWRT config tomorrow - don't know what to change there.

Hi again,

2 computers in VLAN 10 are currently online (both with privext 2) and IPv6 works for them.

My current IPv6 neighbors and routing look like this:

IPv6 Neighbours
IP address			MAC address			Interface
a:b:c:d:x:x:x:a7d4	XX:XX:XX:XX:XX:D4	wan6
a:b:c:d:x:x:x:4eb1	XX:XX:XX:XX:XX:A8	(br-vlan10)
a:b:c:d:x:x:x:594	XX:XX:XX:XX:XX:A3	(br-vlan10)

Active IPv6 Routes
Device		Target				Source				Metric	Table	Protocol
wan6		::/0				a:b:c:d:x:x:x:143a	512		main	
wan6		::/0				a:b:c:d::/64		512		main	
wan6		a:b:c:d:x:x:x:a7d4	-					1024	main	
(br-vlan10)	a:b:c:d:x:x:x:4eb1	-					1024	main	
(br-vlan10)	a:b:c:d:x:x:x:594	-					1024	main	
wan6		a:b:c:d::/64		-					256		main	

:143a is the WAN6 interface of my OpenWRT.
:a7d4 is the LAN interface of my Vodafone ISP cable router.
:4eb1 is the temporary interface of my Ubuntu Workstation.
:594 is the temporary interface of my Debian Homeserver.

Basically, it does not seem to look so bad and internet communication works. The interesting thing is that the first IPv6 ping to ipv6.google.com on the Debian Homeserver takes a second (not for DNS, but for the first actual ping), I guess the OpenWRT takes some time for the initial routing setup due to ND?

If I comment out the privext 2 on the Debian Homeserver, its IPv6 internet access stops working and its global IPv6 never again appears in the OpenWRT neighbours and routing table.

Here's my config:


config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config dhcp 'wan6'
	option interface 'wan6'
	option ra 'relay'
	option dhcpv6 'relay'
	option ndp 'relay'
	option master '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'vlan10'
	option interface 'vlan10'
	option ra 'relay'
	option dhcpv6 'relay'
	option ndp 'relay'
	option dhcpv4 'disabled'

config dhcp 'vlan20'
	option interface 'vlan20'
	option ra 'relay'
	option dhcpv6 'relay'
	option ndp 'relay'
	option dhcpv4 'disabled'

<other internal VLANs with the same config as 10 and 20>