IPv6 IP address leak using policy-based routing

You can assign the IP with ip6addr directly.
Or you can use ip6hint to let it take a chunk from the whole /48 and use the hint suffix for the network. Check here.

Thanks. I'm going to reset all the changes so far so I'm back in the initial state (IPv4 obeying the vpn-pbr and IPv6 through my ISP), and then make changes one by one.

no luck, I'm afraid. Same situation: ping6 from the router over the mullvad interface is fine; but nothing from clients.

I'm going to 'sleep on it' and see if a fresh pair of eyes on it helps.

Thanks for all your assistance.

One last thing: you didn't try the tcpdump. I am curious where the packets are dropped.

23:17:58.263380 IP6 (flowlabel 0xf1c5f, hlim 64, next-header ICMPv6 (58) payload length: 88) fc00:bbbb:bbbb:bb01::39a6 > 2a03:2880:f05c:112:face:b00c:0:2: [icmp6 sum ok] ICMP6, destination unreachable, unreachable route 2a02:xxxx:xxxx:0:xxxx:xxxx:xxx:xxxx
23:17:58.478506 IP6 (flowlabel 0x06669, hlim 63, next-header ICMPv6 (58) payload length: 16) fc00:bbbb:bbbb:bb00:7431:928b:31ab:70e3 > 2a00:1450:400e:807::200e: [icmp6 sum ok] ICMP6, echo request, seq 4
23:17:58.932881 IP6 (flowlabel 0x5c2bf, hlim 64, next-header ICMPv6 (58) payload length: 88) fc00:bbbb:bbbb:bb01::39a6 > 2a00:1450:400e:808::200a: [icmp6 sum ok] ICMP6, destination unreachable, unreachable route 2a02:xxxx:xxxx:0:xxxx:xxxx:xxx:xxxx
23:17:59.478687 IP6 (flowlabel 0x06669, hlim 63, next-header ICMPv6 (58) payload length: 16) fc00:bbbb:bbbb:bb00:7431:928b:31ab:70e3 > 2a00:1450:400e:807::200e: [icmp6 sum ok] ICMP6, echo request, seq 5
23:18:00.482485 IP6 (flowlabel 0x06669, hlim 63, next-header ICMPv6 (58) payload length: 16) fc00:bbbb:bbbb:bb00:7431:928b:31ab:70e3 > 2a00:1450:400e:807::200e: [icmp6 sum ok] ICMP6, echo request, seq 6

where:

  • fc00:bbbb:bbbb:bb00:7431:928b:31ab:70e3 is my client
  • 2a00:1450:400e:807::200e and 2a00:1450:400e:808::200a are Google
  • fc00:bbbb:bbbb:bb01::39a6 is the mullvad interface
  • 2a03:2880:f05c:112:face:b00c:0:2 is Facebook, I think (face:b00c)
  • The 'unreachable route' is my ISP
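The capture above can be checked mechanically for the leak this thread is about. What follows is an added example, not code from the thread or from OpenWrt: it parses `tcpdump -n -v ip6` lines in the format quoted above and classifies each packet's source address against three things the operator knows (the LAN ULA prefix, the ISP-delegated prefix and the /128 the VPN provider assigned). The ISP prefix, masked as 2a02:xxxx... in the post, is replaced by a documentation prefix, and the sample lines are constructed, not a real capture.

```python
"""Audit a tcpdump capture from the VPN interface for IPv6 source-address leaks.

Added example, not code from the original thread. It assumes the capture was
taken with `tcpdump -i <vpn-iface> -n -v ip6` (the format of the lines quoted
above) and that the operator knows the LAN ULA prefix, the ISP-delegated
prefix and the /128 the VPN provider assigned to the tunnel.
"""
from dataclasses import dataclass
import ipaddress
import re
from typing import List, Optional

# Assumed setup: the LAN and tunnel values mirror the thread; the masked ISP
# prefix (2a02:xxxx...) is replaced by a documentation prefix.
LAN_ULA = ipaddress.IPv6Network("fc00:bbbb:bbbb:bb00::/60")
ISP_PD = ipaddress.IPv6Network("2001:db8:1::/48")
VPN_ADDR = ipaddress.IPv6Address("fc00:bbbb:bbbb:bb01::39a6")

# "... payload length: N) <src>[.port] > <dst>[.port]: <rest>"
LINE_RE = re.compile(
    r"\) (?P<src>[0-9a-fA-F:]+)(?:\.\d+)? > (?P<dst>[0-9a-fA-F:]+)(?:\.\d+)?: (?P<rest>.*)$"
)
UNREACH_RE = re.compile(r"unreachable route (?P<addr>[0-9a-fA-F:]+)")

# Constructed sample lines in tcpdump's format (not a real capture).
SAMPLE_CAPTURE = """\
23:17:58.263380 IP6 (flowlabel 0xf1c5f, hlim 64, next-header ICMPv6 (58) payload length: 88) fc00:bbbb:bbbb:bb01::39a6 > 2a03:2880:f05c:112:face:b00c:0:2: [icmp6 sum ok] ICMP6, destination unreachable, unreachable route 2001:db8:1:0:1234:5678:9abc:def0
23:17:58.478506 IP6 (flowlabel 0x06669, hlim 63, next-header ICMPv6 (58) payload length: 16) fc00:bbbb:bbbb:bb00:7431:928b:31ab:70e3 > 2a00:1450:400e:807::200e: [icmp6 sum ok] ICMP6, echo request, seq 4
23:17:59.104211 IP6 (flowlabel 0x0abcd, hlim 63, next-header TCP (6) payload length: 40) 2001:db8:1:0:1234:5678:9abc:def0.51234 > 2a00:1450:400e:807::200e.443: Flags [S], seq 1, win 64800, length 0
"""

VERDICT = {
    "vpn": "ok: sourced from the tunnel address",
    "isp-gua": "LEAK/WRONG EGRESS: ISP-delegated address sent into the tunnel",
    "lan-ula": "NOT ROUTABLE: ULA source left un-NATed; the provider cannot reply to it",
    "other": "unclassified source",
}


def classify(addr_text: str) -> str:
    """Return which address plane an address belongs to for this tunnel.

    The tunnel address is tested first because with a /60 on lan it also
    falls inside LAN_ULA (the overlap discussed further down the thread).
    """
    addr = ipaddress.IPv6Address(addr_text)
    if addr == VPN_ADDR:
        return "vpn"
    if addr in ISP_PD:
        return "isp-gua"
    if addr in LAN_ULA:
        return "lan-ula"
    return "other"


@dataclass
class Finding:
    src: str
    dst: str
    kind: str
    verdict: str
    unreachable: Optional[str]  # address named in an ICMPv6 "no route" error, if any


def audit_capture(text: str) -> List[Finding]:
    """Parse each IP6 line and classify its source address."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an IPv6 packet line, or a format this parser does not know
        src, dst, rest = m.group("src"), m.group("dst"), m.group("rest")
        kind = classify(src)
        verdict = VERDICT[kind]
        unreachable = None
        um = UNREACH_RE.search(rest)
        if um:
            unreachable = um.group("addr")
            verdict += f"; router reports no route to {unreachable} ({classify(unreachable)})"
        findings.append(Finding(src, dst, kind, verdict, unreachable))
    return findings


def has_leak(findings: List[Finding]) -> bool:
    """True if any packet on the tunnel carried an ISP-delegated source."""
    return any(f.kind == "isp-gua" for f in findings)


if __name__ == "__main__":
    results = audit_capture(SAMPLE_CAPTURE)
    for f in results:
        print(f"{f.src} -> {f.dst}: {f.verdict}")
    print("leak detected" if has_leak(results) else "no ISP-sourced packets on the tunnel")
```

Feed it a real capture with `tcpdump -i mullvad -n -v ip6 | python3 audit.py` after swapping in your own prefixes; any "isp-gua" finding on the tunnel is a packet the provider will not route back, and any "lan-ula" finding means NAT66 is not yet rewriting the source.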

Since you are using a /60 mask on lan, the mullvad interface and the lan clients are in the same subnet.
Change the lan to ip6assign /64 and try it again.
Or leave it at /60 and change the network prefix to fc00:bbbb:bbbb:bb10::1

Sorry, my IPv6 network calculations are awful. Just so I'm clear:

Mullvad have given me: fc00:bbbb:bbbb:bb01::39a6/128

So, I need to set

config globals 'globals'
	option ula_prefix 'fc00:bbbb:bbbb:bb01::/48'

config interface 'lan'
	...
	list ip6class 'local'
	option ip6addr 'fc00:bbbb:bbbb:bb01::1/60'
	option ip6assign '64'

And then add fc00:bbbb:bbbb:bb01::1/60 to the VPN-PBR

Have I got that right, or am I mistaken?

The best I've come across.

No, all of them are in the same network.
You know, if it is too complicated, just remove the ula_prefix and assign ip6addr fc00:bbbb:bbbb:bb02::1/64 under lan, without ip6assign.
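The subnet arithmetic behind this exchange is easy to get wrong by eye, so here is an added example (not from the thread) that checks each of the lan prefixes discussed above against the Mullvad /128 with Python's standard ipaddress module. The tunnel address and the candidate prefixes are the ones quoted in the thread; `pick_lan_prefix` is a helper introduced here, not an OpenWrt feature.

```python
"""Does the VPN provider's /128 land inside the LAN IPv6 prefix?

Added example, not from the original thread. The tunnel address and the
candidate LAN prefixes are the ones discussed above; everything else is the
standard library's ipaddress module.
"""
import ipaddress
from typing import Dict, List, Optional

# The /128 Mullvad assigned to the tunnel, as quoted in the thread.
TUNNEL = ipaddress.IPv6Address("fc00:bbbb:bbbb:bb01::39a6")

# Candidate lan ip6addr values in the order the thread tried or proposed them.
CANDIDATES: List[str] = [
    "fc00:bbbb:bbbb:bb00::1/60",  # original lan prefix: a /60 spans bb00:: .. bb0f::
    "fc00:bbbb:bbbb:bb01::1/60",  # the proposal in the question above
    "fc00:bbbb:bbbb:bb01::1/64",  # same proposal, but with ip6assign 64
    "fc00:bbbb:bbbb:bb10::1/60",  # "leave it /60 and move the prefix"
    "fc00:bbbb:bbbb:bb02::1/64",  # the final suggestion
]


def overlaps(lan_ip6addr: str, tunnel: ipaddress.IPv6Address = TUNNEL) -> bool:
    """True if the tunnel address is inside the subnet implied by lan ip6addr.

    strict=False accepts the interface-address form (::1/60) and masks the
    host bits off, which is the network the router installs a route for.
    """
    return tunnel in ipaddress.IPv6Network(lan_ip6addr, strict=False)


def lan_subnet_report(candidates: List[str] = CANDIDATES,
                      tunnel: ipaddress.IPv6Address = TUNNEL) -> Dict[str, bool]:
    """Map each candidate lan prefix to whether it collides with the tunnel address."""
    return {c: overlaps(c, tunnel) for c in candidates}


def pick_lan_prefix(ula_prefix: str, tunnel: ipaddress.IPv6Address = TUNNEL,
                    new_prefix: int = 64) -> Optional[ipaddress.IPv6Network]:
    """First /new_prefix subnet of ula_prefix that does not contain the tunnel address.

    Helper introduced for this example: given the /48 the thread used as
    ula_prefix, it finds a /64 for lan that stays clear of the Mullvad /128.
    """
    base = ipaddress.IPv6Network(ula_prefix, strict=False)
    for subnet in base.subnets(new_prefix=new_prefix):
        if tunnel not in subnet:
            return subnet
    return None


if __name__ == "__main__":
    for cand, clash in lan_subnet_report().items():
        net = ipaddress.IPv6Network(cand, strict=False)
        print(f"{cand:28} -> {net:26} {'SAME SUBNET as tunnel' if clash else 'separate'}")
    print("first clean /64 under the /48:", pick_lan_prefix("fc00:bbbb:bbbb:bb01::/48"))
```

The report shows why the /60 variants and bb01::1/64 all collide (a /60 covers the sixteen /64s bb00:: through bb0f::, and a /64 at bb01:: is exactly the tunnel's block), while bb10::/60 and bb02::/64 do not.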

Got it. Thanks.

Deleted:

config globals 'globals'
	option ula_prefix 'fc00:bbbb:bbbb:bb01::/48'

and then now I have:

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	list ip6class 'local'
	option ip6addr 'fc00:bbbb:bbbb:bb02::1/64'
	option netmask '255.255.255.0'
	option ipaddr '192.168.10.1'
	option ifname 'eth1 eth2'

tcpdump shows:

20:38:13.803778 IP6 (flowlabel 0x39fcc, hlim 63, next-header ICMPv6 (58) payload length: 16) fc00:bbbb:bbbb:bb02:715f:f8f2:12ff:9a15 > 2404:6800:4003:c04::71: [icmp6 sum ok] ICMP6, echo request, seq 0
20:38:14.811685 IP6 (flowlabel 0x39fcc, hlim 63, next-header ICMPv6 (58) payload length: 16) fc00:bbbb:bbbb:bb02:715f:f8f2:12ff:9a15 > 2404:6800:4003:c04::71: [icmp6 sum ok] ICMP6, echo request, seq 1
20:38:15.815358 IP6 (flowlabel 0x39fcc, hlim 63, next-header ICMPv6 (58) payload length: 16) fc00:bbbb:bbbb:bb02:715f:f8f2:12ff:9a15 > 2404:6800:4003:c04::71: [icmp6 sum ok] ICMP6, echo request, seq 2

So, progress, I think? No replies to the ping, though; 100% loss shown on the client.

Huge. Now you need to ask Mullvad why there isn't traffic coming back to you.


Have done; their support is usually pretty good.

Thanks for hand-holding me through this and for all your patience. Much appreciated. I'm a bit bemused as to why IPv4 PBR 'just works', but IPv6 is so tricky. But I'm very grateful to you for getting me to this stage.

Will report back when I hear back from Mullvad.


I may have missed a trick here. My ISP has given me a /48 PD Prefix. So, I guess I can use that to address clients on my LAN (e.g. /60) and then construct the VPN-PBR from that.

Seems to work: tcpdump shows packets from a client, but still - as per my previous post - no reply (still waiting for Mullvad to reply)

This won't work. The delegated prefix from your ISP is a GUA prefix and can only be used from the uplink of your ISP.

Mullvad should drop it because the source IP doesn't belong to them. Even if they don't, the reply will come back from ISP and the firewall of OpenWrt will drop it as invalid.

Ah, understood. Thanks. I guess, ideally, Mullvad would dish out a /48 rather than a single /128 so that I can address clients on my LAN.

I was under the impression you were already assigned one. No wonder it is not working, then. You must NAT on the mullvad interface and use a neutral ULA prefix for your hosts.

Ah, sincere apologies: it wasn't my intention to give you that impression. I did suspect NAT but couldn't get it to work when I tried. I'll have another go now that I know how to force clients to ignore my ISP's PD.

...aaaaaand, just like that; it's solved.

Here are the steps:

uci set dhcp.lan.ra_default='1'
uci commit dhcp
service dnsmasq restart

Force hosts to ignore PD from provider:

list ip6class 'local'

add a route:

config route6
	option interface 'mullvad'
	option target '::/0'

Enable NAT6 with IPv6 masquerading

Add your ULA Prefix to the VPN-PBR; e.g.:

config policy
	option chain 'PREROUTING'
	option name 'Private'
	option interface 'mullvad'
	option proto 'all'
	option src_addr '192.168.10.1/24 fdf3:e716:6c30::1/60'

I was about to point you here but it's good you sorted it out.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

Just by the way, I've found I don't have to use VPN-PBR for IPv6 at all now (and can't get it working, anyway).

Simply adding the route:

config route6
	option interface 'mullvad'
	option target '::/0'

and then specifying which prefixes get dished-out on which interfaces is enough to direct traffic over my VPN (thanks to NAT66, of course) or WAN.

Inevitably, my stubbornness will probably cause me to try and get it working with PBR at some point; but for now, the outcome has been achieved even if the means weren't as I had planned.
