IPv6 No Prefix Delegating for LAN

Axent1987 · January 31, 2025, 2:02am

Hello.
I am using custom board with Openwrt. I have the next connection diagram:
PC<----->(LAN)Openwrt Router(WAN)<------>ISP Router
I configured the network and firewall for DHCPv6. And this works well (but only for WAN port).
I can use access for IPv6 only inside the OWRT Router using the WAN.
But I can't ping any IPv6 from LAN side (from my PC).
I figured out that I don't have normal Prefix Delegation for wan6.
Not always. Sometimes magic happens and I can see IPv6-PD in my 'br-lan' interface (hence I have access to IPv6 through LAN). But in common case and more often I have only WAN to access the IPv6.
I researched different similar topics, but it didn't help.
I am wondering why sometimes I have normal PD (delegated prefix)(IPv6 access from LAN enabled), and in other connection attempt - it's missing. (IPv6 only on WAN)?!
What is wrong? Thanks

/etc/config/network

config device
	option name 'eth0'

config device
	option name 'wan'

config device
	option name 'lan'

config device
	option name 'br-lan'
	option type 'bridge'
	option ports 'lan'

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdca:cd5b:b5b2::/48'
	option packet_steering '1'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.113.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan'
	option mtu '1342'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'wwan'
	option apn_override '0'
	option apn 'firstnet-broadband'
	option auth 'none'
	option iptype 'ipv4v6'
	option mtu '1342'
	option metric '10'
	option proto 'qmi'
	option device '/dev/cdc-wdm0'

/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
    list network 'wwan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '0'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/etc/awc/dhcp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option cachesize '1024'
	option dnsforwardmax '1024'
	option dhcpscript '/sbin/dhcp-script.sh'
	list server '8.8.8.8'
	list server '8.8.4.4'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	option ra_dhcp '1430'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option limit '100'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/etc/awc/dhcp/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Thanks.

mk24 · January 31, 2025, 2:16am

PD should appear on the wan interface. Then part of the prefix (up to /60 in this case since that is the ip6assign size) should appear as the lan IPv6 address.

Run ifstatus wan6 to see if a prefix was received from the ISP and what size. If it is less than /60 set ip6assign 64 on lan. That would be a good idea anyway unless you plan to connect additional routers downstream on the lan.

Axent1987 · January 31, 2025, 2:35am

Seems I didn't ask question correct in some details.
So, in 'ifstatus wan6' I don't have any prefix ("ipv6-prefix" field is empty).

        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [

        ],

That seems cause the problem. In this case I have IPv6 working only on WAN side (even with empty prefix), but I don't have IPv6 on LAN. When PD is assigned (sometimes this magic happens as I mentioned in head-post), I have fully working IPv6 pipe. But you point me a problem that I don't have PD on WAN side even, although IPv6 ping works fine on WAN port without PD (LAN is shut down and works only with assigned PD).
What could the reason that I don't have PD?
Thanks.

Axent1987 · January 31, 2025, 2:43am

From Internet I also noted that this (no PD) could cause with wrong MTU size expected. I have some question, does ISP can use different values of MTU or not?