Ipv6 not routed after a while, address marked as deprecated

Hi,

I've started to use IPv6 and new to it. Short story: after a while my OpenWRT router doesn't route anymore to my server using IPv6 addresses, after a reboot it works again.

I'm new to IPv6 and quite certain I haven't yet understood everything but I came so far:

  • before reboot the relevant IP addresses WAN and LAN are marked as deprecated in ip a on the router itself and preferred_lft set to 0sec
  • after reboot the same IP addresses aren't deprecated anymore and preferred_lft is roughly two hundred thousands seconds
  • ip r and ip6tables-save outputs are the same before and after reboot

So, I'm pretty sure that this is the issue, Mr. Google tells me that it leads to the IP addresses not being usable any more, and I probably need to configure something differently but what? I've started to read documentation but it's huge (and complicated) and I don't know where to start. Also many instructions point at the command line where I'm using Lua to configure, it doesn't help either to understand what I'm supposed to do (or what I can do).

Some more information (if I write that something doesn't work, it's before the reboot, after everything works again):

  • my router is TP-Link TL-WDR4300 v1 with OpenWrt 18.06.01
  • the WAN side of my router is behind my provider's router which provides the IPv6 range
  • server is attached to the provider's router, IPv6 address resolves fine with DNS
  • my router can reach the server (using network diagnostics in Lua) but any device attached to the LAN side of the router can't (neither ping nor SSH).
  • server also has an IPv4 address (without DNS name), works fine with ping and SSH
  • my router gets it's WAN address over DHCP from my provider's router
  • DHCPv4 and v6 managed by my router on the LAN side
  • the impacted IP addresses are one on the LAN side (br-lan) and one on the WAN side (eth0.2).
  • AFAIK my provider is using DS-Lite (not sure it's relevant and also not absolutely sure).

Any help, documentation pointer, explanation, etc is welcome. Already a less intrusive approach than rebooting my router would be helpful.

Thanks, Eric

Can you compare ifstatus wan6 while it works with the output when its broken? To me it sounds as if the IPv6 prefix leased by your ISP is somehow expiring and not renewed.

Hi jow,

how would I recognize this?

It takes a few days until the problem appears (which, I just realise, corresponds to the roughly 240,000 seconds aka 3 days or so) and to my eyes the output of ifstatus is more readable but not different from ip a and ip r combined.

Thanks, Eric

Compare that:

ip -6 a; ip -6 r; ip -6 ru; ifstatus wan6

Test when the issue happens:

ping6 ISP_gateway_IPv6
nslookup ipv6.google.com
traceroute6 ipv6.google.com

Also try to update your IPv6-address without reboot:

tcpdump -vni eth0 udp port 546 &
kill -SIGUSR1 $(pidof odhcp6c)

Perhaps I should have started with it but here are the differences explicitly (IPv6 prefix obviously replaced by a dummy dead:beef:pref: https://paste.fedoraproject.org/paste/VeJa6jbmg7j4cYA1RdWevw

I can try your commands but e.g. heise.de (which is also IPv6 site) has never stopped to work.

How about:

ifdown wan6
ifup wan6

Sounds like a workaround, at least it resets the preferred_lft to its start value of ~240k. Let me try this and come back to you in a few days, once the issue has happened.
After that though will come the question how to avoid the issue alltogether.

Do you have the default firewall rules present which allow inbound udp 546 traffic?

Sorry for the delay, but it took some more time to happen this time, with new changes:

  1. no IPv6 traffic went through (not even ping6 heise.de on the router itself.
  2. the IPv6 addresses were not marked as deprecated.
  3. ifdown wan6 & ifup wan6 solved the issue (already better than a full reboot)
  4. as for the firewall rules: ip6tables-save doesn't show any difference before and after (beside times and number of packages) and the rule is IMHO there: -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT

What is interesting is that just before this happened, the router of my provider must have rebooted or be configured anew (its WLAN was shortly gone), so it sounds like a hick-up between my router (OpenWrt) and the router of my provider (crappy one, "Connect Box", closed down OEM of something) after a reboot/reconfiguration of the last one.

The question could be at the end if I can solve the issue on the OpenWRT side or if I'm doomed by my provider's choice of router.

Thanks, Eric

Some ideas:

You should either poke DHCPv6-client or reset WAN6-interface as mentioned above.

Cool links definitely, I didn't know about the hotplug capability, but it won't help because it only reacts to ifup/ifdown of an interface or a device, which is nothing that happens. Remains the possibility to check regularly the link with cron and reset/restart the interface in case of loss. Very ugly to be honest but indeed a possibility... sigh

Do you use the offload feature?
When i enable software offload ipv6 connectivity stops working after some time.
The wan6 interface is still up but no connections can be made, neither from the router or from the hosts in the lan.

I have the a similar issue:
IPv6 lease expires without renewal. After expiring no traffic anymore possible on the router.
Rebooting of the router helps temporarely.
System worked fine before for several months w/o any issue.
Any hints on what the issue is?
Thanks