So I need two LANs: one port for the ADMIN LAN and 3 ports for OTHERS. I created the ADMIN LAN later. I found out the default 3 ports for OTHERS are good to go for IPv6, but on the newly created ADMIN LAN the hosts cannot receive IPv6.
Tested using https://ipv6test.google.com/
My knowledge of OpenWrt and IPv6 is limited, so please be gentle. Thanks.
Are you receiving a prefix delegation greater than /64 from your ISP's interface?
If I connect my PC to "LAN" (ports 1, 2 & 3), I pass the IPv6 test, but not on "ADMIN".
DHCP CONFIG =
config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option filterwin2k '0'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option nonegcache '0'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
    option nonwildcard '1'
    option localservice '1'
    option ednspacket_max '1232'

config dhcp 'lan'
    option interface 'lan'
    option leasetime '12h'
    option dhcpv4 'server'
    option dhcpv6 'server'
    option ra 'server'
    list ra_flags 'managed-config'
    list ra_flags 'other-config'
    option start '3'
    option limit '1000'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'
    option loglevel '4'

config dhcp 'ADMIN'
    option interface 'ADMIN'
    option leasetime '12h'
    option start '80'
    option limit '20'
    option ra 'server'
    option dhcpv6 'server'
    list ra_flags 'managed-config'
    list ra_flags 'other-config'

slh
September 19, 2022, 8:23am
5
Also paste /etc/config/network, make sure to redact personal information (passwords, VPN credentials, etc).
FIREWALL CONFIG =
config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option synflood_protect '1'
    option flow_offloading '1'
    option flow_offloading_hw '1'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option proto 'esp'
    option target 'ACCEPT'
    option dest '*'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'
    option dest '*'

config zone
    option name 'ADMINFW'
    option input 'ACCEPT'
    option output 'ACCEPT'
    list network 'ADMIN'
    option forward 'ACCEPT'

config forwarding
    option src 'ADMINFW'
    option dest 'lan'

config forwarding
    option src 'ADMINFW'
    option dest 'wan'

config rule
    option name 'ADMIN-LAN-DHCP'
    list proto 'udp'
    option src 'ADMINFW'
    option dest_port '67'
    option target 'ACCEPT'

config rule
    option name 'ADMIN-LAN-DNS'
    option src 'ADMINFW'
    option dest_port '53'
    option target 'ACCEPT'

NETWORK CONFIG =
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option packet_steering '1'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth1'
    list ports 'eth2'
    list ports 'eth3'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ip6assign '60'
    option ipaddr '10.0.0.1'
    option netmask '255.255.252.0'

config interface 'wan'
    option proto 'pppoe'
    option ipv6 'auto'
    option peerdns '0'
    list dns '1.1.1.1'
    list dns '8.8.8.8'
    option device 'eth0.621'
    option username 'XXX@public.maxis.com.my'
    option password 'XXX'

config interface 'wan6'
    option proto 'dhcpv6'
    option reqaddress 'try'
    option reqprefix '64'
    option peerdns '0'
    list dns '2001:4860:4860::8888'
    list dns '2001:4860:4860::8844'
    option device 'eth0.621'

config interface 'ADMIN'
    option proto 'static'
    option device 'eth4'
    option ipaddr '192.168.1.254'
    option netmask '255.255.255.0'

config device
    option type '8021q'
    option ifname 'eth0'
    option vid '621'
    option name 'eth0.621'

jow
September 19, 2022, 9:31am
8
Add option ip6assign '60' to your admin interface:
It is located in the Advanced settings tab. If you do not want to re-delegate IPv6 downstream ("admin" sounds like this is intended to be some kind of access-only network) then setting the assignment length to 64 should also be sufficient.
@jow, I had already tried that. What happens then is that IPv6 swaps places from "ADMIN" to "LAN". "LAN" then will not have the IPv6 address.
jow
September 19, 2022, 3:07pm
10
Ah, this sounds as if your upstream is not assigning you a large enough prefix to work with. When you go to the interface overview, is there an IPv6-PD: ... line in the status of WAN6 or WAN_6? If yes, how large is the suffix?
I'll have to test it out 3 days later because I'm attending an IoT class. Thanks.
jow
September 23, 2022, 7:08am
13
Ah, you only get a single /64 assigned, you can only cover one downstream interface with that.
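The single-/64 limit described above, as an added example that is not part of the thread and is not OpenWrt's own code: a simplified first-fit model of carving a delegated prefix into per-interface subnets, where each `ip6assign` request falls back to longer prefixes but never past /64. The `2001:db8::` documentation prefixes are constructed sample values, and serving interfaces in list order is an assumption of this model.

```python
import ipaddress


def assign_prefixes(delegated, requests):
    """Model of splitting one delegated prefix among downstream interfaces.

    delegated: the prefix received upstream, e.g. '2001:db8:0:1::/64'
    requests:  list of (interface_name, ip6assign_length), served in order
    Returns {interface_name: IPv6Network or None if nothing was left}.
    """
    pool = ipaddress.ip_network(delegated)
    free = [pool]                      # blocks not yet handed out
    result = {}
    for name, want in requests:
        result[name] = None
        # Try the requested length first, then shrink the subnet step by
        # step. Stop at /64: a LAN segment needs a full /64 for SLAAC.
        for length in range(max(want, pool.prefixlen), 65):
            block = next((n for n in sorted(free) if n.prefixlen <= length), None)
            if block is None:
                continue               # nothing big enough, try a smaller subnet
            free.remove(block)
            sub = next(block.subnets(new_prefix=length))
            if sub != block:           # return the unused remainder to the pool
                free.extend(block.address_exclude(sub))
            result[name] = sub
            break
    return result


if __name__ == "__main__":
    wanted = [("lan", 60), ("ADMIN", 60)]   # ip6assign '60' on both interfaces
    for pd in ("2001:db8:0:1::/64", "2001:db8:0:100::/56"):  # constructed PDs
        print(pd)
        for ifname, net in assign_prefixes(pd, wanted).items():
            print(f"  {ifname:6} -> {net or 'no prefix left'}")
```

With a /64 delegation the first interface served takes the whole prefix and the second gets nothing, which matches the "swap places" behaviour reported in the thread; with a /56 both interfaces receive their own /60. The posted wan6 section sets `reqprefix '64'`, which hints a /64 to the upstream; the thread does not say whether this ISP will delegate anything shorter.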
Can you guide me on how to configure NDP proxy and use the same subnet for both?