IPv6 not working on newly created secondary LAN

allengorden · September 18, 2022, 5:37am

So I need two LANs. One Port for ADMIN LAN and 3 Ports for OTHERS. I created the ADMIN LAN later. I found out the default 3 Ports for OTHERS is good to go for IPv6 but for the newly created ADMIN LAN, the hosts cannot receive IPv6.

Tested using https://ipv6test.google.com/

My knowledge is limited for OpenWrt and IPv6 so please be gentle. Thanks.

lleachii · September 18, 2022, 11:53am

Are you receiving a prefix delegation greater than /64 from your ISP's interface?

allengorden · September 19, 2022, 8:15am

if i connect my PC to "LAN" { ports 1,2 & 3}, I pass the ipv6 test but not on the "ADMIN"

allengorden · September 19, 2022, 8:20am

DHCP CONFIG =


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option start '3'
	option limit '1000'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'ADMIN'
	option interface 'ADMIN'
	option leasetime '12h'
	option start '80'
	option limit '20'
	option ra 'server'
	option dhcpv6 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

slh · September 19, 2022, 8:23am

Also paste /etc/config/network, make sure to redact personal information (passwords, von credentials, etc).

allengorden · September 19, 2022, 8:24am

FIREWALL CONFIG =


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'
	option dest '*'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option dest '*'

config zone
	option name 'ADMINFW'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'ADMIN'
	option forward 'ACCEPT'

config forwarding
	option src 'ADMINFW'
	option dest 'lan'

config forwarding
	option src 'ADMINFW'
	option dest 'wan'

config rule
	option name 'ADMIN-LAN-DHCP'
	list proto 'udp'
	option src 'ADMINFW'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'ADMIN-LAN-DNS'
	option src 'ADMINFW'
	option dest_port '53'
	option target 'ACCEPT'

allengorden · September 19, 2022, 8:26am

NETWORK CONFIG =


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	option ipaddr '10.0.0.1'
	option netmask '255.255.252.0'

config interface 'wan'
	option proto 'pppoe'
	option ipv6 'auto'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '8.8.8.8'
	option device 'eth0.621'
	option username 'XXX@public.maxis.com.my'
	option password 'XXX'

config interface 'wan6'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix '64'
	option peerdns '0'
	list dns '2001:4860:4860::8888'
	list dns '2001:4860:4860::8844'
	option device 'eth0.621'

config interface 'ADMIN'
	option proto 'static'
	option device 'eth4'
	option ipaddr '192.168.1.254'
	option netmask '255.255.255.0'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '621'
	option name 'eth0.621'

jow · September 19, 2022, 9:31am

Add option ip6assign '60' to your admin interface:

It is located in the Advanced settings tab. If you do not want to re-delegate IPv6 downstream ("admin" sounds like this is intended to be some kind of access-only network) then setting the assignment length to 64 should also be sufficient.

allengorden · September 19, 2022, 2:45pm

@jow , I had already tried that. What happens is then IPv6 will swap places from "ADMIN" to the "LAN" . "LAN" then will not have the IPv6 Address.

jow · September 19, 2022, 3:07pm

Ah, this sounds as if your upstream is not assigning you a large enough prefix to work with. When you go to the interface overview, is there an IPv6-PD: ... line in the status of WAN6 or WAN_6? If yes, how large is the suffix?

allengorden · September 20, 2022, 10:40am

I'll have to test it out 3 days later because I'm attending an IoT class. Thanks.

allengorden · September 23, 2022, 2:09am

jow · September 23, 2022, 7:08am

Ah, you only get a single /64 assigned, you can only cover one downstream interface with that

allengorden · September 23, 2022, 7:55am

can you guide on how configure NDP proxy and use the same subnet for both.

allengorden · September 25, 2022, 7:48am

anyone????? please..