I have open NAT & IPv6 working fine directly from my main router, but any traffic through my second router (OpenWrt) is moderate NAT & IPv4 only. I've been messing with OpenWrt for over 14 hours in the last two days and I can't seem to get it to work no matter what I do!
Configure the second router as a dumb AP, which makes it a simple wifi to wired bridge. IPv4 and IPv6 from a wifi device will then be passed through to be handled directly by the main router.
That makes everything different. When you do that, the OpenWrt router will become the main router for VPN users, since it's going to single-NAT them into the VPN tunnel. Since the packets will be encapsulated and encrypted as they leave the OpenWrt router, your other router becomes just another untrusted part of the Internet as far as the VPN is concerned. Any NAT in that router and beyond is not apparent when the packets are decapsulated at the VPN server.
Well, I know running the VPN on OpenWRT (as the main) will VPN the whole network & make it use that NAT, IP pool & DNS servers, but my problem is happening when the VPN is off.
Is there a way to:
(Scenario 1)
Isolate an Ethernet port from the VPN to use to wire to the (ex-main) router to make it the AP without a VPN?
(Scenario 2)
Get IPv6 & open NAT working on OpenWrt (as the secondary/AP) while not using a VPN?
(Endgame/goal)
I want both routers to use IPv6 & open NAT without running a VPN, then be able to toggle the VPN when needed (I know how to toggle the VPN on/off already).
Your scenario without VPN calls for a dumb AP, so there is only one routing step involved, in the main router. A VPN client can run within a dumb AP, providing a separate SSID and/or dedicated Ethernet ports that will route through the VPN, while non-VPN Ethernet and wifi is simultaneously available.
For this use case, wanting to leave the option open to install a VPN client, I'd take a different approach. Leave the router doing lan->wan routing, connect the wan port to the upstream network, but convert wan to a bridge and add a wifi AP to it. This AP will be "dumb" in that it bridges those wireless users upstream with no interaction with anything in the router.
It's also possible to add some Ethernet ports to the wan bridge so they get switched upstream with no routing, like a dumb switch. The way to do that varies by model architecture, specifically whether it is DSA or swconfig.
If the inner router in a double NAT scenario does not enable IPv6, then it likely did not get a large enough IPv6 prefix from the outer router.
Keyword for you to research is "IPv6 prefix delegation".
But it could be, because your provider does not offer a large enough prefix to the outer router, to cover your NAT nesting needs. If the provider does (e.g. a commonly used /56 prefix would do), then maybe you can reconfigure/rebalance prefix delegation on both OpenWrt devices, such that the inner router can be IPv6 enabled as well.
By the way, why does nobody mention IPv6 relay? It's that easy: you just need to set the wan interface as master. You don't have total control of it, but at least you have an IPv6 connection from the main router.
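As an added illustration of the relay setup described above (not the poster's own configuration): the relevant `/etc/config/dhcp` and `/etc/config/network` sections on the inner OpenWrt router, assuming the default `wan6` and `lan` interface names. The inner router requests no prefix of its own and instead proxies RA, DHCPv6 and NDP between its upstream and its LAN, so clients end up in the main router's /64.

```uci
# /etc/config/network (inner OpenWrt router)
config interface 'wan6'
	option device '@wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	# no prefix delegation is available upstream, so do not ask for one
	option reqprefix 'no'

# /etc/config/dhcp (inner OpenWrt router)
# The upstream-facing interface is the "master": odhcpd learns the
# prefix and router advertisements here and forwards them to lan.
config dhcp 'wan6'
	option interface 'wan6'
	option ignore '1'
	option master '1'
	option ra 'relay'
	option dhcpv6 'relay'
	option ndp 'relay'

# lan clients receive the main router's RAs and addresses via relay;
# odhcpd does NDP proxying so the main router can reach them directly.
config dhcp 'lan'
	option interface 'lan'
	option ra 'relay'
	option dhcpv6 'relay'
	option ndp 'relay'
```

After editing, restart with `/etc/init.d/odhcpd restart` and `/etc/init.d/network restart`; the WAN firewall zone must also accept the ICMPv6 traffic the relay depends on, which the default OpenWrt firewall rules already allow.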
IDK, everyone is telling me to do different things...
I don't care which way, I just want to be able to have IPv6, open NAT, VPN access (when needed) & one ethernet port that'll bypass the VPN.
I have no experience in this, so instructions need to be clear (or linked to a page that has them)
There is no right or wrong, but different options to check.
Regarding my PD question and your answer:
Your provider does not seem to hand out an IPv6 prefix to your outer router; that's why your router does not list anything regarding prefix delegation.
This then means that your outer router cannot hand out IPv6 addresses to your inner router. That is why there is no IPv6 available on your inner router in your cascaded scenario.
That means that in that scenario you won't have IPv6 on your inner router when running cascaded routers.
So my suggestion of trying to mess with prefix delegation will not work for your scenario, unfortunately.