IPv6 not working on OpenWrt AP

I have open NAT & IPv6 working fine directly from my main router, but any traffic through my second router (OpenWRT) is moderate NAT & IPv4 only. I've been messing with OpenWRT for over 14 hours in the last two days and I can't seem to get it to work no matter what I do!


@trendy can you help? (I've seen you help others)

Configure the second router as a dumb AP, which makes it a simple wifi to wired bridge. IPv4 and IPv6 from a wifi device will then be passed through to be handled directly by the main router.


But I want to be able to use a VPN on the OpenWrt router.

Also, why can't open NAT & IPv6 be passed through while it's smart?
Do I need to make OpenWRT my main (if that's possible)?

When my second router had stock firmware it passed along open NAT & IPv6 perfectly fine...

(I'm not experienced in networking, but can follow instructions)

Edit: Just to make my setup more clear, it's modem, (main/stock) router, then OpenWRT router.
Connected by ethernet cables.

That makes everything different. When you do that, the OpenWrt router will become the main router for VPN users, since it's going to single-NAT them into the VPN tunnel. Since the packets will be encapsulated and encrypted as they leave the OpenWrt router, your other router becomes just another untrusted part of the Internet as far as the VPN is concerned. Any NAT in that router and beyond is not apparent when the packets are decapsulated at the VPN server.


Well, I know running the VPN on OpenWRT (as the main) will VPN the whole network & make it use that NAT, IP pool & DNS servers, but my problem is happening when the VPN is off.

Is there a way to
(Scenario 1)
Isolate an Ethernet port from the VPN to use to wire to the (ex-main) router to make it the AP without a VPN?

(Scenario 2)
Get IPv6 & open NAT working on OpenWRT (as the secondary/AP) while not using a VPN?

I want both routers to use IPv6 & open NAT without running a VPN, then be able to toggle the VPN when needed (I know how to toggle the VPN on/off already)

Your scenario without VPN calls for a dumb AP, so there is only one routing step involved, in the main router. A VPN client can run within a dumb AP, providing a separate SSID and/or dedicated Ethernet ports that will route through the VPN, while non-VPN Ethernet and wifi are simultaneously available.

How do I make it a dumb AP?

Make sure you start from a factory defaults router.

For this use case, wanting to leave the option open to install a VPN client, I'd take a different approach. Leave the router as a lan->wan routing, connect the wan port to the upstream network, but convert wan to a bridge and add a wifi AP to it. This AP will be "dumb" in that it bridges those wireless users upstream with no interaction with anything in the router.

It's also possible to add some Ethernet ports to the wan bridge so they get switched upstream with no routing, like a dumb switch. The way to do that varies by model architecture, specifically if it is DSA or swconfig.


If the inner router in a double NAT scenario does not enable IPv6, then it likely did not get a large enough IPv6 prefix from the outer router.
Keyword for you to research is "IPv6 prefix delegation".

But it could be because your provider does not offer a large enough prefix to the outer router to cover your NAT nesting needs. If the provider does (e.g. a commonly used 56 prefix would do), then maybe you can reconfigure/rebalance prefix delegation on both OpenWRT devices, such that the inner router can be IPv6 enabled as well.

Can you explain this more in detail?
(like step-by-step)


What does your Wan6 interface of outer and inner router currently say about ipv6-pd?

Btw, why does nobody mention IPv6 relay? It's that easy: you just need to set the wan interface as master... You don't have total control of it, but at least you have an IPv6 connection from the main router.

I don't think that's the case, because when my second router (OpenWRT) was running stock firmware, it passed it along fine and dandy.

I don't have an IPv6-PD.
(This is running all default settings using LAN->WAN)

IDK, everyone is telling me to do different things...
I don't care which way, I just want to be able to have IPv6, open NAT, VPN access (when needed) & one ethernet port that'll bypass the VPN.

I have no experience in this, so instructions need to be clear (or linked to a page that has them)

There is no right or wrong, but different options to check.

Regarding my PD question and your answer:
Your provider does not seem to hand out an IPv6 prefix to your outer router; that's why your router does not list anything regarding prefix delegation.
This then means that your outer router cannot hand out IPv6 addresses to your inner router. That is why there is no IPv6 available on your inner router in your cascaded scenario.
That means that in that scenario you won't have IPv6 on your inner router when running cascaded routers.
So my suggestion with trying to mess with prefix delegation will not work for your scenario, unfortunately.
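
The prefix-delegation arithmetic discussed above, as an added example that is not from any poster in this thread: it shows why a /56 from the provider leaves room for a routed inner router while a bare /64, or no delegated prefix at all, does not. The `2001:db8::` prefixes are constructed documentation addresses, and `plan_delegation` and the /60 inner size are assumptions made for illustration.

```python
import ipaddress

SLAAC_LEN = 64  # each LAN segment needs its own /64 for SLAAC


def plan_delegation(delegated, inner_len=60):
    """Split the prefix the ISP delegated to the outer router.

    Returns (outer_lan, inner_prefix, inner_lans): the /64 the outer router
    keeps for its own LAN, the sub-prefix it can delegate to the inner
    router, and how many /64 LANs the inner router can number from it.
    Returns None when nothing can be delegated downstream.
    """
    if delegated is None:
        return None  # the ISP hands out no IPv6-PD at all
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen >= SLAAC_LEN:
        return None  # a single /64 cannot be split into usable LANs
    if not net.prefixlen < inner_len <= SLAAC_LEN:
        return None  # requested inner size does not fit inside the delegation
    # The outer router numbers its own LAN from the first /64.
    outer_lan = next(net.subnets(new_prefix=SLAAC_LEN))
    # Delegate the first block that does not contain the outer LAN.
    inner = next(c for c in net.subnets(new_prefix=inner_len)
                 if not c.overlaps(outer_lan))
    return outer_lan, inner, 2 ** (SLAAC_LEN - inner_len)


if __name__ == "__main__":
    # Constructed inputs: a /56, a bare /64, and no delegation.
    for pd in ("2001:db8:1200::/56", "2001:db8:1200::/64", None):
        plan = plan_delegation(pd)
        if plan is None:
            print(f"{pd}: nothing to delegate; inner router gets no routed IPv6")
        else:
            outer_lan, inner, lans = plan
            print(f"{pd}: outer LAN {outer_lan}, inner router {inner} ({lans} LANs)")
```
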

I guess I'll try to do the "dumb AP" thing...

What make, model, and version is this router? That will affect how the Ethernet ports are configured.