IPv6 on LAN (Dumb AP)

I have 4 dumb APs (OpenWRT) and 1 router (FTTH forces me to use it - no OpenWRT).

The router has RA and DHCPv6 enabled (default configuration). My PCs got IPv6. But LAN interfaces on OpenWRT do not (by default). Should I create it? Or is there no need for that?

It depends on the current configuration.
If lan uses static protocol, that means you assign IPs manually, you can just add the IPv6 the same way.
Otherwise, if lan is using dhcp, or if you anyway want to use dhcp6, then you have to create a new lan6 interface with dhcp6 client protocol and assign it to lan firewall zone.

3 Likes

Configuration example for automatic IPv6 assignment:

config interface 'lan6'               
        option ifname '@lan'          
        option proto 'dhcpv6'         
        option reqprefix 'no'         

The wiki says about reqprefix:

Use 'no' if you only want a single IPv6 address for the AP itself without a subnet for routing

which fits the use case of a simple AP.

2 Likes

Short answer:
If you have to ask that question, you do not need it. And because I am still not happy with the current state of IPv6 in OpenWrt as LAN client, I do not recommend doing it unless you have a reason.

Long answer
mpa explained already what is needed. There is an OpenWrt wiki with more details (and for future visitors perhaps with more up-to-date information). However, as of today, that wiki entry is not complete as you should also delete the ula_prefix in the globals section of /etc/config/network.

That answers how to do it. Your question is whether you need it.

Reason a)
You need a global IPv6 address on your OpenWrt, if you use a service which is external to your home network and is IPv6-only. In other words, an IPv6-only service on the Internet. This is rare for public services. However, more and more residential Internet Service Providers (ISP) tend to offer just global IPv6 to their customers (terms are DS-Lite or CG-NAT). If you have such an ISP or a friend of yours has such an ISP, you need IPv6 on your OpenWrt.

Reason b)
You need a global IPv6 address on your OpenWrt if you offer a service (on your OpenWrt) to the Internet and you have such an IPv6 ISP or the local network of your user(s) is IPv6-only.

Reason c)
You need a global IPv6 address on your OpenWrt if you offer a service (on your OpenWrt) to the Internet and the local network of your user(s) is IPv6-only.

The latter sounds esoteric today. However, I faced that already several times: In a hotel, where the DHCP server for IPv4 crashed, sometimes, IPv6 connectivity still works. Then all you have is IPv6-only. And then it is very handy to offer a VPN via IPv6 from home because you can use the whole Internet in that hotel.

So, yes, if you have the time and interest, go for IPv6 on your LAN client. It does not hurt, except that OpenWrt does not have that one big switch to enable IPv6 but requires several changes (as mpa, the wiki and I explained). By the way, IPv6 on your OpenWrt is not required if you want to access/configure it. For that, you still use IPv4. I hope this clarifies IPv6 a bit. It is nice to have, in some cases it is a must have.

3 Likes

Thank you all for the help.

Yes. Do I need a firewall zone? I had disabled the firewall. Indeed, on 2 APs (very old, low flash memory) I had a custom image and removed all I don't need. But now I realized I removed odhcp6c. Actually, all devices do not have WAN, since I bridge it with LAN.

LuCI does not have this, OK? I have to manually edit it.

Yes. I had already done that in all APs.

I know a little about networks, but always used IPv4. Now, my ISP gives me IPv6 and I decided to play with IPv6. But I'm still learning it. Link Local, Unique local, Global IP, etc... With IPv4 and NAT, port forwarding, etc., I knew how to open or protect a device. Now I'm blind. Still trying to figure out how IPv6 works in practice. (How to survive without NAT). Still don't know how to make a PC accessible from the internet or protect it.

In LuCI it is ‘Request IPv6-prefix of length: disabled’ on the general tab ← lan6 ← Network ← Interfaces.

When it comes to your other questions: On a dumb AP, you do not have a firewall normally. And you do not have any services on such a dumb AP – normally. If you want to access a server on this OpenWrt from the outside, the general Internet, it might be easier (at the start) to go for the default scenario, a WAN router. Which services do you want to offer? Perhaps that helps us better to understand your specific scenario. Just a note: When it comes to Wi-Fi, the access point is transparent; any Wi-Fi client behind the access point looks like attached directly to your upstream router, whether IPv4-only, IPv4/IPv6, or IPv6-only; the IPv6 state of your access point does not matter.

Could u share the reason that ISP forces u to use its ONU as router?

What's the size of global prefix they delegate to u? If it's above /64, an OpenWRT router should be able to receive a shorter prefix and use it, if ONU router doesn't deny delegating. Then u don't need to set it to bridge mode.

I guess, quirino1977 has a residential/home network with several Wi-Fi access points. If you want to roam seamlessly between those access points, you have to keep your IPv4 and IPv6. Consequently, quirino1977 went not for ‘WAN router’ but instead for ‘Dumb AP’. quirino1977 is that correct? Would have done it the same way. The question is therefore whether quirino1977 really needs IPv6 connectivity on his OpenWrt devices (and if for what).

If you have disabled it then no need.

Then the only way to get the ipv6 is static.

1 Like

Thank you all for the help.

The goal is to understand how IPv6 works. For now, just reaching any simple service (ftp or web server) is fine.

That's what i thought. But nice to confirm.

Somehow I'm forced because my OpenWRT router does not have fiber. I could set the ISP device to bridge. But first I need to learn how to config the OpenWRT on IPv6 properly. The main point is that my routers do not have Gigabit ports. So, for now it is better to use the ISP as a router. I can deliver 100Mbps to each OpenWRT and Gb to my main PC.
They delegate a /64. I don't get this yet. Why does the prefix not match the WAN Global IP?
Delegated Prefix: 2804:7f2:789:fd5c::/64
Global IPv6 Address - WAN: 2804:7f2:31e:6ea7:dac6:78ff:fe3d:f488/64

You're right. Residential and I have 4 Dumb APs with 802.11r. It's been working nicely for years with just IPv4. Also, devices do get IPv6 addresses. I just want to understand how things work. I don't know why the router has a Global IP that differs from the delegated prefix. On the overview LuCI shows:
-Mobile phone IPv4 and IPv6 link local.
-Work's mobile phone, just link local.
-Work's notebook, IPv4 and Global (that matches the delegated prefix).
-Private Notebook, just Link Local (i checked and it got a global that also matches PD).
-My daughter mobile phone, just IPv4.
-The 2 Dumb APs with OpenWRT that i created LAN6, got Global matching PD.

Is it the result of 2 APs having LAN6 and 2 not having it? Or does it just depend on the traffic through the APs? As a dumb AP should be transparent, I didn't get this different behaviour.

I will have to create another image. I tried installing odhcp6c but LuCI did not show the IPv6 DHCP Client option. Now I realize. Maybe it would work if I insert the network config manually? Or does it require to be integrated into the firmware?

luci-proto-ipv6 is needed for that.

1 Like

Yeah I also understood he has multiple bridged APs, my wonder is why he's not using an OpenWRT router or some router with better features.

I know pretty well how hard it is to have to turn modem to bridge and then have to learn to setup OpenWRT. My suggestion is to split your job in steps and focus on 1 step per time. I think it's easier to first get OpenWRT as router, because it has more features and freedom, and only then start working with IPv6 and APs.

If your current router device doesn't support GbE, then it's better to focus on buying a better one.

As u have multiple APs, it's also better to work on 1 per time, not all of them together. Choose 1 and focus on it, only when it's properly set u move to the next.

First test it on its RJ45 ports, only then move to WiFi. Choose 1 device, preferably laptop, to make tests. WiFi should have the same results as RJ45, only changing MAC and IP address.

One thing is the IPv6 address the router WAN interface uses, other thing is the prefix it receives. Its address is outside its prefix, the prefix is only used on internal LAN.

If u're having trouble even to install services and had uninstalled some, it's better to reset configs and install a clean image. There are a lot of customizations on OpenWRT, like compiling ur packages and just building a custom image. When building custom image, we can also add to it our config files directly. But first u need to learn the basics, which includes default image, default packages and their default configs.

I'm now using a Subversion repo to keep track of all configs on all my OpenWRT devices and using rsync over SSH to keep files synched. It helps A LOT to keep it all organized and find out when something was changed and what.

Good to know. Already done that and worked fine.

That's the point. I'm still learning IPv6. Didn't know that. Are Globals on the PD accessible from the internet? If not, can it be like IPv4 "port forward"? If yes, how can I protect my devices? All by traffic rules on the firewall now?

I intend to buy a new Gb port router that supports OpenWRT. But first I need to be more familiar with IPv6. While I learn it, I will keep praying for prices to go down a little bit here. Most (old) devices are twice (or more) the price of 2019. My earnings are the same.

I know how it is, it took me a lot of study to learn the basics of IPv6. It's too complex for its own good.

There's no port forwarding on IPv6. There's NPTv6 and NAT6. Regardless, we need proper firewall configuration, which isn't easy to do. There's some privacy extension that makes devices generate temporary interface IDs to use for outbound connections, but it only makes everything more complex. In theory we could have 1 interface ID for each software connection.

Libertarians in Brasil claim it's happening only here... well instead of messing with ur LAN I suggest using VMware, it's much more practical. OpenWRT requires only 160MB RAM and there are some very lean Linux distros for such uses too.

Yes, i read that. One IP for each service. One simple question will make it easier. Are Global IP (PD) reachable from the internet? I understood so.

I'm also in Brazil. The pandemic and the Real losing value made things tough. Just to create a VMware will take me some time that is hard to get. It would be easier to use one of the APs to do tests. I also have a Raspberry to mess with and can use OpenWRT on it. I thought it would be more similar to IPv4, but it's not. Quite different, even for me who was familiar with IPv4.

Of course IPv6 is reachable. But it's very complex. ISP may be blocking inbound connections, router firewall may be. There's privacy extension to IPv6 that device OS may be using and because of that it may not accept connections to addresses it's using and Internet servers recognize it with.

I gave up trying to receive connections using IPv6, IPv4 works fine for the few services I need listening. Tor for example has very bad IPv6 support and last time I talked to them they were tired of it and were delaying to develop better support.

It seems that some softwares, OS, ISP etc are blocking or rejecting inbound connections because we got used to feel safe under NAT and not care to config firewall, and they fear that hacking will increase if all of a sudden all devices on the world become directly accessible with IPv6. But so much blocking and getting hard to diagnose where it's happening isn't the solution.

We're all having that, IPv6 is too complex to develop and maintain. They tried to solve issues on IPv4 we hardly suffer and created a lot of complexity. And the original solutions didn't work, now we're having to circumvent them, and they became burdens.

Just because you don't understand it, doesn't mean it is.

Privacy extensions are used for outbound connections. If you set up a server it will be either a static IP or a stable one assigned by DHCP or the EUI-64.

If you are an average Joe internet user, browsing and chatting, most likely you won't understand why it was created. Because network engineers use a lot of workarounds, which affect connectivity, to circumvent the lack of available IPv4.
For the rest who use incoming connections where nat and cgnat are a headache, it is a progress.
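Added example, not written by any poster in this thread: a Python check, using the delegated prefix and WAN address quoted earlier, of which addresses sit inside the delegated /64 and whether an interface ID is a modified EUI-64 that reveals the device's MAC address. The function names and the other sample addresses are constructed for illustration.

```python
import ipaddress

# Values quoted earlier in the thread.
DELEGATED_PREFIX = ipaddress.IPv6Network("2804:7f2:789:fd5c::/64")
WAN_ADDRESS = "2804:7f2:31e:6ea7:dac6:78ff:fe3d:f488"

ULA = ipaddress.IPv6Network("fc00::/7")


def scope(addr):
    """Classify an address as link-local, unique-local, global or other."""
    if addr.is_link_local:
        return "link-local"      # fe80::/10, valid on one link only
    if addr in ULA:
        return "unique-local"    # routed inside the site, not on the Internet
    if addr.is_global:
        return "global"          # routable; reachability is up to firewalls
    return "other"


def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None."""
    iid = addr.packed[8:]        # low 64 bits = interface ID
    if iid[3:5] != b"\xff\xfe":
        return None              # manual, DHCPv6 or temporary (privacy) ID
    # Undo the EUI-64 transform: flip the universal/local bit, drop ff:fe.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def describe(text, prefix=DELEGATED_PREFIX):
    addr = ipaddress.IPv6Address(text)
    return {
        "scope": scope(addr),
        "in_delegated_prefix": addr in prefix,
        "eui64_mac": eui64_mac(addr),
    }


if __name__ == "__main__":
    samples = [
        WAN_ADDRESS,                                # from the thread
        "2804:7f2:789:fd5c:3c1a:9b7e:52d0:e4f1",    # constructed LAN host
        "fe80::dac6:78ff:fe3d:f488",                # constructed link-local
        "fd12:3456:789a::1",                        # constructed ULA
    ]
    for s in samples:
        print(s, describe(s))
```

The router's WAN address is global but outside the delegated /64, and its interface ID is a stable EUI-64 derived from the MAC, which is the kind of address a firewall rule for a server can reference, unlike a temporary privacy address.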

@trendy do you recommend some text, site, book, etc, to people who are already familiar to IPv4, NAT, etc, and want to faster "upgrade" to IPv6?

For free there is this one, but mostly focused on security.
Also: https://tldp.org/HOWTO/Linux+IPv6-HOWTO/
https://www.enog.org/presentations/enog-3/67-IPv6-tutorial.pdf

2 Likes

I don't mean I don't understand it. In fact I had studied it, and read IETF specifications to prove to ISP they must provide /56 prefix.

I mean it's complex. Compared to IPv4. It has too many more business rules. That makes developing softwares for it more complex. More complex software is harder to maintain and review its quality. Software configs may become harder to set. Documentation of software configs must be lengthier, which requires more work to write and harder to read. Softwares may not support all features and modes, as my old Cisco RV340 didn't support ULA when I used it.

NAT wasn't designed to be a security feature, but regardless of that it makes subnet setup easier, because it decouples a subnet from other sibling subnets and WAN. Whatever the ISP configures on its router doesn't affect how we configure our LAN.

If IPv6 is meant to fully replace IPv4, it must be at least as easy and error prone for average Internet user to setup his own router and network services.