Greetings!
I'm trying to establish an IPv6-only WiFi network in my home.
As my provider is IPv4-only and NAT'ed, without a white IPv4 address, I had to get a tunnel from Hurricane Electric (/48) and set up WireGuard IPv6, which provides me with a /64 address on OpenWrt.
Where I'm really stuck: how to share this /64 via WiFi? As far as I can see, I cannot do it from the web UI: WiFi devices share only the "lan" interface (the UI doesn't offer an option to select the wg_ipv6 interface).
Can anyone give me hints?
System information is below.
Thanks a lot!
root@OpenWrt:~# ubus call system board
{
"kernel": "5.15.134",
"hostname": "OpenWrt",
"system": "ARMv8 Processor rev 3",
"model": "Raspberry Pi 4 Model B Rev 1.4",
"board_name": "raspberrypi,4-model-b",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.0",
"revision": "r23497-6637af95aa",
"target": "bcm27xx/bcm2711",
"description": "OpenWrt 23.05.0 r23497-6637af95aa"
}
}
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd39:1e87:4b3d::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'dhcp'
config interface 'wg_ipv6'
option proto 'wireguard'
option private_key 'GEV8HBhM3DhSYL0PXIGRLaeKVOG8lvYYIJk80iLTen8='
list addresses '[hidden by author]::/64'
config wireguard_wg_ipv6
option description 'WG_IPv6_Connection'
option public_key '9rhoTZgok8wslF+NMKJbiHQgZIt5X8euG3bNYer+hTI='
list allowed_ips '2000::/3'
option endpoint_host '[hidden by author]'
option endpoint_port '51820'
config device
option type 'bridge'
option name 'br_ipv6'
list ports 'wg_ipv6'
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
option channel '36'
option band '5g'
option htmode 'VHT80'
option country 'TR'
option cell_density '0'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'
config wifi-iface 'wifinet1'
option device 'radio0'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'
option network 'lan'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'wg_ipv6'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
You need a separate /64 for another interface. You can't use the same subnet as on the wireguard interface, since WireGuard is a routed protocol. You also can't add wg_ipv6 to a bridge for this reason.
If you have got a /48 then I recommend routing a /56 (or /52 but at least a /60) to the OpenWrt device. The /64 you use on the wg interface shouldn't be within this prefix.
Then add another static interface as an alias for wg_ipv6. This allows you to configure the routed /56 as an "IPv6 routed prefix" on this new interface. And this in turn allows you to use "IPv6 prefix assignment length" on the interface you want to provide IPv6. This can be your regular lan interface or any other interface. The assignment can be /64 or larger, such as /60 if you want to delegate a prefix to a router in the interface. That should automatically configure an IPv6 prefix from your assignment.
Also if you did post your actual private key then you need to replace it.
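An added example, not part of the original posts: a Python check of the addressing layout recommended in the reply above (routed prefix inside the allocation, /60 or shorter, tunnel /64 outside it), followed by a first-fit carve of per-interface assignments. All prefixes are constructed from the documentation range 2001:db8::/32, the function names are hypothetical, and the carve is an illustration rather than netifd's actual allocator.

```python
import ipaddress

def check_plan(allocation, routed, tunnel):
    """Return the problems found in an addressing plan laid out as the reply advises."""
    alloc, rt, tun = (ipaddress.ip_network(n) for n in (allocation, routed, tunnel))
    problems = []
    if not rt.subnet_of(alloc):
        problems.append("routed prefix is outside the allocation")
    if rt.prefixlen > 60:
        problems.append("routed prefix is longer than /60")
    if tun.overlaps(rt):
        problems.append("tunnel prefix overlaps the routed prefix")
    return problems

def carve(routed, requests):
    """Hand out one sub-prefix per interface from the routed prefix.

    requests maps interface name -> assignment length (64, 60, ...).
    First-fit, largest block first: an illustration, not netifd's allocator.
    """
    free, out = [ipaddress.ip_network(routed)], {}
    for name, length in sorted(requests.items(), key=lambda kv: kv[1]):
        block = next((b for b in free if b.prefixlen <= length), None)
        if block is None:
            raise ValueError(f"no room for a /{length} for {name}")
        sub = next(block.subnets(new_prefix=length))
        out[name] = str(sub)
        free.remove(block)
        if block != sub:
            # Keep the unused remainder of the block, lowest address first.
            free = sorted(free + list(block.address_exclude(sub)))
    return out

# Constructed values from the documentation range 2001:db8::/32.
ALLOCATION = "2001:db8:100::/48"      # stands in for the /48
ROUTED = "2001:db8:100:100::/56"      # prefix routed to the OpenWrt device
TUNNEL = "2001:db8:100:1::/64"        # /64 on the WireGuard link itself

if __name__ == "__main__":
    print(check_plan(ALLOCATION, ROUTED, TUNNEL))
    print(carve(ROUTED, {"ipv6_users": 64, "downstream_router": 60}))
```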
If you are going to use the WireGuard interface similar to an IPv6 WAN, then you need two IPv6 prefixes, both on the "WAN" interface which is wg_ipv6 in your case, and a separate IPv6 prefix that's routed to OpenWrt and can be used on your lan and other local interfaces.
Yes
The new static interface is only needed because you can't add an IPv6 routed prefix to a WireGuard interface. You can't use it on, for example, WiFi; for that you need another interface, or you can use your regular lan if you want to dual-stack it.
option type bridge within a config interface is the deprecated old syntax. Bridges are now declared separately. Remove that line.
As noted, don't try to bridge anything else with the wireguard interface, you're going to route to it, though you probably do want a bridge for the local IPv6 users, which may be wired (if your hardware has an available Ethernet port) or wireless.
I would rewrite as follows:
config device
    option type 'bridge'
    option name 'br-ipv6_users'

config interface 'ipv6_users'
    option device 'br-ipv6_users'
    option proto 'static'
    option ip6assign '64'
This bridge is initially empty. Connect at least one wifi AP to it in /etc/config/wireless with option network ipv6_users. Note that the /etc/config/wireless you posted has two APs on the same radio with the same SSID, which is not valid.
The ipv6_users interface also needs an RA and / or DHCPv6 server started on it in /etc/config/dhcp. For a /64 serving endpoints in a home network I suggest running RA only.
Next since everything on the wireguard interface is manually configured, it is probably going to be necessary to add an option prefix '<myprefix::/56>' to the wireguard interface to get the prefix entered into the UCI delegation system (so that option ip6assign on other interfaces can pull sub-prefixes out). This should also set up appropriate routes etc. If the wireguard interface is going to have a GUA address (it does not need one, only a link-local), it should be only a /64 or /128 and be outside the prefix block that is being routed in.
After setting all that up, use ip addr show and ifstatus <interfacename> to see if addresses are being assigned and delegated properly. Then investigate the v6 routing with ip -6 route show.
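An added example, not part of the original posts or of OpenWrt: a small Python lint for two of the problems this thread points out in the posted files, a WireGuard interface listed as a bridge port and two APs on one radio sharing an SSID. The UCI excerpt is constructed from the posted configuration, and parse_uci and lint are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the configuration posted in the thread.
SAMPLE = """
config interface 'wg_ipv6'
    option proto 'wireguard'
config device
    option type 'bridge'
    option name 'br_ipv6'
    list ports 'wg_ipv6'
config wifi-iface 'default_radio0'
    option device 'radio0'
    option mode 'ap'
    option ssid 'OpenWrt'
config wifi-iface 'wifinet1'
    option device 'radio0'
    option mode 'ap'
    option ssid 'OpenWrt'
"""

def parse_uci(text):
    """Return sections as dicts: type, name, opts (key -> list of values)."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*(config|option|list)\s+(\S+)\s*(.*)$", line)
        if not m:
            continue
        kind, key, val = (g.strip().strip("'\"") for g in m.groups())
        if kind == "config":
            sections.append({"type": key, "name": val, "opts": defaultdict(list)})
        elif sections:
            sections[-1]["opts"][key].append(val)
    return sections

def lint(sections):
    """Flag a WireGuard bridge port and duplicate AP SSIDs on one radio."""
    findings, seen_aps = [], set()
    wg = {s["name"] for s in sections if "wireguard" in s["opts"]["proto"]}
    for s in sections:
        o = s["opts"]
        if s["type"] == "device" and "bridge" in o["type"]:
            # WireGuard is routed (layer 3), so it cannot be a bridge port.
            findings += [f"bridge-port:{p}" for p in o["ports"] if p in wg]
        if s["type"] == "wifi-iface" and "ap" in o["mode"]:
            ap = (tuple(o["device"]), tuple(o["ssid"]))
            if ap in seen_aps:
                findings.append(f"duplicate-ssid:{s['name']}")
            seen_aps.add(ap)
    return findings
```

Calling `lint(parse_uci(SAMPLE))` returns one finding for the `wg_ipv6` bridge port and one for the second AP, `wifinet1`.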
If I'm right the reason you are not getting an address is because your lan is asking for a DHCP address as though it were a wan interface instead of being static and handing them out as a lan interface should...
Great, thank you.
You do indeed have your ethernet on the lan interface. You need to add an interface, name it wan, and put your ETH0 in it. Make sure that also removes it from the lan. It should be a DHCP client. It needs to get an IP address from your ISP. Your radio0 needs to be in the lan which is in devices and needs editing.
Your lan needs to be set to static and you need to assign a starting IP address. You can leave it as a bridge; we may need it. In its settings you need to use the wan's assigned IP address as the gateway address.
Now, remove the screenshot; you included your ipv6 address and it need not be in the wild.
The good news is this is a Pi. If needed, the SD card can be flashed again. You do not need to worry about bricking the Pi, because you can't, and it might be easier to start fresh than to try to clean it up.
When you first booted it was set up and all that needed to be done was enabling the radio so you could get into the router and move the eth0 over to a new interface named wan.
You do indeed have your ethernet on the lan interface. You need to add an interface, name it wan, and put your ETH0 in it. Make sure that also removes it from the lan. It should be a DHCP client. It needs to get an IP address from your ISP.
I'm pretty sure I'm already getting my IP from the ISP (and its router). The address is from the 192.168.1.XX network. I'm logged in now via ssh on this interface. Why does my LAN (eth0, I mean) have to be modified? It already works with the "raw" internet connection from the ISP. I just want to share the WireGuard IPv6 connection.
In the local network topology, eth0 is already behind the ISP router. Ok, thank you.
Sorry, but the original question is still unclear to me: I can't get an IP address on the WiFi network from the RPi/OpenWrt device.