Ipv6: OpenWrt router has valid ipv6, but WLAN clients have not

Hello,

I'm trying to get valid ipv6 for my (openwrt) WLAN clients. So far, I've succeeded in getting ipv6 working on my openwrt device (dir-645):

root@LEDE:~# wget http://ipv6.google.com
Downloading 'http://ipv6.google.com'
Connecting to 2a00:1450:4001:81e::200e:80
Writing to 'index.html'
# ifconfig
br-lan    Link encap:Ethernet  HWaddr BC:F6:85:C4:BE:EA  
          inet addr:192.168.11.11  Bcast:192.168.11.255  Mask:255.255.255.0
          inet6 addr: 20xx:xxxx:xxxx:ba5::beed/64 Scope:Global
          inet6 addr: 20xx:xxxx:xxxx:ba5::1/64 Scope:Global
          inet6 addr: fe80::beed/64 Scope:Link
          inet6 addr: fe80::bef6:85ff:fec4:beea/64 Scope:Link
          inet6 addr: fd86:18e4:aed5::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1456 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1275 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:244737 (239.0 KiB)  TX bytes:838604 (818.9 KiB)

br-wan    Link encap:Ethernet  HWaddr BC:F6:85:C4:BE:EB  
          inet addr:192.168.10.10  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fe80::bef6:85ff:fec4:beeb/64 Scope:Link
          inet6 addr: 20xx:xxxx:xxxx:ba5:bef6:85ff:fec4:beeb/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:18790 errors:0 dropped:2602 overruns:0 frame:0
          TX packets:12462 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2769743 (2.6 MiB)  TX bytes:6857091 (6.5 MiB)

eth0      Link encap:Ethernet  HWaddr BC:F6:85:C4:BE:EA  
          inet6 addr: fe80::bef6:85ff:fec4:beea/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:20519 errors:0 dropped:12 overruns:0 frame:0
          TX packets:13819 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3226064 (3.0 MiB)  TX bytes:7069961 (6.7 MiB)
          Interrupt:5 

eth0.1    Link encap:Ethernet  HWaddr BC:F6:85:C4:BE:EA  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:131 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:17285 (16.8 KiB)

eth0.2    Link encap:Ethernet  HWaddr BC:F6:85:C4:BE:EB  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:20202 errors:0 dropped:87 overruns:0 frame:0
          TX packets:12462 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2839994 (2.7 MiB)  TX bytes:6857091 (6.5 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:3755 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3755 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:294911 (287.9 KiB)  TX bytes:294911 (287.9 KiB)

wlan0     Link encap:Ethernet  HWaddr BC:F6:85:C4:BE:EA  
          inet6 addr: fe80::bef6:85ff:fec4:beea/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1455 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1566 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:265101 (258.8 KiB)  TX bytes:895225 (874.2 KiB)

However, devices connected to my openwrt on WLAN have an ipv4 connection to the internet, but the ipv6 connection to the internet fails.

My scenario is as follows: I'm using a DSL router (fritzbox) to get connected to the internet; for ipv6, dhcpv6 is configured on the DSL router.

I would accept all solutions that result in an ipv6 connection from WLAN devices (connected to openwrt). So I don't care if the dhcpv6 server of the DSL router is relayed or if openwrt uses its own dhcpv6 server. However, dhcpv6 must be provided on WLAN.

So I tried different configurations in luci for 'interfaces -> lan -> dhcp server -> ipv6 settings' (server, relay, hybrid). But none of this has solved the problem.

Any suggestions?

Kind regards,
aanno

ifstatus wan6

?

# ifstatus wan6
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 3906,
        "l3_device": "br-wan",
        "proto": "dhcpv6",
        "device": "br-wan",
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [

        ],
        "ipv6-address": [
                {
                        "address": "20xx:xxx:xxxx:ba5:bef6:85ff:fec4:beeb",
                        "mask": 64,
                        "preferred": 3313,
                        "valid": 6913
                }
        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "20xx:xxx:xxxx:ba5::",
                        "mask": 64,
                        "nexthop": "::",
                        "metric": 256,
                        "valid": 6913,
                        "source": "::/0"
                },
                {
                        "target": "20xx:xxx:xxxx:ba5::",
                        "mask": 64,
                        "nexthop": "fe80::3681:c4ff:fec9:6d8b",
                        "metric": 512,
                        "valid": 1513,
                        "source": "::/0"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::3681:c4ff:fec9:6d8b",
                        "metric": 512,
                        "valid": 1513,
                        "source": "20xx:xxx:xxxx:ba5:bef6:85ff:fec4:beeb/64"
                }
        ],
        "dns-server": [
                "fd00::3681:c4ff:fec9:6d8b"
        ],
        "dns-search": [

        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {
                "passthru": "00170010fd000000000000003681c4fffec96d8b0038001400010010fd000000000000003681c4fffec96d8b005600102001047000260ba53681c4fffec96d8b"
        }
}

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
root@LEDE:~# ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
{
        "kernel": "4.14.195",
        "hostname": "LEDE",
        "system": "Ralink RT3883 ver:1 eco:5",
        "model": "D-Link DIR-645",
        "board_name": "dir-645",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.4",
                "revision": "r11208-ce6496d796",
                "target": "ramips/rt3883",
                "description": "OpenWrt 19.07.4 r11208-ce6496d796"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fe80::bef6:85ff:fec4:beea/64'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.11.11'
        option ip6assign '64'
        option ip6hint 'beef'
        option ip6ifaceid '::beed'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr 'bc:f6:85:c4:be:ea'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        option hostname 'dir-645'
        option type 'bridge'

config device 'wan_dev'
        option name 'eth0.2'
        option macaddr 'bc:f6:85:c4:be:eb'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
        option enable_vlan4k '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

config route
        option interface 'lan'
        option target '192.168.10.0'
        option netmask '255.255.255.0'
        option gateway '192.168.10.10'

config interface 'wan6'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option clientid '36AF'
        option ifname '@wan'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path 'platform/10180000.wmac'
        option txpower '20'
        option channel '1'
        option distance '30'
        option legacy_rates '0'
        option htmode 'HT40'
        option country 'DE'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option key 'xxxxxxxxxx'
        option ssid 'OpenWrt'
        option encryption 'psk2'
        option wpa_disable_eapol_key_retries '1'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        option nonwildcard '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option master '1'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '80'
        option dest_ip '192.168.11.11'
        option dest_port '80'
        option name 'Wan-Luci'
        option src_ip '192.168.10.0/24'

config redirect
        option enabled '1'
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '22'
        option dest_ip '192.168.11.11'
        option dest_port '22'
        option name 'Wan-Ssh'
        option src_ip '192.168.10.0/24'

config rule
        option target 'ACCEPT'
        option src 'lan'
        option dest 'wan'
        option name 'AllowToFritz'
        option family 'ipv4'
        option src_ip '192.168.11.0/24'
        option dest_ip '192.168.10.0/24'

config rule
        option target 'ACCEPT'
        option name 'AllowFromFritz'
        option family 'ipv4'
        option src 'wan'
        option src_ip '192.168.10.0/24'
        option dest_ip '192.168.11.0/24'
        option dest 'lan'
        option proto 'all'

config defaults

config zone
        option input 'DROP'
        option forward 'DROP'
        option name 'wan'
        option output 'DROP'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::bef6:85ff:fec4:beea/64 scope link 
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::bef6:85ff:fec4:beea/64 scope link 
       valid_lft forever preferred_lft forever
    inet6 fe80::beed/64 scope link 
       valid_lft forever preferred_lft forever
6: br-wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 20xx:xxxx:xxxx:ba5:bef6:85ff:fec4:beeb/64 scope global dynamic 
       valid_lft 7058sec preferred_lft 3458sec
    inet6 fe80::bef6:85ff:fec4:beeb/64 scope link 
       valid_lft forever preferred_lft forever
8: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::bef6:85ff:fec4:beea/64 scope link 
       valid_lft forever preferred_lft forever
default from 2001:470:26:ba5::/64 via fe80::3681:c4ff:fec9:6d8b dev br-wan  metric 512 
20xx:xxxx:xxxx:ba5::/64 dev br-wan  metric 256 
20xx:xxxx:xxxx:ba5::/64 via fe80::3681:c4ff:fec9:6d8b dev br-wan  metric 512 
fe80::/64 dev br-wan  metric 256 
fe80::/64 dev eth0  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev wlan0  metric 256 
fe80::/64 dev br-lan  metric 1024 
unreachable fe80::/64 dev lo  metric 2147483647  error -148
local ::1 dev lo table local  metric 0 
anycast 20xx:xxxx:xxxx:ba5:: dev br-wan table local  metric 0 
local 20xx:xxxx:xxxx:ba5:bef6:85ff:fec4:beeb dev br-wan table local  metric 0 
anycast fe80:: dev br-wan table local  metric 0 
anycast fe80:: dev br-lan table local  metric 0 
anycast fe80:: dev eth0 table local  metric 0 
anycast fe80:: dev wlan0 table local  metric 0 
local fe80::beed dev br-lan table local  metric 0 
local fe80::bef6:85ff:fec4:beea dev eth0 table local  metric 0 
local fe80::bef6:85ff:fec4:beea dev br-lan table local  metric 0 
local fe80::bef6:85ff:fec4:beea dev wlan0 table local  metric 0 
local fe80::bef6:85ff:fec4:beeb dev br-wan table local  metric 0 
ff00::/8 dev br-lan table local  metric 256 
ff00::/8 dev br-wan table local  metric 256 
ff00::/8 dev eth0 table local  metric 256 
ff00::/8 dev wlan0 table local  metric 256 
0:      from all lookup local 
32766:  from all lookup main 
4200000001:     from all iif lo lookup unspec 12
4200000004:     from all iif br-lan lookup unspec 12
4200000006:     from all iif br-wan lookup unspec 12
4200000006:     from all iif br-wan lookup unspec 12
lrwxrwxrwx    1 root     root            16 Sep  6 16:19 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Sep 25 09:51 /tmp/resolv.conf
-rw-r--r--    1 root     root           111 Sep 25 09:52 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 192.168.10.3
search fritz.box
# Interface wan6
nameserver fd00::3681:c4ff:fec9:6d8b

You have a /64 address with no prefix, which means you should use the relay mode:
https://openwrt.org/docs/guide-user/network/ipv6/start#router_advertisement_dhcpv6

Hmm, for me it looks like this is exactly what I'm doing...


According to the wiki, it requires configuring both the lan and wan6 sections.


master goes to wan6 interface, not lan.
Also remove the bridge from wan interface.


@vgaetera @trendy I tried your suggestion, but no...

Relevant changes:

network

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        option hostname 'dir-645'
        # option type 'bridge'

dhcp

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        # option master '1'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'

config dhcp 'wan6'
        option interface 'wan6'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option master '1'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'

#config dhcp 'wan'
#       option interface 'wan'
#       option ignore '1'

Some remarks:

  1. Luci does not create a dhcp/wan6 section. Perhaps this is because wan6 is an alias (dev @wan).
    It is not possible to edit (or create) the section with luci.
  2. Luci has created the dhcp/wan section I commented out.
  3. On Luci 'status -> overview', 'Active DHCP Leases' entries can be seen. However, 'Active DHCPv6 Leases' section is empty.
  4. The 'Associated Stations' section contains an entry with 'Host: HUAWEI_RIO-L01-ea27a134a9.lan (192.168.11.113, fe80::deee:6ff:fed9:7bac)'. Hence it looks like there is an ipv6 link-local address on the WLAN client, but this is not enough to connect to the internet.

Upgrade to the latest stable firmware release if possible.
Remove the type option from the wan interface.
Remove the clientid option from the wan6 interface.
Specify the same ifname for both wan and wan6.

I use the latest firmware and tried your changes, but no.

For reference:

# cat /etc/config/network 

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fe80::bef6:85ff:fec4:beea/64'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.11.11'
        option ip6assign '64'
        option ip6hint 'beef'
        option ip6ifaceid '::beed'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr 'bc:f6:85:c4:be:ea'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        option hostname 'dir-645'

config device 'wan_dev'
        option name 'eth0.2'
        option macaddr 'bc:f6:85:c4:be:eb'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
        option enable_vlan4k '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

config route
        option interface 'lan'
        option target '192.168.10.0'
        option netmask '255.255.255.0'
        option gateway '192.168.10.10'

config interface 'wan6'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option ifname 'eth0.2'

Also remove ip6hint and ip6ifaceid from the lan interface.

In addition, this route looks wrong as the target/netmask overlaps the gateway:

I don't think it is connected. Unfortunately the relay configuration has to be done from command line.

You can leave it as it was.

Not strange.

Link local addresses are, as the name suggests, local only. You cannot use them to reach another network, let alone the internet.
Post once again the uci export network; uci export dhcp and run a tcpdump while connecting a host on the lan to monitor the packet exchange.
tcpdump -i any -evn icmp6 or udp port 547

tcpdump as requested, from the connecting device:

blacksnapper]$ sudo tcpdump -i any -evn icmp6 or udp port 547
dropped privs to tcpdump
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
17:17:12.905056  In 00:00:00:00:00:00 ethertype IPv6 (0x86dd), length 144: (flowlabel 0x54dba, hlim 64, next-header ICMPv6 (58) payload length: 88) 20xx:xxxx:xxxx:ba5:4049:b055:c122:77f3 > 20xx:xxxx:xxxx:ba5:4049:b055:c122:77f3: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address 2a03:b0c0:3:d0::168b:9001
17:17:12.905115  In 00:00:00:00:00:00 ethertype IPv6 (0x86dd), length 144: (flowlabel 0x54dba, hlim 64, next-header ICMPv6 (58) payload length: 88) 20xx:xxxx:xxxx:ba5:4049:b055:c122:77f3 > 20xx:xxxx:xxxx:ba5:4049:b055:c122:77f3: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address 2a03:b0c0:3:d0::168b:9001
17:17:12.905131  In 00:00:00:00:00:00 ethertype IPv6 (0x86dd), length 144: (flowlabel 0x54dba, hlim 64, next-header ICMPv6 (58) payload length: 88) 20xx:xxxx:xxxx:ba5:4049:b055:c122:77f3 > 20xx:xxxx:xxxx:ba5:4049:b055:c122:77f3: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address 2a03:b0c0:3:d0::168b:9001
17:17:12.905141  In 00:00:00:00:00:00 ethertype IPv6 (0x86dd), length 144: (flowlabel 0x54dba, hlim 64, next-header ICMPv6 (58) payload length: 88) 20xx:xxxx:xxxx:ba5:4049:b055:c122:77f3 > 20xx:xxxx:xxxx:ba5:4049:b055:c122:77f3: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address 2a03:b0c0:3:d0::168b:9001
17:17:13.216026 Out 70:85:c2:a4:1b:9f ethertype IPv6 (0x86dd), length 88: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::91fa:e4db:ee8f:f2f1 > ff02::1:ffc4:beea: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::bef6:85ff:fec4:beea
          source link-address option (1), length 8 (1): 70:85:c2:a4:1b:9f
17:17:13.216475  In bc:f6:85:c4:be:ea ethertype IPv6 (0x86dd), length 88: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::bef6:85ff:fec4:beea > fe80::91fa:e4db:ee8f:f2f1: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is fe80::bef6:85ff:fec4:beea, Flags [router, solicited, override]
          destination link-address option (2), length 8 (1): bc:f6:85:c4:be:ea
17:17:18.229574  In bc:f6:85:c4:be:ea ethertype IPv6 (0x86dd), length 88: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::beed > fe80::91fa:e4db:ee8f:f2f1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::91fa:e4db:ee8f:f2f1
          source link-address option (1), length 8 (1): bc:f6:85:c4:be:ea
17:17:18.229702 Out 70:85:c2:a4:1b:9f ethertype IPv6 (0x86dd), length 80: (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::91fa:e4db:ee8f:f2f1 > fe80::beed: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::91fa:e4db:ee8f:f2f1, Flags [solicited]
17:17:23.656913 Out 70:85:c2:a4:1b:9f ethertype IPv6 (0x86dd), length 88: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::91fa:e4db:ee8f:f2f1 > fe80::beed: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::beed
          source link-address option (1), length 8 (1): 70:85:c2:a4:1b:9f
17:17:23.657340  In bc:f6:85:c4:be:ea ethertype IPv6 (0x86dd), length 80: (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::beed > fe80::91fa:e4db:ee8f:f2f1: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::beed, Flags [router, solicited]
17:17:25.422948 Out 70:85:c2:a4:1b:9f ethertype IPv6 (0x86dd), length 88: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::91fa:e4db:ee8f:f2f1 > ff02::1:ff00:beed: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 20xx:xxxx:xxxx:ba5::beed
          source link-address option (1), length 8 (1): 70:85:c2:a4:1b:9f
17:17:26.473196 Out 70:85:c2:a4:1b:9f ethertype IPv6 (0x86dd), length 88: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::91fa:e4db:ee8f:f2f1 > ff02::1:ff00:beed: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 20xx:xxxx:xxxx:ba5::beed
          source link-address option (1), length 8 (1): 70:85:c2:a4:1b:9f
17:17:27.497159 Out 70:85:c2:a4:1b:9f ethertype IPv6 (0x86dd), length 88: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::91fa:e4db:ee8f:f2f1 > ff02::1:ff00:beed: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 20xx:xxxx:xxxx:ba5::beed
          source link-address option (1), length 8 (1): 70:85:c2:a4:1b:9f
17:17:28.521319  In 00:00:00:00:00:00 ethertype IPv6 (0x86dd), length 156: (flowlabel 0x54dba, hlim 64, next-header ICMPv6 (58) payload length: 100) 20xx:xxxx:xxxx:ba5:4049:b055:c122:77f3 > 20xx:xxxx:xxxx:ba5:4049:b055:c122:77f3: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address fd00::3681:c4ff:fec9:6d8b
17:17:28.521342  In 00:00:00:00:00:00 ethertype IPv6 (0x86dd), length 156: (flowlabel 0x54dba, hlim 64, next-header ICMPv6 (58) payload length: 100) 20xx:xxxx:xxxx:ba5:4049:b055:c122:77f3 > 20xx:xxxx:xxxx:ba5:4049:b055:c122:77f3: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address 20xx:xxxx:xxxx:ba5::beed

There was no interesting packet captured here. No router solicitation nor dhcpv6 solicitation.

Thank you for the support. It is now working! These are the last things I did:

  1. Luci: 'network -> interfaces -> global network options': I recalculated the ULA here with this ula calculator from the MAC address of lan (eth0).
  2. Luci: 'network -> firewall -> general settings -> section 'general settings' (sic!): There are two default blocks (and formerly, I configured only the first one, no idea why there are 2). They now both read:
    • Enable SYN-flood protection: yes
    • Input: accept
    • Output: accept
    • Forward: reject
  3. I added 2 firewall rules: Luci 'network -> firewall -> traffic rules' to allow fe80::/10 to/from lan (no idea if this is really needed)
    • AllowToFritz6: Forwarded ipv6, from lan ip fe80::/10, to wan ip fe80::/10
    • AllowFromFritz6: Forwarded ipv6, from wan ip fe80::/10, to lan ip fe80::/10
  4. I rechecked that Luci: network -> interfaces -> lan -> edit -> dhcp server -> ipv6 settings is still 'relay mode' for RA, dhcpv6, and NDP and that master is not checked.

For reference:

root@LEDE:~# uci export network
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdxx:xxxx:xxxx::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.11.11'
        option ip6assign '64'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr 'bc:f6:85:xx:xx:xx'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        option hostname 'dir-645'

config device 'wan_dev'
        option name 'eth0.2'
        option macaddr 'bc:f6:85:xx:xx:xx'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
        option enable_vlan4k '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

config route
        option interface 'lan'
        option target '192.168.10.0'
        option netmask '255.255.255.0'
        option gateway '192.168.10.10'

config interface 'wan6'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option ifname 'eth0.2'
root@LEDE:~# uci export dhcp
package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        option nonwildcard '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'

config dhcp 'wan6'
        option interface 'wan6'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option master '1'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'

config dhcp 'ipv6static'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'ipv6static'
        option ra 'server'
        option ndp 'hybrid'
        option dhcpv6 'server'
        option ra_default '1'
        option ra_management '1'
root@LEDE:~# uci export firewall
package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '80'
        option dest_ip '192.168.11.11'
        option dest_port '80'
        option name 'Wan-Luci'
        option src_ip '192.168.10.0/24'

config redirect
        option enabled '1'
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '22'
        option dest_ip '192.168.11.11'
        option dest_port '22'
        option name 'Wan-Ssh'
        option src_ip '192.168.10.0/24'

config rule
        option target 'ACCEPT'
        option src 'lan'
        option dest 'wan'
        option name 'AllowToFritz'
        option family 'ipv4'
        option src_ip '192.168.11.0/24'
        option dest_ip '192.168.10.0/24'

config rule
        option target 'ACCEPT'
        option name 'AllowFromFritz'
        option family 'ipv4'
        option src 'wan'
        option src_ip '192.168.10.0/24'
        option dest_ip '192.168.11.0/24'
        option dest 'lan'
        option proto 'all'

config defaults
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option synflood_protect '1'

config zone
        option input 'DROP'
        option forward 'DROP'
        option name 'wan'
        option output 'DROP'

config rule
        option src 'lan'
        option name 'AllowToFritz6'
        list src_ip 'fe80::/10'
        option family 'ipv6'
        list dest_ip 'fe80::/10'
        option target 'ACCEPT'
        option dest 'wan'

config rule
        option src 'wan'
        list src_ip 'fe80::/10'
        option family 'ipv6'
        list dest_ip 'fe80::/10'
        option target 'ACCEPT'
        option dest 'lan'
        option name 'AllowFromFritz6'

This is a private IPv6 address, and is not connected to the public one you are trying to acquire from the upstream router.

Not sure why there are 2, but they should not matter anyway, as these apply to interfaces which don't belong to any zone.

Definitely not needed: the LAN zone has INPUT/OUTPUT/FORWARD set to ACCEPT, therefore it allows everything.

fe80 addresses are link-local, therefore traffic will not pass from lan to wan using the link-local addresses. What the router does is relay from one network to the other.
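The points made in the reply above (a second zone that binds no interface matches nothing, and forward rules on fe80::/10 can never match because link-local traffic is relayed rather than routed) can be checked mechanically. The following is an added example, not code from this thread or from OpenWrt: a small lint over `uci export` output. The `SAMPLE` dump is constructed in the same shape as the posted config with addresses anonymised, and the four checks (one relay master, one `defaults` section, zones bound to a network, no link-local forward rules) are this example's own choices, not rules OpenWrt enforces.

```python
"""Lint a 'uci export' dump for the IPv6-relay and firewall pitfalls raised
in the replies above.  Added example, not code from the thread or from
OpenWrt; SAMPLE is constructed in the shape of the posted dumps (anonymised)
and the four checks are this example's own choices (assumptions)."""
import ipaddress
import shlex

LINK_LOCAL = ipaddress.ip_network("fe80::/10")


def parse_uci_export(text):
    """Parse 'config <type> [name]' / 'option k v' / 'list k v' lines into
    section dicts; 'package' lines and shell prompts are ignored."""
    sections, cur = [], None
    for raw in text.splitlines():
        parts = shlex.split(raw)          # handles the single-quoted values
        if not parts:
            continue
        val = parts[2] if len(parts) > 2 else ""
        if parts[0] == "config":
            cur = {"type": parts[1], "name": val or None, "options": {}, "lists": {}}
            sections.append(cur)
        elif parts[0] == "option" and cur is not None:
            cur["options"][parts[1]] = val
        elif parts[0] == "list" and cur is not None:
            cur["lists"].setdefault(parts[1], []).append(val)
    return sections


def values(sec, key):
    """All values of a key, whether given as one 'option' or repeated 'list'."""
    return sec["lists"].get(key, []) + ([sec["options"][key]] if sec["options"].get(key) else [])


def is_link_local(cidr):
    """True for IPv6 addresses/prefixes inside fe80::/10 (never routed)."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return net.version == 6 and net.subnet_of(LINK_LOCAL)


def lint(text):
    secs = parse_uci_export(text)
    out = []
    # 1. relay mode: odhcpd relays from the section marked master='1'; this
    #    lint expects exactly one such section (assumption of the example).
    relay = [s for s in secs if s["type"] == "dhcp"
             and "relay" in [s["options"].get(k) for k in ("ra", "dhcpv6", "ndp")]]
    masters = [s["name"] for s in relay if s["options"].get("master") == "1"]
    if relay and len(masters) != 1:
        out.append(f"dhcp: relay mode expects exactly one master section, found {masters}")
    # 2. the firewall config should carry a single 'defaults' section.
    n_defaults = sum(s["type"] == "defaults" for s in secs)
    if n_defaults > 1:
        out.append(f"firewall: {n_defaults} 'defaults' sections, expected one")
    # 3. a zone with no 'network' binds to no interface and matches nothing.
    for z in (s for s in secs if s["type"] == "zone"):
        if not values(z, "network"):
            out.append(f"firewall: zone '{z['options'].get('name')}' is bound to no interface")
    # 4. forward rules (those with 'dest') on fe80::/10 never match: routers do
    #    not forward link-local traffic, relay mode re-sends it instead.
    for r in (s for s in secs if s["type"] == "rule" and s["options"].get("dest")):
        if any(is_link_local(a) for a in values(r, "src_ip") + values(r, "dest_ip")):
            out.append(f"firewall: forward rule '{r['options'].get('name')}' on fe80::/10 is a no-op")
    return out


# Constructed sample, same shape as the posted 'uci export' output.
SAMPLE = """\
package dhcp
config dhcp 'lan'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'
config dhcp 'wan6'
        option master '1'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'
package firewall
config defaults
        option forward 'REJECT'
config zone
        option name 'wan'
        option network 'wan wan6'
config defaults
        option forward 'REJECT'
config zone
        option name 'wan'
        option input 'DROP'
config rule
        option name 'AllowFromFritz6'
        option src 'wan'
        option dest 'lan'
        list src_ip 'fe80::/10'
        option target 'ACCEPT'
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Run it on a real box with `uci export | python3 lint.py` after changing the `__main__` block to read `sys.stdin`; the relay section of the sample is well formed (one master), so only the duplicate `defaults`, the unbound second `wan` zone and the link-local forward rule are reported.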