I'm trying to understand how IPv6 works in OpenWrt, but I could use some help with my setup.
I've got a VDSL connection and I'm connected via PPPoE, and my ISP is using IPv6 via dual-stack, so I'm able to obtain an IPv4 + IPv6 address via the default setup. Everything fine so far...
Setup:
VDSL Modem (bridge mode) >> WRT3200ACM@OpenWrt (main Router@PPPoE) >> DIR860L B1@OpenWrt (Switch + AP).
So my main router is the WRT3200ACM and I'm using the DIR860L B1 as a smart switch + AP.
I've set up two networks: 1. normal LAN/Wi-Fi, 2. guest LAN/Wi-Fi
Default Network Interface WRT3200ACM: 192.168.1.1/24, DHCP ON
Guest Network Interface WRT3200ACM: 192.168.55.1/24, DHCP ON
Default Network Interface DIR 860L B1: 192.168.1.2/24, DHCP OFF
Guest Network Interface DIR 860L B1: 192.168.55.2/24, DHCP OFF
Problem:
When connected to my normal LAN/Wi-Fi (WRT3200ACM) I'm able to surf the internet via IPv6+IPv4, but for some reason IPv6 doesn't work when connected to my guest network (LAN+Wi-Fi), and the same happens when I'm connected over my DIR 860L. Normal network = IPv6 partly works (need to connect to my WRT3200ACM in the first place), guest network = IPv6 doesn't work.
I don't know much about IPv6 and I can't understand why IPv6 is not working with my guest network, so I hope that someone is willing to help me.
On the WRT3200ACM, check the IPv6 Upstream box on the LuCI start page. What's the length of the Prefix Delegated (the number after '/')?
Try disabling the IPv6 assignment length on the access point, for both interfaces. I believe this should only be enabled on routers. Also see the wiki article.
Are the WRT3200ACM and the DIR860L B1 connected with an Ethernet cable? Can you show their switch configurations please?
WRT3200ACM = Lede SNAPSHOT r7829-42dc0e2594 (build of davidc502)
DIR 860L = OpenWrt SNAPSHOT r7540-20c4819c7b (build of Bartvz)
IPv6 Upstream > Prefix Delegated: /56
WRT3200ACM and DIR 860L are connected over Ethernet.
Both have two APs for my normal private network (2.4+5 GHz) and two APs for the guest network (2.4+5 GHz).
ebtables -A FORWARD -i ! eth0.3 -o eth0.3 -j ACCEPT # allow AP clients to talk to router
ebtables -A FORWARD -i eth0.3 -o ! eth0.3 -j ACCEPT # allow router to talk to AP clients
ebtables -A FORWARD --logical-in br-guest -j DROP
The rest of my setup is pretty much default. If you need any other info let me know.
I'll give this one a try, but I think this doesn't explain why IPv6 with my guest network isn't working when I'm connected to my WRT3200ACM (Wi-Fi).
I didn't review your firewall rules in detail, but it looks like you reject ICMP and ICMPv6 for the guest network at the WRT3200ACM INPUT chain. Try again without this obstacle. Maybe set up the firewall similar to lan during testing.
Prefix length and switch config look good to me.
The default OpenWrt traffic rules at my WRT3200ACM are still in use... I've only disabled the "Allow-Ping" rule for WAN.
At my DIR 860L only the custom traffic rules are active, as I deleted the WAN interface + WAN firewall zone and added the WAN port to the LAN interface (see switch config).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
it looks like you reject ICMP and ICMPv6 for the guest network at the WRT3200ACM INPUT chain. Try again without this obstacle.
Oh okay... I've already tried that today but haven't rebooted the router afterwards.
I'll give it another try. Hopefully this won't break my isolated guest setup...
It works!! Thank you very much...
Now I just need to verify that my isolated guest setup still works, so guest clients are still fully isolated between 2.4+5 GHz and between the WRT3200ACM and the DIR 860L.
You're welcome.
For tightened security, you might want to revert guest/Input to reject or drop and allow ICMP/ICMPv6 with more refined custom rules. If you block any ICMP at all, make sure it is dropped, not rejected.
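The "more refined custom rules" suggested above, together with a check for them, as an added example that is not part of this thread and not OpenWrt's own code: a small Python script that parses /etc/config/firewall syntax and, for a zone whose INPUT policy is REJECT or DROP, reports whether ACCEPT rules exist that let clients reach the router with the ICMPv6 types NDP needs (router-solicitation, neighbour-solicitation, neighbour-advertisement) and with DHCPv6 on UDP/547. The function and constant names and both embedded sample configs are constructed for the example; the rule syntax follows the fw3 UCI format posted above, and the assumed fw3 defaults (zone input DROP, rule target DROP, proto tcpudp) are taken from the fw3 documentation.

```python
"""Lint an OpenWrt UCI firewall config for a zone whose INPUT policy breaks IPv6.
Added example for this thread, not code from the posts or from OpenWrt/fw3."""
import re

# ICMPv6 a client must get through to the router (INPUT chain) for SLAAC/NDP:
# RS (133) to trigger an RA, NS (135) for address resolution and DAD, NA (136)
# to answer the router's own NS.  echo-request is deliberately not required.
NDP_INPUT_TYPES = {"router-solicitation", "neighbour-solicitation",
                   "neighbour-advertisement"}
DHCPV6_SERVER_PORT = 547          # odhcpd listens here; the client side is 546

_SECTION = re.compile(r"^config\s+(\S+)")
_KV = re.compile(r"^(option|list)\s+(\S+)\s+['\"]?(.*?)['\"]?$")

def parse_uci(text):
    """/etc/config/* text -> [{'type': str, 'values': {key: [str, ...]}}]."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SECTION.match(line)
        if m:
            sections.append({"type": m.group(1), "values": {}})
            continue
        m = _KV.match(line)              # option and list both stored as lists
        if m and sections:
            sections[-1]["values"].setdefault(m.group(2), []).append(m.group(3))
    return sections

def _port_hit(specs, port):
    """True if a dest_port spec ('547', '546-547', '53 547') covers port."""
    for part in " ".join(specs).replace(":", "-").split():
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def lint_zone_ipv6(config_text, zone_name):
    """Findings for IPv6 client service into zone_name; an empty list means OK."""
    sections = parse_uci(config_text)
    zone = next((s for s in sections if s["type"] == "zone"
                 and s["values"].get("name") == [zone_name]), None)
    if zone is None:
        return [f"zone '{zone_name}' not defined"]
    policy = zone["values"].get("input", ["DROP"])[0].upper()   # fw3 default DROP
    if policy == "ACCEPT":
        return []                              # open INPUT: nothing to lint
    missing, dhcpv6_ok = set(NDP_INPUT_TYPES), False
    for s in sections:
        v = s["values"]
        # Only enabled INPUT-chain ACCEPT rules for this zone count: a 'dest'
        # makes it a FORWARD rule, and an IPv4-only rule cannot admit IPv6.
        if (s["type"] != "rule" or v.get("src") != [zone_name] or "dest" in v
                or v.get("enabled", ["1"]) == ["0"]
                or v.get("target", ["DROP"])[0].upper() != "ACCEPT"
                or v.get("family", ["any"])[0] not in ("any", "ipv6")):
            continue
        protos = set(" ".join(v.get("proto", ["tcpudp"])).split())
        if protos & {"icmp", "icmpv6", "all"}:
            # a rule without icmp_type admits every ICMPv6 type
            missing -= set(v.get("icmp_type", [])) or NDP_INPUT_TYPES
        if protos & {"udp", "tcpudp", "all"} and (
                "dest_port" not in v or _port_hit(v["dest_port"], DHCPV6_SERVER_PORT)):
            dhcpv6_ok = True
    findings = []
    if missing:
        findings.append(f"{zone_name}: INPUT {policy} blocks ICMPv6 {sorted(missing)}; SLAAC/NDP fails")
    if not dhcpv6_ok:
        findings.append(f"{zone_name}: INPUT {policy} blocks DHCPv6 UDP/{DHCPV6_SERVER_PORT} to the router")
    return findings

# Constructed guest zone like the thread's: INPUT REJECT and no IPv6 rules, so
# RS/NS and DHCPv6 to the router are refused and clients never get IPv6.
BROKEN_GUEST = """
config zone
    option name 'guest'
    option input 'REJECT'
"""

# Same zone plus the two rules that restore IPv6 while INPUT stays REJECT.
HARDENED_GUEST = BROKEN_GUEST + """
config rule
    option name 'Guest-ICMPv6-NDP'
    option src 'guest'
    option proto 'icmp'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'neighbour-advertisement'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Guest-DHCPv6'
    option src 'guest'
    option proto 'udp'
    option dest_port '547'
    option family 'ipv6'
    option target 'ACCEPT'
"""
```

Run `lint_zone_ipv6(open("/etc/config/firewall").read(), "guest")` on a copy of the router's config; the hardened sample shows the two rules a guest zone with INPUT REJECT needs. Note that both rules carry `src` but no `dest`, which is what makes them INPUT-chain rules in fw3: a rule with `dest` only affects forwarding and would not let clients talk to the router itself. Add echo-request to the ICMPv6 list if guests should be able to ping the gateway; the check does not require it.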
Thanks for your tips. I did a quick nmap scan when I was connected to my guest network over my DIR 860L, and I could only discover my own host and the two guest network interfaces (192.168.55.1 + 192.168.55.2).
Anyway, I will see if I can secure my guest network even more.
Again, thanks for your time and for guiding me in the right direction! It helped a lot and now my guest clients can enjoy IPv6 as well...