IPv6 over two OpenWrt Router

I'm trying to understand how IPv6 works in OpenWrt, but I could use some help with my setup.
I've got a VDSL connection and I'm connected via PPPoE, and my ISP is using IPv6 via Dual-Stack, so I'm able to obtain an IPv4 + IPv6 address via the default setup. Everything fine so far...

Setup:
VDSL Modem (bridge mode) >> WRT3200ACM@OpenWrt (main Router@PPPoE) >> DIR860L B1@OpenWrt (Switch + AP).
So my main router is the WRT3200ACM and I'm using the DIR860L B1 as a smart switch + AP.
I've set up two networks: 1. normal LAN/WiFi, 2. guest LAN/WiFi

Default Network Interface WRT3200ACM: 192.168.1.1/24, DHCP ON
[screenshot: DHCP_LAN1]

Guest Network Interface WRT3200ACM: 192.168.55.1/24, DHCP ON
[screenshot: DHCP_guest1]


Default Network Interface DIR 860L B1: 192.168.1.2/24, DHCP OFF
[screenshot: DHCP_LAN2]

Guest Network Interface DIR 860L B1: 192.168.55.2/24, DHCP OFF
[screenshot: DHCP_guest2]

Problem:
When connected to my normal LAN/WiFi (WRT3200ACM) I'm able to surf the internet via IPv6+IPv4, but for some reason IPv6 doesn't work when connected to my guest network (LAN+WiFi), and the same happens when I'm connected over my DIR 860L. Normal network = IPv6 partly works (need to connect to my WRT3200ACM in the first place), guest network = IPv6 doesn't work.

I don't know much about IPv6 and I can't understand why IPv6 is not working with my guest network, so I hope that someone is willing to help me.

Which OpenWrt version is running on your devices?

On the WRT3200ACM, check the IPv6 Upstream box on the LuCI start page. What's the length of the Prefix Delegated (the number after '/')?

Try disabling the IPv6 assignment length on the access point, for both interfaces. I believe this should only be enabled on routers. Also see the wiki article.

Are the WRT3200ACM and the DIR860L B1 connected with an ethernet cable? Can you show their switch configurations please?

WRT3200ACM = Lede SNAPSHOT r7829-42dc0e2594 (build of davidc502)
DIR 860L = OpenWrt SNAPSHOT r7540-20c4819c7b (build of Bartvz)

IPv6 Upstream > Prefix Delegated: /56
WRT3200ACM and DIR 860L are connected over Ethernet.
Both have two APs for my normal private network (2.4+5GHz) and two APs for the guest network (2.4+5GHz).

Switch config WRT3200ACM:
[screenshot: switch_wrt]

Switch config DIR 860L:
[screenshot: switch_dir]

Custom Traffic Rules WRT3200ACM:

config zone
	option name 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'guest'
	option input 'REJECT'

config forwarding
	option dest 'wan'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option src 'guest'
	option name 'DNS [Guest]'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option src 'guest'
	option name 'DHCP [Guest]'

config rule
	option proto 'tcp udp'
	option dest_port '80 443'
	option name 'Deny Router Access [Guest]'
	option src 'guest'
	option target 'REJECT'

config rule
	option dest_port '22'
	option name 'Deny SSH Access [Guest]'
	option src 'guest'
	option target 'REJECT'
	option proto 'tcp udp'

config rule
	option name 'Deny Modem Access [Guest]'
	option proto 'all'
	option src 'guest'
	option dest_ip '192.168.254.0/24'
	option target 'REJECT'
	option dest '*'

Custom fw rules WRT3200ACM:

ebtables -A FORWARD --logical-in br-guest -j DROP # drop frames bridged between guest ports (client isolation)

iptables -t nat -I PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-port 53
iptables -t nat -I PREROUTING -i br-lan -p tcp --dport 53 -j REDIRECT --to-port 53
iptables -t nat -I PREROUTING -i br-guest -p udp --dport 53 -j REDIRECT --to-port 53
iptables -t nat -I PREROUTING -i br-guest -p tcp --dport 53 -j REDIRECT --to-port 53

Custom traffic rules DIR 860L:

config zone
	option name 'guest'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'guest'

config rule
	option target 'ACCEPT'
	option src 'guest'
	option name 'DNS [Guest]'
	option dest_port '53'

config rule
	option target 'ACCEPT'
	option src 'guest'
	option name 'DHCP [Guest]'
	option proto 'udp'
	option dest_port '67-68'

config rule
	option src 'guest'
	option name 'Deny Router Access [Guest]'
	option target 'REJECT'
	option dest_port '80 443'

config rule
	option src 'guest'
	option name 'Deny SSH Access [Guest]'
	# note: port 23 is telnet; SSH listens on port 22 (the WRT3200ACM rule uses 22)
	option dest_port '23'
	option target 'REJECT'

Custom fw rules DIR 860L:

ebtables -A FORWARD -i ! eth0.3 -o eth0.3 -j ACCEPT # allow AP clients to talk to router
ebtables -A FORWARD -i eth0.3 -o ! eth0.3 -j ACCEPT # allow router to talk to AP clients
ebtables -A FORWARD --logical-in br-guest -j DROP

The rest of my setup is pretty much default. If you need any other info let me know.

I'll give this one a try, but I think this doesn't explain why IPv6 with my guest network isn't working when I'm connected to my WRT3200ACM (WiFi).

Thanks for your time! :slight_smile:

I didn't review your firewall rules in detail, but it looks like you reject ICMP and ICMPv6 for the guest network at the WRT3200ACM INPUT chain. Try again without this obstacle. Maybe set up the firewall similar to lan during testing.
Prefix length and switch config look good to me.

The default OpenWrt traffic rules at my WRT3200ACM are still in use... I've only disabled the "Allow-Ping" rule for WAN.
At my DIR 860L only the custom traffic rules are active, as I deleted the WAN interface + WAN firewall zone and added the WAN port to the LAN interface (see switch config).

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

it looks like you reject ICMP and ICMPv6 for the guest network at the WRT3200ACM INPUT chain. Try again without this obstacle.

Hmm i'm not sure what you mean by this...

Here are my Firewall Zone Settings, WRT3200ACM:
[screenshot: firewall_zone]

Firewall Zone Settings, DIR 860L:
[screenshot: firewall_zone2]



Oh okay... I've already tried that today but haven't rebooted the router after.
I'll give it another try. Hopefully this won't break my isolated guest setup...

Please also check on your main router the IPv6 addresses shown under Network > Interfaces for the guest interface.

Here are the Interfaces:
[screenshot: interfaces]
I'm going to reboot in a few minutes and see if the changes will fix my problem.

It works!! Thank you very much... :slight_smile:
Now I just need to verify that my isolated guest setup still works, so guest clients are still fully isolated between 2.4+5GHz and between the WRT3200ACM and the DIR 860L.

You're welcome.
For tightened security, you might want to revert guest/Input to reject or drop and allow ICMP/ICMPv6 with more refined custom rules. If you block any ICMP at all, make sure it is dropped, not rejected.

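Following the suggestion above, an added example (not from this thread) of a tightened guest zone for /etc/config/firewall on the WRT3200ACM: input stays at REJECT, and only the DHCPv6 and ICMPv6 traffic that IPv6 clients must exchange with the router is admitted. The poster's existing DNS and DHCP (67-68) rules are assumed to remain, and the zone name 'guest' is taken from the post.

```uci
# Added example (not from the thread): guest zone with INPUT kept at REJECT,
# admitting only what IPv6 clients need from the router itself.
config zone
	option name 'guest'
	option network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'guest'
	option dest 'wan'

# The poster's DHCP rule covers UDP 67-68 (DHCPv4 only); DHCPv6 clients
# reach odhcpd on UDP 547, so it needs its own rule.
config rule
	option name 'Allow-DHCPv6-Guest'
	option src 'guest'
	option proto 'udp'
	option dest_port '547'
	option family 'ipv6'
	option target 'ACCEPT'

# Neighbour Discovery and SLAAC: with these rejected, clients cannot resolve
# the router's link-local address or get answers to router solicitations,
# which matches the "no IPv6 on guest" symptom in this thread.
config rule
	option name 'Allow-ICMPv6-Guest'
	option src 'guest'
	option proto 'icmp'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'neighbour-advertisement'
	list icmp_type 'echo-request'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Rules are applied in file order, so this catch-all must stay last: any
# other ICMPv6 to the router is dropped silently rather than rejected.
config rule
	option name 'Drop-Other-ICMPv6-Guest'
	option src 'guest'
	option proto 'icmp'
	option family 'ipv6'
	option target 'DROP'
```

The ebtables isolation rules from the thread are unaffected, since traffic addressed to the router itself passes the INPUT chain rather than the bridge FORWARD chain.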

Thanks for your tips. I did a quick nmap scan when I was connected to my guest network over my DIR 860L and I could only discover my own host and the two guest network interfaces (192.168.55.1 + 192.168.55.2).
Anyway, I will see if I can secure my guest network even more.

Again, thanks for your time and for guiding me in the right direction! It helped a lot and now my guest clients can enjoy IPv6 as well...
