IPv6-PD /60 for downstream OpenWrt router after Orange Slovensko fiber

Hello
I have an issue with obtaining an IPv6 PD greater than /64 in my downstream OpenWrt router.


Main router (192.168.100.1): Huawei HG8245W5 from Orange SK ISP with WAN IPv6 Prefix /56
The following configuration is set up in the IPv6 tab for the main router:

Second router (192.168.0.1), connected to a LAN port of the main router and serving my home network (VLANs for the LAN, IOT and Guest segments): Xiaomi Mi Router 4A Gigabit Edition, Firmware: OpenWrt 22.03.0-rc4 r19426
So, I've tried different configurations, but for some reason I always get IPv6-PD /64 on the OpenWrt router. Why?

I need to obtain at least IPv6-PD /62 on the downstream OpenWrt router.
Any ideas on how to do this, please?

ubus call system board; uci export network; uci export dhcp; ip6tables-save -c; ifstatus wan6

BusyBox v1.35.0 (2022-06-10 07:20:21 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 22.03.0-rc4, r19426-2b1941e47d
 -----------------------------------------------------
root@OpenWrt:~# ubus call system board; \
> uci export network; \
> uci export dhcp; ip6tables-save -c; ifstatus wan6
{
        "kernel": "5.10.120",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Xiaomi Mi Router 4A Gigabit Edition",
        "board_name": "xiaomi,mi-router-4a-gigabit",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.0-rc4",
                "revision": "r19426-2b1941e47d",
                "target": "ramips/mt7621",
                "description": "OpenWrt 22.03.0-rc4 r19426-2b1941e47d"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd2d:3982:7f85::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option device 'br-lan.55'
        option ipaddr '192.168.0.1'

config interface 'wan'
        option device 'wan'
        option proto 'static'
        option ipaddr '192.168.100.200'
        option netmask '255.255.255.0'
        option gateway '192.168.100.1'
        list dns '1.1.1.3'
        list dns '1.0.0.3'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'force'
        option reqprefix '60'

config bridge-vlan
        option device 'br-lan'
        option vlan '8'

config bridge-vlan
        option device 'br-lan'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        option vlan '55'

config bridge-vlan
        option device 'br-lan'
        option vlan '7'

config interface 'IOT'
        option proto 'static'
        option device 'br-lan.7'
        option ipaddr '172.16.7.1'
        option netmask '255.255.255.0'
        option ip6assign '64'

config interface 'GUEST'
        option proto 'static'
        option device 'br-lan.8'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option dhcpv4 'server'
        option start '2'
        option limit '50'
        list dhcp_option '6,1.1.1.3,1.0.0.3'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '10'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'IOT'
        option interface 'IOT'
        option leasetime '12h'
        option start '2'
        option limit '10'
        list dhcp_option '6,1.1.1.3,1.0.0.3'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'

config dhcp 'GUEST'
        option interface 'GUEST'
        option leasetime '12h'
        option start '2'
        list dhcp_option '6,1.1.1.3,1.0.0.3'
        option limit '20'
        list ra_flags 'none'

config dhcp 'wan6'
        option interface 'wan6'
        option ignore '1'
        option master '1'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'

-ash: ip6tables-save: not found
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 27,
        "l3_device": "wan",
        "proto": "dhcpv6",
        "device": "wan",
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [

        ],
        "ipv6-address": [
                {
                        "address": "2a01:xxxx:xxxx:2500::2",
                        "mask": 128,
                        "preferred": 571,
                        "valid": 571
                },
                {
                        "address": "2a01:xxxx:xxxx:2500:2ad1:27ff:feb1:xxd9",
                        "mask": 64,
                        "preferred": 577,
                        "valid": 577
                }
        ],
        "ipv6-prefix": [
                {
                        "address": "2a01:xxxx:xxxx:2502::",
                        "mask": 64,
                        "preferred": 571,
                        "valid": 571,
                        "class": "wan6",
                        "assigned": {
                                "IOT": {
                                        "address": "2a01:xxxx:xxxx:2502::",
                                        "mask": 64
                                }
                        }
                }
        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "2a01:xxxx:xxxx:2500::",
                        "mask": 64,
                        "nexthop": "::",
                        "metric": 256,
                        "valid": 577,
                        "source": "::/0"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::1",
                        "metric": 512,
                        "valid": 1777,
                        "source": "2a01:xxxx:xxxx:2500:2ad1:27ff:feb1:xxd9/64"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::1",
                        "metric": 512,
                        "valid": 1777,
                        "source": "2a01:xxxx:xxxx:2502::/64"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::1",
                        "metric": 512,
                        "valid": 1777,
                        "source": "2a01:xxxx:xxxx:2500::2/128"
                }
        ],
        "dns-server": [
                "2606:4700:4700::1113",
                "2606:4700:4700::1003"
        ],
        "dns-search": [

        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {
                "passthru": "001700202606470047000000000000000000111326064700470000000000000000001003"
        }
}
root@OpenWrt:~#
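Two things worth checking against the ifstatus output above before touching the configuration: how many /64s the delegated prefix can actually be cut into (each interface with option ip6assign '64' needs one), and which DNS servers the CPE pushed, since those arrive in the hex "passthru" string and are otherwise never looked at. The script below is an added example, not code from the thread or from OpenWrt; the JSON is a trimmed copy of the posted ifstatus output with the documentation prefix 2001:db8::/32 standing in for the masked 2a01 prefix, and the interface list is taken from the posted /etc/config/network.

```python
"""Sanity checks on what odhcp6c actually received on wan6.

Added example, not code from the thread: it reads the JSON that
'ifstatus wan6' prints, works out whether the delegated prefix can cover
the downstream interfaces that carry 'ip6assign 64', and decodes the
DHCPv6 options that odhcp6c hands over unparsed in data.passthru."""
import ipaddress
import json

# Constructed sample: a trimmed copy of the ifstatus output above, with the
# documentation prefix 2001:db8::/32 standing in for the masked 2a01 prefix.
IFSTATUS_WAN6 = json.loads("""
{
  "up": true,
  "delegation": true,
  "ipv6-prefix": [
    {"address": "2001:db8:1:2502::", "mask": 64,
     "preferred": 571, "valid": 571, "class": "wan6",
     "assigned": {"IOT": {"address": "2001:db8:1:2502::", "mask": 64}}}
  ],
  "data": {
    "passthru": "001700202606470047000000000000000000111326064700470000000000000000001003"
  }
}
""")

# Constructed sample: the downstream interfaces from /etc/config/network
# that ask odhcpd for a /64 out of the delegation (option ip6assign '64').
IP6ASSIGN = {"lan": 64, "IOT": 64, "GUEST": 64}

OPTION_DNS_SERVERS = 23  # DHCPv6 option code from RFC 3646


def delegated_prefixes(ifstatus):
    """Delegated prefixes from the 'ipv6-prefix' list as ip_network objects."""
    return [ipaddress.ip_network(f"{p['address']}/{p['mask']}")
            for p in ifstatus.get("ipv6-prefix", [])]


def required_prefix_length(count, subnet_len=64):
    """Longest delegation that still yields 'count' subnets of subnet_len.

    Three /64s need four /64-sized slots, so a /62; sixteen need a /60."""
    return subnet_len - (count - 1).bit_length()


def pd_fits(ifstatus, ip6assign, subnet_len=64):
    """True if the delegation(s) supply one subnet per ip6assign interface."""
    slots = sum(1 << (subnet_len - p.prefixlen)
                for p in delegated_prefixes(ifstatus) if p.prefixlen <= subnet_len)
    return slots >= len(ip6assign)


def unassigned_interfaces(ifstatus, ip6assign):
    """Interfaces that asked for a prefix but were left out by odhcpd."""
    assigned = set()
    for p in ifstatus.get("ipv6-prefix", []):
        assigned.update(p.get("assigned", {}))
    return sorted(set(ip6assign) - assigned)


def decode_passthru(hexstr):
    """Decode data.passthru: concatenated DHCPv6 options, each encoded as
    2-byte code, 2-byte length, value (RFC 8415 section 21.1).
    OPTION_DNS_SERVERS values become IPv6 address strings; anything else
    is kept as hex so nothing is silently dropped."""
    raw = bytes.fromhex(hexstr)
    options = {}
    pos = 0
    while pos + 4 <= len(raw):
        code = int.from_bytes(raw[pos:pos + 2], "big")
        length = int.from_bytes(raw[pos + 2:pos + 4], "big")
        value = raw[pos + 4:pos + 4 + length]
        if len(value) != length:
            raise ValueError("truncated DHCPv6 option %d" % code)
        if code == OPTION_DNS_SERVERS and length % 16 == 0:
            decoded = [str(ipaddress.IPv6Address(value[i:i + 16]))
                       for i in range(0, length, 16)]
        else:
            decoded = [value.hex()]
        options.setdefault(code, []).extend(decoded)
        pos += 4 + length
    return options


if __name__ == "__main__":
    prefixes = delegated_prefixes(IFSTATUS_WAN6)
    need = required_prefix_length(len(IP6ASSIGN))
    print("delegated:", [str(p) for p in prefixes], "needed: /%d" % need)
    print("fits all ip6assign interfaces:", pd_fits(IFSTATUS_WAN6, IP6ASSIGN))
    print("left without a prefix:", unassigned_interfaces(IFSTATUS_WAN6, IP6ASSIGN))
    print("DNS servers pushed by the CPE:",
          decode_passthru(IFSTATUS_WAN6["data"]["passthru"]).get(OPTION_DNS_SERVERS))
```

On the router, `ifstatus wan6 > /tmp/wan6.json` and load that file instead of the embedded sample. For the output in the first post it reports a single /64 delegated where three ip6assign interfaces need at least a /62, with lan and GUEST left without a prefix, which is exactly the symptom; and it shows that the two resolvers in the passthru string came from the CPE, which is worth confirming against what you intend to use before trusting them.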

One thing is that you should not be using relay in dhcp.

Second thing is that if you allocate /60 on the lan of the Huawei it will never give a /60, but something smaller.
Having said that, third, you should either leave reqprefix at auto or reduce it to /62.

Fourth, prefix assignment cannot be achieved with SLAAC, as you have it configured in Huawei.

Thanks, changed to DHCPv6:

new Huawei ipv6 config

Done. Changed to /62 on the WAN6 for the OpenWrt router, while /60 is allocated on the LAN of the Huawei router:

option reqprefix '62'

Could you please clarify: should "relay" not be used for DHCP on wan6, on lan, or on both on the OpenWrt router?
Anyway, I disabled DHCPv6-Service for wan6, and set "server mode" for DHCPv6-Service on lan:

ipv6 dhcp config


Conclusion: after the changes described above, and of course rebooting the Huawei and OpenWrt routers, the issue is not resolved at the moment: the WAN6 interface of the OpenWrt router is still receiving a delegated prefix of /64:

Network Interfaces page of OpenWrt router

Current OpenWrt config after all changes is the following:

ubus call system board; uci export network; uci export dhcp; ip6tables-save -c; ifstatus wan6
 OpenWrt 22.03.0-rc4, r19426-2b1941e47d
 -----------------------------------------------------
root@OpenWrt:~# ubus call system board;
{
        "kernel": "5.10.120",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Xiaomi Mi Router 4A Gigabit Edition",
        "board_name": "xiaomi,mi-router-4a-gigabit",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.0-rc4",
                "revision": "r19426-2b1941e47d",
                "target": "ramips/mt7621",
                "description": "OpenWrt 22.03.0-rc4 r19426-2b1941e47d"
        }
}
root@OpenWrt:~# uci export network;
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd2d:3982:7f85::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option device 'br-lan.55'
        option ipaddr '192.168.0.1'
        option ip6assign '64'

config interface 'wan'
        option device 'wan'
        option proto 'static'
        option ipaddr '192.168.100.200'
        option netmask '255.255.255.0'
        option gateway '192.168.100.1'
        list dns '1.1.1.3'
        list dns '1.0.0.3'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'force'
        option reqprefix '62'

config bridge-vlan
        option device 'br-lan'
        option vlan '8'

config bridge-vlan
        option device 'br-lan'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        option vlan '55'

config bridge-vlan
        option device 'br-lan'
        option vlan '7'

config interface 'IOT'
        option proto 'static'
        option device 'br-lan.7'
        option ipaddr '172.16.7.1'
        option netmask '255.255.255.0'

config interface 'GUEST'
        option proto 'static'
        option device 'br-lan.8'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'

root@OpenWrt:~# uci export dhcp; ip6tables-save -c; ifstatus wan6
package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option dhcpv4 'server'
        option start '2'
        option limit '50'
        list dhcp_option '6,1.1.1.3,1.0.0.3'
        option leasetime '24h'
        option ra 'relay'
        option dhcpv6 'server'
        option ndp 'relay'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '10'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'IOT'
        option interface 'IOT'
        option leasetime '12h'
        option start '2'
        option limit '10'
        list dhcp_option '6,1.1.1.3,1.0.0.3'
        option ra 'relay'
        option ndp 'relay'
        option dhcpv6 'server'

config dhcp 'GUEST'
        option interface 'GUEST'
        option leasetime '12h'
        option start '2'
        list dhcp_option '6,1.1.1.3,1.0.0.3'
        option limit '20'
        list ra_flags 'none'

config dhcp 'wan6'
        option interface 'wan6'
        option ignore '1'
        option master '1'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ra 'relay'
        option ndp 'relay'

-ash: ip6tables-save: not found
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 3419,
        "l3_device": "wan",
        "proto": "dhcpv6",
        "device": "wan",
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [

        ],
        "ipv6-address": [
                {
                        "address": "2a01:xxxx:xxxx:2500::2",
                        "mask": 128,
                        "preferred": 504,
                        "valid": 504
                }
        ],
        "ipv6-prefix": [
                {
                        "address": "2a01:xxxx:xxxx:2502::",
                        "mask": 64,
                        "preferred": 504,
                        "valid": 504,
                        "class": "wan6",
                        "assigned": {
                                "lan": {
                                        "address": "2a01:xxxx:xxxx:2502::",
                                        "mask": 64
                                }
                        }
                }
        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "2a01:xxxx:xxxx:2500::",
                        "mask": 64,
                        "nexthop": "::",
                        "metric": 256,
                        "valid": 509,
                        "source": "::/0"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::1",
                        "metric": 512,
                        "valid": 1704,
                        "source": "2a01:xxxx:xxxx:2502::/64"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::1",
                        "metric": 512,
                        "valid": 1704,
                        "source": "2a01:xxxx:xxxx:2500::2/128"
                }
        ],
        "dns-server": [
                "2606:4700:4700::1113",
                "2606:4700:4700::1003"
        ],
        "dns-search": [

        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {
                "passthru": "001700202606470047000000000000000000111326064700470000000000000000001003"
        }
}
root@OpenWrt:~#

Please, any other suggestions how to get /62 on the WAN6 of OpenWrt router will be highly appreciated. Thank you.

On wan6 it must be completely switched off, not only in dhcp, but RA and NDP-Proxy as well. Also remove the master option.
In lan interfaces it must be server for RA and DHCP, disabled for NDP-Proxy.

There is not much more to suggest. At the end of the day if the Huawei doesn't allocate a larger prefix there is not much the OpenWrt can do.
Try to allocate a larger prefix in Huawei lan, like a /59 in case it helps.


According to the suggestion above, I did the final changes in config:

  • WAN6: RA-Service=disabled, DHCPv6-Service=disabled, NDP-Proxy=disabled, Designated master=off
  • LAN: RA-Service=Server, DHCPv6-Service=Server, NDP-Proxy=disabled.

Unfortunately, nothing changed:
the WAN6 prefix delegated on the OpenWrt router remained unchanged at /64 after 2 days (I tried rebooting the routers, changed the prefix to a larger one on the Huawei IPv6 LAN config, etc.)


So, this really seems to be a limitation of my ISP, which gives only a /64 prefix to the LAN
(note: if any Orange Slovensko users have been able to get a /62 prefix, please reach out to me or send me a private message).

Before declaring defeat, you could talk to your ISP and verify with them what we see.


Yeah, I've written an email to my ISP's support team about the single /64 prefix delegated from their customer CPE, and am still waiting for a response.
UPD: ISP Orange Slovensko has officially confirmed to me that currently their customer-CPE devices do not support (and therefore cannot provide) an IPv6 Prefix Delegation greater than /64 to the LAN port of the Huawei fiber router.


At the same time, I made pretty good progress on my side.
I found the article Configure DHCPv6c on WAN for multiple PD requests for AT&T fiber? and... it seems that Orange Slovensko ISP uses the same IPv6 /64 prefix delegation method as AT&T does.

See my test results:


So, I was able to get 4 different IPv6-PD /64 delegated prefixes (didn't try more):

IPv6-PD: 2a01:xxxx:xxxx:2503::/64
IPv6-PD: 2a01:xxxx:xxxx:2504::/64
IPv6-PD: 2a01:xxxx:xxxx:2505::/64
IPv6-PD: 2a01:xxxx:xxxx:2506::/64

For those who want to do the same, here is an example of my working /etc/config/network file for OpenWrt 22.03.x (the config idea has been taken from here and here):


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option proto 'static'
	option device 'br-lan.55'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6ifaceid '::1'
	list ip6class 'wan6lan'

config interface 'wan'
	option device 'wan'
	option proto 'static'
	option ipaddr '192.168.100.200'
	option netmask '255.255.255.0'
	option gateway '192.168.100.1'
	option peerdns '0'
	list dns '1.1.1.2'
	list dns '1.0.0.2'

config interface 'wan6'
	option proto 'dhcpv6'
	option device 'wan'
	option peerdns '0'
	list dns '2606:4700:4700::1112'
	list dns '2606:4700:4700::1002'
	option reqaddress 'try'
	option reqprefix 'no'

config bridge-vlan
	option device 'br-lan'
	option vlan '8'

config bridge-vlan
	option device 'br-lan'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	option vlan '55'

config bridge-vlan
	option device 'br-lan'
	option vlan '7'

config interface 'IOT'
	option proto 'static'
	option device 'br-lan.7'
	option ipaddr '172.16.7.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6ifaceid '::1'
	list ip6class 'wan6iot'

config interface 'GUEST'
	option proto 'static'
	option device 'br-lan.8'
	option ipaddr '192.168.8.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6ifaceid '::1'
	list ip6class 'wan6guest'

config device 'vwan1'
	option name 'vwan1'
	option type 'macvlan'
	option ifname 'wan'

config device 'vwan2'
	option name 'vwan2'
	option type 'macvlan'
	option ifname 'wan'

config device 'vwan3'
	option name 'vwan3'
	option type 'macvlan'
	option ifname 'wan'

config interface 'wan6lan'
	option proto 'dhcpv6'
	option peerdns '0'
	option reqaddress 'none'
	option reqprefix 'auto'
	option device 'vwan1'

config interface 'wan6iot'
	option proto 'dhcpv6'
	option peerdns '0'
	option reqaddress 'none'
	option reqprefix 'auto'
	option device 'vwan2'

config interface 'wan6guest'
	option proto 'dhcpv6'
	option peerdns '0'
	option reqaddress 'none'
	option reqprefix 'auto'
	option device 'vwan3'

Install the kmod-macvlan module: opkg update && opkg install kmod-macvlan. So, all the 'magic' is achieved by kmod-macvlan, which allows creating multiple virtual wan6 interfaces (and hence requesting and obtaining multiple IPv6 /64 blocks), and binding each of these virtual wan6 DHCPv6 clients to the appropriate LAN interface via the ip6class and ip6assign '64' settings.


Please note that LuCI will be available at 192.168.0.1 after that (you can change it later).

  • Check the DHCPv6 settings for the LAN, IOT and Guest interfaces; they should be the following: RA-Service = Server Mode, DHCPv6-Service = Server Mode, NDP-Proxy = disabled, RA Flags = Other Config, Enable SLAAC = True.
  • Meanwhile, the DHCPv6 settings for the wan6 interface should be: Designated master = disabled, RA-Service = disabled, DHCPv6-Service = disabled, NDP-Proxy = disabled.
  • DHCP Server should not be configured for wan6lan, wan6iot and wan6guest interfaces.

Also, make sure that firewall rules allow IPv6 traffic for your new interfaces:

# Restore firewall rules to default
cp /rom/etc/config/firewall /etc/config/firewall
uci delete firewall.@zone[2]
uci delete firewall.@zone[1]
uci delete firewall.@zone[0]
uci delete firewall.@forwarding[0]
uci commit firewall

# Adding new firewall zones
uci add firewall zone
uci set firewall.@zone[-1].name='lan'
uci set firewall.@zone[-1].input='ACCEPT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='ACCEPT'
uci add_list firewall.@zone[-1].network='lan'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='wan'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='IOT'
uci commit firewall

uci add firewall zone
uci set firewall.@zone[-1].name='wan'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
uci add_list firewall.@zone[-1].network='wan'
uci add_list firewall.@zone[-1].network='wan6'
uci add_list firewall.@zone[-1].network='wan6guest'
uci add_list firewall.@zone[-1].network='wan6iot'
uci add_list firewall.@zone[-1].network='wan6lan'
uci commit firewall

uci add firewall zone
uci set firewall.@zone[-1].name='GUEST'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci add_list firewall.@zone[-1].network='GUEST'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='GUEST'
uci set firewall.@forwarding[-1].dest='wan'
uci commit firewall

uci add firewall zone
uci set firewall.@zone[-1].name='IOT'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci add_list firewall.@zone[-1].network='IOT'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='IOT'
uci set firewall.@forwarding[-1].dest='wan'
uci commit firewall
service firewall restart

# Adding custom Traffic Rules
# Allow Guest DHCP for ipv6
uci add firewall rule
uci set firewall.@rule[-1].name='Allow Guest_DHCPv6'
uci set firewall.@rule[-1].family='ipv6'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].src='GUEST'
uci set firewall.@rule[-1].src_port='546'
uci set firewall.@rule[-1].dest_port='547'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall

# Allow Guest DHCP for ipv4
uci add firewall rule
uci set firewall.@rule[-1].name='Allow Guest_DHCP'
uci set firewall.@rule[-1].family='ipv4'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].src='GUEST'
uci set firewall.@rule[-1].dest_port='67-68'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall

# Allow Guest DNS for ipv4 and ipv6
uci add firewall rule
uci set firewall.@rule[-1].name='Allow Guest_DNS'
uci set firewall.@rule[-1].src='GUEST'
uci set firewall.@rule[-1].dest_port='53'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall
	
# Allow ipv6 traffic to Guest
uci add firewall rule
uci set firewall.@rule[-1].name='Allow IPv6_Guest'
uci set firewall.@rule[-1].family='ipv6'
uci set firewall.@rule[-1].proto='icmp'
uci add_list firewall.@rule[-1].icmp_type='echo-reply'
uci add_list firewall.@rule[-1].icmp_type='echo-request'
uci add_list firewall.@rule[-1].icmp_type='neighbour-advertisement'
uci add_list firewall.@rule[-1].icmp_type='neighbour-solicitation'
uci add_list firewall.@rule[-1].icmp_type='port-unreachable'
uci add_list firewall.@rule[-1].icmp_type='protocol-unreachable'
uci add_list firewall.@rule[-1].icmp_type='router-advertisement'
uci add_list firewall.@rule[-1].icmp_type='router-solicitation'
uci add_list firewall.@rule[-1].icmp_type='time-exceeded'
uci set firewall.@rule[-1].src='GUEST'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].limit='1000/sec'
uci set firewall.@rule[-1].limit_burst='100'
uci commit firewall

# Block Guest access to all networks
uci add firewall rule
uci set firewall.@rule[-1].name='Block Guest-to-All networks'
uci set firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].src='GUEST'
uci set firewall.@rule[-1].dest='*'
uci add_list firewall.@rule[-1].dest_ip='192.168.100.0/24'
uci add_list firewall.@rule[-1].dest_ip='192.168.0.0/24'
uci add_list firewall.@rule[-1].dest_ip='fc00::/7'
uci add_list firewall.@rule[-1].dest_ip='fe80::/10'
uci set firewall.@rule[-1].target='DROP'
uci commit firewall

# Allow IOT DHCP for ipv6
uci add firewall rule
uci set firewall.@rule[-1].name='Allow IOT_DHCPv6'
uci set firewall.@rule[-1].family='ipv6'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].src='IOT'
uci set firewall.@rule[-1].src_port='546'
uci set firewall.@rule[-1].dest_port='547'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall
	
# Allow IOT DHCP for ipv4
uci add firewall rule
uci set firewall.@rule[-1].name='Allow IOT_DHCP'
uci set firewall.@rule[-1].family='ipv4'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].src='IOT'
uci set firewall.@rule[-1].dest_port='67-68'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall

# Allow IOT DNS for ipv4 and ipv6
uci add firewall rule
uci set firewall.@rule[-1].name='Allow IOT_DNS'
uci set firewall.@rule[-1].src='IOT'
uci set firewall.@rule[-1].dest_port='53'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall

# Allow ipv6 traffic to IOT
uci add firewall rule
uci set firewall.@rule[-1].name='Allow IPv6_IOT'
uci set firewall.@rule[-1].family='ipv6'
uci set firewall.@rule[-1].proto='icmp'
uci add_list firewall.@rule[-1].icmp_type='echo-reply'
uci add_list firewall.@rule[-1].icmp_type='echo-request'
uci add_list firewall.@rule[-1].icmp_type='neighbour-advertisement'
uci add_list firewall.@rule[-1].icmp_type='neighbour-solicitation'
uci add_list firewall.@rule[-1].icmp_type='port-unreachable'
uci add_list firewall.@rule[-1].icmp_type='protocol-unreachable'
uci add_list firewall.@rule[-1].icmp_type='router-advertisement'
uci add_list firewall.@rule[-1].icmp_type='router-solicitation'
uci add_list firewall.@rule[-1].icmp_type='time-exceeded'
uci set firewall.@rule[-1].src='IOT'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].limit='1000/sec'
uci set firewall.@rule[-1].limit_burst='100'
uci commit firewall

# Block IOT access to all networks
uci add firewall rule
uci set firewall.@rule[-1].name='Block IOT-to-All networks'
uci set firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].src='IOT'
uci set firewall.@rule[-1].dest='*'
uci add_list firewall.@rule[-1].dest_ip='192.168.100.0/24'
uci add_list firewall.@rule[-1].dest_ip='192.168.0.0/24'
uci add_list firewall.@rule[-1].dest_ip='fc00::/7'
uci add_list firewall.@rule[-1].dest_ip='fe80::/10'
uci set firewall.@rule[-1].target='DROP'
uci commit firewall
service firewall restart
Note: The IPv6 configuration tab of the main router (Huawei HG8245W5) can be restored to default.

As a result of this configuration, three IPv6 /64 blocks should be assigned to the LAN, IOT and Guest interfaces respectively (see the "Interfaces" tab in LuCI):
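The isolation the firewall script above is meant to give (guest and IoT devices reach only the internet, never the LAN, each other, the ULA space or the Huawei's 192.168.100.0/24) is easy to get subtly wrong once IPv6 is in play, so it is worth evaluating the policy offline rather than trusting the rule names. The script below is an added example, not code from the thread or from OpenWrt; it models only what fw4 does with forwarded traffic (rules carrying both src and dest, then forwarding sections, then the source zone's forward policy, in that order) using the zones, forwardings and the two "Block ...-to-All networks" rules exactly as the uci commands above define them. Input-chain rules such as "Allow Guest_DNS" do not affect forwarding and are left out; the sample addresses are constructed.

```python
"""Offline check of the zone policy built by the uci firewall script above.

Added example, not code from the thread or from OpenWrt: it models only what
fw4 does with forwarded traffic (zone forward policy, 'forwarding' sections
and 'rule' sections that carry both src and dest) and asks whether the
guest and IoT VLANs can reach anything besides the internet."""
import ipaddress

# Constructed model of the zones and forwardings defined in the script above.
ZONES = {
    "lan": {"forward": "ACCEPT"},
    "wan": {"forward": "REJECT"},
    "GUEST": {"forward": "REJECT"},
    "IOT": {"forward": "REJECT"},
}
FORWARDINGS = {("lan", "wan"), ("lan", "IOT"), ("GUEST", "wan"), ("IOT", "wan")}

# The two 'Block ...-to-All networks' rules: dest='*' means any destination
# zone, dest_ip is the list of networks the rule applies to.
ISOLATED_NETS = ["192.168.100.0/24", "192.168.0.0/24", "fc00::/7", "fe80::/10"]
RULES = [
    {"name": "Block Guest-to-All networks", "src": "GUEST", "dest": "*",
     "dest_ip": ISOLATED_NETS, "target": "DROP"},
    {"name": "Block IOT-to-All networks", "src": "IOT", "dest": "*",
     "dest_ip": ISOLATED_NETS, "target": "DROP"},
]


def rule_matches(rule, src, dest, dst_ip):
    """Match a forwarding rule against (source zone, destination zone, address)."""
    if rule["src"] != src:
        return False
    if rule.get("dest", "*") not in ("*", dest):
        return False
    family = rule.get("family")
    if family == "ipv4" and dst_ip.version != 4:
        return False
    if family == "ipv6" and dst_ip.version != 6:
        return False
    nets = rule.get("dest_ip")
    if nets and not any(dst_ip in ipaddress.ip_network(n) for n in nets):
        return False
    return True


def forward_verdict(src, dest, dst_ip):
    """Verdict for a packet forwarded from zone src to zone dest.

    fw4 walks the source zone's forward chain in this order: user rules,
    then the 'forwarding' sections, then the zone's own forward policy."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in RULES:
        if rule_matches(rule, src, dest, ip):
            return rule["target"]
    if (src, dest) in FORWARDINGS:
        return "ACCEPT"
    return ZONES[src]["forward"]


def isolation_report():
    """Map each constructed case to (verdict, what that verdict rests on)."""
    cases = [
        ("guest -> internet", "GUEST", "wan", "2001:db8::1"),
        ("guest -> Huawei admin 192.168.100.1", "GUEST", "wan", "192.168.100.1"),
        ("guest -> lan IPv4", "GUEST", "lan", "192.168.0.10"),
        ("guest -> lan ULA", "GUEST", "lan", "fd2d:3982:7f85:37::10"),
        ("guest -> lan GUA", "GUEST", "lan", "2001:db8:1:2503::10"),
        ("guest -> IoT IPv4", "GUEST", "IOT", "172.16.7.5"),
        ("IoT -> lan IPv4", "IOT", "lan", "192.168.0.10"),
        ("lan -> IoT", "lan", "IOT", "172.16.7.5"),
    ]
    report = {}
    for label, src, dest, ip in cases:
        addr = ipaddress.ip_address(ip)
        if any(rule_matches(r, src, dest, addr) for r in RULES):
            basis = "explicit rule"
        elif (src, dest) in FORWARDINGS:
            basis = "forwarding"
        else:
            basis = "zone default"
        report[label] = (forward_verdict(src, dest, ip), basis)
    return report


if __name__ == "__main__":
    for label, (verdict, basis) in isolation_report().items():
        print(f"{label:38s} {verdict:7s} ({basis})")
```

Two things the report makes visible that the rule names hide: the 192.168.100.0/24 entry is what keeps guest and IoT devices away from the Huawei's admin interface, which is otherwise reachable through the ordinary guest-to-wan forwarding; and guest-to-LAN traffic addressed to the delegated global prefixes (or to 172.16.7.0/24) is blocked only by the GUEST and IOT zones' default forward policy, not by the explicit DROP rules, so it stays blocked only as long as nobody adds a forwarding from those zones to another LAN zone.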


Glad to see you were able to make use of various gems from previous posts to get this working! By the way, here is the wiki blurb I added after I got this solution set up for ATT Fiber: https://openwrt.org/docs/guide-user/network/wan/isp-configurations#fiber

If your Orange Slovensko config is solid, you might also consider writing up your notes as an addition to the wiki for others in the future. Cheers!


Oh man, thanks! I really looked for this AT&T wiki guide, but the link in the original post led me to the wrong page...

Yes, for sure. I will test my config for a while, and will add a note about Orange Slovakia ISP.


Update:
Added this information to the OpenWrt wiki: https://openwrt.org/docs/guide-user/network/wan/isp-configurations#orange_slovensko
@_FailSafe @trendy Please let me know what you think.


Looks like a great community contribution to me--thanks for doing that!


Finally, I've received a response from my ISP.
ISP Orange Slovensko has officially confirmed to me that currently their customer-CPE devices do not support (and therefore cannot provide) an IPv6 Prefix Delegation greater than /64 to the LAN port of the Huawei fiber router.

So it looks like I'll have to deal with the only workaround of getting the multiple /64 prefixes described above.

  • Can the Huawei be placed into a bridge mode so you can test OpenWrt being the WAN/WAN6 router? If it is also your ONT/fiber/Ethernet media converter it might have such a setting.

I have to have a DHCPv6 server enabled on the network for PDs to be issued to the downstream routers I've tested (e.g. Verizon G-series devices; my OpenWrt is the ISP-connected device). I don't recall, without referencing the RFCs, whether SLAAC is enough to address downstream routers.

  • BTW a /60 provides sixteen /64 networks if my math serves me correctly - so it should work

It's not. You'll need to try DHCPv6.

See: https://www.arin.net/blog/2018/06/25/common-mistake-dhcpv6/