IPv6 Prefix assigned to wrong WAN Interface

moon · July 16, 2023, 12:25am

Hi,

I am using Dual-WAN, when setting up my router I noticed that IPv6 of my primary WAN Interface was not working, although I got an IP from my provider:

root@OpenWrt:~# traceroute6 -i pppoe-wan ipconfig.io
traceroute6: can't connect to remote host: Network unreachable

When I looked into the assigned IP-Adresses for this interface at first it looked normal it had the provider assigned ip adress.

21: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
    link/ppp 
    inet 87.xx.xx.xx peer 195.xx.xx.xx/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
    inet6 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/64 scope global dynamic noprefixroute 
       valid_lft 2591904sec preferred_lft 604704sec
    inet6 fe80::xxxx:xxxx:xxxx:xxxx peer fe80::xxxx:xxxx:xxxx:xxxx/128 scope link 
       valid_lft forever preferred_lft forever

But when I looked again, it suddenly had the prefixes delivered by the ISP to it which is how it is supposed to be, BUT it also had a prefix assigned from the other ISP:

21: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
    link/ppp 
    inet 87.xx.xx.xx peer 195.xx.xx.xx/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
    inet6 fd46:xxxx:xxxx:10::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 2a0a:xxxx:xxxx::1/60 scope global dynamic noprefixroute 
       valid_lft 88592sec preferred_lft 88592sec
    inet6 2a02:xxxx:xxxx:xxxx::1/60 scope global dynamic noprefixroute <----- Wrong prefix
       valid_lft 84992sec preferred_lft 41792sec
    inet6 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/64 scope global dynamic noprefixroute 
       valid_lft 2591822sec preferred_lft 604622sec
    inet6 fe80::xxxx:xxxx:xxxx:xxxx peer fe80::xxxx:xxxx:xxxx:xxxx/128 scope link 
       valid_lft forever preferred_lft forever

When I disabled downstream delegation of IPv6 Prefixes for both interfaces this behaviour obviously stopped and I could to tracaeroute6 again over the pppoe Interface.

I don't need downstream delegation as I use the nft map feature for translating my ULA prefix to the particular GUA-prefix.

But someone can explain this behaviour? I couldn't reproduce it even when enabling downstream delegation again. Does it still make sense to file a bug report?

Stefan

_bernd · July 16, 2023, 6:55am

You can set the scope of the down stream delegatation to local...

(You want no GUA on the downstream interface because you want to masquerade or translate from ULA to GUA correct?)

moon · July 16, 2023, 8:42am

Hi @_bernd ,

do you mean
uci set network.lan.ip6class="local"
?

Yep correct I want to have only GUA on on the clients, so I have set ip6class="local" and my clients don't get any ULA-adresses anymore. I am just wondering how the prefix of ISP_B ended up on the Interface of ISP_A

EDIT: Ah I see you mean "IPv6 prefix filter", yep I could try this, but doesn't have this the same effect than just disable prefix delegation at all? That works for me, just wondering what could be wrong in my config that ULA-prefix of ISP_B is ending up on the interface of ISP_A ofc. when I disable downstream delegation at all no prefixes get assigned anymore, but translating the prefix still works as the firewall rule which translates the prefix is created by a script and doesn't care if the interfaces have assigned IPv6 subnets assigned or not

moon · July 16, 2023, 1:03pm

UPDATE: I can reproduce (not excatly) but when I enable Delegate IPv6 prefixes and set the assignment length to 60 on each WAN interface, each interface gets an IPv6 from each ISP. This seems a bit quirky to me, is that how it is supposed to happen?

_bernd · July 16, 2023, 1:35pm

With a dual wan you want prefixes from both ISPs.

(Under the assumption that you have no Provider Independent IP space and speak bgp with your ISPs. Or that you have agreements with your ISPs for transit of the others ISPs IP space, which would be highly uncommon.)

moon · July 16, 2023, 1:51pm

Yes sure, no don't have PI

Whats bothering me is why does the Interface from Provider A does have an IP from Provider B and vice versa? I mean it without PI/transit agreement the ISPs wont route it anyway wont they?

mk24 · July 16, 2023, 1:53pm

ip6assign is for downstream (LAN) interfaces. In your case, none of your interfaces should have an ip6assign configured. Using this setting on a WAN (upstream facing) interface is just plain wrong.

Apparently one of the ISPs is sending you a routable prefix (this is different from what you have been calling the prefix which is part of the WAN GUA). In your case you don't want any GUAs around the LAN so you would not use this routable prefix for anything. ip6assign and ip6class controls the distribution of routable prefixes.

moon · July 16, 2023, 2:06pm

Oh thank you so much for clearing this up facepalm
now I get the tooltip
Assign a part of given length of every public IPv6-prefix to this interface
no wonder why they get IP-Adresses of each others PD

EDIT: They both seem to be sending me routable prefixes, so I am somehow translating them with "snat ip6 prefix to ip6 saddr map"

The strange thing happening that led me to use ip6assign is that doing

traceroute6 -s 2a02:xxxx:xxxx:xxxx::1444 -i lan1 www.google.de
 1traceroute6: sendto: Network unreachable

leads to Network unreachable

but

mwan3 use isp2 traceroute6 www.google.de

which essentially does the same gives a proper trace

but that is another topic

system · July 26, 2023, 2:07pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.