IPv6 prefix delegated to router but no internet connectivity

elwood · January 11, 2023, 12:29pm

Hi there! New user of OpenWrt here.

I'm having some trouble setting up an internet connection in my new apartment.

My OpenWrt router seem to be delegated an /59 ipv6 prefix from my ISP via DHCPv6, but I am unable to get internet connectivity and ping anything outside my own network.

The setup:

ISP -- [Technicolor TC4400-EU cable modem] -- [Ubiquiti Edgerouter X SFP with OpenWrt 22.03] -- LAN

My cable ISP provides an ipv6-only connection and only supports ipv4 through DS-Lite, by tunneling ipv4 in ipv6. Since OpenWrt seem to be one of the only distros/router firmwares with good support of DS-Lite (through the ds-lite package) with auto-configuration, I decided to give it a try.

However, as far as I understand, before DS-Lite can be configured, I need a working native ipv6 connection. This is where I am struggling right now.

I am using a pretty much factory-default installation of OpenWrt 22.03. Only changes I have made is an attempt to sub-delegate my /59 prefix to the LAN as a /64 subnet, using this video as reference.

However, I seem to not be able to reach the internet, not from the router itself nor from any computer connected to it.

root@OpenWrt:~# ping6 -c 5 google.com
ping6: bad address 'google.com'
root@OpenWrt:~# ping6 -c 5 2001:4860:4860::8888
PING 2001:4860:4860::8888 (2001:4860:4860::8888): 56 data bytes

--- 2001:4860:4860::8888 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
root@OpenWrt:~# nslookup google.com
;; connection timed out; no servers could be reached

root@OpenWrt:~# ip -6 route get 2001:4860:4860::8888
ip: RTNETLINK answers: Network unreachable

This is my /etc/config/network:

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'
	list ports 'eth4'
	list ports 'eth5'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option defaultroute '0'
	option delegate '0'
	option ip6assign '64'
	option ip6ifaceid '::1'
	option ip6hint '0'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'

Firewall config:

root@OpenWrt:~# cat /etc/config/firewall 

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

Ifstatus on wan6:

root@OpenWrt:~# ifstatus wan6
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 991,
	"l3_device": "eth0",
	"proto": "dhcpv6",
	"device": "eth0",
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		
	],
	"ipv6-address": [
		{
			"address": "2xxx:3xxx:80xx:8xxx::xxxx",
			"mask": 128,
			"preferred": 85408,
			"valid": 85408
		},
		{
			"address": "2xxx:3xxx:80xx:0xxx:xxxx:xxxx:fe16:xxxx",
			"mask": 64,
			"preferred": 604796,
			"valid": 2591996
		},
		{
			"address": "2xxx:8xxx:xxxx:xxxx:xxxx:xxxx:fe16:xxxx",
			"mask": 64,
			"preferred": 604800,
			"valid": 2592000
		},
		{
			"address": "2xxx:3xxx:80xx:8xxx:xxxx:xxxx:fe16:xxxx",
			"mask": 64,
			"preferred": 604800,
			"valid": 2592000
		}
	],
	"ipv6-prefix": [
		{
			"address": "2xxx:3xxx:84xx:xxxx::",
			"mask": 59,
			"preferred": 85408,
			"valid": 85408,
			"class": "wan6",
			"assigned": {
				"lan": {
					"address": "2xxx:3xxx:84xx:xxxx::",
					"mask": 64
				}
			}
		}
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "2xxx:3xxx:80xx:0xxx::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"valid": 2591996,
			"source": "::/0"
		},
		{
			"target": "2xxx:3xxx:80xx:8xxx::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"valid": 2592000,
			"source": "::/0"
		},
		{
			"target": "2xxx:8xxx:xxxx::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"valid": 2592000,
			"source": "::/0"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::xxxx:xxxx:30a7:xxxx",
			"metric": 512,
			"valid": 12,
			"source": "2xxx:3xxx:84xx:xxxx::/59"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::xxxx:xxxx:30a7:xxxx",
			"metric": 512,
			"valid": 12,
			"source": "2xxx:3xxx:80xx:0xxx:xxxx:xxxx:fe16:xxxx/64"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::xxxx:xxxx:30a7:xxxx",
			"metric": 512,
			"valid": 12,
			"source": "2xxx:3xxx:80xx:8xxx:xxxx:xxxx:fe16:xxxx/64"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::xxxx:xxxx:30a7:xxxx",
			"metric": 512,
			"valid": 12,
			"source": "2xxx:8xxx:xxxx:xxxx:xxxx:xxxx:fe16:xxxx/64"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::xxxx:xxxx:30a7:xxxx",
			"metric": 512,
			"valid": 12,
			"source": "2xxx:3xxx:80xx:8xxx::xxxx/128"
		}
	],
	"dns-server": [
		"2xxx:xxxx::530",
		"2xxx:xxxx::531"
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		"passthru": "001700202a010c300000000000000000000005302a010c300000000000000000000005310038001b00030017036e7470036273720a74656c65666f6e69636102646500"
	}
}

Any help would be much appreciated.

jow · January 11, 2023, 1:59pm

Can you provide the output of ifstatus wan6 and ip -6 r s t all ?

hnyman · January 11, 2023, 2:08pm

You might show also the DHCP config file, which has some relevant settings regarding the propagation to LAN.

I would try ipassign "62", a bit wider than 64

elwood · January 11, 2023, 2:13pm

Thank you for the quick response!

root@OpenWrt:~# ip -6 r s t all
default from 2xxx:3xxx:80xx:0xxx::/64 via fe80::xxxx:xxxx:30a7:xxxx dev eth0  metric 512 
default from 2xxx:3xxx:80xx:8xxx::xxxx via fe80::xxxx:xxxx:30a7:xxxx dev eth0  metric 512 
default from 2a02:3xxx:80xx:8xxx::/64 via fe80::xxxx:xxxx:30a7:xxxx dev eth0  metric 512 
default from 2a02:3xxx:84xx:xxxx::/59 via fe80::xxxx:xxxx:30a7:xxxx dev eth0  metric 512 
default from 2a02:8xxx:xxxx::/64 via fe80::xxxx:xxxx:30a7:xxxx dev eth0  metric 512

Sorry, had edited my post before I saw your reply. Copy-pasting the same info again from above.

root@OpenWrt:~# ifstatus wan6
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 991,
	"l3_device": "eth0",
	"proto": "dhcpv6",
	"device": "eth0",
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		
	],
	"ipv6-address": [
		{
			"address": "2xxx:3xxx:80xx:8xxx::xxxx",
			"mask": 128,
			"preferred": 85408,
			"valid": 85408
		},
		{
			"address": "2xxx:3xxx:80xx:0xxx:xxxx:xxxx:fe16:xxxx",
			"mask": 64,
			"preferred": 604796,
			"valid": 2591996
		},
		{
			"address": "2xxx:8xxx:xxxx:xxxx:xxxx:xxxx:fe16:xxxx",
			"mask": 64,
			"preferred": 604800,
			"valid": 2592000
		},
		{
			"address": "2xxx:3xxx:80xx:8xxx:xxxx:xxxx:fe16:xxxx",
			"mask": 64,
			"preferred": 604800,
			"valid": 2592000
		}
	],
	"ipv6-prefix": [
		{
			"address": "2xxx:3xxx:84xx:xxxx::",
			"mask": 59,
			"preferred": 85408,
			"valid": 85408,
			"class": "wan6",
			"assigned": {
				"lan": {
					"address": "2xxx:3xxx:84xx:xxxx::",
					"mask": 64
				}
			}
		}
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "2xxx:3xxx:80xx:0xxx::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"valid": 2591996,
			"source": "::/0"
		},
		{
			"target": "2xxx:3xxx:80xx:8xxx::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"valid": 2592000,
			"source": "::/0"
		},
		{
			"target": "2xxx:8xxx:xxxx::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"valid": 2592000,
			"source": "::/0"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::xxxx:xxxx:30a7:xxxx",
			"metric": 512,
			"valid": 12,
			"source": "2xxx:3xxx:84xx:xxxx::/59"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::xxxx:xxxx:30a7:xxxx",
			"metric": 512,
			"valid": 12,
			"source": "2xxx:3xxx:80xx:0xxx:xxxx:xxxx:fe16:xxxx/64"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::xxxx:xxxx:30a7:xxxx",
			"metric": 512,
			"valid": 12,
			"source": "2xxx:3xxx:80xx:8xxx:xxxx:xxxx:fe16:xxxx/64"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::xxxx:xxxx:30a7:xxxx",
			"metric": 512,
			"valid": 12,
			"source": "2xxx:8xxx:xxxx:xxxx:xxxx:xxxx:fe16:xxxx/64"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::xxxx:xxxx:30a7:xxxx",
			"metric": 512,
			"valid": 12,
			"source": "2xxx:3xxx:80xx:8xxx::xxxx/128"
		}
	],
	"dns-server": [
		"2xxx:xxxx::530",
		"2xxx:xxxx::531"
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		"passthru": "001700202a010c300000000000000000000005302a010c300000000000000000000005310038001b00030017036e7470036273720a74656c65666f6e69636102646500"
	}
}

elwood · January 11, 2023, 2:18pm

Sure, is there any benefit to assign a /62 subnet to LAN rather than a /64 subnet, more than having wider address range? Quite new to IPv6, was under the impression that the LAN needed to be a /64 network.

Here's the dhcp config:

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

jow · January 11, 2023, 2:21pm

Hmm, can you try ping6 with an explicit source selection?

ping6 -c 5 -I 2xxx:3xxx:80xx:8xxx::xxxx 2001:4860:4860::8888

Also remove / set to 1 the option delegate '0' in your LAN interface to allow OpenWrt to manage downstream IPv6.

mk24 · January 11, 2023, 2:22pm

The default settings are designed to get online with most ISPs that use DHCP and otherwise comply with standards. Some of the settings that you have changed in lan make no sense. The default ip6assign 60 will work with an ISP that issues a /56. You could change it to 64 if you will not be running additional routers downstream on the LAN.

Prefix delegation has nothing to do with reaching the Internet from the router itself though. For that the important thing is the default route received via RS/RA.

Can you ping the default route target? It is probably inside the cable modem (but if the cable modem is a true bridge, it could be at the ISP at the other end of the cable). If the cable modem is doing any routing internally, it must of course be properly configured.

Note that to ping a link local address it is necessary to specify the interface: ping fe80::xxxx:xxxx:xxxx:xxxx%eth0

Many cable companies lock to the MAC address of your router. If you change to a different router MAC it won't be able to reach the Internet unless that lock is released. In some cases that can be done by turning the cable modem off and leaving it off the network for at least 30 minutes.

elwood · January 11, 2023, 2:33pm

Removed delegate from network config, and changed ip6assign to 62 rather than 64.

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'
	list ports 'eth4'
	list ports 'eth5'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option defaultroute '0'
	option ip6ifaceid '::1'
	option ip6hint '0'
	option ip6assign '62'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'

If I try to ping using an explicit source:

root@OpenWrt:~# ping6 -c 5 -I 2xxx:3xxx:80xx:8xxx::xxxx 2001:4860:4860::8888
PING 2001:4860:4860::8888 (2001:4860:4860::8888) from 2xxx:3xxx:80xx:8xxx::xxxx: 56 data bytes

--- 2001:4860:4860::8888 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

trendy · January 11, 2023, 2:43pm

uci del network.lan.defaultroute
uci commit network
ifup lan

elwood · January 11, 2023, 2:50pm

Thanks for your reply.

I believe I won't be running any further downstream routers, so I believe I would be fine with a /64 network. Right now it's however set to /62, as suggested by @hnyman.

If I understand you correctly, I should ping the local link address:

root@OpenWrt:~# ping -c 5 fe80::xxxx:xxxx:30a7:xxxx%eth0
PING fe80::xxxx:xxxx:30a7:xxxx%eth0 (fe80::xxxx:xxxx:30a7:xxxx%3): 56 data bytes

--- fe80::xxxx:xxxx:30a7:xxxx%eth0 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

Please tell me if this is incorrect and if else what I should test.

I'm not entirely sure what role the cable modem plays and how this is supposed to work. The TC4400-EU is to my knowledge a "pure" modem without routing functionality, but this is out of my depth. What I did to get the modem online was to enter the MAC address of the cable modem into a form on my ISP's website and after an hour or so it seemingly connected. Do you mean that instead of giving my ISP the MAC address of the cable modem, I should instead give it the MAC address of my router (eth0 interface)?

elwood · January 11, 2023, 2:56pm

Thank you for your reply.

Ran the commands, here's the current network config:

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'
	list ports 'eth4'
	list ports 'eth5'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6ifaceid '::1'
	option ip6hint '0'
	option ip6assign '62'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'

Unfortunately, still seem to not have any connection to the internet.

root@OpenWrt:~# ping6 google.com
ping6: bad address 'google.com'
root@OpenWrt:~# ping6 -c 5 2001:4860:4860::8888
PING 2001:4860:4860::8888 (2001:4860:4860::8888): 56 data bytes

--- 2001:4860:4860::8888 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

trendy · January 11, 2023, 3:06pm

Can you ping the Technicolor?

hnyman · January 11, 2023, 3:08pm

Out of curiosity, have you rebooted the router?
Just thinking if netifd, odhcp6c or odhpcd needs a harder restart in a IPv6 only situation.

"IPv6 only" is a rather rare initial connectivity situation, so there might be quirks related to it.

Your IPv6 interface status looks rather normal, so I wonder about more exotic "IPv6 only" possibilities about firewall not updated correctly or something like that.

Regarding ping: can you reach the ISP nexthop? ( fe80::xxxx:xxxx:30a7:xxxx ?)

EDIT:
you are masking so much of the addresses that it is hard to figure out...

elwood · January 11, 2023, 3:29pm

Rebooted a few times, did another one right now just to be sure. Didn't seem to change much unfortunately.

Yes, never had experienced this before, quite annoying. Have previously always had an ipv4 connection to fall back to. I recently moved to Germany from abroad and here is seems like most people are using ISP provided router/modem combos ("Fritzboxes") but I thought I would make my own way with my own gear. Although it should be possible in principle with other successful users online, the language barrier and my limited technical knowledge in this area makes it difficult.

I assume you mean this?

root@OpenWrt:~# ping6 -c 5 fe80::xxxx:xxxx:30a7:xxxx
PING fe80::xxxx:xxxx:30a7:xxxx (fe80::xxxx:xxxx:30a7:xxxx): 56 data bytes

--- fe80::xxxx:xxxx:30a7:xxxx ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

Sorry, I haven't worked with ipv6 addresses before, so I'm not sure how much masking is neccessary without removing essential information. Please, tell me how I could improve to make it easier to read.

At this point I'm almost willing to doxx myself just to get the issue resolved.

elwood · January 11, 2023, 3:34pm

Sorry, I'm quite new to ipv6, would pinging the modem be the same as pinging the default gateway, i.e. the link-local fe80:: address displayed on the status page in Luci?

root@OpenWrt:~# ping6 -c 5 fe80::xxxx:xxxx:30a7:xxxx
PING fe80::xxxx:xxxx:30a7:xxxx (fe80::xxxx:xxxx:30a7:xxxx): 56 data bytes

--- fe80::xxxx:xxxx:30a7:xxxx ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

trendy · January 11, 2023, 3:37pm

For a start try to change a few characters from the addresses consistently, that means for example change all the 1 into a and all the 5 into b. There are quite a lot of addresses so there might be something suspicious there.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
ifstatus wan6; ifstatus lan

hnyman · January 11, 2023, 4:04pm

In my humble opinion, likely nothing needs to be masked. Knowing your current IPv6 address does not help a hacker much. (assuming that the OpenWrt firewall works normally)

On the other hand, knowing your current IPv6 address might enable us to try to ping you, testing where the connectivity breaks. (By default the OpenWrt router answers to the IPv6 pings that are actually needed for route and MTU determination)

(your IPv6 address and the /59 prefix will likely change intermittently in future, so the address is likely temporary in any case)

elwood · January 11, 2023, 4:14pm

Thank you all for your help.

Here's the output of the commands, tried to use find and replace to systematically scramble the ip addresses. Hope its better than earlier.

root@OpenWrt:~# ubus call system board; \
> uci export network; \
> uci export dhcp; uci export firewall; \
> ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
> ifstatus wan6; ifstatus lan
{
	"kernel": "5.10.161",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Ubiquiti EdgeRouter X SFP",
	"board_name": "ubnt,edgerouter-x-sfp",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.3",
		"revision": "r20028-43d71ad93e",
		"target": "ramips/mt7621",
		"description": "OpenWrt 22.03.3 r20028-43d71ad93e"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'
	list ports 'eth4'
	list ports 'eth5'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6ifaceid '::1'
	option ip6hint '0'
	option ip6assign '62'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: dsa: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1504 state UP qlen 1000
    inet6 fe80::aaaa:bbbb:fe16:ccc0/64 scope link 
       valid_lft forever preferred_lft forever
3: eth0@dsa: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a02:1234:6001:80e2:aaaa:bbbb:fe16:ccc0/64 scope global dynamic noprefixroute 
       valid_lft 2591998sec preferred_lft 604798sec
    inet6 2a02:5678:a0c:0:aaaa:bbbb:fe16:ccc0/64 scope global dynamic noprefixroute 
       valid_lft 2591996sec preferred_lft 604796sec
    inet6 2a02:1234:6001:e2:aaaa:bbbb:fe16:ccc0/64 scope global dynamic noprefixroute 
       valid_lft 2591999sec preferred_lft 604799sec
    inet6 2a02:1234:6001:80e2::191/128 scope global dynamic noprefixroute 
       valid_lft 84918sec preferred_lft 84918sec
    inet6 fe80::aaaa:bbbb:fe16:ccc0/64 scope link 
       valid_lft forever preferred_lft forever
9: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a02:1234:9000:720::1/62 scope global dynamic noprefixroute 
       valid_lft 84918sec preferred_lft 84918sec
    inet6 fe80::aaaa:bbbb:fe16:ccc1/64 scope link 
       valid_lft forever preferred_lft forever
default from 2a02:1234:6001:e2::/64 via fe80::dddd:eeee:30a7:ffff dev eth0  metric 512 
default from 2a02:1234:6001:80e2::191 via fe80::dddd:eeee:30a7:ffff dev eth0  metric 512 
default from 2a02:1234:6001:80e2::/64 via fe80::dddd:eeee:30a7:ffff dev eth0  metric 512 
default from 2a02:1234:9000:720::/59 via fe80::dddd:eeee:30a7:ffff dev eth0  metric 512 
default from 2a02:5678:a0c::/64 via fe80::dddd:eeee:30a7:ffff dev eth0  metric 512 
2a02:1234:6001:e2::/64 dev eth0  metric 256 
unreachable 2a02:1234:6001:e2::/64 dev lo  metric 2147483647 
2a02:1234:6001:80e2::/64 dev eth0  metric 256 
unreachable 2a02:1234:6001:80e2::/64 dev lo  metric 2147483647 
2a02:1234:9000:720::/64 dev br-lan  metric 1024 
unreachable 2a02:1234:9000:720::/59 dev lo  metric 2147483647 
2a02:5678:a0c::/64 dev eth0  metric 256 
unreachable 2a02:5678:a0c::/64 dev lo  metric 2147483647 
fe80::/64 dev dsa  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev eth0  metric 256 
local ::1 dev lo table local  metric 0 
anycast 2a02:1234:6001:e2:: dev eth0 table local  metric 0 
local 2a02:1234:6001:e2:aaaa:bbbb:fe16:ccc0 dev eth0 table local  metric 0 
anycast 2a02:1234:6001:80e2:: dev eth0 table local  metric 0 
local 2a02:1234:6001:80e2::191 dev eth0 table local  metric 0 
local 2a02:1234:6001:80e2:aaaa:bbbb:fe16:ccc0 dev eth0 table local  metric 0 
anycast 2a02:1234:9000:720:: dev br-lan table local  metric 0 
local 2a02:1234:9000:720::1 dev br-lan table local  metric 0 
anycast 2a02:5678:a0c:: dev eth0 table local  metric 0 
local 2a02:5678:a0c:0:aaaa:bbbb:fe16:ccc0 dev eth0 table local  metric 0 
anycast fe80:: dev dsa table local  metric 0 
anycast fe80:: dev br-lan table local  metric 0 
anycast fe80:: dev eth0 table local  metric 0 
local fe80::aaaa:bbbb:fe16:ccc0 dev dsa table local  metric 0 
local fe80::aaaa:bbbb:fe16:ccc0 dev eth0 table local  metric 0 
local fe80::aaaa:bbbb:fe16:ccc1 dev br-lan table local  metric 0 
multicast ff00::/8 dev dsa table local  metric 256 
multicast ff00::/8 dev br-lan table local  metric 256 
multicast ff00::/8 dev eth0 table local  metric 256 
0:	from all lookup local 
32766:	from all lookup main 
4200000000:	from 2a02:1234:9000:720::1/62 iif br-lan lookup unspec unreachable
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 1483,
	"l3_device": "eth0",
	"proto": "dhcpv6",
	"device": "eth0",
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		
	],
	"ipv6-address": [
		{
			"address": "2a02:1234:6001:80e2::191",
			"mask": 128,
			"preferred": 84917,
			"valid": 84917
		},
		{
			"address": "2a02:1234:6001:e2:aaaa:bbbb:fe16:ccc0",
			"mask": 64,
			"preferred": 604798,
			"valid": 2591998
		},
		{
			"address": "2a02:5678:a0c:0:aaaa:bbbb:fe16:ccc0",
			"mask": 64,
			"preferred": 604795,
			"valid": 2591995
		},
		{
			"address": "2a02:1234:6001:80e2:aaaa:bbbb:fe16:ccc0",
			"mask": 64,
			"preferred": 604797,
			"valid": 2591997
		}
	],
	"ipv6-prefix": [
		{
			"address": "2a02:1234:9000:720::",
			"mask": 59,
			"preferred": 84917,
			"valid": 84917,
			"class": "wan6",
			"assigned": {
				"lan": {
					"address": "2a02:1234:9000:720::",
					"mask": 62
				}
			}
		}
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "2a02:1234:6001:e2::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"valid": 2591998,
			"source": "::/0"
		},
		{
			"target": "2a02:1234:6001:80e2::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"valid": 2591997,
			"source": "::/0"
		},
		{
			"target": "2a02:5678:a0c::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"valid": 2591995,
			"source": "::/0"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::dddd:eeee:30a7:ffff",
			"metric": 512,
			"valid": 9,
			"source": "2a02:1234:9000:720::/59"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::dddd:eeee:30a7:ffff",
			"metric": 512,
			"valid": 9,
			"source": "2a02:1234:6001:e2:aaaa:bbbb:fe16:ccc0/64"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::dddd:eeee:30a7:ffff",
			"metric": 512,
			"valid": 9,
			"source": "2a02:1234:6001:80e2:aaaa:bbbb:fe16:ccc0/64"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::dddd:eeee:30a7:ffff",
			"metric": 512,
			"valid": 9,
			"source": "2a02:5678:a0c:0:aaaa:bbbb:fe16:ccc0/64"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::dddd:eeee:30a7:ffff",
			"metric": 512,
			"valid": 9,
			"source": "2a02:1234:6001:80e2::191/128"
		}
	],
	"dns-server": [
		"2a01:c30::530",
		"2a01:c30::531"
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		"passthru": "001700202a010c300000000000000000000005302a010c300000000000000000000005310038001b00030017036e7470036273720a74656c65666f6e69636102646500"
	}
}
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 1676,
	"l3_device": "br-lan",
	"proto": "static",
	"device": "br-lan",
	"updated": [
		"addresses"
	],
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		{
			"address": "192.168.1.1",
			"mask": 24
		}
	],
	"ipv6-address": [
		
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		{
			"address": "2a02:1234:9000:720::",
			"mask": 62,
			"preferred": 84917,
			"valid": 84917,
			"local-address": {
				"address": "2a02:1234:9000:720::1",
				"mask": 62
			}
		}
	],
	"route": [
		
	],
	"dns-server": [
		
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		
	}
}

trendy · January 11, 2023, 4:27pm

Are you sure that the technicolor is properly set up?
There are 3 slaac and 1 dhcp IPv6 addresses in wan. Normally 1 and 1 are enough. Moreover the network part of the 2nd and 3rd is different that 1st and 4th.

elwood:

3: eth0@dsa: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a02:1234:6001:80e2:aaaa:bbbb:fe16:ccc0/64 scope global dynamic noprefixroute 
    inet6 2a02:5678:a0c:0:aaaa:bbbb:fe16:ccc0/64 scope global dynamic noprefixroute 
    inet6 2a02:1234:6001:e2:aaaa:bbbb:fe16:ccc0/64 scope global dynamic noprefixroute 
    inet6 2a02:1234:6001:80e2::191/128 scope global dynamic noprefixroute

Is there any other router advertising in the network?

elwood · January 11, 2023, 4:31pm

Ok, I think you may be right. And as of now, I'm willing to risk it.

Here's the unaltered output of the command given by @trendy.

root@OpenWrt:~# ubus call system board; \
> uci export network; \
> uci export dhcp; uci export firewall; \
> ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
> ifstatus wan6; ifstatus lan
{
	"kernel": "5.10.161",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Ubiquiti EdgeRouter X SFP",
	"board_name": "ubnt,edgerouter-x-sfp",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.3",
		"revision": "r20028-43d71ad93e",
		"target": "ramips/mt7621",
		"description": "OpenWrt 22.03.3 r20028-43d71ad93e"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'
	list ports 'eth4'
	list ports 'eth5'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6ifaceid '::1'
	option ip6hint '0'
	option ip6assign '62'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: dsa: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1504 state UP qlen 1000
    inet6 fe80::265a:4cff:fe16:6870/64 scope link 
       valid_lft forever preferred_lft forever
3: eth0@dsa: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a02:3102:8001:80e2:265a:4cff:fe16:6870/64 scope global dynamic noprefixroute 
       valid_lft 2591998sec preferred_lft 604798sec
    inet6 2a02:8071:d00:0:265a:4cff:fe16:6870/64 scope global dynamic noprefixroute 
       valid_lft 2591996sec preferred_lft 604796sec
    inet6 2a02:3102:8001:e2:265a:4cff:fe16:6870/64 scope global dynamic noprefixroute 
       valid_lft 2591999sec preferred_lft 604799sec
    inet6 2a02:3102:8001:80e2::191/128 scope global dynamic noprefixroute 
       valid_lft 84918sec preferred_lft 84918sec
    inet6 fe80::265a:4cff:fe16:6870/64 scope link 
       valid_lft forever preferred_lft forever
9: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a02:3102:8470:720::1/62 scope global dynamic noprefixroute 
       valid_lft 84918sec preferred_lft 84918sec
    inet6 fe80::265a:4cff:fe16:6871/64 scope link 
       valid_lft forever preferred_lft forever
default from 2a02:3102:8001:e2::/64 via fe80::1239:e901:30a7:cf70 dev eth0  metric 512 
default from 2a02:3102:8001:80e2::191 via fe80::1239:e901:30a7:cf70 dev eth0  metric 512 
default from 2a02:3102:8001:80e2::/64 via fe80::1239:e901:30a7:cf70 dev eth0  metric 512 
default from 2a02:3102:8470:720::/59 via fe80::1239:e901:30a7:cf70 dev eth0  metric 512 
default from 2a02:8071:d00::/64 via fe80::1239:e901:30a7:cf70 dev eth0  metric 512 
2a02:3102:8001:e2::/64 dev eth0  metric 256 
unreachable 2a02:3102:8001:e2::/64 dev lo  metric 2147483647 
2a02:3102:8001:80e2::/64 dev eth0  metric 256 
unreachable 2a02:3102:8001:80e2::/64 dev lo  metric 2147483647 
2a02:3102:8470:720::/64 dev br-lan  metric 1024 
unreachable 2a02:3102:8470:720::/59 dev lo  metric 2147483647 
2a02:8071:d00::/64 dev eth0  metric 256 
unreachable 2a02:8071:d00::/64 dev lo  metric 2147483647 
fe80::/64 dev dsa  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev eth0  metric 256 
local ::1 dev lo table local  metric 0 
anycast 2a02:3102:8001:e2:: dev eth0 table local  metric 0 
local 2a02:3102:8001:e2:265a:4cff:fe16:6870 dev eth0 table local  metric 0 
anycast 2a02:3102:8001:80e2:: dev eth0 table local  metric 0 
local 2a02:3102:8001:80e2::191 dev eth0 table local  metric 0 
local 2a02:3102:8001:80e2:265a:4cff:fe16:6870 dev eth0 table local  metric 0 
anycast 2a02:3102:8470:720:: dev br-lan table local  metric 0 
local 2a02:3102:8470:720::1 dev br-lan table local  metric 0 
anycast 2a02:8071:d00:: dev eth0 table local  metric 0 
local 2a02:8071:d00:0:265a:4cff:fe16:6870 dev eth0 table local  metric 0 
anycast fe80:: dev dsa table local  metric 0 
anycast fe80:: dev br-lan table local  metric 0 
anycast fe80:: dev eth0 table local  metric 0 
local fe80::265a:4cff:fe16:6870 dev dsa table local  metric 0 
local fe80::265a:4cff:fe16:6870 dev eth0 table local  metric 0 
local fe80::265a:4cff:fe16:6871 dev br-lan table local  metric 0 
multicast ff00::/8 dev dsa table local  metric 256 
multicast ff00::/8 dev br-lan table local  metric 256 
multicast ff00::/8 dev eth0 table local  metric 256 
0:	from all lookup local 
32766:	from all lookup main 
4200000000:	from 2a02:3102:8470:720::1/62 iif br-lan lookup unspec unreachable
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 1483,
	"l3_device": "eth0",
	"proto": "dhcpv6",
	"device": "eth0",
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		
	],
	"ipv6-address": [
		{
			"address": "2a02:3102:8001:80e2::191",
			"mask": 128,
			"preferred": 84917,
			"valid": 84917
		},
		{
			"address": "2a02:3102:8001:e2:265a:4cff:fe16:6870",
			"mask": 64,
			"preferred": 604798,
			"valid": 2591998
		},
		{
			"address": "2a02:8071:d00:0:265a:4cff:fe16:6870",
			"mask": 64,
			"preferred": 604795,
			"valid": 2591995
		},
		{
			"address": "2a02:3102:8001:80e2:265a:4cff:fe16:6870",
			"mask": 64,
			"preferred": 604797,
			"valid": 2591997
		}
	],
	"ipv6-prefix": [
		{
			"address": "2a02:3102:8470:720::",
			"mask": 59,
			"preferred": 84917,
			"valid": 84917,
			"class": "wan6",
			"assigned": {
				"lan": {
					"address": "2a02:3102:8470:720::",
					"mask": 62
				}
			}
		}
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "2a02:3102:8001:e2::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"valid": 2591998,
			"source": "::/0"
		},
		{
			"target": "2a02:3102:8001:80e2::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"valid": 2591997,
			"source": "::/0"
		},
		{
			"target": "2a02:8071:d00::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"valid": 2591995,
			"source": "::/0"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::1239:e901:30a7:cf70",
			"metric": 512,
			"valid": 9,
			"source": "2a02:3102:8470:720::/59"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::1239:e901:30a7:cf70",
			"metric": 512,
			"valid": 9,
			"source": "2a02:3102:8001:e2:265a:4cff:fe16:6870/64"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::1239:e901:30a7:cf70",
			"metric": 512,
			"valid": 9,
			"source": "2a02:3102:8001:80e2:265a:4cff:fe16:6870/64"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::1239:e901:30a7:cf70",
			"metric": 512,
			"valid": 9,
			"source": "2a02:8071:d00:0:265a:4cff:fe16:6870/64"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::1239:e901:30a7:cf70",
			"metric": 512,
			"valid": 9,
			"source": "2a02:3102:8001:80e2::191/128"
		}
	],
	"dns-server": [
		"2a01:c30::530",
		"2a01:c30::531"
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		"passthru": "001700202a010c300000000000000000000005302a010c300000000000000000000005310038001b00030017036e7470036273720a74656c65666f6e69636102646500"
	}
}
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 1676,
	"l3_device": "br-lan",
	"proto": "static",
	"device": "br-lan",
	"updated": [
		"addresses"
	],
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		{
			"address": "192.168.1.1",
			"mask": 24
		}
	],
	"ipv6-address": [
		
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		{
			"address": "2a02:3102:8470:720::",
			"mask": 62,
			"preferred": 84917,
			"valid": 84917,
			"local-address": {
				"address": "2a02:3102:8470:720::1",
				"mask": 62
			}
		}
	],
	"route": [
		
	],
	"dns-server": [
		
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		
	}
}