IPv6 prefix from the VPN server side

PC2:

C:\Users>tracert -6 openwrt.org

Routenverfolgung zu openwrt.org [2a03:b0c0:3:d0::1af1:1]
über maximal 30 Hops:

  1    <1 ms    <1 ms    <1 ms  2a02:908:3034:f2e0::1
  2    26 ms    26 ms    25 ms  fdbf:1d37:bbe0:0:72:10:0:1
  3    34 ms    80 ms    65 ms  2a01:4a0:c::1
  4    40 ms    38 ms    40 ms  2a01:4a0:0:2019::31
  5    40 ms    39 ms    41 ms  fra1-edge1.digitalocean.com [2001:7f8::36ed:0:1]
  6     *        *        *     Zeitüberschreitung der Anforderung.
  7    40 ms    39 ms    40 ms  wiki-01.infra.openwrt.org [2a03:b0c0:3:d0::1af1:1]

PC1:

C:\Users>tracert -6 openwrt.org

Routenverfolgung zu openwrt.org [2a03:b0c0:3:d0::1af1:1]
über maximal 30 Hops:

  1    <1 ms    <1 ms    <1 ms  2a02:908:3034:f2e0::1
  2    26 ms    26 ms    26 ms  fdbf:1d37:bbe0:0:72:10:0:1
  3    42 ms    34 ms    34 ms  2a01:4a0:c::1
  4    41 ms    39 ms    40 ms  2a01:4a0:0:2019::31
  5    40 ms    39 ms    39 ms  fra1-edge1.digitalocean.com [2001:7f8::36ed:0:1]
  6     *        *        *     Zeitüberschreitung der Anforderung.
  7    40 ms    39 ms    40 ms  wiki-01.infra.openwrt.org [2a03:b0c0:3:d0::1af1:1]

The same on PC1 and PC2.

Is this caused by the VPN Policy Routing package?

It is possible.
Otherwise a connection that activates later should supersede the one that activates earlier.
Also IPv4 and IPv6 inside every tunnel work independently and may take different time to activate.
The end result is probably a race condition.

I have activated the VPN connections at different times. I also have activated this NAT6 script later.

Everything's the same.

Maybe I can set the IPv6 routes manually.

How do I do that?

VPR does not in any way interfere with how the tunnel connections are established and legacy/IPv6 assigned.

Can you post/PM me the output of ifconfig tho?

I have some warning messages.

What do they mean?

root@OpenWrt:~# service firewall restart
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 nat table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Forward 'lan' -> 'PP_FW1'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'PP_FW1'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'PP_FW1'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'PP_FW1'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Forward 'lan' -> 'PP_FW1'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'PP_FW1'
 * Populating IPv6 nat table
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_PP_FW1_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_PP_FW1_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'PP_FW1'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'PP_FW1'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
 * Running script '/etc/firewall.nat6'

It looks like you want each of the LAN clients to use a different VPN connection.
But IPv4 and IPv6 traffic is routed independently.
That's why you can't use IPv4 addresses to manipulate IPv6 traffic.
You need to either create additional policies for IPv6 addresses or utilize source routing.

I understand network technology poorly,
and I use Google translator to translate this language. :grin:
For me it is difficult to explain the issue. So thank you so much for your help.

What is the simplest method?

Create additional policies for IPv6 addresses or use source routing?


Since you have already utilized VPR and it works for IPv4, I suggest adding policies for IPv6 as well.

How do I add policies for IPv6?

What information do you need to help me with this?

Find out your LAN client DUIDs and assign static IPv6 leases.
Then duplicate your last 2 policies replacing IPv4 addresses with IPv6.

I use Windows 10 on 2 PCs. I found only one DHCPv6 DUID on a PC,
under: HKLM\System\CurrentControlSet\services\TCPIP6\Parameters
I hope that's what you meant.

I have now made 2 entries under /etc/config/dhcp.

Example:

config host
	option mac 'AA:BB:CC:DD:EE:FF'
	option dns '1'
	option name 'DESKTOP-ABCDEFGH'
	option duid '0102030405060708091011121314'
	option ip '192.168.1.112'

config host
	option mac 'FF:EE:DD:CC:BB:AA'
	option dns '1'
	option name 'DESKTOP-HGFEDCBA'
	option duid '1413121110090807060504030201'
	option ip '192.168.1.141'

I hope that this is correct.

Can you explain that more exactly?

Should I change IPv6 with IPv4 addresses in VPR Package? Which IPv6 do I have to enter there?
Link-Local IPv6 address from PC1 and PC2?

You can also see the DUIDs on the router:

ubus call dhcp ipv6leases

And you are missing the hostid option.

OK. I have entered 128 as the hostid number for both PCs.

Are the IPv6 LAN entries also in the output of "ubus call dhcp ipv6leases"?

I have 2 entries under Status/Overview/Active DHCPv6 Leases:
2a02:xxx:xxxx:xxxx::128/128
fd12:xxxx:xxxx::128/128

Which IPv6 should I enter in VPR?

This is an IPv6 address suffix, so you should use different numbers for different LAN clients to separate the traffic.

From the same subnet which tracert makes the first hop on the path to the internet.

I think I have set all options for static IPv6 leases. If I run "tracert -6 www.google.com" on both PCs, then I have the same IPv6.

I do not know what I'm doing wrong.

If I understand IPv6 correctly, then IPv6 consists of prefix, interface identifier and suffix.

When I enter hostid/IPv6 suffix, like here

then that changes the last block of interface identifier and not suffix.

Is that correct?

Actually it's the last 64 bits since xxxx:xxxx:xxxx:xxxx::20 expands to xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0020

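The hostid mechanics discussed in this thread, as an added example that is not part of any post: a check over `/etc/config/dhcp` host sections that computes each static DHCPv6 address and flags hosts that share a suffix or lack `duid`/`hostid`, since a client without its own IPv6 address cannot be matched by a separate IPv6 policy. The prefix `2001:db8:0:1::/64`, the host names PC1 to PC3 and all function names are assumptions; the sample config is constructed.

```python
import ipaddress
import re

# Constructed sample in /etc/config/dhcp syntax (placeholder names and DUIDs).
SAMPLE = """
config host
	option name 'PC1'
	option duid '0102030405060708091011121314'
	option hostid '128'
config host
	option name 'PC2'
	option duid '1413121110090807060504030201'
	option hostid '128'
config host
	option name 'PC3'
	option ip '192.168.1.150'
"""

def parse_hosts(text):
    """Return one dict of options per 'config host' section."""
    hosts, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            cur = {} if line.split()[1] == "host" else None
            if cur is not None:
                hosts.append(cur)
        elif cur is not None and (m := re.match(r"option\s+(\S+)\s+'?([^']*)'?$", line)):
            cur[m.group(1)] = m.group(2)
    return hosts

def static_address(prefix, hostid):
    """Prefix plus hostid read as a hexadecimal suffix ('128' -> ::128)."""
    return ipaddress.IPv6Network(prefix).network_address + int(hostid, 16)

def check(text, prefix):
    """Return ({host: IPv6 lease address}, [problems]) for the host sections."""
    addrs, problems, seen = {}, [], {}
    for h in parse_hosts(text):
        name = h.get("name", "?")
        if "duid" not in h or "hostid" not in h:
            problems.append(f"{name}: no duid/hostid, so no static IPv6 lease")
            continue
        addr = static_address(prefix, h["hostid"])
        if (first := seen.setdefault(addr, name)) != name:
            problems.append(f"{name}: same address as {first} ({addr})")
        addrs[name] = addr.exploded  # full form shows the suffix in the last 64 bits
    return addrs, problems

if __name__ == "__main__":
    print(check(SAMPLE, "2001:db8:0:1::/64"))
```

Giving PC1 and PC2 different hostid values yields two distinct addresses, which is what per-client IPv6 policies need in order to separate the traffic.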