IPv6 relay mode other interfaces

Hi, I use IPv6 relay mode. When I configure it on the "lan" interface, clients receive IPv6 addresses, but when I configure it on the "guest" interface, they don't. What am I missing?

Are you saying that you configured relay for more than one interface simultaneously?

Let me explain.

When I try to use relay mode in the "guest" interface, IPv6 addresses are not received. However, if I configure it in the "lan" interface, IPv6 addresses work.


So to be clear, you're not configuring relay for more than one interface simultaneously on both LAN and Guest?

Please answer the question about simultaneous configuration.

Additionally, can you show your configs:

cat /etc/config/network

cat /etc/config/dhcp

In the initial attempt, I tried using relay mode on the "lan" and "guest" interfaces. I thought that since I activated the mode on both interfaces and it didn't work for the guest, I disabled it on the "lan" interface and only activated relay mode on "guest," but it still didn't work.

I'm using relay mode on the lan at the moment

dhcp

# /etc/config/dhcp as pasted in the thread: global dnsmasq settings, the
# odhcpd daemon section, and one 'config dhcp' section per interface.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        # DNS-rebinding protection: upstream replies that point into private
        # address space are discarded; rebind_localhost additionally lets
        # 127.0.0.0/8 answers through (used by DNS-based blocklists).
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        # Answer DNS only for clients on directly attached subnets.
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

# Working case according to the poster: RA, DHCPv6 and NDP are all relayed
# between this interface and the upstream marked 'master' below.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        # DHCP option 6 = DNS server handed to IPv4 clients (the router itself).
        list dhcp_option '6,10.10.10.1'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        # maindhcp '0': odhcpd does not serve DHCPv4; dnsmasq does.
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Upstream side of the relay: 'master' marks wan6 as the interface whose
# RA/DHCPv6/NDP traffic is relayed to the downstream interfaces.
config dhcp 'wan6'
        option interface 'wan6'
        option ignore '1'
        option master '1'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'

config dhcp 'mgmt'
        option interface 'mgmt'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,1.1.1.1,8.8.8.8'

# Failing case: the same relay trio as 'lan'. Nothing in this section differs
# from 'lan' on the IPv6 side, so the difference has to be elsewhere; the
# thread later traces it to the firewall rules for the guest zone, which
# rejected the ICMPv6 the router needs to receive from guest clients.
config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        # Guests are pointed at public resolvers rather than the router.
        list dhcp_option '6,8.8.8.8,1.1.1.1'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'

network

        # /etc/config/network as pasted. The paste starts mid-section: these
        # four options have no 'config' line above them (presumably the
        # loopback interface section; confirm against the real file).
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        # Locally generated ULA prefix (fd00::/8 space, not globally routed).
        option ula_prefix 'fd86:86ed:0e82::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# Three VLANs on the bridge: 10 (lan), 20 (mgmt), 30 (guest), matching the
# br-lan.N devices used below. Only VLAN 20 lists a member port in this
# paste; VLANs 10 and 30 list none.
config bridge-vlan
        option device 'br-lan'
        option vlan '10'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan4'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'

config interface 'lan'
        option device 'br-lan.10'
        option proto 'static'
        option ipaddr '10.10.10.1'
        option netmask '255.255.255.0'
        # Requests a /60 out of any delegated prefix; a later reply in the
        # thread points out this has no use when relaying a single /64.
        option ip6assign '60'
        option metric '20'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        # Ignore ISP-provided resolvers and use the two listed below.
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '8.8.8.8'
        option metric '10'

# DHCPv6 client on the same physical device as 'wan' ('@wan' is an alias).
config interface 'wan6'
        option device '@wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '2606:4700:4700::1111'
        list dns '2001:4860:4860::8888'

config interface 'mgmt'
        option proto 'static'
        option device 'br-lan.20'
        option ipaddr '10.20.20.1'
        option netmask '255.255.255.0'
        option metric '30'

config interface 'guest'
        option proto 'static'
        option device 'br-lan.30'
        # NOTE(review): 172.172.172.0/24 is not RFC 1918 space (the private
        # 172 block is 172.16.0.0/12, i.e. 172.16.x.x-172.31.x.x). Using it
        # internally shadows the real public hosts in that range; a private
        # range avoids that.
        option ipaddr '172.172.172.1'
        option netmask '255.255.255.0'
        option metric '40'
        option ip6assign '64'
        # NOTE(review): 'local' presumably limits assigned prefixes to the
        # ULA class, so this interface would not take a delegated public
        # prefix even if one existed; confirm against netifd documentation.
        list ip6class 'local'

Why do you have metrics set (especially on LAN)?

Have you tried removing this?

I've already removed everything, however, relay mode only works on the "lan" interface


Make sure your guest interface firewall policies/zone allows the necessary IPv6 ICMP traffic.


Could you explain to me how to do this? Or send the rule? Please. I use the standard ICMP rules

Can you show your config:

cat /etc/config/firewall

# /etc/config/firewall as pasted. In each zone, 'input' is the policy for
# traffic addressed to the router itself and 'forward' the policy for traffic
# passing through it; 'config rule' sections are exceptions to those policies.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
# Trusted zone: everything from lan to the router is accepted, which is why
# relay works there without any explicit ICMPv6 or DHCPv6 rule.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
config forwarding
        option src 'lan'
        option dest 'wan'
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
# DHCPv6 replies to the router's own client on wan6 (udp/546 is the client port).
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
# ICMPv6 the router accepts from wan: an explicit type list plus a rate limit.
# This is the narrow shape a per-zone ICMPv6 rule can follow.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
# Forwarded ICMPv6 from wan to any zone: error and echo types only, no
# neighbour-discovery types.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
# Restricted zones: traffic to the router is rejected unless a rule accepts it.
config zone
        option name 'mgmt'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'mgmt'
# With input 'REJECT' and only the DNS and DHCPv4 rules below, nothing in this
# paste accepts ICMPv6 (router/neighbour solicitation) or DHCPv6 (udp/547)
# from guest clients, which the router must receive for relay to function.
config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'
# No 'proto' given, so the rule covers both TCP and UDP on port 53.
config rule
        option name 'Allow-DNS-mgmt'
        option src 'mgmt'
        option dest_port '53'
        option target 'ACCEPT'
# udp/67 is the DHCPv4 server port; this does not cover DHCPv6.
config rule
        option name 'Allow-DHCP-mgmt'
        list proto 'udp'
        option src 'mgmt'
        option dest_port '67'
        option target 'ACCEPT'
config forwarding
        option src 'mgmt'
        option dest 'wan'
config forwarding
        option src 'guest'
        option dest 'wan'
config rule
        option name 'Allow-DNS-guest'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'
# udp/67 is the DHCPv4 server port; this does not cover DHCPv6.
config rule
        option name 'Allow-DHCP-guest'
        list proto 'udp'
        option src 'guest'
        option dest_port '67'
        option target 'ACCEPT'
# No 'dest', so this is an input rule: everything from guest to the router
# that no earlier rule accepted is rejected. It repeats what the zone's
# input 'REJECT' already does, and it keeps rejecting even when the zone
# policy is switched to ACCEPT, because rules are checked before the policy.
# NOTE(review): an accept rule placed after this one would presumably never
# match; any guest exception has to sit above it. Verify the effective order.
config rule
        option name 'Deny-All-guest'
        list proto 'all'
        option src 'guest'
        option target 'REJECT'

Input Reject?

You don't allow input.

I changed it to ACCEPT and it didn't work, but in any case I will leave it in ACCEPT

# Accepts every ICMPv6 message from the guest zone addressed to the router
# (no 'dest', so input only; no icmp_type list and no rate limit).
# NOTE(review): this is the narrow fix for relay on a restricted zone. It lets
# the zone stay at input 'REJECT' instead of opening the router's other
# services to guests, provided it is ordered before any catch-all reject for
# src 'guest'. An icmp_type list and 'limit' like the stock wan
# 'Allow-ICMPv6-Input' rule would tighten it further. If DHCPv6 relay is used
# and not only RA/SLAAC, udp/547 from guest presumably needs its own rule.
config rule               
        option target 'ACCEPT'
        option family 'ipv6'
        option proto 'icmp'             
        option src 'guest'
        option name 'Allow-ICMPv6_guest'

I'm out of ideas without replicating your setup.

This rule didn't work

UPDATE1: The rule worked


What's the IPv6 subnet prefix delegated by the ISP? I'm no expert on this subject, but my ISP gives me /64 prefix, which isn't the standard. And you can only have a single LAN getting IPv6 with a /64.


The rule worked.

My ISP gives me /128 and /64

(That's the point of relay and ensuring the OP wasn't attempting to relay the subnet to 2 networks.)

Excellent!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.


I would do a few things to simplify, at least for testing.

  • Get rid of ULAs entirely.
  • ip6assign has no use in a relay situation as there is no delegated prefix from the ISP. Remove ip6assign configs from both lans.
  • in a relay situation, both lans will be in the same /64, which means that DHCPv6 needs to be configured with non-overlapping address pools. For simplicity disable DHCPv6 and use only RA/SLAAC. There should be some mechanism in place so that duplicate detection works. If not, the probability of a home network hitting a duplicate within a /64 is very low.
  • Place both lan and guest in the lan firewall zone to be sure they have the same rules (for testing)

Run tcpdump on the lans to watch for RA packets and confirm they are advertising correctly.

My mistake was having a rule in the "guest" zone that blocked all ports except for DHCP and DNS. I disabled the rule and changed it to ACCEPT, and it worked.
