IPV6 setup behind TMOBILE Home Internet router

I was able to Ping and Traceroute both (ipv4 and ipv6) successfully from the openwrt network diagnostic tool

Correct, it is set with master '1'

Everything works in the diagnostic, for ipv4 and ipv6

I don't have the config odhcp information, please could you share

Well, the openwrt router is not using its wireless radios, I have an Asus router downstream in AP mode managing wireless access for the clients, could this be the problem? The MT6000 can't reach my outside cameras, the Asus can, that's the reason for the setup

Update: I checked with a cable connected directly to the router, same result as with wireless and the AP

What is the line list network 'lan6'? Should it be wan6? I don't have it in my firewall file

In the IPv6 upstream section in LuCI Overview, I have the following (even before configuring IPv6 in the dhcp, network and firewall files, this information was already here):

Protocol: DHCPv6 client
Address: 2607:......../128
Address: 2607:......./64 (last 4 same as the MAC, as you mentioned)
Gateway: fe80:......
DNS 1: fe80:.........
Connected: 0h 22m 40s

Device: Ethernet Adapter: "eth1"
MAC address: ......... (last 4 same as the second IPv6 address)

Lan6 for the firewall entry is correct. Without it, your firewall may be blocking ipv6 going to your devices.

Using Luci go to Network - Interfaces - Wan6 - DHCP - Firewall and select Lan and Lan6 together. That should turn on the ipv6 firewall and you can check the setting with the CLI interface to see if the entry stuck.

I'm not at my computer and so I will update this note tonight if I've given incorrect instructions.

Catching up on older questions: The odhcp settings are pure default settings. No changes needed for ipv6.

It is good that ipv6 ping works from the network diagnostics tab. This means that you should be able to use ipv6 on your LAN. Check that you have enabled the Lan6 firewall, then I recommend that you disconnect all other devices from your openwrt router and connect a laptop using a wired interface. Check to see if the laptop has been issued an external ipv6 address (e.g. ifconfig or ipconfig) and then try to ping -6 ipv6.google.com. If that works, then try test-ipv6.com.

Please report the results of these tests.

Do not try to connect to the openwrt router through an AP. The AP requires a little bit of additional setup and you are not ready for that yet. First, try to make an isolated laptop work with ipv6.

This is what I have lan, wan and wan6, but no lan6

In total I only have 3 interfaces, no Lan6

I am using my laptop connected directly to the openwrt router

Sorry, look at the LAN interface firewall setting and try to add Lan6.

Same, I don't have Lan6, I only have Lan, Wan, Wan6, do I have to create Lan6? I have not seen anything about Lan6 before, maybe I am missing something, thank you for all the help, it is very much appreciated :slight_smile:

I think we are close, at some point my laptop worked and passed test-ipv6.com, I don't know why and how, I didn't do anything special, then randomly stopped working, this was connected wireless via the AP, then it stopped, I checked with other devices none worked, wireless and wired

Ok, skip the lan6 business. That may be part of the setup for making an AP work. I will check when I am back at my computer, tonight.

Do you have an ipv6 address on the laptop? Do ping www.google.com and ping -6 ipv6.google.com both work from the laptop?

[Update: the lan6 business is part of setting up an AP. My mistake. Ignore this instruction for the base station.]

Each device in the network, connected wirelessly via the AP or directly via Ethernet cable, gets the following IPv6 addresses:

2607:fb90:.....
2607:fb90:....
fd15:4b0c:....

Only the regular ping works; IPv6 ping doesn't. The laptop no longer works with IPv6, it was only for a short period of time.

To me this seems to be a firewall problem, because all devices are getting the correct IPv6 addresses. It seems the FW doesn't allow them to go out as an IPv6 entity. I am not an expert but this is my intuition.

Firewall rules and setup is the standard/default OpenWrt from new installation:

I admire your determination to keep trying. I will build up a new installation from scratch and test it on a couple of different routers and I will post the complete /etc/config/dhcp and /etc/config/network files to this forum once I have a completely clean set of config files. Please give me five ...

You are the best, thanks a lot

I am still trying to find the bare bones simplest configuration that works. Still working on it ...

P.S. Don't forget to reboot the TMobile router and the OpenWRT devices after making significant changes to the ipv6 setup on your LAN. I've noticed that the TMobile device doesn't always behave nicely to OpenWRT configuration changes, so reboot everything including the TMobile device and let them go through their full setup procedure.

Agree, a simple, clear, repeatable and straightforward configuration will be great.

Yes, I always reboot all devices, thank you

Here are the settings required to run IPV6 on an OpenWrt router and an AP when they sit behind a TMobile Home Internet box (e.g. Arcadyan KVD21). This is basically IPV6 "Relay" mode on the router and an AP but includes a Lan6 interface on the AP to handle the IPV6 communications. The settings for both the router and AP are shown side by side, below. The settings for the router are the same if you choose to run without an AP. The starting point for these configurations is the OpenWrt 23.05.4 default settings with the minimum adjustments required to make IPV6 work in the TMobile environment. You can add VLANS, guest networks, MWAN3, etc., but these things are not shown here.

Network Configuration:

Router: /etc/config/network                 Access Point: /etc/config/network
config interface 'loopback'                 config interface 'loopback'
    option device 'lo'                          option device 'lo'
    option proto 'static'                       option proto 'static'
    option ipaddr '127.0.0.1'                   option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'                  option netmask '255.0.0.0'

config globals 'globals'                    config globals 'globals'
    option ula_prefix 'fdXX::/48'               option ula_prefix 'fdYY::/48'

config device                               config device
    option name 'br-lan'                        option name 'br-lan'
    option type 'bridge'                        option type 'bridge'
    list ports 'ethXX'                          list ports 'ethYY'
    list ports 'ethXX'                          list ports 'ethYY'
    list ports 'ethXX'                          list ports 'ethYY'
    list ports 'ethXX'                          list ports 'ethYY'

config interface 'lan'                      config interface 'lan'
    option device 'br-lan'                      option device 'br-lan'
    option proto 'static'                       option proto 'static'
    option ipaddr '192.168.1.1'                 option ipaddr '192.168.1.NN'
    option netmask '255.255.255.0'              option netmask '255.255.255.0'
    option ip6assign '60'                       option ip6assign '60'
                                                option gateway '192.168.1.1'
                                                list dns '192.168.1.1'

                                            config interface 'lan6'
                                                option device '@lan'
                                                option proto 'dhcpv6'
                                                option reqaddress 'try'
                                                option reqprefix 'auto'

config interface 'wan'                      config interface 'wan'
    option device 'ethXX'                       option device 'ethYY'
    option proto 'dhcp'                         option proto 'dhcp'
                                                option auto '0'

config interface 'wan6'                     config interface 'wan6'
    option device 'ethXX'                       option device 'ethYY'
    option proto 'dhcpv6'                       option proto 'dhcpv6'
    option reqaddress 'try'                     option reqaddress 'try'
    option reqprefix 'auto'                     option reqprefix 'auto'
                                                option auto '0'

DHCP Configuration

Router: /etc/config/dhcp                    Access Point: /etc/config/dhcp
config dnsmasq                              config dnsmasq
    option domainneeded '1'                     (same as at left)
    option boguspriv '1'
    option filterwin2k '0'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option nonegcache '0'
    option cachesize '1000'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
    option nonwildcard '1'
    option localservice '1'
    option ednspacket_max '1232'
    option filter_aaaa '0'
    option filter_a '0'

config odhcpd 'odhcpd'                      config odhcpd 'odhcpd'
    option maindhcp '0'                         (same as at left)
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'
    option loglevel '4'

config dhcp 'wan'                           config dhcp 'wan'
    option interface 'wan'                      (same as at left)
    option ignore '1'

config dhcp 'lan'                           config dhcp 'lan'
    option interface 'lan'                      option interface 'lan'
    option start '100'                          option start '100'
    option limit '150'                          option limit '150'
    option leasetime '12h'                      option leasetime '12h'
    option dhcpv4 'server'                      option dhcpv4 'server'
    option dhcpv6 'relay'                       option dhcpv6 'relay'
    option ra 'relay'                           option ra 'relay'
    option ndp 'relay'                          option ndp 'relay'
    option ignore '0'                           option ignore '1'

config dhcp 'wan6'                          config dhcp 'lan6'
    option interface 'wan6'                     option interface 'lan6'
    option dhcpv6 'relay'                       option dhcpv6 'relay'
    option ra 'relay'                           option ra 'relay'
    option ndp 'relay'                          option ndp 'relay'
    option ignore '0'                           option ignore '1'
    option master '1'                           option master '0'

All firewall configurations are the same except the following change to include lan6 in the lan firewall zone on the AP.

Router: /etc/config/firewall                Access Point: /etc/config/firewall

config zone                                 config zone
    option name 'lan'                           option name 'lan'
    option input 'ACCEPT'                       option input 'ACCEPT'
    option output 'ACCEPT'                      option output 'ACCEPT'
    option forward 'ACCEPT'                     option forward 'ACCEPT'
    list network 'lan'                          list network 'lan'
                                                list network 'lan6'

As mentioned previously in this thread, these settings will allow IPV6 to work for most laptops, phones, and iot devices. However, a few older Apple and Android devices ( < 2017 (ish) ) will not be happy with these settings when put behind a TMobile Home Internet box. There are two solutions to this problem. 1.) Put the old devices on an ipv4-only Guest network, or 2.) change the settings on the AP to enable RA messages and SLAAC. Solution 2 does not work if you make the change on the router; this trick only works if you have a router and an AP and you make the change on the AP. In fact, if you have multiple APs in your network then only make the change to enable SLAAC on one AP and leave all the others in 'Relay' mode.

Router: /etc/config/dhcp                    Access Point: /etc/config/dhcp

config dhcp 'lan'                           config dhcp 'lan'
    option interface 'lan'                      option interface 'lan'
    option start '100'                          option start '100'
    option limit '150'                          option limit '150'
    option leasetime '12h'                      option leasetime '12h'
    option dhcpv4 'server'                      option dhcpv4 'server'
    option dhcpv6 'relay'                       option dhcpv6 'relay'
    option ra 'relay'                           option ra 'hybrid'
    option ndp 'relay'                          option ndp 'relay'
    option ignore '0'                           option ignore '1'
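
One way to check the router-side relay settings from the post above before rebooting everything, as an added example that is not part of the original post. The function names `check_relay`, `good_cfg` and `bad_cfg` are hypothetical, both sample configs are constructed, and the check covers only the router column (not the AP's `hybrid` variant).

```shell
# Added example (not from the thread). check_relay reads a UCI dhcp config on
# stdin, prints one line per problem, and returns 0 only if relay mode is sane.
check_relay() {
    awk -v q="'" '
    function unq(s) { gsub("[" q "\"]", "", s); return s }
    $1 == "config" { sec = ($2 == "dhcp") ? unq($3) : ""; next }
    $1 == "option" && sec != "" { opt[sec, $2] = unq($3); seen[sec] = 1 }
    END {
        n = split("dhcpv6 ra ndp", key, " "); masters = 0; bad = 0
        for (s in seen) if (opt[s, "master"] == "1") { masters++; m = s }
        if (masters != 1) { print "need exactly one master section, found " masters; bad = 1 }
        # lan and the upstream (master) section must relay all three services.
        want["lan"] = 1; if (masters == 1) want[m] = 1
        for (s in want) for (i = 1; i <= n; i++) if (opt[s, key[i]] != "relay") {
            print s ": option " key[i] " is \"" opt[s, key[i]] "\", expected relay"; bad = 1
        }
        if (opt["lan", "master"] == "1") { print "lan must not be the master"; bad = 1 }
        exit bad
    }'
}

# Constructed sample: the relay-relevant options from the router column above.
good_cfg() { cat <<'EOF'
config dhcp 'lan'
    option dhcpv6 'relay'
    option ra 'relay'
    option ndp 'relay'
config dhcp 'wan6'
    option dhcpv6 'relay'
    option ra 'relay'
    option ndp 'relay'
    option master '1'
EOF
}

# Constructed sample: lan still in server mode, wan6 without the master flag.
bad_cfg() { cat <<'EOF'
config dhcp 'lan'
    option dhcpv6 'server'
    option ra 'server'
config dhcp 'wan6'
    option dhcpv6 'relay'
    option ra 'relay'
    option ndp 'relay'
EOF
}

good_cfg | check_relay && echo "good_cfg: relay settings consistent"
bad_cfg | check_relay || echo "bad_cfg: problems listed above"
```

On the router itself the same check runs as `check_relay < /etc/config/dhcp`.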

Thank you very much, I will definitely test it this weekend

Mixed results:

Windows, Linux (Debian), Android all work right away without any issues.
Apple devices give very random and unreliable results with test-ipv6.com

  • Some Apple devices worked right away, after a reboot they will stop working
  • If I enable iCloud Private Relay IPv6 will work only from Safari, other browsers will fail
  • iPhone started working right away, reboot and stopped working, same with MacBook and iPad

Bottom line, there is something going on with the Apple devices, sometimes randomly they will work, then suddenly, after a reboot they will stop working.

All devices (Apple, Windows, Linux, Android) get 3 IPs (2607, 2607, fd15) and only non-Apple devices work.

One MacBook started working right away, with Private Relay off, but it was because it had acquired a 4th IP fdda, but then after a reboot it never got it again and never passed the test again.

Honestly, I am more confused than before, the majority of my devices are Apple, therefore I might have to turn off IPv6.

Any thoughts on what might be going on with the Apple devices? Thank you

Life never gets dull :slightly_smiling_face:

The apple devices in my house work fine, but I only have iPads. No MacBooks. My most troublesome device is an old Android display.

You didn't say whether you are in pure Relay mode or if you have an AP with option relay set to hybrid. I presume you have tried both. Since I don't have this particular problem, I can only propose that you try the following:

Using LUCI on your dumb AP, go to Network => Interfaces => Lan (edit) => DHCP Server tab => IPV6 Setting Tab => RA Service menu to hybrid => IPv6 Setting Tab

On this tab, make sure that Enable SLAAC is checked, then for RA Flags try other config, managed config, (one or both) and finally try no flags.

Neighbor discovery on IPv6 can sometimes take a long time. Put your router and AP in a configuration that you like and go have a cup of coffee. Maybe two. While you are drinking that cup of coffee, use the Network diagnostics tool in LUCI to make sure that IPv6 ping and route are working correctly. If everything works then test the system again (after a nap) to see if your troublesome devices have magically come to life.

If all else fails, you might consider putting your troublesome devices on an IPv4-only guest network.

My AP is not OpenWrt, it’s an Asus. When in AP mode there is nothing to configure, it just passes the information through between the clients and the OpenWrt router (MT6000).

Some Apple devices after some time start working magically. I wasn’t aware of the neighbor discovery concept in IPv6, maybe that’s what's happening, please could you explain a little bit.

Again thanks a lot for all the help

The other weird thing is that the MT6000 only shows IPv4 DHCP active leases, no IPv6 DHCP active leases. Is it supposed to be like that?

There shouldn't be any IPv6 DHCP leases listed on your router or AP. You aren't using DHCPv6. Instead, each device is using an address that is composed of the TMobile prefix and a suffix that is based on the MAC address of your device. One and only one public address per device.

An obvious experiment would be to unplug your ASUS device and then see if your Apple devices work with the OpenWrt Router alone. It is possible that the ASUS device is trying to manage the IPv6 addresses on your LAN and interfering with the actions of the TMobile + OpenWrt devices.

IPv6 allows devices to know about their neighbors and to find their addresses. You can explore and watch IPv6 work with a few of the following commands:

Linux                             Windows
ifconfig                          ipconfig
ip -6 addr show                   ipconfig /all
ip -6 route show                  route print -6
ip -6 neigh show                  netsh interface ipv6 show neighbors
ip link show                      netsh interface ipv6 show subinterface
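
The address layout described in the reply above (ISP prefix plus a MAC-based suffix) corresponds to the modified EUI-64 scheme of RFC 4291, Appendix A. The following added example, which is not part of the original thread, derives that suffix from a MAC and labels which global addresses in `ip -6 addr show` output carry it. The function names, the MAC and the `2001:db8`/`fd00` prefixes are constructed, and it assumes the client uses EUI-64; clients that use temporary or randomized identifiers show up as `other`.

```shell
# Added example (not from the thread). eui64_iid MAC prints the modified
# EUI-64 interface identifier (RFC 4291, Appendix A) in the compact hextet
# form that `ip -6 addr show` uses. Runs in a subshell so IFS stays untouched.
eui64_iid() (
    set -f; IFS=':-'
    set -- $1
    [ $# -eq 6 ] || exit 1
    # Flip the universal/local bit of octet 1 and insert ff:fe in the middle.
    printf '%x:%x:%x:%x\n' \
        $(( ((0x$1 ^ 0x02) << 8) | 0x$2 )) $(( (0x$3 << 8) | 0xff )) \
        $(( 0xfe00 | 0x$4 )) $(( (0x$5 << 8) | 0x$6 ))
)

# classify_addrs MAC: read `ip -6 addr show` text on stdin and label each
# global-scope address by whether its last 64 bits are derived from MAC.
# Limitation: an address that "::"-compresses into the identifier is not matched.
classify_addrs() {
    iid=$(eui64_iid "$1") || return 1
    awk -v iid="$iid" '
    $1 == "inet6" && /scope global/ {
        split($2, a, "/")
        tail = substr(a[1], length(a[1]) - length(iid))   # ":" + last 4 hextets
        print a[1], (tail == ":" iid ? "mac-derived" : "other")
    }'
}

# Constructed sample output; 2001:db8::/32 stands in for the ISP prefix.
sample_ip_output() { cat <<'EOF'
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:aaaa:bbbb:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr
    inet6 2001:db8:aaaa:bbbb:9c4e:1f02:77ab:3d10/64 scope global temporary dynamic
    inet6 fd00:1234:5678:0:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr
    inet6 fe80::211:22ff:fe33:4455/64 scope link
EOF
}

sample_ip_output | classify_addrs 00:11:22:33:44:55
```

On a Linux client, `ip -6 addr show dev eth0 | classify_addrs "$(cat /sys/class/net/eth0/address)"` runs the same check against live data, with `eth0` replaced by the actual interface name.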