IPv6 setup - DHCPv6 Issues - Help!

@trendy, Thanks a bunch.

The wan6 interface gets an IPv6 and I can ping ipv6 sites from the router. Not an issue there.

The IPv6 route seems to be correctly there also,

default from 2001:8f8:1349:cbd4::1 via fe80::f68c:ebff:fec7:7f01 dev eth1.2 proto static metric 512 pref medium

However, I don't get an IPv6 lease for my hosts on the LAN. Here is what I get on DHCP, just IPv4, an example below

I have followed this post and tried to add a custom IPv6 prefix under my WAN6 Interface,

As per the post, the WAN side is set to relay for all (RA / DHCP / NDP), the LAN side is set to server for (DHCP and RA), and NDP is hybrid.

I tried adding the custom prefix 2001:8f8:1349:cbd4::/56, under the LAN I set the assignment as 60, here is what it looks like now,

I set up a host on my LAN to get DHCP and here is what it looks like now, this time it does get a DHCPv6, but the gateway is wrong,

It should be,

Okay, but the point is to check that the router of the ISP delegates correctly a prefix to OpenWrt. And by the looks of it, it doesn't.

This is wrong in many ways. Has your provider assigned you a bigger than /56 prefix or will it conflict with what is assigned on the router of the ISP? Is it static?

The gateway is fine as it will use the link local address of the LAN port of OpenWrt as gateway.
The problem is that if the router of the ISP has not allocated that prefix with prefix delegation and created a static route for it via the OpenWrt it will not work.

Take some steps back, remove the custom prefix and verify that the router of the ISP is delegating prefix.

tcpdump -i eth1.2 -vn udp port 547 &
ifup wan6
# let it collect some packets
kill `pidof tcpdump`

If it doesn't, although it is configured to, according to the screenshots you posted earlier, you'll have to discuss it with your ISP.
There is the option for relay, but that requires different configuration (the third box here). So don't mix them for now.

Thanks @trendy

Still stuck! Is it possible to directly relay settings from the provider's router? From the provider's DHCP using SLAAC, I get a public IPv6 routable address on my LAN hosts. I can ping that IPv6 address from outside.

How can I do the same using OpenWrt in between? Or do I stop using OpenWrt as a DHCP? The issue is my LAN hosts on 10.16.0.0/12 use pxeboot to boot the OS. So if I give up the OpenWrt DHCP, I may lose the pxeboot too.

You could try the relay, but you have not run the tcpdump to verify that DHCP6 is indeed working, which is the best in my opinion.

@trendy, here we go,

13:30:15.332828 IP6 (flowlabel 0x4ae3c, hlim 1, next-header UDP (17) payload length: 118) fe80::5aef:68ff:fea8:bf7.546 > ff02::1:2.547: [bad udp cksum 0xcc9c -> 0x67ef!] dhcp6 solicit (xid=582793 (elapsed-time 0) (option-request SIP-servers-domain SIP-servers-address DNS-server DNS-search-list SNTP-servers NTP-server AFTR-Name opt_67 opt_82 opt_94 opt_95 opt_96 opt_82) (client-ID hwaddr type 1 58ef68a80bf7) (reconfigure-accept) (Client-FQDN) (IA_NA IAID:1 T1:0 T2:0) (IA_PD IAID:1 T1:0 T2:0))
13:30:16.953947 IP6 (flowlabel 0x4ae3c, hlim 1, next-header UDP (17) payload length: 102) fe80::5aef:68ff:fea8:bf7.546 > ff02::1:2.547: [bad udp cksum 0xcc8c -> 0x5ea2!] dhcp6 solicit (xid=8f30d9 (elapsed-time 0) (option-request SIP-servers-domain SIP-servers-address DNS-server DNS-search-list SNTP-servers NTP-server AFTR-Name opt_67 opt_82 opt_94 opt_95 opt_96 opt_82) (client-ID hwaddr type 1 58ef68a80bf7) (reconfigure-accept) (Client-FQDN) (IA_PD IAID:1 T1:0 T2:0))
13:30:18.700936 IP6 (flowlabel 0x4ae3c, hlim 1, next-header UDP (17) payload length: 96) fe80::5aef:68ff:fea8:bf7.546 > ff02::1:2.547: [bad udp cksum 0xcc86 -> 0x6038!] dhcp6 inf-req (xid=55c67d (elapsed-time 0) (option-request SIP-servers-domain SIP-servers-address DNS-server DNS-search-list SNTP-servers NTP-server AFTR-Name opt_83 opt_94 opt_95 opt_96 opt_83 lifetime) (client-ID hwaddr type 1 58ef68a80bf7) (server-ID hwaddr type 1 f48cebc77f01) (Client-FQDN))

I hope you left it run for some time cause I don't see any response from the DHCP6 server of the router of the ISP.
If you plug another device directly on the router does it acquire DHCP6 settings or only SLAAC? If no, then you should discuss it with your ISP's support first.

@trendy, here is a trace with some more time,

13:31:54.033934 IP6 (flowlabel 0x4ae3c, hlim 1, next-header UDP (17) payload length: 102) fe80::5aef:68ff:fea8:bf7.546 > ff02::1:2.547: [bad udp cksum 0xcc8c -> 0x4f0a!] dhcp6 solicit (xid=1f40e1 (elapsed-time 0) (option-request SIP-servers-domain SIP-servers-address DNS-server DNS-search-list SNTP-servers NTP-server AFTR-Name opt_67 opt_82 opt_94 opt_95 opt_96 opt_82) (client-ID hwaddr type 1 58ef68a80bf7) (reconfigure-accept) (Client-FQDN) (IA_PD IAID:1 T1:0 T2:0))
13:31:55.314970 IP6 (flowlabel 0x4ae3c, hlim 1, next-header UDP (17) payload length: 96) fe80::5aef:68ff:fea8:bf7.546 > ff02::1:2.547: [bad udp cksum 0xcc86 -> 0x928d!] dhcp6 inf-req (xid=89475 (elapsed-time 0) (option-request SIP-servers-domain SIP-servers-address DNS-server DNS-search-list SNTP-servers NTP-server AFTR-Name opt_83 opt_94 opt_95 opt_96 opt_83 lifetime) (client-ID hwaddr type 1 58ef68a80bf7) (server-ID hwaddr type 1 f48cebc77f01) (Client-FQDN))
13:35:29.531003 IP6 (hlim 1, next-header UDP (17) payload length: 105) fe80::5613:79ff:fe87:7538.546 > ff02::1:2.547: [udp sum ok] dhcp6 rebind (xid=c02e63 (elapsed-time 65535) (client-ID hwaddr type 1 541379877538) (IA_NA IAID:3 T1:21600 T2:34560 (IA_ADDR 2001:8f8:1349:cdd3:5aef:68ff:0:fc8 pltime:602638 vltime:861838)) (option-request status-code server-unicast DNS-server DNS-search-list Client-FQDN) (Client-FQDN))
13:45:29.482392 IP6 (hlim 1, next-header UDP (17) payload length: 105) fe80::5613:79ff:fe87:7538.546 > ff02::1:2.547: [udp sum ok] dhcp6 rebind (xid=c02e63 (elapsed-time 65535) (client-ID hwaddr type 1 541379877538) (IA_NA IAID:3 T1:21600 T2:34560 (IA_ADDR 2001:8f8:1349:cdd3:5aef:68ff:0:fc8 pltime:602638 vltime:861838)) (option-request status-code server-unicast DNS-server DNS-search-list Client-FQDN) (Client-FQDN))

Also, I would want you to see this; overall it is simple. I want to run DHCP with IPv4, IPv6 should relay to the hosts with SLAAC. To ensure SLAAC works, do I need to play with the settings in my WAN also, or just LAN? The reason I am asking about WAN is because in the forums I have seen people make SLAAC work by modifying WAN settings too.

What should it be for LAN and WAN?

  1. RA
  2. DHCP Server
  3. NDP-Proxy

Announce as default router? Below is my topology for ease,

Still the same, your OpenWrt is trying from its Link Local address port 546 to contact the multicast address port 547, but there is no response from the router of your ISP from port 547 to OpenWrt port 546.

SLAAC is working with default settings. You should be able to see on the hosts connected to LAN interface the ULA address fdeb:....
Also if you have configured a few hosts to get a specific IP address from DHCPv6, it should also work for the ULA address.
The problem here is that you don't have any prefix delegated from the router of the ISP with Global IPs, so the LAN hosts cannot be routed to the internet.

WAN should be ignored.
LAN should be:
Server
Stateless+Stateful
Disabled.

Better don't touch the WAN yet, unless your ISP tells you to do a relay.
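
The reading of the capture given above (client messages leave port 546 for ff02::1:2 port 547, and a working server answers from port 547), as an added shell example that is not part of the thread. The function names and both sample captures are constructed here; the second sample uses the documentation prefix 2001:db8::/32.

```shell
# Added example, not from the thread: summarise `tcpdump -vn udp port 547` text.
# Counts messages sent from the client port (546) and the server port (547),
# and whether a prefix (IA_PD) was requested and ever answered.
dhcp6_summary() {
    awk '
    / dhcp6 / {
        type = ""; src = ""
        for (i = 2; i < NF; i++) {
            if ($i == ">" && src == "") src = $(i - 1)    # "addr.port" before ">"
            if ($i == "dhcp6") { type = $(i + 1); break } # solicit, advertise, reply...
        }
        n = split(src, part, ".")                         # port is the last dot field
        if (part[n] == "546") client++
        if (part[n] == "547") server++
        if (type == "solicit" && /IA_PD/) pd_req++
        if ((type == "advertise" || type == "reply") && /IA_PD/) pd_ans++
    }
    END {
        printf "client=%d server=%d pd_requested=%d pd_answered=%d\n",
               client, server, pd_req, pd_ans
    }'
}

# Constructed sample, modelled on the capture in the thread: client traffic only.
sample_no_server() {
    cat <<'EOF'
13:30:15.332828 IP6 (hlim 1, next-header UDP (17) payload length: 118) fe80::5aef:68ff:fea8:bf7.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=582793 (IA_NA IAID:1 T1:0 T2:0) (IA_PD IAID:1 T1:0 T2:0))
13:30:16.953947 IP6 (hlim 1, next-header UDP (17) payload length: 102) fe80::5aef:68ff:fea8:bf7.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=8f30d9 (IA_PD IAID:1 T1:0 T2:0))
13:30:18.700936 IP6 (hlim 1, next-header UDP (17) payload length: 96) fe80::5aef:68ff:fea8:bf7.546 > ff02::1:2.547: [udp sum ok] dhcp6 inf-req (xid=55c67d (client-ID hwaddr type 1 58ef68a80bf7))
EOF
}

# Constructed sample: an upstream router that does delegate a prefix.
sample_delegating() {
    cat <<'EOF'
10:00:00.000001 IP6 (hlim 1, next-header UDP (17) payload length: 60) fe80::1.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=111111 (IA_PD IAID:1 T1:0 T2:0))
10:00:00.100001 IP6 (hlim 64, next-header UDP (17) payload length: 90) fe80::2.547 > fe80::1.546: [udp sum ok] dhcp6 advertise (xid=111111 (IA_PD IAID:1 T1:1800 T2:2880 (IA_PD-prefix 2001:db8:100::/56 pltime:3600 vltime:7200)))
EOF
}

sample_no_server  | dhcp6_summary
sample_delegating | dhcp6_summary
```

On the router, save the tcpdump output to a file and pipe that file into `dhcp6_summary`; `server=0` together with `pd_requested` above zero is the situation described in the post above.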

@trendy, Thank you so much as you have been the only one following up on this thread 🙂

I'll try those settings you suggested. However, what should be under WAN as default?

RA
DHCP
NDP

Nothing, it should be ignored.

OK, so I am setting everything there as Disabled under WAN

@trendy, So here is my update,

This configuration below seems to work for relay. I get the same dhcpv6 leases as if I would directly connect to my ISP's router,

The trick here is to set the wan6 interface as 'master'.

Now there are 2 issues that I need to sort out. I need outside (Internet) and inside (LAN) connectivity to these IPv6 addresses (just like I have it when I connect a LAN host directly to my ISP's router).

  1. By setting the WAN6 as master, it relays the IPv6 DNS servers to the hosts on my LAN. So if I try to ping google.com, it doesn't pick up the IPv4 DNS. I can ping 8.8.8.8 from hosts.

  2. If I directly connect to my provider's router, I get a public IPv6 address. It is pingable from the Internet. If I connect my LAN hosts via OpenWrt, it does get a public IPv6 address relayed correctly but the IPv6 addresses are not pingable from inside (LAN) or even outside (Internet). Here is the IP config of my LAN host now,

    link/ether 1c:1b:0d:23:08:e9 brd ff:ff:ff:ff:ff:ff
    inet 10.16.0.157/12 brd 10.31.255.255 scope global noprefixroute enp1s0
       valid_lft forever preferred_lft forever
    inet6 2001:8f8:1349:cf08:e815:c0da:2a3:d6c5/64 scope global temporary dynamic
       valid_lft 603253sec preferred_lft 84458sec
    inet6 2001:8f8:1349:cf08:6035:9320:d8fc:8b37/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 863913sec preferred_lft 604713sec
    inet6 fe80::c537:d4c:a678:935c/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

Do I need to add to static routes somewhere? How can I fix the routing? I was assuming that the RA relay should have addressed this.

My OpenWRT configuration here,

config dhcp 'wan'
        option ignore '1'

config dhcp 'wan6'
        option dhcpv6 'relay'
        option ra 'relay'
        option ndp 'relay'
        option master '1'

config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'relay'
        option ra 'relay'
        option ndp 'relay'

From the OpenWRT router connected to my ISP's router, here is what my ip -4 r and ip -6 r looks like,

router:~# ip -6 r
default from 2001:8f8:1349:cf08::/64 via fe80::f68c:ebff:fec7:7f01 dev eth1.2 proto static metric 512 pref medium
2001:8f8:1349:cf08::/64 dev eth1.2 proto static metric 256 pref medium
2001:8f8:1349:cf08::/64 via fe80::f68c:ebff:fec7:7f01 dev eth1.2 proto static metric 384 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev eth1.2 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wlan1 proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium

Here, fe80::f68c:ebff:fec7:7f01 is the local link address of my ISP's router. I can ping and ping6 google.com too with no issues.

Here is what I get on my LAN host connected to OpenWRT

root@lan_host:~# ip -6 r
2001:8f8:1349:cf08::/64 via fe80::58ef:68ff:fea8:bf7 dev enp1s0 proto ra metric 100 pref high
2001:8f8:1349:cf08::/64 dev enp1s0 proto kernel metric 100 pref medium
fe80::/64 dev enp1s0 proto kernel metric 100 pref medium
fe80::/64 dev enp1s0 proto kernel metric 256 pref medium
default via fe80::58ef:68ff:fea8:bf7 dev enp1s0 proto ra metric 100 pref medium

root@lan_host:~# ip -4 r
default via 10.16.0.1 dev enp1s0 proto static metric 100
10.16.0.0/12 dev enp1s0 proto kernel scope link src 10.16.0.157 metric 100
169.254.0.0/16 dev enp1s0 scope link metric 1000

Here, fe80::58ef:68ff:fea8:bf7 is the local link of my OpenWRT.

You need to allow traffic in firewall from wan zone to lan zone. By default it is blocking almost everything, so allow only the protocols/ports that your servers need.

You need to specify on ping to use IPv4, usually with -4 as argument.
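
A check for the advice above to allow only what the servers need, as an added shell example that is not part of the thread: it reads `uci export firewall` style text and lists what is accepted from one zone. The function names, the zone name `wan` and both sample configs (including the rule `Allow-HTTPS-Server`) are assumptions constructed for this example.

```shell
# Added example, not from the thread: read `uci export firewall` text on stdin
# and list what is accepted from one zone. $1 = zone name (assumed: wan).
zone_exposure() {
    awk -v zone="${1:-wan}" -v q="'" '
    function report() {
        if (kind == "zone" && opt["name"] == zone) {
            if (opt["input"] == "ACCEPT")   print "zone " zone ": input ACCEPT"
            if (opt["forward"] == "ACCEPT") print "zone " zone ": forward ACCEPT"
        }
        if (kind == "forwarding" && opt["src"] == zone)
            print "forwarding " zone " -> " opt["dest"] ": every protocol and port"
        if (kind == "rule" && opt["src"] == zone && opt["dest"] != "" && opt["target"] == "ACCEPT")
            print "rule " opt["name"] ": " zone " -> " opt["dest"] " proto " opt["proto"] " port " opt["dest_port"]
        split("", opt); kind = ""           # reset for the next section
    }
    $1 == "config" { report(); kind = $2; next }
    $1 == "option" {
        val = $0
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", val)
        gsub(q, "", val)                    # uci quotes values with single quotes
        opt[$2] = val
    }
    END { report() }'
}

# Constructed sample: zone and forwarding that accept everything from wan.
sample_permissive() {
    cat <<'EOF'
config zone
    option name 'wan'
    option input 'ACCEPT'
    option forward 'ACCEPT'
config forwarding
    option dest 'lan'
    option src 'wan'
EOF
}

# Constructed sample: default-reject zone plus one rule for one service.
sample_restricted() {
    cat <<'EOF'
config zone
    option name 'wan'
    option input 'REJECT'
    option forward 'REJECT'
config rule
    option name 'Allow-HTTPS-Server'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp'
    option dest_port '443'
    option target 'ACCEPT'
EOF
}

sample_permissive | zone_exposure wan
sample_restricted | zone_exposure wan
```

With relayed addresses the LAN hosts hold global IPv6 addresses, so every line this prints is traffic that can reach them or the router from the upstream side.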

@trendy, Thanks

Rules are already permissive as I can ping IPv4 perfectly back and forth.
Wan zone has both interfaces covered = wan + wan6

One question: when relaying, we don't need to assign any prefixes? Global ULA? Or ipv6assign anywhere?

Better post the config files rather than screenshots:
uci export network; uci export dhcp; uci export firewall; ifstatus wan6; ifstatus lan

If you are relaying all solicitations are forwarded to the upstream router and OpenWrt is not supposed to assign anything.

@trendy, no problem! I will share the output in a bit.

Quick question, can I temporarily disable the firewall completely on OpenWrt to ensure nothing is blocked between my ISP router and LAN hosts?

Best Regards,

If you disable firewall you'll break IPv4.
The way you have it I don't see any reason to block anything. If you insist however, assign the wan and wan6 interfaces in lan firewall zone.

@trendy, so yes, I won't be touching the firewall. Here are the configs you requested above,

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '10.16.0.1'
	option netmask '255.240.0.0'
	option metric '1'
	option ipv6 'on'
	option gateway '192.168.0.1'
	option force_link '0'
	option dns '192.168.0.1'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'static'
	option ipaddr '192.168.0.2'
	option netmask '255.255.255.0'
	option gateway '192.168.0.1'
	option dns '192.168.0.1'
	option ipv6 'on'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option defaultroute '1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'
	option vid '2'

config interface 'vpn0'
	option ifname 'tun0'
	option proto 'none'

/etc/config/dhcp

config dnsmasq
	option localise_queries '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option enable_tftp '1'
	option dhcp_boot 'pxelinux.0'
	option tftp_root '/opt/storage'
	option readethers '1'
	option rebind_protection '0'
	option localservice '0'
	option boguspriv '0'

config dhcp 'wan'
	option ignore '1'

config dhcp 'wan6'
	option dhcpv6 'relay'
	option ra 'relay'
	option ndp 'relay'
	option master '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'relay'
	option ra 'relay'
	option ndp 'relay'

/etc/config/firewall


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'
	option masq '1'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option network 'wan wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config forwarding
	option dest 'lan'
	option src 'wan'

config forwarding
	option dest 'wan'
	option src 'lan'

config rule 'Allow_OpenVPN_Inbound'
	option target 'ACCEPT'
	option src '*'
	option proto 'udp'
	option dest_port '443'

config zone 'vpn'
	option name 'vpn'
	option network 'vpn0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option forward 'ACCEPT'

config forwarding 'vpn_forwarding_lan_in'
	option src 'vpn'
	option dest 'lan'

config forwarding 'vpn_forwarding_lan_out'
	option src 'lan'
	option dest 'vpn'

config forwarding 'vpn_forwarding_wan'
	option src 'vpn'
	option dest 'wan'

ifstatus lan

{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 1016,
	"l3_device": "br-lan",
	"proto": "static",
	"device": "br-lan",
	"updated": [
		"addresses",
		"routes"
	],
	"metric": 1,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		{
			"address": "10.16.0.1",
			"mask": 12
		}
	],
	"ipv6-address": [
		
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "0.0.0.0",
			"mask": 0,
			"nexthop": "192.168.0.1",
			"source": "0.0.0.0/0"
		}
	],
	"dns-server": [
		"192.168.0.1"
	],
	"dns-search": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		]
	},
	"data": {
		
	}
}

ifstatus wan6

{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 1037,
	"l3_device": "eth1.2",
	"proto": "dhcpv6",
	"device": "eth1.2",
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		
	],
	"ipv6-address": [
		{
			"address": "2001:8f8:1349:cfcb::2",
			"mask": 128,
			"preferred": 603763,
			"valid": 862963
		}
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "2001:8f8:1349:cfcb::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"valid": 863996,
			"source": "::/0"
		},
		{
			"target": "2001:8f8:1349:cfcb::",
			"mask": 64,
			"nexthop": "fe80::f68c:ebff:fec7:7f01",
			"metric": 384,
			"valid": 863996,
			"source": "::/0"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::f68c:ebff:fec7:7f01",
			"metric": 512,
			"valid": 3596,
			"source": "2001:8f8:1349:cfcb::2/128"
		}
	],
	"dns-server": [
		
	],
	"dns-search": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		]
	},
	"data": {
		"passthru": "00180000"
	}
}

Alright, the OpenWrt looks good, it also got the IPv6 from DHCP (the ::2 address).
Can you show me on a LAN host the following:
ip addr; ip -4 ro; ip -6 ro; ip -6 ru