Thank GOD for point 3.
Still, if my LAN device (e.g. my PC) is assigned a public IPv6 address, how does OpenWRT prevent access to it from the Internet? Firewall?
Also, what assigns that public address to my local device/my PC? The ISP or OpenWRT?
Assuming you're using OpenWRT as your router then it should do it. In most cases (and assuming your ISP has given you a properly sized allocation, i.e. bigger than a /64) then most devices will configure through SLAAC, but you could use DHCPv6 instead if you wanted (although not on Android devices, which can only use SLAAC).
Firewall - then I assume there is one general rule to DROP any incoming (INPUT) packet to addresses in the LAN.
If this is true, how does the FW differentiate the PUBLIC WAN address from PUBLIC LAN addresses?
SLAAC - if I get it right, it offers FE80 Link-Local addresses. However, my question is: what assigns the PUBLIC address to my local device?
Could it be then by DHCP-relay running on OpenWRT?
The firewall operates on interfaces. It knows which interface is connected to the internet and which are connected to LAN devices (these are the zones you see if you look at the firewall setup). It doesn't matter that devices in the LAN may have public IPv6 addresses, the firewall will still (by default) block any traffic that has arrived at a WAN interface unless it's related to a request made by a LAN device or there is a port forward/traffic rule in place.
SLAAC can work with GUA addresses as well. Ideally your ISP will advertise a /60 or bigger prefix to your router. Your router can then use that prefix to advertise a /64 block of addresses to LAN devices which will use SLAAC to assign an address. But each ISP works differently so it's difficult to be specific without knowing what your ISP does.
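A small model of the interface/zone-based filtering described in the replies above, as an added example that is not part of any post in the thread and not OpenWrt's own firewall code. The interface names, ports and the remote address are assumptions; the model covers only the default lan/wan forwarding behaviour plus reply traffic, and omits port forwards and traffic rules.

```python
from ipaddress import ip_address

# Assumed interface-to-zone mapping (hypothetical interface names).
ZONE_OF = {"br-lan": "lan", "eth1": "wan"}
# New flows may be forwarded lan -> wan only; wan -> lan is not listed.
FORWARD_ALLOWED = {("lan", "wan")}


class Firewall:
    """Toy stateful forwarder: the verdict depends on zones and flow state."""

    def __init__(self):
        self.conntrack = set()  # flows opened by a packet that was allowed

    def forward(self, in_if, out_if, src, dst, sport, dport, proto="tcp"):
        flow = (proto, ip_address(src), sport, ip_address(dst), dport)
        reply_of = (proto, ip_address(dst), dport, ip_address(src), sport)
        # 1. A packet of a tracked flow, or the reply to one, passes.
        if flow in self.conntrack or reply_of in self.conntrack:
            return "ACCEPT"
        # 2. A new flow is judged by ingress/egress zone, never by whether
        #    the destination address is "public" or "private".
        if (ZONE_OF[in_if], ZONE_OF[out_if]) in FORWARD_ALLOWED:
            self.conntrack.add(flow)
            return "ACCEPT"
        return "DROP"


def demo():
    fw = Firewall()
    pc = "2001:abcd::7"        # LAN host GUA from the thread's example
    remote = "2001:db8::50"    # constructed Internet host
    return [
        # Unsolicited connection from the Internet to the PC's public address
        fw.forward("eth1", "br-lan", remote, pc, 40000, 22),
        # The PC opens an outbound connection
        fw.forward("br-lan", "eth1", pc, remote, 51000, 443),
        # Reply to that connection arrives on the WAN interface
        fw.forward("eth1", "br-lan", remote, pc, 443, 51000),
        # Same remote host, but a port pair the PC never opened
        fw.forward("eth1", "br-lan", remote, pc, 443, 51001),
    ]


if __name__ == "__main__":
    print(demo())
```

The destination is the same global address in every inbound case; only the ingress zone and the tracked flow state change the verdict.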
My ISP is giving a /64 and no RA (DHCPv6), so what I can do is let the OpenWrt WAN6 interface relay ND to the LAN side and then enable SLAAC on my LAN side so clients keep getting a public v6 address with the same prefix.
Hi,
Thank you all very much for replies.
After some more reading and googling, this is all getting clear now.
Let me go through the SLAAC process using @fakemanhk's example to see if I'm getting it right.
1. The ISP assigns the router a public IPv6 address with 64-bit host space - /64.
   e.g.
   WAN host prefix = 2001:abcd::1/64 (Global Unicast address / Public IP)
   Network prefix = 2001:abcd::/64 (Subnet)
2. Because the ISP blocks/disallows RA (I guess this might be a common scenario), the router's WAN6 interface is set to relay ND to the LAN.
3. Host(s) on the LAN use SLAAC, which is part of the IPv6 protocol installed on the OS (Win/Linux/other).
4. SLAAC (on LAN host): uses the Neighbor Discovery protocol (ND) to obtain a Global Unicast IPv6 address from the router. In other words, SLAAC will try to get a (Public) IP for the LAN host.

In detail:

5. SLAAC (on LAN host) sends an RS multicast message (ICMPv6) to the router asking for the IPv6 global unicast prefix.
6. The router responds with an RA message, advertising its WAN IPv6 prefix (Public IP) and network prefix length (Subnet).
7. SLAAC (on LAN host), based on the RA message (point 6), assigns a Global Unicast address / Public IP.
   E.g. 2001:abcd::7/64 (and GW and DNS).

Additionally:
Local-link address (created in the initial phase of SLAAC) is kept for internal communication (within the LAN) in case the internet connection is down.
This looks strange, your prefix has only the first 32 bits non-zero, followed by 32 bits of zeros?
My home network is: 2400:aaaa:bbbb:cccc::/64 something like this.
Yes, this is what I am doing, and on the LAN side I also enabled the NDP relay mode and am running RA in server mode, also set RA Flags to NONE.