IPv6 trouble with DHCPv6 Prefix Delegation

proft · December 25, 2020, 8:52pm

LinkSys WRT32X with latest OpenWrt 19.07.5 r11257, Spectrum cable Internet. Had IPv6 working great with DD-WRT on this device using DHCPv6 w/Prefix Delegation, prefix length /64, Radvd enabled.

I followed various advice given in https://openwrt.org/docs/guide-user/network/ipv6/start and other pages including adding new ip6tables rules for DHCPv6 UDP port 546/547, but I can't get the br-wan6 interface to go live and acquire an IPv6 IP. I've tried about every combination.

Is there any way to get some live debug output to see what might be going on? I've tried this but get no output: odhcp6c -v br-wan6 -P 0 -N force

There is also no 'tcpdump' on this build so I can't inspect the raw network traffic.
[Edit: Thanks for the tip on adding 'tcpdump'; I've added capture output below]

Any ideas?

Thanks much!

trendy · December 25, 2020, 9:01pm

Is there a valid reason to bridge the wan interface? This is usually a user error.

opkg update; opkg install tcpdump

proft · December 25, 2020, 9:08pm

The WAN (br-wan) and WAN6 (br-wan6) interfaces are set up out of the box by default, primarily to allow DHCP and DHCPv6, respectively.

Here are config snippets that may be helpful:

/etc/config/network:

config globals 'globals'
        option ula_prefix 'fdce:9dc1:1ccc::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '10.10.0.1'
        option ip6assign '64'
        option delegate '0'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'
        list dns '208.67.222.123'
        list dns '208.67.220.123'
        option peerdns '0'
        option type 'bridge'

config interface 'wan6'
        option ifname 'eth1.2'
        option type 'bridge'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix '64'

/etc/config/firewall:

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow DHCPv6 (546-to-547)'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '547'
        option family 'ipv6'
        option src_port '546'

config rule
        option name 'Allow DHCPv6 (547-to-546)'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option src_port '547'

/etc/config/dhcp:

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option limit '50'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

proft · December 25, 2020, 9:16pm

Thanks for the tip on adding 'tcpdump'. Here is what I see on the WAN interface that relates to ICMPv6/DHCPv6:

# tcpdump -i eth1.2 -n -vv '(udp port 546 or 547) or icmp6'
tcpdump: listening on eth1.2, link-type EN10MB (Ethernet), capture size 262144 bytes
16:11:17.411651 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::217:10ff:fe8b:6c97 > ff02::1:ff19:984: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::207:11ff:fe19:984
          source link-address option (1), length 8 (1): 00:17:10:8b:6c:97
            0x0000:  0017 108b 6c97


# tcpdump -i eth1 -n -vvv '(udp port 546 or 547) or icmp6'
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
16:13:57.407726 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2606:a000:bfc0:91::1 > ff02::1:ffc6:5f9b: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2606:a000:bfc0:91:459d:b03c:3c6:5f9b
          source link-address option (1), length 8 (1): 00:17:10:8b:6c:82
            0x0000:  0017 108b 6c82

16:15:03.240144 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 192) fe80::217:10ff:fe8b:6c97 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 192
        hop limit 64, Flags [managed, other stateful], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
          source link-address option (1), length 8 (1): 00:17:10:8b:6c:97
            0x0000:  0017 108b 6c97
          mtu option (5), length 8 (1):  1500
            0x0000:  0000 0000 05dc
          prefix info option (3), length 32 (4): 2606:a000:c04:71::/64, Flags [onlink], valid time infinity, pref. time infinity
            0x0000:  4080 ffff ffff ffff ffff 0000 0000 2606
            0x0010:  a000 0c04 0071 0000 0000 0000 0000
          prefix info option (3), length 32 (4): 2606:a000:bfc0:91::/64, Flags [onlink], valid time infinity, pref. time infinity
            0x0000:  4080 ffff ffff ffff ffff 0000 0000 2606
            0x0010:  a000 bfc0 0091 0000 0000 0000 0000
          prefix info option (3), length 32 (4): 2606:a000:404:101::/64, Flags [onlink], valid time infinity, pref. time infinity
            0x0000:  4080 ffff ffff ffff ffff 0000 0000 2606
            0x0010:  a000 0404 0101 0000 0000 0000 0000
          prefix info option (3), length 32 (4): 2606:a000:704:71::/64, Flags [onlink], valid time infinity, pref. time infinity
            0x0000:  4080 ffff ffff ffff ffff 0000 0000 2606
            0x0010:  a000 0704 0071 0000 0000 0000 0000
          prefix info option (3), length 32 (4): 2606:a000:a00:1811::/64, Flags [onlink], valid time infinity, pref. time infinity
            0x0000:  4080 ffff ffff ffff ffff 0000 0000 2606
            0x0010:  a000 0a00 1811 0000 0000 0000 0000

16:16:49.127745 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2606:a000:c04:71::1 > ff02::1:ffa5:119: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2606:a000:c04:71:59fc:376c:cda5:119
          source link-address option (1), length 8 (1): 00:17:10:8b:6c:82
            0x0000:  0017 108b 6c82
16:16:50.132597 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2606:a000:c04:71::1 > ff02::1:ffa5:119: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2606:a000:c04:71:59fc:376c:cda5:119
          source link-address option (1), length 8 (1): 00:17:10:8b:6c:82
            0x0000:  0017 108b 6c82
16:16:51.128950 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2606:a000:c04:71::1 > ff02::1:ffa5:119: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2606:a000:c04:71:59fc:376c:cda5:119
          source link-address option (1), length 8 (1): 00:17:10:8b:6c:82
            0x0000:  0017 108b 6c82
16:16:52.128948 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2606:a000:c04:71::1 > ff02::1:ffa5:119: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2606:a000:c04:71:59fc:376c:cda5:119
          source link-address option (1), length 8 (1): 00:17:10:8b:6c:82
            0x0000:  0017 108b 6c82
16:16:53.163144 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2606:a000:c04:71::1 > ff02::1:ffa5:119: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2606:a000:c04:71:59fc:376c:cda5:119
          source link-address option (1), length 8 (1): 00:17:10:8b:6c:82
            0x0000:  0017 108b 6c82
16:16:54.195769 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2606:a000:c04:71::1 > ff02::1:ffa5:119: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2606:a000:c04:71:59fc:376c:cda5:119
          source link-address option (1), length 8 (1): 00:17:10:8b:6c:82
            0x0000:  0017 108b 6c82

16:17:20.469881 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::217:10ff:fe8b:6c97 > ff02::1:ff19:984: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::207:11ff:fe19:984
          source link-address option (1), length 8 (1): 00:17:10:8b:6c:97
            0x0000:  0017 108b 6c97

trendy · December 25, 2020, 9:29pm

That is not correct. wan is not bridged by default, nor is it needed to allow dhcp. And with what have you bridged the eth1.2 ?

This rule is not needed, you are not running a dhcp6 server on the wan interface, are you?

proft:

config rule
        option name 'Allow DHCPv6 (546-to-547)'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '547'
        option family 'ipv6'
        option src_port '546'

I don't see any dhcp6 solicit to start with.

But first explain why the wan interfaces are bridged and we'll get to the dhcp6.

proft · December 25, 2020, 10:31pm

The WAN interfaces came bridged that way out of the box, in the default configuration. I did not set anything up myself in this regard. The WAN(br-wan) and WAN6(br-wan) interfaces are part of the "wan" firewall zone which consists of "wan:" and "wan6:". Just like the LAN(br-lan) interface which is in the "lan" firewall zone.

Here is the interface config, again--out of the box plus my own IP assignments:

# ifconfig -a
br-lan    Link encap:Ethernet  HWaddr 32:23:03:DF:69:38
          inet addr:10.x.x.1  Bcast:10.x.x.255  Mask:255.255.255.0
          inet6 addr: fdce:9dc1:1ccc::1/64 Scope:Global
          inet6 addr: fe80::3023:3ff:fedf:6938/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1097535 errors:0 dropped:154 overruns:0 frame:0
          TX packets:2611087 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:359087001 (342.4 MiB)  TX bytes:3260171627 (3.0 GiB)

br-wan    Link encap:Ethernet  HWaddr 30:23:03:DF:69:38
          inet addr:65.x.x.x  Bcast:65.x.x.255  Mask:255.255.240.0
          inet6 addr: fe80::3223:3ff:fedf:6938/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2921272 errors:0 dropped:0 overruns:0 frame:0
          TX packets:948703 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2653507158 (2.4 GiB)  TX bytes:350245160 (334.0 MiB)

br-wan6   Link encap:Ethernet  HWaddr 3E:F0:77:60:B9:88
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth0      Link encap:Ethernet  HWaddr 32:23:03:DF:69:38
          inet6 addr: fe80::3023:3ff:fedf:6938/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:291546 errors:0 dropped:0 overruns:0 frame:0
          TX packets:567018 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:532
          RX bytes:57369080 (54.7 MiB)  TX bytes:672242044 (641.0 MiB)
          Interrupt:37

eth0.1    Link encap:Ethernet  HWaddr 32:23:03:DF:69:38
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:289961 errors:0 dropped:0 overruns:0 frame:0
          TX packets:566856 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:52052864 (49.6 MiB)  TX bytes:669963455 (638.9 MiB)

eth1      Link encap:Ethernet  HWaddr 30:23:03:DF:69:38
          inet6 addr: fe80::3223:3ff:fedf:6938/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3684583 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1042543 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:532
          RX bytes:3330943663 (3.1 GiB)  TX bytes:369730481 (352.6 MiB)
          Interrupt:36

eth1.2    Link encap:Ethernet  HWaddr 30:23:03:DF:69:38
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2921282 errors:0 dropped:0 overruns:0 frame:0
          TX packets:948703 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2653507618 (2.4 GiB)  TX bytes:350245160 (334.0 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:21681 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21681 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1876270 (1.7 MiB)  TX bytes:1876270 (1.7 MiB)

mlan0     Link encap:Ethernet  HWaddr 30:23:03:DF:69:3B
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr 30:23:03:DF:69:3A
          inet6 addr: fe80::3223:3ff:fedf:693a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:17746 errors:0 dropped:0 overruns:0 frame:0
          TX packets:47361 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3690430 (3.5 MiB)  TX bytes:21318294 (20.3 MiB)

wlan1     Link encap:Ethernet  HWaddr 32:23:03:DF:69:39
          inet6 addr: fe80::3023:3ff:fedf:6939/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:797652 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2155997 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:316652121 (301.9 MiB)  TX bytes:2632283656 (2.4 GiB)

proft · December 25, 2020, 10:50pm

I just manually unchecked "Bridge interfaces" in all of the interfaces, which seems to have gotten rid of the br-lan and br-wan interfaces, but still no change on the DHCPv6 side.

So I rebooted the device. Lo and behold, IPv6 now obtains an IP! I also removed both the "546-to-547" and "547-to-546" supplemental firewall rules mentioned in the OpenWrt IPv6 article and things still work fine.

So there must have been something blocking the DHCPv6 packets in the firewall due to the bridge interface? Like I said, I never clicked on those options on initial setup that I can recall (I had to search pretty deeply to find them in order to disable them).

proft · December 25, 2020, 11:07pm

Hmm...now my LAN DHCPv4 leases are no longer working.

proft · December 26, 2020, 12:06am

Had to re-enable the "br-lan" interface and combine eth0.1, wlan0, and wlan1 so that DHCP would work again. Now all is well.

Thanks for the responses.

trendy · December 26, 2020, 1:22am

Then you didn't do a clean installation from DD-WRT. I suggest to do a reset of the device to defaults and start from scratch. Since you are using dhcp for wan and dhcpv6 for wan6 the default configuration will work out of the box. If there are still problems you can post the following for troubleshooting.
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*