IPv6 using another router connected to WAN

Hello,

I am new to OpenWRT and my setup is as follows:

From my ISP I must use their router (Orange Livebox Fiber). I have therefore connected a LAN port from that router to the WAN port of the OpenWRT router.

Internet via IPv4 does work, however getting IPv6 to work gives me problems.

Before I flashed OpenWRT I used the Linksys WRT3200ACM router with stock firmware and had simply set up IPv6 via "passthrough", which worked. However, the Linksys firmware did not allow me to specify a dedicated IPv6 DNS server (which should be my Pihole).

I have tried to set the DHCP settings (Router Advertisement-Service, DHCPv6-Service, NDP-Proxy) on the LAN-interface to "relay-mode", however without success. I cannot find the setting to correspond with the "passthrough" from before.

Does anyone know how to set up OpenWRT with luci to get IPv6 to work in my setup?

If any more info is needed I will try my best to supply it!

//Edit: The OpenWRT router has IPv6 internet, and I can ping ipv6.google.com when I SSH into the OpenWRT.

The problem is probably that the Livebox doesn't support Prefix Delegation:

Therefore, your OpenWrt will get an IPv6 address via SLAAC, but it will not get a separate prefix to distribute to its own downstream clients. Don't even ask why they assign a /56 if you can only use a single /64.

There are two (three) solutions:

  1. Change the Livebox for something else:
    https://vincent.bernat.ch/en/blog/2019-orange-livebox-linux
  2. Run OpenWrt as AccessPoint/Switch. You will have to connect OpenWrt via LAN port (not WAN!) to your Livebox. However, you probably won't be able to use your OpenWrt box to supply clients with your PiHole IP as DNS. Can you set up alternative DNS servers on the Livebox?
  3. Use NDP Proxy. But that is a very ugly hack (in my opinion) and won't really work for SLAAC clients (e.g. Android devices) unless you come up with some rather advanced configuration scripts.

EDIT: A fourth hacky solution I could think of, but don't know if it has been done:

  1. As an addition to 2. You'd need to block the Router Advertisements of your Livebox and instead have a local radvd/odhcpd instance running on your OpenWrt distributing its own RDNSS messages. Same probably for DHCPv4 messages. Could be heavy on the CPU. (EDIT2: After some further investigation this solution is probably called "DNS hijacking", or more correctly, DNS hijacking could be used to achieve the same)
3 Likes
ifstatus wan6

So, after even some more research, I think solution 2 in combination with DNS hijacking is the way to go for now. Your network will still be managed by your Livebox, but your OpenWrt will kind of act like a transparent firewall.

For more details on DNS hijacking with OpenWrt (you'd need to adjust it to include IPv6):
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/forced_dns_redirection

Maybe (depending on the internal design of the network switch in your OpenWrt box) it would be a good idea to actually connect your OpenWrt box via WAN port to your Livebox, but on the OpenWrt box to setup a bridge between WAN and LAN. The reason: depending on the switch design I am not sure if all ethernet traffic will pass the linux firewall or if it will be on a much lower level. In that case, creating a bridge between WAN and LAN would ensure that DNS requests have to pass through the linux kernel and the firewall rules.

Sidenote: this will break DNSSEC. But you could have DNSSEC running on your PiHole (and create an exception in the firewall rules).

If you need more help or have some questions, feel free to ask.

1 Like
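For the DNS hijacking solution described above, here is an added example of the OpenWrt UCI configuration (my own example, not from the thread or the linked wiki page): it intercepts LAN DNS on both IPv4 and IPv6 and DNATs it to the router's dnsmasq, which forwards only to the Pi-hole, while the Pi-hole itself is exempted so its own upstream (DNSSEC-validating) queries are not looped back. The Pi-hole addresses are constructed placeholders; it assumes `src_ip` negation with `!` (supported by fw3 and fw4) and that on older fw3-based releases the ip6tables-mod-nat package is installed for IPv6 DNAT.

```shell
#!/bin/sh
# Added example (not from the thread): force all LAN DNS traffic, IPv4 and
# IPv6, to the router's dnsmasq, which forwards it to the Pi-hole. The Pi-hole
# itself is exempted so its own upstream (DNSSEC-validating) queries are not
# looped back. Addresses are constructed placeholders; edit them.
PIHOLE_V4="${PIHOLE_V4:-192.0.2.10}"
PIHOLE_V6="${PIHOLE_V6:-2001:db8:1::10}"

# Emit a 'uci batch' script. One redirect per address family, since src_ip
# can only hold an address of one family; '!' negates the match.
gen_dns_redirect() {
  for fam in 4 6; do
    eval ph=\$PIHOLE_V$fam
    cat <<EOF
set firewall.dns_int$fam=redirect
set firewall.dns_int$fam.name=Intercept-DNS-v$fam
set firewall.dns_int$fam.src=lan
set firewall.dns_int$fam.src_ip=!$ph
set firewall.dns_int$fam.src_dport=53
set firewall.dns_int$fam.proto='tcp udp'
set firewall.dns_int$fam.family=ipv$fam
set firewall.dns_int$fam.target=DNAT
EOF
  done
  # dnsmasq: use only the Pi-hole as upstream, ignore the ISP's resolvers.
  cat <<EOF
add_list dhcp.@dnsmasq[0].server=$PIHOLE_V4
add_list dhcp.@dnsmasq[0].server=$PIHOLE_V6
set dhcp.@dnsmasq[0].noresolv=1
commit firewall
commit dhcp
EOF
}

# Sanity helpers: number of redirect sections generated, and whether the
# rule for a given family exempts the expected Pi-hole address.
count_redirects() { gen_dns_redirect | grep -c '=redirect$'; }
exempts() { gen_dns_redirect | grep -q "dns_int$1.src_ip=!$2"; }

# Usage: ./dns-redirect.sh apply   (on the router; otherwise it only prints)
if [ "$1" = apply ]; then
  uci -q delete dhcp.@dnsmasq[0].server   # avoid duplicate entries on re-run
  gen_dns_redirect | uci batch && /etc/init.d/firewall restart && /etc/init.d/dnsmasq restart
else
  gen_dns_redirect
fi
```

Clients that honour DHCP/RDNSS still reach the Pi-hole directly; the redirect only catches those that hard-code another resolver.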

Thanks for all the help!

It is really annoying that it has to be so involved to make it work (especially since my provider is using CGNAT for IPv4 and so IPv6 should be prioritized...).

I will look into DNS hijacking as @treysis is suggesting. But otherwise I will probably try to even find another provider in the long term that can give me a simple ONT so that I can connect my own router to it.

@vgaetera Just in case here is the output for ifstatus wan6:

root@OpenWrt:~# ifstatus wan6
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 298501,
	"l3_device": "eth1.2",
	"proto": "dhcpv6",
	"device": "eth1.2",
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		
	],
	"ipv6-address": [
		{
			"address": "2a01:c50f:c4c5:d000:6238:e0ff:fecd:1d48",
			"mask": 64,
			"preferred": 563,
			"valid": 1763
		}
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "2a01:c50f:c4c5:d000::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"valid": 1763,
			"source": "::/0"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::be30:d9ff:fe77:1dcd",
			"metric": 512,
			"valid": 563,
			"source": "2a01:c50f:c4c5:d000:6238:e0ff:fecd:1d48/64"
		}
	],
	"dns-server": [
		"fe80::be30:d9ff:fe77:1dcd"
	],
	"dns-search": [
		"home"
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		"passthru": "00170010fe80000000000000be30d9fffe771dcd0018000604686f6d6500"
	}
}

// Edit: @treysis To bridge LAN with WAN, should I do this in the interface settings for LAN as shown in the picture, where I activate Switch VLAN: "eth1.2" (wan, wan6)?

It seems you have no separate IPv6 prefix and only /64 on the upstream interface.
Perhaps the only way to provide IPv6 to the clients is utilizing an NDP proxy and/or bridging, but I have no such experience.

Yes, that's where I would do it. Haven't done this myself though. You could also try doing it without bridging first to see if that is enough.

@vgaetera Yes, you have to use the OpenWrt as a switch/access point. I have done this in the past when my ISP modem didn't support WiFi and also only gave me a single /64.

1 Like