IPv6 WAN configuration (new residential edge setup)

OpenWRT 23.05.2. The device role is an edge router between the upstream bridging modem (ISP provided, so I don't have direct access) and my home network. It also provides local DNS and DHCP (static leases for my internal devices; IPv4 only for now).

I've recently had to switch ISPs; the new ISP has some form of IPv6 support but I'm not sure precisely what, and wan6 never comes up. I followed https://openwrt.org/docs/guide-user/network/ipv6/configuration#native_ipv6_connection

Everything IPv4 works fine, as far as I can tell.

I have minimal IPv6 experience (but did have a deep IPv4 job once), and have never done anything non-trivial with OpenWRT.

I ran ifup wan6; tcpdump -i eth0.2 -U -w ipv6.pcap -c 50 'icmp6 or port 546 or port 547' and see upstream Router Advertisement but no response to DHCPv6:

    1   0.000000 fe80::cad3:a3ff:fe66:3b2f → ff02::2      ICMPv6 70 Router Solicitation from c8:d3:a3:66:3b:2f
    2   0.021254 fe80::217:10ff:fe9a:77ae → fe80::cad3:a3ff:fe66:3b2f ICMPv6 342 Router Advertisement from 00:17:10:9a:77:ae
    3   0.789136 fe80::cad3:a3ff:fe66:3b2f → ff02::1:2    DHCPv6 164 Solicit XID: 0x75fa99 CID: 00030001c8d3a3663b2f
    4   1.909295 fe80::cad3:a3ff:fe66:3b2f → ff02::1:2    DHCPv6 164 Solicit XID: 0x75fa99 CID: 00030001c8d3a3663b2f
    5   4.149277 fe80::cad3:a3ff:fe66:3b2f → ff02::1:2    DHCPv6 164 Solicit XID: 0x75fa99 CID: 00030001c8d3a3663b2f
Internet Control Message Protocol v6
    Type: Router Advertisement (134)
    Code: 0
    Checksum: 0x792b [correct]
    [Checksum Status: Good]
    Cur hop limit: 64
    Flags: 0xc0, Managed address configuration, Other configuration, Prf (Default Router Preference): Medium
    Router lifetime (s): 1800
    Reachable time (ms): 0
    Retrans timer (ms): 0
    ICMPv6 Option (Source link-layer address : 00:17:10:9a:77:ae)
    ICMPv6 Option (MTU : 1500)
    ICMPv6 Option (Prefix information : 2604:5580:40:ab::/64)
    ICMPv6 Option (Prefix information : 2607:f798:804:1aa::/64)
    ICMPv6 Option (Prefix information : 2607:9880:0:ab::/64)
    ICMPv6 Option (Prefix information : 2604:5580:100:d4::/64)
    ICMPv6 Option (Prefix information : 2604:5580:50:ab::/64)
    ICMPv6 Option (Prefix information : fd07:f798:3:4245::/64)
    ICMPv6 Option (Prefix information : 2607:f798:70:10ef::/64)
    ICMPv6 Option (Prefix information : 2607:f2c0:f200:b0d::/64)

That's really strange, a bunch of disjoint /64s. Also the ISP is advertising "Managed Address configuration" which is an invitation to send a DHCPv6 address request, and it is supposed to respond.

Hmm, I hadn't considered the possibility that this might not be my fault. Maybe I'll try to borrow some recent stock consumer router and see how that goes.

Use the default configuration and let wan6 try to acquire an address, then run ifstatus wan6 to see if it makes any sense.

Following up — it's an upstream problem, not an OpenWRT problem.

Have a look at the network option ip6hint in case you have multiple vlans. With that option you are able to number vlans automatically.
Example: you get a /56 from upstream. On each VLAN you set the ip6hint as a hex from 00 to FF and you get nice looking IPv6 subnets for free.

Any chance you could post an example of what this would look like, I actually have a setup I'm working on with 4 vlans and a managed switch with 1 trunked port and 4 ports available, I have 1 vlan per port, is the hint mandatory or just a convenience?

Sure.

(I will skip the device/switch config, and will post only the interface section, to illustrate ip6hint, ok?)

# VLAN 16/0x10: net.mgmt
config interface            'vlan16'
    option  device          'br-vlan16'
    option  proto           'static'
    option  ipaddr          '192.168.16.1/24'
    list    ip6ifaceid      '::1'
    list    ip6ifaceid      'eui64'
    option  ip6assign       '64'
    option  ip6hint         '10'

# VLAN 17/0x11: srv.mgmt
config interface            'vlan17'
    option  device          'br-vlan17'
    option  proto           'static'
    option  ipaddr          '192.168.17.1/24'
    list    ip6ifaceid      '::1'
    list    ip6ifaceid      'eui64'
    option  ip6assign       '64'
    option  ip6hint         '11'

# VLAN 64/0x40: admin.clients
config interface            'vlan64'
    option  device          'br-vlan64'
    option  proto           'static'
    option  ipaddr          '192.168.64.1/24'
    list    ip6ifaceid      '::1'
    list    ip6ifaceid      'eui64'
    option  ip6assign       '64'
    option  ip6hint         '40'

I think you got the point. I (re-)use the VLAN-ID on the 3. octet on an ipv4 address, and for ip6hint.

root@cpe:~# for ID in 16 17 64; do ip address show scope global dev br-vlan${ID}; done
8: br-vlan16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 02:00:01:01:00:10 brd ff:ff:ff:ff:ff:ff
    inet 192.168.16.1/24 brd 192.168.16.255 scope global br-vlan16
       valid_lft forever preferred_lft forever
    inet6 2003:e4:xxxx:ca10::1/64 scope global dynamic noprefixroute
       valid_lft 72519sec preferred_lft 72519sec
    inet6 fde6:a09a:b373:10::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
10: br-vlan17: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 02:00:01:01:00:11 brd ff:ff:ff:ff:ff:ff
    inet 192.168.17.1/24 brd 192.168.17.255 scope global br-vlan17
       valid_lft forever preferred_lft forever
    inet6 2003:e4:xxxx:ca11::1/64 scope global dynamic noprefixroute
       valid_lft 72519sec preferred_lft 72519sec
    inet6 fde6:a09a:b373:11::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
16: br-vlan64: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 02:00:01:01:00:40 brd ff:ff:ff:ff:ff:ff
    inet 192.168.64.1/24 brd 192.168.64.255 scope global br-vlan64
       valid_lft forever preferred_lft forever
    inet6 2003:e4:xxxx:ca40::1/64 scope global dynamic noprefixroute
       valid_lft 72519sec preferred_lft 72519sec
    inet6 fde6:a09a:b373:40::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever

As you can see, the GUA (Global Unique Addr) and ULA (Unique Local Addr) prefixes both "end" in 10, 11, and 40, for VLAN 16, 17, and 64.

Not sure if I understand the question...
ip6hint gets applied and works, if your hint is within the boundary of the prefix-size you get from upstream. Like, you can not set the hint to CFF if you only get a /56.
And you are not required to set it... Not 100% sure about the default behaviour but IIRC then OpenWRT would just iterate the prefixes... Like the first defined VLAN gets the hint 1, the next vlan gets 2 (even maybe the vlanid is 1027 or what ever)...

As I do like "nice" looking numbers I set the hint explicitly.

So I guess if I have vlan 10 @ 192.168.10.1/24 and vlan 20 @ 192.168.20.1/24 (I have 4 total)

Would I use hint 10? Hint 20 hint 30 and hint 40? Or does the number in the hint not matter?

I'm just referring to my subnets here but they all have ipv6 also

I get a /56 from my isp I have 4 subnets setup on /60

I would use for

  • VLAN 1 (OpenWrt default for "lan"): 192.168.1.1/24 and option ip6hint '1'
  • VLAN 2 (OpenWrt default for "wan"): none (wan is mostly proto 'pppoe' and wan6 is mostly proto 'dhcpv6')
  • VLAN 10: 192.168.10.1/24 and option ip6hint 'A'
  • VLAN 20: 192.168.20.1/24 and option ip6hint '14'

Furthermore: I explicitly set option ip6assign '64' (on all interfaces), because: on a link where I have also connected an additional router, I set ip6assign to i.e. 59 and ip6hint to 80. Why?

$ sipcalc 2001:db8::/56 -S 59
-[ipv6 : 2001:db8::/56] - 0

[Split network]
Network                 - 2001:0db8:0000:0000:0000:0000:0000:0000 -
                          2001:0db8:0000:001f:ffff:ffff:ffff:ffff
Network                 - 2001:0db8:0000:0020:0000:0000:0000:0000 -
                          2001:0db8:0000:003f:ffff:ffff:ffff:ffff
Network                 - 2001:0db8:0000:0040:0000:0000:0000:0000 -
                          2001:0db8:0000:005f:ffff:ffff:ffff:ffff
Network                 - 2001:0db8:0000:0060:0000:0000:0000:0000 -
                          2001:0db8:0000:007f:ffff:ffff:ffff:ffff
Network                 - 2001:0db8:0000:0080:0000:0000:0000:0000 -
                          2001:0db8:0000:009f:ffff:ffff:ffff:ffff
Network                 - 2001:0db8:0000:00a0:0000:0000:0000:0000 -
                          2001:0db8:0000:00bf:ffff:ffff:ffff:ffff
Network                 - 2001:0db8:0000:00c0:0000:0000:0000:0000 -
                          2001:0db8:0000:00df:ffff:ffff:ffff:ffff
Network                 - 2001:0db8:0000:00e0:0000:0000:0000:0000 -
                          2001:0db8:0000:00ff:ffff:ffff:ffff:ffff

The (second) downstream router then can get a /59 and use the values 0 to 1F to make use of the 32 ipv6 networks (/64).

so i actually have my entire setup here,

https://forum.openwrt.org/t/pi4-multi-vlan-firewall-config-review/185255

if you are willing, would you take a look and tell me if anything could be configured differently? this is a pi 4 with a usb adapter (wan) and onboard ethernet port (lan)

my available interfaces my vlans x4, wan, and wan6. i believe my isp is giving me a /56. all 4 of my subnets are on the pi, and vlan trunked to my edgerouter (acting as a vlan aware switch)

  • remove the dns settings from all interfaces, except that one which is used for "wan" (or in your case, add this to "wan")
  • ip6assign: like stated, this is only relevant if you have/will have devices on that vlan which also act as a router, and will not only request an address via dhcpv6 but will also request a delegated prefix. if you have no routers downstream on your vlans, just set ip6assign to 64.
  • regarding ip6hint: have a look at your current ipv6 addresses and see how the current ip6hint is calculated. i assume they are just incremental (and maybe even with an offset of 4bit). set the hint however you like (within 0 to ff). I use the vlan id in hex. (not quite sure because time passes but i think i have picked that up in https://www.oreilly.com/library/view/ipv6-address-planning/9781491908211/)

i actually did change my dns to the wan! that was a really good one, and if im following you, and in my potential example here,

vlans 10 port 1 on the edgerouter goes out to a dumb switch, so everything on that will still get an ipv6 even with ip6assign 64?
vlan 20 port 2. goes to a wifi router in bridge mode, same concept as vlan 10?
vlan30 port 3 is a single work pc, /64
and vlan40 port 4 might actually have a downstream router once i setup my test lab (technically my whole lab is a test lab rn lol) so would i be served well with a /59 or something on vlan 40?

as for the hints, if they are auto delegated im ok with that, unless there's a performant/or security related reason to set the hint?

Yes, ip6assign just states how large the (assigned) prefix should be. See https://openwrt.org/docs/guide-user/network/ipv6/configuration too.

Example: You have a VLAN and for some reason or another you expect to have up to 7 routers down the road. I don't know, maybe a house with 7 parties / roommates. And you want to enable each router to be able to support, lets say, 16 VLANS/Networks. That's 112. Let's round that up to at least 128. You would set ip6assign to 57. (57=64-7, because 2^7=128) And ip6hint can just be set to 80. And the "first" router could only assign 128 networks itself... from 0 to 7F.

On setting ip6assign to 59:
If up to 32 networks are enough for the second router, why not. And set the hint either to 0, or 20, or 40, or to 60, or to 80, .. a0, .. c0, or e0.

Not that I'm aware of. I just like to set them explicitly, to have them predictable. Like, if these are just incremental, and I introduce a new vlan in the middle of the current allocations, then each following network gets renumbered. I dislike.

so in most cases where i MIGHT go 1 more network deep, /59 is more than enough on that single interface, but /60 is not needed on any that aren't getting a further router downstream? just making sure i understand

Yeah.
But not quite sure about "1 more network deep, /59 is more than enough".
If you have a downstream router which just needs to support a single network, then the delegated prefix could just be a single network. The first router would set ip6assign to 63. If you need 4 networks on the second router, then ip6assign should be at least 62. And so on.

Correct.

I'm fine with that :sweat_smile:
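
Added example (not part of any post in this thread, and not OpenWrt's netifd code): the ip6assign/ip6hint arithmetic discussed above, modelled in Python as the thread describes it, with the hint read as a hex subnet ID counted in /64 units. The names `subprefix` and `plan` and the sample plan on `2001:db8::/56` are assumptions; what netifd does with an unusable hint is not modelled, the functions simply reject it.

```python
import ipaddress

def subprefix(delegated, assign_len, hint_hex):
    """Return the network an interface gets for a given ip6assign and ip6hint."""
    pd = ipaddress.IPv6Network(delegated)
    if not pd.prefixlen <= assign_len <= 64:
        raise ValueError(f"ip6assign {assign_len} must lie between /{pd.prefixlen} and /64")
    hint = int(hint_hex, 16)                    # hints are hex without a 0x prefix
    if hint >= 1 << (64 - pd.prefixlen):        # e.g. CFF does not fit in a /56
        raise ValueError(f"hint {hint_hex} does not fit in a /{pd.prefixlen}")
    block = 1 << (64 - assign_len)              # number of /64s one assignment covers
    if hint % block:                            # a /59 may start at 0, 20, 40, ... e0
        raise ValueError(f"hint {hint_hex} is not aligned to a /{assign_len}")
    base = int(pd.network_address) + (hint << 64)
    return ipaddress.IPv6Network((base, assign_len))

def plan(delegated, interfaces):
    """interfaces: {name: (ip6assign, ip6hint)} -> {name: network}; rejects overlaps."""
    result = {}
    for name, (assign_len, hint_hex) in interfaces.items():
        net = subprefix(delegated, assign_len, hint_hex)
        for other, other_net in result.items():
            if net.overlaps(other_net):
                raise ValueError(f"{name} {net} overlaps {other} {other_net}")
        result[name] = net
    return result

# Constructed sample plan: three plain VLANs plus one link with a downstream router.
PD = "2001:db8::/56"
SAMPLE = {
    "vlan1": (64, "1"),
    "vlan10": (64, "A"),
    "vlan20": (64, "14"),
    "vlan40": (59, "80"),   # downstream router may request up to 32 x /64
}

if __name__ == "__main__":
    for name, net in plan(PD, SAMPLE).items():
        print(f"{name:8} {net}  ({2 ** (64 - net.prefixlen)} x /64)")
```

Running the plan before committing it to /etc/config/network catches the case where a /64 hint lands inside a block already reserved for a downstream router.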

epic info, thank you, i will update them to /64 for the time being, my test lab will probs be 1 router that im experimenting with features on to eventually put into production, so at most it would have a full functional copy of my production network (pi+managed switch) i am looking into the gs308e right now, but i think id have to run stock firmware, which for only vlan processing i think im ok with
