IPv6 wan connections working only on router

Hello everyone!

I am trying to configure my network to be fully ipv6 compatible.
I have already configured local ipv6 network. Lan ipv6 works fine, I can connect to my machines and router locally via ipv6.
I have configured my IPv6 WAN (it is a native IPv6 connection provided via DHCPv6). I can ping e.g. ipv6.google.com from the router, but I cannot ping it from my computer connected to the router. I have read the LEDE IPv6 basics, but I do not get “Destination unreachable: Unknown code 5”; there is simply no output.
I have to admit that I may have messed something up in the IPv6 config. I don't fully understand it yet.

I have a LEDE's default firewall config + a rule for inbound vpn connections.

below is a fragment of my router's /etc/config/network:

config globals 'globals'
	option ula_prefix 'fd00::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.2.1'
	# tap0 is bridged into the LAN together with eth0, so whatever is attached
	# to tap0 shares the LAN's layer-2 segment (including router advertisements).
	# NOTE(review): presumably tap0 belongs to the VPN mentioned in the post - confirm.
	option ifname 'eth0 tap0'
	# Assign a /64 to this interface out of the prefixes available to the router.
	option ip6assign '64'
	option dns '2001:4860:4860::8888 8.8.8.8'

config interface 'wan'
	option _orig_ifname 'eth1'
	option _orig_bridge 'false'
	option ifname 'eth1'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	option dns '8.8.8.8'

config interface 'wan6'
	option proto 'dhcpv6'
	option ifname 'eth1'
	# Ask upstream for an address ('try') and for a delegated prefix ('auto').
	option reqaddress 'try'
	option reqprefix 'auto'
	# fd00:fd00::/48 lies inside fc00::/7 (unique local addresses), which is not
	# routed on the public Internet. Offering it as the wan6 prefix means LAN
	# clients numbered from it have no globally routable source address, which
	# is consistent with the router reaching IPv6 hosts while clients cannot.
	# NOTE(review): it also differs from the ula_prefix in 'globals' - confirm intent.
	option ip6prefix 'fd00:fd00::/48'

How is the first router configured? Does it offer prefix delegation?
(This LEDE router seems to be behind another router that is also doing IPv4 NAT and probably also the IPv6 prefix assignment.)

Assigning a unique-local (ULA) fd00 prefix to your wan6 looks strange

What is your odhcpd config in /etc/config/dhcp, in lan and odhcpd sections?

Should be something like

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option force '1'
        option dhcpv6 'server'
        option ra 'server'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

My dhcp config file is almost identical with your snippet:

config dnsmasq
option domainneeded '1'
option boguspriv '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'
option logqueries '1'
option nonwildcard '0'

config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'

config domain
option name 'archpc'
option ip '192.168.2.22'

The first router is provided by my ISP (orange). I can log in, but I have seriously no option to change anything ipv6 related. In Lan info tab there is (I changed it for purpose of this post ofc):

adres GUA IPv6 aaaa:bbbb:ccc:dddd:1111:2222:3333:4444
prefiks IPv6 aaaa:bbbb:ccc:dddd::/56.

The problem is that my LEDE router does not get a ipv6 prefix. In overview -> wan6 status there is no info about ipv6 prefix. There is address, gateway and dns.
I guess I have to set up a nat6 to solve this problem. Or maybe can I configure my LEDE with static ipv6 and somehow configure delegated prefix manually?

edit: also, the Orange router has DHCPv6 disabled, so I get a stateless address on LEDE.

for this kind of error, you can try:

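# Add a route for 2000::/3 (global unicast space) using the gateway and device
# of the first ::/0 entry in the kernel's IPv6 routing table.
# The inner pipeline has to run as a command substitution so that its output
# ("gw <gateway> dev <device>") becomes the arguments of the outer command;
# the substitution is left unquoted on purpose so it splits into four words.
route -A inet6 add 2000::/3 $(route -A inet6 | grep ::/0 | awk 'NR==1{print"gw "$2" dev "$7}')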

This makes the router use a route for 2000::/3 instead of the ::/0 default route.

This kind of change worked for me. Good luck!

Is there anyone who can help? I have the same issue on my XiaoMi Mini router.

  1. on the router I can ping or traceroute ipv6 sites. But I can't traceroute ipv6 sites if I add the wrong '-s xxx' option. For example:
    traceroute -6 2001:470:806d:1::10 [-s 240e:****:cf4c:7c00:6609:80ff:fe70:ed6] works, but
    traceroute -6 2001:470:806d:1::10 -s 240e:****:cfe2:100::1 does not work.
  2. on my local PC, I can't ping through the default gateway 240e:****:cf4c:7c00:6609:80ff:fe70:ed6
  3. after I changed some configs in the router, I did get closer to the solution: I can ping through the default gateway, but I can't traceroute ipv6 sites. The traceroute seems to be able to move ahead by only one hop:
C:\WINDOWS\system32>tracert -6 2001:470:806d:1::10

Tracing route to 2001:470:806d:1::10 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  240e:****:cfe2:100::1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  ...

I don't know which of the config changes I made affected the result.
This issue occurs both on openwrt-18.06.5 and 19.07.3.

cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd0:5f55:5612::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr '66:09:80:**:0e:d6'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr '64:09:80:**:0e:d6'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '6t 0 1 2 3'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '6t 4'
        option vid '2'

# Static IPv6 default route (::/0) through the link-local gateway fe80::1.
# NOTE(review): 'option interface' in a route section normally names a logical
# interface section (here that would be 'wan6'), not a device such as
# 'eth0.2' - confirm this section is actually applied by netifd.
config route6 'default'
        option interface 'eth0.2'
        option target '::/0'
        option gateway 'fe80::1'

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

ip -6 r

default from 240e:****:cf4c:7c00:6609:80ff:fe70:ed6 via fe80::1 dev eth0.2  metric 640
240e:****:cfe2:100::/64 dev eth0.2  metric 256
unreachable fdd0:5f55:5612::/48 dev lo  metric 2147483647  error -148
fe80::/64 dev eth0  metric 256
fe80::/64 dev eth0.2  metric 256
fe80::/64 dev br-lan  metric 256
default via fe80::1 dev eth0.2  metric 1024
anycast 240e:****:cfe2:100:: dev eth0.2  metric 0
anycast fe80:: dev eth0.2  metric 0
anycast fe80:: dev eth0  metric 0
anycast fe80:: dev br-lan  metric 0
ff00::/8 dev eth0  metric 256
ff00::/8 dev eth0.2  metric 256
ff00::/8 dev br-lan  metric 256

ip a

root@OpenWrt:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 1000
    link/ether 64:09:80:70:0e:d6 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::6609:80ff:fe70:ed6/64 scope link
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 64:09:80:70:0e:d8 brd ff:ff:ff:ff:ff:ff
4: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 64:09:80:70:0e:d7 brd ff:ff:ff:ff:ff:ff
11: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 66:09:80:70:0e:d6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.1/24 brd 192.168.3.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fe80::6409:80ff:fe70:ed6/64 scope link
       valid_lft forever preferred_lft forever
12: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 66:09:80:70:0e:d6 brd ff:ff:ff:ff:ff:ff
13: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 64:09:80:70:0e:d6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0.2
       valid_lft forever preferred_lft forever
    inet6 240e:****:cf4c:7c00:6609:80ff:fe70:ed6/128 scope global dynamic
       valid_lft 2589187sec preferred_lft 601987sec
    inet6 240e:****:cfe2:100::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::6609:80ff:fe70:ed6/64 scope link
       valid_lft forever preferred_lft forever

on my PC, ipconfig

Ethernet adapter Ethernet:
   Connection-specific DNS Suffix  . : lan
   IPv6 Address. . . . . . . . . . . : fdd0:5f55:5612::312
   Link-local IPv6 Address . . . . . : fe80::cdeb:ff3e:aaa9:11d1%46
   IPv4 Address. . . . . . . . . . . : 192.168.3.171
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 240e:****:cf4c:7c00:6609:80ff:fe70:ed6
                                       192.168.3.1

network topology:
image

Try this way:

# Turn off source-based routing for routes learned on wan6. With the default
# setting the route is installed as "default from <prefix> via ...", so only
# packets sourced from an upstream-assigned prefix match it; with '0' a plain
# default route is installed and the source address is no longer part of the
# lookup.
# NOTE(review): once this is off, any restriction on which source addresses may
# leave through wan6 has to come from firewall rules - confirm they cover it.
uci set network.wan6.sourcefilter="0"
# Persist the change, then reload the network configuration.
uci commit network
/etc/init.d/network restart

https://openwrt.org/docs/guide-user/network/ipv6/start


Probably you need to remove the WAN6 /64 address and specify it as the ip6prefix.
Sorry, I have no native IPv6 to test other ways.

This may help you with troubleshooting:

# When sharing the output of these commands, mask addresses consistently:
# SLAAC addresses built from EUI-64 embed the interface MAC address, so masking
# only the prefix (or only the MAC) still discloses the other.

# Runtime IPv6 configuration
ip -6 address show; ip -6 route show; ip -6 rule show

# Routing check
# 'route get' prints the route the kernel would select for the destination.
# The second form repeats the lookup for a given source address, which is what
# matters when source-specific default routes are in use; replace ipv6_addr
# with the client's IPv6 address.
ip -6 route get 1::
ip -6 route get 1:: from ipv6_addr
traceroute -6 openwrt.org

# Traffic counters for firewall rules
# -c adds the per-rule packet and byte counters, which show whether forwarded
# traffic is being matched by an accept or a reject/drop rule.
ip6tables-save -c

# Traffic monitoring
# Router
# -n: no name resolution; -i any: capture on every interface; icmp6: ICMPv6 only.
tcpdump -n -i any icmp6
# Client
ping6 openwrt.org

Thanks. I think I have the default route for ipv6, here is traceroute result:

root@OpenWrt:~# traceroute -6 2a03:b0c0:3:d0::1af1:1
traceroute to 2a03:b0c0:3:d0::1af1:1 (2a03:b0c0:3:d0::1af1:1), 30 hops max, 64 byte packets
 1  240e:****:cfdf:3800:62bb:cff:fee8:304 (240e:****:cfdf:3800:62bb:cff:fee8:304)  3.900 ms  0.960 ms  0.980 ms
 2  240e:****::2840 (240e:****::2840)  3.300 ms  13.321 ms  3.060 ms

root@OpenWrt:~# traceroute -6 2a03:b0c0:3:d0::1af1:1 -i br-lan
traceroute: can't connect to remote host: Permission denied

which might be the same as when I tried ping6 from different interface:

root@OpenWrt:~# ping 2a03:b0c0:3:d0::1af1:1 -I eth0.2
PING 2a03:b0c0:3:d0::1af1:1 (2a03:b0c0:3:d0::1af1:1): 56 data bytes
64 bytes from 2a03:b0c0:3:d0::1af1:1: seq=0 ttl=38 time=317.581 ms

root@OpenWrt:~# ping 2a03:b0c0:3:d0::1af1:1 -I br-lan
PING 2a03:b0c0:3:d0::1af1:1 (2a03:b0c0:3:d0::1af1:1): 56 data bytes
ping: sendto: Permission denied

It seems that even though I have set sourcefilter=0, I can only ping6 out through the WAN interface 'eth0.2', but not through the LAN interface 'br-lan'.

besides, here some more info:

root@OpenWrt:~# ip -6 rule show
0:      from all lookup local
32766:  from all lookup main
4200000000:     from 240e:****:cf04:2c00::1/64 iif br-lan unreachable
4200000001:     from all iif lo failed_policy
4200000013:     from all iif br-lan failed_policy
4200000015:     from all iif eth0.2 failed_policy
4200000015:     from all iif eth0.2 failed_policy

root@OpenWrt:~# ip -6 route show table local
local ::1 dev lo proto kernel metric 0 pref medium
anycast 240e:****:cf04:2c00:: dev br-lan proto kernel metric 0 pref medium
local 240e:****:cf04:2c00::1 dev br-lan proto kernel metric 0 pref medium
local 240e:****:cfdf:3800:6609:80ff:fe70:ed6 dev eth0.2 proto kernel metric 0 pref medium
anycast fdd0:5f55:5612:: dev br-lan proto kernel metric 0 pref medium
local fdd0:5f55:5612::1 dev br-lan proto kernel metric 0 pref medium
anycast fe80:: dev eth0 proto kernel metric 0 pref medium
anycast fe80:: dev eth0.2 proto kernel metric 0 pref medium
anycast fe80:: dev br-lan proto kernel metric 0 pref medium
anycast fe80:: dev wlan0 proto kernel metric 0 pref medium
local fe80::6409:80ff:fe70:ed6 dev br-lan proto kernel metric 0 pref medium
local fe80::6609:80ff:fe70:ed6 dev eth0 proto kernel metric 0 pref medium
local fe80::6609:80ff:fe70:ed6 dev eth0.2 proto kernel metric 0 pref medium
local fe80::6609:80ff:fe70:ed8 dev wlan0 proto kernel metric 0 pref medium
ff00::/8 dev eth0 metric 256 pref medium
ff00::/8 dev br-lan metric 256 pref medium
ff00::/8 dev eth0.2 metric 256 pref medium
ff00::/8 dev wlan0 metric 256 pref medium

root@OpenWrt:~# ip -6 route show table main
240e:****:cf04:2c00::6fe dev br-lan proto static metric 1024 pref medium
240e:****:cf04:2c00::/64 dev br-lan proto static metric 1024 pref medium
unreachable 240e:****:cf04:2c00::/56 dev lo proto static metric 2147483647 error -148 pref medium
240e:****:cfdf:3800:62bb:cff:fee8:304 dev eth0.2 proto static metric 1024 pref medium
240e:****:cfdf:3800:fd23:4661:c7a6:eb3c dev eth0.2 proto static metric 1024 pref medium
fdd0:5f55:5612::6fe dev br-lan proto static metric 1024 pref medium
fdd0:5f55:5612::/64 dev br-lan proto static metric 1024 pref medium
unreachable fdd0:5f55:5612::/48 dev lo proto static metric 2147483647 error -148 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0.2 proto static metric 640 pref medium

root@OpenWrt:~# ip -6 address show;
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 1000
    inet6 fe80::6609:80ff:fe70:ed6/64 scope link
       valid_lft forever preferred_lft forever
13: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 240e:****:cf04:2c00::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fdd0:5f55:5612::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::6409:80ff:fe70:ed6/64 scope link
       valid_lft forever preferred_lft forever
15: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 240e:****:cfdf:3800:6609:80ff:fe70:ed6/128 scope global dynamic noprefixroute
       valid_lft 2587126sec preferred_lft 599926sec
    inet6 fe80::6609:80ff:fe70:ed6/64 scope link
       valid_lft forever preferred_lft forever
16: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::6609:80ff:fe70:ed8/64 scope link
       valid_lft forever preferred_lft forever

# sysctl -a:
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.br-lan.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth0.1.forwarding = 1
net.ipv6.conf.eth0.2.forwarding = 1
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.wlan0.forwarding = 1
net.ipv6.conf.wlan1.forwarding = 1

Finally it's done. Working config:
/etc/config/network:

# No ula_prefix is defined here, unlike the earlier configs in this thread.
config globals 'globals'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.100.129'
        option netmask '255.255.255.128'
        option ifname 'eth0.1'
        # Size of the prefix to assign to this interface from available prefixes.
        option ip6assign '60'
        # ip6class restricts which prefix classes may be assigned to this interface.
        # NOTE(review): 'lan' is not the name of an upstream interface in this
        # file, so this presumably matches no delegated prefix - confirm.
       list ip6class lan

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'
        # Source-based routing disabled: a plain default route is installed
        # instead of a "default from <prefix>" route.
        # NOTE(review): source-address restrictions on egress then depend on
        # firewall rules, which are not shown in this post - confirm.
        option sourcefilter '0'
        # Ask upstream for an address ('try') and for a delegated prefix ('auto').
        option reqaddress 'try'
        option reqprefix 'auto'

/etc/config/dhcp:

# DHCPv4 is served locally on the LAN.
config dhcp 'lan'
        option interface 'lan'
        option dhcpv4 'server'
        option start '130'
        option limit '100'
        option leasetime '12h'

# Second section for the same 'lan' interface: router advertisements, DHCPv6
# and NDP are relayed instead of being served by this router.
# NOTE(review): in relay mode LAN hosts are addressed from the upstream link's
# prefix and are globally addressable; what can reach them from the WAN side
# then depends on the forward rules in /etc/config/firewall, which this post
# does not show - confirm wan->lan forwarding is still rejected by default.
config dhcp 'lan6'
        option interface 'lan'
        option dhcpv6 'relay'
        option ra 'relay'
        option ndp 'relay'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

# Upstream side of the relay: 'master' marks wan6 as the interface whose
# RA/DHCPv6/NDP messages are relayed to the other relay-mode interfaces.
config dhcp 'wan6'
        option interface 'wan6'
        option ignore '1'
        option dhcpv6 'relay'
        option ra 'relay'
        option ndp 'relay'
        option master 1
