IPv6 working on router but not on clients

Hi there and thanks already for anyone who wants to help.

So I just switched from dd-wrt to openwrt (OpenWrt SNAPSHOT r13342-e35e40ad82 / LuCI Master git-20.144.63033-62ed4e6) and have the following situation/problem:

• First router from my ISP (LAN: 192.168.1.1 / fe80::1)
• Second router behind first router running openwrt (LAN: 192.168.2.1 / fd25:b828:d527::1, WAN: IPv4: 192.168.1.2/24, IPv6: YYYY:YYYY:YY00:69c5:f04c:e84d:9e66:32f1/64)
• Second router can ping6 without any problems
• Clients behind second router return the following:

ping6 bbc.co.uk
PING6(56=40+8+8 bytes) fd25:b828:d527:0:15b3:e881:e037:73f7 --> 2a04:4e42::81

So I guess it's a 100% packet loss. I do not receive anything back. I already tried putting the DHCPv6 into relay mode but all I honestly do is trial and error as I don't know anything about routing, NAT, IPv6 etc. IPv4 and subnets is what I probably handle "okayish".

I already checked these threads without solving my problem:

• IPv6 not working for clients but router
• Router can use ipv6 ok, but clients in lan cannot

Also: At some point I saw three IPv6 addresses under the WAN6 interface and I thought that would head in the right direction but it's back to one now. I don't know if that helps at all.

If anyone could guide me in the right direction or at least make fun of a total noob, that would be appreciated.

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ra_management '1'
	option ra_default '1'
	option ra 'server'
	option dhcpv6 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd25:b828:d527::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.2.1'
	option force_link '0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

ifstatus wan6

{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 977,
	"l3_device": "eth1.2",
	"proto": "dhcpv6",
	"device": "eth1.2",
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		
	],
	"ipv6-address": [
		{
			"address": "YYYY:YYYY:YY00:6038:e0ff:fec9:a1c0",
			"mask": 64,
			"preferred": 172388,
			"valid": 258788
		}
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "YYYY:YYYY:YY00::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"valid": 258788,
			"source": "::/0"
		},
		{
			"target": "YYYY:YYYY:YY00::",
			"mask": 64,
			"nexthop": "fe80::1",
			"metric": 384,
			"valid": 258788,
			"source": "::/0"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::1",
			"metric": 640,
			"valid": 1388,
			"source": "YYYY:YYYY:YY00:6038:e0ff:fec9:a1c0/64"
		}
	],
	"dns-server": [
		"2606:4700:4700::1111",
		"2606:4700:4700::1001"
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			"fe80::1"
		],
		"dns-search": [
			"mediaways.net"
		],
		"neighbors": [
			
		]
	},
	"data": {
		"passthru": "0010001200000de9000c64736c666f72756d2e6f726700170010fe8000000000000000000000000000010018000f096d6564696177617973036e657400"
	}
}

/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config include 'bcp38'
	option type 'script'
	option path '/usr/lib/bcp38/run.sh'
	option family 'IPv4'
	option reload '1'

See example config for relaying:
https://openwrt.org/docs/guide-user/network/ipv6/start#router_advertisement_dhcpv6

Hi @vgaetera,
thanks for the idea.
Unfortunately I already tried the relay mode and if I do that I get the following on the clients:

ping6: UDP connect: No route to host

The clients also do not get any IPv6 addresses anymore after changing it to relay mode. Although first I tried this I simply set it via the GUI the config did not seem to completely reflect all the changes mentioned in the example config. Unfortunately after setting the config manually I still get the same "No route to host".

Edit: I found a different user with the same problem on the Linksys WRT32X which I also use: https://community.linksys.com/t5/Wireless-Routers/WRT32X-IPV6/td-p/1304324
The last post says that the problem was solved by using the modem/router in bridge mode. Unfortunately that is not possible with my ISP.

Is this impossible without a bridge mode or does this help with finding a new approach?

The real issue is your ISP is broken. Issuing you a /64 is like you need to build a wall and although they have a warehouse full of bricks, they give you only 1 brick.

basically their ipv6 is broken, so either complain, or just consider it broken imho.

Hi @dlakelan,

thanks for the analogy. I'm not really sure what the major differences between IPv4 and IPv6 are other than that there are a lot more IPv6 addresses so I assumed that getting one public IPv6 and internally generating a local subnet for IPv6 would work - like I did with IPv4.
I will need to read into IPv6 to completely understand what the problem here is but there is generally no other way to solve this with the brick I got from my ISP?

Thanks for your help.

In IPv6 the first 64 bits are network address, and then the next 64 bits are host address.

Each site should get a /56 at the minimum, this lets you set up 64-56=8 bits worth of subnets, that's 256 subnets.

Instead, ISPs give out a single /64 and it gets put on the WAN subnet, so it's just enough for the router itself to get on the network. The relay mode attempts to "fix" his but it's really just a hack, like when you order a truckload of bricks and they come with an enormous truck and give you one brick... if you went off and made your own bricks instead of complaining that they didn't provide what they said they would.

The smallest recommended prefix is /56, and if your ISP doesn't give out at least /60 it's an indication they haven't got a clue.

Thanks again for the great explanation, @dlakelan.

This sounds like it "should" work in relay mode. Not really sure why it does not work that way for me but I will simultaneously contact my ISP to see if there is anything they can/are willing to do.

Would you say it makes sense to try some different relay mode configurations or is this impossible? I don't know what else I should try but if anything speaks against it I would not waste any more time trying to fix this.

Relay mode kinda should work. I mean it's a hack but people get it to work. I'm not sure why relay mode doesn't work for you. But again, it's really just a hack. Talk to your ISP and tell them you want a /56 prefix as for example described here: https://www.ripe.net/publications/docs/ripe-690

"For example, Tony Hain calculated that assigning a /48 to every human on Earth, and never recovering those, will still mean that IPv6 would have a lifetime over the 480 years and we could repeat that several times."

and

4.2.2. /48 for business customers and /56 for residential customers

"Some operators decide to give a /48 prefix to their business customers and a /56 to their residential customers. This rationale is understood to be mainly coming from sales and marketing departments where they wish to create some distinction in services between different types of customer. This method can be considered as pragmatic, future-proof and has nearly no downsides, the same as the “/48 for everyone” approach."

Thanks again for the very detailed information, @dlakelan. So I talked to the ISP and it is not possible to get a wider range. While this is a bummer and as you mentioned not what IPv6 is meant for I am still wondering if anyone has an idea why the relay mode (which is specifically designed for my use case if I understand it correctly) might not work for me and what else I could try to make it work.

Post here the following with the dhcp6 relay enabled.
uci export network; uci export dhcp; uci export firewall

Hi @trendy,

thank your for your help in advance. Please see below:

package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'dd20:b722:1607::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.2.1'
	option ip6assign '64'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option peerdns '0'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'
	option reqprefix 'auto'
	option reqaddress 'try'
	option peerdns '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'relay'
	option ra 'relay'
	option ndp 'relay'
	option master '1'
	option ip6assign '64'

config dhcp 'wan6'
	option interface 'wan6'
	option ra 'relay'
	option ndp 'relay'
	option start '100'
	option leasetime '12h'
	option limit '150'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

uci -q delete dhcp.lan.master
uci set dhcp.wan6.master="1"
uci set dhcp.wan6.dhcpv6="relay"
uci commit dhcp
/etc/init.d/odhcpd restart
/etc/init.d/network restart

Also you probably don't want to enable dhcpv4 on wan6 interface.

Thank you, @vgaetera and @trendy.

It kind of works (now) which is amazing - thank you! I only tested it on macOS (WiFi) and it still does not work there but now I tried it on a Windows PC and it works there. So I guess the router is not the problem anymore?!

If one host managed to acquire the settings successfully, the router should not be the problem any more.

@ctrt what did you do to fix your problem?

Likely he followed the advice from vgaetera (above, the uci commands), and in DHCP config he set wan6 to be the relay master instead of lan, which he had originally wrongly set as relay master. ( and added the missing dhcpv6 relay line to wan6)

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.