IPv6 works on the router but doesn't work on LAN devices

My network looks like this: ISP - modem - Openwrt router - LAN devices

Before I switched to OpenWrt, I used a TP-Link router which has an IPv6 passthrough mode. It worked flawlessly. After switching to OpenWrt I can't use IPv6. I tried many things to make it work. I've set relay mode on WAN6 and LAN. After doing that, my devices get IPv6 addresses but I can't use them. Using tcpdump, I noticed that ICMPv6 pings reach google.com and Google replies to my ping requests, but the replies do not reach my LAN devices. If I ping the IPv6 address of the router from a device, then IPv6 works on that device. That device gets added to the 'IPv6 Neighbours' list. IPv6 only works if the LAN device is in the 'IPv6 Neighbours' list. There is a problem with Neighbour Discovery.

Running ip neigh on the router shows that many LAN IPv6 addresses are not reachable. IPv6 addresses with 'br-lan' are reachable but those with 'wan' are not reachable.

The router gets a /64 IPv6 prefix, so I can't subnet it further. Is there any solution to this?

My configs for dhcp and network:

cat /etc/config/dhcp

# dnsmasq handles DNS and DHCPv4. rebind_protection '1' blocks upstream
# answers that point at private ranges, and localservice '1' limits DNS
# service to local subnets (both are protective defaults worth keeping).
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

# lan: DHCPv4 is served locally; RA, DHCPv6 and NDP are all in relay mode,
# i.e. they are forwarded from the 'wan6' master section below rather than
# generated from a local prefix.
# NOTE(review): ndproxy_slave is an odhcpd relay option; confirm its exact
# effect against the odhcpd documentation for this build before relying on it.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ra 'relay'
	option dhcpv6 'relay'
	option ndp 'relay'
	option ndproxy_slave '1'

# wan (IPv4): no DHCP/RA service is offered on the upstream interface.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# odhcpd: maindhcp '0' leaves DHCPv4 to dnsmasq; odhcpd only handles the
# IPv6 side (the relay sections above and below). loglevel '4' keeps
# relay activity visible in the system log for troubleshooting.
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# wan6: master '1' marks this as the upstream side of the relay; RA, DHCPv6
# and NDP seen here are relayed towards the 'lan' section above.
config dhcp 'wan6'
	option interface 'wan6'
	option master '1'
	option ra 'relay'
	option dhcpv6 'relay'
	option ndp 'relay'

cat /etc/config/network

# loopback: stock lo configuration.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# globals: the ULA prefix is redacted in this post ('fda8.../48').
config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fda8.../48'

# br-lan bridges the four physical LAN ports.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# lan: static IPv4 only; no ip6assign, so no locally assigned IPv6 prefix.
# NOTE(review): delegate '0' is set here as well as on wan/wan6; its effect
# on a downstream interface should be confirmed against the OpenWrt
# interface documentation.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.0.1'
	option delegate '0'

# wan: DHCPv4 on the physical 'wan' device.
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option delegate '0'

# wan6: DHCPv6 on the same physical 'wan' device. reqprefix '64' asks the
# ISP for a /64 delegation and reqaddress 'try' requests an address without
# failing if none is given. delegate '0' disables downstream delegation of
# any received prefix, so a delegated /64 would not be handed to lan.
# NOTE(review): sourcefilter '0' disables source filtering on this
# interface; confirm this is intended rather than left over from testing.
config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqprefix '64'
	option reqaddress 'try'
	option sourcefilter '0'
	option delegate '0'

My ISP is also giving me a /64 prefix; my config looks similar to yours.

What I am wondering about is your

option ndproxy_slave '1'

in the DHCP - LAN section; I don't have that one.

In the WAN6 interface I also don't have the following 2 lines:

option sourcefilter '0'
option delegate '0'

And also, are there any firewall rules?

I removed those lines, but it still doesn't work. I think there is a routing problem between the WAN and LAN interfaces. ICMPv6 reply packets are not reaching the LAN devices from the WAN interface.

Here's my firewall config:

cat /etc/config/firewall 

# Zone-wide defaults: forwarding between zones is rejected unless a zone or
# a 'forwarding' section allows it. input 'ACCEPT' here only applies to
# zones that do not override it (the wan zone below does).
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# lan zone: fully open in all directions for the 'lan' network.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# wan zone covers both the IPv4 'wan' and IPv6 'wan6' networks. Unsolicited
# input and forwarding from wan are rejected; only the explicit rules below
# open holes. masq '1' enables IPv4 masquerading (IPv6 masquerading is a
# separate option and is not set here). mtu_fix '1' clamps TCP MSS.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Only lan -> wan forwarding is allowed; there is no wan -> lan forwarding
# section, so inbound traffic to LAN hosts depends on connection tracking
# and the explicit wan -> lan rules further down.
config forwarding
	option src 'lan'
	option dest 'wan'

# The rules below are the stock OpenWrt defaults.
# IPv4: allow DHCP renewals from the upstream server to the router itself.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# IPv4: the router answers ping from wan.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# IPv6: DHCPv6 client replies to the router (UDP 546).
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# IPv6: MLD messages, accepted only from link-local sources.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# IPv6 ICMP to the router itself, including the RS/RA/NS/NA types that
# Neighbour Discovery and the NDP relay depend on; rate-limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# IPv6 ICMP forwarded from wan to any zone (dest '*'), so echo and error
# messages can reach LAN hosts; rate-limited to 1000/sec. The ND types are
# deliberately absent here (they are link-local and not forwarded).
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# IPsec pass-through from wan to lan (ESP and IKE on UDP 500), both
# families. These are stock defaults; disable them if no LAN host
# terminates IPsec, to keep the wan -> lan surface minimal.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

You are specifically asking for a /64 PD in the above reqprefix. Change that to 56, and maybe also add option ip6assign 56 to the lan interface, then restart your network. If your ISP is cooperative, you should end up with working IPv6 delegation for all of the capable devices on your LAN.


Some ISPs will only provide a /64 unless you pay more (at least the one I am using is this type).

Wow, that sucks. Plus they're biting off their own tail by making it harder to adopt something that will save them money in the long term (IPv4 address prices are skyrocketing, while IPv6 ranges are basically free). I guess it's impossible to underestimate the stupidity of ISPs...

If the ISP only offers a single /64, don't request a prefix at all, and use RA and NDP in relay mode. Your LAN clients will SLAAC their addresses within the same /64, so they do have a unique public IP and a non-NAT connection to the Internet. The LAN interface itself will not hold a public IPv6 address — it doesn't need to; only the WAN does.


They don't care; in my country some ISPs use MAP-E, which shares a single IPv4 address among customers for 4-to-6, and they provide their own routers — that's it! That's why I've spent so much time figuring out how to build my own router with OpenWrt (nothing else works; pfSense/OPNsense/RouterOS do not work).
