ISP IPv6 on guest network

I followed the wiki guide to create a guest wifi and it works as it should but the clients only get IPv6 addresses from the router. On my LAN clients, they also get IPv6 from my ISP

Here's my network currently:

And here's the contents of my /etc/config/network:


# Loopback: 127.0.0.1/8 on device lo.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        # ULA prefix (inside fd00::/8). Addresses from it are only locally
        # routable; presumably these are the "IPv6 addresses from the router"
        # that guest clients were still getting.
        option ula_prefix 'fd54:8b9a:84db::/48'
        option packet_steering '2'
        option steering_flows '128'

# LAN bridge over switch ports lan1-lan3 (lan4 is used by br-guest below).
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        # Asks for a /56 out of the delegated prefix. The poster later states
        # the ISP delegates a /60, and the change that gave both networks a
        # public prefix was ip6assign 64 on lan and on guest.
        option ip6assign '56'
        # Resolver entries point at the router itself (0::1 is ::1); the
        # poster says these come from the stubby guide.
        list dns '127.0.0.1'
        list dns '0::1'
        option dns_metric '20'

# IPv4 uplink via DHCP. peerdns 0 ignores the DNS servers offered by the
# ISP and uses the two listed resolvers instead.
config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option dns_metric '50'

# IPv6 uplink via DHCPv6 on the same device as wan.
config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        # Try for a WAN address, and let the ISP choose the length of the
        # delegated prefix (the thread reports a /60).
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'
        option dns_metric '55'
        # Do not send a DHCPv6 RELEASE when the interface goes down.
        option norelease '1'

# MAC address override on the wan device (value redacted by the poster).
config device
        option name 'wan'
        option macaddr '[redacted]'

# Static alias on top of wan ('@wan') in 192.168.100.0/24.
# NOTE(review): presumably for reaching the modem's management address.
# 'modem' is not listed in any zone of the firewall config posted further
# down - confirm which policy its traffic actually receives.
config interface 'modem'
        option proto 'static'
        option device '@wan'
        option ipaddr '192.168.100.2'
        option netmask '255.255.255.0'

# Guest network: its own IPv4 subnet (192.168.2.0/24) on bridge br-guest.
config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        list dns '127.0.0.1'
        list dns '0::1'
        option dns_metric '20'
        # NOTE(review): per the thread the ISP delegates a /60, so asking for
        # a /60 here would take the entire delegation. That is consistent
        # with the poster seeing only one of lan/guest receive a public
        # prefix; the thread settles on 64 for both interfaces.
        option ip6assign '60'

# Guest bridge. Only wired port lan4 is a member here; the wireless side of
# the guest network is not part of this file.
config device
        option type 'bridge'
        option name 'br-guest'
        list ports 'lan4'
        option mtu '1500'
        option macaddr '[redacted]'

The way it's set up, the guest device should also get an IPv6 from my ISP right? Like the LAN device does.

Here's my router:

{
        "kernel": "6.6.86",
        "hostname": "CharlieNet",
        "system": "ARMv8 Processor rev 4",
        "model": "Belkin RT3200 (UBI)",
        "board_name": "linksys,e8450-ubi",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.1",
                "revision": "r28597-0425664679",
                "target": "mediatek/mt7622",
                "description": "OpenWrt 24.10.1 r28597-0425664679",
                "builddate": "1744562312"
        }
}

I've noticed that if I change the IPv6 Assignment Length on my LAN device to disabled, 60 or 64, then the guest device gets the IPv6 from my ISP but the LAN device doesn't. Setting it at 56 gets the IPv6 back to the LAN device.

Thanks in advance, I'd really appreciate the help.

EDIT: here's my firewall config if needed:


# Global fallback policies and features.
# NOTE(review): input ACCEPT means traffic addressed to the router that does
# not fall into any zone is accepted. Unless ACCEPT is needed for a specific
# reason, REJECT is the safer fallback - confirm.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        # Software and hardware flow offloading are both enabled.
        option flow_offloading '1'
        option flow_offloading_hw '1'

# Trusted zone: everything from lan to the router and between lan
# interfaces is accepted.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# Uplink zone covering wan and wan6: unsolicited input and forwarding are
# rejected, IPv4 is masqueraded (masq) and TCP MSS is clamped (mtu_fix).
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

# lan clients may initiate connections towards wan.
config forwarding
        option src 'lan'
        option dest 'wan'

# Input rule: DHCPv4 replies/renewals (UDP 68) from wan to the router.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# Input rule: IPv4 echo-request to the router from every zone (src '*').
config rule
        option name 'Allow-Ping'
        option src '*'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'

# Input rule: IPv4 IGMP from wan.
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# Input rule: DHCPv6 replies (UDP 546) from wan. The DHCPv6 client on wan6
# needs these to obtain its address and the delegated prefix.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Input rule: MLD (ICMPv6 types 130, 131, 132, 143) from wan, restricted to
# link-local sources (fe80::/10).
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# Input rule: the listed ICMPv6 types to the router from every zone
# (src '*'), rate-limited to 1000/sec. It includes neighbour and router
# discovery, so it also covers zones whose input policy is REJECT.
config rule
        option name 'Allow-ICMPv6-Input'
        option src '*'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'packet-too-big'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'

# Forward rule: the listed ICMPv6 types from wan to any zone (dest '*'),
# rate-limited. Because echo-request is included, hosts holding a global
# address in any zone behind the router can be pinged from the internet.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forward rule: IPsec ESP from wan to lan.
# NOTE(review): no 'family' option, so presumably not limited to IPv4. With
# global IPv6 addresses on lan hosts this admits unsolicited ESP from the
# internet; disable it if no IPsec endpoint sits behind the router - confirm.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

# Forward rule: IKE (UDP 500) from wan to lan. The review note on
# Allow-IPSec-ESP applies here as well.
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Guest zone. input REJECT: guest clients reach router services only where a
# rule below allows it. forward REJECT: guest traffic is forwarded only
# where a 'forwarding' section allows it.
config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'
        # IPv6 masquerading (NAT66) for traffic leaving through this zone.
        # NOTE(review): once guest has its own routed /64 from the delegated
        # prefix (where the thread ends up), NAT66 is presumably unnecessary -
        # confirm and remove if so.
        option masq6 '1'

# The only forwarding out of guest is towards wan. There is no guest -> lan
# forwarding in this listing, which is what keeps guests away from lan hosts.
config forwarding
        option src 'guest'
        option dest 'wan'

# Input rule: DNS (port 53) from guest to the router. No 'proto' is given;
# presumably the firewall default of TCP and UDP applies - confirm.
config rule
        option name 'Guest DNS'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

# Input rule: DHCPv4 requests (UDP 67) from guest to the router.
config rule
        option name 'Guest DHCP'
        list proto 'udp'
        option src 'guest'
        option dest_port '67'
        option target 'ACCEPT'
        option family 'ipv4'

# Input rule: DHCPv6 requests from guest clients (UDP source port 546 to
# destination port 547) to the router. Needed when the router serves
# DHCPv6 on guest, because the zone's input policy is REJECT.
config rule
        option src 'guest'
        option name 'Allow-DHCPv6-Guest'
        option family 'ipv6'
        list proto 'udp'
        option dest_port '547'
        option target 'ACCEPT'
        option src_port '546'

# Input rule: neighbour and router discovery from guest.
# NOTE(review): the same four ICMPv6 types are already accepted from every
# zone by 'Allow-ICMPv6-Input' (src '*') earlier in this file, so this rule
# looks redundant while that one is present - confirm.
config rule
        option src 'guest'
        option name 'Guest-SLAAC'
        option family 'ipv6'
        list proto 'icmp'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        option target 'ACCEPT'

Change the IPv6 assignment length to be 64. There should be enough /64s in the /60 your ISP delegates to you for all your local interfaces.


64 where? The LAN interface? or the guest? I have to set my lan to 56 because otherwise, the guest interface will get the IPv6 and not the LAN.

EDIT: It works! I set the assignment length to 64 for BOTH guest and LAN interfaces and now I get the ISP IPv6 address on both!

You request on wan a delegated prefix.
You can request a specific size. Some ISP need that.

The default downstream config on lan enables you to set 3 additional routers in the lan network but if you have only end devices you need only a single 64. Same goes for the guest network.


Can you elaborate more? I only modified the WAN6 interface to set the Cloudflare's DNS. Other than that, it assigns the IPv6 automatically.

I'm not that great with IPv6 and its suffixes.

Sure.
With IPv6 and an ISP which operates with the so called Best Current Practice, and also with certain recommendations yadda yadda...
The customer needs only an IPv6 SLAAC address on wan, and sometimes you also get an address via DHCPv6 for the wan interface.
In addition, with DHCPv6, you request a delegated prefix.
With a /60 you can address up to 16 local networks. 16? Because 2^4.
With a /56 you can address up to 256 local networks.

On OpenWrt you can use the network option ip6hint to address a local network with a stable network id which is used to form a prefix for the local interface.

You should now have some keywords to throw at the wiki and forum, and if you have follow-up questions then shoot...


Let's take from the previous example that we have a /56 DP (delegated prefix), which is given to the CPE (Customer Premise Endpoint, or the like; it depends on who you ask...) by the ISP by default via DHCPv6 PD.
With the current OpenWrt default config you get exactly that.

Let's use: 2001:db8:8000:FF00::/56

On the lan interface, there is now (by default) ip6assign 60.
Let's also assume the default of lan is the "first" network, and gets by chance ip6hint 0 every time, because it comes "before" wan...

Therefore, the lan interface would get 2001:db8:8000:FF00::1/64, and the "range" / prefix 2001:db8:8000:FF00::/60 is "reserved".

If now a device on the LAN (and lan on the OpenWrt) does request a Prefix (this router does not need to request an address via DHCPv6(!!!!1)) then the OpenWrt can hand out the prefixes

  • 2001:db8:8000:FF01::1/64,
  • 2001:db8:8000:FF02::1/64,
  • 2001:db8:8000:FF03::1/64.

I don't think my issue is solved.

Although I do get IPv6 on both LAN and Guest networks, I do have some problems browsing on my LAN network. Sometimes many sites don't load at all, other times I have to reload the pages. Removing the IPv6 assignment length on the GUEST network solved the issue on my LAN.

I followed the IPv6 Troubleshooting on the Wiki.

Maybe it's because I have DoT with stubby? or maybe the NDP Proxy as Relay (on both networks) as stated on the Wiki??

My end goal is to have both IPv4 and IPv6 on both my LAN and GUEST networks and keep DoT with Stubby.

Thanks again. I'm learning a lot of IPv6. It seems more complicated than IPv4.

EDIT: although the site test-ipv6.com says I have an IPv4 and IPv6 addresses, the site ipv6-test.com says I do not have IPv4, only v6, other times that site doesn't even load at all. Maybe that's the problem on many sites I visit?

EDIT2: The wiki page tells you to set NDP-Proxy to relay. I thought it was on the LAN network, but I think it meant on the wan6 interface. Although I had to set up a DHCP server (even checking to ignore it) to see the NDP-Proxy setting.

Do not use relay or NDP proxy when you have a real ISP with a prefix split into independent networks. Relay is for situations (especially LTE) where the ISP only provides a single /64.

My ISP gives me a /60 address, and I set /64 for my LAN and GUEST networks.

So NDP-Proxy is not needed at all?

What about the assignment hint? the wiki is not clear about it. What should I put in WAN and GUEST networks?

Correct, NDP proxy is not needed since all your networks are independent subnets (wan, lan, and guest). Devices on each network are free to use any IP within their /64 which does not conflict with other actual neighbors (local NDP is still in effect), but there is no need to proxy a check for duplicate addresses to other networks-- they can't be duplicate since the prefix is different.

The hint is entirely optional. It is used to make a definite selection of particular /64 on each lan. For example if you use hint 2 for guest, guest IPs would always be of the form XXXX:XXXX:XXXX:XXX2:XXXX:XXXX:XXXX:XXXX instead of a random assignment of the four bits that you have control over when making a /64 out of a /60. This can be useful to make special firewall rules but it isn't important in regular use.


Actually it's a lot simpler. But that's because most people don't realize how much duct tape holds ipv4 together.
Yes, IPv6 has a lot of topics, but at the end of the day most networks use just a fraction of that, so the net result is that IPv6 is easier and cleaner. Especially in large networks!
However, take your time and don't rush through the topic.
Lurking on r/IPv6 is most of time pretty useful and the address planning book is also good to help you to get rid of ipv4 thinking.

And no, please, no no no: if there is no explicit need (because your network is broken), do not ever use NDP proxy. If your ISP gives you more than a single network, use the delegated prefix.


Yeah, but something's not right still. After a couple of hours with everything working right. I got no IPv6 connectivity although the LAN and GUEST interfaces have GUA and my devices on LAN has GUA, too.

Here's my network config:


# Loopback: 127.0.0.1/8 on device lo.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# Unlike the first listing in the thread, no ula_prefix is set here.
config globals 'globals'
        option packet_steering '2'
        option steering_flows '128'

# LAN bridge over switch ports lan1-lan3.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        # Resolver entries point at the router itself (0::1 is ::1).
        list dns '127.0.0.1'
        list dns '0::1'
        option dns_metric '20'
        # One /64 from the delegated prefix. Per the explanation given in the
        # thread, the hint pins which /64 of the /60 this interface receives.
        option ip6assign '64'
        option ip6hint '0'
        # A reply in the thread advises removing 'delegate 0' from all
        # interfaces.
        option delegate '0'

# IPv4 uplink via DHCP; ISP-provided DNS is ignored (peerdns 0) in favour of
# the two listed resolvers.
config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option dns_metric '50'
        # A reply in the thread advises removing 'delegate 0' from all
        # interfaces.
        option delegate '0'

# IPv6 uplink via DHCPv6 on the same device as wan.
config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        # Explicitly request a /60 (the first listing in the thread used
        # 'auto'); the poster reports that the ISP hands out a /60.
        option reqprefix '60'
        option peerdns '0'
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'
        option dns_metric '55'
        # Do not send a DHCPv6 RELEASE when the interface goes down.
        option norelease '1'

# MAC address override on the wan device (value redacted by the poster).
config device
        option name 'wan'
        option macaddr '[REDACTED]'

# Static alias on top of wan ('@wan') in 192.168.100.0/24.
# NOTE(review): presumably for reaching the modem's management address
# (the DHCP config names modem.lan as 192.168.100.1). 'modem' is not listed
# in any firewall zone shown in the thread - confirm which policy applies.
config interface 'modem'
        option proto 'static'
        option device '@wan'
        option ipaddr '192.168.100.2'
        option netmask '255.255.255.0'

# Guest network: its own IPv4 subnet (192.168.2.0/24) on bridge br-guest.
config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        list dns '127.0.0.1'
        list dns '0::1'
        option dns_metric '20'
        # A reply in the thread advises removing 'delegate 0' from all
        # interfaces.
        option delegate '0'
        # One /64 from the delegated prefix, with a different hint than lan so
        # the guest prefix is stable and distinct. A stable guest prefix is
        # what makes prefix-based firewall rules for guests practical.
        option ip6assign '64'
        option ip6hint '1'

# Guest bridge. Only wired port lan4 is a member here; the wireless side of
# the guest network is not part of this file.
config device
        option type 'bridge'
        option name 'br-guest'
        list ports 'lan4'
        option mtu '1500'
        option macaddr '[REDACTED]'

My DHCP config:


# dnsmasq: local DNS forwarder and DHCPv4 server.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # DNS rebinding protection: upstream answers that point into private
        # address space are discarded. rebind_localhost additionally lets
        # 127.0.0.0/8 answers through.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        # Only answer DNS queries that come from directly attached subnets.
        option localservice '1'
        option ednspacket_max '1232'
        # All upstream queries go to a resolver on the router itself, port
        # 5453, over both loopback addresses (presumably stubby, which the
        # poster uses for DNS-over-TLS). noresolv stops dnsmasq from also
        # using the servers in resolv.conf, so nothing bypasses that
        # resolver.
        list server '127.0.0.1#5453'
        list server '0::1#5453'
        option noresolv '1'
        option strictorder '1'

# lan: DHCPv4 pool starting at offset 100 with 150 addresses, 12h leases;
# router advertisements and DHCPv6 are both served. The ra_flags set the
# managed-config and other-config flags in the advertisements.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# No DHCP service is offered on the wan side.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

# odhcpd handles RA/DHCPv6. maindhcp 0 leaves DHCPv4 to dnsmasq.
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Local DNS names served by dnsmasq.
# NOTE(review): the firewall posted in the thread lets the guest zone query
# DNS on the router, so guest clients can presumably resolve these internal
# names too - confirm whether that exposure is acceptable.
config domain
        option name 'modem.lan'
        option ip '192.168.100.1'

config domain
        option name 'charlienetplus.lan'
        option ip '192.168.1.2'

config domain
        option name 'charlienet.lan'
        option ip '192.168.1.1'

# Static DHCPv4 lease (MAC redacted by the poster).
config host
        option name 'Charlie-Laptop'
        option ip '192.168.1.234'
        list mac '[REDACTED]'

# guest: pool starting at offset 100 with 150 addresses, 6h leases; RA and
# DHCPv6 are served. Unlike 'lan' there is no explicit dhcpv4 option here.
# NOTE(review): the guest firewall zone rejects input by default, and the
# firewall listing posted with this config has no rule accepting DHCPv6
# (UDP 547) from guest, so the DHCPv6 server enabled here is presumably
# unreachable for guest clients - confirm.
config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '6h'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option dhcpv6 'server'

# Static DHCPv4 lease (MAC redacted by the poster).
config host
        option name 'RE330'
        option ip '192.168.1.129'
        list mac '[REDACTED]'

config domain
        option name 'openwrt.lan'
        option ip '192.168.1.1'

And my firewall config:


# Global fallback policies and features.
# NOTE(review): with input ACCEPT, traffic addressed to the router that is
# not matched by any zone is accepted. REJECT is the safer fallback unless
# ACCEPT is required for a specific reason - confirm.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        # Software and hardware flow offloading are both enabled.
        option flow_offloading '1'
        option flow_offloading_hw '1'

# Trusted zone: input, output and intra-zone forwarding all accepted.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# Uplink zone (wan and wan6): unsolicited input and forwarding rejected,
# IPv4 masqueraded (masq), TCP MSS clamped (mtu_fix).
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

# lan clients may initiate connections towards wan.
config forwarding
        option src 'lan'
        option dest 'wan'

# Input rule: DHCPv4 replies/renewals (UDP 68) from wan to the router.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# Input rule: IPv4 echo-request to the router from every zone (src '*').
config rule
        option name 'Allow-Ping'
        option src '*'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'

# Input rule: IPv4 IGMP from wan.
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# Input rule: DHCPv6 replies (UDP 546) from wan. Without it the wan6 client
# cannot receive or renew its address and delegated prefix.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Input rule: MLD (ICMPv6 types 130, 131, 132, 143) from wan, link-local
# sources only (fe80::/10).
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# Input rule: the listed ICMPv6 types to the router from every zone
# (src '*'), rate-limited to 1000/sec. Neighbour and router discovery are
# included, so zones with input REJECT (wan, guest) still get them through.
config rule
        option name 'Allow-ICMPv6-Input'
        option src '*'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'packet-too-big'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'

# Forward rule: the listed ICMPv6 types from wan to any zone (dest '*'),
# rate-limited. echo-request is included, so hosts with a global address on
# lan or guest answer pings from the internet.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forward rule: IPsec ESP from wan to lan.
# NOTE(review): there is no 'family' option, so presumably IPv6 is covered
# too. Now that lan hosts hold global addresses, this lets unsolicited ESP
# from the internet reach them; disable it if nothing on lan terminates
# IPsec - confirm.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

# Forward rule: IKE (UDP 500) from wan to lan. The review note on
# Allow-IPSec-ESP applies here as well.
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Guest zone. input REJECT: guest clients reach router services only where a
# rule below allows it. forward REJECT: guest traffic is forwarded only
# where a 'forwarding' section allows it.
config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'
        # IPv6 masquerading (NAT66) for traffic leaving through this zone.
        # NOTE(review): guest now gets its own /64 from the delegated prefix
        # (ip6assign 64 in the network config), so NAT66 is presumably no
        # longer needed - confirm and remove if so.
        option masq6 '1'

# The only forwarding out of guest is towards wan; with no guest -> lan
# forwarding, guests stay isolated from lan hosts.
config forwarding
        option src 'guest'
        option dest 'wan'

# Input rule: DNS (port 53) from guest to the router. No 'proto' is given;
# presumably the firewall default of TCP and UDP applies - confirm.
config rule
        option name 'Guest DNS'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

# Input rule: DHCPv4 requests (UDP 67) from guest to the router.
config rule
        option name 'Guest DHCP'
        list proto 'udp'
        option src 'guest'
        option dest_port '67'
        option target 'ACCEPT'
        option family 'ipv4'
# NOTE(review): the earlier firewall listing in the thread also had
# 'Allow-DHCPv6-Guest' (UDP 546 -> 547) and 'Guest-SLAAC' rules; neither
# appears here. Router/neighbour discovery from guest is still accepted by
# 'Allow-ICMPv6-Input' (src '*'), but nothing in this listing accepts
# DHCPv6 from guest while the DHCP config enables a DHCPv6 server there -
# confirm whether the rule was removed or the paste is incomplete.

I don't know what I'm doing wrong, but it was working just fine and I could ping websites with ipv6 and now test-ipv6.com says I don't have IPv6.

Thanks in advance again.

EDIT: I had to issue service network restart and got IPv6 again (new address from my ISP). It could be my ISP's fault in this case?

Remove "delegate 0" from all interfaces.
Also the nameserver setting in network looks wrong (0::1)

Your clients get the router IP automatically for nameserver, and if you want to use the nameserver from your ISP then do not set anything on wan.

Sometimes clients need a reset on the connection...

You mean the DNS? The stubby guide tells to add 127.0.0.1 and 0::1 as lists of DNS in the LAN interface (I also added it to the GUEST interface).

Already deleted the delegate 0 from everywhere.

If ISP changes your prefix then the LAN devices will have wrong prefix until they renew or have their network restarted. So next time it fails, check if the prefix matches and if the router itself can ping out IPv6.

Also you'll want to do some troubleshooting to see if it is a DNS problem or a general routing to the Internet problem. Try to ping well known IP6 sites by number such as Google 2001:4860:4860::8888.

:person_facepalming:

Forget about my complaints about 0::1... 0::1 == ::1.

Any continuous run of zeros can be abbreviated with ::...
