Just can't routing from separate network to IPv6 /64 from ISP

Installing and Using OpenWrt
1

Hi,

I just can't get IPv6 working on a LAN segment managed by OpenWRT :frowning:

My ISP supplied modem has it's own /56 subnet and does PD of a /64 to my OpenWRT router.

I want to have a separate network downstream (let's call this LAN) of the OpenWRT router that uses the /64 supplied, plus IPv4 which has to use NAT of course.

IPv4 works easily.

For IPv6, I have OpenWRT operating in IPv6 server mode and it correctly sends RA messages on LAN and devices there get an IPv6 address from the delegated /64. Clients on this network setup a default route to the fe80:... address of the downstream OpenWRT router but I simply cannot get the OpenWRT router to pass packets from this network to the ISP's router.

Traffic can pass directly from the router to the upstream network though (ie. ping ipv6.google.com works fine from the router).

For IPv4 there is a firewall rule allowing LAN -> WAN traffic with masquerading. I have tried limiting this to IPv4 and setting up separate firewall rules just for IPv6 traffic between those zones but that didn't work.

Trying to use IPv6 (ie. ping ipv6.google.com) from LAN one gets 'Destination unreachable: Port unreachable' from the OpenWRT router - the address is it's :1 from the delegated /64 subnet.

The only clue I see is in the docs...

... there is that somewhat cryptic section at the bottom about "Routing Management"

I tried adding routes to/from LAN/WAN in IPv6 Routing Rules but that didn't help either.

Any ideas what I'm doing wrong? Is this a problem with routes? Or firewall? Or maybe both?

Thanks in advance,

Robin

2

For standards-compliant conventional v6 routing, the router's wan interface must hold an IP outside the delegated lan subnet(s). This GUA will be used when the router itself originates a connection such as NTP or forwarded DNS. Some ISPs issue another /64 for that, and some give each customer's router a /128 with all customers likely in the same /64.

If your ISP does not support that, and you only have exactly a single /64 routed to you, use relay mode. But try to reconfigure the ISP box so you have a larger prefix. If you had a /60 you could use one /64 out of it for wan and the other 15 potential /64s for lans.

1 Like
3

if you share

ifstatus wan6

We can see if you have a Prefix delegated, if not the relay option from @mk24 is your only option

1 Like
4

Not sure that is the issue as:

wan6 has:

IPv6: xxxx:xxxx:xxxx:500:724f:57ff:fe10:615/64
IPv6-PD: xxxx:xxxx:xxxx:5e1::/64

The IPv6 is SLAAC and was generated by OpenWRT and is outside the delegated /64.

LAN has:

IPv6: xxxx:xxxx:xxxx:5e1::1/64
IPv6: fd84:yyyy:yyyy:5000::1/64

The first address on this LAN interface is within the delegated /64.

I gave the hint 5000 which is where that comes from on the fd84...

Robin

5

That shows this:

...
	"ipv6-prefix": [
		{
			"address": "xxxx:xxxx:xxxx:5e1::",
			"mask": 64,
			"preferred": 517,
			"valid": 86317,
			"class": "wan6",
			"assigned": {
				"lan_ab": {
					"address": "xxxx:xxxx:xxxx:5e1::",
					"mask": 64
				}
			}
		}
	],
...
6

This all looks good. I see that the lan is not named 'lan' so make sure you have built everything else (network, firewall, DHCP) out with consistent naming.

There is only one possible assignment out of a /64, so a hint does nothing. The ULAs are not doing anything here (OS's do not consider a ULA an IPv6 Internet connection) so you can remove the ula_prefix to reduce clutter.

1 Like
7

Thanks for the input.

I guess the question is: do I need do to anything with firewall or routing rules to make IPv6 work or should it work by default?

As I said, IPv4 is working between the 2 interfaces/zones with the single standard NAT rule.

8

It will work by default because the default config forwarding from lan to wan also includes IPv6, and wan6 is in the wan zone.

9

Hmmmmmmm.

Maybe I should mention that this is an old device that has several zones. It has two other WAN interfaces:

  • One is used for backup when our landline is broken (I plug a cellular device into a USB port) so that is currently inactive.

  • A second WAN is an always active VPN that I route a completely different internal network through via policy routing.

The LAN interface in question has a different name because I created it manually. So if there's some setting that might not have been set on this because of that maybe that's the issue?

Or maybe policy based routing is causing a problem even though the only rule I have set for that is between the other internal network and external VPN (that is IPv4 only though).