Lan IPv6 IPs routed to wan? IPv6 partly broken

OpenWRT is installed on a PCEngines sort of device with 3 ethernet ports. One is used as WAN, another for a dedicated WiFi router with OpenWRT (my old router), and another for my LAN.

IPv6 works just fine on my DMZ/WiFi network, and also the router.
IPv6 doesn't work on my LAN port. After running tcpdump on both the internal interface and the WAN interface, I noticed the following key symptom.

Echo Reply packets were seen twice, "duplicated" on the router's WAN interface.

As far as I can tell, there isn't anything wrong with my configuration. I haven't gone to the more extreme step of backing the config up and re-installing the router, but that might be the next step.

# eth0 is the wan Interface
ip -6 route list | grep eth0
default from 2001:ISP via fe80::ISPRouter dev eth0  metric 512 
default from 2601:ISP::/60 via fe80::ISPRouter dev eth0  metric 512 
1:5f90:WTF dev eth0  metric 1024 
2001:ISP?::/64 dev eth0  metric 256 
2601:ISPIPv6Delegated::HostStatic dev eth0  metric 1024 
2601:ISPIPv6Delegated:PrivateRandom1 dev eth0  metric 1024 
2601:ISPIPv6Delegated:PrivateRandom2 dev eth0  metric 1024 
2601:ISPIPv6Delegated:PrivateRandom3 dev eth0  metric 1024 
2601:ISPIPv6Delegated:PrivateRandom4 dev eth0  metric 1024 
2601:ISPIPv6Delegated:PrivateRandom5 dev eth0  metric 1024 
2601:ISPIPv6Delegated:PrivateRandom6 dev eth0  metric 1024 
2601:ISPIPv6Delegated:PrivateRandom7 dev eth0  metric 1024 
2601:ISPIPv6Delegated:PrivateRandom... dev eth0  metric 1024 
2601:ISPIPv6Delegated:PrivateRandomN dev eth0  metric 1024 
e8ce:WTF::WTF dev eth0  metric 1024 
fd00:0:???1::/64 dev eth0  metric 256 
fd00:0:???2::1 dev eth0  metric 1024 
fd00:0:???2::/64 dev eth0  metric 256 
fd64:LOCAL:1::Router dev eth0  metric 1024 
fd64:LOCAL:2::Router dev eth0  metric 1024 
fd64:LOCAL:2::HostStatic dev eth0  metric 1024 
fd64:LOCAL:2:Static dev eth0  metric 1024 
fe80::/64 dev eth0 metric 256 
anycast fe80:: dev eth0  metric 0 
multicast ff00::/8 dev eth0  metric 256

Why the heck are my internal LAN IPs listed individually as direct routes on the WAN interface? They're not even part of that firewall zone.

# uci export network
package network

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'
        option ula_prefix 'fd64:LOCAL::/48'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.240.0'
        option ipaddr 'LOCAL2.1'
        option ip6ifaceid '::1'
        option ip6hint '2'
        option ip6assign '64'
        option device 'eth2'
        list dns '2001:4860:4860::8844'
        list dns '2001:4860:4860::8888'
        list dns_search 'lan'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0'
        option peerdns '0'
        list dns '2001:4860:4860::8888'
        list dns '2001:4860:4860::8844'

config interface 'wan6'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix '60'
        option device 'eth0'
        option peerdns '0'
        list dns '2001:4860:4860::8888'
        list dns '2001:4860:4860::8844'
        list dns_search 'lan'

config interface 'wifi'
        option proto 'static'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        option ip6ifaceid '::1'
        option ip6assign '64'
        option macaddr 'MAC'
        option netmask '255.255.255.0'
        option ipaddr 'LOCAL1.1'
        option ip6hint '1'
        option device 'eth1'

config interface 'wg'
        option proto 'wireguard'
        option private_key 'REDACTED'
        option listen_port 'REDACTED'
        list addresses 'REDACTED'
        list addresses 'REDACTED'
        option delegate '0'

config wireguard_wg
        option public_key 'REDACTED'
        option description 'REDACTED'
        option preshared_key 'REDACTED'
        option persistent_keepalive '25'
        list allowed_ips 'fd64:local/128'
        list allowed_ips 'local/32'

config interface 'TetherWAN'
        option proto 'dhcp'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        option peerdns '0'
        option device 'usb0'

config interface 'wwan_xfinity'
        option proto 'dhcp'

config interface 'WWAN_XFINITY6'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix '60'
        option device 'wlan0'

config route
        option interface 'wan'
        option target '192.168.100.0/24'
# uci export dhcp

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option nonegcache '1'
        option nonwildcard '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option dhcpv6 'server'
        option ra_management '1'
        option leasetime '1h'
        option limit '3995'
        option ra 'server'
        option preferred_lifetime '30m'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ndp 'relay'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option ndp 'relay'
        option ra_useleasetime '1'
        option ra 'relay'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'wifi'
        option start '100'
        option limit '150'
        option interface 'wifi'
        option leasetime '30m'
        option dhcpv6 'server'
        option ra_management '1'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ndp 'relay'

# Various hosts, nothing obviously wrong here, macaddr, IPs, hostIDs, and duids.

config dhcp 'wan6'
        option interface 'wan6'
        option ignore '1'
        option master '1'
        option ra 'relay'
        option ndp 'relay'

The /128 routes result from using relay mode. Do not use relay mode when you have a /60 prefix. Each LAN-like interface should have a different /64 taken out of the same /60.

PPPP:PPPP:PPPP:PPP0::1/64
PPPP:PPPP:PPPP:PPP1::1/64

The P bits are the 60 bits of your prefix from the ISP. The 0 and 1 are assigned by OpenWrt as interfaces are brought up. These could be any two different four-bit numbers, from 0 through F. The ip6hint setting is used to get a consistent assignment per interface instead of the default random/racing process.

Then the routing table would contain:
PPPP:PPPP:PPPP:PPP0::/64 via eth1
PPPP:PPPP:PPPP:PPP1::/64 via eth2

Again, it is relay mode that packs the routing table with individual host routes every time a host joins. This will not happen if you use regular delegation.

Within the /64 on each LAN, the endpoints will take unique IPs by either DHCPv6 or SLAAC. Of course, when only a /64 is routed to a LAN interface, it's not possible to delegate and route it further to a downstream router. Any interfaces that have routers downstream should get a larger chunk of the prefix.


Thank you, disabling NDP proxy on all interfaces (the `option ndp 'relay'` settings in the dhcp config above) fixed the issue.

It would really be great if there were better documentation on the wiki and in the LuCI explanations (at least tying each setting back to the config value to look up on the wiki).

I thought that was something about relaying routing announcements and enabled it while trying to fix a different issue.
