N00b struggling with ipv6

I have a TP-Link TL-WR1043N/ND v4 and have been very satisfied with OpenWRT on it. My ISP supports IPv6, online tests report I can use IPv6, and I can view IPv6 websites. So IPv6 is working.
I have a server (an old PowerPC based PowerMac running Fedora PPC64) that's pretty much just used for bittorrent and storage. IPv6 works fine as I'm able to reach services on it using an IPv6 address within my LAN. Same with my laptop also running Fedora.
My goal is to have my bittorrent client connectable from IPv6, it works fine with IPv4 and opening the relevant port.

OpenWRT shows two interfaces - WAN and WAN6. Both have different IPv4 and IPv6 numbers, with WAN6 showing my actual public IPv4 address. I don't know what the IPv4 number in WAN is about. Both have a different fe80 IPv6 address each while the public IPv6 address is a 2406 for the router itself.
I also have two DHCPv6 client interfaces, WAN6_6 and WAN6. WAN6 appears to have the public facing IPv6 address of the router.
The LAN interface has one IPv4 address, three IPv6 - fe80 and two 2406 addresses (one a piece for WAN6_6 and WAN6).
So my first concern is if I have a configuration problem.

My laptop shows I have seven IPv6 addresses. One fe80, two fd8a (/128 and /64), then two from each DHCP range in WAN6_6 and WAN6 (/128 and /64 from each).
The server also has seven addresses of a similar nature.

Finally, I can't work out how to make one of my server IPv6 addresses connectable from the internet. A tracker I use wants to connect to the public facing IPv6 address of the router and reports the client can't receive incoming connections, which is expected as the client isn't on the router. How do I make the IPv6 address of the server public, as I shouldn't need to use NAT?

My /etc/config/network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd8a:b191:aa4e::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr 'd4:6e:0e:b3:48:de'

config interface 'wan'
	option proto 'pppoe'
	option ifname 'eth0.10'
	option ipv6 'auto'
	option username 'xxxx'
	option password 'xxxx'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr 'd4:6e:0e:b3:48:df'

config interface 'wan6'
	option proto 'pppoe'
	option username 'xxxx'
	option password 'xxxx'
	option ipv6 'auto'
	option ifname 'eth0.10'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 1 2 3 4'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 5'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 5t'
	option vid '10'
1 Like

https://openwrt.org/docs/guide-user/network/wan/isp-configurations

1 Like

Under WAN interface you have the option ipv6 'auto' so it will automatically create the wan6 interface and try with DHCPv6. So basically you don't need the extra wan6 interface.
Other than that you need to open the flows in firewall for IPv6 as by default everything is blocked.

3 Likes

Awesome! Thanks for your help, peeps. Including tmomas who cleaned up the /etc/config/network embedding in my first post.

I removed the extra device. The extra device was there at setup and despite my instincts I put my PPPoE settings in there as well.
I opened up the flow by creating a Traffic Rule "IPv6-traffic, From any host in wan, To any host in lan", which I believe blows a hole through the router's firewall for all devices using an IPv6 address?

1 Like

Don't do this! Assign a specific IP6 address to your server, and then add a forward rule for any wan host to your server only on the port of interest.

5 Likes

I'll draft a list of devices and add them to the dnsmasq file, so they will have stable addresses. Then open the firewall on an address by address/port basis.
For now I'll just limit the rule to any address: torrentclientport "until I get around to fixing it".

Only if they use dhcpv6.

3 Likes

DHCPv6 might not be necessary. Stable IPv6 addresses can also be generated by Stateless Address Autoconfiguration (SLAAC) with an interface identifier derived from the MAC address (Modified EUI-64) or a stable privacy address (RFC 7217). Quite likely the LAN hosts already have one of those addresses assigned.

Another point to consider is that ISPs often assign the IPv6 prefix dynamically, which causes all of the global IPv6 addresses in your LAN to change along with the prefix. This is independent of the address assignment mechanism used in your LAN (DHCPv6 or SLAAC). If your prefix is dynamic, the firewall rule must take this into account with a suitable address mask. Here is an example for a webserver:

config rule
	option name 'webserver'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option dest_ip '::2345:67ff:fe89:abcd/-64'
	option dest_port '80 443'
	option family 'ipv6'
	option target 'ACCEPT'
3 Likes

DHCPv6 is a reasonable way to configure servers that require stable and predictable addresses, especially while the prefix changes. But you need to configure the devices to use DHCPv6, which they may well not be doing by default.

Also, rather than a fixed rule you can set up an ipset to describe all the addresses that should be reachable from the exterior. This can be updated on the fly, for example by a cron job.

2 Likes

So, a follow up.

I've used Dnsmasq a lot over the years but ipv6 got me stumped. Documentation is thin on the ground and trying to put ipv6 addresses in the config file wasn't working for me. I ended up using the lua interface to create static leases in the Network -> DHCP and DNS menu. Entering MAC/ipv4 and DUID/ipv6.
To deal with dynamic ipv6 prefixes and firewall access I installed the iptables-mod-u32 package. Then created a FORWARD rule to match a portion of the suffix. By using an octet of a specific value, any IPv6 address using it in their suffix is forwarded, and the final octet (that I use as the unique client identifier) allows me to create client specific rules.

e.g. ip6tables -I FORWARD 1 -m u32 --u32 "34 = 0x6565" -j ACCEPT
Allows any machine with an address of ::6565:???? unrestricted access from the WAN. It doesn't matter what the prefix is or if it changes, the firewall rule remains valid.
This is a simplified example! Something like:
ip6tables -I FORWARD 1 -p tcp --dport xyz -m u32 --u32 "36 = 0x6565abcd" -j ACCEPT
would open port xyz for the client at ::6565:abcd
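To see exactly which bytes the two u32 rules above compare, here is an added Python check (my own example, not code from the thread or from OpenWrt): it builds a constructed IPv6 header and emulates the simple "OFFSET = VALUE" form of the u32 match, where four bytes at OFFSET (counted from the start of the IPv6 header, as ip6tables does) are read as a big-endian word. The destination address sits at header bytes 24..39, so offset 34 covers hextets 5 and 6 and offset 36 covers hextets 6 and 7, the tail of the interface identifier. The addresses and header fields are constructed test data.

```python
import ipaddress
import struct

IPV6_DST_OFFSET = 24  # destination address occupies bytes 24..39 of the IPv6 header
IPV6_HDR_LEN = 40


def build_ipv6_header(src, dst, payload_len=0, next_header=6, hop_limit=64):
    """Build a minimal 40-byte IPv6 header; constructed test data, not a capture."""
    first_word = 6 << 28  # version 6, traffic class 0, flow label 0
    return (
        struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit)
        + ipaddress.IPv6Address(src).packed
        + ipaddress.IPv6Address(dst).packed
    )


def parse_u32_equals(expr):
    """Parse the simple 'OFFSET = VALUE' form; int(x, 0) accepts decimal or 0x hex."""
    left, right = (part.strip() for part in expr.split("=", 1))
    return int(left, 0), int(right, 0)


def u32_matches(packet, expr):
    """Emulate '-m u32 --u32 "OFFSET = VALUE"': read 4 bytes at OFFSET as a
    big-endian word and compare it with VALUE."""
    offset, value = parse_u32_equals(expr)
    if offset < 0 or offset + 4 > len(packet):
        return False  # a read past the end of the packet never matches
    (word,) = struct.unpack_from("!I", packet, offset)
    return word == value


def dst_hextets_inspected(expr):
    """Return the 0-based destination-address hextets a match at OFFSET compares,
    or None when the 4-byte window is outside the destination field or is not
    aligned to a hextet boundary."""
    offset, _ = parse_u32_equals(expr)
    rel = offset - IPV6_DST_OFFSET
    if rel < 0 or rel + 4 > 16 or rel % 2:
        return None
    return (rel // 2, rel // 2 + 1)


if __name__ == "__main__":
    # Same interface-identifier tail under two different (constructed) prefixes.
    for prefix in ("2001:db8:1234:5678", "fd8a:b191:aa4e:0"):
        hdr = build_ipv6_header("2001:db8::1", f"{prefix}::6565:1")
        print(prefix, u32_matches(hdr, "34 = 0x6565"))
    print(dst_hextets_inspected("34 = 0x6565"), dst_hextets_inspected("36 = 0x6565abcd"))
```

One detail the check makes visible: a 4-byte window at offset 34 compares hextets 5 and 6, so "34 = 0x6565" also requires hextet 5 to be 0000. Addresses of the form ::6565:xxxx satisfy that, but an address whose interface identifier has a non-zero fifth hextet would not, even if its sixth hextet is 6565.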

Matching of the interface identifier can be solved without the u32 match: use "::ffff:ffff:ffff:ffff" as the destination mask, i.e. "-d ::xxxx:xxxx:xxxx:xxxx/::ffff:ffff:ffff:ffff"

1 Like

@mpa Hello, what is this kind of mask called?

::2345:67ff:fe89:abcd/-64

or ::xxxx:xxxx:xxxx:xxxx/::ffff:ffff:ffff:ffff

Did any RFC define them?

I have researched this all night but can't find any useful information. If you have some, do you mind telling me about it?

1 Like

A negative value inverts the netmask, making it match the suffix instead of the prefix:

3 Likes

The :: is defined in RFC 4291:

A mask of ::ffff:ffff:ffff:ffff expands to 0000:0000:0000:0000:ffff:ffff:ffff:ffff, which matches the interface ID part of the IPv6 address and causes the network prefix to be ignored.

2 Likes

Firewall configurations are converted to iptables rules, and the rules that can be converted in this way are:

-A zone_wan_forward -d ::ca1/128 -p tcp -m comment --comment "!fw3: @rule[9]" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -d ::ca1/128 -p udp -m comment --comment "!fw3: @rule[9]" -j zone_lan_dest_ACCEPT

I think this is mainly because the firewall is based on iptables, which is the reason for this feature.

But I don't see it used in other projects. Maybe this usage only exists in iptables?

Not whether the RFC defined the ::, but whether it defines how the mask should work.

A mask of ::ffff:ffff:ffff:ffff expands to 0000:0000:0000:0000:ffff:ffff:ffff:ffff, which matches the interface ID part of the IPv6 address and causes the network prefix to be ignored.

This is your definition. What I want to know is whether an RFC has defined this behavior.

Many CLI tools support the numeric netmask notation.
But the negative numeric appears to be the fw3-specific feature.

Thank you very much, I'm trying to find out how iptables implements it.

fw3 inverts the netmask bits when its numeric value is negative:
https://git.openwrt.org/?p=project/firewall3.git;a=blob;f=utils.c;hb=HEAD#l853

1 Like
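The negative prefix length in the webserver rule earlier in the thread ('::2345:67ff:fe89:abcd/-64'), mpa's explicit '::ffff:ffff:ffff:ffff' mask, and the fw3 inversion described just above are all the same operation. The following Python is an added emulation written from that description; it is my own example, not fw3's utils.c code or anything from the thread, and it assumes fw3's behaviour is exactly "invert the ordinary CIDR mask when the number is negative". A positive /N keeps the top N bits (the prefix); /-N keeps only the low N bits (the interface identifier), so a host keeps matching when the ISP changes the delegated prefix. The rule strings and addresses below are constructed test data.

```python
import ipaddress

ALL_ONES = (1 << 128) - 1


def prefix_mask(bits):
    """Ordinary CIDR mask: the top `bits` bits set (0..128)."""
    if not 0 <= bits <= 128:
        raise ValueError("prefix length out of range")
    return (ALL_ONES << (128 - bits)) & ALL_ONES


def parse_mask(mask_text):
    """Turn the part after '/' into a 128-bit mask.  Accepts a plain prefix
    length ('64'), a negative one ('-64': the /64 mask inverted so only the low
    64 bits are compared), or an explicit address-style mask
    ('::ffff:ffff:ffff:ffff').  The negative form is an emulation of the
    fw3-specific behaviour, not the real parser."""
    try:
        bits = int(mask_text)
    except ValueError:
        return int(ipaddress.IPv6Address(mask_text))
    mask = prefix_mask(abs(bits))
    return (~mask) & ALL_ONES if bits < 0 else mask


def rule_matches(rule, address):
    """True if `address` agrees with the rule's address on every bit the mask selects."""
    addr_text, mask_text = rule.split("/", 1)
    mask = parse_mask(mask_text)
    wanted = int(ipaddress.IPv6Address(addr_text)) & mask
    return (int(ipaddress.IPv6Address(address)) & mask) == wanted


def mask_as_text(mask_text):
    """Render a mask in address notation, e.g. to see what '/-64' expands to."""
    return str(ipaddress.IPv6Address(parse_mask(mask_text)))


if __name__ == "__main__":
    # The same webserver keeps matching after a (constructed) prefix change.
    rule = "::2345:67ff:fe89:abcd/-64"
    for addr in ("2001:db8:1:2:2345:67ff:fe89:abcd", "fd8a:b191:aa4e::2345:67ff:fe89:abcd"):
        print(addr, rule_matches(rule, addr))
    print("/-64 expands to", mask_as_text("-64"))
```

Two consequences worth noting for a rule author: '/-64' and '/::ffff:ffff:ffff:ffff' select exactly the same bits, so the explicit form works in plain ip6tables where the negative number is fw3-only; and a suffix-only rule matches that interface identifier under every prefix, including the ULA prefix, so the rule's src zone still does the work of limiting where such traffic may come from.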

Thanks! It's very helpful! Before this, I thought OpenWrt just converted the config to iptables args and called the command; this shows fw3 does some other jobs too.