Need advice on openwrt configs

Need input from someone more knowledgeable than me. I can't wrap my head around what's wrong with my IPv6 setup (I get a /56 from my ISP).

I can access a few services with IPv6 but some don't work. For example, Pi-hole's IPv6 GUA address works, but its FE80 (link-local) address doesn't. Sonarr IPv6 doesn't work at all: no ping, can't reach it via HTTP, while `ip a` shows a GUA IPv6 address as well.

What's the best strategy to implement:

  • properly configured IPv6 in the entire setup, including the firewall.
  • A loopback interface address for IPv6.
  • A proper WireGuard setup with IPv4 and IPv6, allowing traffic to the homelab on the same single home network.

root@OpenWrt:~# cat /etc/config/network

# /etc/config/network as pasted in the thread (keys are redacted to 'ff'/'fff').
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
# Only the IPv4 loopback address is configured here; nothing in this file
# assigns ::1. NOTE(review): on Linux ::1 is normally present on lo without
# any netifd configuration — verify with `ip -6 addr show lo` before adding one.

config globals 'globals'
	option packet_steering '0'
# NOTE(review): no ula_prefix is set in this section, so LAN hosts only
# receive addresses from the delegated GUA prefix (plus link-local) — confirm
# whether that is intended; OpenWrt usually generates a ULA prefix at first boot.

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
# ip6assign carves one /60 out of the prefix delegated on wan6 (the ISP /56
# mentioned in the question) and announces it on br-lan; RA/DHCPv6 behaviour
# for it lives in /etc/config/dhcp.
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

# IPv6 uplink. No reqprefix/reqaddress is set, so the odhcp6c defaults apply.
# Everything below depends on a prefix actually being delegated here; confirm
# with `ifstatus wan6` (look for an ipv6-prefix entry).
config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

# WireGuard listener on the router itself: UDP 51820, with an IPv4 /24 and a
# ULA /64 inside the tunnel. Reachability of this port from wan is decided in
# /etc/config/firewall, not here.
config interface 'wireguard'
	option proto 'wireguard'
	option private_key 'ff'
	option listen_port '51820'
	list addresses '10.0.0.1/24'
	list addresses 'fd00:7::1/64'

# Peer 'moto'. allowed_ips is limited to the peer's own /32 and /128, so the
# router accepts no other source addresses (LAN ranges, link-local, multicast)
# from this peer, and route_allowed_ips installs routes for exactly those two.
# NOTE(review): peer sections take public_key / preshared_key / allowed_ips /
# endpoint_* — 'private_key' is not a peer option. If this line was meant to
# carry the pre-shared key, the option name is preshared_key; confirm.
config wireguard_wireguard
	option description 'moto'
	option public_key 'ff'
	option private_key 'fff'
	list allowed_ips '10.0.0.2/32'
	list allowed_ips 'fd00:7::2/128'
	option route_allowed_ips '1'

root@OpenWrt:~# cat /etc/config/dhcp

# /etc/config/dhcp as pasted: dnsmasq handles DHCPv4 and DNS, odhcpd handles
# DHCPv6 and router advertisements (see maindhcp '0' at the end).
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
# rebind_protection drops upstream answers that resolve to private ranges.
# It only applies to clients that use dnsmasq on the router as resolver; clients
# pointed directly at the Pi-hole (option 6 below) are not affected by it.
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
# AAAA records are not filtered, so dual-stack clients will use IPv6 for
# anything that publishes an AAAA record.
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
# Stateful DHCPv6 plus RAs with the M (managed) and O (other-config) flags set.
# SLAAC is not turned off here (no ra_slaac '0'), so hosts without a DHCPv6
# client still self-configure a GUA — consistent with `ip a` showing a GUA on
# the Sonarr host even though it cannot be reached.
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
# DHCPv4 option 6: IPv4 clients are told to resolve via the Pi-hole at
# 192.168.1.2. No `list dns` is set for this section, so RA/DHCPv6 presumably
# announce the router itself as the IPv6 resolver (verify on a client) — an
# IPv6-capable client can then bypass the Pi-hole filtering over IPv6 transport.
# Adding the Pi-hole's IPv6 address via `list dns` would close that gap.
	list dhcp_option '6,192.168.1.2'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# maindhcp '0' keeps dnsmasq as the DHCPv4 server; odhcpd serves DHCPv6/RA only.
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall

# /etc/config/firewall as pasted. Rules without an explicit 'family' apply to
# both IPv4 and IPv6.
config defaults
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option synflood_protect '1'
	option drop_invalid '1'

# The 'wireguard' network is a member of the lan zone, so every tunnel peer is
# trusted exactly like a wired LAN host, including unrestricted input to the
# router. A separate zone with its own forwarding rules would be the way to
# restrict peers to specific homelab services.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wireguard'

# masq is IPv4-only (masq6 is a separate option), which is correct here since
# LAN hosts carry GUA addresses from the delegated prefix.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'

# Only lan -> wan is forwarded. With forward DROP and no wan -> lan forwarding,
# unsolicited inbound IPv6 to LAN GUAs is dropped apart from the ICMPv6 types
# listed in Allow-ICMPv6-Forward below — so a service not reachable from the
# internet over IPv6 is the expected default. Traffic between two hosts on
# br-lan does not pass this forward chain at all, so LAN-internal failures
# (the Sonarr case) are more likely a host-side firewall or binding issue.
config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# DHCPv6 client replies to the router (UDP 546); required for wan6 to obtain
# its address and the delegated prefix.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 to the router itself, including NDP — do not trim this list; IPv6
# does not work without neighbour/router discovery.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 forwarded from wan to any zone (dest '*'): this is what lets LAN
# hosts with a GUA be pinged from the internet and receive packet-too-big for
# path MTU discovery.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# The two rules below are OpenWrt defaults that forward ESP and UDP/500 from
# wan into the whole lan zone, for both families. Nothing in this setup uses
# IPsec (the VPN is WireGuard), so they can be disabled with
# `option enabled '0'` to shrink the exposed surface.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# DNAT of wan:51820 to 10.0.0.1 — the router's own tunnel address from
# /etc/config/network. The WireGuard listener runs on the router, so what is
# needed is an input ACCEPT rule on the wan zone, not a redirect; the rule
# quoted later in the thread ('wg_s2s_51820') is that replacement. Because
# dest_ip is an IPv4 address this redirect presumably also never matches IPv6,
# so it could not serve peers connecting to the router's GUA.
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'wireguard-router'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest_ip '10.0.0.1'
	option dest_port '51820'

# Currently disabled (enabled '0'), so it has no effect. When enabled it
# rejects LAN clients' direct DNS to the internet (no proto set, so TCP and UDP;
# no family set, so IPv4 and IPv6) — the router's own queries and the Pi-hole's
# upstream traffic are not affected because src is 'lan', not the router.
config rule
	option name 'Force-DNS-to-Pi-hole'
	option src 'lan'
	option dest 'wan'
	option dest_port '53'
	option target 'REJECT'
	option enabled '0'

Most likely you need to suffix the interface name, as these addresses are link local and exist on all interfaces.

Is it bound to tcp6?

You probably want to change it into a rule that allows the WireGuard port on the wan interface; there is no need to DNAT there.

You'd also need to allow link local IPs over the WG tunnel to be able to operate.

so i need to add fe80::43%enp1s0 like this?

I am unsure and don't know how to check this.

how can i do that?

How can I do this as well? The fe80 address range, right?

For example yes.

Check it with netstat or ss.

# Input rule for the WireGuard listener on the router (no 'dest', so it
# targets the router itself, not a forwarded host). No 'family' is set, so it
# accepts UDP 51820 over both IPv4 and the router's IPv6 GUA — which is what
# makes an IPv6 endpoint usable. It replaces the 'wireguard-router' DNAT
# redirect in the pasted firewall config.
config rule 'wg_s2s_51820'
	option name 'Allow-WireGuard-51820'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

Yes, as well as the multicast addresses ff0x.

Can you please show me how to do this along with the fe80 range?

Add another line of list allowed_ips

If you are looking for instructions how to setup a WireGuard server including IPv6 see my notes, hopefully they are helpful:
WireGuard Server Setup guide

This is really good, but it got me wondering: if I have a /56 provided by my ISP,
is it possible to use the same GUA prefix instead of ULA?
If yes, how will routing look? Will it eliminate the use of DDNS altogether if tied to IPv6, or is DDNS still required when the suffix or prefix changes?

You can use your routers IPv6 address as endpoint instead of the IPv4 address which is often done if you do not have an IPv4 address e.g in case of CGNAT.

WireGuard does not mind it will route both IPv4 and IPv6 traffic via the connection.
Your IPv6 address is often dynamic, just like your IPv4 address, so DDNS is still necessary. If you have a static IPv6 address then you can just use that address (the same applies if you have a static IPv4 address).

Only if you have a static IPv6 address and prefix can you dedicate a /64 GUA subnet to WireGuard, in which case you do not have to NAT (masq6) the ULA IPv6 traffic; in my opinion it is not worth the hassle, but it certainly is possible.