Need help for setting up IPv6 without upstream

Hi

I need some help for setting up my IPv6 network. I have no IPv6 WAN upstream as my ISP only gives IPv4.
I have a number of zones (guests (only IPv4), dmz, IoT, remote location via wireguard) and I want to set up proper IPv6 between the zones.

grafik

All zones have a static interface with IPv6 assignment length and IPv6 assignment hint set and I have an ULA prefix defined. The interface's IPv6 address looks good for me.

The DHCP settings look like this:

I also see that on the OpenWrt Router there are IPv6 routes.

As you see, I announce my pi-hole as DNS server.

Now, all the devices I have have different Ipv6 settings ..

The pi-hole registers IPv6 with the router and is known in all subnets (with 'host pi-hole') with IPv4 and IPv6. But I can't get the devices to use it, as only a few of the devices have a proper route to the DMZ zone where the pi-hole is connected. Even more: the pi-hole itself is not aware of a IPv6 route to the other zones (making answering impossible).

I thought of setting the 'Always announce default route' but this seems to be wrong and causes the devices to query the DNS for AAAA records for all domains ... and they can't connect there as there is no IPv6 upstream).

So question (finally): Am I wrong with my assumption that the OpenWrt with my settings shall announce IPv6 routes to the other subnets to the devices or at least one fd42:0:0:/48 via the router itself?
Are my settings correct?

Any help or hint appreciated.

Are you looking for a purely local setup or would you also like to have upstream IPV6 with a tunnel?
Regardless of what your ISP does, that is.

1 Like

I'm looking for a (at the moment) pure local setup. As there are a few servers (nas, pi-hole, ..) I need an internal routing and as far as I understand, that's what ULA prefixes is for.

When I get an IPv6 upstream the devices shall also get a public global IPv6, but for local access the ULA shall be used. That's also because the public prefix I might get may change dayly.

2 Likes

The deeper I go, I think my settings are correct and it mostly depends on the clients. I have a lan zone (that's the one that has been originally created).
Devices in the lan zone register with IPv6 in DNS and have a proper fd42::/48 route to the router. This for Linux Mint, Linux LMDE and Windows 7.
E.g.:

Kernel-IPv6-Routentabelle
Destination                    Next Hop                   Flag Met Ref Use If
fd42:0:0:41::383/128           ::                         U    256 0     0 enp0s31f6
fd42:0:0:41::/64               ::                         U    100 0     0 enp0s31f6
fd42::/56                      fe80::24f5:a2ff:fe2d:7cc0  UG   100 0     0 enp0s31f6
fe80::/64                      ::                         U    256 0     0 enp0s31f6
::/0                           ::                         !n   -1  1  1367 lo
::1/128                        ::                         Un   0   5   297 lo
fd42:0:0:41::383/128           ::                         Un   0   1     0 lo
fd42::41:7c31:e0f2:72ad:8f63/128 ::                         Un   0   1     0 lo
fe80::4fb1:379c:2e4d:6763/128  ::                         Un   0   4     4 lo
ff00::/8                       ::                         U    256 4    32 enp0s31f6
::/0                           ::                         !n   -1  1  1367 lo

Devices in DMZ register in DNS, but don't have a fd42::/48 route. One devices states there is no IPv6 router?

Kernel-IPv6-Routentabelle
Destination                    Next Hop                   Flag Met Ref Use If
::1/128                        ::                         U    256 1     0 lo
fd42:0:0:40::/64               ::                         U    202 5     0 eth0
fe80::/64                      ::                         U    256 2     0 eth0
::/0                           ::                         !n   -1  1     0 lo
::1/128                        ::                         Un   0   6     0 lo
fd42:0:0:40::2/128             ::                         Un   0   4     0 eth0
fd42::40:ba27:ebff:fefd:4226/128 ::                         Un   0   2     0 eth0
fe80::ba27:ebff:fefd:4226/128  ::                         Un   0   3     0 eth0
ff00::/8                       ::                         U    256 6     0 eth0
::/0                           ::                         !n   -1  1     0 lo

This is a Raspberry.

Second device in DMZ:

Destination                    Next Hop                   Flag Met Ref Use If
::1/128                        ::                         U    256 1     0 lo
fd42:0:0:40::/64               ::                         U    202 2     0 eth0
fe80::/64                      ::                         U    256 2     0 eth0
::/0                           ::                         !n   -1  1     0 lo
::1/128                        ::                         Un   0   6     0 lo
fd42::40:dea6:32ff:fe04:c18b/128 ::                         Un   0   3     0 eth0
fe80::dea6:32ff:fe04:c18b/128  ::                         Un   0   3     0 eth0
ff00::/8                       ::                         U    256 6     0 eth0
::/0                           ::                         !n   -1  1     0 lo

Looking in logfiles
For the first device:

pi@pi-hole:~ $ journalctl | grep -Ei 'dhcp'
Jan 13 17:10:29 pi-hole systemd[1]: Starting dhcpcd on all interfaces...
Jan 13 17:10:29 pi-hole dhcpcd[314]: dev: loaded udev
Jan 13 17:10:30 pi-hole dhcpcd[314]: eth0: waiting for carrier
Jan 13 17:10:30 pi-hole dhcpcd[314]: eth0: carrier acquired
Jan 13 17:10:30 pi-hole dhcpcd[314]: DUID 00:01:00:01:25:6b:e1:a5:b8:27:eb:fd:42:26
Jan 13 17:10:30 pi-hole dhcpcd[314]: eth0: IAID eb:fd:42:26
Jan 13 17:10:30 pi-hole dhcpcd[314]: eth0: adding address fe80::ba27:ebff:fefd:4226
Jan 13 17:10:30 pi-hole dhcpcd[314]: eth0: carrier lost
Jan 13 17:10:30 pi-hole dhcpcd[314]: eth0: deleting address fe80::ba27:ebff:fefd:4226
Jan 13 17:10:31 pi-hole dhcpcd[314]: eth0: carrier acquired
Jan 13 17:10:31 pi-hole dhcpcd[314]: eth0: IAID eb:fd:42:26
Jan 13 17:10:31 pi-hole dhcpcd[314]: eth0: adding address fe80::ba27:ebff:fefd:4226
Jan 13 17:10:32 pi-hole dhcpcd[314]: eth0: soliciting an IPv6 router
Jan 13 17:10:32 pi-hole dhcpcd[314]: eth0: rebinding lease of 192.168.40.2
Jan 13 17:10:32 pi-hole dhcpcd[314]: eth0: probing address 192.168.40.2/24
Jan 13 17:10:33 pi-hole dhcpcd[314]: eth0: Router Advertisement from fe80::24f5:a2ff:fe2d:7cc0
Jan 13 17:10:33 pi-hole dhcpcd[314]: eth0: adding address fd42::40:ba27:ebff:fefd:4226/64
Jan 13 17:10:33 pi-hole kernel: ICMPv6: process `dhcpcd' is using deprecated sysctl (syscall) net.ipv6.neigh.eth0.retrans_time - use net.ipv6.neigh.eth0.retrans_time_ms instead
Jan 13 17:10:33 pi-hole dhcpcd[314]: eth0: adding route to fd42:0:0:40::/64
Jan 13 17:10:33 pi-hole dhcpcd[314]: eth0: confirming prior DHCPv6 lease
Jan 13 17:10:33 pi-hole dhcpcd[314]: eth0: fe80::24f5:a2ff:fe2d:7cc0 is reachable again
Jan 13 17:10:34 pi-hole dhcpcd[314]: eth0: REPLY6 received from fe80::24f5:a2ff:fe2d:7cc0
Jan 13 17:10:34 pi-hole dhcpcd[314]: eth0: adding address fd42:0:0:40::2/128
Jan 13 17:10:34 pi-hole dhcpcd[314]: eth0: renew in 21600, rebind in 34560, expire in 4294967295 seconds
Jan 13 17:10:37 pi-hole dhcpcd[314]: eth0: leased 192.168.40.2 for 43200 seconds
Jan 13 17:10:37 pi-hole dhcpcd[314]: eth0: adding route to 192.168.40.0/24
Jan 13 17:10:37 pi-hole dhcpcd[314]: eth0: adding default route via 192.168.40.1
Jan 13 17:10:37 pi-hole dhcpcd[314]: Failed to get unit file state for ntp.service: No such file or directory
Jan 13 17:10:37 pi-hole dhcpcd[314]: forked to background, child pid 506
Jan 13 17:10:37 pi-hole systemd[1]: Started dhcpcd on all interfaces.
Jan 13 17:10:43 pi-hole dhcpcd[506]: eth0: fe80::24f5:a2ff:fe2d:7cc0 is reachable again
Jan 13 17:10:43 pi-hole dhcpcd[506]: eth0: fe80::24f5:a2ff:fe2d:7cc0 is reachable again
Jan 13 17:17:16 pi-hole dhcpcd[506]: eth0: Router Advertisement from fe80::24f5:a2ff:fe2d:7cc0
Jan 14 02:16:14 pi-hole dhcpcd[506]: eth0: fe80::24f5:a2ff:fe2d:7cc0 is reachable again
Jan 14 02:18:43 pi-hole dhcpcd[506]: eth0: fe80::24f5:a2ff:fe2d:7cc0 is reachable again
Jan 14 02:18:43 pi-hole dhcpcd[506]: eth0: fe80::24f5:a2ff:fe2d:7cc0 is reachable again
Jan 14 15:06:17 pi-hole dhcpcd[506]: eth0: fe80::24f5:a2ff:fe2d:7cc0 is reachable again
Jan 14 15:07:38 pi-hole dhcpcd[506]: eth0: fe80::24f5:a2ff:fe2d:7cc0 is reachable again
Jan 14 15:07:38 pi-hole dhcpcd[506]: eth0: fe80::24f5:a2ff:fe2d:7cc0 is reachable again

And the second one:

pi@pi-nc1:~ $ journalctl | grep -Ei 'dhcp'
Jan 13 17:14:08 pi-nc1 systemd[1]: Starting dhcpcd on all interfaces...
Jan 13 17:14:09 pi-nc1 dhcpcd[310]: dev: loaded udev
Jan 13 17:14:09 pi-nc1 dhcpcd[310]: eth0: waiting for carrier
Jan 13 17:14:14 pi-nc1 dhcpcd[310]: eth0: carrier acquired
Jan 13 17:14:14 pi-nc1 dhcpcd[310]: DUID 00:01:00:01:24:a8:ea:83:b8:27:eb:c8:6a:ec
Jan 13 17:14:14 pi-nc1 dhcpcd[310]: eth0: IAID 32:04:c1:8b
Jan 13 17:14:14 pi-nc1 dhcpcd[310]: eth0: adding address fe80::dea6:32ff:fe04:c18b
Jan 13 17:14:15 pi-nc1 dhcpcd[310]: eth0: rebinding lease of 192.168.40.62
Jan 13 17:14:15 pi-nc1 dhcpcd[310]: eth0: probing address 192.168.40.62/24
Jan 13 17:14:15 pi-nc1 dhcpcd[310]: eth0: soliciting an IPv6 router
Jan 13 17:14:20 pi-nc1 dhcpcd[310]: eth0: leased 192.168.40.62 for 43200 seconds
Jan 13 17:14:20 pi-nc1 dhcpcd[310]: eth0: adding route to 192.168.40.0/24
Jan 13 17:14:20 pi-nc1 dhcpcd[310]: eth0: adding default route via 192.168.40.1
Jan 13 17:14:20 pi-nc1 dhcpcd[310]: Too few arguments.
Jan 13 17:14:20 pi-nc1 dhcpcd[310]: Too few arguments.
Jan 13 17:14:20 pi-nc1 dhcpcd[310]: Failed to get unit file state for ntp.service: No such file or directory
Jan 13 17:14:20 pi-nc1 dhcpcd[310]: forked to background, child pid 466
Jan 13 17:14:20 pi-nc1 systemd[1]: Started dhcpcd on all interfaces.
Jan 13 17:14:27 pi-nc1 dhcpcd[466]: eth0: no IPv6 Routers available
Jan 13 17:17:16 pi-nc1 dhcpcd[466]: eth0: Router Advertisement from fe80::24f5:a2ff:fe2d:7cc0
Jan 13 17:17:16 pi-nc1 dhcpcd[466]: eth0: adding address fd42::40:dea6:32ff:fe04:c18b/64
Jan 13 17:17:16 pi-nc1 dhcpcd[466]: eth0: adding route to fd42:0:0:40::/64
Jan 13 17:17:16 pi-nc1 kernel: ICMPv6: process `dhcpcd' is using deprecated sysctl (syscall) net.ipv6.neigh.eth0.retrans_time - use net.ipv6.neigh.eth0.retrans_time_ms instead
Jan 13 17:17:16 pi-nc1 dhcpcd[466]: eth0: confirming prior DHCPv6 lease
Jan 13 17:17:16 pi-nc1 dhcpcd[466]: eth0: fe80::24f5:a2ff:fe2d:7cc0 is reachable again
Jan 13 17:17:26 pi-nc1 dhcpcd[466]: eth0: failed to confirm prior address
Jan 13 17:17:26 pi-nc1 dhcpcd[466]: eth0: soliciting a DHCPv6 lease
pi@pi-nc1:~ $ 

This is all a bit confusing. Checked the dhcpcd.conf and sysctl, all identical.

I don't see the (cause for the) problem ....

Could you post the output of
uci export network; uci export dhcp; uci export firewall; ifstatus lan; ifstatus dmz

1 Like

Sure I can

root@OpenWrt:~# uci export network
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd42:0:0:0::/56'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6hint '41'
	option ipaddr '192.168.41.1'
	option ip6assign '64'
	option ifname 'eth0.1 eth0.41'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'
	option peerdns '0'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'
	option reqprefix 'auto'
	option reqaddress 'try'
	option peerdns '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '5t 1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '6t 4'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '5t 0t'
	option vid '41'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '5t 2 0t'
	option vid '40'

config interface 'DMZ'
	option proto 'static'
	option ifname 'eth0.40'
	option type 'bridge'
	option ipaddr '192.168.40.1'
	option ip6assign '64'
	option ip6hint '40'
	option netmask '255.255.255.0'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option vid '44'
	option ports '5t 3'

config interface 'Iot'
	option ifname 'eth0.44'
	option proto 'static'
	option ipaddr '192.168.44.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6hint '44'

config switch_vlan
	option device 'switch0'
	option vlan '6'
	option ports '5t 0t'
	option vid '47'

config interface 'MAIL'
	option ifname 'eth0.47'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6hint '47'
	option ipaddr '192.168.47.1'
	option ip6assign '64'

config interface 'GUEST'
	option proto 'static'
	option netmask '255.255.255.0'
	option type 'bridge'
	option ipaddr '192.168.38.1'

config interface 'wg0'
	option proto 'wireguard'
	list addresses '192.168.46.1/24'
	list addresses 'fd42:0:0:46::1/64'

config wireguard_wg0
	list allowed_ips '192.168.46.201/32'
	list allowed_ips 'fd42:0:0:46::201/128'

config wireguard_wg0
	list allowed_ips '192.168.46.202/32'
	list allowed_ips 'fd42:0:0:46::202/128'

config interface 'wg1'
	option proto 'wireguard'
	list addresses '192.168.34.1/24'
	list addresses 'fd42:0:0:34::1/64'

config wireguard_wg1
	list allowed_ips '192.168.34.71/32'
	list allowed_ips 'fd42:0:0:34::71/128'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'

config interface 'WG2'
	option proto 'wireguard'
	list addresses '192.168.33.1/24'
	list addresses 'fd42:0:0:33::1/64'

config wireguard_WG2
	option persistent_keepalive '25'
	list allowed_ips '192.168.33.91/32'
	list allowed_ips '192.168.10.0/24'
	option route_allowed_ips '1'


I removed lines with wireguard keys, endpoints and ports.

root@OpenWrt:~# uci export dhcp
package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option domain 'lan'
	option local 'lan'
	list server '127.0.0.1#5053'
	option cachesize '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra_management '1'
	list dhcp_option '6,192.168.40.2'
	list dhcp_option '42,0.0.0.0'
	list dns 'fd42:0:0:40::2'
	option ndp 'hybrid'
	option ra 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'DMZ'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'DMZ'
	list dhcp_option '42,0.0.0.0'
	list dhcp_option '6,192.168.40.2'
	list dns 'fd42:0:0:40::2'
	option ndp 'hybrid'
	option dhcpv6 'server'
	option ra_management '1'
	option ra 'server'

config dhcp 'VOIP'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'VOIP'

config dhcp 'Iot'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'Iot'
	option dhcpv6 'server'
	option ra_management '1'
	list dhcp_option '6,192.168.40.2'
	list dhcp_option '42,0.0.0.0'
	list dns 'fd42:0:0:40::2'
	option ndp 'hybrid'
	option ra 'server'

config dhcp 'MAIL'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'MAIL'
	option dhcpv6 'server'
	option ra_management '1'
	list dhcp_option '6,192.168.40.2'
	list dhcp_option '42,0.0.0.0'
	list dns 'fd42:0:0:40::2'
	option ndp 'hybrid'
	option ra 'server'

config dhcp 'GUEST'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'GUEST'

config host
	option mac 'B8:27:EB:FD:42:26'
	option dns '1'
	option name 'pi-hole'
	option hostid '2'
	option duid '00010001256be1a5b827ebfd4226'
	option ip '192.168.40.2'
	option leasetime '12h'

config host
	option mac 'DC:A6:32:04:C1:8B'
	option leasetime '12h'
	option dns '1'
	option hostid '62'
	option name 'pi-nc1'
	option ip '192.168.40.62'

config host
	option mac 'B8:27:EB:9F:F6:1F'
	option leasetime '12h'
	option dns '1'
	option hostid '30'
	option name 'pi-mail'
	option ip '192.168.47.30'

config host
	option mac 'B8:27:EB:22:20:47'
	option leasetime '12h'
	option dns '1'
	option hostid '20'
	option name 'pi-omv'
	option ip '192.168.41.20'

config host
	option mac '7C:2F:80:FC:B5:2E'
	option name 's850a-go'
	option dns '1'
	option ip '192.168.44.108'
	option leasetime '12h'

config host
	option mac 'AC:22:0B:52:60:91'
	option leasetime '12h'
	option dns '1'
	option hostid '22'
	option name 'u-nas'
	option ip '192.168.41.22'


root@OpenWrt:~# uci export firewall
package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'
	option input 'DROP'

config zone
	option network 'wg1'
	option forward 'REJECT'
	option name 'cXXXXXX'
	option output 'ACCEPT'
	option input 'REJECT'
	option mtu_fix '1'
	option conntrack '1'

config zone
	option network 'WG2'
	option forward 'REJECT'
	option name 'bXXXXXX'
	option output 'ACCEPT'
	option input 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option network 'mobiles wg0'
	option name 'mobiles'
	option mtu_fix '1'
	option forward 'REJECT'
	option output 'REJECT'
	option input 'REJECT'

config zone
	option input 'ACCEPT'
	option name 'DMZ'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'DMZ'

config forwarding
	option dest 'wan'
	option src 'DMZ'

config forwarding
	option dest 'DMZ'
	option src 'lan'

config zone
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'IoT'
	option network 'Iot'

config forwarding
	option dest 'wan'
	option src 'IoT'

config forwarding
	option src 'lan'
	option dest 'IoT'

config zone
	option network 'MAIL'
	option input 'ACCEPT'
	option forward 'REJECT'
	option name 'MAIL'
	option output 'ACCEPT'
	option conntrack '1'

config forwarding
	option dest 'wan'
	option src 'MAIL'

config forwarding
	option dest 'MAIL'
	option src 'lan'

config zone
	option network 'GUEST'
	option forward 'REJECT'
	option name 'GUEST'
	option output 'ACCEPT'
	option input 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'GUEST'

config redirect
	option dest_port '80'
	option src 'wan'
	option name 'nc1 (http)'
	option src_dport '80'
	option target 'DNAT'
	option dest_ip '192.168.40.62'
	option proto 'tcp'
	option dest 'DMZ'

config redirect
	option dest_port '443'
	option src 'wan'
	option name 'nc1 (https)'
	option src_dport '443'
	option target 'DNAT'
	option dest_ip '192.168.40.62'
	option proto 'tcp'
	option dest 'DMZ'


config rule
	option dest_port 'XXX5'
	option src '*'
	option name 'Wireguard for Mobiles'
	option target 'ACCEPT'
	option proto 'udp'

config rule
	option dest_port 'XXX6'
	option src 'wan'
	option name 'Wireguard from cXXXXXX'
	option target 'ACCEPT'
	option proto 'udp'

config rule
	option dest_port 'XXX7'
	option src 'wan'
	option name 'Wireguard from bXXXXX'
	option target 'ACCEPT'
	option proto 'udp'

config rule
	option dest_port '53'
	option proto 'tcp udp'
	option dest 'wan'
	option target 'ACCEPT'
	option src 'DMZ'
	option src_mac 'B8:27:EB:FD:42:26'
	option name 'Allow authorized DNS (pi-hole)'

config rule
	option dest_port '53'
	option src '*'
	option name 'Local DNS (pi-hole)'
	option dest 'DMZ'
	option target 'ACCEPT'
	option proto 'tcp udp'

config rule
	option dest_port '53'
	option src '*'
	option name 'Refuse unauthorized DNS'
	option dest 'wan'
	option target 'REJECT'
	option proto 'tcp udp'

config rule
	option dest_port '25'
	option proto 'tcp'
	option name 'Allow access to pi-mail'
	option src_ip '192.168.40.0/21'
	option dest 'MAIL'
	option dest_ip '192.168.47.30'
	option target 'ACCEPT'
	option src '*'

config rule
	option dest_port '25 80 443'
	option src 'cXXXXX'
	option name 'Expose pi-mail to cXXXXX'
	option dest 'MAIL'
	option target 'ACCEPT'
	option proto 'tcp'

config rule
	option dest_port '25'
	option src '*'
	option name 'Block unauthorized mail'
	option dest 'wan'
	option target 'REJECT'
	option proto 'tcp'

config rule
	option dest_port '80 443'
	option src 'GUEST'
	option name 'Internal Services for Guests'
	option dest 'DMZ'
	option target 'ACCEPT'
	option proto 'tcp udp'

config rule
	option dest_port '139 445'
	option src '*'
	option name 'NetBios-Filter'
	option dest 'wan'
	option target 'REJECT'
	option proto 'tcp udp'

config rule
	option dest_port '3544'
	option src '*'
	option dest 'wan'
	option target 'REJECT'
	option proto 'udp'
	option name 'Teredo-Filter'
	option family 'ipv4'

config forwarding
	option dest 'DMZ'
	option src 'mobiles'

config forwarding
	option dest 'wan'
	option src 'mobiles'

config forwarding
	option dest 'cXXXXXX'
	option src 'lan'

config forwarding
	option dest 'MAIL'
	option src 'mobiles'

config forwarding
	option dest 'bXXXXXX'
	option src 'DMZ'

config forwarding
	option dest 'bXXXXXX'
	option src 'lan'

config forwarding
	option dest 'cXXXXXX'
	option src 'MAIL'


root@OpenWrt:~# ifstatus lan
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 255065,
	"l3_device": "br-lan",
	"proto": "static",
	"device": "br-lan",
	"updated": [
		"addresses"
	],
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		{
			"address": "192.168.41.1",
			"mask": 24
		}
	],
	"ipv6-address": [
		
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		{
			"address": "fd42:0:0:41::",
			"mask": 64,
			"local-address": {
				"address": "fd42:0:0:41::1",
				"mask": 64
			}
		}
	],
	"route": [
		
	],
	"dns-server": [
		
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		
	}
}

root@OpenWrt:~# ifstatus DMZ
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 255119,
	"l3_device": "br-DMZ",
	"proto": "static",
	"device": "br-DMZ",
	"updated": [
		"addresses"
	],
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		{
			"address": "192.168.40.1",
			"mask": 24
		}
	],
	"ipv6-address": [
		
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		{
			"address": "fd42:0:0:40::",
			"mask": 64,
			"local-address": {
				"address": "fd42:0:0:40::1",
				"mask": 64
			}
		}
	],
	"route": [
		
	],
	"dns-server": [
		
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		
	}
}

It depends, if you use he.net for tunnels the prefix is stable. Anyhow, my setup is no good for you, since it relies on the upstream prefix.

if I look on my clients the on in LAN have a proper routing table.

$ ip -6 route
fd42:0:0:41::383 dev enp0s31f6 proto kernel metric 256  pref medium
fd42:0:0:41::/64 dev enp0s31f6 proto ra metric 100  pref medium
fd42::/56 via fe80::24f5:a2ff:fe2d:7cc0 dev enp0s31f6 proto ra metric 100  pref medium
fe80::/64 dev enp0s31f6 proto kernel metric 256  pref medium

On the DMZ not:

$ ip -6 route
::1 dev lo proto kernel metric 256 pref medium
fd42:0:0:40::/64 dev eth0 proto ra metric 202 mtu 1500 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium

Here the ULA route is missing ... I wonder if this is with the firewall.

And this is a bit mysterious on the DMZ device:

Jan 14 20:40:52 pi-nc1 dhcpcd[467]: eth0: Router Advertisement from fe80::24f5:a2ff:fe2d:7cc0
Jan 14 20:40:52 pi-nc1 dhcpcd[467]: eth0: fe80::24f5:a2ff:fe2d:7cc0: no longer a default router
Jan 14 20:40:52 pi-nc1 dhcpcd[467]: eth0: deleting default route via fe80::24f5:a2ff:fe2d:7cc0
Jan 15 16:33:28 pi-nc1 dhcpcd[467]: RA from non local address fd42:0:0:40::1
Jan 15 16:33:28 pi-nc1 dhcpcd[467]: RA from non local address fd42:0:0:40::1
Jan 15 16:44:40 pi-nc1 dhcpcd[467]: eth0: Router Advertisement from fe80::24f5:a2ff:fe2d:7cc0

What does that mean: RA from non local address fd42:0:0:40::1

Seems as if a route is advertised but ignored on the client?

Disable that from all interfaces.

I don't see anything else wrong, however I suggest you change the capital letters of the interfaces and zones into small.

1 Like

Check this! I notice there's no ::/0 via <OpenWrt> route to your NIC cards - a default route is needed to route to another network, not what you've been mentioning!

Do you have a second router in the network or something?

If all traffic is going to the OpenWrt which has routes to the networks, this is not the case, IPv6 should be working or you.

Generally wrong. Routers don't usually announce routes (unless you're running a routing protocol); but they do announce the IPv6 router/gateway, DNS, etc.

I haven't seen an error.

  • Do you permit traffic to/form these zones in the firewall?
  • Is your DMZ Interface even assigned a firewall zone?

To use what...IPv6?

That has to do with the software you're using (i.e. browser, FTP, etc.), not the router). Try testing instead by pinging the IPv6 address across networks.

I did a few more tests (testing becomes regular activity ... :wink: )

Now: all devices in LAN got a fd42::/56 route advertised from the router enabling them to connect to other zones on my site.
The devices in DMZ did not.
Easiest test now (I should have done that earlier): I placed one of the devices (my notebook) from LAN into DMZ...e voila: It got a fd42::/56 route.

Result:
a) It's not the router, that one advertises correct routes (though I have to check if it advertises them correctly).
b) The 'Always announce default route' is not needed (and there is no public route).
c) Setting NDP 'hybrid' or disabling it makes no difference.

Conclusion: The problem is on the Raspis...

Thank you all.

Seems as if the problem is related to dhcpcd. I've set up a fresh raspberry and got the same problems. Seems as if devices with dhclient do not have an issue.

Looking for help I found https://roy.marples.name/archives/dhcpcd-discuss/0002803.html

I now need to figure out how to compile an up to date dhcpcd on the raspberry ..