No IPv6 for clients connected to OpenWrt router

Hi all,

I've got the following setup and I want to enable IPv6 for all LAN devices connected to an OpenWrt Router:

FritzBox 7590 ~~> FritzRepeater 3000 ~~> TP-Link AC1200 with OpenWrt as WDS client --> LAN

(~~> WiFi, --> Ethernet Cable)

I also receive a /62 IPv6 delegated prefix from my ISP: 2001:something/62 and I can see the prefix in the status overview. The TP-Link router can ping IPv6 addresses:

PING openwrt.org (2a03:b0c0:3:d0::1af1:1): 56 data bytes
64 bytes from 2a03:b0c0:3:d0::1af1:1: seq=0 ttl=56 time=12.601 ms
64 bytes from 2a03:b0c0:3:d0::1af1:1: seq=1 ttl=56 time=18.502 ms
64 bytes from 2a03:b0c0:3:d0::1af1:1: seq=2 ttl=56 time=28.169 ms
64 bytes from 2a03:b0c0:3:d0::1af1:1: seq=3 ttl=56 time=13.510 ms
64 bytes from 2a03:b0c0:3:d0::1af1:1: seq=4 ttl=56 time=13.592 ms

--- openwrt.org ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 12.601/17.274/28.169 ms

However, the devices on the LAN cannot:

Pinging openwrt.org [2a03:b0c0:3:d0::1af1:1] with 32 bytes of data:
Request timed out.

Here's my configuration:

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.178.2'
        option gateway '192.168.178.1'
        option ip6assign '62'

config interface 'wan6'
        option proto 'dhcpv6'
        option device '@lan'
        option type 'bridge'
        option reqaddress 'none'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'
        option ip6assign '60'
        option ra 'relay'
        option ndp 'relay'
        option master '1'
        list ra_flags 'none'
        
config dhcp 'wan6'
        option interface 'wan6'
        option ignore '1'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'
        list ra_flags 'none'

Any ideas what's going wrong?

Hostname OpenWrt
Model TP-Link Archer C50 v4
Architecture MediaTek MT7628AN ver:1 eco:2
Firmware Version OpenWrt 21.02.0 r16279-5cc0535800 / LuCI openwrt-21.02 branch git-21.231.26241-422c175
Kernel Version 5.4.143

Never seen anything like that before ... your IPv6 WAN is an alias of your LAN?

WAN6 is just an "Alias Interface" for LAN. Maybe I should have named it LAN6 or something.. :wink:

If lan interface is a bridge of all ethernet ports, the WDS client, and the AP where the hosts connect to, then there is nothing for OpenWrt to delegate. Clients can get the RAs and solicit for DHCPv6 the same way that OpenWrt is getting, as they are in the same broadcast domain. Disable SLAAC and DHCPv6 the same way as you have done with DHCPv4.

Hi trendy,

Thank you so much for your answer! :slight_smile:

As a newbie, I still have some questions:

  1. I should disable SLAAC and DHCPv6 on the LAN interface, right? Is it simply done by setting RA-Service/DHCPv6-Service/NDP-Proxy in luci to "disabled"? Or do I have to set anything else?
  2. The WAN6 interface is nevertheless still needed, or?

karinsche

That should be enough.

If you wish for the device to get an IPv6, leave it; just disable the delegated prefix solicitation.

O.K., I've deleted the WAN6 interface and rebooted the router. Now, I don't have an IPv6 address anymore and cannot ping IPv6 addresses from the router directly.

BUT: The Windows machine connected to the router also cannot..

> ping -6 openwrt.org
Ping request could not find host openwrt.org. Please check the name and try again.

Anything else I could try? Is it correct to set option ip6assign '60'?

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'
        option ip6assign '60'
        list ra_flags 'none'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.178.2'
        option gateway '192.168.178.1'
        option delegate '0'

Why? You were told, "if you want the device to get an IPv6 leave it" ... not "delete it"

Let's take a step back. This TP-Link AC1200 running OpenWrt is a dumbAP, right? It merely bridges the WDS client uplink to the FritzRepeater 3000 with the ethernet ports and its own SSID, right?
If that is the case, then DHCP for both v4 and v6 should be handled by the Fritzbox 7590. Therefore you need to disable both DHCPv4 (done already with option ignore '1') and DHCPv6/RA (switch them all to disabled).
You can keep the LAN6 interface only to get its own IPv6 from Fritzbox 7590, but not request for any Delegated Prefix.

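The advice above (no RA, DHCPv6 or NDP service on a bridged AP) can be checked against the output of `uci export dhcp`. The script below is an added example, not code from the thread or from OpenWrt; the function names are hypothetical, the first sample is trimmed from the configuration in the opening post, and the second sample is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit `uci export dhcp` on a dumb AP.
# Per the odhcpd defaults, ra/dhcpv6/ndp are disabled when the option is absent.
audit_dumbap_dhcp() {
    awk '
    function unq(s) { gsub("\047", "", s); return s }   # strip single quotes
    $1 == "config" { sect = ($2 == "dhcp") ? unq($3) : ""; next }
    sect == "" || $1 != "option" { next }
    ($2 == "ra" || $2 == "dhcpv6" || $2 == "ndp") && unq($3) != "disabled" {
        printf "%s: %s is %s, expected disabled\n", sect, $2, unq($3)
    }
    $2 == "ip6assign" {
        printf "%s: ip6assign belongs in /etc/config/network\n", sect
    }'
}

# dhcp sections from the first post, trimmed to the IPv6-relevant options.
first_post_dhcp() {
    cat <<'EOF'
config dhcp 'lan'
        option interface 'lan'
        option ignore '1'
        option ip6assign '60'
        option ra 'relay'
        option ndp 'relay'

config dhcp 'wan6'
        option interface 'wan6'
        option ignore '1'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'
EOF
}

# Constructed "after" state: IPv6 services explicitly disabled on lan.
dumbap_dhcp() {
    cat <<'EOF'
config dhcp 'lan'
        option interface 'lan'
        option ignore '1'
        option ra 'disabled'
        option dhcpv6 'disabled'
        option ndp 'disabled'
EOF
}

first_post_dhcp | audit_dumbap_dhcp
```

On the router itself the same function can be fed directly with `uci export dhcp | audit_dumbap_dhcp`.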

Not exactly. I'm using the same SSID as the FritzBox/Repeater. Is this a problem?

The 5GHz signal from repeater is connected to the WDS client (PC connected through Ethernet Cable), whereas the 2.4 GHz signal is connected to a "normal" wireless Access Point.

Yes, done.

This is what I've understood. The OpenWrt router does not need to have its own IPv6, but the connected devices do.
I've also set up the FritzBox as described here: Configuring IPv6 support in the FRITZ!Box

Not a problem.

Also fine. So everything is in the same broadcast domain and the solicitations from the clients of OpenWrt for IPv6 should reach the Fritzbox 7590 and then receive the advertisements.

Well, I'm rather at a loss then :frowning:
I've got the following PING results from my PC connected to the OpenWrt router:

Global IPv6 addresses - not working

>ping -6 openwrt.org

Pinging openwrt.org [2a03:b0c0:3:d0::1af1:1] with 32 bytes of data:
Request timed out.

Unique local addresses - not working

>ping fd00::c015:c8ff:fe70:4ada

Pinging fd00::c015:c8ff:fe70:4ada with 32 bytes of data:
Request timed out.

Link-local addresses - working

>ping fe80::c015:c8ff:fe70:4ada

Pinging fe80::c015:c8ff:fe70:4ada with 32 bytes of data:
Reply from fe80::c015:c8ff:fe70:4ada: time=3ms
Reply from fe80::c015:c8ff:fe70:4ada: time=1ms

Ping statistics for fe80::c015:c8ff:fe70:4ada:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 3ms, Average = 2ms

First of all, do the clients get an IPv6 (both ULA and GUA)? If not, when you connect them on the Fritzbox or the FritzRepeater do they get one?
If you run tcpdump on the OpenWrt are you able to see the packets going in and out, both solicitations and advertisements?
Post once again the configurations to have a look:

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user

I'll have a look how tcpdump works and let you know..

tcpdump -i br-lan -vn ip6

Part 1, Configuration:

{
        "kernel": "5.4.143",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7628AN ver:1 eco:2",
        "model": "TP-Link Archer C50 v4",
        "board_name": "tplink,archer-c50-v4",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02.0",
                "revision": "r16279-5cc0535800",
                "target": "ramips/mt76x8",
                "description": "OpenWrt 21.02.0 r16279-5cc0535800"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdcd:2070:9365::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'
        option stp '1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.178.2'
        option gateway '192.168.178.1'
        option delegate '0'
        list dns '192.168.178.1'

config device
        option name 'eth0.2'
        option macaddr 'cc:32:e5:41:1a:de'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/10300000.wmac'
        option htmode 'HT20'
        option cell_density '0'
        option country 'DE'
        option distance '10'
        option disabled '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
        option htmode 'VHT80'
        option cell_density '0'
        option country 'DE'
        option distance '10'
        option disabled '0'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'sta'
        option ssid 'FRITZBox 7590 LT'
        option encryption 'psk2'
        option key '********************' <- commented out (privacy)
        option wds '1'
        option network 'lan'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option ssid 'FRITZBox 7590 LT'
        option encryption 'psk2'
        option key '********************' <- commented out (privacy)
        option mode 'ap'
        option network 'lan'

package dhcp

config dnsmasq
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list server '192.168.178.1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'
        option ip6assign '60'
        list dhcp_option '192.168.178.1'
        list ra_flags 'none'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config rule
        option name 'Allow-DHCP-Renew'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
        option src 'lan'

config rule
        option name 'Allow-Ping'
        option proto 'icmp'
        option target 'ACCEPT'
        list icmp_type 'echo-request'
        option src 'lan'
        option dest '*'

config rule
        option name 'Allow-DHCPv6'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'lan'
        list src_ip 'fc00::/6'
        list dest_ip 'fc00::/6'

config rule
        option name 'Allow-ICMPv6-Input'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'packet-too-big'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'
        option src 'lan'

config rule
        option name 'Allow-ICMPv6-Forward'
        option dest '*'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'
        option src 'lan'

config include
        option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

Stop and disable the firewall, you have everything allowed anyway.
service firewall stop; service firewall disable
Also you don't have any loop in the network, so you can disable the stp on lan bridge.

Part 2, Trace
I only get an output when pinging the link-local address:

root@OpenWrt:~# tcpdump -i br-lan -vn ip6
tcpdump: listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
14:52:09.966450 IP6 (hlim 128, next-header ICMPv6 (58) payload length: 40) fe80::244d:d71e:fdf0:5d0e > fe80::c015:c8ff:fe70:4ada: [icmp6 sum ok] ICMP6, echo request, seq 220
14:52:09.969147 IP6 (flowlabel 0x8b69c, hlim 255, next-header ICMPv6 (58) payload length: 40) fe80::c015:c8ff:fe70:4ada > fe80::244d:d71e:fdf0:5d0e: [icmp6 sum ok] ICMP6, echo reply, seq 220
14:52:10.976081 IP6 (hlim 128, next-header ICMPv6 (58) payload length: 40) fe80::244d:d71e:fdf0:5d0e > fe80::c015:c8ff:fe70:4ada: [icmp6 sum ok] ICMP6, echo request, seq 221
14:52:10.977809 IP6 (flowlabel 0x8b69c, hlim 255, next-header ICMPv6 (58) payload length: 40) fe80::c015:c8ff:fe70:4ada > fe80::244d:d71e:fdf0:5d0e: [icmp6 sum ok] ICMP6, echo reply, seq 221
14:52:11.994907 IP6 (hlim 128, next-header ICMPv6 (58) payload length: 40) fe80::244d:d71e:fdf0:5d0e > fe80::c015:c8ff:fe70:4ada: [icmp6 sum ok] ICMP6, echo request, seq 222
14:52:11.997317 IP6 (flowlabel 0x8b69c, hlim 255, next-header ICMPv6 (58) payload length: 40) fe80::c015:c8ff:fe70:4ada > fe80::244d:d71e:fdf0:5d0e: [icmp6 sum ok] ICMP6, echo reply, seq 222
14:52:14.670571 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::244d:d71e:fdf0:5d0e > fe80::c015:c8ff:fe70:4ada: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::c015:c8ff:fe70:4ada
          source link-address option (1), length 8 (1): 10:62:e5:8a:55:23
14:52:14.672894 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::c015:c8ff:fe70:4ada > fe80::244d:d71e:fdf0:5d0e: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::c015:c8ff:fe70:4ada, Flags [solicited]
14:52:14.978665 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::c015:c8ff:fe70:4ada > fe80::244d:d71e:fdf0:5d0e: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::244d:d71e:fdf0:5d0e
          source link-address option (1), length 8 (1): c2:15:c8:70:4a:da
14:52:14.981474 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::244d:d71e:fdf0:5d0e > fe80::c015:c8ff:fe70:4ada: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is fe80::244d:d71e:fdf0:5d0e, Flags [solicited, override]
          destination link-address option (2), length 8 (1): 10:62:e5:8a:55:23
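To answer the earlier question about whether solicitations and advertisements cross the bridge, the `tcpdump -vn` text can be tallied by message kind. This is an added example, not part of the thread; the function names are hypothetical, the first sample is abridged from the trace above, and the second sample is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): tally tcpdump -vn IPv6 output by kind.
# A capture limited to the address-configuration traffic can be taken with
#   tcpdump -i br-lan -vn \
#     '(icmp6 and (ip6[40] == 133 or ip6[40] == 134)) or udp port 546 or udp port 547'
# (133 = router solicitation, 134 = router advertisement; ip6[40] is the
#  ICMPv6 type only when the packet carries no extension headers).
nd_trace_summary() {
    awk '
    /ICMP6, router solicitation/                   { rs++ }
    /ICMP6, router advertisement/                  { ra++ }
    /ICMP6, neighbor (solicitation|advertisement)/ { nd++ }
    /ICMP6, echo (request|reply)/                  { echo++ }
    / dhcp6 /                                      { d6++ }
    END { printf "rs=%d ra=%d dhcp6=%d nd=%d echo=%d\n", rs, ra, d6, nd, echo }'
}

# Abridged from the trace in the post: only echo and neighbor discovery.
thread_trace() {
    cat <<'EOF'
14:52:09.966450 IP6 (hlim 128, next-header ICMPv6 (58) payload length: 40) fe80::244d:d71e:fdf0:5d0e > fe80::c015:c8ff:fe70:4ada: [icmp6 sum ok] ICMP6, echo request, seq 220
14:52:09.969147 IP6 (flowlabel 0x8b69c, hlim 255, next-header ICMPv6 (58) payload length: 40) fe80::c015:c8ff:fe70:4ada > fe80::244d:d71e:fdf0:5d0e: [icmp6 sum ok] ICMP6, echo reply, seq 220
14:52:14.670571 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::244d:d71e:fdf0:5d0e > fe80::c015:c8ff:fe70:4ada: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::c015:c8ff:fe70:4ada
14:52:14.672894 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::c015:c8ff:fe70:4ada > fe80::244d:d71e:fdf0:5d0e: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::c015:c8ff:fe70:4ada, Flags [solicited]
EOF
}

# Constructed lines showing what a segment with working RA/DHCPv6 looks like.
healthy_trace() {
    cat <<'EOF'
15:00:01.000000 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 16) fe80::1 > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 16
15:00:01.010000 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 64) fe80::2 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 64
15:00:02.000000 IP6 (hlim 1, next-header UDP (17) payload length: 64) fe80::1.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=abc123)
EOF
}

thread_trace | nd_trace_summary
```

A summary with `ra=0` means no router advertisement was seen on br-lan during the capture, which matches clients that only have link-local connectivity.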

Firewall disabled, STP switched off.

The clients do not get a GUA. However, if connected directly to the Fritzbox or repeater, they do: