No IPv6 router advertisement for the clients

Sylvan · January 18, 2021, 5:24am

My Setup: Internet -> WAN (LTE-Modem) -> Router -> LAN (Clients)

My router got a global unicast address for his wan-side (2a01:598[...]/64). I think that he got it via router advertisement and SLAAC because i disabled DHCP at the LTE-modem.
From the ssh-shell at the router i`m able to do a dns-request:

dns-request

nslookup openwrt.org
Server:         127.0.0.1
Address:        127.0.0.1#53
Name:      openwrt.org
Address 1: 139.59.209.225
Address 2: 2a03:b0c0:3:d0::1af1:1

and a ping to the IPv6-address:

ping to IPv6

ping 2a03:b0c0:3:d0::1af1:1
PING 2a03:b0c0:3:d0::1af1:1 (2a03:b0c0:3:d0::1af1:1): 56 data bytes
64 bytes from 2a03:b0c0:3:d0::1af1:1: seq=0 ttl=48 time=47.528 ms
64 bytes from 2a03:b0c0:3:d0::1af1:1: seq=1 ttl=48 time=38.242 ms

So it looks like there is a router in the wan-side, which performs a router advertisement and distributes the global network prefix.

At the client side (my thinkpad) i only get the link local address (fe80::7d24:27ad:7379:c0b7%12) and a bunch of (i presume that they are unique local unicast addresses) other addresses:

other client IPv6 addresses

fd18:c585:1ade:1::39
fd18:c585:1ade:1:7d24:27ad:7379:c0b7
fd18:c585:1ade:1:a877:8ccf:c3f:83fa
fd18:c585:1ade:1:e0ad:b02f:922c:b392

However, I do not see a single global unicast address, therefore I don't have IPv6 access to the Internet on the client. For now, my goal is to provide the clients with a global IPv6 address via SLAAC so that they can connect to the Internet.

For me it seems therefore, that the router advertisement is not forwarded from the router to the lan. I'm just not clear yet where exactly to look for the cause. Is this a problem of the settings of the interface/DHCP or the firewall? I'm not an IPv6 expert - I'm just reading up on it so any tips would be extremely appreciated. I have attached my essential configuration files. If someone also finds errors in them apart from the IPv6 problem - please let me know.

network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd18:c585:1ade::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option igmp_snooping '1'
	option ipaddr '192.168.0.2'
	list dns '1.0.0.1'
	list dns '1.1.1.1'
	list dns '8.8.4.4'
	list dns '8.8.8.8'
	list dns '9.9.9.9'
	option gateway '192.168.1.1'
	option ip6assign '64'

config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr 'ec:41:18:eb:66:88'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'static'
	option gateway '192.168.1.1'
	option ipaddr '192.168.1.2'
	list dns '1.0.0.1'
	list dns '1.1.1.1'
	list dns '8.8.4.4'
	list dns '8.8.8.8'
	list dns '9.9.9.9'
	option netmask '255.255.255.0'
	option ip6assign '64'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '6t 3 2t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '6t 1'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '6t 2t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '6t 2t'
	option vid '4'

config interface 'gast'
	option proto 'static'
	option ipaddr '192.168.3.2'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	option ifname 'eth0.3'
	list dns '1.0.0.1'
	list dns '1.1.1.1'
	list dns '8.8.4.4'
	list dns '8.8.8.8'
	list dns '9.9.9.9'
	option ip6assign '64'
	option type 'bridge'

dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'
	list server '1.0.0.1'
	list server '1.1.1.1'
	list server '8.8.4.4'
	list server '8.8.8.8'
	list server '9.9.9.9'

config dhcp 'lan'
	option interface 'lan'
	option limit '150'
	option leasetime '6h'
	option start '50'
	option force '1'
	option ra 'hybrid'
	list dns '2606:4700:4700::1001'
	list dns '2606:4700:4700::1111'
	option ndp 'hybrid'
	option dhcpv6 'hybrid'
	option ra_management '0'
	list dhcp_option '6,1.0.0.1,192.168.0.9'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'gast'
	option start '100'
	option limit '150'
	option interface 'gast'
	list dhcp_option '6,1.0.0.1,1.1.1.1'
	option leasetime '1h'

firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option network 'gast'
	option forward 'REJECT'
	option name 'gast'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding
	option dest 'wan'
	option src 'gast'

config rule
	option dest_port '67-68'
	option src 'gast'
	option name 'allow-gast-dhcp-router'
	option target 'ACCEPT'

config rule
	option dest_port '53'
	option src 'gast'
	option name 'allow-gast-dhcp-dns'
	option target 'ACCEPT'

thedukesd · January 18, 2021, 8:17pm

Think you need to set accept_ra to 2. As far as I know accept_ra is set to 0 in OpenWRT since this commit https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=bb46520159c0119e829900e29681feea6f297fe0

If I remember right it should be something like

sysctl net.ipv6.conf.all.accept_ra=2

Replace "all" with the name of the interfaces you need it enabled if you don't want to enable it for all interfaces (if all doesn't work do it for each interface that you need to have it enabled).

More info about the accept_ra values here: https://sysctl-explorer.net/net/ipv6/accept_ra/

I have a similar situation: isp - router 1 (ipv4+ipv6) (OEM firmware) - router 2 (yep double nat for ipv4) (OpenWRT) - client
to get ipv6 from router 1 (that was actually getting a class from isp) i had to set accept_ra=2 to router 2. I was geting IPv6 on router 2 and it was working to ping an IPv6 address but clients either were not getting any real IPv6 or if they were getting one ping/tracepath/traceroute on an IPv6 address was plain not working (IPv4 was happy working with the double NAT), same as anything related to IPv6 basicaly not even the first node was answering.

L.E.: Think after a reboot accept_ra will change back to 0.and you have to add that command to /etc/rc.local. I suggest to add a sleep 10 or something like that before it.

Sylvan · January 18, 2021, 8:31pm

Thank you very much for the hint - I would not have figured this out by myself.
I tried it the following way:

run sysctl net.ipv6.conf.all.accept_ra=2 on my router
reload the network settings with service network reload
disconnect a client and reconnect again
But my problem still exists - the client still have only local IPv6-addresses

Btw: Do i need to have a global IPv6 address to send a ping to a global address?
Because if not i`m not able to ping from a client to a known global host. So then the ping might get blocked on the way.

trendy · January 18, 2021, 8:39pm

Remove these from lan interface.

and these from the gast.

remove masquerade from lan zone.

set it back to default 1

Finally do a ifstatus wan6 and post here the output.

Sylvan · January 18, 2021, 8:46pm

I did as you told:

output of `ifstatus wan6`

{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 194179,
	"l3_device": "eth0.2",
	"proto": "dhcpv6",
	"device": "eth0.2",
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		
	],
	"ipv6-address": [
		{
			"address": "2a01:598:808a:6587:ee41:18ff:feeb:6687",
			"mask": 64
		}
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "2a01:598:808a:6587::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"source": "::/0"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::86d1:5aff:fe04:205c",
			"metric": 512,
			"valid": 53302,
			"source": "2a01:598:808a:6587:ee41:18ff:feeb:6687/64"
		}
	],
	"dns-server": [
		"fe80::86d1:5aff:fe04:205c"
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		"passthru": "00170010fe8000000000000086d15afffe04205c"
	}
}

Btw: Do i need to set some options at the access points too? These are dumb APs with deactivated firewall.

vgaetera · January 18, 2021, 8:55pm

https://openwrt.org/docs/guide-user/network/ipv6/configuration#ipv6_relay

Sylvan · January 18, 2021, 8:59pm

Thanks - i tried but still got only local addresses

trendy · January 18, 2021, 9:02pm

Post uci export dhcp after you configure the relay.

Sylvan · January 18, 2021, 9:19pm

Ha! - it works!

I think it's a combination of trendy`s and vgaetera (how do you pronounce it?!?) settings and maybe the setting from thedukesd.
I still need to observe if the accept_ra setting is necessary for this or not.
Now I have a basis on which I can build and further optimize.

Many thanks to all here - especially for your time.

The working settings are these:

output of uci export dhcp


config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'
	list server '1.0.0.1'
	list server '1.1.1.1'
	list server '8.8.4.4'
	list server '8.8.8.8'
	list server '9.9.9.9'

config dhcp 'lan'
	option interface 'lan'
	option limit '150'
	option leasetime '6h'
	option start '50'
	option force '1'
	option ra 'relay'
	list dns '2606:4700:4700::1001'
	list dns '2606:4700:4700::1111'
	option ndp 'relay'
	option dhcpv6 'relay'
	option ra_management '1'
	list dhcp_option '6,192.168.0.9'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config dhcp 'wan6'
	option dhcpv6 'relay'
	option ra 'relay'
	option ndp 'relay'
	option master '1'
	option interface 'wan6'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'gast'
	option start '100'
	option limit '150'
	option interface 'gast'
	list dhcp_option '6,1.0.0.1,1.1.1.1'
	option leasetime '1h'

system · January 28, 2021, 9:19pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.