No IPv6 routing, OpenWrt box behind a WAN router

Configuration: FB4040 with a freshly installed OpenWRT 19.07.2 behind a FB6490 used for cable access (dual stack lite).

PC --- LAN --- FB4040 --- WAN/WAN6 --- FB6490 --- ISP

The FB4040 is configured fairly close to the OpenWRT default setup and IPv4 is working fine. IPv6 isn't though. The WAN6 interface is set up as DHCP6 client and appears to correctly receive a delegated network for its LAN. A PC within the LAN can register with DHCP6 and receives an IPv6 within this delegated network. So far everything looks nice.

IPv6 internet pings by the FB4040 are successful, using its WAN6 side address. Pings from the PC in the LAN local to the FB4040 however are not. A tcpdump on the WAN6 interface of the FB4040 shows the packets passing outbound, but there is no reply. The 6490 does not have a trace option, so I cannot see what's going on there.

A wireshark trace within the WAN/WAN6 network between the FB4040 and the FB6490 shows router advertisements for 2xxx:xxxx:xxxx:2000::/56 by the outer FB6490. It does not show any router advertisements by the inner FB4040 though.

I'm not perfect with the IPv6 stuff, but expected the inner FB4040 to place its own router advertisements for 2xxx:xxxx:xxxx:20fc::/62 on its exterior network, else the stations there, including the outer FB6490, do not know where to route the LAN addresses.

ISP:
IP Prefix 2xxx:xxxx:xxxx:2000::/56

WAN6:
IPv6 2a02:xxxx:xxxx:2000:yyyy:yyyy:yyyy:22dc/128
IPv6-PD: 2xxx:xxxx:xxxx:20fc::/62

PC within LAN:
IPv6 2xxx:xxxx:xxxx:20fc:zzzz:zzzz:zzzz:7a6a

@prx99, welcome to the community!

Then...

  • Please show your DHCP and Network config for LAN

I surmise you'd simply need to tell LAN to assign a /64 and to get its prefix hint from WAN6.

# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd5:0044:1914::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.88.1'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'
        option reqprefix 'auto'
        option reqaddress 'force'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 4'
        option vid '1'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.88.1'
	option ip6assign '64'
	option ip6class 'wan6'

(your original config assigned a /60, when your PD is only a /62 - I changed this to /64)

Not sure this is needed; but leave it for now.

Still, the only router advertisements shown on the intermediate network between both routers are those of the outer router every 10 minutes. The inner router, the OpenWRT, advertises at 5-minute intervals on its inside network (LAN) only, but not on its outside WAN6.

Since there was no wan6 mentioned in the dhcp config, I just added

config dhcp 'wan6'
        option interface 'wan6'
        option ignore '1'
        option ra 'server'

without having an idea what that really means. Now I've got a router advertisement by the inner router on the intermediate network, but without the interesting part, the network information.

Huh???

So where is that ISP IPv6 PD config coming from???

That needs to be showing on your OpenWrt device for this to work...you do understand that, correct?

Luci shows a protocol "DHCPv6 client" and the delegation appears to work. The prefix matches the one provided by the ISP - see 1st post.

Ethernet Adapter
Device: eth1
Uptime: 2h 43m 53s
MAC: xx:xx:FD:0F:22:DC
RX: 88.74 MB (134294 Pkts.)
TX: 13.97 MB (56357 Pkts.)
IPv6: 2a02:xxxx:xxxx:2000:yyyy:yyyy:fe0f:22dc/128
IPv6-PD: 2a02:xxxx:xxxx:20fc::/62

The protocol is mentioned in the network config:

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'
        option reqprefix 'auto'
        option reqaddress 'force'

Ignore 1 means disable ...

That means that the wan6 still doesn't have DHCP enabled, so no dhcpv6 based address.

Edit
Sorry, that comment was probably wrong

The intermediate network already has a DHCPv6 running, provided by the outer router. Activating a second DHCPv6 might not be a good idea. I just want the RAs, not a DHCP server.

Played with a few more settings of the dhcp config of wan6:

ra_management appears to have no effect. The flag bits are stuck at 0.

ra_default results in a nonzero router lifetime field only when set to 2. What's this "default route" mentioned in the docs?

You don't need this.

I think you mean pings to the FB6490, otherwise they wouldn't go out of wan6.
Are you trying to ping to some host in the LAN of FB6490 or the 6490?
Pinging the internet works fine?

Pinging IPv4 works, local and internet, on PC or FB4040

Pinging IPv6 works when done on the FB4040, local or internet. The source addr of those pings is the one of the FB4040 within the WAN6 network, so there is no back route necessary.

Pinging IPv6 does not work when done from a PC in LAN. In this case, the source address is within the delegated network. The packet can be seen on the outbound interface eth1 by tcpdump on the FB4040.

Yes, but is it affecting both the internet pings and the 6490 lan pings or only the lan?

Sorry, I do not understand the question.

What does work?
Ping from host2 to host1?
Ping from host2 to FB6490?
Ping from host2 to ipv6.google[.]com?

      +-------+
      |       |
      | FB6490|
      |       |
      +-------+
      |    |   
+-----|+   |   
|host1||   |   
+------+   |   
           |   
           |   
   +---------+ 
   | FB4040  | 
   +---------+ 
   |  +-------+
   +- | host2 |
      +-------+

Thanks. Took a while but I got it in the meantime too. :wink:

host2 => host1 fails. Wireshark on host1 sees the packet, but there is no reply. On host1, there is no specific route to the LAN shown. It however appears to have 2 default routes, one for each router, and additionally a /56 route to FB6490.

host2 => FB6490 works.

host2 => internet fails.

The first case fails because you have asymmetric routing. Echo request goes host2->fb4040->host1. Reply goes host1->fb6490 where it is blocked as invalid, because the firewall on 6490 never examined the initial packet. You need to find in the config of 6490 how to disable this.

The third case is weird, but still it is not an issue of OpenWrt, if you can see the packet in tcpdump leaving wan6 with correct source and destination IPs.

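The asymmetric-routing explanation above can be checked against host1's routing table with a longest-prefix match. This is an added example, not part of any post in the thread: the 2001:db8:: addresses and the route metrics are constructed stand-ins for the masked values, and the table follows the description of host1 given earlier (two default routes plus a /56 route to FB6490).

```python
import ipaddress

# Constructed stand-ins for the masked addresses in the thread
# (2001:db8::/32 is the documentation range, not the poster's real prefix).
ISP_PREFIX = ipaddress.ip_network("2001:db8:0:2000::/56")  # announced by FB6490
DELEGATED = ipaddress.ip_network("2001:db8:0:20fc::/62")   # PD handed to FB4040
HOST2 = ipaddress.ip_address("2001:db8:0:20fc::7a6a")      # PC behind FB4040
INTERNET = ipaddress.ip_address("2001:db8:ffff::1")        # any off-site host

# host1's table as described in the thread: (prefix, next hop, metric).
# The metrics are assumed equal; the thread does not state them.
HOST1_ROUTES = [
    (ipaddress.ip_network("::/0"), "FB6490", 256),
    (ipaddress.ip_network("::/0"), "FB4040", 256),
    (ISP_PREFIX, "FB6490", 256),
]


def next_hop(routes, dst):
    """Longest-prefix match; ties go to the lowest metric, then table order."""
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]


def reply_path_is_symmetric(routes, dst, forward_router):
    """True if replies to dst leave via the router the request arrived through."""
    return next_hop(routes, dst) == forward_router


def with_delegated_route(routes):
    """Same table plus a more-specific route for the delegated /62 via FB4040."""
    return routes + [(DELEGATED, "FB4040", 256)]


if __name__ == "__main__":
    # The request came host2 -> FB4040 -> host1; where does the reply go?
    print("reply to host2 via:", next_hop(HOST1_ROUTES, HOST2))
    print("symmetric:", reply_path_is_symmetric(HOST1_ROUTES, HOST2, "FB4040"))
    fixed = with_delegated_route(HOST1_ROUTES)
    print("with /62 route via:", next_hop(fixed, HOST2))
```

Because the delegated /62 lies inside the /56, the /56 route wins over both default routes, so host1 would hand any reply for host2 to FB6490 unless it holds a more-specific route via FB4040.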

Nope. In the first case there is no reply shown by the Wireshark running on host1. Only the incoming echo requests are shown. Host1 does not even transmit the reply.

Host1 => internet works and both the echo request and the reply are shown by Wireshark.

FB4040 can ping host1.

Is host1 Windows?
