Ignore 1 means disable ...
That means that the wan6 still doesn't have DHCP enabled, so no dhcpv6 based address.
Edit
Sorry, that comment was probably wrong
The intermediate network already has a DHCPv6 running, provided by the outer router. Activating a second DHCPv6 might not be a good idea. I just want the RAs, not a DHCP server.
Played with a few more settings of the dhcp config of wan6:
ra_management appears to have no effect. The flag bits are stuck at 0,
ra_default results in a nonzero router lifetime field only when set to 2. What's this "default route" mentioned in the docs?
You don't need this.
I think you mean pings to the FB6490, otherwise they wouldn't go out of wan6.
Are you trying to ping to some host in the LAN of FB6490 or the 6490?
Pinging the internet works fine?
Pinging IPv4 works, local and internet, on PC or FB4040
Pinging IPv6 works when done on the FB4040, local of internet. The source addr of those pings is the one of the FB4040 within the WAN6 network, so there is no back route necessary.
Pinging IPv6 does not work when done from a PC in LAN. In this case, the source address is within the delegated network. The packet can be seen on the outbound interface eth1 by tcpdump.on the FB4040.
Yes, but is it affecting both the internet pings and the 6490 lan pings or only the lan?
Sorry, I do not understand the question.
What does work?
Ping from host2 to host1?
Ping from host2 to FB6490?
Ping from host2 to ipv6.google[.]com?
+-------+
| |
| FB6490|
| |
+-------+
| |
+-----|+ |
|host1|| |
+------+ |
|
|
+---------+
| FB4040 |
+---------+
| +-------+
+- | host2 |
+-------+
Thanks. Took a while but I got it in the meantime too. 
host2 => host1 fails. Wireshark on host1 sees the packet, but there is no reply. On host1, there is no specific route to the LAN shown. It however appears to have 2 default routes, one for each router, and additionally a /56 route to FB6490.
host2 => FB6490 works.
host2 => internet fails.
The first case fails because you have asymmetric routing. Echo request goes host2->fb4040->host1. Reply goes host1->fb6490 where it is blocked as invalid, because the firewall on 6490 never examined the initial packet. You need to find in the config of 6490 how to disable this.
The third case is weird, but still it is not an issue of OpenWrt, if you can see the packet in tcpdump leaving wan6 with correct source and destination IPs.
1 Like
Nope. In the first case there is not reply shown by the Wireshark running on host1. Only the incoming echo requests are shown. Host1 does not even transmit the reply.
Host1 => internet works and both the echo request and the reply are shown by Wireshark.
FB4040 can ping host1.
Is host1 Windows?
1 Like
I've been blocked by the forum for a day, being my first day after registration.
Thanks. Yes, it was the Windows firewall. After opening the firewall, host2 => host1 was successful. And both the destination MAC by the reply as sent by host1 as well as the senders MAC shown in tcpdump on the inner router are the one of the outer router, so indeed there is asymmetric routing.
So there still is a routing problem, IMHO caused by missing RAs. Whether solving it also solves the problem with internet pings is a different question indeed, as the outer router apparently knows what to do with the reply packet even though noone else in this net knows.
What is missing? The OpenWrt will not send RAs to the wan interface.
Since prefixes delegated to subnet routers by DHCPv6 are dynamic in nature, I think it should send RAs for the prefixes it routes. If not, how can anyone but the DHCPv6 server itself know the proper routing? Having asymmetric routing forever cannot be the solution.
Things were a bit different in IPv4, where delegations were static in nature, and proper routing relied on manual configuration or separate routing protocols.
It is exactly the same in ipv4.
Host1 has default gw to fb6490 only, unless you add a static route for the network behind fb4040. You can add a static route in ipv6 too if you want to avoid this little asymmetry.
The /56 address provided by the ISP for private internet access is dynamic, though it doesn't change often. This makes static network addresses and prefixes a problem. In IPv4 this is solved by NAT, but IPv6 should not need NAT.
Ok, I probably have to accept this.
There are ULA addresses (the private addresses in IPv6).
You can also try to send out RAs in the lan of fb6490, multiple routers are allowed in ipv6, but I have never done it.
Update: Indeed there have been two problems.
(1) Not solved: Asymmetric routing.
(2) Solved: No access to internet by IPv6 clients in delegated LAN.
Problem (2) turned out to be bug in the filter module of the outer router. A workaround was provided by AVM.
Thanks for all the help.
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.