Obtain DHCPv6 addresses from other VLAN

Hi all,

I use a Linksys WRT3200ACM as router without WLAN with version 21.02.1.
I have created two additional VLANs (IOT and Office) on the router.
Both VLANs have their own DHCP server for IPv4 and IPv6. The assignment within the new VLANs also works as desired.
The main VLAN is allowed to access the IOT VLAN (lan > iot).
However, all computers within the main VLAN receive additional IPv6 addresses from the other VLANs (IOT and Office). I am really not sure whether this is correct, or how I can change it.
Maybe someone can help me with this.
Attached are the following configurations.

Many thanks in advance

/etc/config/network:

# /etc/config/network, devices and interfaces: one bridge over lan1-lan4, with
# the three internal networks attached to the VLAN sub-devices br-lan.1,
# br-lan.10 and br-lan.20.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# Main network: 192.168.10.1/24 on VLAN 1 (br-lan.1), plus a /64 taken from the
# delegated IPv6 prefix using hint '10'.
config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6hint '10'
	option ip6ifaceid '::1'
	option ipaddr '192.168.10.1'
	option device 'br-lan.1'

# MAC address redacted by the poster. The typographic quotes are presumably a
# paste artefact; a live config needs plain ASCII quotes here.
config device
	option name 'wan'
	option macaddr ‘XX:XX:XX:XX’

# IPv4 uplink via DHCP. peerdns '0' ignores the DNS servers offered by the
# upstream and uses the two resolvers listed below instead.
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '9.9.9.9'
	list dns '149.112.112.112'

# IPv6 uplink on the same device: requests a /56 prefix delegation, which the
# ip6assign/ip6hint options of lan, iot and office then split into /64s.
config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix '56'
	option peerdns '0'
	list dns '2620:fe::fe'
	list dns '2620:fe::9'

# Device stanza that only names eth0; no further options are set.
config device
	option name 'eth0'

# IoT network: 192.168.20.1/24 on VLAN 10 (br-lan.10), IPv6 /64 with hint '20'.
config interface 'iot'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6hint '20'
	option ip6ifaceid '::1'
	option device 'br-lan.10'

# Office network: 192.168.30.1/24 on VLAN 20 (br-lan.20), IPv6 /64 with hint '30'.
config interface 'office'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6ifaceid '::1'
	option device 'br-lan.20'
	option ipaddr '192.168.30.1'
	option ip6hint '30'

# VLAN membership of the bridge ports: VLAN 1 -> lan1, VLAN 10 -> lan2,
# VLAN 20 -> lan3. lan4 is a port of 'br-lan' but is not listed in any
# bridge-vlan section shown here.
#
# No port carries a ':t' suffix, so each VLAN presumably leaves its port
# untagged (confirm on the device). In that case the separation between lan,
# iot and office beyond the router depends entirely on the downstream switch
# mapping each uplink port to the matching VLAN through that port's PVID. The
# problem reported in this thread turned out to be such a PVID mismatch on the
# switch, not an error in this file.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan2'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan3'

/etc/config/firewall:

# /etc/config/firewall, global policies and the lan/wan zones.
# These defaults apply only where no zone matches; every zone in this file
# sets its own input/output/forward policy.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Main LAN zone: hosts may reach the router itself (input 'ACCEPT').
# Forwarding out of the zone is allowed only by explicit 'config forwarding'
# sections.
config zone 'lan'
	option name 'lan'
	option output 'ACCEPT'
	list network 'lan'
	option input 'ACCEPT'
	option forward 'REJECT'

# Uplink zone covering both wan and wan6: unsolicited traffic to the router
# and forwarded traffic are rejected unless a rule accepts it, and outgoing
# traffic is masqueraded (masq '1').
config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

# lan hosts may open connections towards the uplink.
config forwarding
	option src 'lan'
	option dest 'wan'

# Exceptions to the wan zone's REJECT policy (presumably the stock OpenWrt rule
# set; confirm against a default install). Rules without 'dest' accept
# traffic addressed to the router itself; rules with 'dest' accept forwarded
# traffic.

# DHCPv4 replies from the upstream to the router's own DHCP client (UDP 68).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# IPv4 echo-request from wan to the router itself.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# DHCPv6 replies to the router's own client (UDP 546), limited by source and
# destination prefix.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 types 130-132 and 143 from link-local sources only.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 addressed to the router on its wan side, including the neighbour and
# router discovery types, rate-limited to 1000 packets per second.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# dest '*' matches every zone, so the listed ICMPv6 types (echo-request among
# them) are forwarded from wan to hosts in iot and office as well as lan.
# Discovery types are not in this list, unlike the input rule above.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# NOTE(review): this rule and Allow-ISAKMP below forward ESP and UDP 500 from
# wan into the lan zone with no 'family' restriction. If no host in lan
# terminates IPsec, both rules can be disabled (option enabled '0').
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Present but switched off (enabled '0').
config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

# Custom rules file; its contents are not shown in this post, so anything it
# adds is outside what can be reviewed here.
config include
	option path '/etc/firewall.user'

# Zones and forwardings for the two additional VLANs.
#
# NOTE(review): input 'ACCEPT' on iot and office lets every host in those
# segments reach whatever services the router exposes on these interfaces.
# For a segment treated as less trusted, a tighter layout is input 'REJECT'
# plus explicit rules for what the segment needs from the router (DHCP, DNS,
# and the ICMPv6/DHCPv6 traffic required for addressing).
config zone
	option name 'iot'
	list network 'iot'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'ACCEPT'

config zone
	option name 'office'
	list network 'office'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'ACCEPT'

# Forwarding matrix for the added zones: iot -> wan, office -> wan and
# lan -> iot. No forwarding has iot or office as source and lan as
# destination, and none links lan and office.
config forwarding
	option src 'iot'
	option dest 'wan'

config forwarding
	option src 'office'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'iot'

# No 'dest' is set, so this accepts mDNS (UDP 5353 to 224.0.0.251) addressed
# to the router itself, and src '*' matches every zone, wan included.
# NOTE(review): if mDNS is only wanted from the internal networks, use one
# rule per internal zone instead of '*'. Whether anything on the router
# answers or relays mDNS is not visible in this post.
config rule
	list proto 'udp'
	option src_port '5353'
	option dest_port '5353'
	option target 'ACCEPT'
	option src '*'
	option family 'ipv4'
	list dest_ip '224.0.0.251'
	option name 'Allow-mDNS'

/etc/config/dhcp:

# /etc/config/dhcp: dnsmasq settings plus one DHCP/RA section per interface.
# rebind_protection '1' is enabled and localservice '1' is set.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'

# lan, iot and office all run a router-advertisement server and a DHCPv6
# server with the managed-config and other-config RA flags set. A host that
# receives an RA on its link can configure an address from the advertised
# prefix, so a host holding addresses from several of these prefixes is
# receiving RAs from more than one VLAN. That points to layer-2 leakage
# between the VLANs rather than to these sections.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option leasetime '12h'
	option dhcpv4 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option dhcpv6 'server'
	option limit '150'

# No DHCP or RA service is offered on the uplink (ignore '1').
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Same RA/DHCPv6 settings as lan; unlike lan, this section and 'office' below
# carry no explicit dhcpv4 option.
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option leasetime '12h'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option limit '150'
	option ra 'server'
	option dhcpv6 'server'

config dhcp 'office'
	option interface 'office'
	option start '100'
	option leasetime '12h'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option limit '150'
	option ra 'server'
	option dhcpv6 'server'

Your config looks correct. Could you please post also the following:

ifstatus wan6; ifstatus lan; ifstatus iot; ifstatus office

You may scramble the public IP part, but try to keep it consistent and don't change the last network bytes.
E.g., if your ISP delegates you 2001:db8:aaaa:bb00::/56, you can scramble the 2001:db8:aaaa part.

Looks good. Could you show us the ipconfig /all from a win host or ip -6 addr from a linux host in the lan, office, and iot vlan?

The windows host looks fine.
Regarding the iOS device, it is connected by cable only, right? Wifi is switched off?
On the WRT3200 you have disabled wifi. Is anything else connected to the lan ports, or only the Ethernet ports of the lan hosts?

The Windows host is in the Office VLAN. The issue seems to be just in the LAN VLAN.
The WRT3200 is wired only and is connected to a managed switch.
The VLAN config also matches on the managed switch (same VLAN IDs for dedicated ports).
On the switch, I have two wired dumb WiFi access points.
The iOS devices are also in the LAN VLAN (via WiFi).
My mac and my business notebook are wired.

I suspect misconfiguration of the managed switch and/or APs.
Connect the iOS device directly to a WRT3200 lan port, without the managed switch, and check the addresses.

Thanks a lot trendy.
I will check the switch configuration.

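I was able to solve the problem. On the switch, the ports were set as "General" and had the default VLAN with PVID=1 assigned in addition to the IOT or Office VLAN. With PVID=1, untagged frames arriving on those ports were presumably placed into VLAN 1, which would explain why router advertisements meant for the IOT and Office VLANs also reached the hosts in the main VLAN. I changed the ports to Access with the corresponding PVID and now it works.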
