OpenWrt Raspberry 4B WAN_IPv6 getting no IP from ISP

Gillan · August 5, 2021, 2:13pm

Hello,

i was using before a Netgear R7800 because of the bad cpu performance for shaping i use now a Raspberry 4B with OpenWRT. On the Netgear the IPv6 worked fine.

I think its a configuration failure.

I did everything the guide on this website offers. But im still getting no IPv6 from the isp.

/etc/config/network/

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd00:db80::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.1.1'
	option ip6hint '10'
	option ip6assign '60'

config interface 'WAN'
	option proto 'dhcp'
	option device 'eth1'
	option peerdns '0'
	option hostname '*'
	list dns '127.0.0.1'

config interface 'WAN_IPv6'
	option device 'eth1'
	option reqaddress 'try'
	option reqprefix 'auto'
	option proto 'dhcpv6'
	option ip6prefix '2001:db80::/56'

/etc/config/dhcp/

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list server '127.0.0.1#5453'
	list server '127.0.0.1#5453'
	option noresolv '1'
	option dnssec '1'
	option dnsseccheckunsigned '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option dhcpv6 'relay'
	option ra 'relay'
	option ndp 'relay'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'WAN_IPv6'
	option interface 'WAN_IPv6'
	option ignore '1'
	list ra_flags 'none'
	option dhcpv6 'relay'
	option ra 'relay'
	option ndp 'relay'
	option master 1

And with this config because the DHCPv6 is disabled i get no IPv6 for my devices on lan.

Maybe you have a solution for my problem.

Best regards

Gillan

Edit:

root@OpenWrt:~# ifstatus WAN_IPv6
{
"up": false,
"pending": true,
"available": true,
"autostart": true,
"dynamic": false,
"proto": "dhcpv6",
"device": "eth1",
"data": {

}

Maybe this is the main problem.

iplaywithtoys · August 5, 2021, 4:59pm

My own Raspberry Pi 4B has only one network interface (eth0).

What device are you using with yours for the second interface (eth1)?

Gillan · August 5, 2021, 5:16pm

An usb dongle with rtl8152 chipset. I think the problem of not getting any ipv6 address is the not starting wan_IPV6 interface. If i use ifup [interface name] it timed out.

Edit:

Now the ifup command works without timeout. Log showing "daemon.notice netifd: Interface 'WAN_IPV6' is enabled".

But ifstatus is still responding:

 ifstatus WAN_IPV6
{
        "up": false,
        "pending": true,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "proto": "dhcpv6",
        "device": "eth1",
        "data": {

        }

iplaywithtoys · August 5, 2021, 5:28pm

What does a packet capture on eth1 reveal?

Gillan · August 5, 2021, 5:37pm

Eth1 is working but only with ipv4. The WAN (ipv4) is up and working. But i want use also ipv6 wan.

There is a Virtual dynamic interface (Unmanaged) interface named "WAN_6". But it's normal. I saw this also on the R7800 with OpenWrt. I use the R7800 router behind the Raspi for testing WAN6. R7800's WAN6 is working, the relevant options in config for Network and DHCP are identical with Raspi 4.

On the Raspi Openwrt some options are missing in Luci. Inbuild ipv6 management and ipv6 stateful stateless option. Maybe this kills the functionality of IPv6 WAN?

You have to use this snapshots because there are no other firmware files.

iplaywithtoys · August 5, 2021, 6:06pm

So, what does a packet capture on eth1 reveal? Does it reveal any DHCPv6 traffic at all, in either direction?

Gillan · August 5, 2021, 9:44pm

Ok, it's the isp.Also the R7800 ipv6 via wan isnt working anymore. I would wonder if ipv6 assignment via wan would be such complicated, even with openwrt without complete wan config "out of the box" like on the raspi4. I will try it in the future again. But before i invest time in investigation a problem, i will use a fritzbox with ipv6 to be sure its really running by isp. Today the isp had a longer crash maybe they disabled ipv6 temporary.

The R7800 was showing the same ifstatus response. It is normal if isp is not offering DHCPv6?

No the packet capture is not revealing any DHCPv6 traffic. But i wonder why the WAN_IPV6 was showing the same increase of data like the WAN_IPV4 without obtaining any IPV6.

Edit:

IPv6 was not working because my isp has implemented a protocol called RD6.

Now its working with the helpful information from the internet.

IPv6 Prefix where i get the info from? I used the same value as the guy (customer of isp) used. It would be better i will use another value?

I used as remote ip address my curren ipv4? This should be wrong if my ipv4 is changing. Which is the right value for auto assignment?

Gillan · August 6, 2021, 10:55am

I deleted the WAN_IPV6 Interface because its useles, not coming up. Now the virtual wan interface is spawning itself with RD6 protocol, without any additional data. And i get Ipv6.

The virtual interface is not related to any firewall rules. So i cant close or open ports. Maybe its all related to Ipv4 Firewall, because the RD6 sits on the IPv4 interface?

Which dns service is the virtual interface using? I use DOT via stubby for IPv4 WAN.

Edit:

I did a port check. No ipv6 ports are open from outside. So the virtual interface must be related to ipv4 firewall.

iplaywithtoys · August 6, 2021, 4:36pm

From your ISP. Don't just pick values at random. Your ISP will be able to give you all the information you require to run IPv6 on your network.

Gillan · August 6, 2021, 8:42pm

Maybe i should use ipv6 via autoconfig, after installing 6rd protocol. But far as i can tell, 6rd is useless and not fully under my control according to firewall rules and dns. Nothing is changeable if its running over the virtual interface. The normal wan6 interface (which i created) will not receive the config from the isp automatically.

How can i check working of dot on my router?

iplaywithtoys · August 7, 2021, 8:13am

You're trying to solve two problems at once. My recommendation is: don't. It often adds to one's confusion, from experience.

Solve each problem in turn.

First, get IPv6 working on its own, without any consideration for DNS. Prove that you can get an IPv6 assignation from your ISP (or prove that your ISP is the cause of the problem and then take your money to a different ISP). Prove that you can get routed IPv6 traffic to a host elsewhere on the Internet.

Once you've got IPv6 working, then look at DNS.

By the way, DoT, DoH, DNSSEC, et al, don't need IPv6. They also work over IPv4. So consider what your actual objective is.

If your objective is to have a working IPv6 setup, then go ahead. But if your objective is to have working DoT/DoH/DNSSEC and you don't necessarily care about IPv6, then you may wish to refocus your efforts on the DNS side of things.

Gillan · August 7, 2021, 12:05pm

DOT is working checked it with tcpdump on the router. No udp traffic on port 53 and port 853 is in use if dns request from my browser has been made.

Is the auto assignment on the virtual interface not enough for IPv6. If the virtual interface is getting an IPv6 address i get a IPv6 on the internet.

6rd is based on IPv4 so the firewall must be the same?

iplaywithtoys · August 7, 2021, 12:55pm

Why must it be the same? What is the evidence for your assertion?

vgaetera · August 7, 2021, 1:53pm

https://openwrt.org/releases/21.02/notes-21.02.0-rc4#known_issues

Gillan · August 7, 2021, 2:35pm

Because if i use IPv6 via virtual interface. All ports are closed from outside. So it must be the IPv4 firewall.

@vgaetera

Thank you. Another reason for not using IPv6 atm. Especially if its running via 6rd and i'm using stubby which needs further configuration for wan_ipv6 which isn't possible on virtual interface.

Gillan · August 9, 2021, 8:09am

The only possibility to get ipv6 is to use virtual dynamic interface after installing the 6rd package.

As i said 6rd is based on ipv4:

Its using ipv4. So no additional config is needed. Even if the virtual interface for ipv6 via 6rd is active its requesting dns via port 853. When i open ipv6 website.There is 0 ipv6 traffic on eth1 (wan).

ifstatus wan_6 says:

 "data": {
                "zone": "wan"
        }

So it mustbe the same firewall as ipv4 is using.

But for the virtual interface dns server is empty:

´ "dns-server": [

on ipv4 its using 127.0.0.1 for stubby.

You cant change the dns for the virtual interface.

You always get "uci invalid argument" .

The dns leak test says only ipv4 cloudflare dns in use. Strange when ipv6 is really (i get ipv6 address) used :D.

vgaetera · August 9, 2021, 11:36am

The DNS leak test can only detect public recursive resolvers.
Apparently, your DNS requests go to a forwarder first.
It works similarly to Dnsmasq on your router.
That's typically used for load balancing.
But can be a sign of DNS hijacking.

murraydr44 · September 15, 2021, 6:55pm

Assign wan firewall side to the 6rd interface. It is grayed out in your screenshot.