OpenWrt router behind ISP router: GUA delegation not working

Installing and Using OpenWrt Network and Wireless Configuration
1

Hi.

I am trying to get GUA delegation working for LAN clients.

Configuration is:

ISP router - OpenWrt router - clients

Firstly, this is what my ISP router shows:

Screenshot from 2022-03-11 15-46-48
Screenshot from 2022-03-11 15-46-48746×574 42.6 KB

If I plug a Linux PC into this router, I get the following:

2: enp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:e0:4c:77:16:f5 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.112/24 brd 192.168.1.255 scope global dynamic noprefixroute enp6s0
       valid_lft 86392sec preferred_lft 86392sec
    inet6 2a01:xxxx:xxxx:xxxx:4ffb:fc38:3fbb:7701/64 scope global dynamic noprefixroute 
       valid_lft 86081sec preferred_lft 71681sec
    inet6 fd00::6319:feaf:9567:b480/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::a697:868c:8b3:af37/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

Pluging the OpenWrt router in shows:

Screenshot from 2022-03-11 17-39-22
Screenshot from 2022-03-11 17-39-22969×450 59.7 KB

Config files are as follows:

network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdeb:7f2b:e5be::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config device
	option name 'eth0'
	option macaddr '10:7b:44:59:9b:1c'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.10.1'

config device
	option name 'eth1'
	option macaddr '10:7b:44:59:9b:18'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'
	list dns '84.200.69.80'
	list dns '84.200.70.40'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'
	option peerdns '0'
	list dns '2001:1608:10:25::1c04:b12f'
	list dns '2001:1608:10:25::9249:d69b'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'

dhcp:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

ifstatus wan6:

{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 506,
	"l3_device": "eth1",
	"proto": "dhcpv6",
	"device": "eth1",
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		
	],
	"ipv6-address": [
		{
			"address": "2a01:xxxx:xxxx:xxxx:127b:44ff:fe59:9b18",
			"mask": 128,
			"preferred": 69851,
			"valid": 84251
		},
		{
			"address": "fd00::127b:44ff:fe59:9b18",
			"mask": 64
		}
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "2a01:xxxx:xxxx:xxxx::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"valid": 84251,
			"source": "::/0"
		},
		{
			"target": "fd00::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"source": "::/0"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::1",
			"metric": 512,
			"valid": 1382,
			"source": "::/0"
		}
	],
	"dns-server": [
		"2001:1608:10:25::1c04:b12f",
		"2001:1608:10:25::9249:d69b"
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			"fe80::1"
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		"passthru": "00170010fe800000000000000000000000000001"
	}
}

Things I notice:

  1. The Linux PC gets a /64 address, but the OpenWrt router gets a /128 address. Is this expected?
  2. The OpenWrt router has no IPv6-PD. Is this why the LAN clients are not getting any GUA address delegated?

I've tried setting the "reqprefix" parameter to various values, eg. 64, 60, etc. but this doesn't make any difference.

Can anyone tell me if this is a fundamental limitation of my ISP router and I'm wasting my time, or if there are any configuration changes I can make on the OpenWrt router to get this working.

I can see there are many other similar threads to this but, having spent hours going through them, I still can't get this working.

I'm tearing my hair out on this so, any help is very much appreciated. Thanks.

2

Just adding some more info.

If I remove the ISP router from the configuration, the OpenWrt router shows:
Screenshot from 2022-03-13 10-58-42

I also ran some network traces. Without the ISP router I see:

11:00:06.228860 10:7b:44:59:9b:18 > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 164: (flowlabel 0xae3a0, hlim 1, next-header UDP (17) payload length: 110) fe80::127b:44ff:fe59:9b18.546 > ff02::1:2.547: [bad udp cksum 0xeef2 -> 0x86ec!] dhcp6 solicit (xid=d31000 (elapsed-time 0) (option-request SIP-servers-domain SIP-servers-address DNS-server DNS-search-list SNTP-servers NTP-server AFTR-Name opt_67 opt_94 opt_95 opt_96 opt_82) (client-ID hwaddr type 1 107b44599b18) (reconfigure-accept) (Client-FQDN) (IA_NA IAID:1 T1:0 T2:0) (IA_PD IAID:1 T1:0 T2:0))
11:00:06.243327 c8:8d:83:b7:0c:ab > 10:7b:44:59:9b:18, ethertype IPv6 (0x86dd), length 211: (flowlabel 0x00201, hlim 255, next-header UDP (17) payload length: 157) fe80::ca8d:83ff:feb7:cab.547 > fe80::127b:44ff:fe59:9b18.546: [udp sum ok] dhcp6 advertise (xid=d31000 (IA_NA IAID:1 T1:43200 T2:64800 (IA_ADDR 2a01:xxxx:xxxx:xxxx:557a:955b:3e3a:32ef pltime:72000 vltime:86400)) (IA_PD IAID:1 T1:43200 T2:64800 (IA_PD-prefix 2a01:xxxx:xxxx:xxxx::/56 pltime:72000 vltime:86400)) (client-ID hwaddr type 1 107b44599b18) (server-ID hwaddr/time type 1 time 588232101 005056b6ee86) (reconfigure-accept) (DNS-search-list hyperoptic.com.))
11:00:07.684475 10:7b:44:59:9b:18 > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 237: (flowlabel 0xae3a0, hlim 1, next-header UDP (17) payload length: 183) fe80::127b:44ff:fe59:9b18.546 > ff02::1:2.547: [bad udp cksum 0xef3b -> 0x4236!] dhcp6 request (xid=e44cd6 (elapsed-time 0) (option-request SIP-servers-domain SIP-servers-address DNS-server DNS-search-list SNTP-servers NTP-server AFTR-Name opt_67 opt_94 opt_95 opt_96) (client-ID hwaddr type 1 107b44599b18) (server-ID hwaddr/time type 1 time 588232101 005056b6ee86) (reconfigure-accept) (Client-FQDN) (IA_NA IAID:1 T1:0 T2:0 (IA_ADDR 2a01:xxxx:xxxx:xxxx:557a:955b:3e3a:32ef pltime:72000 vltime:86400)) (IA_PD IAID:1 T1:0 T2:0 (IA_PD-prefix 2a01:xxxx:xxxx:xxxx::/56 pltime:72000 vltime:86400)))
11:00:07.698570 c8:8d:83:b7:0c:ab > 10:7b:44:59:9b:18, ethertype IPv6 (0x86dd), length 211: (flowlabel 0x00201, hlim 255, next-header UDP (17) payload length: 157) fe80::ca8d:83ff:feb7:cab.547 > fe80::127b:44ff:fe59:9b18.546: [udp sum ok] dhcp6 reply (xid=e44cd6 (IA_NA IAID:1 T1:43200 T2:64800 (IA_ADDR 2a01:xxxx:xxxx:xxxx:557a:955b:3e3a:32ef pltime:72000 vltime:86400)) (IA_PD IAID:1 T1:43200 T2:64800 (IA_PD-prefix 2a01:xxxx:xxxx:xxxx::/56 pltime:72000 vltime:86400)) (client-ID hwaddr type 1 107b44599b18) (server-ID hwaddr/time type 1 time 588232101 005056b6ee86) (reconfigure-accept) (DNS-search-list hyperoptic.com.))

and with the ISP router I only see:

11:03:06.036837 10:7b:44:59:9b:18 > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 164: (flowlabel 0xae3a0, hlim 1, next-header UDP (17) payload length: 110) fe80::127b:44ff:fe59:9b18.546 > ff02::1:2.547: [bad udp cksum 0xeef2 -> 0x55d8!] dhcp6 solicit (xid=d44113 (elapsed-time 0) (option-request SIP-servers-domain SIP-servers-address DNS-server DNS-search-list SNTP-servers NTP-server AFTR-Name opt_67 opt_94 opt_95 opt_96 opt_82) (client-ID hwaddr type 1 107b44599b18) (reconfigure-accept) (Client-FQDN) (IA_NA IAID:1 T1:0 T2:0) (IA_PD IAID:1 T1:0 T2:0))
11:03:07.997790 10:7b:44:59:9b:18 > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 188: (flowlabel 0xae3a0, hlim 1, next-header UDP (17) payload length: 134) fe80::127b:44ff:fe59:9b18.546 > ff02::1:2.547: [bad udp cksum 0xef0a -> 0xa174!] dhcp6 request (xid=4d09cb (elapsed-time 0) (option-request SIP-servers-domain SIP-servers-address DNS-server DNS-search-list SNTP-servers NTP-server AFTR-Name opt_67 opt_94 opt_95 opt_96) (client-ID hwaddr type 1 107b44599b18) (server-ID hwaddr type 6 e019542684c8) (reconfigure-accept) (Client-FQDN) (IA_NA IAID:1 T1:0 T2:0 (IA_ADDR 2a01:xxxx:xxxx:xxxx:127b:44ff:fe59:9b18 pltime:71917 vltime:86317)))
3

There's a lot going on here...so I'll just ask the easiest question:

Is there a reason you don't wish to remove the ISP router?

(I'm not sure why you want us to troubleshoot the non-OpenWrt.)

I do have one suggestion...test if you can set LAN to receive a /64...set the ip6class as wan.

4

Hi. I would love to remove the ISP router but, when I do this, the IPv6 address assigned to the WAN of the OpenWrt router does not appear to be accessible from the internet.

I want to run a VPN server (OpenVPN / WireGuard) on the OpenWrt router but, when I remove the ISP router, I can't connect to the OpenWrt router (tcpdump shows no incoming traffic). I've asked my ISP if the address should be accessible but all they do is respond with generic information about IPv6 which doesn't answer the question. I do know that they use CGNAT so my IPv4 address is not accessible, I'm not sure if this also applies to IPv6.

I'm sure I've tried to set the ip6class as wan as part of my previous testing, and it didn't make any difference. I can try again.

5

I think I finally have it working. As with everything, the solution was very straight forward.

I have removed the ISP router, used the default network configuration on the OpenWrt router, but set reqaddress to 'none' on the wan6 interface.

All the LAN clients now get a GUA and I can connect to the OpenWrt router using the IPv6 address assigned to the lan interface.

6

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.