This is a weird one - When I use OpenWRT the router will not receive an IPv6 address. IPv6 is enabled and a tcpdump on the WAN interface does show outgoing DHCP6 solicit packets but no response from the ISP. However, if I unplug the router and just connect a PC directly to the Internet (it's a FTTH fiber connection) it immediately receives an IPv6 address without any issues.
Any ideas on how to debug this would be greatly appreciated.
Did you alter the firewall config?
Somewhat, since it's running OpenVPN server, though the VPN is (currently) v4 only.
Still, even if it were filtered by the firewall, wouldn't packets show in tcpdump?
Some more weird information -
try configuring ipv6 relay wan->lan (I would recommend to first reset your config)
in /etc/config/dhcp ( in Luci GUI also possible)
config dhcp wan
option dhcpv6 relay
option ra relay
option ndp relay
option master 1
config dhcp lan
option dhcpv6 relay
option ra relay
option ndp relay
You need odhcp6c to receive an ipv6 address and prefix delegation from the isp. Maybe you aren't getting a response from the isp because the mac address on the router's wan interface is different from your pc, and your isp's network hasn't picked up the change. Try copying the pc's mac address to the router's wan interface and see if that works.
The router has ignore on both interfaces (lan and wan) because there's another computer providing DHCPv4 on the network, I'm not exactly sure how to enable only v6.
That can't be the issue because it does respond to virtually anything other than OpenWrt, and I've tried multiple computers, they all work fine.
By the way - The server doesn't even respond to the initial solicit packet.
Also - I've tried disabling odhcp6c and using dhcpcd instead and still nothing. Also tried disabling pd and that didn't work either.
good point
if the vendor device is a device in bridge mode (allowing a single attached customer device), better reboot the ISP modem everytime when you change the attached device.
I would opt for default OpenWRT config (reset device), until you have figured out the IPv6 issue. Its difficult, to hunt down issues in a non default configured system. Save custom config via luci backup, so you can switch back to your config later
There's no vendor equipment at all - it's a fiber to the building connection and the router is plugged directly into the wall.
Would a safe-mode test be sufficient? I'd rather not reflash the route because it's running a customized version of OpenVPN.
Relay where?
I don't recall what process (or the Kernel) does what. But yes, OP must receive the RA replies for it's own address and DHCPv6 replies for a PD.
How about your wan and wan6 config first?
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
between WAN and LAN interface.
If your ISP gives you a /64 prefix only, you can successfully use that in your LAN interface via relay as described.
Network:
root@gateway:/etc/config# cat network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
config interface 'lan'
option ifname 'eth1'
option force_link '1'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.63.1'
config interface 'wan'
option ifname 'eth0'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth0'
option proto 'dhcpv6'
option reqprefix 'auto'
option reqaddress 'try'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 2 3 4 5'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 6'
# Site-to-site VPN
config interface 'vpn_site'
option proto 'none'
option ifname 'tun0'
# Remote access VPN over UDP
config interface 'vpn_ra'
option proto 'none'
option _orig_ifname 'tap0'
option _orig_bridge 'false'
option ifname 'tun1'
# Remote access VPN over TCP
config interface 'vpn_ra_tcp'
option proto 'static'
option ifname 'tun2'
# Outgoing Fortinet-based VPN connection (defunct)
config interface 'WORK'
option ifname 'ppp0'
option proto 'none'
option auto '0'
option delegate '0'
# 4G backup WAN connection through USB dongle (physically disconnected unless WAN connection is down)
config interface 'ZTEWAN'
option ifname 'eth2'
option proto 'dhcp'
root@gateway:/etc/config#
DHCP:
root@gateway:/etc/config# cat dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
# There is another DHCP server on the LAN
option ignore '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
root@gateway:/etc/config#
Firewall - Some details of port forwarding rules of ports above 1024 have been asterisked-out for security reasons (most of them are disabled anyway):
root@gateway:/etc/config# cat firewall
config defaults
option syn_flood '1'
option output 'ACCEPT'
option forward 'REJECT'
option drop_invalid '1'
option input 'REJECT'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'VPN_RA_TCP lan vpn_ra vpn_site vpn_ra_tcp'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan WORK wan6 ZTEWAN'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_port '547'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config redirect
option _name '**'
option src 'wan'
option proto 'tcpudp'
option target 'DNAT'
option dest 'lan'
option src_dport '****'
option dest_ip '192.168.**.*'
config redirect
option _name '*********'
option src 'wan'
option proto 'tcpudp'
option src_dport '****'
option dest_ip '192.168.**.***'
option target 'DNAT'
option dest 'lan'
option enabled '0'
config redirect
option src 'wan'
option proto 'tcpudp'
option src_dport '****'
option target 'DNAT'
option dest 'lan'
option name '************'
option dest_ip '192.168.**.*'
config redirect
option _name '**************'
option src 'wan'
option proto 'tcp'
option src_dport '****'
option dest_ip '192.168.**.***'
option target 'DNAT'
option dest 'lan'
option enabled '0'
config redirect
option _name '**************'
option src 'wan'
option proto 'udp'
option src_dport '****'
option dest_ip '192.168.**.***'
option target 'DNAT'
option dest 'lan'
option enabled '0'
config redirect
option _name '**************'
option src 'wan'
option proto 'tcp'
option src_dport '****'
option dest_ip '192.168.**.***'
option target 'DNAT'
option dest 'lan'
option enabled '0'
config redirect
option _name '**************'
option src 'wan'
option proto 'udp'
option src_dport '****'
option dest_ip '192.168.**.***'
option target 'DNAT'
option dest 'lan'
option enabled '0'
config redirect
option _name '**********'
option src 'wan'
option proto 'tcp'
option src_dport '****-****'
option dest_ip '192.168.**.***'
option target 'DNAT'
option dest 'lan'
option enabled '0'
config redirect
option src 'wan'
option dest 'lan'
option name '********************'
option proto 'tcp'
option src_dport '****'
option dest_ip '192.168.**.*'
option dest_port '****'
option enabled '0'
config redirect
option src 'wan'
option proto 'tcpudp'
option dest_ip '192.168.**.*'
option target 'DNAT'
option dest 'lan'
option _name '***********'
option src_dport '****-****'
option enabled '0'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '****'
option dest_ip '192.168.**.*'
option dest_port '****'
option name '************'
option enabled '0'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'udp'
option src_dport '****'
option dest_ip '192.168.**.*'
option dest_port '****'
option name '************'
option enabled '0'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '****'
option dest_ip '192.168.**.*'
option dest_port '****'
option name '************'
option enabled '0'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'udp'
option src_dport '****'
option dest_ip '192.168.**.*'
option dest_port '*****'
option name '************'
option enabled '0'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '****'
option dest_ip '192.168.**.*'
option dest_port '****'
option name '****************'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '****'
option dest_ip '192.168.**.*'
option dest_port '****'
option name '*******************'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '****'
option dest_ip '192.168.**.*'
option dest_port '****'
option name '***********'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '****'
option dest_ip '192.168.**.*'
option dest_port '****'
option name '**************'
option enabled '0'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '****'
option dest_ip '192.168.**.*'
option dest_port '****'
option name '******************'
option enabled '0'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '****'
option dest_ip '192.168.**.*'
option dest_port '****'
option name '*******************'
option enabled '0'
config rule
option target 'ACCEPT'
option src 'wan'
option dest_port '****'
option name 'OpenVPN-Remote-Access'
option proto 'tcp udp'
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'udp'
option dest_port '****'
option name 'OpenVPN-Site-Link-Incoming'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'udp'
option src_dport '***'
option dest_ip '192.168.63.1'
option dest_port '****'
option name 'OpenVPN-New-Port'
option enabled '0'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '****'
option dest_ip '192.168.**.*'
option dest_port '****'
option name '************'
option enabled '0'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '****'
option dest_ip '192.168.**.*'
option dest_port '****'
option name '*************'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'udp'
option src_dport '****'
option dest_ip '192.168.**.*'
option dest_port '****'
option name '*************'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '****'
option dest_ip '192.168.**.*'
option dest_port '****'
option name '************'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '****'
option dest_ip '192.168.**.*'
option dest_port '****'
option name '*************'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '113'
option dest_ip '192.168.**.*'
option dest_port '113'
option name '**************'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '****-****'
option dest_ip '192.168.**.*'
option dest_port '****-****'
option name '****************'
config forwarding
option dest 'wan'
option src 'lan'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option dest_ip '192.168.**.*'
option name '********'
option src_dport '****-****'
option dest_port '****-****'
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'tcp'
option dest_port '****'
option name 'OpenVPN-SSL'
config redirect
option src 'wan'
option name '**************'
option src_dport '****'
option target 'DNAT'
option dest_ip '192.168.**.*'
option dest 'lan'
list proto 'tcp'
option dest_port '****'
root@gateway:/etc/config#
@lleachii @rao @Pico
Thank you for your assistance. I've decided to install OpenWrt on a Raspberry Pi 4b I had lying around, completely unmodified, and the problem persists. I then replaced OS to another Linux distro (Debian) and it got an ipv6 address without any issues.
I took a capture of the IPv6 traffic on both OSes, see link below. I'd really appreciate it if you can help me somehow get OpenWrt to send a solicit packet as similar as possible to the one sent by Debian.
Specifically I think the FQDN or one of the DHCP options might be the problem but I can't find a way of removing them.
Thanks for your time.
Captured packets:
EDIT: Found the 'defaultreqopts 0' option but it doesn't remove option 82 for some reason. The issue persists.
EDIT 2: 'noclientfqdn 1' removes the FQDN but that doesn't solve the problem either.
EUREKA!
Needed to add noacceptreconfig '1'
No clue why the server doesn't like it.
I would not have guessed that. That setting doesn't even seem to be properly documented. Maybe your isp has a security paranoid administrator, but at least the problem is solved.
Yes, I had to resort to manually changing the solicit packet, adjusting it to be closer and closer to the pakcet sent by Debian then injecting it using tcpreplay until I found the offending option, then looked at the odhcp source code to find that undocumented option.
I'm pretty sure that the ISP isn't that paranoid, it's probably a misconfiguration on their side but there's no one really that I could talk to. They only started offering IPv6 recently and only after being forced to by government regulations and most tech support personnel have no clue how to support it. Also, the moment they hear about 3rd party firmware they refuse to support it.
Still, seeing that this issue is pretty much unique to OpenWrt it must mean that the option should probably default to enabled, since that appears to be the case pretty much everywhere else.
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.