Opkg update fails - How to configure IPv6 right on a local network with one openwrt client and one openwrt router?

I installed openwrt 18.06.5 on a LinkSys WRT1200AC router. Fresh install, not using old settings. I disable WAN and WAN6 by setting them to unmanaged, because this router has no internet connection and shall use another openwrt as the gateway. I configure the lan interface via Luci to use a fixed IP and put the gateway address and DNS IPs in. My routers have fixed IPs, a DHCP is running on another box for all other devices on the local lan. The strange thing is that the LUCI network diagnostics page is giving results OK for ping, traceroute and nslookup. Doing the same on the shell using an ssh dropbear also works. So a ping to the download server and a traceroute is working fine in IPv4. Since the local DNS and DHCP is IPv4 only, I tried to disable all the IPv6 on the lan interface of both routers.

Yet I think opkg tries to use IPv6 and doesn't use the IPv4, because the opkg update fails with

opkg_download: Failed to download http://downloads.openwrt.org/releases/18.06.5/targets/mvebu/cortexa9/packages/Packages.gz, wget returned 4."
 * opkg_download: Check your network settings and connectivity.

Network configuration looks OK, DNS and gateway settings are OK.

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.15.11'
        option gateway '192.168.15.1'
        option dns '192.168.125.6 192.168.15.1'

Traceroute to download server also works OK

traceroute to downloads.openwrt.org (139.59.209.225), 30 hops max, 38 byte packets
 1  192.168.15.1 (192.168.15.1)  0.542 ms  0.494 ms  0.488 ms
 2  192.168.1.1 (192.168.1.1)  1.047 ms  0.972 ms  0.859 ms
 3  100.65.0.1 (100.65.0.1)  6.953 ms  5.005 ms  5.802 ms
 4  61.152.6.169 (61.152.6.169)  6.917 ms  7.106 ms  61.152.6.173 (61.152.6.173)  5.080 ms
 5  202.101.63.134 (202.101.63.134)  7.322 ms  101.95.120.238 (101.95.120.238)  5.248 ms  4.193 ms
 6  202.97.57.157 (202.97.57.157)  3.029 ms  3.388 ms  *

Using ping6 and traceroute6 does not work for the download server

ping6 downloads.openwrt.org
PING downloads.openwrt.org (2a01:4f8:150:6449::2): 56 data bytes
ping6: sendto: Permission denied

traceroute6 downloads.openwrt.org
traceroute6: can't connect to remote host: Permission denied

What is the output of the following?

ip -4 addr; ip -4 ro; ip -4 ru; \
ip -6 addr; ip -6 ro; ip -6 ru; \
cat /etc/opkg.conf

When pasting console output or configuration snippets, make sure you use the Preformatted text button </>

Hi Trendy,

thanks for taking the time. Something in the IPv6 configuration might be wrong, but I am an IPv6 newbie. I would prefer to have a "pure" IPv4 local net. As IPv4 is working OK, I am wondering why opkg update tries to take the not-working IPv6 instead and doesn't use the IPv4 when IPv6 is not working.

Here is the output:

ip -4 addr; ip -4 ro; ip -4 ru;

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.15.11/24 brd 192.168.15.255 scope global br-lan
       valid_lft forever preferred_lft forever
default via 192.168.15.1 dev br-lan 
192.168.15.0/24 dev br-lan scope link  src 192.168.15.11 
0:      from all lookup local 
32766:  from all lookup main 
32767:  from all lookup default
ip -6 addr; ip -6 ro; ip -6 ru;
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 532
    inet6 fe80::5aef:68ff:fe0d:c2d7/64 scope link 
       valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 532
    inet6 fe80::58ef:68ff:fe0d:c2d7/64 scope link 
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd65:fdf2:f4c2::1/60 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::58ef:68ff:fe0d:c2d7/64 scope link 
       valid_lft forever preferred_lft forever
9: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::5aef:68ff:fe0d:c2d7/64 scope link 
       valid_lft forever preferred_lft forever
10: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::58ef:68ff:fe0d:c2d9/64 scope link 
       valid_lft forever preferred_lft forever
fd65:fdf2:f4c2::/64 dev br-lan  metric 1024 
unreachable fd65:fdf2:f4c2::/48 dev lo  metric 2147483647  error -113
fe80::/64 dev eth0  metric 256 
fe80::/64 dev eth1  metric 256 
fe80::/64 dev eth1.2  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev wlan0  metric 256 
anycast fd65:fdf2:f4c2:: dev br-lan  metric 0 
anycast fe80:: dev eth0  metric 0 
anycast fe80:: dev eth1.2  metric 0 
anycast fe80:: dev eth1  metric 0 
anycast fe80:: dev br-lan  metric 0 
anycast fe80:: dev wlan0  metric 0 
ff00::/8 dev eth0  metric 256 
ff00::/8 dev br-lan  metric 256 
ff00::/8 dev eth1  metric 256 
ff00::/8 dev eth1.2  metric 256 
ff00::/8 dev wlan0  metric 256 
0:      from all lookup local 
32766:  from all lookup main 
4200000001:     from all iif lo lookup unspec 12
4200000007:     from all iif br-lan lookup unspec 12
4200000009:     from all iif eth1.2 lookup unspec 12
4200000009:     from all iif eth1.2 lookup unspec 12
cat /etc/opkg.conf
dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /overlay
option check_signature

I also tried some tips from the IPv6 essentials, checking the IPv6 DNS resolution. The IPv6 DNS resolution is working OK. So it seems to be related to my IPv6 routing or the fact that I somewhere disabled some IPv6 options, but could not disable it completely.

nslookup  openwrt.org
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:      openwrt.org
Address 1: 139.59.209.225
Address 2: 2a03:b0c0:3:d0::1af1:1

A traceroute6 on the gateway works, maybe because this is using the wan6 interface for it.

Maybe I need to set an IPv6 gateway? Basically I want to do something like it is documented for IPv4 in this article, but also with IPv6. How to set up the DHCPv6 on the router, so that the client will get an IPv6 address with the right gateway address?

https://openwrt.org/docs/guide-user/network/openwrt_as_clientdevice

It should not try over IPv6 as there is no default gateway for the latter.
A traceroute6 to the gateway works because there are Link-Local (fe80:...) and ULA (fd65:...) addresses. But that is correct.
Also DNS resolution should work over IPv4, the server has replies for both v4 and v6 and must reply them both regardless of the protocol used to contact the NS.
What you want to do with the router is called dumbAP. At the bottom of the page there are instructions how to enable IPv6 for the router itself.

I did all the things mentioned in the article and set it up as a dumbAP. I additionally disabled the built-in IPv6 management for lan interface and also deleted the global IPv6 ULA-Prefix. Now in LUCI the LAN interface is purely IPv4. I had a similar setup with openwrt/lede 17.01.7 where opkg update was working.

With the above settings in openwrt 18.06.5 opkg update still refuses to work with error message


opkg update
Downloading http://downloads.openwrt.org/releases/18.06.5/targets/mvebu/cortexa9/packages/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/18.06.5/targets/mvebu/cortexa9/packages/Packages.gz

Collected errors:
 * opkg_download: Failed to download http://downloads.openwrt.org/releases/18.06.5/targets/mvebu/cortexa9/packages/Packages.gz, wget returned 8.

I tracked it down a little more by using wget directly. It seems that IPv4 download is not possible for some reason.

This output I get on the router, which has IPv6 connectivity.

wget http://downloads.openwrt.org/releases/18.06.5/packages/arm_cortex-a9_vfpv3/routing/Packages.gz
Downloading 'http://downloads.openwrt.org/releases/18.06.5/packages/arm_cortex-a9_vfpv3/routing/Packages.gz'
Connecting to 2a01:4f8:150:6449::2:80
Writing to 'Packages.gz'
Packages.gz          100% |*******************************| 11150   0:00:00 ETA
Download completed (11150 bytes)

This output I get on the dumbAP without IPv6:

wget http://downloads.openwrt.org/releases/18.06.5/packages/arm_cortex-a9_vfpv3/routing/Packages.gz
Downloading 'http://downloads.openwrt.org/releases/18.06.5/packages/arm_cortex-a9_vfpv3/routing/Packages.gz'
Connecting to 176.9.48.73:80
Connection error: Connection failed

When I paste above link into firefox on my laptop I also get a connection error.

Is there maybe something wrong on the download server side?
The IPv4 traceroute to the download server works OK now on the dumbAP side:


traceroute downloads.openwrt.org
traceroute to downloads.openwrt.org (176.9.48.73), 30 hops max, 38 byte packets
 1  router.soundzentrum.de (192.168.15.1)  0.494 ms  0.470 ms  0.463 ms
 2  192.168.1.1 (192.168.1.1)  1.079 ms  0.873 ms  0.840 ms
 3  100.65.0.1 (100.65.0.1)  6.197 ms  3.887 ms  5.343 ms
 4  61.152.6.169 (61.152.6.169)  3.374 ms  3.471 ms  61.152.6.173 (61.152.6.173)  3.274 ms
 5  202.101.63.134 (202.101.63.134)  4.222 ms  101.95.120.110 (101.95.120.110)  6.787 ms  3.658 ms
 6  202.97.94.237 (202.97.94.237)  20.718 ms  18.901 ms  19.790 ms
 7  *  202.97.50.193 (202.97.50.193)  13.546 ms  11.903 ms
 8  *  202.97.86.114 (202.97.86.114)  226.419 ms  223.682 ms
 9  118.85.205.82 (118.85.205.82)  177.643 ms  177.745 ms  177.481 ms
10  hetzner-ic-326013-ffm-b4.c.telia.net (213.248.70.3)  223.919 ms  222.976 ms  223.073 ms
11  core21.fsn1.hetzner.com (213.239.224.241)  192.838 ms  core22.fsn1.hetzner.com (213.239.224.245)  211.058 ms  *
12  ex9k1.dc6.fsn1.hetzner.com (213.239.229.90)  225.169 ms  ex9k1.dc6.fsn1.hetzner.com (213.239.229.94)  182.584 ms  182.274 ms
13  *  mirror-02.infra.openwrt.org (176.9.48.73)  181.679 ms  181.584 ms

I just tried it and it looks to be working fine.
Both on Firefox, Edge and the wget in OpenWrt.
Could you capture the packets in tcpdump and upload it to check what is going on?

OK, here is the output of tcpdump from the router. On the dumbAP I can't install tcpdump for the moment, because opkg update (and thus opkg install) do not work (yet).

wlaneg is the dumbAP
router is the router to the internet.

19:46:34.236824 IP wlaneg.soundzentrum.de.54810 > router.soundzentrum.de.53: 58120+ A? downloads.openwrt.org. (39)
19:46:34.236866 IP router.soundzentrum.de > wlaneg.soundzentrum.de: ICMP router.soundzentrum.de udp port 53 unreachable, length 75
19:46:34.236873 IP wlaneg.soundzentrum.de.54810 > router.soundzentrum.de.53: 59584+ AAAA? downloads.openwrt.org. (39)
19:46:34.236891 IP router.soundzentrum.de > wlaneg.soundzentrum.de: ICMP router.soundzentrum.de udp port 53 unreachable, length 75
19:46:34.238245 IP wlaneg.soundzentrum.de.38290 > mirror-02.infra.openwrt.org.80: Flags [S], seq 520465434, win 29200, options [mss 1460,sackOK,TS val 4113170141 ecr 0,nop,wscale 6], length 0
19:46:34.238270 IP mirror-02.infra.openwrt.org.80 > wlaneg.soundzentrum.de.38290: Flags [R.], seq 0, ack 520465435, win 0, length 0
19:46:34.240891 IP wlaneg.soundzentrum.de.44727 > router.soundzentrum.de.53: 39484+ A? downloads.openwrt.org. (39)
19:46:34.240915 IP router.soundzentrum.de > wlaneg.soundzentrum.de: ICMP router.soundzentrum.de udp port 53 unreachable, length 75
19:46:34.240920 IP wlaneg.soundzentrum.de.44727 > router.soundzentrum.de.53: 40835+ AAAA? downloads.openwrt.org. (39)
19:46:34.240936 IP router.soundzentrum.de > wlaneg.soundzentrum.de: ICMP router.soundzentrum.de udp port 53 unreachable, length 75
19:46:34.242074 IP wlaneg.soundzentrum.de.38292 > mirror-02.infra.openwrt.org.80: Flags [S], seq 1258106219, win 29200, options [mss 1460,sackOK,TS val 4113170144 ecr 0,nop,wscale 6], length 0
19:46:34.242096 IP mirror-02.infra.openwrt.org.80 > wlaneg.soundzentrum.de.38292: Flags [R.], seq 0, ack 1258106220, win 0, length 0
19:46:34.244593 IP wlaneg.soundzentrum.de.41993 > router.soundzentrum.de.53: 5816+ A? downloads.openwrt.org. (39)
19:46:34.244617 IP router.soundzentrum.de > wlaneg.soundzentrum.de: ICMP router.soundzentrum.de udp port 53 unreachable, length 75
19:46:34.244622 IP wlaneg.soundzentrum.de.41993 > router.soundzentrum.de.53: 7148+ AAAA? downloads.openwrt.org. (39)
19:46:34.244638 IP router.soundzentrum.de > wlaneg.soundzentrum.de: ICMP router.soundzentrum.de udp port 53 unreachable, length 75
19:46:34.245750 IP wlaneg.soundzentrum.de.38294 > mirror-02.infra.openwrt.org.80: Flags [S], seq 4273497272, win 29200, options [mss 1460,sackOK,TS val 4113170148 ecr 0,nop,wscale 6], length 0
19:46:34.245772 IP mirror-02.infra.openwrt.org.80 > wlaneg.soundzentrum.de.38294: Flags [R.], seq 0, ack 4273497273, win 0, length 0
19:46:34.248214 IP wlaneg.soundzentrum.de.47342 > router.soundzentrum.de.53: 25514+ A? downloads.openwrt.org. (39)
19:46:34.248231 IP wlaneg.soundzentrum.de.47342 > router.soundzentrum.de.53: 26801+ AAAA? downloads.openwrt.org. (39)
19:46:34.249361 IP wlaneg.soundzentrum.de.38296 > mirror-02.infra.openwrt.org.80: Flags [S], seq 4173633300, win 29200, options [mss 1460,sackOK,TS val 4113170152 ecr 0,nop,wscale 6], length 0
19:46:34.249383 IP mirror-02.infra.openwrt.org.80 > wlaneg.soundzentrum.de.38296: Flags [R.], seq 0, ack 4173633301, win 0, length 0
19:46:34.251819 IP wlaneg.soundzentrum.de.50292 > router.soundzentrum.de.53: 27278+ A? downloads.openwrt.org. (39)
19:46:34.251835 IP wlaneg.soundzentrum.de.50292 > router.soundzentrum.de.53: 28770+ AAAA? downloads.openwrt.org. (39)
19:46:34.252963 IP wlaneg.soundzentrum.de.38298 > mirror-02.infra.openwrt.org.80: Flags [S], seq 1655510800, win 29200, options [mss 1460,sackOK,TS val 4113170155 ecr 0,nop,wscale 6], length 0
19:46:34.252985 IP mirror-02.infra.openwrt.org.80 > wlaneg.soundzentrum.de.38298: Flags [R.], seq 0, ack 1655510801, win 0, length 0
19:46:34.255426 IP wlaneg.soundzentrum.de.54799 > router.soundzentrum.de.53: 27844+ A? downloads.openwrt.org. (39)
19:46:34.255443 IP wlaneg.soundzentrum.de.54799 > router.soundzentrum.de.53: 29231+ AAAA? downloads.openwrt.org. (39)
19:46:34.256594 IP wlaneg.soundzentrum.de.38300 > mirror-02.infra.openwrt.org.80: Flags [S], seq 3681370499, win 29200, options [mss 1460,sackOK,TS val 4113170159 ecr 0,nop,wscale 6], length 0
19:46:34.256615 IP mirror-02.infra.openwrt.org.80 > wlaneg.soundzentrum.de.38300: Flags [R.], seq 0, ack 3681370500, win 0, length 0
19:46:34.259047 IP wlaneg.soundzentrum.de.40824 > router.soundzentrum.de.53: 44260+ A? downloads.openwrt.org. (39)
19:46:34.259063 IP wlaneg.soundzentrum.de.40824 > router.soundzentrum.de.53: 45583+ AAAA? downloads.openwrt.org. (39)
19:46:34.260188 IP wlaneg.soundzentrum.de.38302 > mirror-02.infra.openwrt.org.80: Flags [S], seq 54613284, win 29200, options [mss 1460,sackOK,TS val 4113170163 ecr 0,nop,wscale 6], length 0
19:46:34.260208 IP mirror-02.infra.openwrt.org.80 > wlaneg.soundzentrum.de.38302: Flags [R.], seq 0, ack 54613285, win 0, length 0

I just tried again, it works now. I had squid installed on the router as transparent proxy. Although squid was already disabled, the firewall rule to forward port requests on IPv4 to the proxy port 3128 still existed. That's why IPv6 routing worked but IPv4 not. Though I am wondering why all other HTTP traffic still worked, maybe because most of it is already HTTPS, so I didn't realise it for port 80. opkg update uses port 80 on IPv4 with wget, that was redirected to port 3128 on the router and failed.

Though, enabling the rule and starting squid again, opkg update is still failing.

The router is sending ICMP port 53/UDP unreachable to the wlaneg.
You can set up http proxy both in opkg and wget if needed.
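
Added example, not part of the thread and not any poster's code: in the capture above each SYN to port 80 is reset about 25 microseconds later, while the traceroute puts the mirror roughly 180 ms away, so the reset was generated on the local network rather than by the mirror. The script below flags such resets in tcpdump text output and counts refused DNS queries; the function names, the 1000 microsecond threshold and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find TCP resets that return too quickly to come from the remote host.

# Constructed sample in tcpdump text format (host names are placeholders).
sample_capture() {
    cat <<'EOF'
19:46:34.236824 IP ap.lan.54810 > router.lan.53: 58120+ A? downloads.example. (35)
19:46:34.236866 IP router.lan > ap.lan: ICMP router.lan udp port 53 unreachable, length 71
19:46:34.238245 IP ap.lan.38290 > mirror.example.80: Flags [S], seq 520465434, win 29200, length 0
19:46:34.238270 IP mirror.example.80 > ap.lan.38290: Flags [R.], seq 0, ack 520465435, win 0, length 0
19:46:35.000000 IP ap.lan.38292 > mirror.example.443: Flags [S], seq 100, win 29200, length 0
19:46:35.181500 IP mirror.example.443 > ap.lan.38292: Flags [S.], seq 900, ack 101, win 28960, length 0
19:46:36.000000 IP ap.lan.38294 > mirror.example.80: Flags [S], seq 200, win 29200, length 0
19:46:36.182000 IP mirror.example.80 > ap.lan.38294: Flags [R.], seq 0, ack 201, win 0, length 0
EOF
}

# Print "client server delay_us" for each SYN answered by an RST within
# $1 microseconds (default 1000, an assumed threshold for "answered locally").
fast_resets() {
    awk -v limit="${1:-1000}" '
    function usec(ts,   p) {            # "HH:MM:SS.uuuuuu" -> microseconds
        split(ts, p, /[:.]/)
        return ((p[1] * 60 + p[2]) * 60 + p[3]) * 1000000 + p[4]
    }
    $2 == "IP" && $6 == "Flags" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        if ($7 == "[S],") { syn[src " " dst] = usec($1); next }
        key = dst " " src               # the reply travels in the reverse direction
        if ($7 ~ /^\[R/ && (key in syn)) {
            d = usec($1) - syn[key]
            if (d <= limit) printf "%s %s %d\n", dst, src, d
            delete syn[key]
        }
    }'
}

# Count ICMP "udp port 53 unreachable" replies, i.e. refused DNS queries.
dns_unreachable() {
    awk '/ICMP .* udp port 53 unreachable/ { n++ } END { print n + 0 }'
}

sample_capture | fast_resets
```

A hit on port 80 only, as in this thread, points at a port-specific rule on the path, such as the leftover redirect to the proxy port described above.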
