PPPoE - IPv6 addressing and prefix delegation not working as docs indicate - SOLVED (firewall rules for DHCPv6)

howels · April 3, 2018, 10:14pm

I've got a PPPoE connection, with native IPv6. However when I run 'ifstatus wan' I see the IPv6 address associated to the wan interface and nothing appears on wan6. Running LEDE 17.01.4 on a WR2543N.

I can manually insert a prefix and that gets delegated but the automatic Prefix Delegation that should 'just work' isn't working. The DHCP address on the PPPoE tunnel appears on wan instead of wan6 and nothing else happens, there isn't even a IPv6 route created.

/etc/config/network

config interface 'wan'
	option ifname 'eth0.2'
	option _orig_ifname 'eth0.2'
	option _orig_bridge 'true'
	option proto 'pppoe'
	option username 'blah'
	option pass 'blah'
	option ipv6 '1'

config interface 'wan6'
	option ifname '@wan'
	option proto 'dhcpv6'
	option reqprefix 'auto'
	option reqaddress 'try'

/etc/config/dhcp

config dhcp 'lan'
	option interface 'lan'
	option ndp 'relay'
	option ra_management '1'
	list dns '2001:8b0::2020'
	list dns '2001:8b0::2021'
	option ignore '1'
	option ra 'relay'
	option dhcpv6 'relay'
#	option ra_default '1'

config dhcp 'wan'
	option interface 'wan'
 	option ignore '1'

config dhcp 'wan6'
	option dhcpv6 'hybrid'
	option ra 'hybrid'
	option ndp 'hybrid'
	option master '1'

Any ideas what is happening? Been fighting this for a while now.

jow · April 4, 2018, 8:36am

Try "option ipv6 auto", this should automatically spawn a virtual DHCPv6-PD interface.

howels · April 4, 2018, 11:38am

In which configuration stanza? I already have "option ipv6 '1'" in the wan interface inside /etc/config/network.

jow · April 4, 2018, 11:40am

Yes, change 1 to auto - they have different meanings. 1 will enable IPCP6 negotiation but nothing else, you'll need to manually configure a DHCPv6 interface then.

Setting it to auto will spawn a virtual interface wan_6 (note the underscore) which takes care of the prefix assignment. Also make sure that your lan interface has option ip6assign 64 (or a larger prefix size) set to actually redistribute the received prefix downstream.

howels · April 4, 2018, 1:12pm

Does this mean that the configuration should reference the dynamically created "wan_6" interface as opposed to "wan6" shown above? The documentation for IPv6 doesn't mention wan_6 dynamically created interfaces.

I removed the wan6 interface but wan_6 is behaving the same as wan6 was:

# ifstatus wan_6
{
	"up": false,
	"pending": true,
	"available": true,
	"autostart": true,
	"dynamic": true,
	"proto": "dhcpv6",
	"device": "pppoe-wan",
	"data": {
		
	}
}

Looks like no address is being allocated.

WAN interface has an IPv6 address though

ifstatus wan
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 148,
	"l3_device": "pppoe-wan",
	"proto": "pppoe",
	"device": "eth0.2",
	"updated": [
		"addresses",
		"routes"
	],
	"metric": 0,
		{
			"address": "fe80::e017:1399:20be:927d",
			"mask": 128
		}
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "0.0.0.0",
			"mask": 0,
			"nexthop": "0.0.0.0",
			"source": "0.0.0.0\/0"
		},
		{
			"target": "0.0.0.0",
			"mask": 0,
			"nexthop": "81.187.81.187",
			"source": "0.0.0.0\/0"
		}
	],
	"dns-server": [
		"217.169.20.21",
		"217.169.20.20"
	],
	"dns-search": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		]
	},
	"data": {
		
	}
}	"delegation": true,
	"ipv4-address": [
		{
			"address": "123.123.123.123",
			"mask": 32
		}
	],
	"ipv6-address": [
		{
			"address": "fe80::e017:1399:20be:927d",
			"mask": 128
		}
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "0.0.0.0",
			"mask": 0,
			"nexthop": "0.0.0.0",
			"source": "0.0.0.0\/0"
		},
		{
			"target": "0.0.0.0",
			"mask": 0,
			"nexthop": "123.123.123.124",
			"source": "0.0.0.0\/0"
		}
	],
	"dns-server": [
		"123.123.123.21",
		"123.123.123.20"
	],
	"dns-search": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		]
	},
	"data": {
		
	}
}

jow · April 4, 2018, 1:14pm

Seems your issue is not with the configuration then, maybe an incompatibility between odhcp6c and your ISP? Do you see anything of interest in logread after ifdown wan; ifup wan ?

howels · April 4, 2018, 1:19pm

Other than the usual PPPoE negotiation and some failed DHCPv6 requests on the LAN side there's nothing.

Wed Apr  4 14:15:23 2018 daemon.notice netifd: Network alias 'pppoe-wan' link is up
Wed Apr  4 14:15:23 2018 daemon.notice netifd: Interface 'wan_6' is enabled
Wed Apr  4 14:15:23 2018 daemon.notice netifd: Interface 'wan_6' has link connectivity 
Wed Apr  4 14:15:23 2018 daemon.notice netifd: Interface 'wan_6' is setting up now
Wed Apr  4 14:15:24 2018 user.notice firewall: Reloading firewall due to ifup of wan (pppoe-wan)
Wed Apr  4 14:15:25 2018 user.notice firewall: Reloading firewall due to ifupdate of wan (pppoe-wan)
Wed Apr  4 14:15:25 2018 daemon.notice odhcpd[9114]: Got DHCPv6 request

I have a support ticket with my ISP open already. They suggest the fixed wan interface with a reqaddress: force setting but nothing much else.

EDIT:

I’ve sent details of my config to my ISP and they are investigating their end. Looks like for all the world like DHCPv6 requests are not going through the PPPoE link.

EDIT: Added tcpdump

I installed tcpdump and captured the output when restarting the wan6 interfaces (ifdown wan6; ifup wan6):

Unreachable port 546 shown in capture.

howels · April 4, 2018, 2:54pm

Found the problem. DHCPv6 was blocked at the wan zone. This requires a solicitation (UDP src 546 to dst 547) and a response (UDP src 547 to dst 546). The following firewall rules allow this to work:

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '547'
	option name 'Allow DHCPv6 Relay (546-to-547)'
	option family 'ipv6'
	option src_port '546'

config rule                             
        option target 'ACCEPT'          
        option src 'wan'                
        option proto 'udp'              
        option dest_port '546'          
        option name 'Allow DHCPv6 Relay (547-to-546)'
        option family 'ipv6' 
        option src_port '547'

billingd · April 5, 2018, 11:32pm

I reworked the option ipv6 section of the wiki a few days ago. I have expanded it with some of the information above.

howels · April 6, 2018, 3:19pm

Thanks, I have added the firewall rules shown above as those seemed to be the crucial part which was missing for a dynamic DHCPv6 PPP-based connection.

Stephen

billingd · April 6, 2018, 11:40pm

Is the routing an issue for wan6 or with the wan_6 interface you get with ''option ipv6 auto''?

My ISPs DHCPv6 is a bit broken so most of my testing is with a static IPv6 on the wan. However, I think I was getting DHCPv6 responses with ''option ipv6 1'' and ''option proto dhcpv6'' on wan6.

I will have a play once I am allowed to fiddle with the router. I need some more practice with packet capture and interpretation.

billingd · April 8, 2018, 8:20am

I don't need non-default firewall rules using ‘‘option ipv6 1’’ on wan and ‘‘option proto dhcpv6’’ on wan6. Full IPv6 connectivity from router and lan.

howels · April 12, 2018, 11:24pm

Well, I had a packet capture which shows blocked ports beforehand and DHCPv6 enabled over PPPoE afterwards, after enabling those two rules. Very clear and simple test. Are you using PPPoE or do you have a plain Ethernet hand-off?

Multiple configurations exist but for my ISP using a fiber connection with an IPv4 PPPoE connection encapsulating DHCPv6 advertisement/solicitation this was required. Using LEDE 17.0.1.4

billingd · April 12, 2018, 11:57pm

I have PPPoE as well. I wasn't questioning that you need firewall rules. More thinking aloud about why you do but I don't. Doesn't matter.

Perhaps it is an interface name thing - your "ipv6 option auto"==wan_6 compared to my "ipv6 option 1" == wan6.

I understand there are default wan6 firewall rules. I may have a fiddle at some stage. I need some more packet tracing practice and learn better with real problems.

howels · April 17, 2018, 11:47pm

I ended up using "option ipv6 1" with a static wan6 interface. Wish I knew why DHCPv6 was blocked as well, I found one other person who mentioned this so I'm wondering if it's the way an ISP deploys DHCPv6? Very strange but it's been stable for a while now and I had zero success before the firewall changes.
Are there different means of allocating ipv6 addresses besides DHCPv6?
Tracing packets was easy once tcpdump was installed. Make sure you have a big terminal window then it's a simple expression to filter the output to leave DHCPv6 over PPPoE. Something like "pppoes and ipv6" on the interface carrying the PPPoE connection, mine was eth0.2