Prefix Deligation to downstream router

New to the board . happy openwrt customer for a long time.

Have a /60 PD chuck from isp to play with, using up first half on main router .
for Vlan, wifis, iots, etc.. 8 or less of /64 prefixes. none above 7 prefix
And want to propagate a full /61 to downstream router.

But with everything i have tried , the interface i create takes the first suffix of the /61 chunk,
be it LUA or GUA from wan. And is unable to propagate anything bigger then /62 to downstream router.

So i am wondering if its possible to have a link-local only for an address on the propagating
interface, so it can send the full chunk of /61 downstream . OR any other solution that
would let me send a whole chunk, without the interface stealing half of it.


Could you explain better the topology? You mentioned main router and downstream router. Which one is running OpenWrt?

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
ifstatus wan6; ifstatus wan_6; ifstatus lan
1 Like

Main router is running openwrt snapshot x86. and gets assigned /60 from isp.
(snapshot because particular computer does not want to boot bios, only uefi)
And uses up half of the /60 in /64 chunks. the other half of /60 = /61
I want to pass to downstream router.

Downstream router can be another openwrt or opensense etc.. does not matter.

The issue i have is the interface i create to pass that /61 block downstream seems
to grab the first suffix of the GUA or LUA /61 block for an interface address rendering the
half of 61 unnasignable to downstream , and only /62 gets passes along.

config interface 'lan7'
	option ifname 'eth0.7'
	option proto 'static'
	option ip6assign '61'
	option ip6hint '8'

config dhcp 'lan7'
	option interface 'lan7'
	option ra_management '2'
	option dhcpv6 'server'
	option ra 'server'
	option limit '250'
	option leasetime '12h'
	option start '201'

37: eth0.7@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd00:aaaa:bbbb:8::1/61 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 xxxx:xxx:xxx:xxx8::1/61 scope global dynamic noprefixroute 
       valid_lft 243417sec preferred_lft 243417sec
    inet6 fe80::c23f:d5ff:feb7:decb/64 scope link 
       valid_lft forever preferred_lft forever

Alright, let's have a look at the configuration now.

Here is more info , from ifstatus wan6 and lan7.

notice that wan6 does not assign itself an address from the /60 block
but uses link-local to propagate it downstream
lan7 does assign itself an address from that block , besides the link-local
I do not think it needs it , and can work with link-local only address.
unlike ipv4 where a router needed an interface on that subnet.
link-local serves that purpose in ipv6 if i am not mistaken.

And on a second note, does any other interface that delegates a /64 block
needs a GUA address assigned and be routable on the internet ?

ifstatus wan6

"ipv6-address": [
			"address": "xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:6fa3",
			"mask": 128,
			"preferred": 241933,
			"valid": 241933

"ipv6-prefix": [
			"address": "xxxx:xxxx:xxxx:xxx0::",
			"mask": 60,
			"preferred": 241933,
			"valid": 241933,
			"class": "wan6",
			"assigned": {
----------------cut (unrelated)------------------
				"lan5": {
					"address": "xxxx:xxxx:xxxx:xxx5::",
					"mask": 64
				"lan6": {
					"address": "xxxx:xxxx:xxxx:xxx6::",
					"mask": 64
				"lan7": {
					"address": "xxxx:xxxx:xxxx:xxx8::",
					"mask": 61
	"ipv6-prefix-assignment": [

ifstatus lan7

	"ipv6-address": [
	"ipv6-prefix": [

	"ipv6-prefix-assignment": [
			"address": ""xxxx:xxxx:xxxx:xxx8::",
			"mask": 61,
			"preferred": 242670,
			"valid": 242670,
			"local-address": {
				"address": ""xxxx:xxxx:xxxx:xxx::1",
				"mask": 61
			"address": "fd00:aaaa:bbbb:8::",
			"mask": 61,
			"local-address": {
				"address": "fd00:aaaa:bbbb:8::1",
				"mask": 61

From the configuration fragments you posted, I don't see anything out of the ordinary.
You have assigned a /61 to the lan7 and it got it. It will advertise the first /64 for the lan7 hosts and if a dhcp6 client requests a prefix, it will delegate one up to /62.

This is the pool size, not the last IP.

Fun fact: I can't! Because of all these unnecessary redactions. But it anyway is not supposed to. The /60 is delegated by the ISP for the lan.

Because you have ip6assign /61

Feel free to disable it, if you firmly believe so, and assign the IPs yourself.

There are link local IPs in IPv4, although I have not seen them being used the way you describe.

That delegates or is delegated?
Maybe you can explain what are you trying to achieve, because this doesn't make sense.
And when you are asked to post the output of certain commands, you may want to ask first if it is fine to post something less than that. We are not supposed to help you troubleshoot your issues with what you believe is relevant.

1 Like

So what would be your solution to propagate any prefix delegation chunk down an
interface to a downstream router ?
If the interface always assigns itself an address out of whichever chunk it should be delegating
downstream , rendering half the prefix undelegatable .

And you miss the point , interface that simply delegates a prefix to a vlan say
will not miss a single suffix that interfaces assigns itself out of the prefix and has
rest of the host portion for the whole vlan.

But an interface that is supposed to propagate a PD downstream be /61 /60 /48
will render half of that prefix unusable downstream by taking the first suffix in that
prefix for an address of the interface itself !!!!!!!!!

Like making an interface unmganaged should not assign itself any LUA or GUA address
Only a link-local while still giving you ability to propagate PDs downstream and running
a DHCP or SLAAK on that interface.

And I am still wondering why an interface needs a GUA and be routable on the internet , seems
like a security risk if something is miss configured in the firewall. that
means anyone who sees your other ips , can simply replace the host section to ::1
and have a direct line to your device bypassing the wan6 interface firewall.

It doesn't render it undelegateable, you can delegate smaller chunks like /63 or /64.

What you write here doesn't make too much sense to me, but I believe you need static routes not delegation and you are confusing the terms.

I told you earlier that it can be disabled.

Don't let the miss configure the firewall. Nor the mister nor the missus. Leave it to the default which works fine and is safe.

Sorry my ipv6 understanding is limited .
So to understand better . On isp level or a big company, every interface that propagates a PD
to downstream routers cannot split and subdeligate its assigned PD in half ? Always wasting a half?

And an interface that will subdeligate a PD always needs a suffix address within that PD ?
Cannot just be link-local ? Like a wan interface with an adress outside of assigned PD block.

I sort of figured that out.

Try to use layman's terms, as subdeligate doesn't exist.
On an ISP level you most likely have a /32 and you delegate from /48 to /56 to residential customers. So no, they don't delegate half and no half is wasted.

As I already said, what you what to achieve is done with static routes, same as in IPv4.

Got the first part , but you did not answer the second part.

Does or does not an interface that deligates a PD have to have an address within that PD ?
From tcpdumping wan6 on my isp it seems it does not but link-local .

And as for static routes , that would not work with a dynamically assigned PD that changes weekly.
or whenever a router or modem reboots.

This is a very generic question. I suppose it has to do with the networking equipment the ISP uses, but the usecase is different than in our case where there is a residential user, who is expected to have mainly lan hosts and occasionally a router, which will solicit a prefix.

What you see most likely is the last router which relayed the dhcp offer.

With a bit of scripting it is possible.