I'm trying to learn how to run IPv6. Not having access to a full IPv6 connection, I have a test setup of routers in cascade using prefix delegation. If the connection from the upstream router to a downstream one is wired or a wifi AP-STA link, everything works. Using a WireGuard tunnel almost works, except that the GUA of the upstream router or other routers inside the network is not reachable. This prevents DNS from working. Packets can be forwarded through WireGuard to external sites though.
Details of the test setup. All routers are running 22.03.2. Routers 0 and 1 are TL-WDR3500, Router 2 is a Belkin AX3200. I have tried different hardware with the same results.
Router 0, the simulated ISP. It serves a /56 prefix on its lan from a bogus GUA IP block which starts with 3. The network is NAT6 to my house network and ISP which offers only /64.
Router 1, the main router. This is the only router connected to the simulated ISP, by Ethernet from wan to lan. There is no IPv4 wan. Router 1 has an IPv6-only LAN and a WireGuard server:
config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'
	option reqprefix '56'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option ip6assign '60'
	option proto 'static'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'redacted'
	option listen_port '51820'
	list addresses 'fe80::16cc:20ff:fead:838f/64'
	option ip6assign '60'

config wireguard_wg0
	option description 'rt3200'
	option public_key 'redacted'
	list allowed_ips '::0/0'
lan and wg0 are in the lan firewall zone.
Multiple router 2s are connected to the R1 LAN or to WireGuard. As I said above, connecting a router 2 by a local wired or wireless connection works fine by simply making wan6 a DHCP client. For the WireGuard connection I used an IPv4-only link for the encrypted packets, to simulate having the router at a remote site with only IPv4 access.
The configuration of the WireGuard router 2 is:
config interface 'wan6'
	option device '@wg0'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'redacted'
	list addresses 'fe80::ea9f:80ff:fe4f:e823/64'

config wireguard_wg0
	option description 'ip6-r1'
	option public_key 'redacted'
	list allowed_ips '::/0'
	option route_allowed_ips '0'
	option endpoint_host '192.168.41.161'
	option endpoint_port '51820'
	option persistent_keepalive '25'
Assigning link-local addresses manually was essential to make anything happen. This will pull configuration from R1:
root@ip6-r2d:~# ifstatus wan6
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 12756,
	"l3_device": "wg0",
	"proto": "dhcpv6",
	"device": "wg0",
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
	],
	"ipv6-address": [
		{
			"address": "3d51:eaab:117b:120::6ac",
			"mask": 128,
			"preferred": 2832,
			"valid": 2832
		},
		{
			"address": "3d51:eaab:117b:120:ea9f:80ff:fe4f:e823",
			"mask": 64,
			"preferred": 2831,
			"valid": 6764
		}
	],
	"ipv6-prefix": [
		{
			"address": "3d51:eaab:117b:124::",
			"mask": 62,
			"preferred": 2832,
			"valid": 2832,
			"class": "wan6",
			"assigned": {
				"lan": {
					"address": "3d51:eaab:117b:124::",
					"mask": 64
				}
			}
		}
	],
	"ipv6-prefix-assignment": [
	],
	"route": [
		{
			"target": "3d51:eaab:117b:100::",
			"mask": 56,
			"nexthop": "fe80::16cc:20ff:fead:838f",
			"metric": 512,
			"valid": 1364,
			"source": "3d51:eaab:117b:124::/62"
		},
		{
			"target": "3d51:eaab:117b:100::",
			"mask": 56,
			"nexthop": "fe80::16cc:20ff:fead:838f",
			"metric": 512,
			"valid": 1364,
			"source": "3d51:eaab:117b:120:ea9f:80ff:fe4f:e823/64"
		},
		{
			"target": "3d51:eaab:117b:100::",
			"mask": 56,
			"nexthop": "fe80::16cc:20ff:fead:838f",
			"metric": 512,
			"valid": 1364,
			"source": "3d51:eaab:117b:120::6ac/128"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::16cc:20ff:fead:838f",
			"metric": 512,
			"valid": 1364,
			"source": "3d51:eaab:117b:124::/62"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::16cc:20ff:fead:838f",
			"metric": 512,
			"valid": 1364,
			"source": "3d51:eaab:117b:120:ea9f:80ff:fe4f:e823/64"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::16cc:20ff:fead:838f",
			"metric": 512,
			"valid": 1364,
			"source": "3d51:eaab:117b:120::6ac/128"
		}
	],
	"dns-server": [
		"3d51:eaab:117b:120::1"
	],
	"dns-search": [
	],
	"neighbors": [
	],
	"inactive": {
		"ipv4-address": [
		],
		"ipv6-address": [
		],
		"route": [
		],
		"dns-server": [
		],
		"dns-search": [
		],
		"neighbors": [
		]
	},
	"data": {
		"passthru": "001700103d51eaab117b01200000000000000001"
	}
}
This router is presently connected to the PC used to post this (over IPv6), but I have to cheat and allow an IPv4 link to my DNS server, because pinging R1 for DNS does not work:
root@ip6-r2d:~# ping6 3d51:eaab:117b:120::1
PING 3d51:eaab:117b:120::1 (3d51:eaab:117b:120::1): 56 data bytes
ping6: sendto: Host is unreachable
It really looks like it should work. The routing table in r2d is:
root@ip6-r2d:~# ip -6 route show
default from 3d51:eaab:117b:120::6ac via fe80::16cc:20ff:fead:838f dev wg0 proto static metric 512 pref medium
default from 3d51:eaab:117b:120::/64 via fe80::16cc:20ff:fead:838f dev wg0 proto static metric 512 pref medium
default from 3d51:eaab:117b:124::/62 via fe80::16cc:20ff:fead:838f dev wg0 proto static metric 512 pref medium
3d51:eaab:117b:100::/56 from 3d51:eaab:117b:120::6ac via fe80::16cc:20ff:fead:838f dev wg0 proto static metric 512 pref medium
3d51:eaab:117b:100::/56 from 3d51:eaab:117b:120::/64 via fe80::16cc:20ff:fead:838f dev wg0 proto static metric 512 pref medium
3d51:eaab:117b:100::/56 from 3d51:eaab:117b:124::/62 via fe80::16cc:20ff:fead:838f dev wg0 proto static metric 512 pref medium
unreachable 3d51:eaab:117b:120::/64 dev lo proto static metric 2147483647 pref medium
3d51:eaab:117b:124::/64 dev br-lan proto static metric 1024 pref medium
unreachable 3d51:eaab:117b:124::/62 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wg0 proto kernel metric 256 pref medium
This is almost identical to a route table in a working r2 with wan6 connected by wifi:
root@ip6-r2b:~# ip -6 route show
default from 3d51:eaab:117b:100::/64 via fe80::16cc:20ff:fead:838d dev wlan0 proto static metric 512 pref medium
3d51:eaab:117b:100::/56 from 3d51:eaab:117b:100::/64 via fe80::16cc:20ff:fead:838d dev wlan0 proto static metric 512 pref medium
3d51:eaab:117b:100::/64 dev wlan0 proto static metric 256 pref medium
unreachable 3d51:eaab:117b:100::/64 dev lo proto static metric 2147483647 pref medium
fd66:cc6:f675::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd66:cc6:f675::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wlan1 proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/64 dev 464-wan6_4 proto kernel metric 256 pref medium
tcpdump shows nothing entering or leaving wg0 during a ping attempt. I've been looking at this for days and can't figure it out. Any ideas appreciated.
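As an added example (not part of the post above and not OpenWrt code), here is a simplified model of the kernel's IPv6 route selection run over the two route tables quoted in the post: longest destination prefix first, then a source-specific ("from") route that covers the packet's source beats a plain one, then lowest metric. The r2d and r2b tables are copied from the post (abridged to one fe80::/64 line each, since link-local routes never match a GUA destination). The source address 3d51:eaab:117b:120::6ac is the one ifstatus shows on wg0; using 3d51:eaab:117b:100::1 as R1's LAN address, 3d51:eaab:117b:100::abcd as r2b's wlan0 address, 2001:db8::1 as an external host, and the extra on-link route added to the wg0 table in the last case are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Route tables copied from the `ip -6 route show` output in the post (abridged).
R2D_ROUTES = """
default from 3d51:eaab:117b:120::6ac via fe80::16cc:20ff:fead:838f dev wg0 proto static metric 512 pref medium
default from 3d51:eaab:117b:120::/64 via fe80::16cc:20ff:fead:838f dev wg0 proto static metric 512 pref medium
default from 3d51:eaab:117b:124::/62 via fe80::16cc:20ff:fead:838f dev wg0 proto static metric 512 pref medium
3d51:eaab:117b:100::/56 from 3d51:eaab:117b:120::6ac via fe80::16cc:20ff:fead:838f dev wg0 proto static metric 512 pref medium
3d51:eaab:117b:100::/56 from 3d51:eaab:117b:120::/64 via fe80::16cc:20ff:fead:838f dev wg0 proto static metric 512 pref medium
3d51:eaab:117b:100::/56 from 3d51:eaab:117b:124::/62 via fe80::16cc:20ff:fead:838f dev wg0 proto static metric 512 pref medium
unreachable 3d51:eaab:117b:120::/64 dev lo proto static metric 2147483647 pref medium
3d51:eaab:117b:124::/64 dev br-lan proto static metric 1024 pref medium
unreachable 3d51:eaab:117b:124::/62 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev wg0 proto kernel metric 256 pref medium
"""

R2B_ROUTES = """
default from 3d51:eaab:117b:100::/64 via fe80::16cc:20ff:fead:838d dev wlan0 proto static metric 512 pref medium
3d51:eaab:117b:100::/56 from 3d51:eaab:117b:100::/64 via fe80::16cc:20ff:fead:838d dev wlan0 proto static metric 512 pref medium
3d51:eaab:117b:100::/64 dev wlan0 proto static metric 256 pref medium
unreachable 3d51:eaab:117b:100::/64 dev lo proto static metric 2147483647 pref medium
fd66:cc6:f675::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd66:cc6:f675::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
"""


@dataclass
class Route:
    dst: ipaddress.IPv6Network
    src: Optional[ipaddress.IPv6Network]  # "from" prefix; None means any source
    dev: str
    via: Optional[str]
    metric: int
    unreachable: bool


def parse_table(text: str) -> List[Route]:
    """Parse `ip -6 route show` lines into Route records."""
    table = []
    for line in text.strip().splitlines():
        tok = line.split()
        unreachable = tok[0] == "unreachable"
        if unreachable:
            tok = tok[1:]
        dst = "::/0" if tok[0] == "default" else tok[0]
        # Everything after the destination is "key value" pairs.
        fields = {tok[i]: tok[i + 1] for i in range(1, len(tok) - 1, 2)}
        table.append(Route(
            dst=ipaddress.IPv6Network(dst),
            src=ipaddress.IPv6Network(fields["from"]) if "from" in fields else None,
            dev=fields.get("dev", ""),
            via=fields.get("via"),
            metric=int(fields.get("metric", 1024)),
            unreachable=unreachable,
        ))
    return table


def lookup(table: List[Route], dst: str, src: Optional[str] = None) -> Optional[Route]:
    """Simplified kernel selection: longest destination prefix wins; among equal
    destination prefixes a matching "from" route beats a plain one; then lowest
    metric. A "from" route whose prefix does not cover src is never a candidate,
    so a packet from an unassigned source can end up with no default route at all."""
    dst_addr = ipaddress.IPv6Address(dst)
    src_addr = ipaddress.IPv6Address(src) if src else None
    best, best_key = None, None
    for r in table:
        if dst_addr not in r.dst:
            continue
        if r.src is not None and (src_addr is None or src_addr not in r.src):
            continue
        key = (r.dst.prefixlen, r.src.prefixlen if r.src else -1, -r.metric)
        if best_key is None or key > best_key:
            best, best_key = r, key
    return best


def describe(route: Optional[Route]) -> str:
    if route is None:
        return "no route (ENETUNREACH)"
    if route.unreachable:
        return f"unreachable {route.dst} dev {route.dev} (EHOSTUNREACH, nothing is transmitted)"
    return f"{route.dst} dev {route.dev}" + (f" via {route.via}" if route.via else "")


R2D = parse_table(R2D_ROUTES)
R2B = parse_table(R2B_ROUTES)
# Hypothetical: the on-link /64 route the wlan0 table has for its upstream link,
# added to the wg0 table to show how the lookup result changes.
R2D_WITH_ONLINK = R2D + parse_table(
    "3d51:eaab:117b:120::/64 dev wg0 proto static metric 256 pref medium")

if __name__ == "__main__":
    src = "3d51:eaab:117b:120::6ac"          # r2d's wg0 address from ifstatus
    print("r2d -> R1 DNS    :", describe(lookup(R2D, "3d51:eaab:117b:120::1", src)))
    print("r2d -> external  :", describe(lookup(R2D, "2001:db8::1", src)))
    print("r2d, bad source  :", describe(lookup(R2D, "2001:db8::1", "fd00::1")))
    print("r2b -> R1 LAN    :", describe(lookup(R2B, "3d51:eaab:117b:100::1",
                                                "3d51:eaab:117b:100::abcd")))
    print("r2d + on-link /64:", describe(lookup(R2D_WITH_ONLINK, "3d51:eaab:117b:120::1", src)))
```

On the wg0 table the /64 "unreachable" entry is the longest match for 3d51:eaab:117b:120::1, and with nothing more specific or cheaper at that prefix it is what the lookup returns; on the wlan0 table the same /64 also has an on-link route with metric 256, which wins. The model ignores routing policy rules and neighbour state, so treat it as a way to read the tables, not as a substitute for `ip -6 route get`.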