Problems getting native IPv6 to work with LUCI

jus7incase · August 7, 2020, 7:46pm

My provider gives out a public /56 prefix via DHVPv6.
Before I show the setup - what is the problem:
The client recieves the ULA and public addresses properly, no problem here. WHen the client pings a IPv6 host, the ICMPv6 echos are not forwarded by OpenWRT to the WAN6 interface.

sysctl -a | grep "_ra = 2" shows that the OpenWRT interfaces to not accept any RAs. When I set this to 2 for WAN6, the LAN interface and the relevant VLAN interface, forwarding starts to work. (When I removed all firewall rules).

My goal is it to get the config properly through LUCI, I do not want to have 2 levels to manage, CLI and LUCI. So far I was able to get everything done through LUCI alone, so I hope it will also be possible in this case.

Now the config:

lleachii · August 7, 2020, 7:53pm

What version of OpenWrt are you running?

Can you clarify what this means?

jus7incase · August 7, 2020, 7:57pm

Version 19.07.3.

lleachii · August 7, 2020, 7:59pm

Did you ever erase the default IPv6 rules in OpenWrt before you begun your config?

(i.e. the ones that allow RA, ICMPv6, etc.)

jus7incase · August 7, 2020, 8:00pm

I do have rules for that, let me grab them for you

jus7incase · August 7, 2020, 8:09pm

I Flushed the tables for INPUT, OUTPUT and FORWARD to make sure that during troubleshooting the firewall would not get in the way

lleachii · August 7, 2020, 8:16pm

Wow...

Hummmm, then it worked, correct?
What's your LAN DHCPv6 config? (I assume the "client" is in LAN???)
What is the config for forwarding from LAN to WAN?
What is Interface PRIO? (is that where the client is!?!?)
- What is the PRIO to WAN Zone forwarding setting?

OK...be clear:

are you referring to the ECHO-REQUEST from the client; or
an ECHO-REPLY from WAN
where are you monitoring this/how did you determine that?

(I assume the former.)

Definitely tell is what zone the client's in; and show us the: Local, DHCPv6 and Zone to WAN settings
depending on how you monitored, did you get any corresponding ICMP error messages to this traffic

jus7incase · August 7, 2020, 8:26pm

lleachii:

Hummmm, then it worked, correct?

Correct

What's your LAN DHCPv6 config? (I assume the "client" is in LAN???)

irrelevant, there is nothing in there.

What is the config for forwarding from LAN to WAN?

not sure what you mean by forwarding config. Du you mean the Firewall zone forwarding config?

What is Interface PRIO? (is that where the client is!?!?)

Correct. This is where the client is.

What is the PRIO to WAN Zone forwarding setting?

Screenshot 2020-08-07 at 22.20.25.cleaned1374×874 92 KB

jus7incase:

WHen the client pings a IPv6 host, the ICMPv6 echos are not forwarded by OpenWRT to the WAN6 interface.

PRIO is allowed to forward to destination WAN6
PRIO is NOT allowed to foward from source WAN6

OK...be clear:

are you referring to the ECHO-REQUEST from the client; or

Correct, openwrt does not forward the echo requests and replies to the client with destination unreachable (as seen with Wireshark on the PRIO interface). The Echo requests do not go out on the WAN6 interface (Wireshark on WAN6).

an ECHO-REPLY from WAN

Negative. The echo request does not go out to the Internet. (Wireshark on WAN6)

where are you monitoring this/how did you determine that?
(Wireshark, see above)

(I assume the former.)

Definitely tell is what zone the client's in; and show us the: Local, DHCPv6 and Zone to WAN settings

Client is in Zone PRIO. PRIO->WAN settings above. DHCPv6 for PRIO was in the initial posting.

Not sure what you mean by Local...?!

depending on how you monitored, did you get any corresponding ICMP error messages to this traffic

When the Client sends ICMP Echo Request then OpenWRT replied with Destination Unreachable to the client. This happens on Interface PRIO. Nothing is seen on WAN6 about this transaction.

lleachii · August 7, 2020, 8:38pm

Disregard, I see the settings. PRIO does not have a static IPv6 address, nor one assigned from WAN6 in its active status...

You need to add in /etc/config/network under PRIO:

option ip6class 'wan6'

I don't need WAN setting above, I need you to screensot PRIO on the General Firewall page, so I can see if you allowed forwarding from PRIO to WAN. Example using "guest":

screen80

You should have one for PRIO.

jus7incase · August 7, 2020, 8:43pm

This exists for PRIO. I also wrote that in my last post:

PRIO is allowed to forward to destination WAN6
PRIO is NOT allowed to foward from source WAN6

The screenshot in the above post was NOT for WAN, it was for PRIO (see covered interfaces: PRIO)

Do you know what setting in LUCI is responsible for setting ... accept_ra to 2 for a given interface?

jow · August 7, 2020, 8:50pm

On OpenWrt we handle RAs in userspace (odhcpd for emitting, odhcp6c for receiving). The Kernel mechanisms (accept_ra & friends) are disabled on purpose.

Could you share the output of ifstatus wan6, ifstatus prio as well as uci export network and uci export dhcp ? You might need to redact IPs.

jus7incase · August 7, 2020, 8:51pm

I see. Then why did it start to work when I used sysctl to ser accept_ra to 2?

jow · August 7, 2020, 8:53pm

Because the kernel started processing RAs and adding IPv6 prefixes etc, something which odhcp6c is supposed to do in the normal case. You either experience a bug (less likely) or there's a small configuration flaw somewhere (more likely)

jus7incase · August 7, 2020, 8:53pm

OK I am happy you guys are taking care. I really appreciate that.

jus7incase · August 7, 2020, 8:55pm

I'd rather not. It would be a lot to redact. Is there something you are looking out for and I give that particular pieace o check it myself. Or we go closed, but out here its too much detail.

jus7incase · August 7, 2020, 9:02pm

network:

config interface 'wan6'
	option ifname '@wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option auto '0'

config interface 'prio'
	option proto 'static'
	option ifname 'redacted'
	option ipaddr 'redacted'
	option netmask '255.255.255.0'
	option ip6assign '64'

dhcp:

config dhcp 'wan6'
	option interface 'wan6'
	option ignore '1'

ifstatus prio:

{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 9141,
	"l3_device": "redacted",
	"proto": "static",
	"device": "same as I3_device",
	"updated": [
		"addresses"
	],
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		{
			"address": "redacted",
			"mask": 24
		}
	],
	"ipv6-address": [
		
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		{
			"address": "xxxx:yyyy:zzz:aaaa::",
			"mask": 64,
			"preferred": 2941,
			"valid": 2941,
			"local-address": {
				"address": "<above-address>::1",
				"mask": 64
			}
		},
		{
			"address": "fdaa:dead:babe:a::",
			"mask": 64,
			"local-address": {
				"address": "fdaa:dead:babe:a::1",
				"mask": 64
			}
		}
	],
	"route": [
		
	],
	"dns-server": [
		
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		
	}
}

ifstatus wan6:

{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 898,
	"l3_device": "redacted",
	"proto": "dhcpv6",
	"device": "same-as-I3_device",
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		
	],
	"ipv6-address": [
		{
			"address": "redacted",
			"mask": 128,
			"preferred": 2702,
			"valid": 2702
		}
	],
	"ipv6-prefix": [
		{
			"address": "redacted::",
			"mask": 56,
			"preferred": 2702,
			"valid": 2702,
			"class": "wan6",
			"assigned": {
				"vlan1": {
					"address": "<redacted address of vlan1 interface>::",
					"mask": 64
				},
				"vlan2": {
					"address": "<address for interface vlan2::",
					"mask": 64
				},
.
.
.
				"vlan-n": {
					"address": "redacted vlan n interface address::",
					"mask": 64
				},
			}
		}
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::redacted",
			"metric": 384,
			"valid": 1616,
			"source": "redacted delegated prefix::/56"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::redacted-provider-device-address",
			"metric": 384,
			"valid": 1616,
			"source": "redacted/128"
		}
	],
	"dns-server": [
		"redacted",
		"redacted"
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		"passthru": "001700202a022457030c010100000000000000112a022457030c01010000000000000012"
	}
}

jow · August 7, 2020, 9:10pm

Short of increasing ip6assign to something larger (try e.g. 60) I don't have any specific ideas on what might be wrong in your case.

You said clients receive ULAs as well as GUAs from your delegated space, so that part appears to work fine.

What kind of Operating system is running on the client? Also how did you determine that ICMPv6 echos are not forwarded? Through tcpdump?

lleachii · August 7, 2020, 9:16pm

Well you can't assign it statically since your ISP changes it...

I know of no way to configure option ip6class via LuCI.

Step 1 -The command to enter the editor is: vi /etc/config/network
Step 2 - move down to PRIO interface
Step 3 - hit INSERT to edit and enter on the last line to insert
Step 4 - add option ip6class 'wan6' line
Step 5 - hit ESC to stop editing
Step 6 :wq to save and quit
Step 7 - /etc/init.d/network reload
- or just go back to LuCI and (Stop/Start) the interface

(The Kernel is smart enough to know it doesn't have a corresponding [Public] IP on that interface...yet )

jus7incase · August 7, 2020, 9:19pm

wrote it in detail further up. short: tcpdump on interfaces wan6 and prio.

lleachii · August 7, 2020, 9:19pm

/64 is OK and normal for a LAN, unless I'm missing something....?