Relay a single IPv6 /64 prefix into several VLANs

Hi everyone!

I have 3 VLANs in my home network: LAN, IOT and Guest.
I'm getting only a /64 IPv6 prefix from my ISP on the WAN port of my OpenWrt router, and while I'm waiting for an answer from my ISP, I'm using the IPv6 relay mode solution.

My questions below are addressed to the more experienced OpenWrt users here:

  1. Should I avoid the IPv6 relay mode configuration for several VLAN interfaces if I get only a /64 on WAN?
Relay single /64 IPv6 into several VLANs configuration:
config dhcp 'wan6'
        option interface 'wan6'
        option master '1'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'
        ...
config dhcp 'lan'
        option interface 'lan'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'
        ...
config dhcp 'IOT'
        option interface 'IOT'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'
        ...
  2. If I should avoid it, then why? (I really don't have any problem with this configuration at the moment, and am only concerned about possible security and reliability issues with this config.)
Thanks.

Details of my test setup can be found here

Because the "LAN" VLAN is my main network, the IPv6 relay is enabled for LAN only.
Everything works fine, I'm getting IPv6 in the main VLAN ("LAN"): I can reach any IPv6 resources, https://ipv6-test.com/ says that IPv6 connectivity is available, so everything is fine.

But 1 week ago I enabled IPv6 relay mode for the second VLAN "IOT" (so in general, I have IPv6 relay enabled on both interfaces: vlan1 "LAN" and vlan2 "IOT")... and IPv6 started working perfectly on both of them. :thinking:

Device connected to the IOT interface - IPv6 works:

Device connected to the LAN interface - IPv6 works:

root@OpenWrt:~# ubus call system board;
{
        "kernel": "5.10.134",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Xiaomi Mi Router 4A Gigabit Edition",
        "board_name": "xiaomi,mi-router-4a-gigabit",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.0-rc6",
                "revision": "r19590-042d558536",
                "target": "ramips/mt7621",
                "description": "OpenWrt 22.03.0-rc6 r19590-042d558536"
        }
}
root@OpenWrt:~# ip6tables-save -c; ifstatus wan6
-ash: ip6tables-save: not found
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 9628,
        "l3_device": "wan",
        "proto": "dhcpv6",
        "device": "wan",
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [

        ],
        "ipv6-address": [
                {
                        "address": "2a01:xxxx:xxxx:2500::3",
                        "mask": 128,
                        "preferred": 6573,
                        "valid": 10173
                },
                {
                        "address": "2a01:xxxx:xxxx:2500:2ad1:27ff:feb1:xxd9",
                        "mask": 64,
                        "preferred": 10660,
                        "valid": 14260
                }
        ],
        "ipv6-prefix": [
                {
                        "address": "2a01:xxxx:xxxx:2502::",
                        "mask": 64,
                        "preferred": 6573,
                        "valid": 10173,
                        "class": "wan6",
                        "assigned": {
                                "IOT": {
                                        "address": "2a01:xxxx:xxxx:2502::",
                                        "mask": 64
                                }
                        }
                }
        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "2a01:xxxx:xxxx:2500::",
                        "mask": 64,
                        "nexthop": "::",
                        "metric": 256,
                        "valid": 14260,
                        "source": "::/0"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::1",
                        "metric": 512,
                        "valid": 1660,
                        "source": "2a01:xxxx:xxxx:2500:2ad1:27ff:feb1:xxd9/64"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::1",
                        "metric": 512,
                        "valid": 1660,
                        "source": "2a01:xxxx:xxxx:2502::/64"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::1",
                        "metric": 512,
                        "valid": 1660,
                        "source": "2a01:xxxx:xxxx:2500::3/128"
                }
        ],
        "dns-server": [
                "2606:4700:4700::1113",
                "2606:4700:4700::1003"
        ],
        "dns-search": [

        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {
                "passthru": "001700202606470047000000000000000000111326064700470000000000000000001003"
        }
}

Any comments, guys?
@trendy, please, maybe you can provide some suggestions.

You have a /64 delegated to you, so you can use it on one interface, say lan, and relay to iot only.
Still very lame from the ISP.

If you are in the USA, and don't mind paying $16 per month for a premium-quality WireGuard VPN, I can recommend https://hoppy.network/. They give a static public IPv4 address and a /56 of IPv6. EDIT: from your other posts, I see that you are not from the USA, so please disregard this advice - it will work, but with a lot of latency.

Please talk to the ISP so that they allow switching their fiber router into bridge mode. Then the whole /56 will be available to OpenWrt.

Welp, you don't need to assign a whole 64-bit prefix via relay. Look for the advanced settings: IPv6 assignment length (ip6assign), IPv6 preference, IPv6 assignment hint (ip6hint).

READ THIS https://openwrt.org/docs/guide-user/network/ipv6/configuration#downstream_configuration_for_lan_interfaces

Choose a prefix length like, I dunno, 96, 112? No home user ever really needs a whole 64 bits of address space for an interface.

Interesting, does odhcpd support prefixes longer than /64 now? Last time I checked, it wouldn't.

Nope, that will break SLAAC and all Android devices.

Then it seems like DHCPv6 with smaller subnets (/96) is the option, if he.net isn't a viable solution.

Android devices don't use DHCPv6.

Thanks @trendy, it really works!
But it works only because I have IPv6-PD delegated from my ISP:

  • IPv6-PD: 2a01:xxxx:xxxx:2502::/64 on the WAN6 interface

So, based on the advice, I applied the following configuration, which has been working fine for me for ~1 week already:

config dhcp 'wan6'
        option interface 'wan6'
        option master '1'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'
        ....

config dhcp 'lan'
        option interface 'lan'
        option ra 'server'
        option dhcpv6 'server'
        ....

config dhcp 'IOT'
        option interface 'IOT'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'
        ....

Results:

  • WAN6: IPv6-PD: 2a01:xxxx:xxxx:2502::/64
  • LAN: IPv6: 2a01:xxxx:xxxx:2502::/64 - DHCPv6
  • IOT: IPv6: 2a01:xxxx:xxxx:2500::/64 - IPv6 relay mode
  • Guest: no IPv6

Regarding the initial question I raised at the beginning of this topic:

  • Should I avoid the IPv6 relay mode configuration for several VLAN interfaces if I get only a /64 on WAN?

All the search results I found led me to the conclusion: yes, this configuration should be avoided.
The main reason I found is that you will be on the same IPv6 subnet for all VLANs if you try to relay the IPv6 /64 from WAN into several VLANs, which is unacceptable from a security perspective (in my case it was the relay of the IPv6 prefix 2a01:xxxx:xxxx:2500::/64 into both LAN and IOT).
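To make the difference between the original and the revised configuration checkable on the router itself, here is an added shell example (not from the thread or from OpenWrt) that audits a `uci show dhcp` dump and reports which non-master dhcp sections relay the upstream prefix. The two dumps below are constructed from the configs posted above; on a real router you would feed it the output of `uci show dhcp` instead.

```shell
#!/bin/sh
# Constructed sample: the ORIGINAL config (lan and IOT both in relay mode).
UCI_ORIGINAL='dhcp.wan6=dhcp
dhcp.wan6.interface=wan6
dhcp.wan6.master=1
dhcp.wan6.ra=relay
dhcp.wan6.dhcpv6=relay
dhcp.wan6.ndp=relay
dhcp.lan=dhcp
dhcp.lan.interface=lan
dhcp.lan.ra=relay
dhcp.lan.dhcpv6=relay
dhcp.lan.ndp=relay
dhcp.IOT=dhcp
dhcp.IOT.interface=IOT
dhcp.IOT.ra=relay
dhcp.IOT.dhcpv6=relay
dhcp.IOT.ndp=relay'

# Constructed sample: the REVISED config (lan serves the PD, only IOT relays).
UCI_REVISED="$(printf '%s\n' "$UCI_ORIGINAL" | sed -e 's/^dhcp\.lan\.ra=relay/dhcp.lan.ra=server/' \
    -e 's/^dhcp\.lan\.dhcpv6=relay/dhcp.lan.dhcpv6=server/' -e '/^dhcp\.lan\.ndp=relay/d')"

# relay_clients DUMP: names of dhcp sections with ra=relay that are NOT the
# master (upstream) section, one per line, sorted.
relay_clients() {
    printf '%s\n' "$1" | awk -F'[.=]' '
        $1 == "dhcp" && NF == 4 && $3 == "master" && $4 == "1"     { master[$2] = 1 }
        $1 == "dhcp" && NF == 4 && $3 == "ra"     && $4 == "relay" { relay[$2] = 1 }
        END { for (s in relay) if (!(s in master)) print s }' | sort
}

# relay_count DUMP: how many downstream interfaces share the upstream /64 via relay.
relay_count() {
    relay_clients "$1" | wc -l | tr -d ' '
}

# verdict DUMP: "ok" when at most one downstream interface relays the /64,
# "shared-prefix" when several VLANs would end up in the same upstream subnet.
verdict() {
    if [ "$(relay_count "$1")" -gt 1 ]; then echo shared-prefix; else echo ok; fi
}

# Stand-alone run: audit both constructed dumps.
for dump in "$UCI_ORIGINAL" "$UCI_REVISED"; do
    echo "relay clients: $(relay_clients "$dump" | tr '\n' ' ')-> $(verdict "$dump")"
done
```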

Albeit using the same prefix, they are not bridged and firewall rules are still enforced between the zones, hence I don't think there will be any security risk. Of course you can (and should) try it out.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.