Router uses IPv6 well, but clients in LAN cannot; how to solve this?

My router itself uses IPv6 well, but clients in the LAN cannot. Clients have IPv6 addresses in the same net as the router LAN interface's IPv6 address, and a client can connect to OpenWrt via IPv6.

network topology

isp -> isp modem -> my main router -> openwrt -> pc
I cannot modify the ISP modem configuration

isp modem info:

GUA obtain method: SLAAC
GUA : 2408:8256:3073:a1e3:aaa:89ff:feb8:6bed
DNS obtain method: DHCPv6
DNS1: 2408:8888::8
DNS2: 2408:8899::8
prefix obtain method: DHCPv6
prefix: 2408:8256:3083:c747::/64
gateway obtain method: PPP
gateway: fe80::4ef9:5dff:fe8f:8da7

main router

The main router configuration is divided into two parts, WAN and LAN. If the configuration uses the automatic method and the PC connects to the main router directly, the PC uses IPv6 fine, but if OpenWrt is behind the main router and the PC is behind OpenWrt, OpenWrt uses IPv6 well but the PC does not. The PC can connect to OpenWrt via IPv6, as previously said.

Can I change the main router configuration to support having an OpenWrt router? I tried, but I know little about IPv6. The configuration was:

WAN

Address:  2408:8256:3083:c747:c228:bff:fee3:9e03 with 64 prefix, I think it was allocated by the ISP modem

Lan

路由广播配置 means router broadcast
prefix:

main router autoconfiguration result

WAN IP: 2408:8256:3083:c747:c228:bff:fee3:9e03/64
Default gateway: fe80::1 
DNS Server: fe80::1
LAN prefix: fdC0:280B:E39E:0200::/64
LAN Link-Local address: fe80::c228:bff:fee3:9e02 
WAN Link-Local address: fe80::c228:bff:fee3:9e03 

openwrt configuration

route info

# ip -6 route
default from fdc0:280b:e39e:200::/64 via fe80::c228:bff:fee3:9e02 dev eth0 proto static metric 512 pref medium
fd94:239d:c31d::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd94:239d:c31d::/48 dev lo proto static metric 2147483647 pref medium
fdc0:280b:e39e:200::/64 dev eth0 proto static metric 256 pref medium
unreachable fdc0:280b:e39e:200::/64 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium

network config

# uci export network
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd94:239d:c31d::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config device
        option name 'eth1'
        option macaddr '82:34:28:38:e9:5c'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '64'

config device
        option name 'eth0'
        option macaddr '80:34:28:38:e9:5c'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option peerdns '0'
        list dns '127.0.0.1'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option peerdns '0'
        list dns '::1'
        option reqprefix 'auto'

firewall

# uci export firewall
package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option target 'ACCEPT'
        list icmp_type 'echo-request'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option target 'ACCEPT'
        list src_ip 'fc00::/6'
        list dest_ip 'fc00::/6'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option target 'ACCEPT'
        list src_ip 'fe80::/10'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        option limit '1000/sec'
        option target 'ACCEPT'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'packet-too-big'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        option limit '1000/sec'
        option target 'ACCEPT'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include 'shadowsocks'
        option type 'script'
        option path '/var/etc/shadowsocks.include'
        option reload '1'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name '3389'
        option src 'wan'
        option src_dport '3389'
        option dest_ip '192.168.1.155'
        option dest_port '3389'

config forwarding
        option src 'wan'
        option dest 'lan'


dhcp

# uci export dhcp
package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option ednspacket_max '1232'
        option noresolv '1'
        list confdir '/etc/dnsmasq.d'
        list server '::1#5353'
        option cachesize '0'
        option localservice '1'
        list interface 'lan'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '365d'
        option ra 'server'
        list ra_flags 'none'
        option dhcpv6 'server'

config dhcp 'wan6'
        option interface 'wan6'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'
        option ignore '1'
        list ra_flags 'none'

pc

ipv6 : fd94:239d:c31d::bba;fd94:239d:c31d:0:3dda:150d:6a59:9ee4
ipv6 dns: fd94:239d:c31d::1

I have tried relay mode following the link below, but it failed
https://forum.openwrt.org/t/ipv6-working-on-router-but-not-on-clients/79416

I googled some posts similar to my situation; some people said changing the ISP modem from NAT to bridge mode can solve it. I'll try to contact my ISP support.

It is likely caused by too many rules on wan6, especially the "require only 64 prefix". Router should have a wider prefix if possible, so that one /64 can be assigned to lan. (Typically ISPs give /48 or /56)

The DHCP config file plays a major role in client IPv6 assignment. Please also show /etc/config/dhcp

I also wonder about the DNS setting on wan interfaces. Those look strange to me. (Usually not needed)

After struggling a while, I can now access the router via IPv6 successfully, and know a little more about IPv6, but still cannot access WAN. I have updated my config.

My OpenWrt is behind another main router, so I used NAT mode, and my main router seems to have a LAN prefix of 64 bits. Is this a problem?

Yes.
The openwrt router should preferably have more than /64 so that it can keep one /64 for itself and still assign more /64s for various LAN networks.

If you want relevant advice, please first explain all relevant info about your network topology.
Having double NAT changes a bit...

Hopefully your upper router can be set to assign more than /64.
Other option is to configure the openwrt router to IPv6 relay mode.

For security reasons, I'd prefer NAT mode, not relay mode.
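
Added example, not part of any post in this thread: traffic initiated from the wan zone toward LAN hosts is admitted or dropped by the firewall's zone forwardings, and the firewall export posted at the top of the thread contains one from `wan` to `lan`. The shell function below lists such forwardings from `uci export firewall` output; the function names are hypothetical and the sample input is constructed by trimming that export.

```shell
#!/bin/sh
# Added example: read `uci export firewall` output on stdin and print every
# 'config forwarding' section whose src zone is 'wan'. Such a section lets
# upstream-initiated traffic through without any per-port rule.

audit_forwardings() {
    awk '
        function unq(s) { gsub("\047", "", s); return s }  # drop single quotes
        function emit() {
            if (insec && src == "wan") print "wan->" dest
            insec = 0; src = ""; dest = ""
        }
        # A new section header closes the previous section.
        $1 == "config" { emit(); if ($2 == "forwarding") insec = 1; next }
        insec && $1 == "option" && $2 == "src"  { src  = unq($3) }
        insec && $1 == "option" && $2 == "dest" { dest = unq($3) }
        END { emit() }
    '
}

# Constructed sample, trimmed from the firewall export posted in the thread.
sample_firewall() {
    cat <<'EOF'
config zone
        option name 'wan'
        option input 'REJECT'
        option forward 'REJECT'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'wan'
        option dest 'lan'
EOF
}

sample_firewall | audit_forwardings
```

On the router itself the input would be `uci export firewall | audit_forwardings`; an empty result means no zone-level forwarding starts at `wan`.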

Finally resolved by flashing a new image, then editing the wan6 interface using LuCI:
Network -> Interfaces -> WAN6 -> DHCP Server

1. uncheck Ignore interface
2. check Designated master
3. change all to relay mode

Network -> Interfaces -> LAN -> DHCP Server -> IPV6 Settings

1. change all to relay mode

that's ok
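
Added example, not part of the original post: a shell check of `uci export dhcp` output against the three LuCI changes listed above, assuming they map to the `ignore`, `master` and `ra`/`dhcpv6`/`ndp` options of `/etc/config/dhcp`. The function names are hypothetical; the "before" sample is trimmed from the export posted earlier in the thread and the "after" sample is constructed.

```shell
# Added example: read `uci export dhcp` output on stdin and report where it
# differs from the relay setup. Sections checked default to lan and wan6.
check_relay() {
    awk -v want=" ${*:-lan wan6} " '
        function unq(s) { gsub("\047", "", s); return s }  # drop single quotes
        function emit() {
            if (name == "") return
            if (opt["ignore"] == "1") print name ": ignore is set"
            if (opt["ra"] != "relay" || opt["dhcpv6"] != "relay" ||
                opt["ndp"] != "relay") print name ": ra/dhcpv6/ndp not all relay"
            if (opt["master"] == "1") masters++
            name = ""; split("", opt)
        }
        $1 == "config" {
            emit()
            if ($2 == "dhcp" && index(want, " " unq($3) " ")) name = unq($3)
            next
        }
        name != "" && $1 == "option" { opt[$2] = unq($3) }
        END { emit(); if (masters != 1) print "masters: " (masters + 0) ", want 1" }
    '
}

# Constructed samples: "before" is trimmed from the export posted in the
# thread; "after" is what the described LuCI changes are assumed to produce.
before() { cat <<'EOF'
config dhcp 'lan'
        option ra 'server'
        option dhcpv6 'server'
config dhcp 'wan6'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'
        option ignore '1'
EOF
}
after() { cat <<'EOF'
config dhcp 'lan'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'
config dhcp 'wan6'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'
        option master '1'
EOF
}
before | check_relay; after | check_relay   # findings for "before", none for "after"
```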
