I operate two networks here, my "home net" and my "desk net". My LEDE router connects these two, the "home net" being behind the wan port and the "desk net" behind the lan ports. The (non-LEDE) home net router which also provides access to the internet and the LEDE router acquires a global ipv6 prefix via PD from the home net router.
Now to allow local communication independent of the global prefix provided by my ISP I configured ULA addresses in both networks ("home net": fdb0:5279:7365:0::/64 and "desk net": fdb0:5279:7365:100::/64).
The missing part in the puzzle now is that the clients in the home net learn that they can access the desk net via my LEDE router. (The other direction is no problem as the LEDE router serves as default gateway.)
To accomplish that the (IMHO) best option would be if the LEDE router sent router advertisements (RA) into the home net, announcing itself as router to the desk net ULA prefix.
I wonder how I could do that. Normally I would have picked radvd for this job, but this package doesn't exist any more in LEDE (or OpenWRT) and odhcpd is supposed to fulfill its tasks. I failed to find in the docs if (and how) the latter can send RAs to the wan interface. Can somebody give an advice here?
The obvious alternative is to teach the home net router about the desk net ULA prefix but that's less pretty because it hardcodes redundant data and so doesn't benefit from the nice automatic stuff built into ipv6.
That should be pretty straightforward:
Log in to LuCi -> Network -> Interfaces
Select WAN -> Edit
Scroll down to 'DHCP Server' and select 'IPv6 Settings'
'Router Advertisement-Service' -> select 'Server Mode' and tick 'Always announce default router'
I don't have luci installed so I'm interested in a solution that only involves editing config files. Apart from that I expect that "Always announce default router" is wrong, as I don't want to announce another default router in the home net, only one for the ULA addresses used in the desk net.
This will activate RAs on the WAN interface. You have to configure your prefixes in /etc/config/network. I assumed you did that already. In case you did not, you should probably add the following there in config interface 'wan':
It's not giving out addresses. It's advertising a prefix. It's up to the clients to assign themselves a prefix from the ones advertised. I'm not sure though if you'll manually have to add routes so different ULA-segments can talk to each other. ULAs are also a bit new for me.
And that's not what I want. The clients on wan should not pick an address from the ULA prefix, they should only learn, that they can reach the ULA net via the OpenWrt box.
Ah, okay, so clients on WAN get the public IPv6 prefix, but they should be able to reach clients on LAN using the ULA that is distributed in LAN? I am not sure if that is allowed in IPv6 and if the kernel can handle this.
Why don't you want to assign ULA to your clients on WAN?
Would it be a problem to have this managed by LEDE instead? Right now I can't figure out how to do it. IPv6-address configuration seems to be not as granular as one might want to...or I am thinking concepts wrongly
Oh well, I think I managed it. Give me a few minutes to write it up! Can't tell if it will work with a second router!
If this doesn't work, it would probably be good to provide us with a sketch of your network setup. How does the home net router connect to the wan port? Do you also use a switch or you just plugged the LEDE-WAN into one of the non-LEDE LAN-ports?
A non-LEDE/OpenWRT router (Fritz!Box provided by my ISP) is connected to the internet and provides DHCPv4, DNS, IPv6 PD, IPv6 ULA (prefix: fdb0:5279:7365::/64) etc. The inner side of the Fritz!Box is what I called "home net" in my initial post.
My OpenWRT box is a client in "home net" with its wan interface and so gets an address in the fdb0:5279:7365::/64 network and a global IPv6 address. Further it requests a global subnet from the Fritz!Box for its lan side. On its lan interface it also announces fdb0:5279:7365:100::/64 ("desk net").
What I want now is that a client in the desk net (e.g. fdb0:5279:7365:100::23) can talk to a client in the home net (e.g. fdb0:5279:7365:0::42).
To accomplish that I want the OpenWRT box to send router announcements to the home net (i.e. on its wan interface) telling: "Hey, machines out there, to reach fdb0:5279:7365:100::/64 route via me". That is accomplished using the "Route Information" Option in the ICMPv6 package according to rfc4191 (Section 2.3) that is also used to announce the default route on the lan side.
As a bonus also let the OpenWRT box send router announcements to the desk net (i.e. on its lan interface) telling: "Hey, to reach fdb0:5279:7365::/64 route via me". (This is lower prio though as the OpenWRT box is the default router for the machines in the desk net. So this is only relevant when the Fritz!Box stops announcing a default route because there is a problem with the internet connection.)
First one general question: would it be feasible to NOT run LEDE as a client, but just as a switch and have everything handled directly by the FritzBox (FB)?
But, I am actually wondering why this isn't working out of the box? FB is manually given a ULA prefix (/48 btw.). It assigns itself one /64 in the homenet and advertises it their, and it delegates the prefix further to the LEDE box. The LEDE box assigns itself a /64 and then advertises this to the LAN/desknet clients.
So all clients both in home and desk get assigned a ULA address? If so, what happens if you try to ping across the segments? Could it just be a misconfigured firewall, that treats WAN as potentially evil and blocks incoming ULA? But also, I am not sure if downstream routers have to announce which prefixes they're using themselves, and if they have to, I don't know if odhcpd is doing this (I think it should).
One added question: could you maybe also just let the LEDE box handle the ULA advertisement for both segments instead of the FB? It seems dirty but might be easier than compiling your own odhcpd.
But actually I think the following in /etc/config/dhcp should be sufficient:
Maybe experimenting with option ra 'relay' on the LAN interface of the LEDE box could be interesting. I haven't really understood the concept of odhcpd in relay-mode. Or maybe you have to set option ignore '1'. Documentation is not really clear what does what. It could be that the ignore-option enabled RAs with RI but without advertising a prefix.
re "use a switch instead of routing": No, I want to route for better separation of the networks. In my desk net there are sometimes untrusted machines that I don't want to let access the internet or the home network.
Regarding the ULA prefix: This is manually configured in the OpenWrt box. I assumed (but didn't check) that the FB doesn't offer a delegation of its ULA prefix. (Also I would expect that I have to handle getting a different subnet occasionally which makes my /etc/hosts wrong ...)
If I try to ping as is from desknet to homenet ULA, I don't get any replies as the homenet machines don't have a route for fdb0:5279:7365:100::/64.
I quickly looked at the pull request, and actually I would prefer if just the available routes on WAN would be announced on LAN and vice versa. This would then even cover the now special handling of the default route.
I don't want to let OpenWrt handle advertising ULA on both nets because the home network should also work when the OpenWrt box is off.
Having looked at the odhcpd code I don't think that your snipped will announce routes. And I'm not deeply afraid of patching software on my router, so I might take another turn in the odhcpd code when I find the time (which currently is not foreseeable )
But it seems you can only set a /64 for ULA in the Fritz!Box. You should send a feature request to AVM to allow setting a /48 and to enable delegation of ULA prefixes. Usually they listen to such requests.
I'm facing the exact same problem as Uwe in 2017: tell hosts connected to the WAN interface of an OpenWRT router how to reach the network connected to its LAN interface. The solution that I would like to use is precisely the one that Uwe described in its first post, i.e., have the router send RAs on its WAN interface to announce itself as router to the LAN network. These RAs would only contain a Route Information option, as specified in RFC4191.
Is it possible to configure OpenWRT so that it send RAs on its WAN interface with just a Route Information option? I'm currently using 18.06.5 by the way.
If that's not possible, what is the good way to solve this problem? I am currently relying on ICMP redirects (sent by the main router of the network connected to the WAN interface of the OpenWRT router), but this is not optimal.