Serving DHCPv6 without IPv4

How can I delegate public IPv6 addresses to my LAN without interfering with an existing IPv4 DHCP (and DNS) server?

I've already got a Linux box on the LAN (CentOS 7) running the ISC DHCP server to configure all my Windows and IoT settings. It's running BIND DNS and the ISC DHCP server adds client names and addresses to the local DNS.

I've got OpenWRT working on my ZyXEL NBG6817 as an IPv4 router and I can see it getting an IPv6 address from the upstream Comcast modem/router. I don't see how to disable the DHCP v4 function without killing the v6 delegations. Is that possible?

1 Like

@SpareSimian, welcome to the community!

  • Isn't that a question for Comcast?
  • I'm trying to understand - if the IPv6 address is coming from the Comcast device, how is this an OpenWrt question?
  • Are you saying that you cannot see this in OpenWrt:

[Screenshot from 2019-08-29 05-44-32]

1 Like

I want the LAN clients to get v6 router advertisements and addresses from the ZyXEL. I don't want them getting v4 addresses or DNS settings from it. (They already get that from the CentOS box.) I can set the v6 DHCP DNS setting to the CentOS box's local v6 address.

Under Status/Overview I can see that there's one v6 lease issued to my CentOS box and I can see that it has a public address assigned (2601:644...). I haven't been able to ping6 a public v6 address but I can ping6 the link addresses on the ZyXEL and on my Windows box. The Windows box hasn't acquired a public address and is failing the tests at http://test-ipv6-vm4.comcast.net/.

I probably need to reboot the clients a few more times to better characterize things as I've tried to manually mess with the routing tables and I'm sure I've screwed something up worse.

BTW, OpenWRT still looks much better than the stock factory firmware.

1 Like

Make sure the prefix delegation works properly:

ifstatus wan6
ifstatus lan

https://openwrt.org/docs/guide-user/network/ipv6/start

1 Like

On wan6 I'm seeing two records for ipv6-address (a /64 and /128) and ipv6-prefix is empty. lan has neither ipv6-address nor ipv6-prefix but has an fd10 address in ipv6-prefix-assignment.

Another data point: "ipconfig /renew6" gives a semaphore timeout error, suggesting that nothing's responding. I tried it with the firewall down. The Windows box does have two fd10 addresses and an fe80 address assigned.

1 Like

Automatic prefix delegation won't work in this case.

Make sure that:

  • You are using the latest stable OpenWrt release.
  • Your ISP provides DHCPv6 prefix delegation.

1 Like

I'm not sure how to determine that. It's Comcast residential.

Meanwhile, I re-enabled IPv6 on my ASUS running Merlin firmware, setting it to "passthrough", and that seems to work. So I pulled the source code for that from GitHub to see if I can figure out how that works and will adapt the internal settings to OpenWRT. (The ASUS fronts my backup Comcast account with the cheaper plan and the Merlin support for that model was dropped due to the age of the router.)

For Comcrap, at least where I am, you can request a /60.

The use case of only offering IPv6 addresses from the OpenWrt device seems reasonable. You may be able to accomplish that by disabling the DHCP feature of dnsmasq as I believe that IPv6 is handled by another service under OpenWrt.

I dug down through the Merlin code to see what the passthrough setting does, and it seems to start 6relayd, which has been replaced by odhcpd in OpenWRT. 6relayd is invoked in start_6relayd() here:

It's invoked as "6relayd -drs -Rrelay -Dserver -N -n -v wanifname lanifname".

I found this on how 6relayd was configured before odhcpd superseded it:

https://oldwiki.archive.openwrt.org/doc/uci/6relayd

I'm trying to track down some more detailed documentation on 6relayd to see if I can adapt that command into an odhcpd config.

While looking for 6relayd info, I tripped across this mailing list report about this migration from 2013. Not sure if it's relevant but as a software archaeologist it's interesting seeing the history of this stuff.

https://lists.bufferbloat.net/pipermail/cerowrt-devel/2013-August/006655.html

1 Like

Stop wasting time on those legacy tools; what you need is here:

1 Like

According to that, I should be able to set the requested prefix length to /60 and the delegated one to /64. I can see an address getting assigned to WAN6 but I'm not seeing clients get an address, yet. How do I know if I got a /60 instead of a /64?

1 Like

ifup wan6; sleep 10; ifstatus wan6

1 Like

In /etc/config/network:

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'
        option peerdns '0'
        option reqaddress 'try'
        option reqprefix '60'

From ifstatus wan6:

        "ipv6-address": [
                {
                        "address": "2601:644:2:7919:fef5:28ff:fed3:5d07",
                        "mask": 64,
                        "preferred": 323541,
                        "valid": 323541
                },
                {
                        "address": "2601:644:2:7919::a9d8",
                        "mask": 128,
                        "preferred": 600538,
                        "valid": 600538
                }
        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "2601:644:2:7919::",
                        "mask": 64,
                        "nexthop": "::",
                        "metric": 256,
                        "valid": 323541,
                        "source": "::\/0"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::1ab8:1fff:fe47:c70e",
                        "metric": 512,
                        "valid": 176,
                        "source": "2601:644:2:7919:fef5:28ff:fed3:5d07\/64"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::1ab8:1fff:fe47:c70e",
                        "metric": 512,
                        "valid": 176,
                        "source": "2601:644:2:7919::a9d8\/128"
                }
        ],

uci show network; uci show dhcp

1 Like

root@zyxel:/etc/config# uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd10:41a8:a3bd::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.ipaddr='10.96.0.253'
network.lan.netmask='255.128.0.0'
network.lan.dns='10.96.0.132'
network.lan.ip6assign='64'
network.wan=interface
network.wan.ifname='eth1.2'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.ifname='eth1.2'
network.wan6.proto='dhcpv6'
network.wan6.peerdns='0'
network.wan6.reqaddress='try'
network.wan6.reqprefix='60'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='1 2 3 4 0t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='5 6t'
root@zyxel:/etc/config# uci show dhcp
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcp_option='6,10.96.0.132'
dhcp.lan.ra='relay'
dhcp.lan.dhcpv6='relay'
dhcp.lan.ndp='relay'
dhcp.lan.dns='fe80::200'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'

2 Likes

Is your ISP modem in bridge mode?

Not in bridged mode. It's Xfinity's Arris modem and its connection status page shows a delegated prefix with a /64. (I hadn't thought to look at the modem's page, as I hadn't needed to mess with it for quite some time.)

BTW, the main reason I have a router after their modem/router is because their web management doesn't let me disable their DHCP function. I notice they have both IPv4 and IPv6 DHCP servers.

I've got the link between modem and router set to 172.24.0.0/24 with the modem as .1 and the ZyXEL as .2.

1 Like

Your ISP modem is handling the PD'd IPv6 subnet.
If possible, switch to bridge mode and let your router be the gateway.

2 Likes
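An added example, not part of any post in this thread: a Python sketch of the check discussed above, reading `ifstatus wan6` JSON and telling an address-only WAN lease (empty `ipv6-prefix`) from a delegated prefix, and counting how many LAN subnets of the `ip6assign` size the delegation can hold. The first sample is trimmed from the output posted earlier; the second uses the 2001:db8::/32 documentation range and is constructed; the function name and verdict strings are assumptions.

```python
import ipaddress
import json

def pd_report(ifstatus_json, lan_assign_len=64):
    """Summarise an `ifstatus wan6` JSON document (hypothetical helper)."""
    status = json.loads(ifstatus_json)
    prefixes = [ipaddress.ip_network(f"{p['address']}/{p['mask']}", strict=False)
                for p in status.get("ipv6-prefix", [])]
    addresses = [ipaddress.ip_interface(f"{a['address']}/{a['mask']}")
                 for a in status.get("ipv6-address", [])]
    # How many LAN subnets of size ip6assign fit into what was delegated.
    lan_subnets = sum(2 ** (lan_assign_len - p.prefixlen)
                      for p in prefixes if p.prefixlen <= lan_assign_len)
    if prefixes:
        verdict = "delegated"
    elif addresses:
        # WAN addresses but an empty ipv6-prefix list: the upstream device
        # answered for addresses only, so there is nothing to hand to the LAN.
        verdict = "address-only"
    else:
        verdict = "no-ipv6"
    return {"verdict": verdict,
            "prefixes": [str(p) for p in prefixes],
            "wan_addresses": [str(a) for a in addresses],
            "lan_subnets": lan_subnets}

# Trimmed from the ifstatus wan6 output posted in this thread.
THREAD_SAMPLE = """{
  "ipv6-address": [
    {"address": "2601:644:2:7919:fef5:28ff:fed3:5d07", "mask": 64},
    {"address": "2601:644:2:7919::a9d8", "mask": 128}
  ],
  "ipv6-prefix": [],
  "ipv6-prefix-assignment": []
}"""

# Constructed sample: a /60 from the 2001:db8::/32 documentation range.
CONSTRUCTED_PD = """{
  "ipv6-address": [{"address": "2001:db8:ffff::2", "mask": 128}],
  "ipv6-prefix": [{"address": "2001:db8:0:10::", "mask": 60}]
}"""

if __name__ == "__main__":
    for name, doc in (("thread", THREAD_SAMPLE), ("constructed", CONSTRUCTED_PD)):
        print(name, pd_report(doc))
```

On the router, the input can be captured with `ifstatus wan6 > wan6.json` and the file contents passed to `pd_report`.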

Damn, I didn't think bridge mode was available on their residential connection. It's a switch in the main Gateway At a Glance page. I'll have to try that once the family is done using the Internet for the day.

1 Like

After switching to bridge mode and restoring the router setting to stock, I'm seeing v6 addresses everywhere, so things seem to be mostly working.

I ran the following v6 connectivity test and it tells me that the large packet ICMP isn't getting through, so it can't do PMTUD. I don't know what to do with that.

http://test-ipv6-vm4.comcast.net/index.html.en_US

Under Network/Firewall/Traffic Rules, I can see Allow ICMPv6-Forward is enabled. So I guess something else must be blocking those packets.