[Solved] Forward ipv6 to subnet

Hello everyone,

currently I have the following setup:
dsl router -> my openwrt router -> personal devices.
This is so that my personal devices have their own subnet, separated from my flatmates' devices, which are connected directly to the DSL router.

The main net uses the private ipv4 addresses 192.168.1.0/24 and my personal subnet 192.168.10.0/24. Everything including port forwarding just works just fine.

With IPv6 there's no NAT, I guess. So would I need to forward all DHCPv6 requests from my local subnet to my router? How do I set this up?
The wan6 interface on my OpenWrt router currently shows the message "Error: Network device is not present" on the web interface. This is strange, since my laptop/phone etc. get link-local and public IPv6 addresses when connected directly to the DSL router, and the DSL router also has a designated IPv6 range.
So my question is: how do I get public IPv6 working for my subnet? Currently I can only reach devices in my subnet via IPv4 and port forwarding, which takes some work to set up. I'd rather use private IPv6 addresses to access my devices from anywhere in the world.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*

For context: 192.168.1.2 is the ip for my router inside the main home network (192.168.1.1 is the dsl router). 192.168.10.1 is the ip for my router inside my subnet.

package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd80:****:****::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.10.1'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr '**:**:**:**:**:**'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option peerdns '0'
	option dns '1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4'
	option type 'bridge'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr '**:**:**:**:**:**'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	option type 'bridge'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'
	list dns '2001:4860:4860::8888'
	list dns '2001:4860:4860::8844'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/qca956x_wmac'
	option htmode 'HT20'
	option legacy_rates '1'
	option country 'DE'
	option channel '13'
	option __toggle 'Enable'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/ahb/ahb:apb/18100000.wmac'
	option htmode 'HT20'

config wifi-iface 'wifinet0'
	option ssid '***'
	option encryption 'psk2'
	option device 'radio1'
	option mode 'ap'
	option key '***'
	option network 'lan'

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'

config host
	option dns '1'
	option name '**My Desktop**'
	option ip '192.168.10.***'
	option mac '**:**:**:**:**:**'
	option duid '***'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option src 'wan'
	option name '***'
	option src_dport '****'
	option target 'DNAT'
	option dest_ip '192.168.10.***'
	option dest 'lan'

config redirect
	option dest_port '****'
	option src 'wan'
	option name '***'
	option src_dport '****'
	option target 'DNAT'
	option dest_ip '192.168.10.***'
	option dest 'lan'
	list proto 'tcp'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.10.1/24 brd 192.168.10.255 scope global br-lan
       valid_lft forever preferred_lft forever
19: br-wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.2/24 brd 192.168.1.255 scope global br-wan
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev br-wan  src 192.168.1.2 
192.168.1.0/24 dev br-wan scope link  src 192.168.1.2
192.168.10.0/24 dev br-lan scope link  src 192.168.10.1
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.1.0 dev br-wan table local scope link  src 192.168.1.2 
local 192.168.1.2 dev br-wan table local scope host  src 192.168.1.2 
broadcast 192.168.1.255 dev br-wan table local scope link  src 192.168.1.2 
broadcast 192.168.10.0 dev br-lan table local scope link  src 192.168.10.1 
local 192.168.10.1 dev br-lan table local scope host  src 192.168.10.1 
broadcast 192.168.10.255 dev br-lan table local scope link  src 192.168.10.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::****:****:****:****/64 scope link 
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd80:****:****::1/60 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::****:****:****:****/64 scope link 
       valid_lft forever preferred_lft forever
11: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::****:****:****:****/64 scope link 
       valid_lft forever preferred_lft forever
19: br-wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::****:****:****:****/64 scope link 
       valid_lft forever preferred_lft forever
fd80:****:****::/64 dev br-lan  metric 1024 
unreachable fd80:****:****::/48 dev lo  metric 2147483647  error -148
fe80::/64 dev eth0  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev wlan0  metric 256 
fe80::/64 dev br-wan  metric 256 
local ::1 dev lo table local  metric 0 
anycast fd80:cda0:****:: dev br-lan table local  metric 0 
local fd80:cda0:****::1 dev br-lan table local  metric 0 
anycast fe80:: dev br-lan table local  metric 0 
anycast fe80:: dev eth0 table local  metric 0 
anycast fe80:: dev wlan0 table local  metric 0 
anycast fe80:: dev br-wan table local  metric 0 
local fe80::****:****:****:52be dev br-lan table local  metric 0 
local fe80::****:****:****:52be dev eth0 table local  metric 0 
local fe80::****:****:****:52be dev wlan0 table local  metric 0 
local fe80::****:****:****:52bf dev br-wan table local  metric 0 
ff00::/8 dev br-lan table local  metric 256 
ff00::/8 dev eth0 table local  metric 256 
ff00::/8 dev wlan0 table local  metric 256 
ff00::/8 dev br-wan table local  metric 256 
0:	from all lookup local 
32766:	from all lookup main 
4200000001:	from all iif lo lookup unspec 12
4200000005:	from all iif br-lan lookup unspec 12
4200000019:	from all iif br-wan lookup unspec 12
lrwxrwxrwx    1 root     root            16 Jan 29 16:05 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 May 15 17:55 /tmp/resolv.conf
-rw-r--r--    1 root     root            92 Jun  3 10:37 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 1.1.1.1
nameserver 1.0.0.1
nameserver 8.8.8.8
nameserver 8.8.4.4

I hope I haven't redacted too much or too little. Especially with the IPv6 addresses, I'm not 100% sure which ones are local and safe to share and which are not.

The fe80 addresses are link-local. The fd80 address is a ULA, which is private like 192.168. So neither needed to be redacted, but it doesn't matter much.

Apart from the bridge type on the wan and wan6 interfaces and the fact that the ULA address is not present, I don't see anything wrong in your configuration. Remove the bridge type and restart networking. Then post here the output of `ifstatus wan6`
and also of `ubus call system board`.


wan6 now has a connection, but devices connected via my router still only get a local IPv6 address.

ifstatus wan6:

{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 377,
	"l3_device": "eth0.2",
	"proto": "dhcpv6",
	"device": "eth0.2",
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		
	],
	"ipv6-address": [
		{
			"address": "2003:f6:1713:****:****:****:****:****",
			"mask": 64,
			"preferred": 1065,
			"valid": 13665
		}
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "2003:f6:1713:****::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"valid": 13665,
			"source": "::/0"
		},
		{
			"target": "2003:f6:1713:****::",
			"mask": 56,
			"nexthop": "fe80::1",
			"metric": 384,
			"valid": 14145,
			"source": "2003:f6:1713:****:****:****:****:****/64"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::1",
			"metric": 512,
			"valid": 1545,
			"source": "2003:f6:1713:****:****:****:****:****/64"
		}
	],
	"dns-server": [
		"2606:4700:4700::1111",
		"2606:4700:4700::1001",
		"2001:4860:4860::8888",
		"2001:4860:4860::8844"
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			"fe80::1"
		],
		"dns-search": [
			"localdomain"
		],
		"neighbors": [
			
		]
	},
	"data": {
		"passthru": "00170010fe80000000000000000000000000000***********************************"
	}
}

ubus call system board:

{
	"kernel": "4.14.167",
	"hostname": "LEDE",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "TP-Link TL-WR1043ND v4",
	"board_name": "tplink,tl-wr1043nd-v4",
	"release": {
		"distribution": "OpenWrt",
		"version": "19.07.1",
		"revision": "r10911-c155900f66",
		"target": "ath79/generic",
		"description": "OpenWrt 19.07.1 r10911-c155900f66"
	}
}

Looks better now, but it seems that the upstream router is not delegating any prefix (the "ipv6-prefix" list in the ifstatus output is empty). So you'll need to make the following adjustments in the dhcp config (/etc/config/dhcp):

config dhcp wan
...
    option dhcpv6 relay
    option ra relay
    option ndp relay
    option master 1

config dhcp lan
...
    option dhcpv6 relay
    option ra relay
    option ndp relay

This didn't seem to do the trick...
/etc/config/dhcp is now:

	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'relay'
	option ra 'relay'
	option ra_management '1'
	option ndp 'relay'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option dhcpv6 'relay'
	option ra 'relay'
	option ndp 'relay'
	option master '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'

config host
	option dns '1'
	option name '**My Desktop**'
	option ip '192.168.10.***'
	option mac '**:**:**:**:**:**'
	option duid '000*********************************'

I did reboot my router and check afterwards.
Before applying these changes, I had three different but local IPv6 addresses; now I only get one local IPv6 address.
If I'm not mistaken, every device should get three IPv6 addresses: one local and two public, of which one is static (e.g. derived from the MAC address) and one random (after the given prefix, of course)?

Edit: Moved master option to wan

The master is in wan, not lan.

One link-local, one or more ULA, and you should get one or more GUA. Only the GUA is globally routable; the ULA, like 192.168.x.x, is not reachable from outside, and whether the GUAs can be reached from the Internet is still governed by the wan zone's forward policy in your firewall config.

My bad. Thank you very much! And thank you for the small lesson on IPv6 :smile:

Edit: It works now :wink:


I'm glad you got it right!
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

Done! Thank you very much for your help!
