[Solved] Guest Wifi with IPv6

Hi,

I've been fighting with IPv6 for a while now and have learned a lot already.

I'm running a guest wifi on one of my OpenWrt boxes. I've tried to simply "convert" this setup to IPv6. Please no discussion about the necessity or meaning of doing that. I just want to learn a bit.

network:
config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'
        option ifname 'wlan1-1'

dhcp:
config dhcp 'guest'
        option interface 'guest'
        option start '10'
        option limit '10'
        option leasetime '4h'
        option force '1'
        list dhcp_option 'option:dns-server,192.168.1.1'

wifi-iface:
config wifi-iface 'guest'
        option device 'radio1'
        option mode 'ap'
        option ssid 'GUESTWIFI'
        option network 'guest'
        option encryption 'psk2+ccmp'
        option key 'PASSWORD'
        option wpa_disable_eapol_key_retries '1'
        option ieee80211w '1'

For DNS I'm running unbound (public resolver) and dnsmasq (local resolver) on localhost. To achieve/force that I have set up appropriate firewall rules.


network:
config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'
        option ifname 'wlan1-1'
        option ip6assign '62'

config dhcp 'guest'
        option interface 'guest'
        option start '10'
        option limit '10'
        option leasetime '1h'
        option force '1'
        option dhcpv6 'server'
        option ra_management '1'
        list dhcp_option 'option:dns-server,192.168.1.1'
        option ra 'server'
        option ra_default '1'
        option ndp 'hybrid'
        option ra_slaac '1'
        list dns 'fdxx:xxxx:xxxx::1' #ula from openwrt, no clue if this is correct; like 192.168.1.1

no changes on wifi iface.

As there is still no button for guest wifi in OpenWrt like in every other router nowadays, I had to track down firewall rules (I had no clue about the ICMP shit) and have the following for now:

config rule
        option target 'ACCEPT'
        option family 'ipv6'
        option proto 'icmp'
        option src 'guest'
        option name 'Allow-GUESTWIFI-PINGv6'
        list icmp_type 'echo-request'

config rule
        option target 'ACCEPT'
        option family 'ipv6'
        option src 'guest'
        option proto 'icmp'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        option name 'Allow-GUESTWIFI-SLAACv6'

config rule
        option src 'guest'
        option proto 'icmp'
        option family 'ipv6'
        option target 'ACCEPT'
        option name 'Allow-GUESTWIFI-MLDv6'
        list src_ip 'fe80::/10'

config rule
        option name 'Allow-GUESTWIFI-DHCPv6'
        option family 'ipv6'
        list proto 'udp'
        option src 'guest'
        option src_port '546'
        option dest_port '547'
        option target 'ACCEPT'

config rule
        option name 'Allow-GUESTWIFI-DNS'
        option src 'guest'
        option src_port '53'
        option dest_port '53'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'

config rule
        option name 'Block-GUESTWIFI-WAN-DNS-v4'
        option src 'guest'
        option proto 'tcp udp'
        option dest_port '53'
        option family 'ipv4'
        option dest 'wan'
        option target 'REJECT'

config rule
        option name 'Block-GUESTWIFI-WAN-DNS-v6'
        option src 'guest'
        option proto 'tcp udp'
        option dest_port '53'
        option family 'ipv6'
        option dest 'wan'
        option target 'REJECT'

As I cannot setup IPv6 redirects/dnat over luci interface I have added:

ip6tables -t nat -A PREROUTING -i wlan1-1 -p udp --dport 53 -j DNAT --to-destination [fdxx:xxxx:xxxx::1]:53

For now I'm getting an IPv6 address on my clients and I'm able to ping fdxx:xxxx:xxxx::1 from guest. But name resolution is not working. I can surf with the browser if I enter the IPs directly. So no general connection error.

Guest wifi is getting fdxx:xxxx:xxxx:10::1/62 and of course a public /62.
Clients also have a local and a public address.

If I look into tcpdump I can see a lot of ff02/icmp6 traffic. As far as I have read this is for SLAAC.

Another line that I have spotted is fdxx:xxxx:xxxx::1 > guest-client ICMP6, destination unreachable, unreachable port, udp prot domain ... But the firewall on the client is off. So I have overlooked something in the firewall, I guess. Maybe one of you guys has a hint for me about what I have overlooked. :slight_smile:

Remove

option src_port '53'

from the DNS rule.

Is that for hijacking DNS queries in IPv6? You'll also need to masquerade, otherwise the hosts might disregard the answer coming from a different source.

Here are my firewall rules for IPv6 on guest:

config rule <- you have this one already.
        option target 'ACCEPT'
        option proto 'udp'
        option family 'ipv6'
        option src 'guest'
        option src_port '546'
        option dest_port '547'
        option name 'Allow-guest-DHCP-IPv6'

config rule <- you can omit this since you already have a rule to allow DNS to the router.
        option target 'ACCEPT'
        option src 'guest'
        option family 'ipv6'
        option dest_port '53'
        option proto 'udp'
        option dest 'lan'
        option name 'Allow-guest-NS-IPv6'
        list dest_ip 'fd00:bbbb::c78'

config rule
        option src 'guest'
        option name 'Allow-guest-ICMP6'
        option family 'ipv6'
        option limit '1000/sec'
        option target 'ACCEPT'
        list proto 'icmp'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'port-unreachable'
        list icmp_type 'protocol-unreachable'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'
        option limit_burst '100'
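The two mistakes the reply above points at (a DNS ACCEPT rule with a fixed `src_port`, which never matches because clients send queries from ephemeral ports, and a DNAT with no POSTROUTING MASQUERADE for its target) are easy to check mechanically. The script below is an added example, not code from this thread or from OpenWrt: it parses UCI `firewall` rule sections and raw `ip6tables` NAT commands and reports both problems, plus a DNS DNAT that only rewrites UDP and so leaves TCP queries unredirected. The sample config is reconstructed from the posts above, `fd00:db8::1` is a placeholder for the router's ULA, and the `FIXED_SRC_PORTS` set (DHCPv4/DHCPv6, where the client port really is fixed) is an assumption of this lint, not an fw3 rule.

```python
import shlex

# Constructed sample: the DNS rule as first posted (src_port still set) and the
# DHCPv6 rule, whose fixed client port 546 is legitimate.
SAMPLE_UCI = """
config rule
        option name 'Allow-GUESTWIFI-DNS'
        option src_port '53'
        option dest_port '53'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'

config rule
        option name 'Allow-GUESTWIFI-DHCPv6'
        option src_port '546'
        option dest_port '547'
        option target 'ACCEPT'
"""

# Constructed samples: first attempt (UDP-only DNAT, no MASQUERADE) and the
# finished set. fd00:db8::1 is a placeholder for the router's ULA address.
SAMPLE_NAT_BEFORE = [
    "ip6tables -t nat -A PREROUTING -i wlan1-1 -p udp --dport 53 -j DNAT --to-destination [fd00:db8::1]:53",
]
SAMPLE_NAT_AFTER = SAMPLE_NAT_BEFORE + [
    "ip6tables -t nat -A PREROUTING -i wlan1-1 -p tcp --dport 53 -j DNAT --to-destination [fd00:db8::1]:53",
    "ip6tables -t nat -A POSTROUTING -d fd00:db8::1 -p udp -m udp --dport 53 -j MASQUERADE",
    "ip6tables -t nat -A POSTROUTING -d fd00:db8::1 -p tcp -m tcp --dport 53 -j MASQUERADE",
]

FIXED_SRC_PORTS = {"67", "68", "546", "547"}   # assumption: DHCPv4/v6 client ports really are fixed
FLAG = {"-t": "table", "-A": "chain", "-I": "chain", "-p": "proto", "--dport": "dport",
        "-j": "target", "-d": "dst", "--to-destination": "to"}


def parse_uci(text):
    """Minimal UCI parser: 'config <type> [name]', 'option k v', 'list k v'; shlex does the quoting."""
    sections, cur = [], None
    for raw in text.splitlines():
        toks = shlex.split(raw, comments=True)      # unquoted '#' starts a comment, as in UCI
        if not toks:
            continue
        if toks[0] == "config" and len(toks) >= 2:
            cur = {".type": toks[1], ".name": toks[2] if len(toks) > 2 else None,
                   "options": {}, "lists": {}}
            sections.append(cur)
        elif toks[0] == "option" and cur is not None and len(toks) >= 3:
            cur["options"][toks[1]] = toks[2]
        elif toks[0] == "list" and cur is not None and len(toks) >= 3:
            cur["lists"].setdefault(toks[1], []).append(toks[2])
    return sections


def lint_rules(sections):
    """Flag 'rule' sections that pin a client source port clients never actually use."""
    findings = []
    for s in sections:
        sp = s["options"].get("src_port")
        if s[".type"] == "rule" and sp and sp not in FIXED_SRC_PORTS:
            name = s["options"].get("name") or s[".name"] or "?"
            findings.append(f"{name}: src_port {sp} never matches client traffic "
                            f"(source ports are ephemeral); remove it")
    return findings


def _addr(to):
    """Strip the port from --to-destination: '[v6]:53', 'v4:53' or a bare address."""
    if to.startswith("["):
        return to[1:].split("]", 1)[0]
    return to.split(":", 1)[0] if to.count(":") == 1 else to


def parse_nat(cmd):
    """Pull the flags the checks need out of one ip(6)tables command line."""
    toks = shlex.split(cmd)
    r = {"table": "filter"}
    for tok, nxt in zip(toks, toks[1:]):
        if tok in FLAG:
            r[FLAG[tok]] = _addr(nxt) if tok == "--to-destination" else nxt
    return r


def lint_nat(cmds):
    """Each DNAT needs a POSTROUTING MASQUERADE/SNAT for its target (the fix the thread
    arrived at), and a DNS redirect that only rewrites UDP leaves TCP queries untouched."""
    nat = [r for r in map(parse_nat, cmds) if r["table"] == "nat"]
    dnats = [r for r in nat if r.get("target") == "DNAT"]
    masq = [r for r in nat if r.get("chain") == "POSTROUTING" and r.get("target") in ("MASQUERADE", "SNAT")]
    findings, by_port = [], {}
    for d in dnats:
        if not any(m.get("dst") in (None, d.get("to")) and m.get("proto") in (None, d.get("proto")) for m in masq):
            findings.append(f"DNAT {d.get('proto')}/{d.get('dport')} -> {d.get('to')}: "
                            f"no POSTROUTING MASQUERADE for that target")
        by_port.setdefault(d.get("dport"), set()).add(d.get("proto"))
    for port, protos in by_port.items():
        missing = {"tcp", "udp"} - protos
        if missing:
            findings.append(f"DNAT port {port} rewrites {sorted(protos)} only; "
                            f"{sorted(missing)} queries bypass the redirect")
    return findings


if __name__ == "__main__":
    for f in lint_rules(parse_uci(SAMPLE_UCI)) + lint_nat(SAMPLE_NAT_BEFORE):
        print("before:", f)
    print("after:", lint_nat(SAMPLE_NAT_AFTER) or "clean")
```

Run it as is to see the three findings for the first attempt and a clean result for the finished rule set; on a router, feed it `cat /etc/config/firewall` and the output of `ip6tables-save -t nat` (one `ip6tables -t nat` prefix per line) instead of the constructed samples.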

Hi trendy,

Thanks for coming around. :slight_smile:

  1. 53: OK, I will change that.

  2. Yes, I want to catch any DNS traffic on this router and redirect it to the local resolver (192.168.1.1, fdxx::1 / 127.0.0.1, ::1). I forgot about masquerade. I will try to fix that.

  3. I will go through your settings. Thanks for this input. Very valuable for me to have a comparison.

You can add a condition if the destination is not OpenWrt.


In general I'm trying to avoid adding stuff to the OpenWrt firewall. Simply because I don't know much about the implementation (esp. zones, etc.). I don't want to mess things up. That's why I'm using LuCI (instead of iptables directly) to do some easy rules (e.g. blocking some clients from the Internet and redirecting DNS traffic).

I was surprised that fw3 isn't fully supporting IPv6 yet*. But as I mentioned above already: a basic button for a guest wifi (on/off) should (imo) exist in OpenWrt. Every cheap router has such an option nowadays.

Thank you for helping solve my issue. :slight_smile: It was just the masquerade I had overlooked.
For reference if others facing the same problem:

ip6tables -t nat -A POSTROUTING -d fxxx:xxxx:xxxx::1 -p udp -m udp --dport 53 -m comment --comment "MASQUERADE GUESTWIFI" -j MASQUERADE
ip6tables -t nat -A POSTROUTING -d fxxx:xxxx:xxxx::1 -p tcp -m tcp --dport 53 -m comment --comment "MASQUERADE GUESTWIFI" -j MASQUERADE

fxxx:xxxx:xxxx::1 equivalent of 192.168.1.1

EDIT: * just in case: If you don't want to have NAT then you can say it is fully supported. :smiley:

