[Solved] How to configure IPv6 PPPoE connectivity?

Hi,

my ISP provides IPv4 and IPv6 via PPPoE. IPv4 works fine, but I cannot get IPv6 routing working. pppoe-wan receives a link-local address from my ISP. If I enable Use default gateway I get this error message:

root@OpenWrt:~# ping -6 heise.de
PING heise.de (2a02:2e0:3fe:1001:302::): 56 data bytes
ping: sendto: Permission denied

Setting a default route to the pppoe-wan device works:

root@OpenWrt:~# ip -6 route add default dev pppoe-wan
root@OpenWrt:~# ping -6 heise.de
PING heise.de (2a02:2e0:3fe:1001:302::): 56 data bytes
64 bytes from 2a02:2e0:3fe:1001:302::: seq=0 ttl=57 time=15.041 ms
64 bytes from 2a02:2e0:3fe:1001:302::: seq=1 ttl=57 time=14.852 ms
64 bytes from 2a02:2e0:3fe:1001:302::: seq=2 ttl=57 time=15.335 ms
64 bytes from 2a02:2e0:3fe:1001:302::: seq=3 ttl=57 time=15.040 ms
64 bytes from 2a02:2e0:3fe:1001:302::: seq=4 ttl=57 time=14.705 ms

How can I configure this in OpenWRT correctly?

Thanx for any hint

What is the output of the following (better before applying the static route) ?
uci show network; ip -6 addr; ip -6 ro; ip -6 ru; ifstatus wan;

root@OpenWrt:~# uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd75:98ad:a5e4::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ifname='eth0'
network.lan.ip6addr='2a01:170:1163::192:168:1:1/64'
network.wan=interface
network.wan.proto='pppoe'
network.wan.password='XXXX'
network.wan.username='YYYY#tal@bsa-vdsl'
network.wan.ifname='eth2'
network.wan.ipv6='1'
network.DMZ=interface
network.DMZ.proto='static'
network.DMZ.ifname='eth1'
network.DMZ.netmask='255.255.255.248'
network.DMZ.ipaddr='212.60.137.25'
network.DMZ.ip6addr='2a01:170:1163:1:212:60:137:25/64'
network.VigorNIC=interface
network.VigorNIC.proto='static'
network.VigorNIC.ifname='eth2'
network.VigorNIC.ipaddr='192.168.2.2'
network.VigorNIC.netmask='255.255.255.252'

root@OpenWrt:~# ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a01:170:1163:1:212:60:137:25/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe59:d7f/64 scope link 
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::21d:aaff:fe53:7f17/64 scope link 
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a01:170:1163::192:168:1:1/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fecb:9a02/64 scope link 
       valid_lft forever preferred_lft forever
8: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::6f0:21ff:fe46:3650/64 scope link 
       valid_lft forever preferred_lft forever
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::6f0:21ff:fe46:364f/64 scope link 
       valid_lft forever preferred_lft forever
10: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1456 state UNKNOWN qlen 3
    inet6 fe80::4932:6768:4168:2a13/10 scope link 
       valid_lft forever preferred_lft forever

root@OpenWrt:~# ip -6 ro
2a01:170:1163::/64 dev br-lan proto kernel metric 256 pref medium
2a01:170:1163:1::/64 dev eth1 proto kernel metric 256 pref medium
unreachable fd75:98ad:a5e4::/48 dev lo proto static metric 2147483647 error -113 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev eth2 proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/64 dev wlan1 proto kernel metric 256 pref medium
fe80::/10 dev pppoe-wan metric 1 pref medium
fe80::/10 dev pppoe-wan proto kernel metric 256 pref medium

root@OpenWrt:~# ip -6 ru
0:	from all lookup local 
32766:	from all lookup main 
4200000001:	from all iif lo failed_policy
4200000003:	from all iif eth1 failed_policy
4200000004:	from all iif eth2 failed_policy
4200000007:	from all iif br-lan failed_policy
4200000010:	from all iif pppoe-wan failed_policy

root@OpenWrt:~# ifstatus wan
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 3056,
	"l3_device": "pppoe-wan",
	"proto": "pppoe",
	"device": "eth2",
	"updated": [
		"addresses",
		"routes"
	],
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		{
			"address": "213.240.182.41",
			"mask": 32,
			"ptpaddress": "82.139.222.46"
		}
	],
	"ipv6-address": [
		{
			"address": "fe80::4932:6768:4168:2a13",
			"mask": 128
		}
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "0.0.0.0",
			"mask": 0,
			"nexthop": "82.139.222.46",
			"source": "0.0.0.0\/0"
		}
	],
	"dns-server": [
		"81.92.1.1",
		"81.92.1.2"
	],
	"dns-search": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		]
	},
	"data": {
		
	}
}

Try to switch
network.wan.ipv6='auto' instead of '1', to enable DHCPv6

I tried that and opened ports 546/547, but no success.

root@OpenWrt:~# uci show firewall
...
firewall.@rule[11]=rule
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].src='wan'
firewall.@rule[11].proto='udp'
firewall.@rule[11].dest_port='547'
firewall.@rule[11].name='Allow DHCPv6 (546-to-547)'
firewall.@rule[11].family='ipv6'
firewall.@rule[11].src_port='546'
firewall.@rule[12]=rule
firewall.@rule[12].target='ACCEPT'
firewall.@rule[12].src='wan'
firewall.@rule[12].proto='udp'
firewall.@rule[12].dest_port='546'
firewall.@rule[12].name='Allow DHCPv6 (547-to-546)'
firewall.@rule[12].family='ipv6'
firewall.@rule[12].src_port='547'
...

Better post the whole firewall config, maybe we missed something.

root@OpenWrt:~# uci show firewall
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].src='*'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].proto='udp'
firewall.@rule[9].dest_port='51820'
firewall.@rule[9].name='Allow-Wireguard-Inbound'
firewall.@rule[10]=rule
firewall.@rule[10].src='lan'
firewall.@rule[10].name='FireTV'
firewall.@rule[10].proto='all'
firewall.@rule[10].target='REJECT'
firewall.@rule[10].src_mac='F0:27:2D:29:9E:70 84:D6:D0:46:0A:20'
firewall.@rule[10].dest='wan'
firewall.@rule[10].enabled='0'
firewall.@rule[11]=rule
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].src='wan'
firewall.@rule[11].proto='udp'
firewall.@rule[11].dest_port='547'
firewall.@rule[11].name='Allow DHCPv6 (546-to-547)'
firewall.@rule[11].family='ipv6'
firewall.@rule[11].src_port='546'
firewall.@rule[12]=rule
firewall.@rule[12].target='ACCEPT'
firewall.@rule[12].src='wan'
firewall.@rule[12].proto='udp'
firewall.@rule[12].dest_port='546'
firewall.@rule[12].name='Allow DHCPv6 (547-to-546)'
firewall.@rule[12].family='ipv6'
firewall.@rule[12].src_port='547'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan vpn_bartsch'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6 VigorNIC DMZ wan_6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'

/etc/firewall.user is empty

Do you have a wan_6 interface automatically created?
What is the output of ifstatus wan_6 ?

If network.wan.ipv6='auto' I get a wan_6 device.

root@OpenWrt:~# ifstatus wan_6
{
	"up": false,
	"pending": true,
	"available": true,
	"autostart": true,
	"dynamic": true,
	"proto": "dhcpv6",
	"device": "pppoe-wan",
	"data": {
		
	}
}

Seems to be down. ifup wan_6 && ifstatus wan_6

root@OpenWrt:~# ifup wan_6 && ifstatus wan_6
{
	"up": false,
	"pending": true,
	"available": true,
	"autostart": true,
	"dynamic": true,
	"proto": "dhcpv6",
	"device": "pppoe-wan",
	"data": {
		
	}
}

I just talked with the support of my ISP. They do not do DHCPv6. A link-local gateway address is assigned via PPPoE and the default route has to be set to pppoe-wan.

So you have to do everything manually? Not so user friendly approach.
If so, create an IPv6 static route for the internet.
https://openwrt.org/docs/guide-user/network/routes_configuration#ipv6_routes

The link-local address changes with every new PPPoE connection. So the route has to be set to the pppoe-wan device instead of the link-local IPv6 address.
ip -6 route add default dev pppoe-wan works. How can I make this permanent?

You can create a static route as described in the wiki that I pasted above.
The gateway is not a mandatory field, as you can see in the table of options, so you can omit that.

Great!
It even works via Luci.
You made my day.

Thanx a lot!

If your problem is solved, feel free to mark the relevant post as the solution; and edit the title to add "[SOLVED]" to the beginning (click the pencil behind the topic).

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.