[Solved] IPv6 behind ISP Router

Hello,

my ISP forced me to IPv6 recently (DS-Lite, so for the moment no real IPv4).

Now I'm fighting with IPv6 to drop IPv4 on my infrastructure.

My ISP gave me exactly 1 address. I have "hacked" the FritzBox 6591 to give me a /56. The FritzBox is now getting a /56.

Behind this box I have 3 OpenWrt routers, with several clients.

On IPv4 they all have their own Subnet (like .1.0, .2.0, .3.0). The Networks were connected with proper routes. 2.0 and 3.0 have no Internet access (just no gateway).

I want to keep my own resolver/adblocker (unbound/stubby/dnsmasq setup) and kind of a stable random IP for the servers. I'm using DHCP with static leases for several clients/servers. The OpenWrt boxes are getting no EUI-64 address from the FB, just the full MAC after the prefix. :confused:

1st problem: I have issues getting a proper IP for the clients in my network.

So I want to understand and solve the IP problem. Therefore I want to configure my "gateway" aka ISP modem properly. I need some advice.

Fritzbox: Pictures 1 and 2 show the config as it is. The 3rd picture shows possible other options.

OpenWrt: Picture 4 is what I get on OpenWrt.

I will post configs if the Fritzbox settings look O.K. to you guys.

Thanks in advance for help. :slight_smile:

Settings look fine. You could select to always advertise the ULA.
The OpenWrt has been delegated a /57 and now you can connect the rest and delegate to them a chunk of it.

O. K. Thank you trendy.

Next step OpenWrt config (relevant sections):

dhcp:

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option port '53535'
        option noresolv '1'
        option dhcpleasemax '100'
        list server '0::1'
        list server '127.0.0.1#53'
        option cachesize '1000'
        option logqueries '1'

config dhcp 'lan'
        option interface 'lan'
        option start '10'
        option limit '150'
        option leasetime '24h'
        list dhcp_option 'option:dns-server,192.168.1.1'
        list dns '[fdxx:xxxx]'
        list dns '[fe80:xxxx]'
        list dns '[2xxx:xxxx]'
        option ra 'server'
        option ra_default '1'
        option dhcpv6 'server'
        option ra_management '1'
        option force '1'

network:

config globals 'globals'
        option ula_prefix 'xxxx:xxxx:xxxx::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option metric '0'
        option force_link '0'
        option ip6assign '64'

config device 'lan_eth1_1_dev'
        option name 'eth1.1'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        option peerdns '0'
        option dns '127.0.0.1'
        option dns_search 'lan'
        option mtu '1500'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'
        option peerdns '0'
        option dns_search 'lan'
        option mtu '1500'
        option reqprefix 'auto'
        list dns '0::1'
        option reqaddress 'force'

My guess is that I've messed up sth. in the LAN section. As you mentioned I have to delegate sth. for DHCP. I don't know what. :smiley:

If the other 2 routers are cascaded under the OpenWrt router, then delegation will not work, because you have ip6assign 64 in the lan interface. If you want to delegate you need to change that into /60 or something like that.
If the other 2 routers are connected to the FritzBox as well, then you need to instruct the first OpenWrt to request a smaller prefix; in wan6 change

option reqprefix 'auto'

into /60.

Some other remarks:

  • metric 0 is not needed in lan.
  • dns 127.0.0.1 is not needed in wan.
  • dns ::1 in wan6 also not needed.
  • in dhcp/lan the dhcp option for dns is not needed, dhcp server by default advertises itself as gateway and dns.
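The prefix arithmetic behind the ip6assign remark above, as an added example that is not from the thread or from OpenWrt's own code. It uses a deliberately simplified model of odhcpd (an interface assigned a /N keeps the first /64 for on-link use and can delegate the remaining /64s) and a constructed documentation prefix standing in for the /57 the FritzBox handed out:

```python
from ipaddress import IPv6Network

# Simplified model of OpenWrt's prefix handling (added example, not OpenWrt
# or odhcpd code): the interface that receives an assigned /N keeps the first
# /64 of it for its own on-link addressing and can delegate the remaining /64s
# to routers cascaded behind it. A /64 therefore leaves nothing to delegate.


def plan(delegated, reqprefix, ip6assign, downstream):
    """Model wan6 'reqprefix' and lan 'ip6assign' against one upstream delegation.

    delegated  - prefix the upstream (FritzBox) hands to the OpenWrt router
    reqprefix  - prefix length requested on wan6 (must fit inside 'delegated')
    ip6assign  - prefix length assigned to the lan interface
    downstream - number of cascaded routers that each need a /64
    Returns the resulting networks and how many cascaded routers go without.
    """
    upstream = IPv6Network(delegated)
    if not (upstream.prefixlen <= reqprefix <= ip6assign <= 64):
        raise ValueError("need delegated <= reqprefix <= ip6assign <= 64")
    wan6 = next(upstream.subnets(new_prefix=reqprefix))  # first chunk of the pool
    lan = next(wan6.subnets(new_prefix=ip6assign))       # first chunk goes to lan
    lan_64s = list(lan.subnets(new_prefix=64))
    onlink, spare = lan_64s[0], lan_64s[1:]
    return {
        "wan6": wan6,
        "lan": lan,
        "onlink": onlink,
        "delegations": spare[:downstream],
        "shortfall": max(0, downstream - len(spare)),
    }


if __name__ == "__main__":
    # Constructed sample: documentation prefix standing in for the /57 the
    # FritzBox delegated to the OpenWrt router in this thread.
    pool = "2001:db8:0:100::/57"
    # 'reqprefix auto' took the whole /57; ip6assign 64 uses it all for lan.
    before = plan(pool, reqprefix=57, ip6assign=64, downstream=2)
    # The split that worked further down the thread: /60 on wan6, /62 on lan.
    after = plan(pool, reqprefix=60, ip6assign=62, downstream=2)
    for label, p in (("before", before), ("after", after)):
        print(f"{label}: lan={p['lan']} on-link={p['onlink']} "
              f"delegations={[str(n) for n in p['delegations']]} "
              f"routers without a prefix={p['shortfall']}")
```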

I do have a similar setup and IPv6 works with prefix delegation (PD) so that I can run IPv6 web servers just fine (firewall config must be done additionally if required on the Fritz!Box and OpenWrt).

I followed this guide here (in German): https://avm.de/service/fritzbox/fritzbox-6591-cable/wissensdatenbank/publication/show/1239_IPv6-Subnetz-in-FRITZ-Box-einrichten/

Basically I got a /56 prefix on the Fritz!Box Cable as well, which I then had to forward to my other router with the guide above.

My OpenWrt router is configured with "Request IPv6-prefix of length" set to "Automatic" on the WAN6 interface; with this it gets a /62 prefix assigned. My LAN and WIFI interfaces then request a /63 assignment and they get a local IPv6 address plus an IPv6 PD one (the second one is the important one!).


@rainer:

THX for input. I know this site already. :slight_smile:

After trial and error I have found a working configuration. I've split it manually now (no auto anymore): /60 (wan) and /62 (lan). I've deleted metric also. I don't know why this was set. I cannot remember that I did it. I think in the end this was the point?

I'm getting IPs for every client now. Also public IPs.
I can ping the clients with their IPs.
I can do name resolution from clients with dig.

But I cannot open any page in my Browser. Local access like LuCI is possible. Even access to Fritzbox.
I have disabled client firewall. No change. What I can see on client side is sth. like:

tcp6 0 1 2xxx:8xxx:1xxx:52:42332 2620:0:862:ed1a::1:443 SYN_SENT 1005 89487 5969/firefox

So name resolution is working for Firefox as well. Next I will try to disable the OWT firewall (but there is nothing special besides routing/blocking DNS and WireGuard traffic) and I will have a look into tcpdump for eth0.2. But not today anymore.

Thx for help so far.

What about traceroute to some internet name and address? Where does it stop?


After digging around I found the solution. I had defined an IPv4 AND an IPv6 DNS address in stubby (which is wrong). Another point was that I had to force unbound to "prefer" IPv6 over IPv4. Devices not capable of doing IPv6 get no name resolution. I think I don't have any of those anymore.

But I have to say that there are still a lot of sites around which are not reachable over IPv6. Overall I'm not convinced about this mixed state. Especially here in Germany: I cannot reach my LAN over VPN due to DS-Lite and the fact that mobile ISPs route their traffic over IPv4 only. I've tried the big three here in Germany.

In fact I have forced my ISP to give me back IPv4. I got it back after a lot of calls.

Thx @ trendy & rainer for your time in reading and helping. :slight_smile:

P.S. Does anyone (who is reading this) know a more recent solution for DNS encryption and caching on OpenWrt? I have the feeling that my dnsmasq, Unbound & Stubby solution is a bit outdated (using it for ~2 years now and didn't change much). odhcpd only was not really usable on OpenWrt in the past.


At least the T-Mobile network supports IPv6 just fine, while it's not the default, you can enable it in the APN settings (IPv4 & IPv6 instead of just IPv4). I tested that for my VPN needs, before reluctantly subscribing to a DS-Lite using ISP.

Thank you for your reply slh. I've tried the cheap brand "congstar" from T-Mobile. If I choose IPv6 only I'm not getting any IP. If I change to IPv4/IPv6 I'm getting an IPv6 address but the connection is downgraded to EDGE (for whatever reason) instead of LTE. I didn't test further whether I would be able to connect because this is not an option. Telefonica/o2 is IPv4, Vodafone also. But I'm not living in a big city. So I think it's infrastructure related even for T-Mobile. Maybe I'll test it with pure T-Mobile later.
