[SOLVED] IPv6 RA on WAN interface

OK, your WAN is statically addressed:

  • Place the IPv6 address on WAN
  • Remove eth1 from wan6
  • Did you follow the instructions at the Tunnelbroker site?

The way I see it, it doesn't make too much sense to split your network.
My suggestion is to remove the WAN interface all together with the WAN firewall zone.
Then bridge interfaces eth0 and eth1 along with wifi and assign to interface LAN the settings you have in WAN (IP x.x.x.19/24, GW x.x.x.254).
This way you extend your network from the ISP router to all of the devices, you don't need to worry about the firewall rules blocking anything towards the ISP router (since LAN zone permits all traffic) and the prefix you have from HE.net is delegated to all the devices.
Also fix what @lleachii mentioned.

Doesn't this expose the WR841ND's LAN to connection requests coming through the tunnel via IPv6?

1 Like

Correct, leave the WAN firewall zone with only wan6 as member.

1 Like

@trendy
I agree it doesn't make too much sense to split the networks, but in my case I have to. The address space of the main network is exhausted, and it doesn't have DHCPv4, which means I would have to manually configure every device. I have really wrapped my head around it and it can only work the way I described :slight_smile:

@mpa
Well, machines will respond to requests on IPv6, yes.

Why not use openwrt as DHCP server then? And you can always grow the network from /24 to /23 for example.

Because there is no DHCPv4 supposed to be on that segment and all the machines are configured manually. Also, the main router doesn't do NAT. I can't simply extend the network to /23.

As I understand it, the router is going to serve two purposes:

  • IPv4 NAT gateway
  • IPv6 tunnel endpoint

The interface connecting it to the main network is in a WAN role for IPv4, but in a LAN role for IPv6. Maybe it helps to consider the protocol families in isolation, and create firewall zones limited to either IPv4 or IPv6.
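Added example, not part of the thread: one way the per-family split suggested above could be written in /etc/config/firewall, with the tunnel kept alone in the `wan` zone as advised earlier. The zone names `uplink4` and `main6` are made up for illustration, and the stock `lan` zone is assumed unchanged.

```uci
# /etc/config/firewall (added sketch; zone names 'uplink4' and 'main6' are made up)
# The stock 'lan' zone is assumed to stay as shipped.

# IPv6 tunnel: the only member of the stock 'wan' zone, so unsolicited
# connections arriving through the tunnel are rejected.
config zone
        option name 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'

# eth1 as seen by IPv4: untrusted uplink, NAT for the 192.168.1.0/24 LAN.
config zone
        option name 'uplink4'
        option family 'ipv4'
        list network 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'

# eth1 as seen by IPv6: an inside segment that receives RAs from this router.
config zone
        option name 'main6'
        option family 'ipv6'
        list network 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# IPv4 from the LAN leaves through the NAT zone.
config forwarding
        option src 'lan'
        option dest 'uplink4'

# IPv6 from both inside segments leaves through the tunnel.
config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'main6'
        option dest 'wan'
```

Stock rules with `src 'wan'` (Allow-Ping, Allow-DHCP-Renew and so on) no longer apply to IPv4 on eth1 in this layout; copy the ones still needed to `uplink4`. No forwarding between `lan` and `main6` is defined, so the two inside segments do not reach each other over IPv6 unless one is added.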

Okay, after adjusting the firewall settings I now have RA on the WAN interface. The network config is the same as posted above.

However, RAs from odhcpd contain a DNS server via RDNSS. I only want to publish prefix and gateway, not DNS (the IPv4-DNS also resolves IPv6 addresses and should be the only DNS). Can I adjust that somehow?
EDIT: Seems like adding "::1" as alternate nameservers in the interface config on LuCI will lead to empty RDNSS. At least Windows doesn't assign itself "::1" as DNS.

The other problem I am facing now is that I can't access IPv6 services from behind the OpenWRT box on the LAN interface. I can ping up to the tunnel endpoint (2001:470:xx:e8e::1 <- yes, 1, the endpoint at HE's site). If I try to ping -6 www.google.com I simply get a destination unreachable. I guess there is some problem with the routing table. How do I adjust that in LuCI or LEDE in general? Basically I think I want to replicate this command:
ip route add ::/0 dev he-ipv6

@mpa
Yes. That seems about right. I know it is a very specialized setup, but we're here to solve also the difficult cases, right? :smiley:

https://openwrt.org/docs/guide-user/network/ipv6/ipv6_henet#default_route

Thanks. Should've looked into this. However, I can't get it to work. I can either get IPv6 running on WAN, or on LAN, if I want to use the /64 and the /48. Which one is working depends on the parameter I set as ip6prefix in "wan6" section, even though this option is actually considered optional in the documentation. I.e. if I set it to "2001:470:xy:e8e::/64" I get IPv6 working on WAN, if I set it to "2001:470:xxyy::/48" I get IPv6 working on LAN. Never both. This happens even if I set "sourcerouting" to "0". I suspect it is a bug (in kmod-sit?) and probably the same as mentioned here:

https://bugs.openwrt.org/index.php?do=details&task_id=2167

See my current network config:

#/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
        option ifname 'eth0'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6addr '2001:470:xxyy:1::1/64'
        option ip6prefix '2001:470:xxyy:1::/64'
        #option ip6assign '60'

config interface 'wan'
        option ifname 'eth1'
        option proto 'static'
        option ipaddr 'x.x.x.19'
        option netmask '255.255.255.0'
        option gateway 'x.x.x.254'
        option dns 'x.x.y.1 x.x.y.2'
        option ip6addr '2001:470:xxyy:2::1/64'
        option ip6prefix '2001:470:xxyy:2::/64'
        #option ip6assign '60'

config interface 'wan6'
        option proto '6in4'
        option ipaddr 'x.x.x.19'
        option peeraddr '216.66.86.114'
        option ip6addr '2001:470:xx:e8e::2/64'
        option sourcerouting '0'
        option ip6prefix '2001:470:xxyy::/48'
        #option ip6prefix '2001:470:xy:e8e::/64'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 4'

config route6
        option interface 'wan6'
        option source '::'
        option target '::/0'

What does work, however, is if I assign both WAN & LAN at least one /64 from the /48 I got assigned. I can either do it manually (ip6prefix 2001:470:xxyy:1::/64 and ip6prefix 2001:470:xxyy:2::/64) or by using the ip6assign option. Unfortunately, I'd rather have the "2001:470:xy:e8e::/64" on the WAN interface, as that would save me some configuration effort on some machines with static IPv6 addresses from this prefix. But as this seems broken, I assume there's no way around it (unless I wanna downgrade to pre-Barrier-Breaker I fear).

Any other thoughts on this?

First: I fixed it!

Apparently, it is possible to assign several prefixes by using a space-separated list. However, routes for the second prefix are not getting added automatically, and since sourcerouting-option also is broken, I had to add the route manually. So, my issues related to these two bugs:
https://bugs.openwrt.org/index.php?do=details&task_id=592
https://bugs.openwrt.org/index.php?do=details&task_id=2167

Fortunately, manual configuration is possible. My /etc/config/network looks as follows and everything works fine now:

#/etc/config/network

...

config interface 'lan'
        option ifname 'eth0'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6addr '2001:470:xxyy:1::1/64'
        option ip6prefix '2001:470:xxyy:1::/64'

config interface 'wan'
        option ifname 'eth1'
        option proto 'static'
        option ipaddr 'x.x.x.19'
        option netmask '255.255.255.0'
        option gateway 'x.x.x.254'
        option dns 'x.x.y.1 x.x.y.2'
        option ip6addr '2001:470:xy:e8e::1/64'
        option ip6prefix '2001:470:xy:e8e::/64'

config interface 'wan6'
        option proto '6in4'
        option ipaddr 'x.x.x.19'
        option peeraddr '216.66.86.114'
        option ip6addr '2001:470:xx:e8e::2/64'
        option sourcerouting '0'
        option ip6prefix '2001:470:xxyy::/48 2001:470:xy:e8e::/64'

...

config route6
        option interface 'wan6'
        option source '2001:470:xy:e8e::/64'
        option target '::/0'

Thanks everyone for pointing me here and there in the right direction!

1 Like