[Solved] IPv6 : Unable to propagate the delegated prefix

Hello Experts !

I am learning ipv6. My ISP is Sky-UK who delegates a /56 prefix to the DSL-ONT. The sky router sr203 can't be used as a modem. A Double Natted DMZ config is needed. Unfortunately that kills the prefix delegation (don't know why).

So I use my spare BTHH5A as a DMZ provider, since it has a DSL modem inbuilt. My main OW router is LinkSys EA8300.

The schematic is :

Wifi Clients --> LS lan --> LS wan --> BT dmzlan --> BT dmzwan (dsl) --> internet

I suppose the ipv6 prefix delegation is exact reverse of the above sequence.

I see the isp assigned DP /56 listed under dmwan6 and dmwan. But this DP is not seen under dmlan interface.

Here are my network details

root@iStationBT:~# cat /etc/config/network

config globals 'globals'
        option ula_prefix 'fdbb:473b:26a6::/48'

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config interface 'dmlan'
        option proto 'static'
        option device 'dm-lan-device'
        list ipaddr '10.0.0.1/24'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        list dns '10.0.0.1'
        option ip6assign '58'
        list ip6class 'dmwan6'
        list ip6class 'local'

config device
        option type 'bridge'
        option name 'dm-lan-device'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option bridge_empty '1'
        option ip6segmentrouting '1'

config dsl 'dsl'
        option annex 'b'
        option xfer_mode 'ptm'
        option ds_snr_offset '-30'
        option line_mode 'vdsl'
        option tone 'a'

config device 'wan_dsl0_dev'
        option name 'dsl0'
        option macaddr '12:34:56:78:90:ab'
        option ip6segmentrouting '1'

config interface 'dmwan'
        option device 'dsl0.101'
        option proto 'dhcp'
        option norelease '1'
        option clientid '736f6d657468696e6740736b7964736c7c616e797468696e67'
        option reqopts '43'
        option hostname '*'
        option delegate '0'
        option ip6assign '56'
        list ip6class 'dmwan6'
        list ip6class 'local'

config interface 'dmwan6'
        option proto 'dhcpv6'
        option reqprefix 'auto'
        option peerdns '0'
        option reqaddress 'try'
        option device '@dmwan'
        option sourcefilter '0'
        option ip6assign '56'
        list ip6class 'dmwan6'
        list ip6class 'local'

config device
        option name 'dm-wan-device'
        option macaddr 'de:40:42:19:2f:81'

The firewall details :

root@iStationBT:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '1'
        option flow_offloading_hw '1'
        option synflood_protect '1'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'dmlanfwz'
        list network 'dmlan'

config zone
        option output 'ACCEPT'
        option mtu_fix '1'
        option name 'dmwanfwz'
        option masq '1'
        option input 'REJECT'
        option forward 'REJECT'
        list network 'wan'
        list network 'wan6'
        list network 'dmwan6'
        list network 'dmwan'

config forwarding
        option src 'dmlanfwz'
        option dest 'dmwanfwz'

config rule
        option name 'Allow-DHCP-Renew'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
        option src 'dmwanfwz'

config rule
        option name 'Allow-Ping'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'
        option src 'dmwanfwz'

config rule
        option name 'Allow-IGMP'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option src 'dmwanfwz'

config rule
        option name 'Allow-DHCPv6'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'dmwanfwz'

config rule
        option name 'Allow-MLD'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'dmwanfwz'

config rule
        option name 'Allow-ICMPv6-Input'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'dmwanfwz'

config rule
        option name 'Allow-ICMPv6-Forward'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'dmwanfwz'

config rule
        option name 'Allow-IPSec-ESP'
        option proto 'esp'
        option target 'ACCEPT'
        option dest 'dmlanfwz'
        option src 'dmwanfwz'

config rule
        option name 'Allow-ISAKMP'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option dest 'dmlanfwz'
        option src 'dmwanfwz'

config include
        option path '/etc/firewall.user'

config redirect
        option dest 'dmlanfwz'
        option target 'DNAT'
        option name 'temp-desktop'
        option src 'dmwanfwz'
        option src_dport 'redacted'
        option dest_ip '10.0.0.3'

config redirect
        option target 'DNAT'
        option dest_ip '10.0.0.3'
        option src_dport 'redacted'
        option dest 'dmlanfwz'
        option src 'dmwanfwz'
        option name 'ssh-on-wan'

config forwarding
        option src 'dmwanfwz'
        option dest 'dmlanfwz'

And finally the dhcp details :

root@iStationBT:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option sequential_ip '1'
        option localuse '1'
        option logqueries '1'
        list server '208.67.222.222'
        list server '208.67.220.220'
        list server '1.1.1.1'
        list server '1.0.0.1'
        option confdir '/tmp/dnsmasq.d'
        option resolvfile '/tmp/resolv.conf.vpn'

config dhcp 'lan'
        option interface 'lan'
        option start '2'
        option limit '253'
        option leasetime '12h'
        option dhcpv6 'hybrid'
        option ra 'hybrid'
        option ra_management '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option mac '30:23:03:6A:6C:04'
        option ip '10.0.0.3'
        option dns '1'
        option leasetime 'infinite'
        option name 'LinkSys'

config dhcp 'dmlan'
        option interface 'dmlan'
        option start '2'
        option limit '253'
        option leasetime '12h'
        option ra 'hybrid'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option dhcpv6 'hybrid'

There is only one wired LSEA8300 router downstream. The wireline and wireless clients are attached to the LS router. This arrangement is working well. I can access the LS router externally over the forwarded ports. Just the isp supplied ipv6 is not delegated.

Once I resolve the ipv6 delegation issue on my BTHH5A, I hope to repeat those steps on its downstream LS router.

Thank you.

-Gamma

NAT and DMZ are IPv4 concepts so in terms of setting up v6 it would be better to avoid using them and simply have networks called lan and wan(6) inside each router instead of renaming everything. If the ISP uses DHCP and delegates a prefix to your router, the default configuration should work. In general it is best to stay close to the default configuration to reduce the risk of breaking something.

As a side note on IPv4, if you have enough control of the ISP router to install static routes, you can symmetric route your home LANs through multiple routers and avoid double NAT. With the main router having routes to all LANs, it can forward ports directly to any host on any LAN. Again this is IPv4. v6 should just work if sufficient prefix space is available.

The default firewall having only one option forward in the outgoing direction (lan->wan) is especially important for IPv6 security since the lack of a wan->lan forward is what prevents unsolicited connection attempts from the Internet from reaching your LAN machines. Any wan->lan forwarding should be made specific as needed to have particular servers open to the Internet.
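The wan->lan forwarding point above can be checked mechanically. The following is an added example, not part of the original post or of OpenWrt: it parses UCI firewall text and lists every zone-wide forwarding whose source is a WAN-facing zone, run here over an excerpt of the firewall config posted at the top of the thread. The function names, and treating a zone with `masq '1'` as WAN-facing when no zone names are given, are assumptions of this example.

```python
import shlex

# Excerpt (zones and forwardings only) of the firewall config posted above.
FIREWALL = """
config zone
        option name 'dmlanfwz'
        option forward 'ACCEPT'
        list network 'dmlan'

config zone
        option name 'dmwanfwz'
        option masq '1'
        option forward 'REJECT'
        list network 'dmwan6'
        list network 'dmwan'

config forwarding
        option src 'dmlanfwz'
        option dest 'dmwanfwz'

config forwarding
        option src 'dmwanfwz'
        option dest 'dmlanfwz'
"""

def parse_uci(text):
    """Parse UCI text into a list of (section_type, options) pairs."""
    sections = []
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if not tokens:
            continue
        if tokens[0] == "config" and len(tokens) >= 2:
            sections.append((tokens[1], {}))
        elif tokens[0] == "option" and len(tokens) == 3 and sections:
            sections[-1][1][tokens[1]] = tokens[2]
        elif tokens[0] == "list" and len(tokens) == 3 and sections:
            sections[-1][1].setdefault(tokens[1], []).append(tokens[2])
    return sections

def inbound_forwardings(text, wan_zones=None):
    """Return (src, dest) for each zone-wide forwarding that starts in a WAN zone."""
    sections = parse_uci(text)
    if wan_zones is None:
        # Assumption of this example: a masquerading zone faces the Internet.
        wan_zones = {o.get("name") for t, o in sections
                     if t == "zone" and o.get("masq") == "1"}
    return [(o.get("src"), o.get("dest")) for t, o in sections
            if t == "forwarding" and o.get("src") in wan_zones]

print(inbound_forwardings(FIREWALL))
```

Only `config forwarding` sections are reported; targeted `config rule` and `config redirect` entries, which are the specific openings the post recommends, are left alone.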

Hi @mk24,

Thank you for the detailed reply. Most of that is a tangent to me. All I can understand is I need to start with a clean slate. So let me try to reset my BTHH5A to factory settings and build the network interfaces from scratch.

Thanks once again! :slight_smile:

-Gamma

I am far from an expert but I managed to get IPv6 working, so just my two cents.

Above is the IPv4 section so perhaps all the IPv6 related stuff should be removed?

This is the IPv6 wan section. I would remove option ip6assign '56'; this means that you assign the whole subnet to the WAN so there is nothing left for LAN.
Either assign a prefix of 64, but normally you do not need to assign anything and the WAN will get its own /128 subnet, so try removing it.
Not sure what this will do:

        list ip6class 'dmwan6'
        list ip6class 'local'

So keep it there until someone with more expertise chimes in

Again far from an expert so might be talking nonsense

Yes you're on the right track. ip6assign and ip6class are options for the LAN-like interface to control how a WAN-received prefix is applied to the LAN-like interface. They make no sense on a wan interface.

With an ISP that complies with recommended standards, the customer's WAN interface should be advertised a routed prefix as well as hold a /64 or /128 IP from a separate prefix. The IP that is held by the WAN interface itself will be used for Internet requests that originate from the router itself, such as NTP to set the system clock, and recursed (forwarded) DNS. The routed prefix is not held by the router but it is forwarded through to LANs.
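Why `ip6assign '56'` on the WAN side leaves nothing for the LAN can be seen by carving up a /56, shown here as an added example that is not part of either post. It is a simplified first-fit model, not netifd's actual allocator; the function names are hypothetical and `2001:db8:ab00::/56` is a constructed documentation prefix standing in for the ISP's delegation.

```python
import ipaddress

# Constructed documentation prefix standing in for the ISP-delegated /56.
DELEGATED = "2001:db8:ab00::/56"

def allocate(delegated, requests):
    """First-fit carve-up of a delegated prefix.

    requests: ordered (interface, ip6assign length) pairs.
    Returns ({interface: network or None}, sorted list of free networks).
    Simplified model for illustration; netifd applies more rules than this.
    """
    free = [ipaddress.ip_network(delegated)]
    result = {}
    for iface, length in requests:
        result[iface] = None
        for block in sorted(free):
            if block.prefixlen > length:
                continue  # free block is smaller than the requested size
            chosen = next(block.subnets(new_prefix=length))
            free.remove(block)
            if chosen != block:
                # Keep whatever is left of the block after taking `chosen`.
                free.extend(block.address_exclude(chosen))
            result[iface] = chosen
            break
    return result, sorted(free)

def free_64s(free):
    """Number of /64 subnets still unassigned."""
    return sum(2 ** (64 - net.prefixlen) for net in free)

# As posted: the WAN-side interface asks for the whole /56 first.
broken, left_broken = allocate(DELEGATED, [("dmwan6", 56), ("dmlan", 58)])
# As suggested: no ip6assign on the WAN side, /58 on the LAN.
fixed, left_fixed = allocate(DELEGATED, [("dmlan", 58)])

print(broken, free_64s(left_broken))
print(fixed, free_64s(left_fixed))
```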


Hello @mk24 and @egc,

Thank you for your inputs. I reset the router to factory settings and the ipv6 magically appeared on modem's lan interface.

My next aim is making ipv6 appear on LS router's lan. I think I will tinker with the prefixes and ipv6 assignments and let me see how far I go.

Thank you once again. :slight_smile:

-Gamma

Hi,

I removed the silly settings on both the wans : the downstream LS router and upstream BT modem. Then checked the downstream LS router's lan. No globally routable ipv6. So amended my LS ipv6 setting to

network.wan6.ip6assign='62'
and
network.lan.ip6assign='62'

Then the downstream LS lan showed globally routed ipv6 with a /62 prefix.

Don't know if above values should be different. But I am pleased with the results.

Thank you guys! :slight_smile: :+1:

-Gamma

I think that is wasting prefixes, like I said you do not need to assign a prefix to wan6 at all but if necessary use 64
The prefixes you assign to wan6 you can not use otherwise.
I do not assign any prefix to wan6 and 58 to lan, lan can then assign to downstream routers and you have prefixes (2) left for guest and IoT subnet on the router


If you don't have another router connected downstream on the LAN, a LAN only needs a /64 prefix to be used directly by the LAN endpoints.

Hi @mk24,

I might need a sky sr203 router downstream for voip. for that I've put /62 as a prefix. I suppose /64 will not allow downstream voip. Am I correct?

Thanks.

-Gamma

A VOIP box is an endpoint, as it does not route and forward IP packets to another network. So like a tablet or laptop, it would take an IP from the base /64 to make its VOIP connection to the server.

If you're using an ISP provided router only for the VOIP functionality, and not connecting anything to its LAN side, the above would still apply.

Hi @mk24 ,
There is no separate voip box. The router sr203 has an inbuilt voip circuit. It has a phone port in which I connect to my ipphone via sky-supplied telephone cable.

I think I can attach the sr203 to the BT modem rather than downstream to LS router. If that works, then I can safely change the LS lan prefix to /64.

Thank you for your suggestions! :slight_smile:

-Gamma

Edit : spellings

Hi @egc ,

I removed the silly ip6assign setting on wan6.

About the /58 lan prefix, do you mean ip6assign is 58 on your lan?

Thanks. :slight_smile:

-Gamma

Yes that works for me then you have still /64 prefixes left for a guest and IoT subnet on your router and your router can handout /60 to downstream routers (I have a test bed with 6 routers which also have routers behind it)

Hello @egc,

Thank you for the confirmation. I can see why you allocated a /58 address. Thanks once again! :slight_smile:

-Gamma
