[SOLVED] No IPv6 in AP configuration with two networks

This is OpenWrt 18.06.1 on a TP-Link Archer C7 v2.

I have two subnets, one private and one guest network.

The private network is on interface HOME which is a bridge of eth0, wlan0, wlan1. The guest network is on interface LET which is a bridge of eth1, wlan0-1, wlan1-1. Each of the two WiFi radios thus spans two WiFi networks, one to access the private and one to access the guest network.

This works flawlessly for IPv4 where the OpenWrt box has a static IPv4 address and the clients get their IPv4 addresses from the upstream firewall appliance connected to eth0 and eth1.

The OpenWrt box only gets link-local IPv6 addresses, although the upstream firewall appliance has a Router Advertisement Daemon running and all workstations in the private network get their IPv6 addresses from the firewall appliance.

This is what ifstatus home (the interface on the private network) gives:

        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 1876,
        "l3_device": "br-home",
        "proto": "static",
        "device": "br-home",
        "updated": [
                "addresses",
                "routes"
        ],
        "metric": 1,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [
                {
                        "address": "192.168.31.122",
                        "mask": 24
                }
        ],
        "ipv6-address": [

        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [
                {
                        "address": "fd67:17c4:e74f::",
                        "mask": 64,
                        "local-address": {
                                "address": "fd67:17c4:e74f::1",
                                "mask": 64
                        }
                }
        ],
        "route": [
                {
                        "target": "0.0.0.0",
                        "mask": 0,
                        "nexthop": "192.168.31.1",
                        "source": "0.0.0.0\/0"
                }
        ],
        "dns-server": [
                "192.168.31.1"
        ],
        "dns-search": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ]
        },
        "data": {

        }
}

I read the docs and searched the forum but I am unsure where to start making changes. Please let me know what config files I should show you to be able to help me.

Kind regards
Boris

uci show network
uci show firewall
root@archer:~# uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd67:17c4:e74f::/48'
network.let=interface
network.let.type='bridge'
network.let.proto='static'
network.let.netmask='255.255.255.0'
network.let.ipaddr='192.168.35.122'
network.let.gateway='192.168.35.1'
network.let.dns='192.168.31.1'
network.let.ip6assign='64'
network.let._orig_ifname='eth0'
network.let._orig_bridge='true'
network.let.ifname='eth0'
network.let.metric='2'
network.home=interface
network.home.type='bridge'
network.home.proto='static'
network.home.netmask='255.255.255.0'
network.home.ipaddr='192.168.31.122'
network.home.gateway='192.168.31.1'
network.home.dns='192.168.31.1'
network.home.ip6assign='64'
network.home._orig_ifname='eth1'
network.home._orig_bridge='true'
network.home.metric='1'
network.home.ifname='eth1'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='2 3 4 5 0'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='1 6'
root@archer:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'

The wiki describes your setup in the dumb AP and bridged AP articles.
The IPv6 section in the dumb AP article answers your question. You need to set up additional interfaces:

# IPv6 client interface for the private network. The leading '@' in ifname
# refers to the existing logical interface 'home', so this is an alias on the
# same bridge rather than a new device.
config interface 'home6'
        # Run the IPv6 client so the AP itself gets an address from the upstream router.
        option proto 'dhcpv6'
        option ifname '@home'
        # The AP only needs an address for itself; do not request a delegated prefix.
        option reqprefix no

# Same alias arrangement for the guest network interface 'let'.
config interface 'let6'
        # Run the IPv6 client so the AP itself gets an address from the upstream router.
        option proto 'dhcpv6'
        option ifname '@let'
        # The AP only needs an address for itself; do not request a delegated prefix.
        option reqprefix no

Remove ip6assign from your home and let interfaces since it is meant for distributing addresses via RA/DHCP, not for receiving an address via RA.


:+1: Excellent. A million thanks for your precise help. This works as desired. The OpenWRT box as well as mobile devices connected to its wireless networks get IPv6 addresses from the radvd running at the firewall appliance.

For posterity:

I removed ip6assign and added the additional interfaces to /etc/config/network as advised by @mpa. I turned off and disabled odhcpd, dnsmasq and firewall. ifname '@home' makes home6 an alias for home.

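Be careful when turning off the firewall. The box has an address in both the home and let subnets, so with no firewall rules loaded nothing on it filters traffic between the two, and any management services it runs are reachable from the guest side as well. This could allow unwanted communication between the home and let networks. Maybe disable forwarding as well?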

This is a valuable hint. I put the home and let interfaces in separate firewall zones, forbade forwarding, and re-enabled the firewall.

Best regards
Boris
