TL;DR
Problem:
No IPv6 connectivity despite valid addresses and routes from some wired/wireless clients.
Solution steps:
- Double-check that ICMPv6 traffic can pass to the router (FW rule on OpenWRT and external switch configuration, if applicable)
- MAC filter can mess with wireless packets, consider disabling it
I had an IPv6 tunnel setup running for years without issues. Now I switched to a new native, static network and got some issues regarding IPv6 connectivitity on clients that do not speak DHCPv6, i.e. rely on SLAAC.
Environment:
Public native dual statck with routed /48 IPv6 subnet on gateway (through WAN interface).
/52 IPv6 prefix assigned to OpenWRT box (no DHCPv6 or radvd in upstream, all configured using static routes).
Router runs OpenWRT 19.07.4
Issue is equally present on multiple similar configured bridge interfaces.
Both wired (through external, managed switch) and wireless clients partially work and do not work, so it's likely not the infrastructure.
Interfaces (extract):
config globals 'globals'
option ula_prefix 'fd00:0:0:1000::/52'
config interface 'wan'
option ifname 'eth1'
option _orig_ifname 'eth1'
option _orig_bridge 'false'
option proto 'static'
option gateway '***.***.***.1'
list ipaddr '***.***.***.2/24'
option ip6ifaceid 'eui64'
option ip6gw 'fe80::1'
option ip6prefix '2001:****:****:1000::/52'
list ip6addr '2001:****:****:0::2/64'
list dns '***.***.***.***'
list dns '***.***.***.***'
list dns '2001:****:****:****:****:****::****'
list dns '2001:****:****:****:****:****::****'
config interface 'lan'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.101.1'
option ip6assign '64'
option ifname 'eth0.1'
option ip6hint '101'
DHCP config (extract):
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config dhcp 'lan'
option interface 'lan'
option leasetime '12h'
option limit '50'
option start '100'
list dns '2001:****:****:1101::1'
option ra_default '1'
option ra 'server'
option dhcpv6 'server'
option ra_management '1'
Working clients:
Most clients (Linux, Windows, iOS) perform fine.
Client IP/route example:
$ ip -6 address show
3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 2001:****:****:1101::a24/128 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fd00::1101:****:****:****:****/64 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 2001:****:****:1101:****:****:****:****/64 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::****:****:****:****/64 scope link noprefixroute
valid_lft forever preferred_lft forever
$ ip -6 route show
::1 dev lo proto kernel metric 256 pref medium
2001:****:****:1101::a24 dev eno1 proto kernel metric 100 pref medium
2001:****:****:1101::/64 dev eno1 proto ra metric 100 pref medium
fd00:0:0:1101::/64 dev eno1 proto ra metric 100 pref medium
fe80::/64 dev eno1 proto kernel metric 100 pref medium
default via fe80::**** dev eno1 proto ra metric 100 pref medium
Not working:
Some clients (Linux, Android) without DHCPv6 do receive valid IPv6 addresses (1-2 public, 1-2 ULA, 1 link local)
$ ip -6 address show
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fd00::1101:****:****:****:****/64 scope global mngtmpaddr noprefixroute
valid_lft forever preferred_lft forever
inet6 2001:****:****:1104:****:****:****:****/64 scope global mngtmpaddr noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::****:****:****:****/64 scope link
valid_lft forever preferred_lft forever
$ ip -6 route show
::1 dev lo proto kernel metric 256 pref medium
2001:****:****:1101::/64 dev eth0 proto ra metric 202 mtu 1500 pref medium
fd00:0:0:1101::/64 dev eth0 proto ra metric 202 mtu 1500 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::****:****:****:**** dev eth0 proto ra metric 202 mtu 1500 pref medium
On the client trying to ping the router (same for external address):
$ ping 2001:****:****:1101::1
PING 2001:****:****:1101::1(2001:****:****:1101::1) 56 data bytes
From 2001:****:****:1101:****:****:****:****: icmp_seq=1 Destination unreachable: Address unreachable
From 2001:****:****:1101:****:****:****:****: icmp_seq=2 Destination unreachable: Address unreachable
[...]
ping: sendmsg: Network is unreachable
ping: sendmsg: Network is unreachable
[...]
Simultaneous inspection with tcpdump and WireShark on the bridge interface shows repeated neighbor solicitation packets for public and link local address without responses.
636 2472.961068 2001:****:****:1101:****:****:****:**** ff02::1:ff00:1 ICMPv6 86 Neighbor Solicitation for 2001:****:****:1101::1 from **:**:**:**:**:**
637 2481.920958 fe80::****:****:****:**** fe80::****:****:****:**** ICMPv6 86 Neighbor Solicitation for fe80::****:****:****:**** from **:**:**:**:**:**
[...]
Thanks for any hints or thoughts on that issue!
Stefan