Hello everyone:
I think I am in big trouble: after countless attempts over the past 2 weeks, I still can't get IPv6 working properly on my guest network. I have read a lot of articles on Router Advertisements / ICMPv6, DHCPv6, the OpenWrt UCI firewall, etc., and tried a lot of setting combinations. The current configuration seems alright: IPv4 is working perfectly on both interfaces and their clients, and the interfaces themselves seem to have valid IPv6 addresses and to be running stably. Clients connected to interface 'lan' have a working and stable IPv6 connection, but that is not the case for clients connected to interface 'guest': those clients lose their IPv6 connection after several minutes... (I'm testing with https://test-ipv6.com )
I made a simple table to describe the connection status:
RA only: means to enable Router Advertisements without DHCPv6
DHCPv6 only: means to enable DHCPv6 with the stateless and stateful option
Stable: clients will have a stable IPv6 connection
No: clients won't get any IPv6 connections
Unstable: clients will have an unstable IPv6 connection
?: Not well tested.
clients connected to lan via WiFi:
**RA only:
android 8 Stable
android 6 Stable
PC (windows 10) Stable
PC (Windows 7) Stable
PC (Fedora 28) Stable
**DHCPv6 only:
android 8 No
android 6 No
PC (windows 10) No
PC (Windows 7) No
PC (Fedora 28) No
clients connected to guest via WiFi:
**RA only:
android 8 No
android 6 Stable?
PC (windows 10) Stable
PC (Windows 7) No
PC (Fedora 28) Unstable
**DHCPv6 only:
android 8 No
android 6 No
PC (windows 10) No
PC (Windows 7) No
PC (Fedora 28) No
So the conclusion is: RA is working well on lan, RA is unstable on guest. The DHCPv6 server does NOT work on either interface.
I know odhcpd is the DHCPv6 server for OpenWrt/LEDE; I checked the log and found output from odhcpd, so I don't see any reason why the DHCPv6 server wouldn't work. Is this a bug? Can someone try the DHCPv6-only option with LEDE 17.1.4 and tell me the result?
PS: version of odhcpd: odhcpd - 2017-10-02-c6f3d5d4-2, also tried 2018-03-02-2da5850f-3.
I must admit that this exceeds my ability, and I can't describe how frustrated I have been these past days. Any help or suggestions are highly appreciated!
My router is a 2.4/5 GHz dual-band WiFi router; the LEDE version is 17.1.04, with the default software plus the 6in4 package installed. It uses PPPoE to get an IPv4-only address from my ISP. I'm using the 6in4 provider 'tunnelbroker.net' to get an IPv6 connection.
My interface configurations are like this:
wan: PPPoE to my ISP
wan6: DHCPv6 (not enabled, and will not function because ISP not providing IPv6)
henet: 6in4 protocol
lan: main WiFi network (IPv6 is working perfectly here)
guest: for guests connecting via WiFi (clients' IPv6 connection is unstable)
Below are my configuration files:
/etc/config/wireless
// partial contents omitted
# Access point on radio0, attached to the 'guest' network (WPA2-PSK, CCMP only).
config wifi-iface
option device 'radio0'
option mode 'ap'
option encryption 'psk2+ccmp'
# Pre-shared key. The value here looks like a placeholder; real keys should
# be redacted before a config is posted publicly.
option key 'Magical Words'
option network 'guest'
option ssid 'Rainbow'
# A hidden SSID only suppresses the name in beacons. It is not an access
# control: associating clients still disclose the name.
option hidden '1'
# Blocks station-to-station traffic on this AP.
# NOTE(review): both radios are attached to 'guest'; whether a radio0 client
# can still reach a radio1 client through the bridge is not settled by this
# option alone - verify if guest-to-guest isolation is a requirement.
option isolate '1'
# Second access point, same settings and same key, on radio1.
config wifi-iface
option device 'radio1'
option mode 'ap'
option encryption 'psk2+ccmp'
option key 'Magical Words'
option network 'guest'
option ssid 'Rainbow_5G'
option hidden '1'
option isolate '1'
/etc/config/dhcp
# dnsmasq: DNS forwarder and DHCPv4 server.
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option localise_queries '1'
# DNS-rebinding protection: upstream answers pointing into private ranges
# are discarded; rebind_localhost still lets 127.0.0.0/8 answers through.
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
# Only answer DNS queries from hosts on directly attached subnets.
option localservice '1'
# '0' = bind the wildcard address rather than per-interface addresses, so
# the firewall zone policies decide which interfaces can reach port 53.
option nonwildcard '0'
option sequential_ip '1'
option dhcpleasemax '40'
option cachesize '1500'
# Ignore resolv.conf upstreams; only the 'list server' entries below are used.
option noresolv '1'
option nohosts '1'
# Default upstream is a resolver on the router itself, port 1053. What
# listens there is not shown in this post.
list server '127.0.0.1#1053'
# Per-domain upstreams for NTP pool names, sent directly to public resolvers.
# NOTE(review): presumably so time sync works before the local resolver is
# usable - confirm.
list server '/1.pool.ntp.org/8.8.4.4'
list server '/north-america.pool.ntp.org/8.8.4.4'
list server '/1.fedora.pool.ntp.org/8.8.4.4'
list server '/pool.ntp.org/149.112.112.112'
list server '/1.europe.pool.ntp.org/149.112.112.112'
# lan pool: DHCPv4 plus RA and DHCPv6 served by odhcpd.
config dhcp 'lan'
option interface 'lan'
option leasetime '24h'
option start '20'
option limit '12'
option ra 'server'
# ra_management '1': RAs advertise both SLAAC and stateful DHCPv6.
# NOTE(review): DHCPv6 does not carry a default route; clients learn the
# gateway from RA, so a "DHCPv6 only" test with RA switched off is expected
# to leave clients without IPv6 connectivity.
option ra_management '1'
option dhcpv6 'server'
# No DHCP service on the wan side.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
# odhcpd global settings; maindhcp '0' leaves DHCPv4 to dnsmasq.
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
# guest pool: the RA/DHCPv6 options are identical to 'lan' above, so the
# difference in client behaviour has to come from elsewhere (for example the
# guest firewall zone, whose input policy is REJECT, or the wireless setup).
config dhcp 'guest'
option interface 'guest'
option leasetime '24h'
option start '20'
option limit '14'
option ra 'server'
option ra_management '1'
option dhcpv6 'server'
/etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# IPv4 uplink: PPPoE on VLAN 2.
config interface 'wan'
option ifname 'eth0.2'
option _orig_ifname 'eth0.2'
option _orig_bridge 'false'
option proto 'pppoe'
# ISP credentials (placeholders in this post). This file holds secrets in
# clear text; redact them before sharing it.
option username 'acc'
option password 'pass'
option ipv6 'auto'
# Do not use the DNS servers offered by the ISP; use the list below.
option peerdns '0'
option dns '8.8.4.4 149.112.112.112 64.6.64.6 84.200.69.80 109.69.8.51 64.6.65.6 84.200.70.40 8.8.8.8'
# Native DHCPv6 client on the same device; auto '0' keeps it from starting.
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
option auto '0'
option reqaddress 'try'
option reqprefix 'auto'
# 6in4 tunnel that provides all IPv6 connectivity.
config interface 'henet'
option proto '6in4'
option username 'mows'
# Tunnel server IPv4 endpoint (placeholder value here).
option peeraddr '1.2.3.4'
option ip6addr '2001:123:c:1234::2/64'
# Routed /48; the /64s for lan and guest are carved out of it via ip6assign.
option ip6prefix '2001:123:1234::/48'
option tunnelid '123456'
# Tunnel update credential (placeholder here) - a secret; redact it.
option password 'RefreshKey'
config globals 'globals'
option ula_prefix 'fdb2:1234:5678::/48'
# Main network: bridge over VLAN 1, one /64 per available prefix.
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.9.1'
option macaddr 'removed'
option ip6assign '64'
config device 'lan_dev'
option name 'eth0.1'
option macaddr 'removed'
# Guest network: bridge over VLAN 3 plus the two guest APs from
# /etc/config/wireless.
config interface 'guest'
option type 'bridge'
option _orig_ifname 'radio0.network2 radio1.network2'
option _orig_bridge 'true'
option proto 'static'
# eth0.3 puts the wired VLAN 3 port (see switch_vlan 3 below) into the guest
# bridge, so that port gets guest-level access as well.
option ifname 'eth0.3'
option macaddr 'removed'
option netmask '255.255.255.0'
option ipaddr '192.168.10.1'
option ip6assign '64'
# Requests sub-prefix ID 1 from each delegated prefix.
option ip6hint '1'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
# VLAN 1 (lan): switch port 2 untagged, port 6 tagged.
# NOTE(review): port 6 is presumably the CPU port - board specific, confirm.
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '2 6t'
# VLAN 2 (wan): switch port 4 untagged, port 6 tagged.
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'
option vid '2'
# VLAN 3 (guest): switch port 1 untagged, port 6 tagged.
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '3'
option ports '1 6t'
/etc/config/firewall
# Global fallback policies; each zone below sets its own input/forward policy.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# Trusted zone: full access to the router and between lan hosts.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
# Untrusted zone. 'henet' is a member, so IPv6 arriving through the tunnel
# gets the same DROP policies as IPv4 from the ISP.
# NOTE(review): masq is IPv4 NAT. IPv6 is routed, so hosts with global
# addresses are protected only by these policies and the rules below.
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6 henet'
option input 'DROP'
option forward 'DROP'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
# DHCPv6 client replies from upstream. fc00::/6 is a wide match: it spans
# fc00:: through ffff::, which includes ULA, link-local and multicast space.
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# Multicast Listener Discovery from link-local sources on the wan side.
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 to the router itself from wan: error messages, echo and neighbour /
# router discovery, rate limited.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 forwarded from wan to any zone (dest '*'), i.e. to lan and guest
# hosts alike. Discovery types are deliberately not in this list.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Inbound IPsec to lan hosts. No 'family' is set, so this also applies to
# IPv6, where every lan host with a global address is reachable directly.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Port forward: 1000 TCP+UDP ports from the Internet to one lan host.
# Keep the range as small as the service on 192.168.9.10 actually needs.
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '51000-51999'
option dest_port '51000-51999'
option name 'PC'
option dest_ip '192.168.9.10'
# Custom rules script, loaded in addition to the rules in this file.
config include
option path '/etc/firewall.user'
// PS: nothing in '/etc/firewall.user'
# Guest zone: traffic to the router and between zones is rejected unless a
# rule below allows it. Every service guests need from the router (DNS,
# DHCP, DHCPv6, ICMPv6 for RA/ND) therefore needs an explicit input rule.
config zone
option name 'guest'
option output 'ACCEPT'
option network 'guest'
option input 'REJECT'
option forward 'REJECT'
# Guests may reach wan (which includes henet). There is no guest -> lan
# forwarding, so guests cannot open connections to lan hosts.
config forwarding
option dest 'wan'
option src 'guest'
# 6in4 (IP protocol 41) to the router from any wan source.
# NOTE(review): there is no src_ip; consider limiting this to the tunnel
# server address (the henet 'peeraddr' in /etc/config/network).
config rule
option name 'Allow Protocol 41'
option src 'wan'
option target 'ACCEPT'
option proto '41'
# Inbound IPsec from the Internet to guest devices.
# NOTE(review): confirm guests really need unsolicited inbound ESP and IKE;
# with global IPv6 addresses these rules expose every guest host.
config rule
option target 'ACCEPT'
option src 'wan'
option dest 'guest'
option proto 'esp'
option name 'Guest Allow-IPSec-ESP'
config rule
option name 'Guest Allow-ISAKMP'
option src 'wan'
option dest 'guest'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# DNS to the router, IPv4 only.
# NOTE(review): if RA/DHCPv6 announces the router's own IPv6 address as DNS
# server, guest queries sent over IPv6 hit the zone's REJECT policy. Check
# which resolver address guests receive.
config rule
option target 'ACCEPT'
option family 'ipv4'
option proto 'tcp udp'
option dest_port '53'
option name 'Guest DNS'
option src 'guest'
config rule
option target 'ACCEPT'
option family 'ipv4'
option src 'guest'
option name 'Guest DHCP'
option dest_port '67-68'
option proto 'udp'
# DHCPv6 to the router.
# NOTE(review): DHCPv6 runs over UDP and port matches only exist for TCP and
# UDP. With proto 'all' the dest_port may be ignored, which would turn this
# into "accept all IPv6 input from guest". Use proto 'udp' and inspect the
# generated ip6tables rule to confirm.
config rule
option target 'ACCEPT'
option family 'ipv6'
option src 'guest'
option name 'Guest DHCPv6'
option proto 'all'
option dest_port '547'
# ICMPv6 from guests to the router (needed for RS/RA and neighbour
# discovery). No icmp_type list and no rate limit: every ICMPv6 type is
# accepted. The stock rules in this file (Allow-MLD, Allow-ICMPv6-Input)
# use proto 'icmp' together with family 'ipv6', which is the same form.
config rule
option target 'ACCEPT'
option family 'ipv6'
option name 'Guest IPv6 ICMP input icmp'
option src 'guest'
option proto 'icmp'
# Same intent as the rule above, written with the explicit protocol name.
# NOTE(review): one of the two should suffice; keep whichever shows up in
# the generated ruleset.
config rule
option target 'ACCEPT'
option family 'ipv6'
option name 'Guest IPv6 ICMP input ipv6-icmp'
option src 'guest'
option proto 'ipv6-icmp'
// I'm not sure which one to use with family 'ipv6': proto 'icmp' or proto 'ipv6-icmp'?
# IPv4 ICMP from guests to the router; no icmp_type restriction, so all
# types are accepted.
config rule
option target 'ACCEPT'
option family 'ipv4'
option name 'Guest IPv4 ICMP input'
option src 'guest'
option proto 'icmp'