Some IPv6 issues encountered?

Good day,

I've been mucking about with IPv6 (23.05.0 rc2).

From my ISP I get a /48 delegated prefix via PPPoE and the virtual interface. I do not use NAT6.

IPv6 works fine when I configure the alias interface WAN6 IP with a mask between 49 and 64 bits, and all LAN IPs with a /64 address. However, what I did discover is that the WAN and LAN IPs/networks cannot be in the same subnet prefix; OpenWrt refuses by changing one or more of the subnet prefixes to a different value. For example, IP aaaa.bbbb.cccc.dead::1 for the WAN interface means I must configure IPs for the LAN with a prefix value other than "dead". Is this by design? Can WAN and LAN networks/IPs not be in the same IP/subnet prefix?

Also, if I configure a LAN network with a mask larger than /64, the IP is simply not shown. I know that this can break certain protocols like neighbor discovery and ICMPv6, and that /64 is standard and advised practice. So if anyone can clear this up for me, I'd be much obliged. It seems to me there are exceptions to the rule which would be made impossible by OpenWRT. Thank you in advance.

Fundamentally, routing is based on the prefix of the destination address. All of the networks that a router is handling must have a different prefix so that a deterministic routing table can be built.

The way that OpenWrt delegates prefixes does not seem optimal to me. A lan interface is always given a GUA. It is not necessary for a lan interface to hold a GUA at all, as the default route from all prefixes that are delegated to that LAN can be the link-local of the interface in the router. Each such assignment cuts the usable prefix space in half (i.e. uses one bit) from further delegation.

1 Like

The interface itself should only have (as any other interface) a /64.
(Really, the only exception is to use a /127 on a point-to-point link, but you still can get good arguments why it might be a not-so-good idea, and why you should just use a /64 for each and every link. The address space is large enough to support such an allocation or addressing model.)

A delegated prefix or a prefix in general should be larger of course, so a router is able to assign each interface (i.e. a VLAN) a dedicated /64.
(In my experience, people say subnet when they reference a link where a /64 is present, and prefix when they refer to the whole network, like a /56 or /48, or /32.)

Yes, they have to be different.
Normally the prefix on the WAN interface is part of a prefix the provider uses for customer links, and a delegated prefix which can be used by the customer on its LAN comes from another network.
The ISP must be able to route your traffic. The routing table looks like "customer prefix via customer wan prefix", but without a "known" address on the wan interface, the ISP could not route the traffic to the delegated prefix to you, because it would not know where to route it.
Even on "business" internet uplinks, or uplinks you get in a data center: The provider uses addresses out of his prefix, and tells you upfront how to configure your wan interface(s). And either they set a static route for your prefix, or you do speak BGP with the provider and you announce your own prefix to them. But still, your prefix is routed via the address on the wan interface if you will look at the routing table.

/*
Quick example:
The ISP has 2001:db8::/32. It will use 2001:db8::/34 for its own services and infrastructure. Then 2001:0db8:4000::/34 will be used for dialup-customer, 2001:0db8:8000::/34 for business customer, ...

So your WAN interface would be within 2001:0db8::/34, "but" your LAN would be within 2001:0db8:4000::/34.

My personal theory why people get confused is because IPv4 has clouded their minds. Based on the sparse address space, and that we know since the early 90s that we do not have enough (IPv4) addresses, mankind has invented IPv4 NAT and people have seen global addresses only on the WAN interface of their router, and the private IP space got translated when routing to the Internet was done.
*/

Again, each interface should have a /64. Otherwise SLAAC will not work. (A prefix pool which can be used for prefix delegation is a totally different topic.)
(The config option ip6assign maybe is a little bit kind of special.)

Yes and no. You can build an IPv6 network without GUA addresses on each interface, but only, and only if you have at least one GUA address on the router, which can be used by all other interfaces.

The loopback-interface is such one. If you use f.i. OSPF(v3) and BGP you can advertise the GUA from loopback within the OSPF area, and BGP makes this address available in the (larger) BGP network.

But for a "standard" network topology it is always easier to have a large enough prefix for each customer, and each interface (and subnet) on the local side gets its own (GUA) subnet (/64).
The internet, IPv4, and IPv6 are built with a unique global address space in mind, and more importantly with the ability that each and every device can communicate with each and every device directly, without translation or anything.

If you want your devices/clients on a link to participate on the Internet, you have to assign a GUA prefix to this interface anyway. Even if you configure this prefix only for RA and DHCPv6 (and the router does not have an address out of that prefix on its interface), the subnet gets allocated and assigned (on that link). Yes you can do NAT or other translation but this shit just breaks (without any need) the end to end philosophy of this computer network. So please don't!

And just to repeat it: The WAN side of a customer gets a /64 from a "customer-prefix", while the usable /56 or /48 comes from another prefix from the ISP.
My ISP thankfully does it this way:

WAN 2003:e4:bfff:13e7:xxxx:xxxx:xxxx:xxxx/64
DP  2003:e4:bf09:xx00::/56

What OpenWrt provides / is able to do and is IMHO correct about it: I.e. uses DHCPv6 on WAN to get an address on WAN, then uses DHCPv6-PD to request a prefix, and if it got one, it can dynamically assign a subnet out of that prefix to each interface.
How the user splits the network is of course its own problem, but I see no issues here what should be wrong/faulty...

(Side note: On a business/enterprise network, where you got a (static) assignment from your ISP, you configure each and every subnet out of your /48 or /32 statically or have some form of automation but in the end each and every allocation of a router/switch interface is hardcoded/statically configured.)

4 Likes
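The addressing rules from the answer above (WAN link prefix separate from the delegated prefix, one non-overlapping /64 per LAN interface) can be checked mechanically. This is an added example, not part of the thread or of OpenWrt's code; the function names and all addresses (taken from the 2001:db8::/32 documentation range) are constructed for illustration.

```python
import ipaddress
from itertools import islice

def carve(delegated, count):
    """Return the first `count` /64 subnets of a delegated prefix."""
    pd = ipaddress.ip_network(delegated)
    return [str(n) for n in islice(pd.subnets(new_prefix=64), count)]

def check_plan(delegated, wan, lans):
    """Return (interface, problem) findings for an addressing plan."""
    pd = ipaddress.ip_network(delegated)
    wan_net = ipaddress.ip_interface(wan).network
    findings = []
    # The WAN link prefix must come from outside the delegated prefix,
    # otherwise the routing table is no longer deterministic.
    if wan_net.overlaps(pd):
        findings.append(("wan", "WAN prefix overlaps delegated prefix"))
    seen = {"wan": wan_net}
    for name, cidr in lans.items():
        net = ipaddress.ip_interface(cidr).network
        if net.prefixlen != 64:
            findings.append((name, f"/{net.prefixlen} is not /64; SLAAC will not work"))
        if not net.subnet_of(pd):
            findings.append((name, "not inside delegated prefix"))
        for other, other_net in seen.items():
            if net.overlaps(other_net):
                findings.append((name, f"overlaps {other}"))
        seen[name] = net
    return findings

# Constructed sample data (documentation prefix, not real assignments).
DELEGATED = "2001:db8:4000:1200::/56"
WAN = "2001:db8:0:13e7::1/64"
GOOD = {"lan": "2001:db8:4000:1200::1/64", "guest": "2001:db8:4000:1201::1/64"}
BAD = {"lan": "2001:db8:0:13e7::2/64", "iot": "2001:db8:4000:1202::1/80"}

if __name__ == "__main__":
    print(carve(DELEGATED, 3))
    for plan in (GOOD, BAD):
        print(check_plan(DELEGATED, WAN, plan) or "plan OK")
```

A WAN address handed out by DHCPv6 as a /128 passes the same check, since a single address outside the delegated prefix overlaps nothing.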

Thanks for a very nice explanation.

I hope this is not off-topic but as we are discussing IPv6 I have this question/observation.

My WAN has indeed (as expected) another Prefix than my LAN which it got with PD of /56, but my WAN has a prefix of /128 instead of /64 and I have seen that more often.

inet6 2001:xxxx:xxxx:0:xxxx:50ac:ec18:4aed/128 scope global

How does that fit in?

That is DHCP6 assigned address and it is completely fine.

1 Like

Thank you for that elaborate explanation, it clears up things a lot for me!

I see that the engineers that dreamt up the regulations for IPv6 went out of their way to make configuration pretty easy. The 128 bit address, when written as a complete address, looks terrifying, scaring away many that are interested. But when one learns the abbreviations and the way the networks and hosts are accommodated within that address, a lot becomes easy as pie, easier than IP4 even. The /64 obligation is definitely a life saver for many!

Thanks again for your phenomenal explanation!

3 Likes