Static IPv6 and DHCPv6-PD Setup

frog · February 12, 2024, 7:11pm

Hi, I am trying to set up IPv6 by following the doc, and currently the router can establish connection (ping6 google.com) but my devices can't. I only have limited knowledge on this topic so any help on debugging or fixing the issue would be appreciated, thanks!

The information I got from my ISP:

IPv6 address
IPv6 default gateway
Allocated prefix

I created a wan6 interface and here is the config (cat /etc/config/network)

Summary

config interface 'wan6'
	option device 'eth0'
	option proto 'static'
	list ip6addr '2604:21c0:xxxx:xxxx::xxxx:xxxx/64'
	option ip6gw '2604:21c0:xxxx:xxxx::xxxx:xxxx'
	option ip6prefix '2604:21C0:xxxx:xxxx::/60'
	list dns '2001:4860:4860::8888'
	list dns '2001:4860:4860::8844'

For DHCP (cat cat /etc/config/dhcp)

Summary

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dns '2001:4860:4860::8888'
	list dns '2001:4860:4860::8844'
	list dhcp_option '6,8.8.8.8,8.8.4.4'
	option dhcpv6 'server'

The interface status (ifstatus wan6)

Summary

{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 2785,
	"l3_device": "eth0",
	"proto": "static",
	"device": "eth0",
	"updated": [
		"addresses",
		"routes",
		"prefixes"
	],
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [

	],
	"ipv6-address": [
		{
			"address": "2604:21c0:xxxx:xxxx::xxxx:xxxx", (The given IPv6 address)
			"mask": 64
		}
	],
	"ipv6-prefix": [
		{
			"address": "2604:21c0:xxxx:xxxx::",
			"mask": 60,
			"class": "wan6",
			"assigned": {
				"lan": {
					"address": "2604:21c0:xxxx:xxxx::",
					"mask": 60
				}
			}
		}
	],
	"ipv6-prefix-assignment": [

	],
	"route": [
		{
			"target": "::",
			"mask": 0,
			"nexthop": "2604:21c0:xxxx:xxxx::xxxx:xxxx", (The default gateway)
			"source": "::/0"
		}
	],
	"dns-server": [
		"2001:4860:4860::8888",
		"2001:4860:4860::8844"
	],
	"dns-search": [

	],
	"neighbors": [

	],
	"inactive": {
		"ipv4-address": [

		],
		"ipv6-address": [

		],
		"route": [

		],
		"dns-server": [

		],
		"dns-search": [

		],
		"neighbors": [

		]
	},
	"data": {

	}
}

And ping6 google.com from my laptop got 100% packet loss.

Summary

❯ ping6 google.com
PING6(56=40+8+8 bytes) 2604:21c0:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx --> 2607:f8b0:4005:802::200e
^C
--- google.com ping6 statistics ---
87 packets transmitted, 0 packets received, 100.0% packet loss

Please let me know if you see any issues on the config, or how I could further find out which part is problematic.

trendy · February 12, 2024, 7:30pm

Run a tcpdump on OpenWrt and verify that you see the packets leave the wan interface.
opkg update; opkg install tcpdump; tcpdump -i eth0 -vn ip6
If you see the pings and not the answers, call your ISP to have it checked.

mk24 · February 12, 2024, 7:37pm

When you ping from the router it uses the regular address in the /64 as the source address. When you ping from a LAN device, the source address will be the one assigned to the device out of the /60. So the first thing to consider is that the /60 may be wrong and it is not actually the one that the ISP is routing from the Internet to your line. That will cause the pings to be lost within the ISP since it is not your assigned IP prefix.

If you use the default dhcpv6 on wan6, does it pick up an IP and prefix from the ISP? This is recommended if the ISP supports it.

AndrewZ · February 12, 2024, 7:42pm

As a side note:
you don't need this

If you have IPv6 only connectivity upstream and you don't want or cannot use provider's DNS, replace this in wan6 configuration

with

list dns '2001:4860:4860::6464'
list dns '2001:4860:4860::64'

I would also add option ip6assign 64 in lan interface configuration.

frog · February 13, 2024, 6:39am

Thanks, yeah I only see echo request but not echo response

frog · February 13, 2024, 6:50am

The prefix (first 64 bits) of my LAN device seems to match the prefix my ISP provides.

I tried to use the DHCPv6 client protocol on wan6, it did pick up an IP but it didn't get the prefix. And my ISP said that they don't provide RA and I need to set things up manually with the information they provided.

frog · February 13, 2024, 7:03am

Thanks, do you mean removing them from the dhcp config? I think the google IPv4 DNS server is optional, but the IPv6 ones are not since my ISP told me to use them for lookups, I don't think they have IPv6 DNS (they said they don't have RA)

The 2001:4860:4860::6464 and 2001:4860:4860::64 are for IPv6 only network right? Since I have both IPv4 and IPv6, I guess I should keep using 2001:4860:4860::8888 and 2001:4860:4860::8844

As for option ip6assign 64, is it on the interface config? I actually have option ip6assign 60 there, shall I change it?

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list ip6class 'wan6'

trendy · February 13, 2024, 9:11am

The delegated prefix is distributed with DHCPv6, not RA. When you enable the DHCPv6 protocol for wan6 interface, it will anyway send RS too as it is needed to find out the routers available.
If your ISP is not sending RAs, then you may have picked up some rogue RA.

Both are valid and working.

It depends. You are delegated a /60 prefix and you assign all of it to lan. It means that you won't be able to have a chunk of this prefix to another interface, e.g guest/iot.
If you don't plan to add a downstream router on the lan segment, you can make it /64.
If you plan to add some downstream router you can change it to /61. That will leave space for 7* /64s downstream the lan and another 8* /64s for other networks.

mk24 · February 13, 2024, 1:42pm

These are DNS64 servers. They differ from standard servers in that when the requested site is only on the IPv4 Internet, they reply with a synthetic IPv6 instead of none at all. If the ISP supports NAT64, the synthetic IPv6 can be used to access the site through ISP translation to the v4 Internet. From the view of the client and the customer's end of the ISP, it works like an IPv6 site.

The problem that you're having is not DNS. When you cannot ping sites by their well-known numeric IP, there is a fundamental routing issue.

Start a tcpdump on the wan interface looking for any destination IP within your /60. Then try to ping that IP from outside on the Internet.

frog · February 16, 2024, 6:13pm

Thanks all for your help. I finally understand the suggestion around the DNS configuration, the DNS should be set on the wan interface, and not announce in the DHCP setting, and the clients will use the router as the DNS server. By setting them this way I will be able to utilize the DNS cache provided by dnsmasq to improve the performance a bit.

I also solved an DNS issue where previously domain resolved to private address (10.x.x.x) got no answered with nslookup, which led me to set the announcement of IPv4 DNS, turns out I just need to uncheck Rebind protection under Network -> DHCP and DNS -> Filter

As for the IPv6 connectivity, I believe it is an ISP problem that the prefix delegation is not working as expected, and addresses assigned to my clients have routing issues. While waiting for the response from my ISP, I have set up NAT66 as a temporary workaround.