Trouble with ipv6 on router and nat6

Hi, I'm having this weird issue. I have IPv6 on the router with a /64 PD (I tried forcing for more but was left with a 64). Clients on a subnet with that delegated prefix can get a valid IP and have functional IPv6 connectivity. But when I try to ping an internet IPv6 address from the router, I see the ICMP go out on the interface but never get a reply. I will try to explain:

root@c7:/var# ip -6 a list eth0.10
24: eth0.10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP100> mtu 1500 state UP qlen 1000
    inet6 2000:abcd:abcd:1010:52c7:bfff:fef9:34df/64 scope global dynamic noprefixroute 
       valid_lft 2591997sec preferred_lft 604797sec
    inet6 2000:abcd:abcd:1020:52c7:bfff:fef9:34df/64 scope global dynamic noprefixroute 
       valid_lft 2591997sec preferred_lft 604797sec
    inet6 2000:abcd:abcd:1000:52c7:bfff:fef9:34df/64 scope global dynamic noprefixroute 
       valid_lft 2591785sec preferred_lft 604585sec
    inet6 2000:abcd:abcd:1000:ecd4:17b:c77:3d34/128 scope global dynamic noprefixroute 
       valid_lft 80561sec preferred_lft 66161sec
    inet6 fe80::52c7:bfff:fef9:34df/64 scope link 
       valid_lft forever preferred_lft forever

The ICMP packet, when I do a ping6 www.google.com for example, goes out on the OUT IF with source 2000:abcd:abcd:1020:52c7:bfff:fef9:34df, no returns. But if I request to use the /128 global one (2000:abcd:abcd:1000:ecd4:17b:c77:3d34/128) by passing -I and that IP to the ping command, it works OK. Also, if I manually delete the /64 global IPs (all 3 of them), it momentarily works without the argument, so I was wondering:
Is there any dhcpv6c argument I can pass on my wan6 interface to request only the /128 and the PD so I can get a functional stack on the router? Maybe any other suggestion?
I need that working so I can properly NAT6 the other subnets I currently use.
Thank you guys in advance.
Some configs:

root@c7:~# uci show dhcp
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].domain='asdc.org'
dhcp.@dnsmasq[0].nonegcache='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].queryport='44963'
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].dnsseccheckunsigned='0'
dhcp.@dnsmasq[0].localservice='0'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.start='11'
dhcp.lan.limit='32'
dhcp.lan.ra_management='1'
dhcp.lan.dhcp_option='42,192.168.0.60'
dhcp.lan.force='1'
dhcp.lan.ra_flags='managed-config' 'other-config' 'home-agent'
dhcp.lan.ra_default='2'
dhcp.lan.ntp='192.168.0.60'

root@c7:~# uci show network
network.loopback=interface
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.loopback.device='lo'
network.globals=globals
network.globals.ula_prefix='fd00::/48'
network.globals.packet_steering='2'
network.globals.steering_flows='128'
network.lan=interface
network.lan.proto='static'
network.lan.ipaddr='192.168.0.60'
network.lan.netmask='255.255.255.192'
network.lan.ip6assign='64'
network.lan.device='br-lan'
network.lan.delegate='0'
network.lan.force_link='0'
network.lan.ip6class='wan6'
network.wan=interface
network.wan.proto='dhcp'
network.wan.device='eth0.10'
network.wan6=interface
network.wan6.proto='dhcpv6'
network.wan6.reqaddress='force'
network.wan6.reqprefix='60'
network.wan6.device='eth0.10'
network.wan6.norelease='1'
network.wan6.sourcefilter='0'

Consider using relay mode instead of NAT6:
https://openwrt.org/docs/guide-user/network/ipv6/configuration#ipv6_relay

You're showing three different /64s (1000, 1010, and 1020) as well as a /128 that is inside the 1000 64. This is not a correct address setup if you are saying that only a single /64 is routed to your line.

A standards-compliant ISP should issue a customer a routed prefix as well as a single IP that is outside that prefix. The router will use the single IP for traffic initiated by the router such as pings run on the CLI.

The prefix I'm receiving:

IPv6-PD: 2000:abcd:abcd:8553::/64

Those /64s and the /128 on wan6 I'm getting from the DHCPv6 client.

I've never heard of it. Would that relay addresses from the prefix I'm delegated? I tried configuring another host on the ISP interface before over DHCP and it wouldn't provide another address, if that's what would be relayed.

A little progress from reading https://www.davidc.net/networking/ipv6-source-address-selection-linux : as said there, when there is a tie in deciding the src address on a routing table, Linux uses the last IP added to the interface. So if I manually remove the /128, DHCPv6 quickly reconfigures it and adds it back to the interface. It becomes the last added and the router starts using it. I'm guessing I will need cron or some other tool to check its status and reconfigure if needed.
The lifetimes tweak suggested there didn't work; the DHCP client keeps bumping it up.

I guess this should do for now in cron:

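#!/bin/sh
# If the first global address listed on eth0.10 is not the /128, delete the
# /128 so the DHCPv6 client re-adds it and it becomes the last added address.
COUNT=0
for iplst in $(ip -6 a show dev eth0.10 | grep -v fe80 | /bin/grep inet | /usr/bin/awk '{print $2}')
        do COUNT=$((COUNT+1))
        if [ "${COUNT}" -eq 1 ]; then
                # The original test lacked the space before "]", which is a syntax error
                if [ -z "$(echo "${iplst}" | grep /128)" ]; then
                        ADDR128=$(ip -6 a show dev eth0.10 | grep /128 | /bin/grep inet | /usr/bin/awk '{print $2}')
                        # Only delete when a /128 is actually present on the interface
                        [ -n "${ADDR128}" ] && ip -6 a d "${ADDR128}" dev eth0.10
                fi
        fi
done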
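
An added example, not part of the original posts: instead of inferring the selected source from the order of `ip -6 a` output, this check compares the `src` the kernel reports in `ip -6 route get` with the /128 on the interface. The function names, the 2001:db8::1 destination, the fe80::1 gateway and the sample command output are constructed for illustration; the interface addresses are the ones shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): ask the kernel which source address it
# would pick and compare it with the /128 assigned on the WAN interface.

# Print the "src" field of `ip -6 route get <dst>` output read from stdin.
route_src() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# Print the first non-link-local /128 (without the prefix length) from
# `ip -6 -o addr show` output read from stdin.
addr_128() {
    awk '$3 == "inet6" && $4 ~ /\/128$/ && $4 !~ /^fe80/ {
             sub(/\/128$/, "", $4); print $4; exit }'
}

# $1 = `ip -6 -o addr show dev <if>` output, $2 = `ip -6 route get <dst>` output.
# Prints "ok", "readd <addr>" (kernel picked something else) or "no-128".
check_src() {
    want=$(printf '%s\n' "$1" | addr_128)
    have=$(printf '%s\n' "$2" | route_src)
    [ -n "$want" ] || { echo "no-128"; return 0; }
    if [ "$want" = "$have" ]; then echo "ok"; else echo "readd $want"; fi
}

# Constructed sample output, built from the addresses quoted in the thread.
SAMPLE_ADDR='24: eth0.10    inet6 2000:abcd:abcd:1020:52c7:bfff:fef9:34df/64 scope global dynamic noprefixroute \       valid_lft 2591997sec preferred_lft 604797sec
24: eth0.10    inet6 2000:abcd:abcd:1000:ecd4:17b:c77:3d34/128 scope global dynamic noprefixroute \       valid_lft 80561sec preferred_lft 66161sec
24: eth0.10    inet6 fe80::52c7:bfff:fef9:34df/64 scope link \       valid_lft forever preferred_lft forever'
SAMPLE_ROUTE='2001:db8::1 from :: via fe80::1 dev eth0.10 proto ra src 2000:abcd:abcd:1020:52c7:bfff:fef9:34df metric 512 pref medium'

check_src "$SAMPLE_ADDR" "$SAMPLE_ROUTE"

# On the router (TARGET is a placeholder for a destination you choose):
#   check_src "$(ip -6 -o addr show dev eth0.10)" "$(ip -6 route get "$TARGET")"
```

A cron job would act only on a `readd` result, which also avoids calling `ip -6 a d` with no address when the lease has not yet delivered the /128.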
