Two essid, two distinguished (br-)lan /ip networks, ipv4 well, but can't get ipv6 on both of them

Hello

I have been trying for a few hours to get IPv6 deployed on two different LANs, on two different WLANs, on the same owrt router.

I got as far as figuring out how to have two different IP "vlans" by using br-lan2 and lan2 in addition to br-lan, where lan2 is dedicated to the 2nd essid ip subnet.

But.
even if the two interfaces, two networks and two dhcp work well in ipv4, i can't find a way to get ipv6 deployed on both networks. Each time, only one gets it, or none of them.

i think it's due to the "ip6assign" as "64", i tried with both on 60 or even less, but can't find the right way. Even with other options, but here it is :


config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        list ipaddr '192.168.200.1/24'
        option ip6assign '32'
        option multipath 'off'


config interface 'lan2'
        option proto 'static'
        option device 'br-lan2'
        list ipaddr '192.168.201.1/24'
        option ip6assign '32'
        option multipath 'off'

What's the size of the prefix from your ISP? If it's too small (/64) OpenWrt will assign it in a kind of first come first serve purpose to one of the LANs.

At some point there was also a problem with subnetting with subnets like /63 and it needed at least 2 or 4 bits (can't remember exactly) for things to work.

This is invalid, use 64.

/56 from the modem of the ISP
owrt is connected to it, obtains a /64
i dont find out a way to have subnets for maybe few different isolated wlan networks...

i see lot of prefix on 64, on 64 + 60 for guest, sometimes with ip6hint (or not), etc

i also moved the fw option name 'Allow-ICMPv6-Input'

option src 'wan' to '*'
and the same for Allow-ICMPv6-Forward

so eg if i want to configure 3 or 4 guest networks, it's a bit shady to understand how to set up the ipv6 well on each.

thanks :slight_smile:

Try letting OpenWrt obtain something like a /60 instead.

It can help if you show us your configs, please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have but do not redact private RFC 1918 IP addresses (192.168.X.X, 10.X.X.X and 172.16-32.X.X) as that is not needed:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
ifstatus wan6

well, i saw here :

that using a 62 could fit if i want eg 4 different wlan, with separate ipv4/6 networks.

if i force wan6 on /62 instead of "auto", it gets a /64 anyway, which appears in the "ip a" of the router.

I can't figure out why some "guest" confs on the internet show 64 on the lan and 60 on the guest, or even sometimes 62, it's not easy to understand. I did dozens of tests in several hours, at best wlan1 had ipv6 but not wlan2, sometimes neither lan interface has ipv6.

should i systematically assign the same type of /something for each interface? let's say i need 4 wlans networks with ipv6 (at least..)

in addition, owrt doc says :

If ip6hint is not set, an arbitrary ID will be chosen.
https://openwrt.org/docs/guide-user/network/ipv6/configuration?s[]=option&s[]=1

means that i dont need it?

thank you

Each local interface, e.g. lan or guest, can do with a /64. If you have another router connected to the lan (so daisy-chaining routers) and you want that router to have IPv6 too, then the lan should have more than one /64 subnet, which it can then hand out downstream, but unless you have downstream routers needing IPv6 a /64 is OK for lan (and guest).
So we are talking about two /64s, which should come from the wan6.

So the wan6 must have at least a /63 Prefix delegated (PD) (and even then it must not take a /64 for itself)

To see what the wan6 is having we need the output of ifstatus wan6 which is what I already requested earlier

Edit: if you are not familiar with the command line, LuCi also shows the information under Network > Interfaces > wan6

Indeed a /62 should work too, but at some point OpenWrt had troubles with smaller subnets which is why I recommended trying a /60 at first. If it gathers a /64 no matter what you do on the OpenWrt side, then your upstream router likely isn't assigning bigger chunks out of your /56 and you need to look there.

root@devolo:~# ubus call system board
{
	"kernel": "6.12.74",
	"hostname": "devolo",
	"system": "MediaTek MT7620A ver:2 eco:6",
	"model": "devolo WiFi Repeater ac",
	"board_name": "devolo,rac",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "25.12.1",
		"firmware_url": "https://downloads.openwrt.org/",
		"revision": "r32768-b21cfa8f8c",
		"target": "ramips/mt7620",
		"description": "OpenWrt 25.12.1 r32768-b21cfa8f8c",
		"builddate": "1773711117"
	}
}
root@devolo:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr '127.0.0.1/8'

config globals 'globals'
	option dhcp_default_duid '000XXXXX'
	option ula_prefix 'fdXXXXXXX::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config device                        
        option type 'bridge'         
        option name 'br-lan2'        
        list ports 'eth0'            

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	list ipaddr '192.168.200.1/24'
	option ip6assign '62'
	option multipath 'off'
        option ip6hint '62'
#	option ip6class 'wan6'
#        option ip6ifaceid '::1'

config interface 'lan2'             
        option proto 'static'       
        option device 'br-lan2'     
        list ipaddr '192.168.201.1/24'
        option ip6assign '62'       
        option multipath 'off'
        option ip6hint '62'
#	option ip6class 'wan6'
#        option ip6ifaceid '::2'       

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '0'

config interface 'wan'
	option proto 'dhcp'
	option multipath 'off'
	option device 'phy0-sta0'

config interface 'wan6'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
#	option reqprefix '62'
	option norelease '1'
	option multipath 'off'
	option device '@wan'


root@devolo:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'
	option logquery '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ra_preference 'medium'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option leasefile '/tmp/odhcpd.leases'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
	option piodir '/tmp/odhcpd-piodir'
	option hostsdir '/tmp/hosts'

config cname
	option cname 'owrt-7615'
	option target 'devolo-mt2767'

config dhcp 'lan2'                                              
        option interface 'lan2'                                 
        option start '100'                                     
        option limit '150'                                     
        option leasetime '12h'                                 
        option dhcpv4 'server'                                 
        option dhcpv6 'server'                                 
        option ra 'server'                                     
        list ra_flags 'managed-config'                         
        list ra_flags 'other-config'                           
        option ra_preference 'medium'     
root@devolo:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
        option name 'lan2'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan2' 
#        option masq6 '1'

config rule
	option name 'aa'
	option src 'lan2'
	option dest_port '547'
	option proto 'udp'
	option family 'ipv6'
	option target 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

       
config forwarding             
        option src 'lan2'      
        option dest 'wan'     

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
#	option src 'wan'
	option src '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
#	option src 'wan'
	option src '*'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'


root@devolo:~# ifstatus wan6
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 696,
	"l3_device": "phy0-sta0",
	"proto": "dhcpv6",
	"device": "phy0-sta0",
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		
	],
	"ipv6-address": [
		{
			"address": "2a01:LONG:IPV6:ADDD:RESS:ZZZZ",
			"mask": 64,
			"preferred": 569,
			"valid": 86369
		}
	],
	"ipv6-prefix": [
		{
			"address": "2a01:AAAA:BBBB:CCCC::",
			"mask": 64,
			"preferred": 494,
			"valid": 86294,
			"class": "wan6",
			"assigned": {
				"lan": {
					"address": "2a01:AAAA:BBBB:CCCC::",
					"mask": 64
				}
			}
		}
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "2a01:LONG:IPV6....::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"valid": 86369,
			"source": "::/0"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::aaaa:bbbb",
			"metric": 384,
			"valid": 569,
			"source": "2a01:LONG:IPV6:ADDD:RESS:ZZZZ/64"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::.......",
			"metric": 384,
			"valid": 569,
			"source": "2a01:AAAA:BBBB:CCCC::/64"
		}
	],
	"dns-server": [
		"2a01:LONG.....:)",
		"fe80::ZZZZ"
	],
	"dns-search": [
		"home"
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		"passthru": "HEHE"
	}
}

Two bridges with the same port does not work with DSA. I think this is still an swconfig device, so maybe that is allowed, but chances are it will play tricks.

option device 'phy0-sta0' is this connected wirelessly to upstream?

What is upstream?

You really should start with requesting a /64 IPv6 subnet instead of /62, not that it matters as you only got a /64 PD:

You can try ask for /62 or /60 but chances are this is all you get

Auto usually should work

So that leaves the question what is upstream?
If your ISP is handing out a /56 but there is another router in between then you have to check if that is capable of sending a PD lower than /64.
I have yet to see a non Openwrt router which is capable of doing that (those based on OpenWRT not included)

If that is the problem maybe the ISP router can be placed in bridge mode

For comparison, this is the ifstatus wan6 output of my router, directly connected to the internet as the ISP modem is in bridge mode:

        "ipv6-prefix": [
                {
                        "address": "2001:1c03:::",
                        "mask": 56,
                        "preferred": 434471,
                        "valid": 1039271,
                        "class": "wan6",
                        "assigned": {
                                "lan": {
                                        "address": "2001:1c03::",
                                        "mask": 60
                                }
                        }
                }
        ],
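
The arithmetic behind the replies above, as an added example that is not part of any post in this thread: a simplified first-come model (not netifd's actual allocator) of how the delegated prefix reported by `ifstatus wan6` is split between interfaces. The function names and the 2001:db8:: sample prefixes are constructed for illustration.

```python
import ipaddress
import json

def plan_assignments(wan6_status, wanted):
    """Simplified first-come model of carving LAN prefixes out of the
    delegation reported by `ifstatus wan6` (not netifd's actual algorithm).
    wanted maps interface name -> ip6assign length, in config order."""
    plan = {name: None for name in wanted}
    prefixes = wan6_status.get("ipv6-prefix", [])
    if not prefixes:
        return plan  # upstream delegated nothing
    pd = ipaddress.IPv6Network(f'{prefixes[0]["address"]}/{prefixes[0]["mask"]}')
    cursor = int(pd.network_address)
    end = cursor + pd.num_addresses
    for name, length in wanted.items():
        # Fall back from the requested size towards /64, as the thread's
        # output shows (ip6assign '62' on a /64 delegation yields a /64).
        for try_len in range(max(length, pd.prefixlen), 65):
            size = 1 << (128 - try_len)
            start = -(-cursor // size) * size  # round up to block alignment
            if start + size <= end:
                plan[name] = str(ipaddress.IPv6Network((start, try_len)))
                cursor = start + size
                break
    return plan

def unserved(plan):
    """Interfaces that end up without a global IPv6 prefix."""
    return [name for name, prefix in plan.items() if prefix is None]

# Constructed samples (documentation prefix 2001:db8::/32), trimmed to the
# keys used here; same shape as the ifstatus wan6 output in the thread.
PD_64 = json.loads('{"ipv6-prefix": [{"address": "2001:db8:0:1::", "mask": 64}]}')
PD_62 = json.loads('{"ipv6-prefix": [{"address": "2001:db8:0:4::", "mask": 62}]}')

if __name__ == "__main__":
    for label, status in (("/64 PD", PD_64), ("/62 PD", PD_62)):
        plan = plan_assignments(status, {"lan": 64, "lan2": 64})
        print(label, plan, "unserved:", unserved(plan))
```

With a /64 delegation only the first interface is served, whatever `ip6assign` asks for; a /62 covers four /64 networks.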

what does DSA mean?

well, both ipv4 networks work well on this ipv4 / dual wlan plan.. as i saw it somewhere else on this forum

yep, this device is an AP+STA

you mean for each lan?

so auto for wan6, 64 for each lan?

im checking, on the modem :
/56 is attributed to the subscriber
then, each equipment says "allocated prefix" with a /64 (and the mac addr of each connected to the modem)
the modem is this :

https://boutique.orange.fr/informations/livebox-6/

i dont think this modem is capable of this.

yes

I read that as allocate a PD of /64 exactly what you are getting.
Maybe you can alter that to /60 or if that does not work /62

I have a Livebox 5 at my home in France that only delegates a Prefix of /64 and cannot be changed so maybe you are lucky

Oh, almost forgot: you are running an old build with known security problems, consider upgrading to latest 25.12. You are behind another router so it is not critical, but I would update anyway.

you have several homes in several countries to compare ipv6 deployment of ISP? :smiley:

for the wan side of the owrt router ?

so i would try to replace 'auto' per '60' or '62', and i just check the / at the end of the ipv6 of the wan intf?

No on the Livebox6 that hands out the prefix.
Your wan6 can request what it wants but it is handed out by your livebox6 if that only hands out a /64 PD then that is what you will get.

Yes indeed to add I have a VPS in Switzerland

so what figures should i put in wan/lan to get it working? i admit im a bit lost..

That does not matter: if your livebox hands out just a /64 prefix then that is all you will get.

You have to make the changes on the livebox to start with.
Ask in the livebox6 forum or try yourself, this looks promising if you can change this:

The wan6 should be kept on auto and lan and lan-2 to /64

You can try for wan6 with /62 and /60 but you already did so the problem looks to be your livebox6

Research if that is capable of handing out a pd of e.g. /62.
The livebox5 cannot but maybe your livebox6 can.
If not then there is nothing you can do about it (yes you can use ULA addresses and NAT66 or relayd but those are just stop gaps)

I asked le Chat for you:

Based on the most relevant and recent information, the Livebox 6 in France (as used by Orange) typically only delegates a single /64 prefix to a downstream router, even if it has a larger prefix (such as a /56) available. It does not support handing out a smaller prefix (e.g., /62) to a downstream router. Multiple sources confirm that the Livebox 6 only provides one /64 prefix to a downstream router, and does not allow for further subdivision or delegation of a larger block (like /62) to downstream devices.

In summary: No, the Livebox 6 cannot hand out a smaller prefix than /64 (such as /62) to a downstream router. It only delegates a single /64.

If this is not a hallucination then too bad no dice :frowning:

Impossible, it doesn't work, no luck :cry:

well, i'm afraid that blogger/engineer X0r showed this a few years ago :

i have the same interface on livebox :

it can only enable or disable ipv6 on the modem. Nothing more.

but "at least", it can still allow an owrt router to "dispatch" ipv6 to lan clients, whereas before only devices connected directly to the livebox could.

what about ula ? or maybe a sort of shared/relay to let two lans use ipv6 from the ones attributed to the owrt router?

thank you

I would create a new thread for that.
You now know that you only have a /64 PD, which can be used for just one lan subnet, so that is your starting point.