Two IPv6 prefixes behind fibre ONT Huawei HG8245Q2

Hi,

I am with the Austrian ISP Energie AG on a fibre connection.
I am running their ONT Huawei HG8245Q2 and behind it an S920 with OpenWRT.

The S920 which acts as the router for the home network uses two networks (LAN and guest).

I am now trying to get IPv6 connectivity working on both networks.
Sadly, the S920 OpenWRT router on the WAN interface only receives a /64 prefix.

Here are screenshots from the ONT settings, which seem to suggest that the ONT receives a /56 prefix:

Any ideas welcome.

Just to be sure: your ONT is also acting as a router, right?

Do you have reqprefix configured on the wan interface in OpenWrt? The upstream may require requesting a specific prefix. Try different values between 56 and 63. 56 and 60 would be ones to try first.

Thank you for your quick replies and willingness to help! Sorry for not being as precise as possible in the beginning.

Yes, that is correct. I have not found a way to put the ONT into bridge mode, sadly.

I have deleted and recreated the wan6 interface to make sure I am on default settings. Next, I tried all "Request IPv6-prefix of length" settings between 63 and 56. All of them result in an "IPv6-PD:" of the same /64 prefix for the wan6 interface. One of the "child" interfaces (guest and lan) snatches that prefix, and the other "child" interface stays without IPv6.

Are there any IPv6 options on the LAN on the ONT?

That's a sad situation as you received a /56 from your ISP. Have you tried this solution for AT&T? https://openwrt.org/docs/guide-user/network/wan/isp-configurations

@ipv6subnethuawei, a similar situation was resolved by requesting and obtaining multiple /64 blocks on the WAN after the ISP Huawei fiber router. Please review the information and try it:

Do you mean like the two pictures I posted here and here?

Yes. As the following suggestion asks for almost the same, I am answering both in one.

This is a great idea and may just work, but I have not managed to get there yet.
With my current configuration, which is based on the suggestion by @alexq, only one of the interfaces gets the prefix delegated.

If you want, you can share your current config, and we can review it together.

uci export network
uci export dhcp
uci export firewall

Also, I assume both the upstream (Huawei) and downstream (OpenWrt) routers were rebooted after the configuration was completed.

Yes, that is correct.

Thank you for the generous offer, here we go:

Network
root@S920:~# uci export network
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '****:****:****::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.lan.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'GUEST'
	option proto 'static'
	option device 'br-GUEST'
	option ipaddr '192.168.guest.1'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'
	list dns '8.8.8.8'
	option delegate '0'

config device
	option type 'bridge'
	option name 'br-GUEST'
	list ports 'eth2'

config interface 'vpn'
	option proto 'wireguard'
	option private_key 'redacted'
	option listen_port '****'
	list addresses '192.168.vpn.1/24'
	list addresses '****:vpn::1/64'

config wireguard_vpn
	option description 'wgclient'
	option public_key 'redacted'
	option preshared_key 'redacted'
	list allowed_ips '192.168.vpn.2/32'
	list allowed_ips '****:vpn::2/128'

config device
	option name 'eth1'

config interface 'wan6'
	option proto 'dhcpv6'
	option device 'eth1'
	option reqaddress 'try'
	option reqprefix 'no'

config device
	option type 'macvlan'
	option ifname 'eth1'
	option mode 'vepa'
	option name 'eth1mac0'

config interface 'wan6lan'
	option proto 'dhcpv6'
	option device 'eth1mac0'
	option reqaddress 'none'
	option reqprefix '64'
	option peerdns '0'

config device
	option type 'macvlan'
	option ifname 'eth1'
	option mode 'vepa'
	option name 'eth1mac1'

config interface 'wan6guest'
	option proto 'dhcpv6'
	option device 'eth1mac1'
	option reqaddress 'none'
	option reqprefix '64'
	option peerdns '0'

DHCP
root@S920:~# uci export dhcp
package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'GUEST'
	option interface 'GUEST'
	option start '100'
	option limit '150'
	option leasetime '1h'
	option force '1'

config host
	option mac '**:**:**:**:**:**'
	option ip '192.168.lan.23'

config host
	option mac '**:**:**:**:**:**'
	option ip '192.168.lan.32'

config domain
	option name 'sub.tld.cld'
	option ip '192.168.lan.23'

Firewall
root@S920:~# uci export firewall
package firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpn'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wan6lan'
	list network 'wan6guest'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'GUEST'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'sshrouter'
	option src 'wan'
	option src_dport '****'
	option dest_ip '192.168.lan.1'
	option dest_port '****'

config forwarding
	option src 'guest'
	option dest 'wan'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'service'
	option src 'wan'
	option src_dport '****'
	option dest_ip '192.168.lan.23'
	option dest_port '****'
	list proto 'tcp'

config rule
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-Guest'
	list proto 'udp'
	option src 'guest'
	option dest_port '67'
	option target 'ACCEPT'
	option family 'ipv4'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'service'
	option src 'wan'
	option src_dport '****'
	option dest_ip '192.168.lan.23'
	option dest_port '****'
	list proto 'tcp'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'service'
	list proto 'tcp'
	option src 'wan'
	option src_dport '****'
	option dest_ip '192.168.lan.23'
	option dest_port '****'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'service'
	list proto 'tcp'
	option src 'wan'
	option src_dport '****'
	option dest_ip '192.168.lan.33'
	option dest_port '****'
	option enabled '0'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'service'
	list proto 'udp'
	option src 'wan'
	option src_dport '****'
	option dest_ip '192.168.lan.1'
	option dest_port '****'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'service'
	list proto 'tcp'
	option src 'wan'
	option src_dport '****'
	option dest_ip '192.168.lan.23'
	option dest_port '****'
	option enabled '0'

config rule
	option name 'service'
	list proto 'tcp'
	option src 'guest'
	option dest 'lan'
	list dest_ip '192.168.lan.23'
	option dest_port '****'
	option target 'ACCEPT'

config rule
	option name 'service'
	list proto 'tcp'
	option src 'guest'
	option dest 'lan'
	list dest_ip '192.168.lan.23'
	option dest_port '****'
	option target 'ACCEPT'

config rule
	option name 'Allow-WireGuard'
	list proto 'udp'
	option src 'wan'
	option dest_port '****'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Block device'
	list proto 'all'
	option src 'guest'
	list src_mac '**:**:**:**:**:**'
	option dest 'wan'
	option target 'DROP'
	option enabled '0'

config rule
	option name 'device'
	option src 'guest'
	option dest 'lan'
	list dest_ip '192.168.lan.23'
	option dest_port '****'
	option target 'ACCEPT'

config rule
	option name 'device'
	option src 'guest'
	option dest 'lan'
	list dest_ip '192.168.lan.23'
	option dest_port '****'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'device'
	list proto 'all'
	option src 'guest'
	list src_mac '**:**:**:**:**:**'
	option dest_ip '192.168.lan.23'
	option enabled '0'

config rule
	option name 'dmz'
	list proto 'all'
	option src 'guest'
	option dest 'lan'
	list dest_ip '192.168.lan.23'
	option target 'ACCEPT'
	option enabled '0'

I compared my current wan6 configuration with yours, and it's mostly identical. I noted only the 3 differences for wan6 (it makes no sense to proceed with other discrepancies I detected in the LAN/Guest configurations without solving the issue with obtaining IPv6-PD blocks in new wan6 interfaces).

Could you please try changing the following in the network config:

  1. Please remove this line for both config device "eth1mac0" and "eth1mac1":
  2. Please, instead of the '64' value, set 'auto' for both config interface "wan6lan" and "wan6guest":
  3. Please make sure that your new "wan6lan" and "wan6guest" interfaces have been added into the wan firewall zone:
wan6 firewall example

After that, please reboot both routers (turn on the downstream router only after the Huawei router has already booted), and check whether it helped and if IPv6-PD has been assigned to all 3 of your wan6 interfaces: eth1, eth1mac0, and eth1mac1.

If it doesn't help, then it could be that this AT&T method/hack is not supported by your ISP.

Instead of changing the MAC, it may take requests with different DUID (in OpenWrt, clientid) settings to obtain multiple prefixes. I know that is how it works on Comcast cable. The MAC address of the interface does not matter there, as DHCPv6 operates at layer 3.
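
The distinct-DUID approach from the last reply, as an added example that is not part of the original thread: the script builds one DUID-LL (type 0x0003, hardware type 0x0001, then the link-layer address, per RFC 8415) per DHCPv6 client interface and prints the uci commands that would set it as clientid, refusing malformed or reused values. Assumptions: the interface names wan6lan and wan6guest are taken from the posted config, the MAC addresses are constructed locally administered values, clientid is assumed to take the DUID as a plain hex string, and nothing in the thread confirms that this ONT hands out one prefix per DUID.

```shell
#!/bin/sh
# Added example: build a distinct DUID-LL per DHCPv6 client interface and
# print the uci commands that set it as clientid (nothing is applied here).

# duid_ll MAC -> hex DUID-LL: type 0x0003, hardware type 0x0001 (Ethernet), MAC
duid_ll() {
    # Strip separators and lower-case so 02:AA:.. and 02-aa-.. compare equal
    mac=$(printf '%s' "$1" | tr -d ':-' | tr 'A-F' 'a-f')
    case "$mac" in
        *[!0-9a-f]*) return 1 ;;       # non-hex character
    esac
    [ "${#mac}" -eq 12 ] || return 1   # must be exactly 6 bytes
    printf '00030001%s\n' "$mac"
}

# clientid_cmds "iface=mac" ... -> uci commands; fails on a bad or reused MAC
clientid_cmds() {
    seen=" "
    for pair in "$@"; do
        iface=${pair%%=*}
        duid=$(duid_ll "${pair#*=}") || {
            echo "bad MAC for $iface" >&2
            return 1
        }
        # Two interfaces with the same DUID look like one client upstream
        case "$seen" in
            *" $duid "*) echo "duplicate DUID for $iface" >&2; return 1 ;;
        esac
        seen="$seen$duid "
        printf "uci set network.%s.clientid='%s'\n" "$iface" "$duid"
    done
    echo "uci commit network"
}

# Constructed sample values (locally administered MACs, not from the thread)
clientid_cmds wan6lan=02:00:00:00:00:01 wan6guest=02:00:00:00:00:02
```

The printed commands are meant to be reviewed before being run on the router, followed by a restart of the affected interfaces.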