Hi,
I am with the Austrian ISP Energie AG on a fibre connection.
I am running their ONT Huawei HG8245Q2 and behind it a S920 with OpenWRT.
The S920 which acts as the router for the home network uses two networks (LAN and guest).
I am now trying to get IPv6 connectivity working on both networks.
Sadly, the S920 OpenWRT router on the WAN interface only receives a /64 prefix.
Here are screenshots from the ONT settings, which seem to suggest that the ONT receives a /56 prefix:
Any ideas welcome.
Just to be sure: your ONT is also acting as a router, right?
mk24
August 23, 2024, 12:59pm
Do you have reqprefix configured on the wan interface in OpenWrt? The upstream may require requesting a specific prefix. Try different values between 56 and 63. 56 and 60 would be ones to try first.
Thank you for your quick replies and willingness to help! Sorry for not being as precise as possible in the beginning.
Yes, that is correct. I have not found a way to put the ONT into bridge mode, sadly.
I have deleted and recreated the wan6 interface to make sure I am on default settings. Next I tried all Request IPv6-prefix of length settings between 63 and 56. All of them result in IPv6-PD: of the same /64 prefix for the wan6 interface. One of the "child" interfaces (guest and lan) snatches that prefix, and the other "child" interface stays without IPv6.
Are there any IPv6 options on the LAN on the ONT?
spot0
August 26, 2024, 12:12am
That's a sad situation as you received a /56 from your ISP. Have you tried this solution for AT&T? https://openwrt.org/docs/guide-user/network/wan/isp-configurations
alexq
September 1, 2024, 9:17pm
@ipv6subnethuawei, a similar situation was resolved by requesting and obtaining multiple /64 blocks on the WAN after the ISP Huawei fiber router. Please review the information and try it:
ISP uses the same IPv6 /64 prefix delegation method as AT&T does.
See my test results:
So, I was able to get 4 different IPv6-PD /64 delegated prefixes (didn't try more):
IPv6-PD: 2a01:xxxx:xxxx:2503::/64
IPv6-PD: 2a01:xxxx:xxxx:2504::/64
IPv6-PD: 2a01:xxxx:xxxx:2505::/64
IPv6-PD: 2a01:xxxx:xxxx:2506::/64
Do you mean like the two pictures I posted here and here?
Yes, after the following suggestion asks for almost the same, I am answering both in one.
This is a great idea and may just work, but I have not managed to get there yet.
With my current configuration, which is based on the suggestion by @alexq, only one of the interfaces gets the prefix delegated.
alexq
September 25, 2024, 7:31pm
If you want, you can share your current config, and we can review it together.
uci export network
uci export dhcp
uci export firewall
Also, I assume both the upstream (Huawei) and downstream (OpenWrt) routers were rebooted after the configuration was completed.
Yes, that is correct.
Thank you for the generous offer, here we go:
Network
root@S920:~# uci export network
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix '****:****:****::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.lan.1'
option netmask '255.255.255.0'
option delegate '0'
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
config interface 'GUEST'
option proto 'static'
option device 'br-GUEST'
option ipaddr '192.168.guest.1'
option netmask '255.255.255.0'
list dns '1.1.1.1'
list dns '8.8.8.8'
option delegate '0'
config device
option type 'bridge'
option name 'br-GUEST'
list ports 'eth2'
config interface 'vpn'
option proto 'wireguard'
option private_key 'redacted'
option listen_port '****'
list addresses '192.168.vpn.1/24'
list addresses '****:vpn::1/64'
config wireguard_vpn
option description 'wgclient'
option public_key 'redacted'
option preshared_key 'redacted'
list allowed_ips '192.168.vpn.2/32'
list allowed_ips '****:vpn::2/128'
config device
option name 'eth1'
config interface 'wan6'
option proto 'dhcpv6'
option device 'eth1'
option reqaddress 'try'
option reqprefix 'no'
config device
option type 'macvlan'
option ifname 'eth1'
option mode 'vepa'
option name 'eth1mac0'
config interface 'wan6lan'
option proto 'dhcpv6'
option device 'eth1mac0'
option reqaddress 'none'
option reqprefix '64'
option peerdns '0'
config device
option type 'macvlan'
option ifname 'eth1'
option mode 'vepa'
option name 'eth1mac1'
config interface 'wan6guest'
option proto 'dhcpv6'
option device 'eth1mac1'
option reqaddress 'none'
option reqprefix '64'
option peerdns '0'
DHCP
root@S920:~# uci export dhcp
package dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'GUEST'
option interface 'GUEST'
option start '100'
option limit '150'
option leasetime '1h'
option force '1'
config host
option mac '**:**:**:**:**:**'
option ip '192.168.lan.23'
config host
option mac '**:**:**:**:**:**'
option ip '192.168.lan.32'
config domain
option name 'sub.tld.cld'
option ip '192.168.lan.23'
Firewall
root@S920:~# uci export firewall
package firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'vpn'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network 'wan6lan'
list network 'wan6guest'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'GUEST'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'sshrouter'
option src 'wan'
option src_dport '****'
option dest_ip '192.168.lan.1'
option dest_port '****'
config forwarding
option src 'guest'
option dest 'wan'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'service'
option src 'wan'
option src_dport '****'
option dest_ip '192.168.lan.23'
option dest_port '****'
list proto 'tcp'
config rule
option name 'Allow-DNS-Guest'
option src 'guest'
option dest_port '53'
option target 'ACCEPT'
config rule
option name 'Allow-DHCP-Guest'
list proto 'udp'
option src 'guest'
option dest_port '67'
option target 'ACCEPT'
option family 'ipv4'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'service'
option src 'wan'
option src_dport '****'
option dest_ip '192.168.lan.23'
option dest_port '****'
list proto 'tcp'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'service'
list proto 'tcp'
option src 'wan'
option src_dport '****'
option dest_ip '192.168.lan.23'
option dest_port '****'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'service'
list proto 'tcp'
option src 'wan'
option src_dport '****'
option dest_ip '192.168.lan.33'
option dest_port '****'
option enabled '0'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'service'
list proto 'udp'
option src 'wan'
option src_dport '****'
option dest_ip '192.168.lan.1'
option dest_port '****'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'service'
list proto 'tcp'
option src 'wan'
option src_dport '****'
option dest_ip '192.168.lan.23'
option dest_port '****'
option enabled '0'
config rule
option name 'service'
list proto 'tcp'
option src 'guest'
option dest 'lan'
list dest_ip '192.168.lan.23'
option dest_port '****'
option target 'ACCEPT'
config rule
option name 'service'
list proto 'tcp'
option src 'guest'
option dest 'lan'
list dest_ip '192.168.lan.23'
option dest_port '****'
option target 'ACCEPT'
config rule
option name 'Allow-WireGuard'
list proto 'udp'
option src 'wan'
option dest_port '****'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Block device'
list proto 'all'
option src 'guest'
list src_mac '**:**:**:**:**:**'
option dest 'wan'
option target 'DROP'
option enabled '0'
config rule
option name 'device'
option src 'guest'
option dest 'lan'
list dest_ip '192.168.lan.23'
option dest_port '****'
option target 'ACCEPT'
config rule
option name 'device'
option src 'guest'
option dest 'lan'
list dest_ip '192.168.lan.23'
option dest_port '****'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'device'
list proto 'all'
option src 'guest'
list src_mac '**:**:**:**:**:**'
option dest_ip '192.168.lan.23'
option enabled '0'
config rule
option name 'dmz'
list proto 'all'
option src 'guest'
option dest 'lan'
list dest_ip '192.168.lan.23'
option target 'ACCEPT'
option enabled '0'
alexq
September 28, 2024, 2:36pm
I compared my current wan6 configuration with yours, and it's mostly identical. I noted only the 3 differences for wan6 (it makes no sense to proceed with other discrepancies I detected in the LAN/Guest configurations without solving the issue with obtaining IPv6-PD blocks in new wan6 interfaces).
Could you please try changing the following in the network config:
Please remove this line for both config device "eth1mac0" and "eth1mac1":
ipv6subnethuawei:
option mode 'vepa'
Please, instead of the '64' value set 'auto' for both config interface "wan6lan" and "wan6guest":
ipv6subnethuawei:
option reqprefix '64'
Please make sure that your new "wan6lan" and "wan6guest" interfaces have been added into the wan firewall zone:
wan6 firewall example
After that, please reboot both routers (turn on the downstream router only after the Huawei router has already booted), and check whether it helped and if IPv6-PD has been assigned to all 3 of your wan6 interfaces: eth1, eth1mac0, and eth1mac1.
If it doesn't help, then it could be that this AT&T method/hack is not supported by your ISP.
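The three checks requested in the reply above can be run mechanically against `uci export` output; the following is an added example, not code from the thread or from OpenWrt. Zone membership is checked because the posted `Allow-DHCPv6` rule is scoped to `src 'wan'`. The function names and the sample are constructed for illustration: the sample reuses the posted `wan6guest`/`eth1mac1` sections and, unlike the real export, leaves `wan6guest` out of the wan zone to show that finding.

```python
import re

LINE = re.compile(r"^[ \t]*(config|option|list)[ \t]+(\S+)(?:[ \t]+'(.*)')?[ \t]*$", re.M)

def parse_uci(text):
    """Parse `uci export` text into a list of section dicts."""
    sections = []
    for kind, key, val in LINE.findall(text):  # 'package ...' lines do not match
        if kind == "config":
            sections.append({".type": key, ".name": val})  # unnamed section -> ''
        elif kind == "option":
            sections[-1][key] = val
        else:  # 'list' entries accumulate
            sections[-1].setdefault(key, []).append(val)
    return sections

def audit(network, firewall):
    """Check the three changes requested in the reply above; return findings."""
    net, fw = parse_uci(network), parse_uci(firewall)
    macvlans = {s.get("name"): s for s in net
                if s[".type"] == "device" and s.get("type") == "macvlan"}
    wan = next((s for s in fw if s[".type"] == "zone" and s.get("name") == "wan"), {})
    out = []
    for s in (s for s in net if s[".type"] == "interface" and s.get("proto") == "dhcpv6"):
        name, dev = s[".name"], macvlans.get(s.get("device"))
        if dev and "mode" in dev:
            out.append(f"{dev['name']}: remove option mode '{dev['mode']}'")
        if dev and s.get("reqprefix") != "auto":
            out.append(f"{name}: reqprefix '{s.get('reqprefix')}', expected 'auto'")
        if name not in wan.get("network", []):
            out.append(f"{name}: not in firewall zone 'wan'")
    return out

# Constructed sample: sections as posted, zone list shortened on purpose.
NETWORK = """config device
option type 'macvlan'
option ifname 'eth1'
option mode 'vepa'
option name 'eth1mac1'
config interface 'wan6guest'
option proto 'dhcpv6'
option device 'eth1mac1'
option reqprefix '64'
"""
FIREWALL = """config zone
option name 'wan'
list network 'wan6'
list network 'wan6lan'
"""
print("\n".join(audit(NETWORK, FIREWALL)))
```

On a workstation, save the output of `uci export network` and `uci export firewall` from the router and pass the two strings to `audit()`; an empty list means all three points are satisfied.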
mk24
September 29, 2024, 12:16pm
Instead of changing the MAC, it may take requests with different DUID (in OpenWrt, clientid) settings to obtain multiple prefixes. I know that is how it works on Comcast cable. The MAC address of the interface does not matter there, as DHCPv6 operates at layer 3.