The router has a static route to Net1/2, and NAT in the FW is disabled.
The router delegates IPv6 prefixes to the FW.
The DirtyDMZ is necessary because I only get a /62 net from my provider, so I do not have more than 2 nets behind the FW.
This works fine so far.
Now, I want to introduce a DNS recursor into the DMZ. For IPv4, this works fine, I just set DHCP option 6 with the local 10.x.x.x IP of the recursor.
Now IPv6 is a problem. Since I do not have a static IPv6 prefix, I enabled ULA addresses in the router, which works fine for the recursor. However, the WAN6 interface of the FW does NOT get any ULA address, which obviously breaks routing from Net1/2 into the DMZ via ULA addresses.
How do I get WLAN6 to accept a ULA address from the router?
(Note that I do not want to use DNS forwarding via OpenWRT, because in the next step, I want client-based DNS resolving, so the requests from the clients have to reach the recursor directly.)
Uhm, I'm not sure it works with dhcp, I have this keyword set for local networks, which are of course static. Hope someone else has a better idea than mine!
Thanks, we are getting closer :). However, now that interface came up with its own prefix (+1 from the br-lan prefix). It is supposed to get the prefix from the router, though.
What do you mean "that's correct"? The FW is one of potentially multiple ones that could be in that network in that role, it cannot just make up a ULA prefix for that network. The router has to be the DHCPv6 server, because it knows the global prefixes to delegate.
The OpenWRT FW needs to listen to the dhcpv6 info which obviously contains the ULA prefix, because all the Linux servers in the DMZ use it.
I don't see how that would be a problem for routing. It works for IPv4, where the FW gets an IP from the router.
Well, I did not assign a /48 and the prefix from the FW does not match this. The router is announcing the ULA fd00:165:40:0: to the DirtyDMZ. My Linux servers are grepping addresses with this prefix accordingly. I expect the same from the FW. What the firewall did, however, is using a ULA prefix based on the one it made up for the Net1/2 side: fdb3:9b15:8d3f:1::1 (Net1 interface has fdb3:9b15:8d3f:0::1). I am pretty sure that the router had no business in coming up with those.
Any Linux server with fd00:165:40:0:... has no idea how to reach fdb3:9b15:8d3f:0::1, neither does the router.
Now, it would be nice if the router would delegate a ULA subnet, to the FW for the nets behind, but
I don't see an option for that in the Fritzbox interface and
I don't see why the FW would honor that, since it doesn't even use the ULA on the DMZ interface that it gets announced from the router.
By the way, while I don't know a lot about the OpenWRT net config, I am quite surprised that we need an interface alias for this. IPv6 is made to have multiple addresses on one interface. It is rather that the ULA announcement isn't used. I would have expected this to be rather a sysctl.conf thing...
Does that work without multiple DHCPv6 servers? The OpenWRT-FW CANNOT be the main DHCPv6 server, as the router is the only one knowing the global prefix and has to delegate it.
I see the FW as a client here (and theoretically, there could be multiple ones in the same role), and I don't really see why it would have to push a prefix into the DMZ.
You can remove the interface wan6ula and issue a ULA address from the router.
The interface wan6 should obtain both GUA and ULA addresses.
OpenWrt will serve DHCPv6 only for Net1/2.
Well, the whole issue why I opened this thread is that wan6 does NOT get a ULA address, but only the GUA ...
~# ip -6 address show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 [global prefix]:f6f2:6dff:fec5:fc73/128 scope global noprefixroute dynamic
       valid_lft 6855sec preferred_lft 3255sec
    inet6 fe80::f6f2:6dff:fec5:fc73/64 scope link
       valid_lft forever preferred_lft forever
The ULA prefix, which I explicitly set on the router, IS distributed to other Linux clients in the DMZ, though, so I assume the problem still lies with OpenWRT.
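A small check, added here as an example and not posted by anyone in the thread, that parses `ip -6 address show` output the way the post above reads it by eye: it classifies each inet6 address as GUA (2000::/3), ULA (fc00::/7, the range the router's fd00:165:40:0: prefix falls in), link-local or loopback, and counts the ULA entries, so the same comparison between the FW's wan6 and a DMZ Linux host can be scripted. Both sample outputs are constructed; the documentation prefix 2001:db8::/32 stands in for the redacted [global prefix], and the interface name eth0 is taken from the post.

```shell
#!/bin/sh
# Added example: classify IPv6 addresses from "ip -6 address show" output and
# count how many fall in the ULA range. Sample data below is constructed.

# classify_v6 ADDR[/LEN] -> prints GUA | ULA | link-local | loopback | other
classify_v6() {
    addr=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    addr=${addr%%/*}                 # drop a trailing /prefixlen if present
    h=${addr%%:*}                    # first hextet ("" for addresses starting with "::")
    while [ ${#h} -lt 4 ]; do h="0$h"; done   # left-pad to 4 hex digits
    case $h in
        fe[89ab]*) echo link-local ;;   # fe80::/10
        f[cd]*)    echo ULA ;;          # fc00::/7, RFC 4193 unique local addresses
        [23]*)     echo GUA ;;          # 2000::/3, global unicast
        0000)      if [ "$addr" = "::1" ]; then echo loopback; else echo other; fi ;;
        *)         echo other ;;
    esac
}

# count_ula "IP_OUTPUT" -> number of inet6 lines whose address is a ULA
count_ula() {
    n=0
    # "inet6 ADDR/LEN scope ..." lines carry the address; header and lifetime lines are skipped
    while read -r kw a rest; do
        if [ "$kw" = "inet6" ] && [ "$(classify_v6 "$a")" = "ULA" ]; then
            n=$((n + 1))
        fi
    done <<EOF
$1
EOF
    echo "$n"
}

# report "IP_OUTPUT" -> one-line verdict for the interface
report() {
    n=$(count_ula "$1")
    if [ "$n" -eq 0 ]; then
        echo "no ULA address on this interface: the router's ULA prefix was not applied"
    else
        echo "$n ULA address(es) present"
    fi
}

# Constructed sample: the wan6 (eth0) state from the thread, GUA + link-local only
SAMPLE_NO_ULA='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:f6f2:6dff:fec5:fc73/128 scope global noprefixroute dynamic
       valid_lft 6855sec preferred_lft 3255sec
    inet6 fe80::f6f2:6dff:fec5:fc73/64 scope link
       valid_lft forever preferred_lft forever'

# Constructed sample: a DMZ Linux host that accepted the router's ULA announcement
SAMPLE_WITH_ULA='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:f6f2:6dff:fec5:fc73/128 scope global noprefixroute dynamic
       valid_lft 6855sec preferred_lft 3255sec
    inet6 fd00:165:40:0:f6f2:6dff:fec5:fc73/64 scope global dynamic
       valid_lft 6855sec preferred_lft 3255sec
    inet6 fe80::f6f2:6dff:fec5:fc73/64 scope link
       valid_lft forever preferred_lft forever'

report "$SAMPLE_NO_ULA"
report "$SAMPLE_WITH_ULA"
# On a live box: report "$(ip -6 address show dev eth0)"
```

Run on the FW and on one of the DMZ servers; the host that shows 0 is the one not applying the router's ULA prefix, which narrows the problem to that side before touching the router configuration.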