ULA for WAN6 interface?

Hello, I am currently running a cascaded router setup in the following way:

Router (AVM Fritzbox) --- FW (OpenWRT) -- Net1
                       |               |- Net2
                    DirtyDMZ

The router has a static route to Net1/2, and NAT in the FW is disabled.
The router delegates IPv6 prefixes to the FW.

The DirtyDMZ is necessary because I only get a /62 net from my provider, so I do not have more than 2 nets behind the FW.

This works fine so far.

Now, I want to introduce a DNS recursor into the DMZ. For IPv4, this works fine, I just set DHCP option 6 with the local 10.x.x.x IP of the recursor.
Now IPv6 is a problem. Since I do not have a static IPv6 prefix, I enabled ULA addresses in the router, which works fine for the recursor. However the WAN6 interface of the FW does NOT get any ULA address, which obviously breaks routing from Net1/2 into the DMZ via ULA addresses.
How do I get wan6 to accept a ULA address from the router?

(Note that I do not want to use DNS forwarding via OpenWRT, because in the next step, I want client based DNS resolving, so the requests from the clients have to reach the recursor directly.)

Have you tried adding this to your wan6 config section?
list ip6class 'local'


My wan6 config section looks like this now:

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'
        option reqprefix 'auto'
        option reqaddress 'try'
        list ip6class 'local'

I made a full restart, but I still have

~# ip addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether f4:f2:6d:c5:fc:73 brd ff:ff:ff:ff:ff:ff
    inet 10.165.32.5/20 brd 10.165.47.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 [global ipv6]/128 scope global noprefixroute dynamic 
       valid_lft 6949sec preferred_lft 3349sec
    inet6 fe80::[local part]/64 scope link 
       valid_lft forever preferred_lft forever

Uhm, I'm not sure it works with DHCP; I have this keyword set for local networks, which are of course static. Hope someone else has a better idea than mine!

A static alias should be possible.


I think I need the dhcp for the main, dynamic but globally routed address, don't I?
Could someone give me a hand with the static alias?

Why is the config so complicated, BTW? Why is there WAN and WAN6? Other interfaces seem to be ready for dual stack.

Something like this:

uci add_list firewall.@zone[1].network="wan6ula"
uci commit firewall
/etc/init.d/firewall restart

NET_DEV="$(uci get network.wan6.ifname)"
uci -q delete network.wan6ula
uci set network.wan6ula="interface"
uci set network.wan6ula.proto="static"
uci set network.wan6ula.ifname="${NET_DEV}"
uci set network.wan6ula.ip6class="local"
uci set network.wan6ula.ip6assign="64"
uci commit network
/etc/init.d/network restart

Thanks, we are getting closer :). However, now that interface came up with its own prefix (+1 from the br-lan prefix). It is supposed to get the prefix from the router, though.

That's correct, otherwise it would be problematic to perform routing.

What do you mean "that's correct"? The FW is one of potentially multiple ones that could be in that network in that role, it cannot just make up a ULA prefix for that network. The router has to be dhcpv6 server, because it knows the global prefixes to delegate.
The OpenWRT FW needs to listen to the dhcpv6 info which obviously contains the ULA prefix, because all the Linux servers in the DMZ use it.

I don't see how that would be a problem for routing. It works for IPv4, where the FW gets an IP from the router.

When you configure a /48 ULA prefix, each interface assigns a part of it, e.g. /64 using different hints:
https://openwrt.org/docs/guide-user/network/ipv6/start#downstream_configuration_for_lan-interfaces
But odhcpd still announces a route for the whole /48 for each interface by default.
This way allows clients on different interfaces to communicate with each other.

Well, I did not assign a /48 and the prefix from the FW does not match this. The router is announcing the ULA fd00:165:40:0: to the DirtyDMZ. My Linux servers are grabbing addresses with this prefix accordingly. I expect the same from the FW. What the firewall did, however, is using a ULA prefix based on the one it made up for the Net1/2 side: fdb3:9b15:8d3f:1::1 (Net1 interface has fdb3:9b15:8d3f:0::1). I am pretty sure that the router had no business in coming up with those.
Any Linux server with fd00:165:40:0:... has no idea how to reach fdb3:9b15:8d3f:0::1, neither does the router.

Now, it would be nice if the router would delegate a ULA subnet, to the FW for the nets behind, but

  1. I don't see an option for that in the Fritzbox interface and
  2. I don't see why the FW would honor that, since it doesn't even use the ULA on the DMZ interface that it gets announced from the router.

By the way, while I don't know a lot about the OpenWRT net config, I am quite surprised that we need an interface alias for this. IPv6 is made to have multiple addresses on one interface. It is rather that the ULA announcement isn't used. I would have expected this to be rather a sysctl.conf thing ..


Post the output:

ifstatus wan6
~# ifstatus wan6
{
  "up": true,
  "pending": false,
  "available": true,
  "autostart": true,
  "dynamic": false,
  "uptime": 53177,
  "l3_device": "eth0",
  "proto": "dhcpv6",
  "device": "eth0",
  "metric": 0,
  "dns_metric": 0,
  "delegation": true,
  "ipv4-address": [

  ],
  "ipv6-address": [
    {
      "address": "[globalprefix]:[localpart]",
      "mask": 128,
      "preferred": 2613,
      "valid": 6213
    }
  ],
  "ipv6-prefix": [
    {
      "address": "[delegatedglobalprefix]",
      "mask": 63,
      "preferred": 2613,
      "valid": 6213,
      "class": "wan6",
      "assigned": {
        "lan": {
          "address": "[delegatedglobalprefix]",
          "mask": 64
        }
      }
    }
  ],
  "ipv6-prefix-assignment": [

  ],
  "route": [
    {
      "target": "::",
      "mask": 0,
      "nexthop": "fe80::ca0e:14ff:fea6:79c5",
      "metric": 4096,
      "valid": 6213,
      "source": "[delegatedglobalprefix]\/63"
    },
    {
      "target": "::",
      "mask": 0,
      "nexthop": "fe80::ca0e:14ff:fea6:79c5",
      "metric": 4096,
      "valid": 6213,
      "source": "[globalprefix]:[localpart]\/128"
    }
  ],
  "dns-server": [
    "fd00:165:40::ca0e:14ff:fea6:79c5"
  ],
  "dns-search": [

  ],
  "inactive": {
    "ipv4-address": [

    ],
    "ipv6-address": [

    ],
    "route": [

    ],
    "dns-server": [

    ],
    "dns-search": [

    ]
  },
  "data": {
    "passthru": "0038001401001000fd00016500400000ca0e14fffea679c500170010fd00016500400000ca0e14fffea679c5005600102a0281091bc01c7cca0e14fffea679c5"
  }
}
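
The "passthru" field at the end of that ifstatus output is worth reading: it is the set of DHCPv6 options odhcp6c received but leaves to scripts, hex-encoded as consecutive TLVs (16-bit option code, 16-bit length, then that many bytes). Decoding it shows what the router actually handed out over DHCPv6, which separates "the router announced a ULA DNS server" (option 23, visible in the posted blob as 0017 0010 fd00 0165 ... and listed under dns-server) from "the router assigned a ULA address". The decoder below is an added example, not code from the thread, OpenWrt or odhcp6c. It runs on a constructed blob (a made-up ULA and a documentation GUA, not the one posted above) and knows the option codes for DNS servers (23, RFC 3646), NTP server (56, RFC 5908) and PCP server (86, RFC 7291); any other option, and any NTP sub-option it cannot parse, is printed as raw hex rather than guessed at.

```shell
#!/bin/sh
# Added example: decode the "passthru" blob that `ifstatus wan6` shows for a
# dhcpv6 interface. Not code from the thread, OpenWrt or odhcp6c. The blob is
# the DHCPv6 options odhcp6c received but leaves to scripts, hex-encoded as
# consecutive TLVs: 16-bit option code, 16-bit length, then <length> bytes.

# Constructed sample (NOT the blob posted in the thread): option 56 (NTP server,
# RFC 5908, sub-option 1 = unicast server address) and option 23 (DNS servers,
# RFC 3646) at a made-up ULA, option 86 (PCP server, RFC 7291) at a
# documentation address. Built from parts so the byte counts are obvious.
ULA_HEX="fd00aaaabbbb$(printf '%016d' 0)0001"   # fd00:aaaa:bbbb::1
GUA_HEX="20010db8$(printf '%020d' 0)0001"       # 2001:db8::1
PASSTHRU_SAMPLE="00380014""00010010${ULA_HEX}""00170010${ULA_HEX}""00560010${GUA_HEX}"

# hex_slice STRING OFFSET COUNT -> COUNT chars from 1-based OFFSET ("" when COUNT is 0)
hex_slice() {
  [ "$3" -gt 0 ] || return 0
  printf '%s' "$1" | cut -c"$2"-"$(( $2 + $3 - 1 ))"
}

# hex_from STRING OFFSET -> everything from 1-based OFFSET on ("" past the end)
hex_from() { printf '%s' "$1" | cut -c"$2"-; }

# hex_to_ip6 32HEXCHARS -> colon form with leading zeros dropped (no :: compression)
hex_to_ip6() {
  printf '%s\n' "$1" | awk '{
    out = ""
    for (i = 1; i <= 8; i++) {
      g = substr($0, (i - 1) * 4 + 1, 4); sub(/^0+/, "", g)
      if (g == "") g = "0"
      out = out (i > 1 ? ":" : "") g
    }
    print out
  }'
}

# addr_list HEX -> the 16-byte addresses in an option body, space separated
addr_list() {
  rest=$1; out=""
  while [ ${#rest} -ge 32 ]; do
    out="$out$(hex_to_ip6 "$(hex_slice "$rest" 1 32)") "
    rest=$(hex_from "$rest" 33)
  done
  [ -z "$rest" ] || out="${out}raw:$rest"
  printf '%s' "${out% }"
}

# ntp_suboptions HEX -> RFC 5908 sub-options; only sub-option 1 (server address)
# is decoded, anything else, or anything malformed, is shown as raw hex
ntp_suboptions() {
  rest=$1; out=""
  while [ ${#rest} -ge 8 ]; do
    scode=$((0x$(hex_slice "$rest" 1 4)))
    slen=$((0x$(hex_slice "$rest" 5 4)))
    sbody=$(hex_slice "$rest" 9 $((slen * 2)))
    [ ${#sbody} -eq $((slen * 2)) ] || { out="${out}raw:$rest"; rest=""; break; }
    rest=$(hex_from "$rest" $((9 + slen * 2)))
    if [ "$scode" -eq 1 ] && [ "$slen" -eq 16 ]; then
      out="${out}srv_addr=$(hex_to_ip6 "$sbody") "
    else
      out="${out}sub${scode}:${sbody} "
    fi
  done
  [ -z "$rest" ] || out="${out}raw:$rest"
  printf '%s' "${out% }"
}

# option_name CODE -> IANA name for the option codes a home router typically sends
option_name() {
  case $1 in
    3)  echo IA_NA ;;         23) echo DNS_SERVERS ;;   24) echo DOMAIN_LIST ;;
    25) echo IA_PD ;;         56) echo NTP_SERVER ;;    82) echo SOL_MAX_RT ;;
    86) echo V6_PCP_SERVER ;; *)  echo "OPTION_$1" ;;
  esac
}

# dhcp6_decode_passthru HEX -> one line per option: "<code> <name> <decoded>"
# Returns 1 (after printing what it could) on a truncated or inconsistent blob.
dhcp6_decode_passthru() {
  hex=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  while [ -n "$hex" ]; do
    if [ ${#hex} -lt 8 ]; then
      echo "error: truncated option header: $hex" >&2; return 1
    fi
    code=$((0x$(hex_slice "$hex" 1 4)))
    len=$((0x$(hex_slice "$hex" 5 4)))
    body=$(hex_slice "$hex" 9 $((len * 2)))
    if [ ${#body} -ne $((len * 2)) ]; then
      echo "error: option $code declares $len bytes, only $((${#body} / 2)) present" >&2; return 1
    fi
    hex=$(hex_from "$hex" $((9 + len * 2)))
    case $code in
      23|86) decoded=$(addr_list "$body") ;;
      56)    decoded=$(ntp_suboptions "$body") ;;
      *)     decoded="raw:$body" ;;
    esac
    printf '%s %s %s\n' "$code" "$(option_name "$code")" "$decoded"
  done
}

# Stand-alone demo on the constructed sample
dhcp6_decode_passthru "$PASSTHRU_SAMPLE"
```

On the OpenWrt box itself the blob can be fed in directly, e.g. `dhcp6_decode_passthru "$(ifstatus wan6 | jsonfilter -e '@.data.passthru')"` after sourcing the script. Note that nothing in a passthru blob ever carries an address for the interface itself; IA_NA leases and RA prefixes are consumed by odhcp6c and show up under ipv6-address, so if the blob is the only place a ULA appears, the router only told the client about a ULA DNS or NTP server and did not give it a ULA address.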

Announce a ULA from the router to both DMZ and OpenWrt.
Add a static route on the router to fdb3:9b15:8d3f::/48 via the ULA address of OpenWrt.

Does that work without multiple DHCPv6 servers? The OpenWRT-FW CANNOT be the main DHCPv6 server, as the router is the only one knowing the global prefix and has to delegate it.
I see the FW as a client here (and theoretically, there could be multiple ones in the same role), and I don't really see why it would have to push a prefix into the DMZ.

You can remove the interface wan6ula and issue a ULA address from the router.
The interface wan6 should obtain both GUA and ULA addresses.
OpenWrt will serve DHCPv6 only for Net1/2.

Well, the whole issue why I opened this thread is that wan6 does NOT get a ULA address, but only the GUA ...

~# ip -6 address show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 [global prefix]:f6f2:6dff:fec5:fc73/128 scope global noprefixroute dynamic 
       valid_lft 6855sec preferred_lft 3255sec
    inet6 fe80::f6f2:6dff:fec5:fc73/64 scope link 
       valid_lft forever preferred_lft forever

The ULA prefix, which I explicitly set on the router, IS distributed to other Linux clients in the DMZ, though, so I assume the problem still lies with OpenWRT.

I connected my roadwarrior router on my lan and was able to get ULA + GUA addresses.

root@RoadWarrior:~# ip -6 addr
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd00:bbbb::...:1b0d/64 scope global dynamic noprefixroute 
       valid_lft 7178sec preferred_lft 7178sec
    inet6 2001:...:1b0d/64 scope global dynamic noprefixroute 
       valid_lft 7178sec preferred_lft 7178sec
    inet6 fd00:bbbb::2cd/128 scope global dynamic noprefixroute 
       valid_lft 7177sec preferred_lft 7177sec
    inet6 2001:...::2cd/128 scope global dynamic noprefixroute 
       valid_lft 7177sec preferred_lft 7177sec
    inet6 fe80::...:1b0d/64 scope link 
       valid_lft forever preferred_lft forever
root@RoadWarrior:~# uci show network.wan6
network.wan6=interface
network.wan6.ifname='eth1'
network.wan6.proto='dhcpv6'
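
Comparing the two `ip -6 addr` outputs in this thread by eye is error-prone once the prefixes are redacted, so here is an added example (not code from the thread or from OpenWrt) that classifies every inet6 address by range: fc00::/7 is ULA (RFC 4193, in practice fd00::/8), 2000::/3 is global unicast, fe80::/10 is link-local. Run over the two outputs, it makes the difference explicit: the eth0 output above has one GUA and no ULA at all, while the road-warrior box has ULA and GUA each twice, as a /64 (the address SLAAC forms from the RA prefix) and a /128 (the DHCPv6 IA_NA lease). The two sample outputs are constructed to match the shape of the posted ones, with the documentation prefix 2001:db8::/32 and a made-up ULA standing in for the redacted parts.

```shell
#!/bin/sh
# Added example: classify the IPv6 addresses in `ip -6 addr show dev <dev>` output.
# Not code from the thread or from OpenWrt; uses only sh, awk and tr (busybox is fine).

# Constructed sample modelled on the eth0 output posted in the thread (documentation
# prefix 2001:db8::/32 stands in for the redacted global prefix): GUA only, no ULA.
SAMPLE_NO_ULA='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1bc0:1c7c:f6f2:6dff:fec5:fc73/128 scope global noprefixroute dynamic
       valid_lft 6855sec preferred_lft 3255sec
    inet6 fe80::f6f2:6dff:fec5:fc73/64 scope link
       valid_lft forever preferred_lft forever'

# Constructed sample modelled on the road-warrior output: ULA and GUA, each as a
# /64 (SLAAC from the RA prefix) and a /128 (DHCPv6 IA_NA lease).
SAMPLE_WITH_ULA='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd00:bbbb::1a2b:3cff:fe4d:1b0d/64 scope global dynamic noprefixroute
       valid_lft 7178sec preferred_lft 7178sec
    inet6 2001:db8:1::1a2b:3cff:fe4d:1b0d/64 scope global dynamic noprefixroute
       valid_lft 7178sec preferred_lft 7178sec
    inet6 fd00:bbbb::2cd/128 scope global dynamic noprefixroute
       valid_lft 7177sec preferred_lft 7177sec
    inet6 2001:db8:1::2cd/128 scope global dynamic noprefixroute
       valid_lft 7177sec preferred_lft 7177sec
    inet6 fe80::1a2b:3cff:fe4d:1b0d/64 scope link
       valid_lft forever preferred_lft forever'

# ip6_kind ADDRESS -> ula | gua | linklocal | other
# ULA is fc00::/7 (RFC 4193), GUA is 2000::/3, link-local is fe80::/10 (fe80-febf).
ip6_kind() {
  case "$(printf '%s' "$1" | tr 'A-F' 'a-f')" in
    fe8?:*|fe9?:*|fea?:*|feb?:*) echo linklocal ;;
    fc??:*|fd??:*)               echo ula ;;
    2*|3*)                       echo gua ;;
    *)                           echo other ;;
  esac
}

# ip6_list_kinds (stdin: `ip -6 addr` output) -> one line per address: "<kind> <addr>/<plen>"
ip6_list_kinds() {
  awk '$1 == "inet6" { print $2 }' | while read -r cidr; do
    printf '%s %s\n' "$(ip6_kind "${cidr%/*}")" "$cidr"
  done
}

# has_kind KIND (stdin: `ip -6 addr` output) -> exit 0 if an address of that kind is present
has_kind() {
  ip6_list_kinds | awk -v k="$1" '$1 == k { found = 1 } END { exit found ? 0 : 1 }'
}

# kind_counts (stdin: `ip -6 addr` output) -> "gua=N ula=N linklocal=N"
kind_counts() {
  ip6_list_kinds | awk '{ n[$1]++ }
    END { printf "gua=%d ula=%d linklocal=%d\n", n["gua"], n["ula"], n["linklocal"] }'
}

# wan6_ula_check DEV: the check this thread is about, on a live box (needs `ip`);
# exits 1 when the device carries no ULA, so it can gate a hotplug or cron script
wan6_ula_check() {
  if ip -6 addr show dev "$1" | has_kind ula; then
    echo "$1: ULA present ($(ip -6 addr show dev "$1" | kind_counts))"
  else
    echo "$1: no ULA address ($(ip -6 addr show dev "$1" | kind_counts))"
    return 1
  fi
}

# Stand-alone demo on the constructed samples
printf '%s\n' "$SAMPLE_NO_ULA" | ip6_list_kinds
printf '%s\n' "$SAMPLE_WITH_ULA" | ip6_list_kinds
```

On the firewall the interesting call is `wan6_ula_check eth0` (or whatever `uci get network.wan6.ifname` returns); the first sample reproduces the "GUA /128 plus link-local, nothing else" picture from the thread, the second the dual ULA/GUA picture from the road-warrior box.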
uci show firewall; ip6tables-save