Using IPv6 with two subnets when ISP gives you /64 prefix

I have a /64 prefix (damn ISP :clown_face: ), like many of us, because of unlimited ISP greed (that is the only thing that they provide an unlimited amount of).

I heard that you can use relay mode, but I am not sure how to do this. I tried a few suggestions, but I am not sure I understand.

My ISP gives the wan interface a single /128 IP, two DNS addresses and a /64 PD, all via DHCPv6.

AFAIK, Android devices don't use DHCPv6, thus I need to forget about DHCPv6.

The other option I understand is RA and NDP. These run on top of ICMPv6, and by default when you give your network interface an 'IPv6 assignment length' and a source of prefix to tap into (either an upstream device or ULA), the RA/NDP server will start and give the devices on the network all the required config, e.g. the default gateway, what prefix to use for SLAAC, etc.

Now how do I relay that info? The ISP doesn't support NDP/RA, so I can't relay this. What I can do is set up two networks (in my case lan and lan_ext), make one network (lan) take the PD /64 prefix and become the RA/NDP server, and then make the other, the lan_ext network, tap into that.

Is that possible? I tried it many times but it just doesn't work. How do I debug this?

What does work is to set up NAT66 on the lan_ext interface instead. I don't mind this, except that it was recently broken:

Also it looks like NAT66 is not accelerated by MediaTek's PPE/WED engine (is this a bug, or has it never worked?).

I do know that regular IPv6 is accelerated by it just fine (maybe only after I installed bridger, I don't know).

So if it is possible to use relay mode I would like to use it on lan_ext (the less secure partition of my network), and if not, I would like to know if I can safely disable GRO as suggested, or whether it will impact performance in an unexpected way.

Thanks in advance!

PS: I am using a GL-MT6000 with their v4.6.6-op24 firmware; I will soon install stock OpenWrt on it.

1 Like

I would first install OpenWrt; when you use the stock firmware all bets are off.

This is the "official" answer:

It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.

If you are on OpenWrt then for IPv6 relay see: https://openwrt.org/docs/guide-user/network/ipv6/configuration#ipv6_relay

I have never used it myself (my ISP hands out a /56 PD), but I know many are in the same boat as you and are using it.

I know that this firmware is not official OpenWrt and I am not asking for help with it specifically, but I am asking for general advice about this feature. I want to understand how it works, and whether what I want to do is possible in official OpenWrt.

One option would be to merge your lan and lan_ext into one network and delegate the /64 you got.
Another option is to give the /64 to only one network, e.g. lan, and use ULA on the other one, which can be NATed to the wan /128 IP.
The third option, more of an untested theory off the top of my head, is to use the ipv6relay and use lan as master, in case wan6 is not working because your ISP doesn't allow it.

2 Likes
  1. The reason lan and lan_ext exist is that this allows me to create a separation between them that doesn't rely on IPs or anything client-provided (a client can spoof its IP, and even its MAC). I am running an OpenVPN connection to my company's servers (IPv4 only) and I would like only the 'lan' network to be able to access it.
    So I created two bridges, br-lan and br-lan-ext, and connected to each bridge the interfaces which I consider secure and not secure, respectively (besides the two wlan interfaces for 2.4 and 5 GHz, which are both connected to lan_ext, I added a 3rd wifi interface, also on 5 GHz, which is connected to 'lan' and which I use only on my company's laptop).

Then I created firewall zones with the corresponding forwards:
lan (br-lan) -> wan, vpn
lan_ext (br-lan-ext) -> wan

And of course this separation allows a lot more nice things, like not even allowing systems on lan_ext to access the router itself.

Can this be done with a single subnet / bridge?

  2. Using ULA and NAT66 on lan_ext is exactly what I am using right now. It works, but as I explained, a recent change in OpenWrt broke it, and it has been broken for half a year already; I don't expect this to be fixed, since NAT66 is frowned upon.

  3. This is what I am trying to do: have the RA master on 'lan' and relay it to lan_ext, making lan_ext and lan have the same subnet on the IPv6 side. In fact I could have done this for IPv4 as well, since IP addresses themselves are never used as a security separation.

However I suspect that this is not possible, that OpenWrt can only forward RA/NDP messages from a network it doesn't manage (e.g. wan), but in my case my wan interface only has DHCPv6.
And this is exactly what I was trying to ask: whether this is possible in your opinion.
When I tick the 'master' option on 'lan', I see that both RA and NDP become 'hybrid', and then I configure lan_ext to use 'relay', but nothing happens. I even added a firewall rule to allow all ICMPv6 traffic on all interfaces in all directions.

BTW I live in Canada and my ISP is Rogers. AFAIK the only other alternative which provides fiber is Bell, who :rage: provide their own 'bells and whistles' box (see what I did there) which can't even be put reliably into bridge mode.

Rogers at least provides an ONT box with a single ethernet port, and I hope that they will continue to do so. Their IPv6 also actually works, apart from the /64 prefix.

So I don't really have any choice in regard to switching providers.

(Begging Rogers for a larger prefix has AFAIK also already been done; I read several threads about this on the internet, and as expected they just ignore it.)

You can have multiple LANs with relay mode. Relay mode works by snooping the NDP messages and using that information to install a /128 route to each client as it joins a LAN network. All the clients will have IPs within the same /64, but with a unique last 64 bits. The ISP routes the entire /64 to your house, then the /128 route determines which LAN will be used to reach that client. Local connections between the multiple LANs can be allowed or blocked by the firewall by using separate firewall zones and forwarding rules, the same as for v4.

If a LAN is routed to a v4 only VPN for Internet access, that network must not issue v6 addresses as otherwise the clients will go directly to the Internet via the local v6 ISP.
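One way to verify the mechanism described above on a running router, and to get a concrete answer to the "how do I debug this" question from the opening post: compare the IPv6 neighbour table with the routing table and flag every client that has no /128 host route, or whose route points at a different LAN than the one it was seen on. This is an added example, not code from the thread or from OpenWrt; the interface names br-lan and br-lan-ext, the 2001:db8::/32 addresses and the sample `ip -6 neigh` / `ip -6 route` output are constructed, and the live path assumes iproute2 is present (it is on OpenWrt).

```shell
#!/bin/sh
# Added example, not from the thread: cross-check NDP relay state on an
# OpenWrt router. Relay mode installs a /128 host route for every client it
# has learned via NDP, pointing at the LAN the client sits on. This script
# lists every global-scope neighbour and reports whether a matching host
# route exists:
#   OK        host route present via the same interface
#   WRONG-DEV host route present but via another interface (stale entry,
#             e.g. a client that roamed between LANs)
#   MISSING   no host route at all (the relay never learned this client)
# When RELAY_CHECK_OFFLINE is set, constructed sample data is used instead
# of `ip`, so the script can be tried off the router.

neigh_table() {
  if [ -n "$RELAY_CHECK_OFFLINE" ]; then
    # Constructed sample in the shape of `ip -6 neigh show` (documentation prefix 2001:db8::/32).
    cat <<'EOF'
2001:db8:1::1a2b dev br-lan-ext lladdr 02:00:00:00:00:01 REACHABLE
2001:db8:1::3c4d dev br-lan-ext lladdr 02:00:00:00:00:02 STALE
2001:db8:1::5e6f dev br-lan lladdr 02:00:00:00:00:03 REACHABLE
2001:db8:1::9900 dev br-lan-ext lladdr 02:00:00:00:00:04 REACHABLE
fe80::1 dev br-lan-ext lladdr 02:00:00:00:00:01 REACHABLE
2001:db8:1::7788 dev br-lan-ext FAILED
EOF
  else
    ip -6 neigh show
  fi
}

route_table() {
  if [ -n "$RELAY_CHECK_OFFLINE" ]; then
    # Constructed sample in the shape of `ip -6 route show`; host routes print without /128.
    cat <<'EOF'
2001:db8:1::1a2b dev br-lan-ext metric 1024 pref medium
2001:db8:1::5e6f dev br-lan metric 1024 pref medium
2001:db8:1::9900 dev br-lan metric 1024 pref medium
2001:db8:1::/64 dev br-lan metric 1024 pref medium
fe80::/64 dev br-lan metric 256 pref medium
fe80::/64 dev br-lan-ext metric 256 pref medium
default via fe80::2 dev eth1 metric 512 pref medium
EOF
  else
    ip -6 route show
  fi
}

# Print "address interface STATUS" for each global-scope neighbour.
relay_check() {
  # Host routes are the entries whose destination carries no prefix length
  # and that point directly at a device ("<addr> dev <if> ...").
  routes=$(route_table | awk '$1 !~ /\// && $2 == "dev" { print $1, $3 }')
  neigh_table | awk -v routes="$routes" '
    BEGIN {
      n = split(routes, lines, "\n")
      for (i = 1; i <= n; i++) { split(lines[i], f, " "); via[f[1]] = f[2] }
    }
    # Skip link-local neighbours and entries without a resolved link-layer address.
    $1 ~ /^fe80:/ || /FAILED|INCOMPLETE/ { next }
    $2 == "dev" {
      addr = $1; dev = $3
      if (!(addr in via))        status = "MISSING"
      else if (via[addr] != dev) status = "WRONG-DEV"
      else                       status = "OK"
      print addr, dev, status
    }'
}

# Exit 0 only when every listed client has a correct host route.
relay_ok() {
  ! relay_check | grep -qv ' OK$'
}

case "$1" in
  sample) RELAY_CHECK_OFFLINE=1; relay_check ;;
  check)  relay_check ;;
esac
```

Run it as `sh relay_check.sh check` on the router, or `sh relay_check.sh sample` for the built-in data, where the 3c4d client shows up as MISSING and the 9900 client as WRONG-DEV. A LAN full of MISSING entries means the relay is not learning clients from that interface at all, which narrows the problem to the relay configuration or to ICMPv6 being filtered, rather than to the firewall zones.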

The question is: can I relay from one LAN which has a delegated prefix to another LAN which has no prefix, and as I understand it its interface doesn't even have an IPv6 address? This is exactly what I want to do; it would be perfect for me.

Can you provide a config of two lans in which one uses a prefix from wan6, and the second lan gets relayed NDP messages from the first? I did everything as was said in the wiki, and all my phones just get a link-local address.
Thanks in advance!

For the VPN, thankfully it doesn't provide internet, but only access to a bunch of private IP ranges (10.*), so all I do currently is configure my PC's DNS resolver to use the company's DNS server for the company's DNS domain, and everything else goes to the router's DNS server.

I do see now that OpenWrt has an option to set up multiple dnsmasq instances, so I might create an instance listening on br-lan and make it do this work; this way I won't need to set up anything on the PC. It's a side topic though.

That is different from how it is usually used. I use relay with an LTE connection which gives an IP within a /64 directly on wan and no delegation to any lan. Here you want one of your lans to be both the master of the relay and also issue IPs directly. This might be possible with an alias interface. Also I don't know if you could put ip6assign on wan so it takes the ::1 within the delegated /64 instead of one of the lans.

Thanks for the information. I'll try to play with alias interfaces, and I also need to understand better how RA/NDP work under the hood.

Thanks!

I played a bit with alias interfaces. I am more or less sure that this config has the maximum probability of working, but it doesn't:

This is part of /etc/config/network:

config device
	option name 'br-lan'
	option type 'bridge'
	option macaddr 'xx:xx:xx:xx:xx:xx'
	list ports 'lan1'
	option bridge_empty '1'

config device
	option type 'bridge'
	option name 'br-lan-ext'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	option macaddr 'xx:xx:xx:xx:xx:xx'
	option bridge_empty '1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.8.1'
	option netmask '255.255.255.0'
	option isolate '0'
	option ip6ifaceid '::1'
	option ip6assign '64'
	list ip6class 'wan6'

config interface 'lan_alias'
	option proto 'dhcpv6'
	option device '@lan'
	option reqaddress 'try'
	option reqprefix 'auto'

config interface 'lan_ext'
	option device 'br-lan-ext'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option isolate '0'

And this is my /etc/config/dhcp:

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option force '1'
	option ra 'server'

config dhcp 'lan_alias'
	option interface 'lan_alias'
	option ignore '1'
	option master '1'
	option ra 'relay'
	option ndp 'relay'
	option force '1'
	option dhcpv6 'relay'

config dhcp 'lan_ext'
	option interface 'lan_ext'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option force '1'
	option ra 'relay'
	option ndp 'relay'
	option dhcpv6 'relay'

I see that there is only one instance of odhcpd running. To make this work, odhcpd must in essence relay the packets that it sends itself, and it probably doesn't do this.

It also seems to have no config file, so I don't know yet how it is configured, and if I can start more than one instance of it.

Bummer, looks like I'm stuck with NAT66, or I have to give up on IPv6, at least for the larger portion of my network.

:frowning_face:

BTW, I tried this as well. It does 'work' in the sense that I see the wan interface getting an IP range (I don't know what it really means), but I still can't relay this to the lans.
(I tried to do this on both wan and wan6.)
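Before concluding that odhcpd cannot relay its own packets, it is worth ruling out a plain inconsistency in the posted /etc/config/dhcp. The following is an added example, not code from the thread or from OpenWrt: a small parser for the UCI `config` / `option` syntax that summarises the relay-relevant settings (ra, ndp, dhcpv6, master) per `dhcp` section and applies the two rules the wiki's relay layout follows (one master section; a section that relays any of ra/ndp/dhcpv6 relays all three). The built-in sample is a constructed, cut-down copy of the config posted above; passing the check shows the config is self-consistent, not that odhcpd will actually relay from a master that is itself a LAN.

```shell
#!/bin/sh
# Added example, not from the thread: parse an OpenWrt /etc/config/dhcp and
# summarise the odhcpd settings that matter for IPv6 relay (ra, ndp, dhcpv6,
# master), then check two consistency rules the documented relay layout
# relies on: exactly one section is the master, and a section that relays
# any of ra/ndp/dhcpv6 relays all three. The sample below is a constructed,
# cut-down copy of the dhcp config from the post above.

sample_dhcp_config() {
  cat <<'EOF'
config dnsmasq
	option domainneeded '1'

config dhcp 'lan'
	option interface 'lan'
	option dhcpv4 'server'
	option ra 'server'

config dhcp 'lan_alias'
	option interface 'lan_alias'
	option ignore '1'
	option master '1'
	option ra 'relay'
	option ndp 'relay'
	option dhcpv6 'relay'

config dhcp 'lan_ext'
	option interface 'lan_ext'
	option dhcpv4 'server'
	option ra 'relay'
	option ndp 'relay'
	option dhcpv6 'relay'
EOF
}

# One line per 'config dhcp' section: name ra ndp dhcpv6 master ("-" = unset).
# Reads the files given as arguments, or stdin when there are none.
dhcp_modes() {
  awk '
    function unq(s) { gsub(/^['\''"]|['\''"]$/, "", s); return s }
    function flush() { if (name != "") print name, ra, ndp, d6, master }
    $1 == "config" {
      flush(); name = ""
      if ($2 == "dhcp") { name = ($3 == "") ? ("anon" NR) : unq($3); ra = ndp = d6 = master = "-" }
    }
    $1 == "option" && name != "" {
      v = unq($3)
      if ($2 == "ra") { ra = v }
      else if ($2 == "ndp") { ndp = v }
      else if ($2 == "dhcpv6") { d6 = v }
      else if ($2 == "master") { master = v }
    }
    END { flush() }' "$@"
}

# Print each rule violation; exit 0 only when there is none.
relay_lint() {
  dhcp_modes "$@" | awk '
    $5 == "1" { masters++ }
    {
      relays = ($2 == "relay") + ($3 == "relay") + ($4 == "relay")
      if (relays > 0 && relays < 3) {
        print "partial relay on " $1 ": ra=" $2 " ndp=" $3 " dhcpv6=" $4
        bad++
      }
    }
    END {
      if (masters != 1) { print "expected exactly one master section, found " masters + 0; bad++ }
      exit (bad > 0)
    }'
}

case "$1" in
  sample) sample_dhcp_config | dhcp_modes; sample_dhcp_config | relay_lint ;;
  lint)   dhcp_modes /etc/config/dhcp; relay_lint /etc/config/dhcp ;;
esac
```

`sh dhcp_relay_lint.sh sample` prints the three summary lines for lan, lan_alias and lan_ext and no violation, because the posted config does have exactly one master (lan_alias) with all three relays set; `sh dhcp_relay_lint.sh lint` does the same against the router's real file, so a half-edited LuCI change (for example ra set to relay while ndp is still left at its default) shows up immediately.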

Every ISP I've seen defaults to giving you a /64, but if they are following RFC 6177 as they should, ISPs should give you at least a /60 or /56 upon request:

The IETF recommends that any policy on IPv6 address assignment policy to end sites take into consideration the following:

  • it should be easy for an end site to obtain address space to number multiple subnets (i.e., a block larger than a single /64) and to support reasonable growth projections over long time periods (e.g., a decade or more).

Yes, ISPs are a greedy bunch, but just in case you haven't actually tried this yet:

  1. Go to LuCI→Network→Interfaces
  2. Edit "wan6" and set "Request IPv6-prefix of length" to 56
  3. Restart the interface or your router

If this doesn't work, try the above steps again with the prefix length set to 60.

1 Like

I tried that, I even tried /63; it doesn't help, they always give me a /64 prefix. It looks like a known issue:

As I said, I still say thanks to Rogers for the fact that they give an ONT. With Bell, it's their shitty "bells and whistles" box which is the only way to connect to their optical network.

Plus they don't do any RA: their ONT box only supplies a /64 prefix, a DNS server address and a single IP, all via DHCPv6 (I even captured this with tcpdump), so it looks like I can't really use relay mode, unless I patch odhcpd to relay its own packets or something like that.

Do you happen to have another OpenWrt router you can use? A travel router or even a spare PC can work. I would try this setup with two OpenWrt routers A and B:

  1. Connect ONT to router A's WAN.
  2. Set up router A as usual with the /64 prefix delegated from upstream.
  3. Check that internet connectivity works on router A's LAN.
  4. Connect router B's WAN to router A's LAN.
  5. Set up router B with IPv6 relay mode.
  6. Check that internet connectivity works on router B's LAN.

If the above setup works then in principle you can combine the functions of router A and B into a single device.

Internet access is a commercial service, and commercial ISPs are happy to serve any request when you pay for it; in a monopolized market like Canada that means paying a lot.

The reality of "consumer-grade IPv6" turned out to be one /64 assignment (the absolute minimum required) and "consumer-grade IPv4" turned out to be CGNAT/DS-Lite/464 (the absolute minimum required). Commercial operations don't care at all what some non-profit like the IETF, ISOC, Reston, Virginia, US recommends. End user internet access is NAT444 and NAT66 for most people in the world.

odhcp6c is very limited in what it can do. You might want to have a look at dhcpcd for DHCPv6 and ndppd for NDP relaying. It's not well supported by OpenWrt though.

Yes, exactly. Being a devil's advocate, I can say that this is what you get when the target customer base doesn't know the difference between 'wifi' and the internet, nor has a clue what an IP address is, let alone what IPv6 means.

In fact I don't fully understand why these ISPs even started to provide IPv6 to customers at all. My theory is that it either helps them in some way with add-on services like IPTV that they sell, or that the government demanded they do so to accelerate the IPv6 rollout.

I don't have another OpenWrt box, but I do have Rogers' stupid 'Ignite' box that is sitting in the closet. It no doubt does RA with the delegated prefix, so I don't see why this won't work. Thanks for the idea; this will at least confirm that relay mode works as it should.

Thanks a lot for this info as well. I will take a look after I install vanilla OpenWrt on the router (I just need to find some spare time to re-configure everything from scratch; it might take some time), and then I'll take a look at this.
Maybe I can also patch odhcpd (its source seems more or less simple) to achieve this as well.

Thank you all for very informative answers!

IPv6 allocations are cheaper than IPv4 allocations. Running CGNAT infrastructure is expensive as well.

Currently dual-stack support is still built like a router from the pre-NAT44 era: back then you got /16 or /24 IPv4 allocations for free from the registry when you needed them. CPEs learned NAT44 during the mid-1990s, when this was no longer true.

Also there is still the assumption built in that broken IPv6 connectivity gracefully falls back to functional IPv4. However this will no longer be true down the line. Mobile ISPs are already testing IPv6-only Internet access.

odhcp6c needs to be patched to get somewhat working IPv6 connectivity automatically with defaults, even if there is only a single /128 address available through DHCPv6 or only a single /64 prefix available through RA/DHCPv6. Currently all of this needs to be configured manually, with important options not being accessible through the LuCI GUI (like "extendprefix").

Maybe you could submit a patch for odhcp6c to properly implement "Extending an IPv6 /64 Prefix from a Third Generation Partnership Project (3GPP) Mobile Interface to a LAN Link".

Ideally it would look like section 4.2 "Example Scenario 1".

It's because ARIN completely ran out of IPv4 addresses in 2015. So if Rogers or Bell need more IPv4 addresses (to grow their customer base or to sell more IP-based devices to them), they need to get them from the open market, which costs money.

I don't live in Canada, but from what I've heard about Rogers there it would honestly not surprise me if incompetence was also a major reason for your situation.

True, we all know that, but sadly CGNAT works (for them) to fix this issue. I mean, nobody really measures the speed of their 'wifi', right?

I mean, if the ISP claims that my 'wifi' is 1.5 'Giga-something', it has to be lightning fast, no? That is how the general public thinks, I mean.

(They don't even allow 160 MHz channels on their 'Ignite' box, and it has only one 2.5G port, so you literally can't reach that speed, not to mention that besides running speed tests against local town servers, I rarely see speeds that are even a fraction of this; I'm almost sure that they don't have the capacity to actually provide these speeds over intercontinental cables.)

(I am lucky though that my fiber connection still has a public IPv4, but my phone has long been behind CGNAT.)

Sorry for ISP rant!

At least in the past, getting hold of at least one /32 IPv4 address provided you with a free 6to4 prefix from the corresponding 2002:xxxx:xxxx::/48 address range, with a full 16 bits to delegate.

However 6to4 has since been deprecated, and the anycast 6to4 gateways were phased out and no longer work.