Hi,
I'm running an OpenWRT router with multiple VLANs and a single pi-hole (not on the router, but a separate device). Currently, I have a setup where the DHCP hands out the pi-hole as DNS to the clients as follows
And I added a traffic rule to allow DNS from all VLANs to the pi-hole:
This works fine. However, there are a few things regarding IPv6 that I don't understand.
Do the non-primary VLANs not have an IPv6 / give an IPv6 to the clients?
If so, I probably do not have to (should not) announce an IPv6 DNS-Server on these interfaces, right?
For different subnets, I would like to have different filter groups defined in pi-hole. At the moment, I defined clients like 192.168.0.1/24, 192.168.1.1/24, etc. However, devices which talk IPv6 are not captured by these CIDR groups and would have to be manually configured. Does something like subnets exist on IPv6?
Would it be a good idea to simply deactivate IPv6 on the LAN interfaces for simpler management?
I always set port forwards and traffic rules for IPv4 addresses only so far. And it works. However, I'm wondering if I should also define them for IPv6. Why, why not?
This whole IPv6 topic always produces a knot in my head and I hope you can help me with this.
Thanks in advance!
Thanks for your answer. That already clarified a few things!
I just saw that in the other interfaces, there was no IPv6 assignment length defined while for the LAN Interface it was set to 60. So I set it to 60 for the other interfaces, too. And I gave it an assignment hint corresponding to the VLAN ID. Now, they all have a prefix. In fact, each of them has two prefixes. One 2003:... and one fdb2:.... Why is that?
Is there any benefit or downside of using /60 prefixes instead of /64?
Regarding the traffic rules: Which IPv6 do I have to set them for? If I look at the pi-hole for example, there are dozens of IPv6's for each device :-/
2003 is the public address, routable on the Internet. fdb2 is the private one, the same as 192.168.1.1. You can have them both available so you can find your internal devices (using the private address) in case your public prefix is changed by your ISP.
A /60 is 16 /64s. The lan interface uses the first /64 but is able to delegate a /64 or something bigger to some lan host if requested, to have more networks downstream.
Look at the DHCPv6 leases; these are static and won't change. Also, better to provide the private address if it is for your lan only.
I thought the fe80 one is the local one. What is the difference between those two?
Did you mean "the first /60" here?
In Luci, I can only see one DHCPv6 Lease (my laptop) at the moment while there are ~20 DHCP Leases. When I check the WLAN details on my phone for example, there is one fe80 address, two 2003's and two fdb2's. How come they are not listed in Luci?
I noticed one more difference in the interfaces: my lan interface had the RA flags M,O while the other ones only had O. I changed that, so all have M,O, and rebooted the router. But still, only one DHCPv6 Lease.
Change the size from /60 to /64 and see if the other interfaces get a prefix. You'd need a large PD from your ISP to afford to assign /60 to your interfaces; /64 is standard.
If I understand this correctly, my ISP gives me a /56 prefix to delegate, so I should be fine assigning /60's, right? I don't understand why the wan_6 interface has an IPv6 and an IPv6-PD, and why they differ, though.
I will try that on the weekend when no one is using the internet.
So, this is just something hard-coded? Meaning it would not make a difference whether I set a /60 or /64 prefix.
Ahh, I see.
Could you please also explain to me why the IPv6 and IPv6-PD differ in the third block?
Another question about the pi-hole. It is not listed as an active DHCPv6 Lease. However, when I ssh into it and run ip addr it clearly has IPv6's. Are these also acquired using SLAAC? And why are they /64 addresses? I thought an endpoint is identified by a /128 address.
EDIT: the pi-hole IPv6 lease should also be a DHCP lease, at least that's how it's configured.
No, it is configurable: it is the ip6assign option under the interface configuration. But you can safely leave it at /60 since you have a /56 delegated from your provider.
IPv6 is the address from your provider on the wan_6 interface.
PD is the delegated prefix for your lan devices.
They are different: 5fff and 5f08
A /64 is the typical network size, sort of equivalent to /24 in IPv4.
A /128 is a host, same as /32 in IPv4.
It's expected to see /64 in the interface addresses. A good indication of getting a DHCPv6 address is that it is a /128.
I deleted the wan6 interface and as you said, it did not change anything. However, the wan_6 interface which is left is not part of any firewall zone (it was not before either, I guess). Is that supposed to be? Also, when I click the Edit button of the wan_6 on the right I get an error Cannot read properties of null (reading '.name') on the top of the page.
I see that they are different, I just don't get why that is. Wouldn't it make sense somehow to just have one network that is defined by a prefix?
So, I set up VMs using IPv6 DHCP, see screenshot above. But after a reboot of this VM, it shows a /64 address. I would have expected a /128.
Another issue is that after setting the IPv6 setting to DHCP, I could no longer reach the hosted website using the domain in my reverse proxy and instead it said 502 Bad Gateway. So, I rolled back the above setting to IPv6 Static with no entry. Now, it works again. Is it problematic to not have an IPv6 on this VM? Could it be that the website would not be accessible from IPv6 or something?
If I may jump in...
You see, from an ISP operator perspective it's faaaaaar easier and cleaner and whatnot to separate the two.
One network/prefix defines the infrastructure the ISP operates.
The other one, your delegated prefix, is just offered by the ISP but is operated by you.
TL;DR: it's normal for the ISP to have the customer premises endpoint in one network and just route a prefix to the customer, so he or she is free to use it however it pleases them.
Yes, and it's a benefit to the customer not having to use PD space for internal router access to the Internet like NTP or VPN terminations. A /56 can then (for example) be split into 16 full /60 blocks to assign to lans and routers downstream in the customer's network.
Be more specific.
If you use SLAAC and DHCP and have both configured correctly, then a client ends up with an address based on the RA, which is by definition a /64, with access to that subnet, and from DHCP you get an address, a /128, simply a single address.
Again, IPv6 is built with autoconfig as its first-class citizen and with multi-address support.
IPv4 had a similar idea, but again it was a lab rat which escaped the lab, and later the IPv4 semi-autoconfig never hit the mainstream, and Microsoft's 169.whatsoever IPv4 link-local is another story.
wan6 is there by default.
wan_6 is spawned if the ipv6 option is set to auto in a pppoe wan interface.
Run a tcpdump on OpenWrt and verify that there is DHCPv6 negotiation. opkg update; opkg install tcpdump; tcpdump -i br-lan.10 -vnn port 547
No and no
I don't see how this is a question for OpenWrt. Is the reverse proxy running on OpenWrt? Are the packets reaching the OpenWrt and not being forwarded further?
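The tcpdump check in the reply above only tells you something if you can read what comes back on port 547. As an added example (not code from the thread, OpenWrt or odhcpd), here is a small RFC 8415 DHCPv6 decoder run over a constructed capture: it pairs each client Solicit/Request with a server Advertise/Reply by transaction-id, pulls the leased /128 out of IA_NA/IAADDR and the delegated prefix out of IA_PD/IAPREFIX, and reports transaction-ids the server never answered, which is the "no response from the DHCPv6 server" symptom. All addresses are documentation-range stand-ins; the packets are built inline, no real capture is involved.

```python
"""Added example: decode DHCPv6 (UDP/547) payloads and check whether the
client's exchange completed. Packets below are constructed, not captured."""
import struct
import ipaddress

MSG_TYPES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 5: "RENEW", 6: "REBIND", 7: "REPLY"}
CLIENT_MSGS = {"SOLICIT", "REQUEST", "RENEW", "REBIND"}
OPT_IA_NA, OPT_IAADDR, OPT_IA_PD, OPT_IAPREFIX = 3, 5, 25, 26


def parse_options(buf):
    """Walk the TLV option list: 2-byte code, 2-byte length, value (RFC 8415 §21.1).
    Refuses truncated options instead of silently reading short."""
    opts, off = [], 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        value = buf[off + 4:off + 4 + length]
        if len(value) != length:
            raise ValueError(f"option {code} claims {length} bytes, only {len(value)} present")
        opts.append((code, value))
        off += 4 + length
    return opts


def parse_message(payload):
    """Header is msg-type (1 byte) + transaction-id (3 bytes), then options.
    Collects leased addresses (IA_NA/IAADDR) and delegated prefixes (IA_PD/IAPREFIX)."""
    if len(payload) < 4:
        raise ValueError("DHCPv6 message shorter than its 4-byte header")
    msg = {"type": MSG_TYPES.get(payload[0], f"type-{payload[0]}"),
           "xid": int.from_bytes(payload[1:4], "big"), "addresses": [], "prefixes": []}
    for code, value in parse_options(payload[4:]):
        if code not in (OPT_IA_NA, OPT_IA_PD):
            continue
        if len(value) < 12:
            raise ValueError("IA option shorter than its IAID/T1/T2 header")
        for sub, sval in parse_options(value[12:]):            # skip IAID, T1, T2
            if code == OPT_IA_NA and sub == OPT_IAADDR and len(sval) >= 24:
                addr = ipaddress.IPv6Address(sval[:16])        # address(16) preferred(4) valid(4)
                _preferred, valid = struct.unpack_from("!II", sval, 16)
                msg["addresses"].append((addr, valid))         # the /128 a DHCPv6 client ends up with
            elif code == OPT_IA_PD and sub == OPT_IAPREFIX and len(sval) >= 25:
                _preferred, valid, plen = struct.unpack_from("!IIB", sval, 0)  # preferred(4) valid(4) len(1) prefix(16)
                net = ipaddress.IPv6Network((ipaddress.IPv6Address(sval[9:25]), plen), strict=False)
                msg["prefixes"].append((net, valid))           # the "IPv6-PD" a router receives on its WAN
    return msg


def check_exchange(payloads):
    """Pair every client message with a server answer carrying the same transaction-id.
    Returns (addresses handed out in REPLYs, transaction-ids the server never answered)."""
    by_xid = {}
    for p in payloads:
        m = parse_message(p)
        by_xid.setdefault(m["xid"], []).append(m)
    leased, unanswered = [], []
    for xid, msgs in by_xid.items():
        if not any(m["type"] not in CLIENT_MSGS for m in msgs):
            unanswered.append(xid)
        leased += [a for m in msgs if m["type"] == "REPLY" for a in m["addresses"]]
    return leased, unanswered


# --- constructed packets (stand-in for a tcpdump capture) -------------------
def _option(code, value):
    return struct.pack("!HH", code, len(value)) + value

def _message(msg_type, xid, *options):
    return bytes([msg_type]) + xid.to_bytes(3, "big") + b"".join(options)

def _ia_na(iaid, addr=None, valid=86400):
    inner = _option(OPT_IAADDR, ipaddress.IPv6Address(addr).packed + struct.pack("!II", valid, valid)) if addr else b""
    return _option(OPT_IA_NA, struct.pack("!III", iaid, 0, 0) + inner)

def _ia_pd(iaid, prefix, valid=86400):
    net = ipaddress.IPv6Network(prefix)
    inner = _option(OPT_IAPREFIX, struct.pack("!IIB", valid, valid, net.prefixlen) + net.network_address.packed)
    return _option(OPT_IA_PD, struct.pack("!III", iaid, 0, 0) + inner)

def healthy_capture():
    """Full four-message exchange on a LAN: the client is leased 2001:db8:1200:a0::1234/128."""
    a = "2001:db8:1200:a0::1234"
    return [_message(1, 0x123456, _ia_na(1)), _message(2, 0x123456, _ia_na(1, a)),
            _message(3, 0x345678, _ia_na(1, a)), _message(7, 0x345678, _ia_na(1, a))]

def silent_server_capture():
    """Only retransmitted Solicits on the wire: nothing is answering on that interface."""
    return [_message(1, 0x123456, _ia_na(1)), _message(1, 0x123456, _ia_na(1))]

def wan_reply_with_pd():
    """Server REPLY as seen on a WAN: a /128 for the router itself plus a /56 delegation."""
    return _message(7, 0xabcdef, _ia_na(1, "2001:db8:ffff::5f08"), _ia_pd(1, "2001:db8:1200::/56"))


if __name__ == "__main__":
    print("healthy:", check_exchange(healthy_capture()))
    print("silent :", check_exchange(silent_server_capture()))
    print("wan    :", parse_message(wan_reply_with_pd()))
```

Feeding the healthy capture yields one leased /128 and no unanswered transaction-ids; the silent one yields no lease and the Solicit's transaction-id left unanswered, which is what to look for when LuCI shows no DHCPv6 lease for a client that should have one. The WAN reply shows the two different things a router receives at once: its own /128 and the separate delegated prefix.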
Well, it looks like it. It takes forever for the host to boot with IPv6 set to DHCP though. After rebooting the VM, this is what I could log in the router.
You're right, I could as well ask this on another forum. No, the reverse proxy is running on another machine. proxy_pass is set to an IPv4 address; I guess that could be a problem? However, I cannot set it to both IPv4 and IPv6, so not sure what to do there. Strangely, at the moment it works even with IPv6 activated on the serving hosts. Still, they only get /64 addresses, which I don't understand.
Is this a realistic problem or more theoretical for the next few years?
First of all, post your configs, as it looks like there is no response from the DHCPv6 server to the client.
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have