Wan6 clients cannot reach internet

Hi,

I had a working configuration on an old router; surprisingly, the same configuration doesn't work on a new router. The issue is the ipv6 connectivity. The router has access to ipv6 networks but not the clients. The trick on the old router was to add a static route (see below) but this doesn't work on the new router. Can you please help?

# uci show network
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.packet_steering='1'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='eth1' 'eth2'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='64'
network.wan=interface
network.wan.device='eth0'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.device='eth0'
network.wan6.proto='dhcpv6'
network.wan6.reqaddress='try'
network.wan6.reqprefix='auto'
network.wan6.ip6assign='64'
network.wan6.ip6prefix='2a01:masked::/64'
network.@route6[0]=route6
network.@route6[0].gateway='fe80::masked'
network.@route6[0].target='2000::/3'
network.@route6[0].interface='wan6'

The clients get a correct ipv6 address using slaac and RA server; they use the router as gateway and can ping it successfully. However they cannot reach the internet despite the route6 which used to work in the old router.

uci delete network.wan6.ip6assign
uci delete network.wan6.ip6prefix
uci commit network
ifup wan6

You are not supposed to assign any prefix to wan6 interface and the ip6prefix is given from the ISP during DHCP6. Also the default route should not be needed, unless your ISP has wrong configuration.

Following this thread with interest as I have the same problem. This is a secondary router and the primary does not hand out a prefix. Manually setting a prefix just like the OP does get my clients a GUA, but either the routing or the firewall is blocking IPv6 for the clients.

From the router itself (SSH) IPv6 is working

Hmm I might have solved it by adding a default route e.g.:
ip -6 route add default via fe80::1659:c0ff:ce3b:521a dev wan proto static metric 512 pref medium

The fe80 address is the wan6 gateway

There are probably much smarter ways to do this, but I am new to IPv6 and learning

I confirm 100% egc's statements. When I delete wan6 ip6prefix, clients no longer have a global IPv6 address. My router is also a secondary router; manually fixing the prefix lets the clients have a valid GUA.

The issue is within the router configuration which is blocking the IPv6 outside of LAN. I have been struggling for more than 2 hours to sort the issue. The route added in my original post did solve the issue for my old router (different hardware). Using the same configuration on the new router, I am unable to ping the gateway shown in the ipv6 stream (it is only reachable within the router, not from clients), however, clients can ping both lan and eth0 in the router. There is something blocking the route from wan6 to internet... Your help is appreciated !!!

A manually assigned prefix will only work if the ISP has configured their network to route that prefix from the Internet to your line. So you should only manually assign a prefix on instructions from the ISP and you must use the one the ISP has set up for you.

The IPv6 gateway should indeed be the link local of the next device connected to the WAN port (typically owned by the ISP), but this also is usually set automatically.

My understanding is that network.@route6[0].gateway='fe80::masked' is adding the route from wan6 to internet manually, where fe80::xxx is the link local of the WAN port of the ISP modem. This is not working anymore on my new router. Here is my routing table:

root@OpenWrt:~# ip -6 route show
default from 2a01:xxx::/64 via fe80::f6ca:e5ff:fe58:d24e dev eth0  metric 512
2a01:xxx::/64 dev eth0  metric 256
unreachable 2a01:xxx::/64 dev lo  metric 2147483647
2a01:yyy:4191::/64 dev br-lan  metric 1024
unreachable 2a01:yyy:4191::/64 dev lo  metric 2147483647
2000::/3 via fe80::f6ca:e5ff:fe58:d24e dev eth0  metric 1024
fe80::/64 dev br-lan  metric 256
fe80::/64 dev eth0  metric 256
anycast 2a01:xxx:: dev eth0  metric 0
anycast 2a01:yyy:4191:: dev br-lan  metric 0
anycast fe80:: dev br-lan  metric 0
anycast fe80:: dev eth0  metric 0
multicast ff00::/8 dev br-lan  metric 256
multicast ff00::/8 dev eth0  metric 256

Can you please check what's wrong?

can you delete your rule and try mine

for the fe80 address use the gateway from the Status>Overview page that is what works for me.

The following is true but that has been taken care of in my case

The gateway is the same for traffic from inside the router and from the LAN. When you originate traffic from the router (i.e. a ping test), the source address will be prefix X. LAN clients are assigned IPs within prefix Y, and when they try to reach the Internet that will be their source address. The website that they reach will return the page to their prefix Y IP. The ISP must route prefix Y back to your line for the connection to work. If the ISP is only routing prefix X but not Y, you will find that local traffic from the router works but Internet access from the LAN does not.

Also you should make sure that DNS works on the LAN, as that is often the reason for Internet use to fail. Pinging numeric IPs is a good test as it does not depend on DNS.
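
The prefix X versus prefix Y point can be checked against the router's own table. The Python sketch below is an added example, not part of any post in this thread: it parses pasted `ip -6 route show` output and lists, for each on-link prefix, which gateway routes accept packets sourced from it. The sample table and its documentation prefixes are constructed, and `egress_by_source` and its `probe` argument are hypothetical names.

```python
import ipaddress

# Constructed sample shaped like `ip -6 route show`; documentation prefixes
# stand in for the thread's masked ones: X = 2001:db8:a::/64 on eth0 (WAN),
# Y = 2001:db8:b:4191::/64 on br-lan (LAN).
SAMPLE = """\
default from 2001:db8:a::/64 via fe80::1 dev eth0  metric 512
2001:db8:a::/64 dev eth0  metric 256
unreachable 2001:db8:a::/64 dev lo  metric 2147483647
2001:db8:b:4191::/64 dev br-lan  metric 1024
2000::/3 via fe80::1 dev eth0  metric 1024
fe80::/64 dev br-lan  metric 256
fe80::/64 dev eth0  metric 256
"""
SKIP = {"unreachable", "anycast", "multicast", "blackhole", "prohibit", "local"}

def parse(text):
    """Split the table into gateway routes and on-link global prefixes."""
    egress, onlink = [], []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] in SKIP or "dev" not in f:
            continue
        dst = ipaddress.ip_network("::/0" if f[0] == "default" else f[0], strict=False)
        if "via" in f:
            # "from P" makes the route source-specific: it only matches
            # packets whose source address lies inside P.
            src = None
            if "from" in f:
                src = ipaddress.ip_network(f[f.index("from") + 1], strict=False)
            egress.append((dst, src))
        elif not dst.is_link_local:
            onlink.append((dst, f[f.index("dev") + 1]))
    return egress, onlink

def egress_by_source(text, probe="2001:db8:ffff::1"):
    """Map each on-link prefix to the gateway routes usable by its hosts.

    probe is a hypothetical global destination used only for prefix matching.
    """
    egress, onlink = parse(text)
    dst = ipaddress.ip_address(probe)
    return {
        f"{prefix} ({dev})": [f"{d} from {s if s is not None else 'any'}"
                              for d, s in egress
                              if dst in d and (s is None or prefix.subnet_of(s))]
        for prefix, dev in onlink
    }

if __name__ == "__main__":
    for source, routes in egress_by_source(SAMPLE).items():
        print(source, "->", routes or "no matching gateway route")
```

When the LAN prefix matches only an unsourced static route while the WAN prefix also matches the source-specific default, the router can forward outbound traffic for both; whether replies to the LAN prefix come back still depends on the upstream routing that prefix to the line.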

Got the following message:

ip: either "to" is duplicate, or "pref" is garbage

I think eth0 and wan are the same, or am I missing something?

DNS is configured correctly. The clients are able to resolve the host as per below. The issue is that ip6 public network is not reachable.

PS C:\Users\Admin> ping -6 google.com

Envoi d’une requête 'ping' sur google.com [2a00:1450:4007:805::200e] avec 32 octets de données :
Impossible de joindre le réseau de destination.

The default route is correct if you can reach the Internet from the router itself, for example running ping -6 openwrt.org on the router CLI. The same default route is used when the router forwards IPv6 traffic from the LAN.

Thanks for the information. The router is able to ping -6, so why aren't the clients able to ping -6 outside of LAN?

It is quite possible your wan is eth0.2

from ssh just use: ip -6 route show

some scripting 🙂

ip -6 route add default via "$(ip -6 route show | awk '{for(i=1;i<NF;i++)if($i=="via"){print $(i+1);exit}}')" dev "$(uci get network.wan.device)" proto static

egc is right; a route should be added to enable clients on lan to reach ipv6 network either with the command egc is suggesting above or using uci as posted in my first post.

I solved the problem, the issue was in my ISP router in the prefix delegation, needed to change the next hop to match the eth0 address of my router (pic below).

[Image: freebox_ip6]

This should also be automatic, if RA is working properly. Of course if you're manually configuring everything, you will need to reconfigure after replacing the router.

