Wan6 DHCPv6 client - cannot access ipv6 from router

Hi.
I'm trying to solve an IPv6 issue with my router.
My ISP uses DHCPv6 to assign an IPv6 address and to delegate a prefix (IPv6-PD).

Network topology:
(Internet)---[ cable modem as bridge ]---[ tl-wr842 openwrt ]---{ lan }

My /etc/config/network is:

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'

config globals 'globals'
	option ula_prefix 'fd5e:5885:3b4::/48'

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.12.1'
	option force_link '0'
	option ip6ifaceid '::1'
	option stp '1'
	option ip6assign '64'

config interface 'wan'
	option ifname 'eth0'
	option proto 'dhcp'
	option peerdns '0'
	option dns '1.1.1.1 1.0.0.1 80.80.80.80 80.80.81.81 8.8.8.8 8.8.4.4 181.213.132.3 181.213.132.2'

config interface 'wan6'
	option proto 'dhcpv6'
	option ifname 'eth0'
	option reqprefix 'auto'
	option peerdns '0'
	option defaultroute '1'
	option dns '2606:4700:4700::1111 2606:4700:4700::1001 2001:4860:4860::8888 2001:4860:4860::8844 2804:14d:1::181:213:132:2 2804:14d:1::181:213:132:3'
	option reqaddress 'try'

config route
	option interface 'lan'
	option target '192.168.12.252'
	option netmask '255.255.255.252'
	option gateway '192.168.12.3'
# ifstatus lan
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 573,
	"l3_device": "br-lan",
	"proto": "static",
	"device": "br-lan",
	"updated": [
		"addresses",
		"routes"
	],
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		{
			"address": "192.168.12.1",
			"mask": 24
		}
	],
	"ipv6-address": [
		
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		{
			"address": "2804:14d:5886:823a::",
			"mask": 64,
			"preferred": 71487,
			"valid": 85887,
			"local-address": {
				"address": "2804:14d:5886:823a::1",
				"mask": 64
			}
		},
		{
			"address": "fd5e:5885:3b4::",
			"mask": 64,
			"local-address": {
				"address": "fd5e:5885:3b4::1",
				"mask": 64
			}
		}
	],
	"route": [
		{
			"target": "fd5e:5885:3b4:b1::",
			"mask": 64,
			"nexthop": "fe80::a221:b7ff:fe68:bd43",
			"source": "::\/0"
		},
		{
			"target": "192.168.12.252",
			"mask": 30,
			"nexthop": "192.168.12.3",
			"source": "0.0.0.0\/0"
		}
	],
	"dns-server": [
		
	],
	"dns-search": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		]
	},
	"data": {
		
	}
}
# ifstatus wan6
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 561,
	"l3_device": "eth0",
	"proto": "dhcpv6",
	"device": "eth0",
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		
	],
	"ipv6-address": [
		{
			"address": "2804:14d:5886:c:16cc:20ff:fe77:aadd",
			"mask": 64,
			"preferred": 604797,
			"valid": 2591997
		},
		{
			"address": "2804:14d:5886:1000:16cc:20ff:fe77:aadd",
			"mask": 64,
			"preferred": 604797,
			"valid": 2591997
		},
		{
			"address": "2804:14d:5886:8000:16cc:20ff:fe77:aadd",
			"mask": 64,
			"preferred": 302397,
			"valid": 604797
		},
		{
			"address": "2804:14d:5886:1000::43c",
			"mask": 128,
			"preferred": 71437,
			"valid": 85837
		}
	],
	"ipv6-prefix": [
		{
			"address": "2804:14d:5886:823a::",
			"mask": 64,
			"preferred": 71437,
			"valid": 85837,
			"class": "wan6",
			"assigned": {
				"lan": {
					"address": "2804:14d:5886:823a::",
					"mask": 64
				}
			}
		}
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "2804:14d:5886:c::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"valid": 2591997,
			"source": "::\/0"
		},
		{
			"target": "2804:14d:5886:1000::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"valid": 2591997,
			"source": "::\/0"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::868a:8dff:fef1:cc19",
			"metric": 512,
			"valid": 1797,
			"source": "2804:14d:5886:c:16cc:20ff:fe77:aadd\/64"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::868a:8dff:fef1:cc19",
			"metric": 512,
			"valid": 1797,
			"source": "2804:14d:5886:1000:16cc:20ff:fe77:aadd\/64"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::868a:8dff:fef1:cc19",
			"metric": 512,
			"valid": 1797,
			"source": "2804:14d:5886:8000:16cc:20ff:fe77:aadd\/64"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::868a:8dff:fef1:cc19",
			"metric": 512,
			"valid": 1797,
			"source": "2804:14d:5886:823a::\/64"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::868a:8dff:fef1:cc19",
			"metric": 512,
			"valid": 1797,
			"source": "2804:14d:5886:1000::43c\/128"
		}
	],
	"dns-server": [
		"2606:4700:4700::1111",
		"2606:4700:4700::1001",
		"2001:4860:4860::8888",
		"2001:4860:4860::8844",
		"2804:14d:1::181:213:132:2",
		"2804:14d:1::181:213:132:3"
	],
	"dns-search": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			"2804:14d:1::181:213:132:2",
			"2804:14d:1::181:213:132:3"
		],
		"dns-search": [
			
		]
	},
	"data": {
		"passthru": "001700202804014d0001000001810213013200022804014d000100000181021301320003"
	}
}
# ping6 -c 5 goo.gl
PING goo.gl (2800:3f0:4001:802::200e): 56 data bytes

--- goo.gl ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

If I try to ping using each of the IPv6 addresses assigned to wan6 as the source address:

# for ip6 in $(ip -6 a show dev eth0|grep inet6|grep -v fe80|awk '{print $2}'|sed 's/\/.*//'); do
> echo "ping goo.gl using wan6 ipv6 addr \"$ip6\"..."
> echo "command: ping6 -c 5 -I $ip6 goo.gl"
> ping6 -c 5 -I $ip6 goo.gl
> echo "------------------------"
> echo
> done
ping goo.gl using wan6 ipv6 addr "2804:14d:5886:8000:16cc:20ff:fe77:aadd"...
command: ping6 -c 5 -I 2804:14d:5886:8000:16cc:20ff:fe77:aadd goo.gl
PING goo.gl (2800:3f0:4001:802::200e) from 2804:14d:5886:8000:16cc:20ff:fe77:aadd: 56 data bytes

--- goo.gl ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
------------------------

ping goo.gl using wan6 ipv6 addr "2804:14d:5886:1000:16cc:20ff:fe77:aadd"...
command: ping6 -c 5 -I 2804:14d:5886:1000:16cc:20ff:fe77:aadd goo.gl
PING goo.gl (2800:3f0:4001:802::200e) from 2804:14d:5886:1000:16cc:20ff:fe77:aadd: 56 data bytes

--- goo.gl ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
------------------------

ping goo.gl using wan6 ipv6 addr "2804:14d:5886:c:16cc:20ff:fe77:aadd"...
command: ping6 -c 5 -I 2804:14d:5886:c:16cc:20ff:fe77:aadd goo.gl
PING goo.gl (2800:3f0:4001:802::200e) from 2804:14d:5886:c:16cc:20ff:fe77:aadd: 56 data bytes

--- goo.gl ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
------------------------

ping goo.gl using wan6 ipv6 addr "2804:14d:5886:1000::43c"...
command: ping6 -c 5 -I 2804:14d:5886:1000::43c goo.gl
PING goo.gl (2800:3f0:4001:810::200e) from 2804:14d:5886:1000::43c: 56 data bytes
64 bytes from 2800:3f0:4001:810::200e: seq=0 ttl=51 time=35.677 ms
64 bytes from 2800:3f0:4001:810::200e: seq=1 ttl=51 time=35.713 ms
64 bytes from 2800:3f0:4001:810::200e: seq=2 ttl=51 time=34.912 ms
64 bytes from 2800:3f0:4001:810::200e: seq=3 ttl=51 time=36.915 ms
64 bytes from 2800:3f0:4001:810::200e: seq=4 ttl=51 time=36.987 ms

--- goo.gl ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 34.912/36.040/36.987 ms
------------------------

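Only the last address works: 2804:14d:5886:1000::43c, the /128 address. The three /64 addresses ending in 16cc:20ff:fe77:aadd all fail.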

# ping6 -c 5 goo.gl
PING goo.gl (2800:3f0:4001:802::200e): 56 data bytes

--- goo.gl ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

# tcpdump -i eth0 icmp6 and host goo.gl
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
18:16:59.478838 IP6 2804:14d:5886:8000:16cc:20ff:fe77:aadd > 2800:3f0:4001:802::200e: ICMP6, echo request, seq 0, length 64
18:17:00.583124 IP6 2804:14d:5886:8000:16cc:20ff:fe77:aadd > 2800:3f0:4001:802::200e: ICMP6, echo request, seq 1, length 64
18:17:01.583558 IP6 2804:14d:5886:8000:16cc:20ff:fe77:aadd > 2800:3f0:4001:802::200e: ICMP6, echo request, seq 2, length 64
18:17:02.583941 IP6 2804:14d:5886:8000:16cc:20ff:fe77:aadd > 2800:3f0:4001:802::200e: ICMP6, echo request, seq 3, length 64
18:17:03.628061 IP6 2804:14d:5886:8000:16cc:20ff:fe77:aadd > 2800:3f0:4001:802::200e: ICMP6, echo request, seq 4, length 64

As we can see, the router is using a bad IPv6 address (one of the /64 addresses that failed above) as the source.

If I add the LAN IPv6 address with a /128 mask (2804:14d:5886:823a::1/128) to the lo interface or to the wan6 interface (eth0 on my router), the ping works:

# ip -6 addr add 2804:14d:5886:823a::1/128 dev lo
# ping6 -c 5 goo.gl
PING goo.gl (2800:3f0:4001:802::200e): 56 data bytes
64 bytes from 2800:3f0:4001:802::200e: seq=0 ttl=52 time=39.625 ms
64 bytes from 2800:3f0:4001:802::200e: seq=1 ttl=52 time=39.247 ms
64 bytes from 2800:3f0:4001:802::200e: seq=2 ttl=52 time=42.857 ms
64 bytes from 2800:3f0:4001:802::200e: seq=3 ttl=52 time=40.032 ms
64 bytes from 2800:3f0:4001:802::200e: seq=4 ttl=52 time=39.513 ms

--- goo.gl ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 39.247/40.254/42.857 ms

# ip -6 addr del 2804:14d:5886:823a::1/128 dev lo
# ip -6 addr add 2804:14d:5886:823a::1/128 dev eth0
# ping6 -c 5 goo.gl
PING goo.gl (2800:3f0:4001:802::200e): 56 data bytes
64 bytes from 2800:3f0:4001:802::200e: seq=0 ttl=52 time=40.212 ms
64 bytes from 2800:3f0:4001:802::200e: seq=1 ttl=52 time=41.171 ms
64 bytes from 2800:3f0:4001:802::200e: seq=2 ttl=52 time=41.930 ms
64 bytes from 2800:3f0:4001:802::200e: seq=3 ttl=52 time=41.022 ms
64 bytes from 2800:3f0:4001:802::200e: seq=4 ttl=52 time=43.957 ms

--- goo.gl ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 40.212/41.658/43.957 ms

My question is:
How can I add this address automatically to the lo interface when the prefix is delegated?
Is it a good idea?
The wan6 IPv6 address changes constantly, and the delegated prefix changes sometimes, so I cannot set it manually.
Thanks.

What is the output of these commands?

ip -6 route get 2001:4860:4860::8888
ip -6 route show default

When you paste them, please confirm if the prefixes/addresses mentioned belong to LAN or WAN6.

# ip -6 route get 2001:4860:4860::8888
prohibit 2001:4860:4860::8888 from :: dev lo proto kernel src 2804:14d:5886:8000:16cc:20ff:fe77:aadd metric 4294967295 error -13 pref medium

# ip -6 route show default
default from 2804:14d:5886:c::/64 via fe80::868a:8dff:fef1:cc19 dev eth0 proto static metric 512 pref medium
default from 2804:14d:5886:1000::43c via fe80::868a:8dff:fef1:cc19 dev eth0 proto static metric 512 pref medium
default from 2804:14d:5886:1000::/64 via fe80::868a:8dff:fef1:cc19 dev eth0 proto static metric 512 pref medium
default from 2804:14d:5886:8000::/64 via fe80::868a:8dff:fef1:cc19 dev eth0 proto static metric 512 pref medium
default from 2804:14d:5886:823a::/64 via fe80::868a:8dff:fef1:cc19 dev eth0 proto static metric 512 pref medium

The source prefix of the last route is the same as my LAN delegated prefix (2804:14d:5886:823a::/64).
On the hosts IPv6 works normally, but the router itself cannot reach anything over IPv6.

I think it is a misconfiguration at my ISP.
Yesterday I installed the latest LEDE version to test. Same problem.
I remember it working some time ago.

Thanks.

I don't see the point of having multiple interfaces on the wan6, especially if all but one are not working. Looks to me more like misconfiguration from your ISP; experimenting with some kind of First Hop Redundancy and sending RAs that are useless.
Have a chat with them, let's see what they say.

I can't see the point in this either.
My ISP's support is horrible. The attendant doesn't know what IPv6 is. I couldn't solve the problem with them; basically it is only a waste of time with modem restarts.
They installed the modem to work as a router, but the cable modem's firewall is very poor. That's why I set the modem to bridge mode, to control it on the router. They don't provide support for "non standard" installations.

I can't find a way to make odhcp6c ignore the RA packets.
So I partially solved the issue by blocking router advertisement packets in the firewall, removing that ICMPv6 type from the rule that accepts ICMPv6 input:

config rule
        option name 'Allow-ICMPv6-Input'  
        ...
        # list icmp_type 'router-advertisement'  #removed
        ...

It works, but after a reboot odhcp6c can still pick up the bad addresses. I guess this happens before the firewall starts blocking the RAs.
After running:

# ifdown wan6 && ifup wan6

the RA packets are blocked.

# ping6 -c 2 goo.gl
PING goo.gl (2800:3f0:4001:805::200e): 56 data bytes
64 bytes from 2800:3f0:4001:805::200e: seq=0 ttl=54 time=16.304 ms
64 bytes from 2800:3f0:4001:805::200e: seq=1 ttl=54 time=17.679 ms

--- goo.gl ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 16.304/16.991/17.679 ms

# ip -6 route show default
default from 2804:14d:5886:1000::43c via fe80::868a:8dff:fef1:cc19 dev eth0 proto static metric 4096 pref medium
default from 2804:14d:5886:823a::/64 via fe80::868a:8dff:fef1:cc19 dev eth0 proto static metric 4096 pref medium

# ip -6 a show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2804:14d:5886:1000::43c/128 scope global dynamic noprefixroute 
       valid_lft 78981sec preferred_lft 64581sec
    inet6 fe80::16cc:20ff:fe77:aadd/64 scope link 
       valid_lft forever preferred_lft forever

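To block RA packets after a reboot as well, I changed the firewall defaults, i.e. the fallback input policy for traffic that no zone or rule has already accepted, from: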

config defaults
        ...
        option input 'ACCEPT'
        ...

to:

config defaults
        ...
        option input 'REJECT'
        ...

Now after reboot I only have valid routes.

Thanks.


Are you still receiving a default IPv6 route after blocking RAs?

If you want to disable SLAAC addresses then you can make the following modification to /lib/netifd/dhcpv6.script
(Maybe this should be made configurable with an uci option.)

Yes, I am, as long as I don't clear the firewall rules (ip6tables -F && ip6tables -X).
I guess the "option input 'REJECT'" is overkill.
I tried blocking only RAs, but after a reboot that doesn't work.

It works well.
Thank you very much.
