WAN6 IP is ULA only

rvs513 · January 2, 2025, 1:43pm

With a new ISP, I new have access to IPv6.
While configuring OpenWrt (23.05.5), I noticed that I get a IPv4 address and a IPv6 address from the ONT as well as a prefix delegation.
But I do not get a 'global/routable' IPv6 address. Is this normal?
How would you assign a global IPv6 address to the WAN interface or is this now a bad practice?

lleachii · January 2, 2025, 1:50pm

Edit the WAN6 interface by adding wan6 to the following:

Screenshot_20250102_084944_Firefox Focus

rvs513 · January 2, 2025, 2:58pm

Thanks! That does seem to enable things.
Ok... Does that mean I assign an address block (/64) to the WAN part?

trendy · January 2, 2025, 3:02pm

This is not correct. The prefix filter by default is fine and should not be changed in wan6.

@rvs513

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall

rvs513 · January 2, 2025, 3:13pm

That is a long list. I have PPPoE connection from the ONT.

{
	"kernel": "5.15.167",
	"hostname": "router",
	"system": "ARMv8 Processor rev 4",
	"model": "Linksys E8450 (UBI)",
	"board_name": "linksys,e8450-ubi",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "mediatek/mt7622",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option delegate '0'
	option ip6hint '2'
	option ip6ifaceid '::1'

config device
	option name 'wan'
	option mtu '1508'

config interface 'wan'
	option device 'wan.6'
	option proto 'pppoe'
	option username 'internet'
	option password 'internet'
	option ipv6 'auto'
	option mtu '1508'

config interface 'WIREGUARD'
	option proto 'wireguard'
	option listen_port ‘x’
	option private_key ‘x’
	list addresses '10.0.0.1/24'

config wireguard_WIREGUARD
	option public_key ‘x’
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option description ‘y’
	list allowed_ips '10.0.0.2/32'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'iot'
	option proto 'static'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'
	option delegate '0'

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'
	list rebind_domain 'dns.msftncsi.com'
	option quietdhcp '1'
	option dnssec '1'
	list notinterface 'wan'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option dhcpv6 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '1h'

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

package firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'WIREGUARD'
	list network 'lan'

config zone
	option name 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'guest'

config rule
	option family 'ipv4'
	list proto 'udp'
	option src 'wan'
	option dest_port ‘x’
	option target 'ACCEPT'
	option name 'wireguard'

config rule
	option name 'guest-dns'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'guest-dhcp'
	option src 'guest'
	option dest_port '67-68'
	option target 'ACCEPT'

config forwarding
	option src 'guest'
	option dest 'wan'

config zone
	option name 'iot'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'
	list network 'iot'

trendy · January 2, 2025, 3:16pm

uci set network.lan.delegate='1'
uci commit network
ifup lan

lleachii · January 2, 2025, 3:45pm

This will give the user an IPv6 address - on WAN?

rvs513 · January 2, 2025, 4:05pm

Just double checking here:
What I would like to understand is if a global ipv6 address is needed on the WAN interface and (if yes) how to enable this on the WAN side.
Currently, I have ipv6 working on the LAN side, but the router WAN interface only has a 'local', non routable address.

mk24 · January 2, 2025, 4:12pm

The WAN should have a GUA as that is the IP used to initiate Internet use from the router itself, such as NTP, VPN terminations, and package downloads.

pppoe should start a wan_6 interface (do not confuse this with wan6) which has a GUA assigned by the ISP and that GUA should be outside the PD prefix.

If the ISP does not support this, you could delegate a /64 onto wan out of the PD. How large is your PD space?

rvs513 · January 2, 2025, 5:26pm

I do get a /48 PD. And I get a wan_6 (with auto, if I set it to ‘1’, I create the wan6 based on @wan) but only a ula. Somehow, no global address by dhcpv6.

_bernd · January 2, 2025, 6:15pm

I would try to set ip6hint to 1 for the wan6 interface.

For routing the router does not need a gua on wan. For routing and next hop a link local address is enough. But as already stated you need a gua to init connections from the router for ntp and other protocols.
You should get a address for wan via dhcpv6 or slaac but if not then set the ip6hint.

trendy · January 2, 2025, 7:38pm

No it is not needed to have a routable IP on the wan6. It is enough to have on the lan interface and can use this one for all the communications.

No, it is for delegating prefix in lan, it was not necessary eventually, but it also doesn't hurt.

lleachii · January 2, 2025, 10:02pm

That's true, I was gonna suggest this if the user only had a /64. Perhaps I've experienced a different use case when needing an IP on wan6.

Thanks for the clarification and Happy New Year!

rvs513 · January 3, 2025, 8:02am

Thanks for the clarification. I guess my ISP does not provide a GUA. If I should need it for something, I just assign an IP group as described here above.

system · January 13, 2025, 8:03am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.