Wiki: Dumb AP: IPv6: Delete ULA or no DNSv6

Proposal:
The Wiki explains how to enable IPv6 connectivity. In that IPv6 section, also explain that network.globals.ula_prefix must be deleted.

Rationale:

  • If the upstream router advertises itself as DNSv6 server, and
  • if that advertisement is not a globally unique IPv6 address but a ULA,

OpenWrt is not able to do DNS queries via IPv6 because that ULA is blocked by OpenWrt default uci get network.globals.ula_prefix (documented here, created here).

My problem:

I do not know how the OpenWrt community documents such things:

  • uci delete network.globals.ula_prefix
    would leave an empty/orphan globals section.
  • uci delete network.globals
    could be too much because there could be a packet_steering option.

Any comments or ideas?
Who is going to fix that; must I invite/mention them or does an editor drop by?

Nitpick:
Ampersands are missing around the value in option reqprefix no. It should be option reqprefix 'no'.

There's no reason I can see to remove the ULA. Clients are going to preferentially use a global (if available) over a ULA.

Yes. However, there is no global. In case of the upstream router AVM FRITZ!Box here in Germany, OpenWrt gets a global IPv6 address (calculated from SLAAC global prefix, optionally from a ULA prefix, and optionally from a stateful DHCPv6) and a ULA DNS address (RDNSS).

My OpenWrt then was not able to do DNS via IPv6 because its ULA was in a different prefix. In other words: When I have the default created ULA prefix, I cannot access my DNS server via IPv6. After removing that ULA prefix, I can. Finally, I do not see any reason why a dumb access point needs its own ULA prefix.

So you're saying that your ISP is giving you v6, but you aren't propagating that down to your clients, so you are global from the router outward but ULA-only from the router inward?

Nope. I am just about the DNS server. I get (two) global IPv6 address(es) as DNS server(s) from my ISP. However, my upstream router, a non-OpenWrt platform, advertises itself as DNS server, as ULA (on default; I could change that) and then proxies any DNS to those upstream servers.

The global IPv6 addresses (and prefixes) I get from my ISP trickle down to my LAN routers and LAN clients as expected. And they work. On default, the AVM FRITZ!Box does not even offer a ULA prefix.

In other words: The IPv6 Router Advertisements contain a prefix and a DNS server. The prefix is global. The DNS server is ULA. Works great … after deleting the ULA prefix in my OpenWrt devices.

Ah...the 'upstream router' part is key here. In your case, if you aren't bridging, yes, the upstream will be running the show and you'll necessarily need to not hand out local prefixes from OpenWRT...but it's not a DNS server issue, just basic networking.

I need not to hand out local prefixes, right. But furthermore DNSv6 did not work with that default prefix. So my proposal would be not just a nice-to-have change.

Why is your dumb AP giving out or using his ULA? I am not getting the openwrt ULA if not enabled via "option ip6assign" at my static lan device.

Having an own ULA different to fritzbox's additionally didn't do any harm to nslookup anyway.
My "Alias LAN interface:dhcpv6@lan" is getting the ULA and the Global address from Fritzbox.

OpenWrt-Xiaomi:~# nslookup www.heise.de fd7x:xxx1
Server:         fd7x::xxx1
Address:        fd7x:xxxx1#53

Name:      www.heise.de
Address 1: 193.99.144.85
Address 2: 2a02:2e0:3fe:1001:7777:772e:2:85

And using the Openwrt as DNS server works too (the fritzbox is his DNS server)

odroid:~$ nslookup www.heise.de fd7x::xxx2
Server:         fd7x::xxx2
Address:        fd7x::xxx2#53

Non-authoritative answer:
Name:   www.heise.de
Address: 193.99.144.85
Name:   www.heise.de
Address: 2a02:2e0:3fe:1001:7777:772e:2:85

fd7x:xxx1 being the Fritzbox and fd7x:xxx2 the Openwrt using the same ULA announced by fritzbox

1 Like

Are you about the ula_prefix=auto created on default or something else? Have a look in Wireshark:

  1. With that ula_prefix, I see only one DNS query over DNSv4.
  2. Without ula_prefix, I see two queries, one over DNSv4 and one over DNSv6; as expected.
  3. Without ula_prefix and without IPv4, I see DNSv6; as expected.
  4. With that ula_prefix and without IPv4 but with IPv6, my OpenWrt did not resolve anything.

The first case can be ignored. However, the fourth case showed me that there is an issue.

On the openwrt device it's

config globals 'globals'
        option ula_prefix 'fd8x::/48'

different than fritzbox's but it's not used anyway. (and using it via 'option ip6assign' didn't do any harm)

There shouldn't be an auto after a restart.
if ula_prefix == auto >> set network.globals.ula_prefix=fd$r1:$r2:$r3::/48

btw. You don't use a fritzbox 6490?

Please, do me a favor and try to reproduce my configuration: fritz.box → Heimnetz → Netzwerk → (tab) Netzwerkeinstellungen → (button) IPv6-Einstellungen → Unique Local Addresses (ULA) zuweisen, solange keine IPv6-Internetverbindung besteht. Now, reboot your OpenWrt and try again the tool nslookup with the ULA of your FRITZ!Box as DNS server.

In other words, my upstream router does not advertise a ULA prefix (just a global prefix and itself as DNS server, which is an ULA). My Dumb AP does not show any ULA for itself, neither in the tool ifconfig nor ifstatus lan6. In the latter, there is one ‘dns-server’, which is the ULA of my upstream router. In my case, AVM uses fd80::<EUI-64>.

When I have that network.globals.ula_prefix, in my case ‘auto’ turned into fd21:9197:cab4::/48, the tool nslookup via DNSv6 fails and there is no traffic in Wireshark. When I uci delete network.globals.ula_prefix, the tool nslookup works via DNSv4 and DNSv6. In the latter case, Wireshark shows DNS traffic between a globally unique IPv6 and a ULA.

Are you able to reproduce that?
Yes, DNS lookup works, if the upstream router hands out an ULA prefix. However, that is not my configuration.

on my dumb Ap

9: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP200> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether xxxxxxx brd ff:ff:ff:ff:ff:ff
    inet 192.168.xxx.xxx/24 brd 192.168.178.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 2003:xxxx:xxxx::xxxx/64 scope global dynamic noprefixroute
       valid_lft 7162sec preferred_lft 1294sec
    inet6 fe80::xxxx/64 scope link
       valid_lft forever preferred_lft forever
root@OpenWrt-Xiaomi:~# nslookup www.heise.de fd78:xxxx:xxxxx::1
Server:         fd78:xxxx:xxxxx::1
Address:        fd78:xxxx:xxxxx::1#53

Name:      www.heise.de
Address 1: 193.99.144.85
Address 2: 2a02:2e0:3fe:1001:7777:772e:2:85

yeah works. Are you using a fritzbox 6490?

1 Like

No.

Stand corrected. There we go! Thank you for the wink. In my OpenWrt distribution, that option is set to '60' on the lan interface. In the tool ifconfig, I get fd21:9197:cab4:10::1/60. Now, two questions arise:

  1. Is the option ip6assign set on default in a vanilla distribution? Yes…
  2. What should be mentioned on the Wiki to be deleted: ip6assign, ula_prefix, or both?

Or am I missing something else? None of those options are mentioned in the current version of that Wiki page for the Dumb AP.

Could you recheck that with and without ULA prefix from the FRITZ!Box?

You are right. Without the ULA-Prefix from the fritzbox, I can't get a connection to my fritzbox's ULA address.

root@OpenWrt-Xiaomi:~# ping fd78:xxxx:xxxxx::1
PING fd78:xxxx:xxxxx::1(fd78:xxxx:xxxxx::1): 56 data bytes
ping: sendto: Permission denied

But I don't know why that should be a problem or an error. I mean that's exactly how ("Unique Local Addresses (ULA) zuweisen, solange keine IPv6-Internetverbindung besteht.") should work. Your fritzbox won't advertise his ULA address and ULA route any more as soon as it gets a global address. So the Dumb-AP doesn't know that there is another network on a different subnet/prefix.
And you don't need the ULA-Address anymore because you would use the global address.

root@OpenWrt-Xiaomi:~# nslookup www.heise.de 2003:xxxx:xxxxx::1
Server:         2003:xxxx:xxxxx::1
Address:        2003:xxxx:xxxxx::1#53

Name:      www.heise.de
Address 1: 193.99.144.85
Address 2: 2a02:2e0:3fe:1001:7777:772e:2:85
root@OpenWrt-Xiaomi:~#
root@OpenWrt-Xiaomi:~# ping 2003:xxxx:xxxxx::1
PING 2003:xxxx:xxxxx::1(2003:xxxx:xxxxx::1): 56 data bytes
64 bytes from 2003:xxxx:xxxxx::1: seq=0 ttl=64 time=1.184 ms

Not sure I understand. The ULA of the advertised DNS server remains an ULA. It does not turn into a global IPv6 address automatically. At least here. Is that different with your FRITZ!Box?

If I cannot connect to that ULA, I do not have DNS – when I do not have a DNSv4 as fallback. Consequently, my proposal to add ‘that’ deletion to the Dumb AP wiki page because it blocks DNS not just theoretically but in real-life situations.

Of course, I could change my local dns-server to the global IPv6 address manually. However, here with my Internet service provider, I get a new IPv6 prefix every 24 hours. Of course, I could … simply delete network.lan.ip6assign and network.globals.ula_prefix.

You are right, I am getting a ULA DNS from fritzbox too, which I can't connect to when I get OpenWRT's own ULA.
bUUUt. The tutorial for the dumb AP says you should have your lan @ dhcp. So it's working how it's described :sweat_smile: Because you wouldn't have the "option ip6assign"

config interface lan
        option type     'bridge'
        option ifname   'eth0 eth1'   # Bridges lan and wan
        option proto    'dhcp'        # Change as appropriate

nvm. wouldn't be bad to have an annotation to disable "option ip6assign" if you use a static ip.

You had ip6assign. I had ip6assign. Actually it was not me, this is a GL.iNet re-distribution device and they still have a ip6assign in the default setup of their ‘Access Point’ mode. A company with more than seven experience in OpenWrt. And we required such a long thread to find the culprit. I think this is worth clarification of that Wiki page, isn’t it? Therefore my proposal stands: delete network.lan.ip6assign and network.globals.ula_prefix.

OK. You are right.

I would prefer changing ip6assign to 0

config interface lan
        option ip6assign 0
        .....

or adding "list ip6class != local" like

config interface lan
        list ip6class 'lan6'  
        .....

For this reason:

It's not required in the config but I would leave it there.

My concern: It is visible via LuCI and could confuse novice IPv6 users. Contra concern: LuCI does not even allow to delete (or add) it. Therefore, it would be work to bring LuCI and UCI on one level again.

+1 for that, because it is not implicit (default) but explicit (value)

Cannot comment on that because (even after reading the Wiki for IPv6) I do not understand what it does. Hopefully someone takes over. I can only suggest.

1 Like
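
The combination this thread narrowed down (the upstream router advertises a ULA as DNS server while the access point still has network.globals.ula_prefix set and a non-zero network.lan.ip6assign), as an added example that is not part of any post. It reads `uci show network` output on stdin and prints the deletions proposed above; the function names and the DNS address fd80::1 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Input: text in `uci show network` format.

# True if the address lies in fc00::/7 (first hextet fcxx or fdxx).
is_ula() {
    case "$(printf '%s' "$1" | tr 'A-F' 'a-f')" in
        f[cd][0-9a-f][0-9a-f]:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the value of one option from `uci show` text on stdin, quotes removed.
uci_value() {
    sed "s/'//g" | awk -F= -v key="$1" '$1 == key { print $2 }'
}

# audit_dumb_ap DNS_ADDR  (reads `uci show network` text on stdin)
# Returns 1 and prints the uci commands proposed in the thread when the
# advertised DNS server is a ULA while the AP has its own ula_prefix and
# a non-zero ip6assign on lan. Returns 0 and prints nothing otherwise.
audit_dumb_ap() {
    dns="$1"
    cfg="$(cat)"
    ula="$(printf '%s\n' "$cfg" | uci_value network.globals.ula_prefix)"
    assign="$(printf '%s\n' "$cfg" | uci_value network.lan.ip6assign)"
    if is_ula "$dns" && [ -n "$ula" ] && [ "${assign:-0}" -gt 0 ]; then
        echo "uci delete network.lan.ip6assign"
        echo "uci delete network.globals.ula_prefix"
        echo "uci commit network"
        return 1
    fi
    return 0
}

# Constructed sample using the option values quoted in the thread.
SAMPLE="network.globals=globals
network.globals.ula_prefix='fd21:9197:cab4::/48'
network.lan=interface
network.lan.proto='static'
network.lan.ip6assign='60'"

# fd80::1 is a constructed stand-in for the DNS server learned via RDNSS.
printf '%s\n' "$SAMPLE" | audit_dumb_ap fd80::1 || echo "matches the failing setup"
```

On a device, feed it live data with `uci show network | audit_dumb_ap <dns-server>`, taking the address from the dns-server entry of `ifstatus lan6`.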

Not absolutely sure but I think it's the allowed prefix when slaac is used for the interface. (and ip6assign is the slaac prefix length used for the interface)
And "local" being the ULA prefix of the device itself. "list ip6class != local" is a little bit misleading.
There has to be list "ip6class = wan6" if you get a PD over wan6 or "ip6class = lan6" if you get a PD over lan6 interface.

Another thing is missing in "Dumb AP" tutorial. You have to disable the multicast querier if your main router is already the querier. (The FritzBox has a querier service running. I think you have "IGMPv2 multicast router 0.0.0.0 ignored" in the Fritzbox log too)
option multicast_querier '0'
I am almost sure that this was mentioned in the old tutorial.
If I have read it correctly there shouldn't be a problem when there are multiple queriers in the network but that's not the case with Fritzbox for example. IPv6 was broken in the LAN till disabling the querier. Maybe because the OpenWRT device announces itself as an IGMPv2 querier but the Fritzbox has an IGMPv3 querier?

Additionally set:
option igmp_v3 '1'
when using:
option igmp_snooping '1'