OpenWrt Forum Archive

Topic: Router not forwarding IPv6 traffic from WAN to LAN

The content of this topic has been archived on 29 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have Linksys WRT45GL, running latest version of Backfire (trunk, r29337 few days old).
I have native IPv6 connectivity from my provider (/64 address space), and want to have IPv6 in my network. Between provider and LAN sits the WRT54GL router, having Backfire (trunk r29337 few days old). I have followed the Wiki and forums here to set up IPv6 successfully on LAN and WAN. But the problem I have is that my OpenWRT router does not want to forward IPv6 traffic between LAN and WAN.

When I do "ping6 ipv6.google.com" from PC in LAN, the ping times-out. The problem seems to be that traffic from WAN is not forwarded to LAN. I am attaching the TCPDUMP traffic dump for pinging ipv6.google.com from local PC later on. Please note that IPv4 is working without problems. This topic is only about IPv6 issue.

In WAN, I have static IPv6 address and static gateway. Provider routes me whole /64 address space. Communication from router to WAN (to the internet) works fine. Even pinging the router's from the internet works.
In LAN, I have static IPv6 address, and RADVD is set up to advertise /64 address space given by the provider to local network. I have a Windows client (tested Ubuntu as well, no difference), which configures itself by autoconfiguration. Communication between the client and router works perfectly, but client cannot communicate with the IPv6 internet.

The topology:

        <Internet>
            |
  +-------------------+
  | provider's router | ------- 2a00:c500:dead:61 (static address)
  +-------------------+               |
                                      | Assigned adress range:
                                      | 2a00:c500:dead:60/60
  +-------------------+               |
  |                  eth0.1 --- 2a00:c500:dead:68 (static address)
  |     my router     | 
  |                  eth0.0 --- 2a00:c500:dead:68:1 (static adress)
  +-------------------+               |
                                      | Advertised address range:
                                      | 2a00:c500:dead:68:/64
  +-------------------+               |
  |     local PC      | ------- 2a00:c500:dead:68:5:5:5:5 (autoconfiguration)
  +-------------------+

Basic TCPDUMP from the router showing both interfaces (eth0.0 and eth0.1) together. I did "ping ipv6.google.com" on local PC. Router sent out the ICMPv6 PING packet ([1] and [2]). But then provider's router asked for the recipient's address ([3], [4] and [5]), but OpenWRT didn't do nothing with these packets (not forwarded, not responded).

[1] 0.00 eth0.0 local-pc.lan > ipv6.google.com
    2a00:c500:dead:68:5:5:5:5 > 2a00:1450:4001:c01::69
    ICMPv6 echo request

[2] 0.01 eth0.1 local-pc.lan > ipv6.google.com
    2a00:c500:dead:68:5:5:5:5 > 2a00:1450:4001:c01::69
    ICMPv6 echo request

[3] 0.10 eth0.1 link-local WAN provider's router > link-local local-pc.lan
    fe80::20c:42ff:fe1e:4710 > ff02::1:ff5:5
    Neighbor solicitation

[4] 1.10 eth0.1 link-local WAN provider's router > link-local local-pc.lan
    fe80::20c:42ff:fe1e:4710 > ff02::1:ff5:5
    Neighbor solicitation

[5] 2.10 eth0.1 link-local WAN provider's router > link-local local-pc.lan
    fe80::20c:42ff:fe1e:4710 > ff02::1:ff5:5
    Neighbor solicitation

Follows the OpenWRT router configuration:

cat /etc/config/network:

#### VLAN configuration
config switch eth0
        option enable   1

config switch_vlan eth0_0
        option device   "eth0"
        option vlan     0
        option ports    "0 1 2 3 5"

config switch_vlan eth0_1
        option device   "eth0"
        option vlan     1
        option ports    "4 5"

#### Loopback configuration
config interface loopback
        option ifname   "lo"
        option proto    static
        option ipaddr   127.0.0.1
        option netmask  255.0.0.0


#### LAN configuration
config interface lan
        option type     bridge
        option ifname   "eth0.0"
        option proto    static
        option ipaddr   …
        option netmask  …
        option ip6addr  "2a00:c500:dead:68::1/64"

#### WAN configuration
config interface        wan
        option ifname   "eth0.1"
        option proto    static
        option ipaddr   …
        option netmask  …
        option gateway  …
        option dns      …
        option ip6addr  "2a00:c500:dead:68::/60"
        option ip6gw    "2a00:c500:dead:61::"

cat /etc/config/radvd
config interface
        option interface        'lan'
        option AdvSendAdvert    1
        option AdvManagedFlag   0
        option AdvOtherConfigFlag 0
        list client             ''
        option ignore           0

config prefix
        option interface        'lan'
        list prefix             '2a00:c500:dead:68::/64
        option AdvOnLink        1
        option AdvAutonomous    1
        option AdvRouterAddr    0
        option ignore           0

config route
        option interface        'lan'
        list prefix             ''
        option ignore           0

ip6tables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

ip -6 addr:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 fe80::c2c1:c0ff:fe99:235f/64 scope link
       valid_lft forever preferred_lft forever
5: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet6 2a00:c500:dead:68::/60 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::c2c1:c0ff:fe99:235f/64 scope link
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet6 2a00:c500:dead:68::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::c2c1:c0ff:fe99:235f/64 scope link
       valid_lft forever preferred_lft forever

ip -6 route:

2a00:c500:dead:68::/64 dev br-lan  proto kernel  metric 256
2a00:c500:dead:60::/60 dev eth0.1  proto kernel  metric 256
fe80::/64 dev eth0  proto kernel  metric 256
fe80::/64 dev br-lan  proto kernel  metric 256
fe80::/64 dev eth0.1  proto kernel  metric 256
default via 2a00:c500:dead:61:: dev eth0.1  metric 1

ip -6 neigh:

2a00:c500:dead:61:: dev eth0.1 lladdr 00:0c:42:1e:47:10 router STALE

cat /etc/sysctl.conf:

kernel.panic=3
net.ipv4.conf.default.arp_ignore=1
net.ipv4.conf.all.arp_ignore=1
net.ipv4.ip_forward=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_ecn=0
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=120
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=0

net.ipv4.netfilter.ip_conntrack_checksum=0
net.ipv4.netfilter.ip_conntrack_max=16384
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3600
net.ipv4.netfilter.ip_conntrack_udp_timeout=60
net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=180
net.ipv6.conf.all.forwarding=1

net.netfilter.nf_conntrack_checksum=0
net.netfilter.nf_conntrack_max=16384
net.netfilter.nf_conntrack_tcp_timeout_established=3600
net.netfilter.nf_conntrack_udp_timeout=60
net.netfilter.nf_conntrack_udp_timeout_stream=180

# disable bridge firewalling by default
net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0

ipconfig on local PC in LAN (Windows):

        IP address . . . . . . . . . . . . : 192.168.1.100
        Network mask . . . . . . . . . . . : 255.255.255.0
        IP address . . . . . . . . . . . . : 2a00:c500:dead:68:5:5:5:5
        IP address . . . . . . . . . . . . : fe80::21a:74ff:fe17:1776%5
        Default gateway  . . . . . . . . . : 192.168.1.1
                                             fe80::c2c1:c0ff:fe99:235f%5

I really appreciate any hint where to go next, because I am totally stuck now. I have found another topics regarding this in the forum, but the solution was nowhere. Thank you in advance for any help.

(Last edited by michal.kocarek on 30 Nov 2011, 04:22)

I have the same problem. I think its because thaere is no ip6 gateway address for the nics. However I am not sure, and I am not sure what it would be even if I am right.
I suspect, using your example, that it should be 2a00:c500:dead:61, but thats just a guess.
I have two problems to solving the this;  not enough time to experiment and availability of the router as its a psuedo-operation setup.

(Last edited by zzz2002 on 30 Nov 2011, 19:04)

zzz2002 wrote:

I have the same problem. I think its because thaere is no ip6 gateway address for the nics.

zzz2002, thanks for even the guess, because I am out of ideas. However, do not understand you properly... What you meant by setting the gateway for the nics? Could you give me any more hint (not asking you for exact place in /etc/config files, but just for hint to application/daemon/protocol, where I should look for?)

Many thanks.

I'm not really sure, but it looks like the 2a00:c500:dead:68::/60 address on interface eth0.1 and the 2a00:c500:dead:68::1/64 on the br-lan interface are both part of the 2a00:c500:dead:60/60 subnet. So your providers router "thinks" the hosts are on his local LAN. Your router should react on neighbor solicitation form the providers router for hosts on your local lan (like proxy-arp in ipv4).

If this is the case, maybe this could help you: http://www.ipsidixit.net/2010/03/24/239/

In short:

sysctl -w net.ipv6.conf.all.proxy_ndp=1
ip -6 neigh add proxy 2a00:c500:dead:68:5:5:5:5 dev eth0.1

(Last edited by Adze on 1 Dec 2011, 00:30)

michal.kocarek wrote:

ipconfig on local PC in LAN (Windows):

        IP address . . . . . . . . . . . . : 192.168.1.100
        Network mask . . . . . . . . . . . : 255.255.255.0
        IP address . . . . . . . . . . . . : 2a00:c500:dead:68:5:5:5:5
        IP address . . . . . . . . . . . . : fe80::21a:74ff:fe17:1776%5
        Default gateway  . . . . . . . . . : 192.168.1.1
                                             fe80::c2c1:c0ff:fe99:235f%5

shouldn't there be  an IPV6  "Default Dateway" address in the 2a00:c500:dead:68.... range. The only addresses are the ipv4 and the LInk Local address.
I have no idea what the address sholuld be or how it would be configured.
Should it perhaps be 2a00:c500:dead:68:1 and what is the ipv6 netmask, do we need a ipv6 netmask? do we need a gateway address?
Or are these handled by some other IPV6 mecanism.

(Last edited by zzz2002 on 1 Dec 2011, 07:25)

zzz2002 wrote:

Should it perhaps be 2a00:c500:dead:68:1 and what is the ipv6 netmask, do we need a ipv6 netmask? do we need a gateway address?
Or are these handled by some other IPV6 mecanism.

A link local address as default-gateway should work fine and is normal behaviour.

Thanks for the hints, but... generally I think the problem is in the router NOT forwarding the packets from WAN to LAN... If you check the tcpdump output in my previous post... You can see that - ICMP packet goes away, and then provider's router asks mine, where to send a reply, but mine does not react to the packet anyhow. And this is the point, where communication stops.

michal.kocarek wrote:

If you check the tcpdump output in my previous post... You can see that - ICMP packet goes away, and then provider's router asks mine, where to send a reply, but mine does not react to the packet anyhow. And this is the point, where communication stops.

Exactly! Your router does not respond to neighbor sollicitations from your providers router, where it should. Have you at least tried my 2 commands. If they don't work you simply reboot your router and changes are disgarded.

Your wan is configured staticly, this means a bit of the usual ipv6 magic does not kick in.
In your wan interface, config set "option send_rs 0", "option accept_ra 1". The default is reversed for static ifaces.

I suspect that my problem and michal.kocarek's are different. I am using a Hurrican Electric 6in4 tunnel, with a routed /48 allocation (2001:470:b182::/48).
I then split this into 4 sub-nets lan (2001:470:b182:10::/64)(192.168.1.1/27), dmz(2001:470:b182:20::/64)(74.116.123.456/28), and wlan(guest)(2001:470:b182:30::/64)(192.168.2.1/28).

I appear to be able to get from each of these without trouble, ping and connections from both lan attached PC or a wlan(guest) at 2001:470:b182:10:abcd:efab:cdef:abcd (the address ia assigned by radvd) to ipv6.google.com work. Similar tests from server 1 at 2001:470:b182:20::10 also work.
HOWEVER, while I can access servers attached to thhe DMZ using IPV4 (74.116.123.456/28) I cannot get from the internet (wan) to the servers attached to dmz using IPV6.

Looking at your ip6tables -L my best guess would be you have to enable the ipv6 FW.

I make some tests with a second OpenWRT instance beyond my first FW.

ipv6 FW disabled, didn't work. ipv6 FW enabled, everything's working fine.

Did you try that?

Check ping6 ipv6.google.com from from the router itself. If that works, fine and first issue solved.
FW issues comes third, after clients are working.
Do you try a tracert6 from a client?

My configuration on my second router to simulate your issue looks like. It didn't work until I add the defaut6 gateway. 

config 'interface' 'lan'
        option 'type' 'bridge'
        option 'proto' 'static'
        option 'ipaddr' '192.168.1.1'
        option 'netmask' '255.255.255.0'
        option 'ip6addr' '2001:dead:beaf:1::1/64'
        option 'ifname' 'eth0 eth2'

config 'interface' 'wan'
        option 'ifname' 'eth1'
        option 'proto' 'static'
        option 'ipaddr' '10.40.1.16'
        option 'netmask' '255.255.255.0'
        option 'gateway' '10.40.1.1'
        option 'dns' '10.40.1.1'
        option 'ip6addr' '2001:dead:beaf::10/64'
        option 'ip6gw' '2001:dead:beaf::1/64'
        option 'send_rs' '0'

config 'route6'
        option 'interface' 'wan'
        option 'target' '::0/0'
        option 'gateway' '2001:dead:beaf::1'

Are you sure that  your ipv6 are correct? I 'm currently on a 2001:dead:beaf::/48 I'l try to test with a /60 subnet.

tom

(Last edited by f41SIXXS on 6 Dec 2011, 22:34)

f41SIXXS wrote:

config 'interface' 'lan'
        option 'type' 'bridge'
        option 'proto' 'static'
        option 'ipaddr' '192.168.1.1'
        option 'netmask' '255.255.255.0'
        option 'ip6addr' '2001:dead:beaf:1::1/64'
        option 'ifname' 'eth0 eth2'

config 'interface' 'wan'
        option 'ifname' 'eth1'
        option 'proto' 'static'
        option 'ipaddr' '10.40.1.16'
        option 'netmask' '255.255.255.0'
        option 'gateway' '10.40.1.1'
        option 'dns' '10.40.1.1'
        option 'ip6addr' '2001:dead:beaf::10/64'
        option 'ip6gw' '2001:dead:beaf::1/64'
        option 'send_rs' '0'

config 'route6'
        option 'interface' 'wan'
        option 'target' '::0/0'
        option 'gateway' '2001:dead:beaf::1'

Are you sure that  your ipv6 are correct? I 'm currently on a 2001:dead:beaf::/48 I'l try to test with a /60 subnet.

tom

ip6gw needs to be a host, not a subnet, so you must not have a prefix there. This should work as well:

config 'interface' 'wan'
        option 'ifname' 'eth1'
        option 'proto' 'static'
        option 'ipaddr' '10.40.1.16'
        option 'netmask' '255.255.255.0'
        option 'gateway' '10.40.1.1'
        option 'dns' '10.40.1.1'
        option 'ip6addr' '2001:dead:beaf::10/64'
        option 'ip6gw' '2001:dead:beaf::1/64'
        option 'send_rs' '0'

Posted a similar problem here. Anyone got it resolved/running?

The discussion might have continued from here.