OpenWrt Forum Archive

Topic: Configuration problem for IPv6 on Barrier Breaker behind a Freebox


I have a config problem for my router running OpenWRT (Barrier Breaker): the router has no problem with IPv6 connections on WAN and LAN, but no way to cross it.

My situation is:

  • Freebox v5 in gateway mode (no router mode) with IPv6 enabled. The OpenWRT router is behind the Freebox, and feeds a switch on which my machines are

  • The wifi is enabled on the router and working properly, with the same IPv6 problem as over Ethernet

  • LAN machines have proper IPv6 addresses, so the announcement is made correctly

  • IPv4 has no problem

In ssh on the router, IPv6 is OK:

  • the router retrieves the settings from the Freebox

  • ping6 ipv6.google.com is OK

  • ping6 to the LAN machines is OK

On machines on the LAN, you can not exit or enter the LAN:

  • ping6 router is OK

  • ping6 ipv6.google.com is NOT OK

  • ping6 to the other LAN machines is OK

My impression is that for IPv6, the LAN and WAN sides do not communicate. From the router itself, I can connect to machines on both sides, but packets from one side cannot pass to the other. Although the router correctly relays to the LAN the IPv6 segment announced by the Freebox (which allows the LAN to have globally routable IPv6 addresses), a setting for connecting LAN and WAN for IPv6 must be missing.

I once had a dd-wrt router, using this with IPv6, and everything worked properly. No way to do the same thing with OpenWRT.

I looked at the OpenWRT docs for IPv6 (network6, odhcpd) but to no avail. So ... help?


Network config of the router

#cat /etc/config/network

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd00:db80::/64'

config interface 'lan'
    option ifname 'eth0.1'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '64'

config interface 'wan'
    option ifname 'eth0.2'
    option proto 'dhcp'

config interface 'wan6'
    option ifname '@wan'
    option proto 'dhcpv6'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '1 2 3 4 5t'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '0 5t'
#cat /etc/config/dhcp

config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option expandhosts '1'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.auto'
    option domain 'local'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv6 'relay'
    option ndp 'relay'
    option ra 'relay'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config dhcp 'wan6'
    option dhcpv6 'relay'
    option ndp 'relay'
    option ra 'relay'
    option master '1'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'

config host
    option name 'arda'
    option mac '00:16:cb:a0:3f:b9'
    option ip '192.168.1.42'

config host
    option name 'serveur'
    option mac '28:92:4a:30:76:67'
    option ip '192.168.1.67'

# and several other machines with fix IPv4
# ifconfig
br-lan    Link encap:Ethernet  HWaddr B0:48:7A:B0:22:9E
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: 2a01:e35:2efc:5cd0:b248:7aff:feb0:229e/64 Scope:Global
          inet6 addr: fe80::b248:7aff:feb0:229e/64 Scope:Link
          inet6 addr: fd00:db80::1/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:152248 errors:0 dropped:0 overruns:0 frame:0
          TX packets:139682 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:103880174 (99.0 MiB)  TX bytes:97079534 (92.5 MiB)

eth0      Link encap:Ethernet  HWaddr B0:48:7A:B0:22:9E
          inet6 addr: fe80::b248:7aff:feb0:229e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12122756 errors:0 dropped:1 overruns:6978 frame:0
          TX packets:11894794 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:932305523 (889.1 MiB)  TX bytes:3662089266 (3.4 GiB)
          Interrupt:4

eth0.1    Link encap:Ethernet  HWaddr B0:48:7A:B0:22:9E
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:150833 errors:0 dropped:0 overruns:0 frame:0
          TX packets:135961 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:103758310 (98.9 MiB)  TX bytes:95539915 (91.1 MiB)

eth0.2    Link encap:Ethernet  HWaddr B0:48:7A:B0:22:9E
          inet addr:82.239.197.205  Bcast:82.239.197.255  Mask:255.255.255.0
          inet6 addr: 2a01:e35:2efc:5cd0:b248:7aff:feb0:229e/64 Scope:Global
          inet6 addr: fe80::b248:7aff:feb0:229e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:133837 errors:0 dropped:0 overruns:0 frame:0
          TX packets:148271 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:93428293 (89.0 MiB)  TX bytes:105547727 (100.6 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:4413 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4413 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:431056 (420.9 KiB)  TX bytes:431056 (420.9 KiB)

wlan0     Link encap:Ethernet  HWaddr B0:48:7A:B0:22:9E
          inet6 addr: fe80::b248:7aff:feb0:229e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1601 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3262 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:160745 (156.9 KiB)  TX bytes:523386 (511.1 KiB)
# brctl show
bridge name      bridge id             STP enabled      interfaces
br-lan           7fff.b0487ab0229e     no               eth0.1
                                                        wlan0

Hello,

Ever found out what the problem was?

I have the same issue. Namely free doesn't do prefix delegation and it doesn't seem like RA relaying is working

mshook wrote:

Ever found out what the problem was?

I have the same issue. Namely free doesn't do prefix delegation and it doesn't seem like RA relaying is working

Nop, the problem is still here : nothing new. Several persons are having the same issue.

Alright I made some progress on that front.

Relaying is working except I only get intermittent IPv6 connectivity from hosts on the LAN.

I found a similar bug reported on github: https://github.com/sbyx/odhcpd/issues/15

(Last edited by mshook on 16 Mar 2015, 21:47)

I am having the same issues.

route -A inet6 returns a list of IP addresses, but no default gateway.
So it cannot simply work.

I wonder why we are using RA relay. With another Freebox and a Debian system, RA packets go through the router and no relay is needed. So the main Freebox is only advertising and all stations receive a unique routable IPv6 address.

(Last edited by gnutella on 22 Mar 2015, 11:41)

gnutella wrote:

I wonder why we are using RA relay. With another Freebox and a Debian system, RA packets go through the router and no relay is needed. So the main Freebox is only advertising and all stations receive a unique routable IPv6 address.

With or without RA relay, the problem is still the same, here hmm

Hello dClauzel.

IMHO the Freebox is SLAAC only and we should concentrate on that without relay.
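SLAAC are UDP port 546 and 547, which should be open, that's all that's needed. [Note: UDP 546/547 are the DHCPv6 client and server ports; SLAAC itself is carried by ICMPv6 Router Solicitation and Router Advertisement messages.]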

The idea of a relay when the Freebox is able to manage everything is quite strange.

(Last edited by gnutella on 22 Mar 2015, 12:10)

It's indeed SLAAC only and the issue is the relay. The bridge/brouter setup was IMHO disgusting but it was working.

Which means our problem lies somewhere in odhcpd because, even though it was made to relay, it obviously doesn't do the right thing.

Yes, the problem is using odhcpd as a relay when no relay is needed and the only requirements are:
* accepting ICMP6 (pings in IPv6).
* opening UDP 546/547 ports.

odhcpd should either be Server or nothing. I wonder what "relay" mode is for.

My OpenWRT only router is down for low memory and I am waiting for a new router to test. But it is working using either Debian or FreeBSD out of the box.

What do you mean "The bridge/brouter setup was IMHO disgusting". Could you point out discussions? We are in IPv6, so the network is widely open. ebtable is the solution for minimal filtering. But this is not related to SLAAC.

(Last edited by gnutella on 23 Mar 2015, 10:56)

I think the bridge/brouter setup isn't great because it's definitely not what you want when you want to interconnect your home network with your ISP.

If all you need is just a bridge, go ahead but I wouldn't call that having a secure system: it's like letting your front door open.

When one looks at all the devices which can be connected on IPv4 (phones, tablets, TVs, media centers, hifi amplifiers, ...) and which aren't secure at all, I certainly don't want them openly exposed on the internet on IPv6.

I have the same argument with NAT: NAT is not firewalling, just look at NAT traversal.

Hi,
I am also a 'Free' customer, and I ultimately got IPv6 to work, thanks to this blog post: http://x0r.fr/blog/12

Maybe some parts can be made differently, but for what I understand :
- the freebox v5 won't let you map your IPv6 network as you wish. It thinks your network will be flat right under it. Freebox v6 has some delegation possibilities it seems.
- the workaround is running a ndp proxy, namely ndppd to let ND/NA message pass.

I also use ravd, I'm not sure it's necessary, but now everything works.

Here's what I basically did :

My prefix is 2a01:e35:2427:6d70::/64
The public gateway on my freebox is 2a01:e35:2427:6d70::1. You can't change it, EVEN if in bridge mode.

1/ install ndppd and ravd.

2/ setup /etc/ndppd.conf :

route-ttl 30000

proxy br-lan {
   router yes
   timeout 500   
   ttl 30000

   rule 2a01:e35:2427:6d70::/126 {
      auto
   }
}

proxy eth0.2 { # eth0.2 is the wan
   router no
   timeout 500
   ttl 30000

   rule 2a01:e35:2427:6d70::/64 {
      auto
   }
}

3/ setup /etc/config/ravd :

config interface
    option interface    'lan'
    option AdvSendAdvert    1
    option AdvManagedFlag    0
    option AdvOtherConfigFlag 0
    list client        ''
    option ignore        0

config prefix
    option interface    'lan'
    # If not specified, a non-link-local prefix of the interface is used
    list prefix        '2a01:e35:2427:6d70::/64'
    option AdvOnLink    1
    option AdvAutonomous    1
    option AdvRouterAddr    0
    option ignore        0

config route
    option interface    'lan'
    list prefix        '2a01:e35:2427:6d70::/64'
    option ignore        0

config rdnss
    option interface    'lan'
    # If not specified, the link-local address of the interface is used
    list addr        '2a01:e35:2427:6d70:1::fe'
    option ignore        0

config dnssl
    option interface    'lan'
    list suffix        ''
    option ignore        1

4/ configure /etc/config/network

config interface 'lan'
       option ifname 'eth0.1'
        ...
    option ip6addr '2a01:e35:2427:6d70:1::fe/64'  # <-- mind the :1::fe !

config interface 'wan'
    option ifname 'eth0.2'
        ...
    option ip6addr '2a01:e35:2427:6d70::2/126'
    option ip6gw '2a01:e35:2427:6d70::1'

That's about it, tell me if it fixes your problem.

Hi,

Thanks for your help cgo, actually I'm on WRT1900 with Chaos Calmer only with Free ISP too.

In CC, radvd has been replaced by 6relayd... and I don't know how to replace it. Maybe you have an idea to fix it ?

Thanks,

Hi,
look at that :

http://wiki.openwrt.org/doc/uci/6relayd says : "6relayd is deprecated since r40893, use odhcpd".

A closer look at odhcpd makes me think it can replace both radvd and ndppd :

http://wiki.openwrt.org/doc/techref/odhcpd says :

1. Router Discovery support
[...]
4. Proxy for Neighbor Discovery messages (solicitations and advertisments)

I did not upgrade to Chaos Calmer yet, I'm waiting for the stable release. So all of this is speculation smile.

Hope this helps...

Hi,

Thanks cgo, you're right,

I think I messed something... because, I've ipV6 on the router but I can't make it work on the LAN side... I really don't know what to do.

I'm on rc3 right now and everything works flawlessly except ipv6 on LAN.

Thank for your answer

Edit : found a dirty way to get it working with CC...

morganfw wrote:

I've tried to reinstall stock firmware from Netgear on my WNDR3700v1, and I've seen that IPv6 pass-through works perfectly and releases IPv6 addresses to my LAN clients.

After some searches, I've found a (maybe dirty) solution to have IPv6 pass-through on my WNDR3700v1 with OpenWrt Chaos Calmer r43341.

- Login to LuCI of OpenWrt via web browser
- Go to System >> Software
- Click on "Update Lists"
- Download and install "kmod-ipv6" and "ebtables" packages

On my WNDR3700v1 WAN device is called "eth1", obtained from Network >> Interfaces page:

- Go to System >> Startup
- Append four lines in Local Startup section (if needed replace eth1 accordingly) before "exit 0" line

# BROUTING verdicts are inverted relative to a normal chain: DROP means "do not
# bridge this frame, hand it to the routing stack". So every non-IPv6 frame that
# arrives on eth1 (the WAN port) is still routed as before, while IPv6 frames are
# bridged. The command after && then adds eth1 to br-lan so bridging can happen.
# NOTE(review): bridged IPv6 frames cross the router at layer 2, so they presumably
# bypass the routed wan->lan IPv6 firewall rules unless bridge netfilter
# (net.bridge.bridge-nf-call-ip6tables) is enabled; LAN hosts then sit directly on
# the ISP segment for IPv6 and need their own host firewall. Verify on your build.
ebtables -t broute -A BROUTING -i eth1 -p ! ipv6 -j DROP && brctl addif br-lan eth1
# accept_ra=2: accept Router Advertisements on br-lan even though forwarding is enabled.
echo 2 > /proc/sys/net/ipv6/conf/br-lan/accept_ra
# Enable IPv6 forwarding on br-lan.
echo 1 > /proc/sys/net/ipv6/conf/br-lan/forwarding

Reboot your router and have fun with your fresh IPv6 pass-through support! smile

(Last edited by yanfox on 29 Jul 2015, 23:24)

I have the same problems, no solution.
Unfortunately, ebroute was removed from OpenWRT staging.

Chaos Calmer is stuck in rc3 (no idea if this is a good news or a bad news), the IPv6 support is supposed to be fixed in this release. So I am still waiting hmm

I think we are close to a solution.
I have a working OpenWRT configuration (on the firewall only) with only static addresses.

We only need to set the addresses on local network and it should work with static addresses.
I am going to set up a page on OpenWRT wiki about the Freebox.

Maybe we should ask information to Illiad using the Freebox channel.
http://dev.freebox.fr/bugs/

(Last edited by gnutella on 13 Aug 2015, 01:05)

I am opening a ticket on Free developer channel to complain about the poor support of IPv6.
I don't think it is solely an OpenWRT issue, several people are complaining about poor IPv6 support.

Here is my current configuration :

I think I gathered the right addresses for FreeBox (v6 in gateway mode), OpenWRT box and local network with public IPs.
I can ping6 all machines, but no connection to the Internet on the local network.

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        # NOTE(review): fe80::/10 is the link-local range, not a ULA; a ULA prefix is
        # taken from fd00::/8 and written with a length (e.g. 'fdxx:xxxx:xxxx::/48' --
        # constructed placeholder). This value also carries no prefix length.
        option ula_prefix 'fe80:ea94:f6ff:febb::'

config interface 'lan'
        option ifname 'eth0.1'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        # NOTE(review): 'proto' is set a second time here with the same value.
        option proto 'static'
        # NOTE(review): the same /64 is used for ip6addr here, for ip6prefix here
        # and on 'wan6', and for wan6's own /126 address, so LAN and WAN overlap
        # on one prefix; confirm which interface is meant to own it.
        option ip6addr '2a01:e35:87d8:xxxx::1:fe/64'
        option ip6prefix  '2a01:e35:87d8:xxxx::/64'
        option ip6gw      '2a01:e35:87d8:xxxx::1'
        option ip6assign '64'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option _orig_ifname 'eth0.2'
        option _orig_bridge 'false'
        option proto 'static'
        option ip6addr    '2a01:e35:87d8:xxxx::2/126'
        option ip6gw      '2a01:e35:87d8:xxxx::1'
        option ip6prefix  '2a01:e35:87d8:xxxx::/64'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 2 3 4 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1'

/etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ra 'relay'
        option ndp 'relay'
        option dhcpv6 'relay'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

config dhcp 'wan6'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'wan6'
        option dhcpv6 'relay'
        option ra relay
        option ndp relay
        option master 1

Cela pinge:

# ping6 2a01:e35:87d8:xxxx::1
PING 2a01:e35:87d8:xxxx::1(2a01:e35:87d8:xxxx::1) 56 data bytes
64 bytes from 2a01:e35:87d8:xxxx::1: icmp_seq=1 ttl=64 time=0.355 ms
64 bytes from 2a01:e35:87d8:xxxx::1: icmp_seq=2 ttl=64 time=0.368 ms
64 bytes from 2a01:e35:87d8:xxxx::1: icmp_seq=3 ttl=64 time=0.332 ms

# ping6 2a01:e35:87d8:xxxx::2
PING 2a01:e35:87d8:xxxx::2(2a01:e35:87d8:xxxx::2) 56 data bytes
64 bytes from 2a01:e35:87d8:xxxx::2: icmp_seq=1 ttl=64 time=0.351 ms
64 bytes from 2a01:e35:87d8:xxxx::2: icmp_seq=2 ttl=64 time=0.318 ms
64 bytes from 2a01:e35:87d8:xxxx::2: icmp_seq=3 ttl=64 time=0.338 ms

Pour moi, il manque juste la propagation de la route.
On doit tout faire passer par 2a01:e35:87d8:xxxx::1 ... qui est l'adresse de la Freebox.

Pour la route, sur le client final :
ip -6 route add default via 2a01:e35:87d8:xxxx::1 ????
Mais cela ne fonctionne pas.

Ma table de routage sur le client :

/sbin/route -A inet6
Table de routage IPv6 du noyau
Destination                    Next Hop                   Flag Met Ref Use If
2a01:e35:87d8:xxxx::/64        ::                         U    256 1     1 eth0
fe80::/64                      ::                         U    256 0     0 eth0
::/0                           2a01:e35:87d8:xxxx::1      UG   100 4     0 eth0
::/0                           ::                         !n   -1  1 57942 lo
::1/128                        ::                         Un   0   11   110 lo
2a01:e35:87d8:xxxx::3/128      ::                         Un   0   1     6 lo
fe80::5642:49ff:fe87:xxxx/128  ::                         Un   0   1     4 lo
ff00::/8                       ::                         U    256 1     0 eth0
::/0                           ::                         !n   -1  1 57942 lo

Mais je n'arrive pas à pinger une adresse ipv6 du type ipv6.google.com

(Last edited by gnutella on 13 Aug 2015, 02:22)

Bon, j'ai réussi, en fait c'est assez simple.
Mais il faut une Freebox v6 révolution, qui annonce le Nexthop, c'est à dire où s'arrête la route de la Freebox et où commence celle d'OpenWRT.
C'est OpenWRT le routeur et NON la Freebox.
En fait, chacun fait son travail ...

Donc dans l'interface mafreebox.free.fr, j'ai mis :
Nexthop: fe80::ea94:f6ff:febb:ae16

Ensuite, j'ai déclaré mon PC en utilisant Network manager, avec l'adresse publique 2a01:e35:87d8:xxxx::3 , mais le gateway :
2a01:e35:87d8:xxxx::2 (OpenWRT) et non la Freebox.

J'arrive à pinger Google:
ping6 2a00:1450:4007:806::1000

J'arrive à pinger ma station de travail depuis mon serveur online.net:

ping6 2a01:e35:87d8:xxxx::3
PING 2a01:e35:87d8:xxxx::3(2a01:e35:87d8:xxxx::3) 56 data bytes
64 bytes from 2a01:e35:87d8:xxxx::3: icmp_seq=1 ttl=58 time=32.6 ms
64 bytes from 2a01:e35:87d8:xxxx::3: icmp_seq=2 ttl=58 time=30.3 ms
64 bytes from 2a01:e35:87d8:xxxx::3: icmp_seq=3 ttl=58 time=30.5 ms

(Last edited by gnutella on 13 Aug 2015, 02:55)

So now, to what extent is OpenWRT filtering incoming IPV6 connections?

(Last edited by gnutella on 13 Aug 2015, 02:55)

Marvelous, OpenWRT seems to filter all incoming connections.

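Example: on the station, all ports are open (note that `iptables -L` below lists only the IPv4 rules; the IPv6 rules are listed by `ip6tables -L`):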

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination    

Now, remotely, using nmap:
nmap -PN -6 2a01:e35:87d8:xxxx::3

Starting Nmap 6.47 ( http://nmap.org ) at 2015-08-13 01:58 CEST
Nmap scan report for 2a01:e35:87d8:xxxx::3
Host is up (0.067s latency).
All 1000 scanned ports on 2a01:e35:87d8:xxxx::3 are closed

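All ports are closed ... Note that nmap reports a port as "closed" when the probe is answered with a reset, which also happens when the host is reachable and simply has nothing listening on that port; a firewall that silently drops would show "filtered" instead. To confirm that the router is the one filtering, repeat the scan against a port where a service is actually listening on the station.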

Clap ... clap ... clap

(Last edited by gnutella on 13 Aug 2015, 03:14)

With the Freebox v6 Nexthop setting, we don't need RA crap or other mechanisms to announce the default route.
Once Nexthop is configured on the Freebox Revolution, OpenWRT can do everything.

Internet IPv6 <=> OpenWRT NextOp <= Station

And we only need to service IPs by DHCP ...

I am trying to configure IPv6  in OpenWRT:

config host
        option name 'back'
        option mac 'd0:50:99:xxxx:xx'
        option ip '192.168.x.xx'

Is there a way to serve IPv6 entries to my hosts using DNSMASQ?

(Last edited by gnutella on 13 Aug 2015, 03:15)

@gnutella Merci smile J'ai fait des tests sur CC rc-3 sans succès... le fait est que je n'ai pas de v6 mais une V5 (Alicebox en fait) donc pour la config du nexthop... je repasserai sad

So OpenWrt filters IPv6 traffic? We need to open ports?

Edit : Just added my 2 cents on the ticket tongue

(Last edited by yanfox on 13 Aug 2015, 11:44)