Topic: odhcpd doesn't assign public prefix to lan

The content of this topic has been archived on 23 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Page 1 of 1

Post #1

Octet

22 Mar 2016, 23:49

Hello,

I'm running a Linksys WRT1200AC with OpenWrt Chaos Calmer 15.05.1.

Yesterday, I asked my ISP to configure IPv6 for me and soon I was assigned a public IPv6 address. Unfortunately though, my clients aren't assigned global IPv6 at all. Luckily, at least my router can resolve and ping IPv6 addresses.

The system log prints the following message once in a while:

daemon.warn odhcpd[950]: A default route is present but there is no public prefix on br-lan thus we don't announce a default route!

Therefore I concluded, that odhcpd does not assign a public prefix to my lan. Obviously the lan tries to announce a default route, but since there is no prefix, it can't. The ip6assign seems to be on the right place. Is there a problem with the size of the range the ISP is assigning me; can I assign a /64 subnet even though me ISP is only assigning a /64 to me?

Another weird thing I stumbled across is the private adress (not link local) my ISP is assigning me. Does this have any use or is it a misconfiguration on my part?

Maybe some of you know how to fix this. Any help is highly appreciated!

/etc/config/dhcp

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option leasetime '24h'
        option limit '100'
        option ra 'server'
        option dhcpv6 'server'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

/etc/config/network

config interface 'lan'
        option ifname 'eth1'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option ip6hint 'abcd'

config interface 'wan'
        option ifname 'eth0'
        option _orig_ifname 'eth0'
        option _orig_bridge 'false'
        option proto 'pppoe'
        option username 'XXX'
        option password 'XXX'
        option demand '0'
        option ipv6 '1'
        option peerdns '0'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'

# ifconfig

br-lan    Link encap:Ethernet  HWaddr AA:AA:AA:AA:AA:AA
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::c256:27ff:fe74:8a7b/64 Scope:Link
          inet6 addr: fd00:ae42:65b:abcd::1/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:425428 errors:0 dropped:29 overruns:0 frame:0
          TX packets:876145 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:34584634 (32.9 MiB)  TX bytes:1134165053 (1.0 GiB)

pppoe-wan Link encap:Point-to-Point Protocol
          inet addr:000.000.000.000  P-t-P:000.000.000.000  Mask:255.255.255.255
          inet6 addr: fe80::f97e:ede4:6524:3605/10 Scope:Link
          inet6 addr: 2000:0000:0000:0000:0000:0000:0000:0001/64 Scope:Global
          inet6 addr: fd00:1:0:9c:f97e:ede4:6524:3605/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1452  Metric:1
          RX packets:850837 errors:0 dropped:0 overruns:0 frame:0
          TX packets:401507 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:1114794155 (1.0 GiB)  TX bytes:32407100 (30.9 MiB)

Post #2

cvmiller

23 Mar 2016, 04:22

Yeah, you have problems.

pppoe-wan Link encap:Point-to-Point Protocol
inet addr:000.000.000.000 P-t-P:000.000.000.000 Mask:255.255.255.255
inet6 addr: fe80::f97e:ede4:6524:3605/10 Scope:Link
inet6 addr: 2000:0000:0000:0000:0000:0000:0000:0001/64 Scope:Global
inet6 addr: fd00:1:0:9c:f97e:ede4:6524:3605/64 Scope:Global

They are feeding you some strange stuff.
* the 2000:0000:0000:0000:0000:0000:0000:0001/64 is _very_ suspect. I am unaware that is even allocated by IANA
* the FD00 addrees is not a Global address, it is a ULA.

So I don't know how you are ping6-ing anywhere. Can you show us your routing table? 'ip -6 route'

Post #3

Octet

23 Mar 2016, 09:37

Hello, thanks for replying!

I actually cencored the IP in order to protect my gateway. I have no idea if that was dangerous to make it public.

When I still tried to get the routing table as root to show you, the console said

~# ip
-ash: ip: not found

The ip package seems to be missing in the repository, if I'm correct.

~# opkg list | grep ip
ip6tables - 1.4.21-1
iptables - 1.4.21-1
kmod-ip6tables - 3.18.23-1
kmod-ipt-conntrack - 3.18.23-1
kmod-ipt-core - 3.18.23-1
kmod-ipt-nat - 3.18.23-1
kmod-ipv6 - 3.18.23-1
kmod-nf-ipt - 3.18.23-1
kmod-nf-ipt6 - 3.18.23-1
libip4tc - 1.4.21-1
libip6tc - 1.4.21-1
libjson-script - 2015-11-08-10429bccd0dc5d204635e110a7a8fae7b80d16cb
luci-lib-ip - git-16.018.33482-3201903-1
luci-proto-ipv6 - git-16.018.33482-3201903-1

However, the iw package is installed

~# opkg list | grep iw
iw - 3.17-1
libiwinfo - 2015-06-01-ade8b1b299cbd5748db1acf80dd3e9f567938371
libiwinfo-lua - 2015-06-01-ade8b1b299cbd5748db1acf80dd3e9f567938371

IPv6 ping runs successfully

~# ping -6 ipv6.google.com
PING ipv6.google.com (2a00:1450:400c:c04::64): 56 data bytes
64 bytes from 2a00:1450:400c:c04::64: seq=0 ttl=53 time=39.149 ms
64 bytes from 2a00:1450:400c:c04::64: seq=1 ttl=53 time=39.298 ms
64 bytes from 2a00:1450:400c:c04::64: seq=2 ttl=53 time=38.707 ms
^C
--- ipv6.google.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 38.707/39.051/39.298 ms

Like I said, IPv6 seems to be assigned correctly to my gateway, but it won't assign IPs to my clients.

Post #4

cvmiller

23 Mar 2016, 16:49

That's odd.

I have two routers running, one 15.05 and the other 15.05.1 and 'ip' is available for both. I assume that you did an update
opkg update

The route table shows how forwarding decisions are made. Since you can ping6 from the router, but not a downstream client (on the LAN), it is useful to see the route table.

I find ip to be more readable than the route command (which is an older commad). But you can display the route table with route
route -A inet6 -n -e

Lastly, you may want to sniff your eth0 interface on your Belkin and look for the DHCPv6 request and response. Inside the response, you should see the PD information if it is there.

Kind of hard to see with tcpdump, but here's what mine looks like:

11:31:53.765909 IP6 (hlim 1, next-header UDP (17) payload length: 96) fe80::501d:3262:46f1:1c0c.dhcpv6-client > ff02::1:2.dhcpv6-server: [udp sum ok] dhcp6 solicit (xid=513856 (elapsed-time 0) (option-request SIP-servers-domain SIP-servers-address DNS-server DNS-search-list NTP-server opt_56 opt_64 opt_67 opt_82 opt_83 opt_94 opt_95 opt_96) (client-ID hwaddr type 1 0024a5f107ca) (reconfigure-accept) (Client-FQDN) (IA_PD IAID:1 T1:0 T2:0))
11:31:53.776178 IP6 (hlim 65, next-header UDP (17) payload length: 101) fe80::2a0:a512:85:2940.dhcpv6-server > fe80::501d:3262:46f1:1c0c.dhcpv6-client: [udp sum ok] dhcp6 advertise (xid=513856 (client-ID hwaddr type 1 0024a5f107ca) (server-ID vid 000005834a4e3132) (IA_PD IAID:1 T1:43200 T2:69120 (IA_PD-prefix 2607:c000:8000:a0f4::/64 pltime:86400 vltime:86400)[|dhcp6ext]))

Note the IA_PD-prefix near the end.

Post #5

Octet

23 Mar 2016, 19:22

Here we go, thanks for reminding me of updating the list. I switched over to 15.05.1 a few days ago. The ip package was installed successfully.

~# ip -6 route
default from 2a02:ac62:352:500::/64 via fe80::207:dff:fe91:701b dev pppoe-wan  proto static  metric 512
default from fd00:1:0:9c::/64 via fe80::207:dff:fe91:701b dev pppoe-wan  proto static  metric 512
2a02:ac62:352:500::/64 dev pppoe-wan  proto static  metric 256
fd00:1:0:9c::/64 dev pppoe-wan  proto static  metric 256
fd00:ae42:65b::/64 dev br-lan  proto static  metric 1024
unreachable fd00:ae42:65b::/48 dev lo  proto static  metric 2147483647  error -101
fe80::/64 dev eth0  proto kernel  metric 256
fe80::/64 dev br-lan  proto kernel  metric 256
fe80::/64 dev wlan1  proto kernel  metric 256
fe80::/64 dev wlan0  proto kernel  metric 256
fe80::/10 dev pppoe-wan  metric 1
fe80::/10 dev pppoe-wan  proto kernel  metric 256

The best I could get with tcpdump after setting up eth0 was the following

~# tcpdump -n -i eth0 ip6
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:04:31.146898 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 3 group record(s), length 68
19:04:31.286873 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 3 group record(s), length 68
tcpdump: pcap_loop: The interface went down
2 packets captured
2 packets received by filter
0 packets dropped by kernel

As you see, the interface goes down a few times until it stabilizes. How did you capture your packages?

I'm really glad about your help, otherwise I'd be stuck without IPv6.

Something I don't quite get is the fact that I seem to be able to use IPv6 on the router, but the br-lan interface isn't assigned a public IPv6. If the gateway has IPv6 on wan but not on lan, wouldn't that mean there's something wrong with my odhcpd config? Or is it even possible to assign the lan a /64 block if the wan itself is assigned a /64? Wouldn't I need a /60 at least here?

Post #6

cvmiller

24 Mar 2016, 00:12

Glad you got 'ip' installed. I find the routing table easier to read.

I wouldn't mess with your config until we figure out what the ISP is sending you. Just for the record, I just flashed a TP-Link router yesterday with 15.05.1, and without doing _anything_ to the config it successfully DHCPv6-PD'd a prefix from my upstream router (I have a /56 from my ISP), and hosts on the "LAN" get globally routable IPv6 addresses.

So a couple things about the routing table, then I'll talk about the tcpdump.
I am going to put some numbers next to your table and comment on them:

1 default from 2a02:ac62:352:500::/64 via fe80::207:dff:fe91:701b dev pppoe-wan  proto static  metric 512
2 default from fd00:1:0:9c::/64 via fe80::207:dff:fe91:701b dev pppoe-wan  proto static  metric 512
3 2a02:ac62:352:500::/64 dev pppoe-wan  proto static  metric 256
4 fd00:1:0:9c::/64 dev pppoe-wan  proto static  metric 256
5 fd00:ae42:65b::/64 dev br-lan  proto static  metric 1024

Line 1: This looks good, you got a prefix from your ISP, and the upstream router is fe80:...701b
Line 2: This is a little odd, in that it looks like they are also sending you a ULA with the same upstream router 701b. Not sure why they would do this.
Line 3: This is the subnet of the prefix the ISP gave you, good.
Line 4: This is the ULA subnet of the prefix the ISP gave you, So so.
Line 5: This is a red herring. In LuCI, under the LAN interface->IPv6 near the bottom you will see the value of fd00:ae42:656b:: as a ULA to use. So this is coming from YOUR router not the ISP. Personally, I find it a bit confusing that OpenWRT defaults to advertising a ULA inside you LAN. I blank out this field, and the ULA is gone.

The reason I wanted you to sniff (tcpdump) on eth0 rather than the pppoe interface was because I wanted you to capture the entire pppoe negotiations, and right after that you should see the DHCPv6 request and response. Unfortunately, what you have are a couple of MLD reports. Not all that helpful.

The easiest way to capture everything, is to bounce the pppoe interface. Now that you have 'ip' you can do this by:
ip link set dev pppoe-wan down
ip link set dev pppoe-wan up

With any luck, pppoe should renegotiate, and if you start tcpdump before this, you should capture all of the startup (clearly you are going to need 2 logins into the router to do this). Make sure you use tcpdump with -vvv in order to see the decoded DHCPv6 response.

I suspect that the ISP is not sending you DHCPv6-PD response. That is they are not giving you a prefix to use in your LAN. Is this a real ISP, or just an enterprise (like a university) which supports IPv6? Until you get globally routable prefix on your LAN, your hosts on the LAN will go no where on IPv6 (another good reason to get rid of the ULA).

If you are stuck with only a /64 from your ISP, it isn't the end of the world. There are couple of ways to "extend" that /64 into your LAN. But before we go there. Let's see if you can capture the DHCPv6 request and response with tcpdump. Or ask your ISP if they support DHCPv6-PD.

(Last edited by cvmiller on 24 Mar 2016, 00:13)

Post #7

Octet

24 Mar 2016, 01:47

Hi, thanks for the explanation. I disabled ULA for now. If the IPv6 is set up correctly, I should be able to communicate using global addresses anyway.

I ran tcpdump and got the following:

~# tcpdump -n -vvv -i pppoe-wan ip6
tcpdump: listening on pppoe-wan, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
00:53:58.251918 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 8) fe80::e917:8581:95e2:6902 > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 8
00:54:02.294867 IP6 (class 0xe0, hlim 255, next-header ICMPv6 (58) payload length: 88) fe80::207:dff:fe91:701b > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 88
        hop limit 64, Flags [none], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s
          mtu option (5), length 8 (1):  1452
            0x0000:  0000 0000 05ac
          prefix info option (3), length 32 (4): 2a02:ac62:352:500::/64, Flags [onlink, auto], valid time 2592000s, pref. time 604800s
            0x0000:  40c0 0027 8d00 0009 3a80 0000 0000 2a02
            0x0010:  0ab8 0201 0600 0000 0000 0000 0000
          prefix info option (3), length 32 (4): fd00:1:0:a1::/64, Flags [onlink, auto], valid time 2592000s, pref. time 604800s
            0x0000:  40c0 0027 8d00 0009 3a80 0000 0000 fd00
            0x0010:  0001 0000 00a1 0000 0000 0000 0000
00:54:02.329971 IP6 (hlim 1, next-header Options (0) payload length: 36) fe80::e917:8581:95e2:6902 > ff02::16: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener report v2, 1 group record(s) [gaddr ff02::2 to_ex { }]
00:54:02.370111 IP6 (hlim 1, next-header UDP (17) payload length: 110) fe80::e917:8581:95e2:6902.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=5aa921 (elapsed-time 1520) (option-request SIP-servers-domain SIP-servers-address DNS-server DNS-search-list SNTP-servers NTP-server AFTR-Name opt_67 opt_82 opt_83 opt_94 opt_95 opt_96) (client-ID hwaddr type 1 c05627748a7b) (reconfigure-accept) (Client-FQDN) (IA_NA IAID:1 T1:0 T2:0) (IA_PD IAID:1 T1:0 T2:0))
00:54:03.089939 IP6 (hlim 1, next-header Options (0) payload length: 36) fe80::e917:8581:95e2:6902 > ff02::16: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener report v2, 1 group record(s) [gaddr ff02::2 to_ex { }]
00:54:18.351263 IP6 (class 0xe0, hlim 255, next-header ICMPv6 (58) payload length: 88) fe80::207:dff:fe91:701b > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 88
        hop limit 64, Flags [none], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s
          mtu option (5), length 8 (1):  1452
            0x0000:  0000 0000 05ac
          prefix info option (3), length 32 (4): 2a02:ac62:352:500::/64, Flags [onlink, auto], valid time 2592000s, pref. time 604800s
            0x0000:  40c0 0027 8d00 0009 3a80 0000 0000 2a02
            0x0010:  0ab8 0201 0600 0000 0000 0000 0000
          prefix info option (3), length 32 (4): fd00:1:0:a1::/64, Flags [onlink, auto], valid time 2592000s, pref. time 604800s
            0x0000:  40c0 0027 8d00 0009 3a80 0000 0000 fd00
            0x0010:  0001 0000 00a1 0000 0000 0000 0000
00:54:18.849988 IP6 (hlim 1, next-header UDP (17) payload length: 110) fe80::e917:8581:95e2:6902.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=5aa921 (elapsed-time 3168) (option-request SIP-servers-domain SIP-servers-address DNS-server DNS-search-list SNTP-servers NTP-server AFTR-Name opt_67 opt_82 opt_83 opt_94 opt_95 opt_96) (client-ID hwaddr type 1 c05627748a7b) (reconfigure-accept) (Client-FQDN) (IA_NA IAID:1 T1:0 T2:0) (IA_PD IAID:1 T1:0 T2:0))

To me it seems like my provider doesn't support DHCPv6-PD. To be honest, its a small austrian buisness provider. They support net neutrality though, that's why I mainly chose them.

~# ifstatus wan6
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 907,
        "l3_device": "pppoe-wan",
        "proto": "dhcpv6",
        "device": "pppoe-wan",
        "metric": 0,
        "delegation": true,
        "ipv4-address": [

        ],
        "ipv6-address": [
                {
                        "address": "2a02:ac62:352:500:e917:8581:95e2:6902",
                        "mask": 64,
                        "preferred": 604758,
                        "valid": 2591958
                },
                {
                        "address": "fd00:1:0:a1:e917:8581:95e2:6902",
                        "mask": 64,
                        "preferred": 604758,
                        "valid": 2591958
                }
        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "2a02:ac62:352:500::",
                        "mask": 64,
                        "nexthop": "::",
                        "metric": 256,
                        "valid": 2591958,
                        "source": "::\/0"
                },
                {
                        "target": "fd00:1:0:a1::",
                        "mask": 64,
                        "nexthop": "::",
                        "metric": 256,
                        "valid": 2591958,
                        "source": "::\/0"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::207:dff:fe91:701b",
                        "metric": 512,
                        "valid": 1758,
                        "source": "2a02:ac62:352:500:e917:8581:95e2:6902\/64"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::207:dff:fe91:701b",
                        "metric": 512,
                        "valid": 1758,
                        "source": "fd00:1:0:a1:e917:8581:95e2:6902\/64"
                }
        ],
        ...
}

As far as I can tell, ipv6-prefix would not be empty if the prefix delegation worked correctly here.

~# ifstatus lan
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 1589,
        "l3_device": "br-lan",
        "proto": "static",
        "device": "br-lan",
        "updated": [
                "addresses"
        ],
        "metric": 0,
        "delegation": true,
        "ipv4-address": [
                {
                        "address": "192.168.1.1",
                        "mask": 24
                }
        ],
        "ipv6-address": [

        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [

        ],
        ...
}

Also, ipv6-prefix-assignment would not be empty in lan status as well.

When trying to switch over relay mode (SLACC it's called?) it wouldn't work until I replaced the wan6 dhcp config interface option from 'wan6' to 'wan'.

/etc/config/dhcp

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option leasetime '24h'
        option limit '100'
        option dhcpv6 'disabled'
        option ra 'relay'
        option ndp 'relay'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config dhcp 'wan6'
        option interface 'wan'
        option dhcpv6 'disabled'
        option ra 'relay'
        option ndp 'relay'
        option master '1'

That's when I finally ended up having a global IPv6 on my lan.

~# ip addr show
...
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether c0:56:27:74:8a:7b brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd00:1:0:a1:e1fb:10c2:53f6:90a7/64 scope global noprefixroute dynamic
       valid_lft 2591995sec preferred_lft 604795sec
    inet6 2a02:ac62:352:500:e1fb:10c2:53f6:90a7/64 scope global noprefixroute dynamic
       valid_lft 2591995sec preferred_lft 604795sec
    inet6 fe80::c256:27ff:fe74:8a7b/64 scope link
       valid_lft forever preferred_lft forever
...
9: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1452 qdisc fq_codel state UNKNOWN group default qlen 3
    link/ppp
    inet /my/public/ipv4 peer 112.52.16.32/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
    inet6 fd00:1:0:a1:e1fb:10c2:53f6:90a7/64 scope global noprefixroute dynamic
       valid_lft 2591995sec preferred_lft 604795sec
    inet6 2a02:ac62:352:500:e1fb:10c2:53f6:90a7/64 scope global noprefixroute dynamic
       valid_lft 2591995sec preferred_lft 604795sec
    inet6 fe80::e1fb:10c2:53f6:90a7/10 scope link
       valid_lft forever preferred_lft forever

My phone (Android) now gets assigned 2 global addresses and 2 ULAs, while my workstation (Windows 8.1) seems not to get any.
What does the noprefixroute keyword tell us?

Btw, when I asked my ISP to activate a /64 IPv6 block for me, they said they assigned me a /60 block, but pppoe would connect to a /64 block. What does that mean? Should I simply ask them to extend my block to /62 or /60?

Post #8

cvmiller

24 Mar 2016, 02:56

Wow, Octet that is a lot of good info.

Yes, I agree that if you were getting PD, then you _should_ see it in 'ifstatus lan' . I see it on mine. I don't think they are sending you a /60 (or at least correctly doing so). When I do a 'ifstatus wan6' I see:

    "ipv6-prefix": [
        {
            "address": "2607:c000:8124:ca00::",
            "mask": 56,
            "preferred": 85763,
            "valid": 85763,
            "class": "wan6",
            "assigned": {
                "lan": {
                    "address": "2607:c000:8124:ca00::",
                    "mask": 60
                }
            }
        }

I would expect to see "mask":60 on yours if they were really sending down a /60.

I know that sbyx has done some really nice work in odhcpd to support relay mode, but I have found it intermittent in my testing. I don't have windows machines, so I can't speak to why your windows machine is not picking up a prefix.

You are going to need DHCPv6 for your windows machine (it is how it gets IPv6 DNS). You config should look like this:

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option leasetime '24h'
        option limit '100'
        option dhcpv6 'relay'
        option ra 'relay'
        option ndp 'relay'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config dhcp 'wan6'
        option interface 'wan'
        option master '1'

If you can't get prefix delegation from your ISP to work, you may want to look at v6brouter project I wrote:
https://github.com/cvmiller/v6brouter

It bridges IPv6 while continuing to NAT/route IPv4.

I did find a bug in that it drops the wireless interface from the bridge. I am testing a fix now. Should have it updated tomorrow.

As for what the ISP is saying. I think they are saying that although they hand you a /60, your PPPoE will look like a /64. But unfortunately, you still haven't captured the DHCPv6 transaction (you have a couple of RAs), although it looks like PD is not being sent. Did you ask them why they are sending down a ULA?

The noprefixroute is normal. It is a flag that is used to say "set this route to the prefix of the interface, not /128"

Post #9

Octet

25 Mar 2016, 22:08

So I contacted my ISP and asked them if they had running a DHCPv6-PD server. They told me that there's only SLAAC and therefore there would be no prefix. Moreover, they assigned me a full /60 block with my PPPoE connection using the /64. It seems like I am intended to delegate other /64 to my lans. In general, I didn't think that was possible.

I still tried to use the 'ip6prefix' keyword on my wan6 interface with the result that there suddenly appeared an IPv6-prefix on my wan. (The reqprefix also prevents my router from asking for a prefix)

/etc/config/network

config interface 'lan'
        option ifname 'eth1'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '64'

config interface 'wan'
        option ifname 'eth0'
        option proto 'pppoe'
        option username 'xxx'
        option password 'xxx'
        option demand '0'
        option ipv6 '1'
        option peerdns '0'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'no'
        option ip6prefix '2a02:ac62:352:501::/64'

# ifstatus wan6

{
        "ipv6-address": [
                {
                        "address": "2a02:ac62:352:500:5031:ca1f:9670:c279",
                        "mask": 64,
                        "preferred": 604723,
                        "valid": 2591923
                },
                {
                        "address": "fd00:1:0:a1:5031:ca1f:9670:c279",
                        "mask": 64,
                        "preferred": 604723,
                        "valid": 2591923
                }
        ],
        "ipv6-prefix": [
                {
                        "address": "2a02:ac62:352:501::",
                        "mask": 64,
                        "class": "wan6",
                        "assigned": {
                                "lan": {
                                        "address": "2a02:ac62:352:501::",
                                        "mask": 64
                                }
                        }
                }
        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "2a02:ac62:352:500::",
                        "mask": 64,
                        "nexthop": "::",
                        "metric": 256,
                        "valid": 2591923,
                        "source": "::\/0"
                },
                {
                        "target": "fd00:1:0:a1::",
                        "mask": 64,
                        "nexthop": "::",
                        "metric": 256,
                        "valid": 2591923,
                        "source": "::\/0"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::207:dff:fe91:701b",
                        "metric": 512,
                        "valid": 1723,
                        "source": "2a02:ac62:352:500:5031:ca1f:9670:c279\/64"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "fe80::207:dff:fe91:701b",
                        "metric": 512,
                        "valid": 1723,
                        "source": "fd00:1:0:a1:5031:ca1f:9670:c279\/64"
                }
        ],
}

Using the 'ip6assign' keyword it was finally possible to get an IPv6-prefix-assignment on the lan side.

# ifstatus lan

{
        "ipv4-address": [
                {
                        "address": "192.168.1.1",
                        "mask": 24
                }
        ],
        "ipv6-address": [

        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [
                {
                        "address": "2a02:ac62:352:501::",
                        "mask": 64
                }
        ],
}

Unfortunately, I run into trouble when it comes to actually using the IPv6. It doesn't really seem like I can manage to get a connection using v6. I found out that running stateful + stateless mode causes some clients to have 3 IPv6s. 1 IP for DHCP and 2 for SLAAC (some kind of protection mechanism).

/etc/config/dhcp

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option leasetime '24h'
        option limit '100'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

But now I can't even ping an IPv6 system with my router anymore.

# ping -6 ipv6.google.com

PING ipv6.google.com (2a00:1450:400c:c04::8a): 56 data bytes
ping: sendto: Permission denied

Here is some more detail. Do you know where I am stuck?

# ip addr show

6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether c0:56:27:74:8a:7b brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 2a02:ac62:352:501::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::c256:27ff:fe74:8a7b/64 scope link
       valid_lft forever preferred_lft forever
9: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1452 qdisc fq_codel state UNKNOWN group default qlen 3
    link/ppp
    inet mypublicipv4 peer 213.235.234.26/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
    inet6 fd00:1:0:a1:5031:ca1f:9670:c279/64 scope global noprefixroute dynamic
       valid_lft 2591919sec preferred_lft 604719sec
    inet6 2a02:ac62:352:500:5031:ca1f:9670:c279/64 scope global noprefixroute dynamic
       valid_lft 2591919sec preferred_lft 604719sec
    inet6 fe80::5031:ca1f:9670:c279/10 scope link
       valid_lft forever preferred_lft forever

# ip -6 route

default from 2a02:ac62:352:500::/64 via fe80::207:dff:fe91:701b dev pppoe-wan  proto static  metric 512
default from fd00:1:0:a1::/64 via fe80::207:dff:fe91:701b dev pppoe-wan  proto static  metric 512
2a02:ac62:352:500::/64 dev pppoe-wan  proto static  metric 256
2a02:ac62:352:501::/64 dev br-lan  proto static  metric 1024
unreachable 2a02:ac62:352:501::/64 dev lo  proto static  metric 2147483647  error -101
fd00:1:0:a1::/64 dev pppoe-wan  proto static  metric 256
fe80::/64 dev br-lan  proto kernel  metric 256
fe80::/64 dev eth0  proto kernel  metric 256
fe80::/64 dev wlan1  proto kernel  metric 256
fe80::/64 dev wlan0  proto kernel  metric 256
fe80::/10 dev pppoe-wan  metric 1
fe80::/10 dev pppoe-wan  proto kernel  metric 256

Your project btw looks really nice. I don't know if its what I need though. One thing I noticed is that its super well documented.

Post #10

cvmiller

26 Mar 2016, 01:52

Wow, that is a lot of good info. Let me digest it a bit.

I have never done a ping -6, only used ping6. Could it be your DNS is not resolving. Have you tried ping6 a direct IPv6 address from a router? Google.com
ping6 2607:f8b0:400a:802::200e

I don't think you need the v6brouter either, since you have a /60, and can distribute the other prefixes to your LAN.

Post #11

Octet

26 Mar 2016, 10:34

DNS seems to be working correctly on router and all clients.

# ping6 ipv6.google.com
PING ipv6.google.com (2a00:1450:4014:80b::200e): 56 data bytes
ping6: sendto: Permission denied

Maybe something with the routes doesnt work? (see table in previous post)

wan has assigned 2a02:ac62:352:500::/64
lan has assigned 2a02:ac62:352:501::/64
(look at the last 4 bits)

Another obstacle might be the firewall

/etc/config/firewall

config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option src_ip           fe80::/10
        option src_port         547
        option dest_ip          fe80::/10
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# include a file with users custom iptables rules
config include
        option path /etc/firewall.user

# allow IPsec/ESP and ISAKMP passthrough
config rule
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT

Post #12

cvmiller

26 Mar 2016, 16:43

Octet,

I have been thinking there _may_ be an easy way out of this. There is a ULA blank in LuCI where you can put in a ULA address to announce to your LAN. There is no restriction on what kind of address you put in (after all ULAs are not really private addresses. In the config it looks like:

/etc/config/network
config globals 'globals'
option ula_prefix '2a02:ac62:352:501::/64'

But perhaps this isn't required if your clients are already getting this prefix.

It _is_ possible that your firewall is blocking you. If have found the default firewall to work correctly. A quick way to check is to flush the firewall tables:
ip6tables -F
ip6tables -P FORWARD ACCEPT

Lastly, it _could_ be your routing table is not right. Any chance I can see that? Easier to read with 'ip' (opkg install ip)
ip -6 route

Post #13

Octet

26 Mar 2016, 17:55

Hi,

RFC defines ULA to be in fc00::/7, so if the client software works correctly it should ignore such ULA announcement.

I flushed the firewall, ran your command and it turned out not to work.

Here is my routing table, I'm pretty sure the problem is located just around these lines:

# ip -6 route

default from 2a02:ac62:352:500::/64 via fe80::207:dff:fe91:701b dev pppoe-wan  proto static  metric 512
default from fd00:1:0:a1::/64 via fe80::207:dff:fe91:701b dev pppoe-wan  proto static  metric 512
2a02:ac62:352:500::/64 dev pppoe-wan  proto static  metric 256
2a02:ac62:352:501::/64 dev br-lan  proto static  metric 1024
unreachable 2a02:ac62:352:501::/64 dev lo  proto static  metric 2147483647  error -101
fd00:1:0:a1::/64 dev pppoe-wan  proto static  metric 256
fe80::/64 dev br-lan  proto kernel  metric 256
fe80::/64 dev eth0  proto kernel  metric 256
fe80::/64 dev wlan1  proto kernel  metric 256
fe80::/64 dev wlan0  proto kernel  metric 256
fe80::/10 dev pppoe-wan  metric 1
fe80::/10 dev pppoe-wan  proto kernel  metric 256

Post #14

cvmiller

26 Mar 2016, 20:40

Hmm, the routing table looks OK.

ULA announcements will not be ignored by clients, it is just that it isn't supposed to be routed onto the internet. I was only suggesting using that config to announce a "real" global address rather than a ULA.

And flushing the ip6tables means that your problem isn't with the firewall. I am wondering if for some reason forwarding is not enabled.

I have a static HE tunnel setup, and I am thinking you don't have the LAN prefix defined in the right spot (it seems like you would do that in LAN, but actually it seems to want it in the WAN portion of /etc/config/network

Take a look at the wiki for static IPv6 config (which is what you are doing):
https://wiki.openwrt.org/doc/uci/networ … connection

Post #15

Octet

27 Mar 2016, 11:26

Hello,

I checked the forwarding, this is the output:

# cat /etc/sysctl.conf | grep ipv6
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1

The networking config seems right to me. I set up dhcpv6 on wan and added a prefix as explained in the wiki 'network configuration' page: 'Use an (additional) user-provided IPv6 prefix for distribution to clients'
Next, I am delegating that prefix using the 'ip6assign' keyword as explained in the 'OpenWrt native IPv6-stack' wiki page. According to ipstatus that prefix gets delegated correctly, and all my clients receive an IP with that prefix, too. I can ping within my lan network, but if I try to get to the wan side, it won't let me.

I'm not that good at routing tables, could you tell me where it says that packages targeted at my manually added lan prefix (501) will be shown the right way? Again, pppoe-wan is assigned 2a02:ac62:352:500::/64, br-lan is assigned 2a02:ac62:352:501::/64.
Won't I need a

default from 2a02:ac62:352:501::/64 via fe80::207:dff:fe91:701b dev pppoe-wan  proto static  metric 512

then?

//EDIT//
The syslog is full with messages of

kern.debug kernel: [67863.003655] icmp6_send: no reply to icmp error

(Last edited by Octet on 27 Mar 2016, 12:38)

Post #16

cvmiller

27 Mar 2016, 17:39

OK, sounds like you are making progress (except actually forwarding the packets).

Routing is done on destination only, So you wouldn't have a route that says "from". It selects the longest (in prefix length) best match. When no other entries match, it punts the packet along the default route (the route of last resort).

I am wondering if upstream, really isn't ready to accept your "501" network. I'd be curious if you ran traceroute6 on two things:
1) from your router (to say google.com)
2) from a host on your LAN (to google.com).

I am only interested in the first couple of hops. I am wondering if you are actually making it past your router, but the upstream router (in your ISP) is not accepting the packets, or possibly, they don't have a route back to your '501' network, which means packets could go out, but never make it back to you.

While think this through, you could sniff your pppoe-wan interface (with tcpdump) and ping from a LAN host (say to google.com). That would prove if your ICMPv6 packets are actually being forwarded by your router. If they are, then the problem is upstream, and it is time to talk to your ISP again.

Post #17

Octet

27 Mar 2016, 18:28

Traceroute from Router

# traceroute6 ipv6.google.com
connect: Permission denied

Traceroute from Client

traceroute to ipv6.google.com (2a00:1450:4014:80b::200e), 30 hops max, 80 byte packets
 1  2a02:ac62:352:501::1 (2a02:ac62:352:501::1)  1.700 ms !N  2.291 ms !N  3.402 ms !N

When I traceroute from client and sniff on client, tcpdump captures

19:18:46.528388 IP6 2a02:ac62:352:501::1 > 2a02:ac62:352:501:221:85ff:fe7d:e39c: ICMP6, destination unreachable, unreachable route 2a00:1450:4014:80b::200e, length 88

When I traceroute from client and sniff pppoe-wan on router, tcpdump doesn't capture anything.

When I traceroute from router and sniff pppoe-wan on router, tcpdump doesn't capture anything either. Instead I'm shown another

# traceroute6 ipv6.google.com
connect: Permission denied

As far as I can rate this output it's a problem on my part.

Again, cvmiller, thanks for taking that time to help me. I am very pleased to get help!

Post #18

cvmiller

27 Mar 2016, 23:58

OK, I agree, your router is NOT forwarding packets.

And I was wrong, I went back and looked at my HE tunnel router, and it does say:

default from 2001:470:1d:585::/64 dev 6in4-henet  proto static  metric 5000

So Yes, you do need a route for your LAN pointing to your default. I have this section in my /etc/config/network:

config route6
    option interface 'lan'
    option target '2001:470:1d:585::/64'
    option metric '1024'
    option mtu '1280'

Sorry it took me so long to twig on this. I am hopeful that this will allow your packets to roam the internet.

Post #19

Octet

28 Mar 2016, 10:28

I played around with the routing config and ended up with

config 'route6'
        option interface 'lan'
        option target '::/0'
        option gateway 'fe80::207:dff:fe91:701b'
        option metric '1024'

Now I have a

default via fe80::207:dff:fe91:701b dev br-lan  proto static  metric 1024

entry in my ip -6 route table.

This will cause the route of any packet on lan to my ISP if no other route is available. Am I getting it correctly?

Also, whenever pinging via IPv6, I'm not shown the 'Permission denied' message, instead I would not receive any packets at all.

5 packets transmitted, 0 packets received, 100% packet loss

tcpdump on router br-lan, ping ipv6.google.com via router

11:15:37.022127 IP6 2a02:ac62:352:501::1 > ff02::1:ff91:701b: ICMP6, neighbor solicitation, who has fe80::207:dff:fe91:701b, length 32
11:15:45.878415 IP6 2a02:ac62:352:501:c124:e5a1:7bbc:2a37.58416 > 2a01:100:1027:1::515e:33ca.80: Flags [S], seq 1278912568, win 8192, options [mss 1392,nop,wscale 8,nop,nop,sackOK], length 0
11:15:45.878475 IP6 fe80::c256:27ff:fe74:8a7b > 2a02:ac62:352:501:c124:e5a1:7bbc:2a37: ICMP6, redirect, 2a01:100:1027:1::515e:33ca to fe80::207:dff:fe91:701b, length 120
11:15:46.014269 IP6 2a02:ac62:352:501::1 > 2a02:ac62:352:501:c124:e5a1:7bbc:2a37: ICMP6, destination unreachable, unreachable address 2a01:100:1027:1::515e:33ca, length 80

tcpdump on router br-lan, ping ipv6.google.com via client host

11:18:41.424416 IP6 2a02:ac62:352:501:c124:e5a1:7bbc:2a37 > ff02::1:ff74:8a7b: ICMP6, neighbor solicitation, who has fe80::c256:27ff:fe74:8a7b, length 32
11:18:41.424502 IP6 fe80::c256:27ff:fe74:8a7b > 2a02:ac62:352:501:c124:e5a1:7bbc:2a37: ICMP6, neighbor advertisement, tgt is fe80::c256:27ff:fe74:8a7b, length 32
11:18:41.425311 IP6 2a02:ac62:352:501:c124:e5a1:7bbc:2a37 > 2a00:1450:4014:80a::200e: ICMP6, echo request, seq 50, length 40
11:18:41.425380 IP6 fe80::c256:27ff:fe74:8a7b > 2a02:ac62:352:501:c124:e5a1:7bbc:2a37: ICMP6, redirect, 2a00:1450:4014:80a::200e to fe80::207:dff:fe91:701b, length 128
11:18:44.424199 IP6 2a02:ac62:352:501::1 > 2a02:ac62:352:501:c124:e5a1:7bbc:2a37: ICMP6, destination unreachable, unreachable address 2a00:1450:4014:80a::200e, length 88

While pinging, there does not seem to happen any activity on pppoe-wan. I captured it seperately, and it won't show any traffic.

Post #20

cvmiller

28 Mar 2016, 17:05

Rats, that default route isn't quite right.

default via fe80::207:dff:fe91:701b dev br-lan proto static metric 1024

You need the default to point to the next hop (the ISP router) via the WAN interface (eth1?).

Perhaps (for now) delete that config, and put the route in manually from the CLI.

ip route add default via fe80::207:dff:fe91:701b dev pppoe-wan

I believe that is the link-local of your upstream router

Then ping from the client on the LAN, and see if it works. then we can work on the UCI config.

Post #21

Octet

29 Mar 2016, 19:04

Hello cvmiller, you managed to get IPv6 support for my network! I want to say thank you.
I can now ping hosts via IPv6 globally on my lan clients.

LAN is on eth1
WAN is on eth0

Do you think the config should change from 'lan' to 'wan'?

config 'route6'
       option interface 'wan'
       option target '::/0'
       option gateway 'fe80::207:dff:fe91:701b'
       option metric '1024'

Post #22

cvmiller

30 Mar 2016, 02:11

Hey that is great news! Good to hear it is working (finally).

I would "try" the config shown (with the 'wan'), and save, and reboot. See how the route shows up with 'ip -6 route'. I am not a UCI expert, but it "looks" right.

Let me know, I want to learn too!

Post #23

Octet

30 Mar 2016, 15:32

Hello cvmiller,

I now replaced 'lan' with 'wan', rebooted and it worked just as if I executed the command you gave me. Thank you a lot!

So what did the trick? If our provider does not delegate a prefix to us via DHCPv6-PD, we first need to delegate a custom prefix to the lan interface with 'ip6prefix' (on wan) and 'ip6assign' (on lan). Then, we only need to set up routing correctly in order to tell the router to also consider the new network prefix.

A last little question I couldn't find anything about: The routing table says something about "default from ...". I think this is actually blocking my new network prefix from using this default route, since it would only allow packets from the specified pefix to pass through. I couldn't find any option in 'ip route add' to set something like this up. Do you maybe know where the 'from' option is derived from?

Post #24

cvmiller

31 Mar 2016, 16:56

Octet,

Thanks for filling me on the UCI part of the solution.

Yes, when a provider doesn't use DHCPv6-PD, there is a bunch of static stuff that needs to be setup. This is why providers (in north america, anyway) are moving to DHCPv6-PD.

I haven't dealt with the 'from' part of routing before with /sbin/ip. There is a reference in the man page:

              from SELECTOR
                     the same syntax as for to, but it binds the source
                     address range rather than destinations.  Note that the
                     from option only works with cloned routes.

It appears to be a source filter, and once the packet matches the source filter, only then is the route (in your case a default route) is used. I have never used it, because i was always interested in having all packets use a default route. But I can see where there might be situations where you have 2 ISPs and you want to push some traffic to one ISP, and other traffic to the other ISP.

Again, glad to hear you got it working. Enjoy the future of the internet with IPv6

The discussion might have continued from here.

Page 1 of 1