OpenWrt Forum Archive

Topic: IPv6 on Guest Network

The content of this topic has been archived on 27 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I'm having a problem getting IPv6 working on my guest WiFi network. Clients aren't being issued with an IPv6 address.

IPv6 is working properly on my LAN and Private WIFI network. (LAN and Private WiFI are bridge).

Here's my /etc/config/network file (redacted and unneeded info removed)

config interface 'loopback'
    <snip>

config globals 'globals'
    option ula_prefix 'fda2:5dc3:8b24::/48'

config interface 'lan'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option ipaddr '192.168.100.1'
    option ip6assign '64'
    option ip6hint 'abcd'
    option _orig_ifname 'eth0.1 wlan0 wlan1'
    option _orig_bridge 'true'
    option ifname 'eth0.1'

config interface 'wan'
    option proto 'dhcp'
    option _orig_ifname 'eth0.2'
    option _orig_bridge 'true'
    option ifname 'eth0.2'

config interface 'wan6'
    option _orig_ifname 'eth0.2'
    option _orig_bridge 'false'
    option proto 'aiccu'
    option username 'XXX'
    option password 'XXX'
    option tunnelled 'XXX'
    option ip6prefix '2a01:348:250::/48'
    option heartbeat '1'
    option nat '0'
    option ip6addr '2a01:348:6:3a9::2'
    option verbose '0'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'
    option mirror_source_port '0'
    option mirror_monitor_port '0'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option vid '1'
    option ports '0t 2 3 4 5'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '0t 1'
    option vid '2'

config interface 'Guest'
    option type 'bridge'
    option _orig_ifname 'wlan0-1 wlan1-1'
    option _orig_bridge 'true'
    option proto 'static'
    option ipaddr '10.0.0.1'
    option netmask '255.255.255.0'
    option ip6assign '64'
    option ip6hint 'ffff'

And my /etc/config/dhcp

config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.auto'
    option localservice '1'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv6 'server'
    option ra 'server'
    option ra_management '2'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'

config dhcp 'Guest'
    option start '100'
    option limit '150'
    option interface 'Guest'
    option leasetime '1h'
    list dhcp_option '6,8.8.8.8,8.8.4.4'
    list dhcp_option '15,guest.lan'
    option ra 'server'
    option dhcpv6 'server'
    option ra_management '2'

And my /etc/config/firewall

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'wan wan6'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fe80::/10'
    option src_port '547'
    option dest_ip 'fe80::/10'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config rule
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config include 'miniupnpd'
    option type 'script'
    option path '/usr/share/miniupnpd/firewall.include'
    option family 'any'
    option reload '1'

config zone
    option output 'ACCEPT'
    option name 'Guest'
    option network 'Guest'
    option input 'REJECT'
    option forward 'REJECT'

config rule
    option target 'ACCEPT'
    option proto 'tcp udp'
    option dest_port '67-68'
    option name 'Guest DHCP'
    option src 'Guest'

config forwarding
    option dest 'wan'
    option src 'Guest'

config forwarding
    option dest 'wan'
    option src 'lan'

config rule
    option enabled '1'
    option target 'ACCEPT'
    option src 'Guest'
    option family 'ipv6'
    option proto 'udp'
    option dest_port '546-547'
    option name 'Allow Guest DHCPv6'

What have I missed?

Many thanks.

Just to add, IPv4 is working correctly on the guest network. Also, here is my ifstatus wan6 output

{
    "up": true,
    "pending": false,
    "available": true,
    "autostart": true,
    "uptime": 2300,
    "l3_device": "aiccu-wan6",
    "proto": "aiccu",
    "updated": [
        "addresses",
        "routes",
        "prefixes"
    ],
    "metric": 0,
    "delegation": true,
    "ipv4-address": [
        
    ],
    "ipv6-address": [
        {
            "address": "2a01:348:6:3a9::2",
            "mask": 128
        }
    ],
    "ipv6-prefix": [
        {
            "address": "2a01:348:250::",
            "mask": 48,
            "class": "wan6",
            "assigned": {
                "lan": {
                    "address": "2a01:348:250:abcd::",
                    "mask": 64
                },
                "Guest": {
                    "address": "2a01:348:250:ffff::",
                    "mask": 64
                }
            }
        }
    ],
    "ipv6-prefix-assignment": [
        
    ],
    "route": [
        {
            "target": "::",
            "mask": 0,
            "nexthop": "::",
            "source": "2a01:348:250::\/48"
        },
        {
            "target": "::",
            "mask": 0,
            "nexthop": "::",
            "source": "::\/128"
        },
        {
            "target": "::",
            "mask": 0,
            "nexthop": "::",
            "source": "2a01:348:6:3a9::2\/128"
        }
    ],
    "dns-server": [
        
    ],
    "dns-search": [
        
    ],
    "inactive": {
        "ipv4-address": [
            
        ],
        "ipv6-address": [
            
        ],
        "route": [
            
        ],
        "dns-server": [
            
        ],
        "dns-search": [
            
        ]
    },
    "data": {
        
    }
}

You need to allow input of ICMP for guest zone to let IPV6 work.

config rule
    option target 'ACCEPT'
    option family 'ipv6'
    option src 'Guest'
    option proto 'icmp'
    option name 'Allow guest ICMP input'

And you do not need dhcpv6 on a guest network. It can be disabled.

(Last edited by Pilot6 on 23 Mar 2017, 14:51)

hi tellytart,

I guess Pilot6 meant the ICMP protocol (not IGMP). And he's right that it has to be unblocked by the firewall for IPv6 to work.

Just like to add that you're using option ra_management '2'. While this is fine for Windows and other clients that speak DHCPv6 (apple?), you'll experience that several other operating systems won't achieve IPv6 connectivity with this setting. Examples are Android and google devices like chromebook, chromecast, and some unix distros.

Here's a summary of the ra_management options in terms of client compatibility:
0: SLAAC addressing enabled, managed (DHCPv6) addressing disabled: Broad device and operating system support, including Windows and Android.
1: both SLAAC and managed addresses enabled: Same broad device/OS support plus managed addresses for those that implement a DHCPv6 client (Ex.: Windows).
2: SLAAC disabled, managed addr enabled: Scarce device/OS support. Devices that can't speak DHCPv6 (like most Android devs) will not be able to configure their IPv6 addresses, thus will use IPv4 only.

Edit: Added example OS to options.

(Last edited by AndreL on 23 Mar 2017, 14:55)

Oh, IGMP was a typo. The rule is about ICMP.

I noticed that Windows and Android work perfectly with SLAAC. DHCPv6 is not well supported by Android.
Especially for a guest network I do not see a reason to have a stateful DHCP. The 0 option is perfect IMHO.

Although I am a big SLAAC proponent, Windows won't get DNS information from SLAAC. As long as your running dual-stack it should work fine. But if you want the Windows machines to get DNS via IPV6, you will need to run DHCPv6 on the guest network.

ra_management=0 is still fine for Windows hosts, since it does not completely disable the DHCPv6 server. It clears the M flag in the RA instead. The DHCPv6 server still provides the DNS address when queried by the Windows host.

ra_management does not control the O-bit, apparently it is always turned on, which is why Windows machines _may_ still get DNS info from the DHCPv6 server.

From:
https://wiki.openwrt.org/doc/techref/odhcpd

ra_management    integer    1            RA management mode
        0: no M-Flag but A-Flag, 1: both M and A, 2: M but not A

I think they're calling the O-bit as A-Flag.

That's not what the Dev told me. He said the O-bit was always set to on. You can change the setting, and check with rdisc6 util (on a linux box) which will show the status of the M and O bits.

The discussion might have continued from here.