Joined: 18 Mar 2014 Posts: 12837 Location: Netherlands
Posted: Mon Jan 30, 2023 11:10 Post subject:
My WAN gets a global scope address, but only if IPv6 works. If it does not work (e.g. if I have IPv6 disabled but I have WireGuard enabled, which loads the IPv6 kernel modules, I have a local scope address but no internet and no global scope address). Router: R7800
Edit: I use WireGuard with IPv6 to connect to my router from the internet, DDNS gives the WAN (eth0) IP address as IPv6 address to connect and that works when used in my WG client.
Joined: 01 Dec 2021 Posts: 289 Location: Maryland, United States
Posted: Mon Jan 30, 2023 16:22 Post subject:
Mile-Lile wrote:
try just to accept all icmpv6 with:
Code:
ip6tables -A INPUT -p icmpv6 -j ACCEPT
and on ipv6 page of ddwrt GUI don't touch prefix length... leave it to default (/64) and see if that helps...
For Comcast, the prefix length needs to be 64, and I have always set it at 64. For Verizon FiOS the prefix length needs to be set at 56. The code you suggested did not work and in fact eliminated the WAN IPv6. As previously stated, Verizon FiOS IPv6 currently works with no firewall script and with this addition to dnsmasq:
no-resolv
no-negcache
server=1.1.1.1
server=8.8.8.8
server=2606:4700:4700::1111
server=2001:4860:4860::8888
local=/rover2155.local/
expand-hosts
domain-needed
dhcp-range=::1000,::FFFF,constructor:br0,ra-stateless,ra-names,12h
ra-param=br0,10,300
enable-ra
Joined: 01 Dec 2021 Posts: 289 Location: Maryland, United States
Posted: Fri Mar 10, 2023 14:33 Post subject:
An update: I still cannot get a LAN IPv6 address with Comcast, and other DD-WRT users such as citiot are having the same problem. IPv6 with Comcast works with Netgear firmware and with other router manufacturers. I hope a solution can be found to get DD-WRT to work with Comcast IPv6.
Posted: Mon Mar 13, 2023 6:52 Post subject: Same problem here on r51617 and r51935
I have an Asus RT-AC68U and have similar problems. I haven't tested the newest couple builds to be fair, but both r51617 and r51935 seemed to be problematic for me.
I had to use the same firewall commands to enable IPv6 for the WAN as the parent poster. Depending on the settings added, I did seem to have an IPv6 address for LAN devices, but then the test sites that let you know IPv6 was functioning would fail (e.g. https://test-ipv6.com/index.html.en_US). And IPv6 only sites did not seem to load either. So I downgraded to r51040 (picked a random build before the parent poster reported experiencing problems) and I think mostly things are working with Comcast.
On r51040, I have a WAN IPv6 address from Comcast without doing anything other than enabling IPv6, enabling prefix delegation (64), and I ended up disabling radvd and instead enabling those Dnsmasq settings also suggested by the OP (I think once I enabled static DNS for IPv6 something got funky so I switched to using the Dnsmasq advanced settings).
What's weird is I swear what my client devices reported for IP and DNS were the same on r51040 as the newer builds I tested, but wouldn't IPv6 stuff actually load if everything was fully functional??? Again, I get what seems to be a global IPv6 address for devices on the newer builds but something is clearly failing in... I am not sure how to put it... routing to the actual clients. Could be a firewall issue given I needed to add special rules to even get a WAN IP on those builds. I am largely a novice when it comes to IPv6 and know I had this working for a while, but it seems like the incantation has slightly changed over time as DD-WRT has improved their IPv6 code. I don't mind using r51040 for a while but it would be nice to be able to upgrade to a newer build at some point.
Posted: Thu Apr 13, 2023 7:21 Post subject: I think I got things working
Having tested these configs quite a bit, I think a solution to the problem may have been found. This was tested on Firmware: DD-WRT v3.0-r52095 std (03/23/23) on my Asus RT-AC68U, which I know is not the most recent build, but much newer than the builds from December 2022 I was previously using to get IPv6 working.
Unlike the OP, I was able to get global LAN IPv6 addresses working on other builds (I also found times the IP addresses would not be assigned, see below for that "fix" as well), but I noticed traffic was not being routed even though I received global IPv6 addresses on my LAN. My assumption was a firewall issue, which tracks given the need to apply firewall rules to get the WAN global IPv6 address to show up initially. For the WAN issues, I tested many different firewall rules incantations but saw an old bug report for DD-WRT, #5438, talking about how the firewall way back then blocked ICMPv6 traffic.
Not knowing what I should add specifically, I tried adding all of it and the WAN IP appeared (as it did with many other firewall incantations), all my LAN devices likewise received a global IPv6 address (again, not unusual given my earlier success with that as well); however, the clients could actually pass IPv6 traffic to the outside world (first success since those prior to January 2023 DD-WRT builds)!!!!
After some more testing, seems like only the first two commands were needed to get all of this working so I added just these two:
Here's where it got weird, having flashed this build and starting everything from scratch yet again, I didn't have all my preferred settings enabled. Because of that, I forgot to configure:
Code:
Setup->WAN Setup->WAN Connection Type->Ignore WAN DNS -- Enabled
No problem as I had not added the static DNS yet, my clients were reporting the ISP's DNS servers. The problem arose when I added Google DNS, Cloudflare, etc, as static IPv6 DNS servers, my clients not only would not see the new DNS settings, they would completely lose their global IPv6 addresses!!! Subsequent testing showed if I only input one static address from the third party services, then IPv6 would start functioning for the clients again:
Code:
IPv6->Internet Protocol version 6 (IPv6)->Configuration->Static DNS 1 or Static DNS 2
Now the clients would report an actual global IPv6 address, a single static DNS address, and also a single Comcast DNS address. Which tracks given the config. I think something got funky when the router was sending two Comcast DNS addresses and two static IP addresses to the clients. As long as the Ignore WAN DNS setting is checked, having both static DNS IPv6 addresses will function properly. Yes, you can use dnsmasq for the servers if you want as well, I've done both, pretty sure either way works fine, again, as long as Ignore WAN DNS setting is checked!
Attachment: DDWRT_StaticIPv6.png. Description: If the Ignore WAN DNS is not checked, and two static IP addresses are added, LAN clients freak out.
Joined: 01 Dec 2021 Posts: 289 Location: Maryland, United States
Posted: Thu Apr 13, 2023 15:32 Post subject:
With the latest build 4/11/2023 I was able to get both WAN and LAN IPv6. I principally use Verizon FiOS on my R7000P and connect Comcast for testing purposes. So using the Verizon configuration as a starting point which has Dnsmasq Infrastructure additional options:
Joined: 18 Mar 2014 Posts: 12837 Location: Netherlands
Posted: Thu Apr 13, 2023 16:01 Post subject:
The use of line numbers is highly unreliable and is not something which is recommended.
The following rule you are using is already present:
ip6tables -I INPUT -i br0 -j ACCEPT
So it is redundant (have a look at the current ip6tables)
The rule to allow dport 546 is also already present but in a more restricted (=safer) form.
It is possible that Comcast does not adhere to common standard and a more relaxed rule is necessary.
I do not use Comcast but have Vodafone and that is working right out of the box.
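An added example, not part of any post in this thread: one way to add a firewall rule from a startup script without rule line numbers and without duplicating a rule the firmware already loads. It assumes the router's ip6tables supports the `-C` (check) option; `IP6T`, `ensure_rule`, `duplicate_rules` and the sample ruleset are names and data constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the router's ip6tables
# supports -C (check); IP6T is a hypothetical override used for testing.
IP6T="${IP6T:-ip6tables}"

# ensure_rule CHAIN RULE-SPEC...
# Inserts the rule at the top of CHAIN only if an identical rule is not
# already loaded. No rule line numbers are used, so it keeps working when
# a firmware update changes the order of the built-in rules.
ensure_rule() {
    chain="$1"; shift
    if "$IP6T" -C "$chain" "$@" 2>/dev/null; then
        echo "present"
    else
        "$IP6T" -I "$chain" "$@" && echo "inserted"
    fi
}

# duplicate_rules: reads `ip6tables -S` output on stdin and prints every
# rule line that occurs more than once (a redundant startup-script rule).
duplicate_rules() {
    grep -e '^-A ' | sort | uniq -d
}

# Constructed sample of `ip6tables -S INPUT` output, not taken from a router.
sample_ruleset() {
    cat <<'EOF'
-P INPUT DROP
-A INPUT -i br0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -p udp -m udp --dport 546 -j ACCEPT
EOF
}

# Typical use in a firewall startup script:
#   ensure_rule INPUT -p udp --dport 546 -j ACCEPT
#   ip6tables -S INPUT | duplicate_rules
```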
Yes, I agree, my expectations were the same given "Use dnsmasq for DNS" was checked under Setup, but that only seems to apply to IPv4 DNS servers, at least in this build of DD-WRT. Per your example, what I see currently from my laptop is:
If I add IPv6 servers as an advanced dnsmasq setting then it does work as you describe, solely a local link Primary DNS pointing to my router, same address as the "Default Route" line (fe80:). Which is fine if the IPv4 and IPv6 settings for DNS are separated that way. I don't know the intent of the checkbox "Use dnsmasq for DNS" under setup but of course only the static IPv4 addresses are listed there. I suppose I could blank out the IPv4 DNS there too and just put all my DNS in the advanced dnsmasq settings, pretty sure that works too. I don't actually care if my clients get the router's address or the actual DNS server addresses, but I have traditionally done it the way you suggested. I just haven't made changes since getting the "basics" working. I'll revisit and refine to see what's going on of course.
Why did you do that? Don't you want separate sub-nets for Guests and IoT Devices?
If I had to guess why the OP made the change, it's because Comcast's Xfinity consumer service might not support anything besides 64 these days. Pretty sure they used to support other prefixes, but I read a thread recently (Reddit? Xfinity Support? Can't remember exactly) that claimed only business customers can have something other than 64… yeah, I can imagine your expression right now.
My guest network is IPv4 only. I don't know how to make it work with IPv6 because of that. Seriously.