Enabling LAN IPv6

Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

Posted: Mon Jan 30, 2023 8:13
The WAN will not get a Global Scope address. It will route through the Link Local address fe80:
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Mon Jan 30, 2023 11:10
My WAN gets a global scope address, but only if IPv6 works. If it does not work (e.g. if I have IPv6 disabled but I have WireGuard enabled, which loads the IPv6 kernel modules), I have a local scope address but no internet and no global scope address. Router: R7800.

Code:
eth0      Link encap:Ethernet  HWaddr 14:59:C0:5A:43:9E
          inet addr:83.23.678.123  Bcast:83.23.678.123  Mask:255.255.254.0
          inet6 addr: fe80::1659:c0ff:fe5a:439e/64 Scope:Link
          inet6 addr: 2001:cd93:4f1a:0:ab14:969e:4cc0:aff9/128 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:17620788 errors:0 dropped:0 overruns:0 frame:0
     


Edit: I use WireGuard with IPv6 to connect to my router from the internet. DDNS gives the WAN (eth0) IP address as the IPv6 address to connect to, and that works when used in my WG client.

But I am far from an expert on IPv6 matters.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
PaulGo
DD-WRT User


Joined: 01 Dec 2021
Posts: 289
Location: Maryland, United States

Posted: Mon Jan 30, 2023 16:22
Mile-Lile wrote:
try just to accept all icmpv6 with:

Code:
ip6tables -A INPUT -p icmpv6 -j ACCEPT


and on the IPv6 page of the DD-WRT GUI don't touch prefix length... leave it at default (/64) and see if that helps...


For Comcast, the prefix length needs to be 64, and I have always set it at 64. For Verizon FiOS the prefix length needs to be set at 56. The code you suggested did not work and in fact eliminated the WAN IPv6. As previously stated, Verizon FiOS IPv6 currently works with no firewall script and with this addition to dnsmasq:
no-resolv
no-negcache
server=1.1.1.1
server=8.8.8.8
server=2606:4700:4700::1111
server=2001:4860:4860::8888
local=/rover2155.local/
expand-hosts
domain-needed
dhcp-range=::1000,::FFFF,constructor:br0,ra-stateless,ra-names,12h
ra-param=br0,10,300
enable-ra
PaulGo
DD-WRT User


Joined: 01 Dec 2021
Posts: 289
Location: Maryland, United States

Posted: Mon Jan 30, 2023 16:40
egc wrote:
It looks like VLAN2 (which is the WAN) does not get a Global IPv6 at all.

So it could be a setup error.

Try to setup like see attachment


I have always set it up that way (with a 64 prefix for Comcast and a 56 prefix for Verizon).

Currently, Verizon IPv6 (WAN AND LAN) works (with dnsmasq script).

Comcast WAN IPv6 works with firewall script, but no LAN.
PaulGo
DD-WRT User


Joined: 01 Dec 2021
Posts: 289
Location: Maryland, United States

Posted: Fri Mar 10, 2023 14:33
An update: I still cannot get a LAN IPv6 address with Comcast, and other DD-WRT users such as citiot are having the same problem. IPv6 with Comcast works with Netgear firmware and with other router manufacturers. I hope a solution can be found to get DD-WRT to work with Comcast IPv6.
silvarios
DD-WRT Novice


Joined: 23 Apr 2018
Posts: 23

Posted: Mon Mar 13, 2023 6:52    Post subject: Same problem here on r51617 and r51935
I have an Asus RT-AC68U and have similar problems. I haven't tested the newest couple builds to be fair, but both r51617 and r51935 seemed to be problematic for me.

I had to use the same firewall commands to enable IPv6 for the WAN as the parent poster. Depending on the settings added, I did seem to have an IPv6 address for LAN devices, but then the test sites that let you know IPv6 was functioning would fail (e.g. https://test-ipv6.com/index.html.en_US). And IPv6 only sites did not seem to load either. So I downgraded to r51040 (picked a random build before the parent poster reported experiencing problems) and I think mostly things are working with Comcast.

On r51040, I have a WAN IPv6 address from Comcast without doing anything other than enabling IPv6, enabling prefix delegation (64), and I ended up disabling radvd and instead enabling those Dnsmasq settings also suggested by the OP (I think once I enabled static DNS for IPv6 something got funky so I switched to using the Dnsmasq advanced settings).

What's weird is I swear what my client devices reported for IP and DNS were the same on r51040 as the newer builds I tested, but wouldn't IPv6 stuff actually load if everything was fully functional??? Again, I get what seems to be a global IPv6 address for devices on the newer builds but something is clearly failing in... I am not sure how to put it... routing to the actual clients. Could be a firewall issue given I needed to add special rules to even get a WAN IP on those builds. I am largely a novice when it comes to IPv6 and know I had this working for a while, but it seems like the incantation has slightly changed over time as DD-WRT has improved their IPv6 code. I don't mind using r51040 for a while but it would be nice to be able to upgrade to a newer build at some point.

This reddit post mentions a couple more users on Xfinity with the same problem in the last few months:
https://www.reddit.com/r/DDWRT/comments/zoqxxt/ipv6_issue/
silvarios
DD-WRT Novice


Joined: 23 Apr 2018
Posts: 23

Posted: Thu Apr 13, 2023 7:21    Post subject: I think I got things working
Having tested these configs quite a bit, I think a solution to the problem may have been found. This was tested on Firmware: DD-WRT v3.0-r52095 std (03/23/23) on my Asus RT-AC68U, which I know is not the most recent build, but much newer than the builds from December 2022 I was previously using to get IPv6 working.

Unlike the OP, I was able to get global LAN IPv6 addresses working on other builds (I also found times the IP addresses would not be assigned, see below for that "fix" as well), but I noticed traffic was not being routed even though I received global IPv6 addresses on my LAN. My assumption was a firewall issue, which tracks given the need to apply firewall rules to get the WAN global IPv6 address to show up initially. For the WAN issues, I tested many different firewall rules incantations but saw an old bug report for DD-WRT, #5438, talking about how the firewall way back then blocked ICMPv6 traffic.

The fix was listed as such:
Code:
ip6tables -I INPUT 2 -m udp -p udp --dport 546 -j ACCEPT
ip6tables -I INPUT 3 -i br0 -j ACCEPT
ip6tables -I FORWARD 2 -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
ip6tables -I FORWARD 2 -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -I FORWARD 2 -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
ip6tables -I FORWARD 2 -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
ip6tables -I FORWARD 2 -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -I FORWARD 2 -p icmpv6 --icmpv6-type echo-reply -j ACCEPT


Not knowing what I should add specifically, I tried adding all of it and the WAN IP appeared (as it did with many other firewall incantations), all my LAN devices likewise received a global IPv6 address (again, not unusual given my earlier success with that as well); however, the clients could actually pass IPv6 traffic to the outside world (first success since those prior to January 2023 DD-WRT builds)!!!!

After some more testing, seems like only the first two commands were needed to get all of this working so I added just these two:
Code:
ip6tables -I INPUT 2 -m udp -p udp --dport 546 -j ACCEPT
ip6tables -I INPUT 3 -i br0 -j ACCEPT


Here's where it got weird, having flashed this build and starting everything from scratch yet again, I didn't have all my preferred settings enabled. Because of that, I forgot to configure:
Code:
Setup->WAN Setup->WAN Connection Type->Ignore WAN DNS -- Enabled


No problem as I had not added the static DNS yet, my clients were reporting the ISP's DNS servers. The problem arose when I added Google DNS, Cloudflare, etc, as static IPv6 DNS servers, my clients not only would not see the new DNS settings, they would completely lose their global IPv6 addresses!!! Subsequent testing showed if I only input one static address from the third party services, then IPv6 would start functioning for the clients again:
Code:
IPv6->Internet Protocol version 6 (IPv6)->Configuration->Static DNS 1 or Static DNS 2


Now the clients would report an actual global IPv6 address, a single static DNS address, and also a single Comcast DNS address. Which tracks given the config. I think something got funky when the router was sending two Comcast DNS addresses and two static IP addresses to the clients. As long as the Ignore WAN DNS setting is checked, having both static DNS IPv6 addresses will function properly. Yes, you can use dnsmasq for the servers if you want as well, I've done both, pretty sure either way works fine, again, as long as Ignore WAN DNS setting is checked!


Attachment DDWRT_StaticIPv6.png: If the Ignore WAN DNS is not checked, and two static IP addresses are added, LAN clients freak out.

Attachment DDWRT_IgnoreDNS.png: Enabling Ignore WAN DNS solves that problem.

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Thu Apr 13, 2023 7:56
Your clients should only see one IPv4 DNS address (the router) and one IPv6 DNS address (again the router's local IPv6 address), e.g.:
Quote:
DNS Servers . . . . . . . . . . . :
192.168.0.1
fe80::1659:c0ff:fe5a:439d%34

PaulGo
DD-WRT User


Joined: 01 Dec 2021
Posts: 289
Location: Maryland, United States

Posted: Thu Apr 13, 2023 15:32
With the latest build 4/11/2023 I was able to get both WAN and LAN IPv6. I principally use Verizon FiOS on my R7000P and connect Comcast for testing purposes. So using the Verizon configuration as a starting point which has Dnsmasq Infrastructure additional options:

no-resolv
no-negcache
server=1.1.1.1
server=8.8.8.8
server=2606:4700:4700::1111
server=2001:4860:4860::8888
local=/rover2155.local/
expand-hosts
domain-needed
dhcp-range=::1000,::FFFF,constructor:br0,ra-stateless,ra-names,12h
ra-param=br0,10,300
enable-ra

I changed the prefix length from 56 to 64 and used the firewall commands you recommended:

ip6tables -I INPUT 2 -m udp -p udp --dport 546 -j ACCEPT
ip6tables -I INPUT 3 -i br0 -j ACCEPT

Thank you for the correct firewall commands!

Edit: as suggested, I only needed

ip6tables -I INPUT 2 -m udp -p udp --dport 546 -j ACCEPT

as the firewall command.


Last edited by PaulGo on Thu Apr 13, 2023 20:39; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Thu Apr 13, 2023 16:01
The use of line numbers is highly unreliable and is not something which is recommended.

The following rule you are using is already present:
ip6tables -I INPUT -i br0 -j ACCEPT

So it is redundant (have a look at the current ip6tables).

The rule to allow dport 546 is also already present but in a more restricted (=safer) form.
It is possible that Comcast does not adhere to the common standard and a more relaxed rule is necessary.
I do not use Comcast but have Vodafone and that is working right out of the box.

Besides, it looks to me that @silvarios does not use any firewall rules at all but the trick for him was to enable Ignore WAN DNS (something I cannot explain at this moment).

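An added example, not part of the thread or of DD-WRT's own scripts: a shell audit of `ip6tables -S INPUT` output for the two problems raised in the post above, a rule that duplicates one already present and a `--dport 546` accept with no narrowing match. The sample ruleset, including the narrowed rule using `-s fe80::/10 --sport 547`, is constructed for illustration and is an assumption, not DD-WRT's actual default rules.

```shell
#!/bin/sh
# Constructed sample of `ip6tables -S INPUT` output (not a real DD-WRT ruleset).
# The fe80::/10 + sport 547 rule is an assumed example of a "restricted" form.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 546 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -s fe80::/10 -p udp -m udp --sport 547 --dport 546 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -j DROP'

# Rule specs that appear more than once, e.g. after a firewall script that
# inserts by position is re-run or repeats a rule the firmware already adds.
duplicate_rules() {
    printf '%s\n' "$1" | grep '^-A ' | sort | uniq -d
}

# ACCEPT rules for the DHCPv6 client port (546) with no source address,
# source port or input interface match, i.e. open to any sender.
broad_dhcpv6_rules() {
    printf '%s\n' "$1" | grep -e '--dport 546 ' | grep -e '-j ACCEPT' |
        grep -v -e ' -s ' -e '--sport ' -e ' -i ' || true
}

# Print findings; return 0 only when the ruleset has none.
audit() {
    dups=$(duplicate_rules "$1")
    broad=$(broad_dhcpv6_rules "$1")
    [ -z "$dups" ] || printf 'duplicate rule: %s\n' "$dups"
    [ -z "$broad" ] || printf 'unrestricted DHCPv6 accept: %s\n' "$broad"
    [ -z "$dups$broad" ]
}

audit "$SAMPLE_RULES" || echo 'review the rules listed above'
# On a router whose ip6tables supports -S: audit "$(ip6tables -S INPUT)"
```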
silvarios
DD-WRT Novice


Joined: 23 Apr 2018
Posts: 23

Posted: Thu Apr 13, 2023 18:42
egc wrote:
Your clients should only see one IPv4 DNS address (the router) and one IPv6 DNS address (again the router's local IPv6 address), e.g.:
Quote:
DNS Servers . . . . . . . . . . . :
192.168.0.1
fe80::1659:c0ff:fe5a:439d%34


Yes, I agree, my expectations were the same given "Use dnsmasq for DNS" was checked under Setup, but that only seems to apply to IPv4 DNS servers, at least in this build of DD-WRT. Per your example, what I see currently from my laptop is:
Code:

IPv4
Primary DNS: 192.168.0.1

IPv6
Primary DNS: 2606:4700:4700::1111
Seconday DNS: 2606:4700:4700::1001


If I add IPv6 servers as an advanced dnsmasq setting then it does work as you describe, solely a local link Primary DNS pointing to my router, same address as the "Default Route" line (fe80:). Which is fine if the IPv4 and IPv6 settings for DNS are separated that way. I don't know the intent of the checkbox "Use dnsmasq for DNS" under setup but of course only the static IPv4 addresses are listed there. I suppose I could blank out the IPv4 DNS there too and just put all my DNS in the advanced dnsmasq settings, pretty sure that works too. I don't actually care if my clients get the router's address or the actual DNS server addresses, but I have traditionally done it the way you suggested. I just haven't made changes since getting the "basics" working. I'll revisit and refine to see what's going on of course.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Thu Apr 13, 2023 19:29
Hmm, that is really strange.

I will look into it in the coming days and see if I can reproduce this.

Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

Posted: Thu Apr 13, 2023 20:53
PaulGo wrote:
I changed the prefix length from 56 to 64


Why did you do that? Don't you want separate sub-nets for Guests and IoT Devices?
silvarios
DD-WRT Novice


Joined: 23 Apr 2018
Posts: 23

Posted: Thu Apr 13, 2023 23:02
Per Yngve Berg wrote:
PaulGo wrote:
I changed the prefix length from 56 to 64


Why did you do that? Don't you want separate sub-nets for Guests and IoT Devices?


If I had to guess why the OP made the change, it's because Comcast's Xfinity consumer service might not support anything besides 64 these days. Pretty sure they used to support other prefixes, but I read a thread recently (Reddit? Xfinity Support? Can't remember exactly) that claimed only business customers can have something other than 64… yeah, I can imagine your expression right now.

My guest network is IPv4 only. I don't know how to make it work with IPv6 because of that. Seriously.
PaulGo
DD-WRT User


Joined: 01 Dec 2021
Posts: 289
Location: Maryland, United States

Posted: Thu Apr 13, 2023 23:59
Per Yngve Berg wrote:
PaulGo wrote:
I changed the prefix length from 56 to 64


Why did you do that? Don't you want separate sub-nets for Guests and IoT Devices?


Verizon works with a 56 Prefix length but Comcast requires 64.
Page 3 of 5. All times are GMT.