Joined: 18 Mar 2014 Posts: 12837 Location: Netherlands
Posted: Wed Nov 28, 2018 14:17 Post subject: IPv6
Been offline for a while because my old UBEE cable modem was acting up.
Received a new Modem/Router (Arris TG2492LG) with full dual stack IPv4/IPv6.
The old UBEE was of course in bridge mode, the new modem can be put in bridge mode but I lose the IPv6.
So I started to familiarize myself with IPv6. Reading the wiki and scouring various forums.
Unfortunately my provider (Ziggo Netherlands) seems to only provide me with a /64 address (see picture); this can not be changed by me and they won't do it.
My Main router (Netgear R6400v2 with latest Kong) does get an IPv6 address and if I "ping6 ipv6.google.com" it returns an answer so it basically works when I put the DHCP6 on the Modem on Stateless (SLAAC) and set the router at Native IPv6.
But I wanted the rest of my main network also to have IPv6.
I came across a post from @JamesMTL: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=306786
But a quick test with this does not give any result, besides setting vlan2 to the bridge does make me feel uncomfortable.
I know the first ebtables rule is blocking all traffic but IPv6 and subsequent rules are firewalling IPv6, but still.
Joined: 13 Mar 2014 Posts: 856 Location: Montreal, QC
Posted: Wed Nov 28, 2018 16:34 Post subject:
well your options are somewhat limited. either bridged ipv6, using an ndp daemon, or using a script to handle manually adding/removing ndp proxy neighbours.
option 2, ndp proxy is not available on ddwrt
option 3, may no longer be a working option as ddwrt no longer uses the full ip but the busybox ip
when you say it's not working. what exactly is not working. note the example in the other thread explicitly blocks dhcpv6 from passing through router. the other user was strictly using RAs for stateless addressing. your screenshot seems to imply the modem permits dhcpv6 so you would have to allow dhcpv6 to pass or go stateless.
note stock android devices generally do not support dhcpv6 unless the manu includes the daemon
what was the exact code you used.
fyi i can't do any lab testing earlier than next week
Joined: 13 Aug 2013 Posts: 6858 Location: Romerike, Norway
Posted: Thu Nov 29, 2018 8:27 Post subject:
You need a delegated prefix.
Your main router is giving an end node client address only to your router. You don't have any addresses for the clients behind the router. Is this the only ISP in your area?
Joined: 18 Mar 2014 Posts: 12837 Location: Netherlands
Posted: Thu Nov 29, 2018 12:43 Post subject:
Thanks for your reactions.
I just got word from the helpdesk and they think that the modem actually receives a /56 address, the router part of the modem /router then gets a /64 address.
I kept the ISP router at SLAAC, the WAN interface of my DDWRT router gets an IPv6 address and I can ping6. So that is working.
Next step in DDWRT I used the following settings:
DHCPv6 PD
Prefix length 60
MTU 1452
Radvd: Enabled
prefix 2001:1c03:3604:13f0::/64
{
AdvValidLifetime 30;
AdvPreferredLifetime 20;
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
}; # End of prefix definition
RDNSS 2001:b88:1002::10 2001:b88:1202::10 2001:730:3e42:1000::53
{
AdvRDNSSLifetime 10;
}; # End of RDNSS definition
}; # End of interface definition
#
# radvd configuration generated by radvdump 2.17
# based on Router Advertisement from fe80::4ad3:43ff:fedd:2e70
# received by interface vlan2
#
Joined: 18 Mar 2014 Posts: 12837 Location: Netherlands
Posted: Thu Nov 29, 2018 15:04 Post subject:
This is the routing table:
Code:
Kernel IPv6 routing table
Destination Next Hop Flags Metric Ref Use Iface
::/64 :: UA 256 0 0 vlan2
2001:1c03:3604:1300::/64 :: UA 256 0 0 vlan2
2001:1c03:3604:13f0::/64 :: U 256 0 0 br0
fe80::/64 :: U 256 0 0 eth0
fe80::/64 :: U 256 0 0 vlan1
fe80::/64 :: U 256 2 40 br0
fe80::/64 :: U 256 0 0 eth1
fe80::/64 :: U 256 0 0 eth2
fe80::/64 :: U 256 0 0 vlan2
::/0 fe80::4ad3:43ff:fedd:2e70 UGDA 1024 2 4202 vlan2
::/0 :: !n -1 1 8961 lo
::1/128 :: Un 0 3 24 lo
::2e30:33ff:fedc:c588/128 :: Un 0 1 0 lo
2001:1c03:3604:1300::/128 :: Un 0 1 0 lo
2001:1c03:3604:1300:2e30:33ff:fedc:c588/128 :: Un 0 3 328 lo
2001:1c03:3604:13f0::/128 :: Un 0 1 0 lo
2001:1c03:3604:13f0:200:ff:fe00:0/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::2e30:33ff:fedc:c587/128 :: Un 0 1 0 lo
fe80::2e30:33ff:fedc:c587/128 :: Un 0 3 290 lo
fe80::2e30:33ff:fedc:c587/128 :: Un 0 1 0 lo
fe80::2e30:33ff:fedc:c588/128 :: Un 0 2 365 lo
fe80::2e30:33ff:fedc:c589/128 :: Un 0 1 0 lo
fe80::2e30:33ff:fedc:c58a/128 :: Un 0 1 0 lo
ff00::/8 :: U 256 0 0 eth0
ff00::/8 :: U 256 0 0 vlan1
ff00::/8 :: U 256 2 3515 br0
ff00::/8 :: U 256 0 0 eth1
ff00::/8 :: U 256 0 0 eth2
ff00::/8 :: U 256 2 4137 vlan2
::/0 :: !n -1 1 8961
Joined: 13 Mar 2014 Posts: 856 Location: Montreal, QC
Posted: Fri Nov 30, 2018 1:18 Post subject:
from what i understand you are saying.
your ISP supports dhcpv6-pd /56
BUT you changed CPE's and the new CPE's bridge mode has no v6 support so you are using it in gateway mode.
Am I correct at this point you are double natted?
you then set the CPE gateway mode to slaac and configured your ddwrt router to dhcpv6-pd and you got a prefix.
This is where you are kind of losing me. where did that prefix come from? was it assigned by the cpe or did it flow through the cpe.
why do you say you lose v6 in bridge mode? have you actually tried it? if not it could be interesting to run ddwrt's dhcp6c cli in debug mode and see if the pd request when the gateway bridge mode has no response or an unexpected prefix size. dhcp6c does not handle mismatched prefix sizes well.
Joined: 18 Mar 2014 Posts: 12837 Location: Netherlands
Posted: Fri Nov 30, 2018 11:45 Post subject:
Thank you both for taking the time.
This is indeed a double NAT setup at the moment.
I was in the process of having the modem/Router placed in bridged mode (like it was in the previous situation); the ISP told me I would lose IPv6, which is not a big deal for me.
I have to ask my ISP to put it in bridge mode, I can not do it myself.
As I am acquainted with DDWRT and know something about routing and firewalling of IPv4, this was a moment for me to familiarize myself with IPv6, which until now I know little of.
I saw that my router has a /64 address and I understood that you can not route that any further so I asked the helpdesk if I could get a /56 address (the helpdesk knows very little of everything) and they told me that the modem receives a /56 address (at least they thought so).
But I am not behind the modem but behind the router.
You would think that when placed in bridged mode I could use the IPv6 /56 address but they told me I could not use IPv6 when placed in bridged mode.
So I am basically stuck behind a router with a /64 address as far as I can see.
Stubborn as I am I still tried some things.
When I put the ISP modem on SLAAC my DDWRT router's WAN interface gets an address and I can ping6 from the router so that is working.
When I put my ISP modem on Stateful (DHCPv6) my DDWRT router's WAN interface does not get an IPv6 address.
Next step was setting my DDWRT router to DHCPv6 with PD (not thinking it would work) and strangely enough I get a PD delegated (as far as I can tell) this must come from the ISP modem /Router.
Yesterday evening I was trying to find out how I can track the delegating of the prefix but have not found a way yet.
As I said I do not have any IPv6 experience but I am open to try anything. If it is not working I will ask to put my modem in bridge mode (and will try if they are not giving me the /56 IPv6)
Joined: 18 Mar 2014 Posts: 12837 Location: Netherlands
Posted: Tue Dec 04, 2018 10:07 Post subject:
PROGRESS!
Well I have made some progress and learned a lot about IPv6 (but still a long way to go)
What I have learned so far and please correct me if I am wrong.
ISP Modem/Router is a Ziggo Connectbox (Arris TG2492LG), this is former Ziggo territory so it is full dual stack.
I set the ISP Modem/Router's DHCPv6 on SLAAC (see picture).
IPv6 Firewall is off.
DHCPv4 is giving a static lease on my DDWRT router, that IPv4 address is in the DMZ.
My DDWRT Router (Netgear R6400v1 running Kong's 37845) is pretty default setup.
IPv6 is set on DHCPv6 with Prefix Delegation
Prefix Length: 60
MTU: 1452
Radvd: Enabled
Everything else disabled
(see picture)
When using Radvdump it looks like a prefix is delegated to WAN (vlan2) and another prefix is delegated to BR0 but in the same /56
prefix 2001:1c03:3601:69f0::/64
{
AdvValidLifetime 30;
AdvPreferredLifetime 20;
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
}; # End of prefix definition
RDNSS 2001:b88:1002::10 2001:b88:1202::10 2001:730:3e42:1000::53
{
AdvRDNSSLifetime 10;
}; # End of RDNSS definition
}; # End of interface definition
#
# radvd configuration generated by radvdump 2.17
# based on Router Advertisement from fe80::4ad3:43ff:fedd:2e70
# received by interface vlan2
#
RDNSS 2001:b88:1002::10 2001:b88:1202::10 2001:730:3e42:1000::53
{
AdvRDNSSLifetime infinity; # (0xffffffff)
}; # End of RDNSS definition
prefix 2001:1c03:3601:6900::/64
{
AdvValidLifetime 46364;
AdvPreferredLifetime 17564;
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
}; # End of prefix definition
}; # End of interface definition
Am I right thus far?
I assume RDNSS are the pushed DNS servers?
The routing also seems like it should be:
Code:
root@R6400v1:~# route -A inet6
Kernel IPv6 routing table
Destination Next Hop Flags Metric Ref Use Iface
2001:1c03:3601:6900::/64 :: UA 256 0 0 vlan2
2001:1c03:3601:69f0::/64 :: U 256 2 5936 br0
fe80::/64 :: U 256 0 0 eth0
fe80::/64 :: U 256 0 0 vlan1
fe80::/64 :: U 256 0 0 eth1
fe80::/64 :: U 256 0 0 eth2
fe80::/64 :: U 256 2 6 br0
fe80::/64 :: U 256 0 0 vlan2
::/0 fe80::4ad3:43ff:fedd:2e70 UGDA 1024 2 6216 vlan2
::/0 :: !n -1 1 12170 lo
::1/128 :: Un 0 3 2 lo
2001:1c03:3601:6900::/128 :: Un 0 1 0 lo
2001:1c03:3601:6900:2e30:33ff:fedc:c588/128 :: Un 0 2 183 lo
2001:1c03:3601:69f0::/128 :: Un 0 1 0 lo
2001:1c03:3601:69f0:200:ff:fe00:0/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::2e30:33ff:fedc:c587/128 :: Un 0 1 0 lo
fe80::2e30:33ff:fedc:c587/128 :: Un 0 1 0 lo
fe80::2e30:33ff:fedc:c587/128 :: Un 0 3 244 lo
fe80::2e30:33ff:fedc:c588/128 :: Un 0 2 182 lo
fe80::2e30:33ff:fedc:c589/128 :: Un 0 1 0 lo
fe80::2e30:33ff:fedc:c58a/128 :: Un 0 1 0 lo
ff00::/8 :: U 256 0 0 eth0
ff00::/8 :: U 256 0 0 vlan1
ff00::/8 :: U 256 0 0 eth1
ff00::/8 :: U 256 0 0 eth2
ff00::/8 :: U 256 2 1271 br0
ff00::/8 :: U 256 2 2111 vlan2
::/0 :: !n -1 1 12170 lo
I assume the following line represents the default gateway?:
When ping6 from the router I get a reply so far so good
When ping ipv6.google.com from my Windows client (after ipconfig/renew and asserting I got a good IPv6 address), I get a time out however the IPv6 address of google is displayed so there is some kind of DNS resolving?
When using TCPDUMP I see the ICMP request going out of the WAN to the ISP router but there is no return
Conclusion the ISP modem/router is not routing back.
Is this correct?
Now for the magic part:
I cut the power of the ISP modem/Router. After two minutes I restored power.
No IPv6 internet yet.
After half an hour I rebooted my DDWRT modem and BINGO!
(On a subsequent attempt it took several hours before it started to work, so be patient and if it is not working just reboot the DDWRT router after a couple of hours).
I can ping from my Windows clients and I get a 10/10 on test-ipv6.com and all green on ipv6-test.com (only complaining of a filtered ICMP which to me seems like a good thing)
Conclusion buggy IPv6 Implementation of ZIGGO?
But indeed it seems as the modem part gets an /56 address and can hand out /64 addresses through its router which has its own /64 address.
Joined: 13 Mar 2014 Posts: 856 Location: Montreal, QC
Posted: Wed Dec 05, 2018 21:45 Post subject:
yes rdns is the pushed recursive dns servers
from what you are saying it does sound as if the prefix is correctly delegated. running dhcp6c in debug mode will log the details.
on another note, this sounds familiar. i believe another user may have encountered something similar and was able to pd on everything except the cpe /64
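Added example, not written by any poster in this thread: a small Python check that reads `route -A inet6` output like the table posted above and confirms that the LAN /64 on br0 comes from a delegated block inside the same ISP prefix as the WAN /64 on vlan2. The /56 ISP prefix length (the helpdesk's claim) and the /60 PD length (the DD-WRT setting) are assumptions taken from the posts, and the function names are hypothetical.

```python
import ipaddress

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")

# Constructed sample: a few lines from the posted table (Destination, Next Hop, Flags, Metric, Ref, Use, Iface).
ROUTES = """\
2001:1c03:3601:6900::/64 :: UA 256 0 0 vlan2
2001:1c03:3601:69f0::/64 :: U 256 2 5936 br0
fe80::/64 :: U 256 2 6 br0
::/0 fe80::4ad3:43ff:fedd:2e70 UGDA 1024 2 6216 vlan2
::/0 :: !n -1 1 12170 lo
"""


def parse_routes(table):
    """Return ({iface: on-link global /64}, (gateway, iface) or None)."""
    onlink, gateway = {}, None
    for line in table.splitlines():
        try:
            dest, hop, flags, _metric, _ref, _use, iface = line.split()
            net = ipaddress.IPv6Network(dest)
        except ValueError:
            continue  # header, truncated line or non-address destination
        if net.prefixlen == 0 and "G" in flags:
            gateway = (hop, iface)  # default route via a next hop
        elif net.prefixlen == 64 and net.subnet_of(GLOBAL_UNICAST) and iface != "lo":
            onlink[iface] = net  # skips link-local, multicast and host routes
    return onlink, gateway


def check_delegation(table, wan="vlan2", lan="br0", isp_len=56, pd_len=60):
    """Check the LAN /64 sits in a PD block carved from the WAN's ISP prefix."""
    onlink, gateway = parse_routes(table)
    isp_prefix = onlink[wan].supernet(new_prefix=isp_len)  # assumed /56
    pd_block = onlink[lan].supernet(new_prefix=pd_len)     # assumed /60
    return {
        "gateway": gateway,
        "isp_prefix": isp_prefix,
        "same_isp_prefix": pd_block.subnet_of(isp_prefix),
        "pd_block": pd_block,
        "lan_subnets_available": 2 ** (64 - pd_len),
        "wan_overlaps_pd": onlink[wan].overlaps(pd_block),
    }


if __name__ == "__main__":
    print(check_delegation(ROUTES))
```

A `same_isp_prefix` of False, or a `wan_overlaps_pd` of True, would mean the LAN prefix was not cleanly delegated from the upstream block and return traffic may not be routed to br0.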