Need help configuring my Tomato router dnsmasq server with IPv6

Discussion in 'Tomato Firmware' started by Nazgulled, Apr 11, 2019.

  1. Nazgulled

    Nazgulled Serious Server Member

    Following this topic I decided to review my network related to IPv6 and now I'm trying to configure the same thing I currently have for IPv4 but for IPv6 enabled clients.

    Ok, first things first... I currently have static IPs defined for each known client on my network, one of those is a custom DNS server, which is pushed to all IPv4 clients with a custom dnsmasq configuration (dhcp-option=tag:br0,6,192.168.0.99). Everything is working as expected and now I want to replicate this for IPv6 enabled clients.

    Please correct me if I'm wrong but here's what I think I need to do to get this working:
    • Setup my router with my ISP and get IPv6 working in the first place.
    • Setup IPv6 on the client running the DNS Server.
    • Set a static IPv6 (on the router) for the client running the DNS Server.
    • Push, with dnsmasq, the static IPv6 above to all IPv6 enabled clients.
    The first step is done and working correctly, here's my router configuration for my ISP:

    [screenshot attachment: upload_2019-4-11_18-18-32.png]

    My ISP has a test page to make sure IPv6 is working, which I used, and everything looks fine. My main Windows PC correctly gets an IPv6 and everything seems to be working, no issues here. But I have a few questions about the above:

    a) LAN1 (br1) refers to my guest Wi-Fi network, should I enable this for some reason? Why isn't there a similar option for LAN (br0) that refers to my main network? Is it /64 by default or /56?

    b) Is there any other setting from the screen above that I should change? Why?

    Second step is to setup the client running the DNS Server with IPv6, a Synology NAS. I've set this to "Auto":

    [screenshot attachment: upload_2019-4-11_18-32-55.png]

    And there's also a link-local address associated (by default, I didn't do anything):

    [screenshot attachment: upload_2019-4-11_18-22-2.png]

    Questions about this:

    c) Should I manually set these IPv6 settings and change the "prefix length" to match the 56 from the ISP?
    d) Is that link-local address dynamic or static? Do I still need to set a static IPv6 on the router somehow?

    Question d) leads me to the next question...

    e) I'm assuming it's not a static address on d) and that I still need to set a static address for the machine running the DNS Server so I can push it to clients. How do I use dnsmasq on the Tomato router to configure static IPv6 addresses for specific clients that support IPv6?

    And now the latest step...

    f) How do I push the static IPv6 address belonging to the DNS Server machine (the Synology NAS) to all IPv6 enabled clients?

    Am I missing anything?
     
  2. Sean B.

    Sean B. Network Guru Member

    You can't set a static IPv6 IP for the client as your IPv6 setup is dynamic ( DHCPv6 ). Remember that with IPv6 the addresses your router will be handing out are all global, and therefore the client's address must change dynamically as well. You can push the client's link-local address for use as DNS server instead, as this will not change.

    No. The router uses a 64 ( one 64 subnet for each configured LAN ) derived out of the larger 56 prefix served by your ISP. The config is correct.

    I'll answer more when I have time later today.
     
    Nazgulled likes this.
  3. Nazgulled

    Nazgulled Serious Server Member

    I understand I cannot set a global IPv6 (starting with 2001: ) cause that's issued by my ISP, just like the IPv4 one. But just like I've configured my router to have the 192.168.0.254 IPv4, I thought I could do the same for IPv6. I guess "the same" is the link local address?

    But who set this link local address in the first place? Is it derived from some other information? Is it not possible to pick one myself, starting with fe80:? I mean, say I change to a different router in the future with a different firmware and I want to replicate my configuration as much as possible. It's easy to pick the same IPv4 addresses for all my clients, but can I do that for fe80: IPv6 addresses?
     
  4. Nazgulled

    Nazgulled Serious Server Member

    Anyway, looked at dnsmasq man page and researched a bit and got to this:

    Code:
    dhcp-option=tag:br0,option6:dns-server,[fe80::211:32ff:fe7b:9a85]
    And this:

    Code:
    dhcp-option-force=tag:br0,option6:dns-server,[fe80::211:32ff:fe7b:9a85]
    But it doesn't seem to work either way.

    The IPv6 DNS on the clients are set to the router global address starting with 2001:, not sure what I'm missing.
     
  5. Sean B.

    Sean B. Network Guru Member

    You should do some reading up on IPv6, as the concepts and logic you're using from IPv4 are not applicable to IPv6. There is no more NAT ( IE: the 192.168 type internal network you compared to does not exist ). Link-local addresses are the "local only" version for IPv6, and it is not a "network" that you configure. The network stack of the client configures the address automatically, and it will not route over hops ( hence the "link" in link local ).

    I may have missed it, as I haven't read everything, but I don't see a post showing your LAN side V6 config. Whether you're using SLAAC, DHCPv6 stateful or stateless, or a combination, will determine how/what/if clients are configured with the settings you want.
     
  6. Nazgulled

    Nazgulled Serious Server Member

    I always had both enabled:

    [screenshot attachment: upload_2019-4-12_8-0-39.png]

    Should I just have one of those enabled?

    Read this link to try and understand the differences between the two but I don't understand a few things:

    DHCP

    If the router's DHCP server is responsible for this, the address will be dynamic and could change for some reason, right?

    SLAAC

    With this option I'm forced to pick IPv6 addresses, manually, for each client on their own network configuration, right?

    Now I'm not sure which mode I should even use...
     
  7. Nazgulled

    Nazgulled Serious Server Member

    Found this related topic with answers from yourself and it feels like I'm on the right path but I can't get it working.

    It seems to me that this is what I'm looking for:

    But I'm not sure if I should have "Announce IPv6 on LAN" for both SLAAC and DHCP enabled and use the dhcp-option, or if I should just enable "Announce IPv6 on LAN (SLAAC)" and use the dhcp-option to push the DNS server.

    Tried both methods but clients don't seem to pick up the DNS server I configured with the dhcp-option.
     
  8. Sean B.

    Sean B. Network Guru Member

    The answer is yes.. and no :). You need to configure it manually rather than checking the boxes for SLAAC and DHCPv6, otherwise Tomato's options will collide with yours. Leave the stated boxes unchecked and enter this into the custom config box:

    Code:
    enable-ra
    dhcp-range=tag:br0,::100,::150,constructor:br0,64,1440m
    dhcp-option=tag:br0,option6:dns-server,[LINK-IP]
    Where LINK-IP is the link-local IP of the DNS server. Make duplicate lines for the range and option changing br0 to br1 for the guest network.

    If for some reason the link-local IP will not work for the option line, then I'd suggest letting the router advertise its own global IPv6 IP as DNS server, then setting the link-local IP of the DNS server as the static DNS under Basic->IPv6.

    **NOTE** Remember, routers will not forward link local addressing, so the DNS server must be locally connected ( no VPN's, no crossing subnets etc ) to use the link local IP.
     
    Last edited: Apr 12, 2019
  9. Nazgulled

    Nazgulled Serious Server Member

    This seems to have worked, partially at least...

    I mean, I've reset both the network connections on my PC and my NAS and while the PC got the link-local IP for the DNS server, the NAS doesn't (it defaults to the gateway 2001: address). I can't seem to understand why the NAS doesn't pick it up. I also have a SHIELD Android TV and that device also seems to have picked the pushed DNS server:

    Code:
    04-13 11:18:54.045  3768  3902 D ConnectivityService: Setting DNS servers for network 101 to [/fe80::211:32ff:fe7b:9a85%eth0, /192.168.0.99]
    So, it works for some devices, it doesn't for others. It's weird because even when I set the IPv6 configuration on the NAS to disabled:

    [screenshot attachment: upload_2019-4-13_11-20-59.png]

    It still shows some "preferred DNS server" filled with the gateway 2001: address... Of course, I can set this to manual and configure the DNS Server myself but I'm trying to avoid that. This could be some issue, bug or misconfiguration on my NAS side, but I'm oblivious to what could be causing this.

    Anyway, I still have a few questions about all this...
    1. Will this link-local IP address never change, under any circumstances? Say I switch to a different ASUS router model (and keep using Tomato), will the link-local address for the NAS (where the DNS server is running) be the same, so I won't have to adjust my dnsmasq configuration?
    2. Could you please clarify the dhcp-range option you gave me above and why it needs to be different from the ones that Tomato sets when checking the SLAAC/DHCP options? I understand the tag bit, but the rest not so much.
    3. I tried to browse to http://[2001:...]:3000 (the DNS server admin interface) and it worked, however, browsing to http://[fe80:...]:3000 did not. Shouldn't both addresses have worked? I have a feeling that if this didn't work, why would [fe80:...]:53 work for all the devices that are picking up this address as their DNS server?
    4. You mentioned "no crossing subnets", does that mean that I won't be able to use this link-local address on any of my guest network clients by adding a firewall rule (for IPv6) similar to what we did here? I'm confused because you also said "make duplicate lines for the range and option changing br0 to br1 for the guest network". What does it all mean? Will the link-local address work in the guest network or not? Do I need a firewall rule or not?
     
  10. Sean B.

    Sean B. Network Guru Member

    DHCPv6/SLAAC had a rocky start, mainly with setting a standard on how clients receive information from both protocols. This could very well be an issue with how the NAS thinks it should be done. You could try changing dhcp-option to dhcp-option-force and see if that changes anything.

    A client's link-local address has nothing to do with the router or what it's connected to. It will not change unless hardware on the client itself changes.

    When you check the boxes in the GUI for SLAAC and DHCPv6, Tomato adds in the corresponding dhcp-option=option6 line for DNS along with others. The default is to use the router's global IPv6 IP; adding your own dhcp-option line stacks in line. Some options take the last one in line, others will outright conflict. The enable-ra and range lines are simply setting the base configurations for DHCPv6 and SLAAC, as the GUI boxes are not checked.

    When using link-local addresses you need to specify an interface identifier. Note how the Android TV shows the address:

    See the %eth0 it tacked on the end? It also depends on whether or not the service you're connecting to has bound itself to just the global IP, or is listening to all addressing on the interface.

    Maybe, maybe not. Technically no, as by RFC spec routers are not to forward fe80 addressed packets. However, if the source and destination interfaces are local to the router, it may consider that a link. It's a grey area that you'll have to try and see, as I've never needed to use the link-locals in your fashion.

    Here's a quote from some docs regarding link-local:

    As you can see, the rabbit hole gets rather deep with IPv6, and some of it will just need testing in order to grasp its behavior. The router, knowing the interfaces, may forward link-local between the two.. or.. it may not ;).
     
    Last edited: Apr 13, 2019
  11. Sean B.

    Sean B. Network Guru Member

    Here's what I think will likely need to happen:

    Allow your router to advertise its own global IPv6 address as the DNS server to clients. This will be a different address for your private and guest networks, as the router will use a different /64 for each network. Then for the router's static DNS server set the link-local IP of your DNS server client using the interface identifier.. IE: if the DNS server client's link-local IP is fe80:1:1:1::2 and is connected to the br0 LAN, you'd put

    Code:
    fe80:1:1:1::2%br0
    In the static IPv6 DNS box in the GUI. This will allow the DNS server pushed to clients to be dynamic, as the router will send its own global address, yet all queries will be forwarded to the DNS server client.
     
  12. Nazgulled

    Nazgulled Serious Server Member

    Thanks for the detailed answers @Sean B.

    I've been meaning to reply back and test a few things but I've been preparing for a 2-week trip and haven't had much time. I'm leaving tomorrow and coming back by the end of the month. We'll continue this when I get back if you don't mind.

    Just answer me one thing... What if I pushed the global IP address with dhcp-option instead of the link-local? Wouldn't that be simpler/easier and solve a few issues?
     
  13. Sean B.

    Sean B. Network Guru Member

    Because if your WAN goes down/up and the prefix you receive from your ISP via DHCPv6 changes ( just the same as your WAN IP may change upon reconnect with IPv4 ), the global IPv6 address of your DNS server you previously configured to push out to clients will be invalid ( the prefix handed out by the ISP DHCPv6 server makes up the first 56 bits of this address, then your router subnetting that /56 into a /64 makes up the next 8 bits ). This is why I suggested to let the router push its own global IPs, as it will dynamically change the pushed IPs to match whatever its global addresses are. Then set the link-local IP of your DNS server along with the interface identifier ( IE: fe80:1:1:1::1%br0 ) as the router's static IPv6 DNS. This results in all IPv6 DNS queries being sent to the router's global IPv6 addresses ( I say plural because it will have 2, one for the private network interface and one for the guest network interface ) from both private and guest networks, and those queries are forwarded to your DNS server link-local address. This gets around the probable issue of using link-local IP from the guest network side while also avoiding the risk of prefix change invalidating the global IP address of the DNS server.
     
    Last edited: Apr 15, 2019
  14. Nazgulled

    Nazgulled Serious Server Member

    Hi there @Sean B., I'm back at this :)

    I get the feeling that if I do that, my DNS server will log all DNS requests as coming from the router and not specific clients and I'll lose important information (remember, this is to be used with AdGuard Home / Pi-Hole).

    Anyway, I've managed to get everything working, at least I think I do...

    I've started to use dhcp-option-force just because it makes more sense (I really want to force this DNS server to all clients).

    I understand that, but what I was really asking was what exactly the ::100, ::150 and constructor:br0 options in the dhcp-range option mean. I understand the tag and the last two, but not those I just mentioned.

    Tried that and even tried to use %25 instead of % because we have to escape % in URLs, but neither worked. Both Firefox and Chrome just start a Google search when I try to load http://[fe80::ae9e:17ff:fe80:9828%br0], not sure what I'm missing.

    I have not yet tested this but will do it next.

    Right now I have all my devices properly configured to use my DNS server, for both IPv4 and IPv6. Both IPs are being pushed to all clients with dnsmasq and here's my current configuration:

    Code:
    # Enable support for the IPv6 router advertisement feature
    enable-ra
    
    # Enable the DHCP server for the IPv6 configuration
    dhcp-range=tag:br0, ::100, ::150, constructor:br0, 64, 1440m
    dhcp-range=tag:br1, ::100, ::150, constructor:br1, 64, 240m
    
    # Push AdGuard DNS server to private and guest LAN clients
    dhcp-option-force=tag:br0, option:dns-server, 192.168.0.99
    dhcp-option-force=tag:br0, option6:dns-server, [fe80::211:32ff:fe7b:9a85]
    dhcp-option-force=tag:br1, option:dns-server, 192.168.0.99
    dhcp-option-force=tag:br1, option6:dns-server, [fe80::211:32ff:fe7b:9a85]
    
    As for the Synology NAS issue, being the only device not picking up the IPv6 DNS server, I somehow fixed that. There must be some kind of bug, but what I did was manually configure the network connection for the NAS, use the correct DNS server IPv6 and apply those settings. Then I switched back to "Auto" and the link-local DNS server IPv6 I manually configured persisted, and it persists across reboots, so all is good now.
     
  15. Nazgulled

    Nazgulled Serious Server Member

    One question about pushing the IPv6 DNS server to br1 (the guest network on a different subnet). I ended up adding the following based on this topic:

    Code:
    iptables -t filter -I FORWARD 1 -i br1 -o br0 -d 192.168.0.99/32 -p udp --dport 53 -j ACCEPT
    Won't I need something similar for IPv6?
     
  16. Sean B.

    Sean B. Network Guru Member

    Yes, that is correct.

    ::100, ::150 is the DHCPv6 address pool range and constructor:br0 means construct the DHCPv6 address pool using the prefix information from the br0 interface.

    Unless you were doing a google search from a browser running on the router itself, br0 would not be a valid interface to use. You use the interface specifier of the machine you're running the program on. Also, I'm not sure if web browsers support the use of link local addresses yet. They may see it as erroneous or take it as a generic search string. I would not base any testing off using a web browser.

    Testing will determine if it works for the guest network.
     
    Last edited: May 9, 2019
  17. Sean B.

    Sean B. Network Guru Member

    No.
     
  18. Nazgulled

    Nazgulled Serious Server Member

    Ok, just tested everything but the laptop I'm using to test the guest network, for some reason, is not even picking up the IPv6 gateway. It works if I connect to the main WiFi network, the guest one doesn't. This is for IPv6, of course. IPv4 is working just fine.
     
  19. Sean B.

    Sean B. Network Guru Member

    Does the br1 interface have a global IPv6 IP?
     
  20. Nazgulled

    Nazgulled Serious Server Member

    Nope:
    Code:
    br1        Link encap:Ethernet  HWaddr AC:9E:17:80:98:28
               inet addr:172.16.0.254  Bcast:172.16.0.255  Mask:255.255.255.0      
               inet6 addr: fe80::ae9e:17ff:fe80:9828/64 Scope:Link
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:15687 errors:0 dropped:0 overruns:0 frame:0
               TX packets:21130 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:0
               RX bytes:2723667 (2.5 MiB)  TX bytes:16687288 (15.9 MiB)
     
  21. Sean B.

    Sean B. Network Guru Member

    Well, that would be a problem. What is the output of:

    Code:
    cat /etc/dhcp6c.conf
    ?
     
  22. Nazgulled

    Nazgulled Serious Server Member

    Code:
    root@AC68U:/tmp/home/root# cat /etc/dhcp6c.conf 
    interface vlan100 {
     send ia-na 0;
     send ia-pd 0;
     request domain-name-servers;
     script "/sbin/dhcp6c-state";
    };
    id-assoc pd 0 {
     prefix ::/56 infinity;
     prefix-interface br0 {
      sla-id 0;
      sla-len 8;
            };
    };
    id-assoc na 0 { };
     
  23. Sean B.

    Sean B. Network Guru Member

    Uhm, that's odd. What build of Tomato are you running again? And please post the output of
    Code:
    ifconfig br0
    You can redact some of the IPv6 global IP if you wish but please leave the majority of it, including the prefix specifier at the end intact.
     
  24. Nazgulled

    Nazgulled Serious Server Member

    [screenshot attachment: upload_2019-5-10_16-41-11.png]

    Code:
    root@AC68U:/tmp/home/root# ifconfig br0
    br0        Link encap:Ethernet  HWaddr AC:9E:17:80:98:28
               inet addr:192.168.0.254  Bcast:192.168.0.255  Mask:255.255.255.0   
               inet6 addr: 2001:818:_:_:_:_:fe80:9828/64 Scope:Global
               inet6 addr: fe80::ae9e:_:fe80:9828/64 Scope:Link
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:245123571 errors:0 dropped:0 overruns:0 frame:0
               TX packets:589846130 errors:0 dropped:0 overruns:0 carrier:0       
               collisions:0 txqueuelen:0
               RX bytes:189149477797 (176.1 GiB)  TX bytes:829611566440 (772.6 GiB)
     
  25. Sean B.

    Sean B. Network Guru Member

    Run:

    Code:
    nvram get ipv6_vlan
    If it returns 0, run:

    Code:
    nvram set ipv6_vlan=1
    nvram commit
    Then reboot the router.
     
  26. Nazgulled

    Nazgulled Serious Server Member

    Yes, it was returning 0, changed to 1, committed and rebooted. br1 now reports a global IPv6 address but the laptop still doesn't get an IPv6 on the guest network (it does on the main network).

    However, neither network has IPv6 fully working... Although the main network has an IPv6 (while the guest doesn't), it fails the IPv6 tests on https://ipv6-test.com. My main PC connected by ethernet passes all the tests.
     
  27. Sean B.

    Sean B. Network Guru Member

    LAN clients will not fully pass an IPv6 test, because the only IPv6 IP that will pass for reverse DNS is the /128 on the WAN ( if applicable ) while IPs from inside the delegated prefix will not. Remember, there are 18,446,744,073,709,551,616 possible addresses within a single /64 prefix. Having pre-existing PTR records for entire blocks in IPv6 is not practical. This is why your PC fully passes when direct connected, as it gets a single /128 from your ISP.

    After changing the ipv6_vlan variable, what is the current output of:

    Code:
    ifconfig br0
    ifconfig br1
    cat /etc/dhcp6c.conf
     
    Last edited: May 13, 2019
  28. Sean B.

    Sean B. Network Guru Member

    Btw, just noticed in this post you have spaces after each comma. Not sure if it will affect anything, however the correct syntax is no spacing.

     
    Last edited: May 13, 2019
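    The custom config in post 14 and the syntax note in post 28 can be produced and checked with the following shell script. It is an added example, not code from this thread, from Tomato or from dnsmasq: it emits the lines the thread settles on (enable-ra, a DHCPv6 range constructed from each bridge's /64, and a forced option6:dns-server) with no whitespace after the commas, checks a config file for that and for the square brackets dnsmasq expects around an IPv6 value, and prints the IPv6 twin of the FORWARD rule posted for IPv4 in post 15. The IPv4 and link-local addresses in the demo are the ones from the thread; 2001:db8::99 is a constructed placeholder for a routable DNS server address.

```shell
#!/bin/sh
# Added example; not from this thread and not Tomato's or dnsmasq's own code.
# Emits the dnsmasq custom-config lines the thread settles on and checks them
# for the two syntax points raised in the thread: no whitespace next to commas
# and IPv6 option values in [brackets]. Addresses in the demo at the bottom are
# the thread's own plus one constructed placeholder (2001:db8::99).

# dnsmasq_ipv6_conf DNS4 DNS6 BRIDGE [LEASE]
# Prints the range and DNS option lines for one bridge. DNS6 is passed
# without brackets; they are added here.
dnsmasq_ipv6_conf() {
    dns4=$1 dns6=$2 br=$3 lease=${4:-1440m}
    printf 'dhcp-range=tag:%s,::100,::150,constructor:%s,64,%s\n' "$br" "$br" "$lease"
    printf 'dhcp-option-force=tag:%s,option:dns-server,%s\n' "$br" "$dns4"
    printf 'dhcp-option-force=tag:%s,option6:dns-server,[%s]\n' "$br" "$dns6"
}

# check_line LINE
# Returns 0 when the line passes, 1 otherwise (reason on stderr).
check_line() {
    line=$1
    case $line in
        ''|'#'*) return 0 ;;                      # blank lines and comments
        *', '*|*' ,'*)
            echo "whitespace next to a comma: $line" >&2; return 1 ;;
    esac
    case $line in
        *option6:dns-server,*)
            addr=${line##*option6:dns-server,}
            case $addr in
                '['*']') ;;                       # bracketed IPv6 address
                *) echo "IPv6 DNS address not in [brackets]: $line" >&2; return 1 ;;
            esac ;;
    esac
    return 0
}

# check_conf FILE
# Runs check_line over every line of FILE; the exit status is the number of
# failing lines, so 0 means the file passed.
check_conf() {
    bad=0
    while IFS= read -r l; do
        check_line "$l" || bad=$((bad + 1))
    done < "$1"
    return $bad
}

# guest_dns_rules DNS4 DNS6_GLOBAL
# Prints FORWARD rules that let guest (br1) clients reach only port 53 on the
# DNS server sitting on br0, for IPv4 and IPv6 and for UDP and TCP.
# Use a routable IPv6 address here: as the thread notes, a link-local (fe80::)
# destination is not guaranteed to be forwarded between the two bridges.
guest_dns_rules() {
    for proto in udp tcp; do
        printf 'iptables -t filter -I FORWARD 1 -i br1 -o br0 -d %s/32 -p %s --dport 53 -j ACCEPT\n' "$1" "$proto"
        printf 'ip6tables -t filter -I FORWARD 1 -i br1 -o br0 -d %s/128 -p %s --dport 53 -j ACCEPT\n' "$2" "$proto"
    done
}

# Demo: build the config for both bridges, check it, then show the rules.
demo_conf=${TMPDIR:-/tmp}/dnsmasq-ipv6-demo.conf
{
    echo '# Enable router advertisements'
    echo 'enable-ra'
    dnsmasq_ipv6_conf 192.168.0.99 fe80::211:32ff:fe7b:9a85 br0 1440m
    dnsmasq_ipv6_conf 192.168.0.99 fe80::211:32ff:fe7b:9a85 br1 240m
} > "$demo_conf"
cat "$demo_conf"
check_conf "$demo_conf" && echo "config OK: $demo_conf"
guest_dns_rules 192.168.0.99 2001:db8::99
```

    The generated lines are meant to be pasted into Tomato's dnsmasq custom config box; run check_conf against a saved copy of that box before applying it, since a line with ", " in it is exactly the case post 28 warns about.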
  29. Sean B.

    Sean B. Network Guru Member

  30. Nazgulled

    Nazgulled Serious Server Member

    I'm confused, aren't all my devices LAN clients on my network? What makes my PC different to get a single /128 IP from my ISP?

    Code:
    root@AC68U:/tmp/home/root# ifconfig br0
    br0        Link encap:Ethernet  HWaddr AC:9E:17:80:98:28
               inet addr:192.168.0.254  Bcast:192.168.0.255  Mask:255.255.255.0   
               inet6 addr: 2001:_:_:8500:_:_:_:9828/64 Scope:Global
               inet6 addr: fe80::ae9e:17ff:fe80:9828/64 Scope:Link
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:84177531 errors:0 dropped:0 overruns:0 frame:0
               TX packets:33334253 errors:0 dropped:0 overruns:0 carrier:0       
               collisions:0 txqueuelen:0
               RX bytes:123963572386 (115.4 GiB)  TX bytes:9482499986 (8.8 GiB)   
    
    root@AC68U:/tmp/home/root# ifconfig br1
    br1        Link encap:Ethernet  HWaddr AC:9E:17:80:98:28
               inet addr:172.16.0.254  Bcast:172.16.0.255  Mask:255.255.255.0     
               inet6 addr: 2001:_:_:8501:_:_:_:9828/64 Scope:Global
               inet6 addr: fe80::ae9e:17ff:fe80:9828/64 Scope:Link
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:13643 errors:0 dropped:0 overruns:0 frame:0
               TX packets:63092 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:0
               RX bytes:2028864 (1.9 MiB)  TX bytes:87177701 (83.1 MiB)
    
    root@AC68U:/tmp/home/root# cat /etc/dhcp6c.conf
    interface vlan100 {
     send ia-na 0;
     send ia-pd 0;
     request domain-name-servers;  
     script "/sbin/dhcp6c-state";  
    };
    id-assoc pd 0 {
     prefix ::/56 infinity;       
     prefix-interface br0 {       
      sla-id 0;
      sla-len 8;
            };
            prefix-interface br1 {
                    sla-id 1;     
                    sla-len 8;     
            };
    };
    id-assoc na 0 { };
    If there's an _ on the global IPv6 link it means the value is exactly the same (in the corresponding position) between br0 and br1.

    How likely are the spaces to be causing this single issue and no other? I mean, everything else is working as I expect it with the spaces. Either way, if the correct syntax is no spacing, I'll remove them and see if it makes a difference.
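    The dhcp6c.conf above, together with Sean B.'s explanation in post 13 (the ISP's prefix supplies the first 56 bits, the router's sla bits supply the next 8), can be checked with the following shell function. It is an added example, not code from this thread or from Tomato/dhcp6c: given a delegated prefix, an sla-id and an sla-len it computes the /64 each prefix-interface receives, and it also handles other splits such as a /48 with sla-len 16. The 2001:db8:abcd:8500::/56 prefix is a constructed documentation value, chosen so that br0 and br1 come out as ...:8500::/64 and ...:8501::/64 like the ifconfig output above.

```shell
#!/bin/sh
# Added example; not from this thread and not Tomato's or dhcp6c's own code.
# Derives the per-LAN /64 that dhcp6c carves out of the delegated prefix,
# following the dhcp6c.conf above: the ISP fixes the first 56 bits, the
# router fills the next 8 bits (sla-len 8) with the sla-id of each
# prefix-interface (0 for br0, 1 for br1), and the result is a /64.
# The delegated prefix must be written with its fixed hextets spelled out,
# e.g. 2001:db8:abcd:8500::/56. All prefixes below are constructed samples.

# pd_subnet DELEGATED_PREFIX SLA_ID SLA_LEN
# Prints the /64 a prefix-interface with the given sla-id receives.
pd_subnet() {
    delegated=$1 sla_id=$2 sla_len=$3
    case $delegated in
        *::/*) ;;
        *) echo "pd_subnet: expected PREFIX::/LEN, got $delegated" >&2; return 1 ;;
    esac
    fixed=${delegated%%::*}          # hextets the ISP fixed, e.g. 2001:db8:abcd:8500
    plen=${delegated##*/}            # delegated length, e.g. 56
    # The ISP's bits plus the router's sla bits must fill exactly 64 bits.
    if [ $((plen + sla_len)) -ne 64 ]; then
        echo "pd_subnet: /$plen + sla-len $sla_len does not make a /64" >&2; return 1
    fi
    # An sla-id must fit in sla-len bits (0..255 for sla-len 8).
    if [ "$sla_id" -lt 0 ] || [ "$sla_id" -ge $((1 << sla_len)) ]; then
        echo "pd_subnet: sla-id $sla_id does not fit in $sla_len bits" >&2; return 1
    fi
    IFS=: read -r h1 h2 h3 h4 rest <<EOF
$fixed
EOF
    if [ -n "$rest" ]; then
        echo "pd_subnet: more than 64 fixed bits in $delegated" >&2; return 1
    fi
    # Bits 49-64 live in the 4th hextet: keep the ISP's upper (16 - sla_len)
    # bits, then OR the sla-id into the low sla_len bits.
    isp_mask=$(( (0xffff << sla_len) & 0xffff ))
    h4=$(printf '%x' $(( (0x${h4:-0} & isp_mask) | sla_id )))
    printf '%s:%s:%s:%s::/64\n' "${h1:-0}" "${h2:-0}" "${h3:-0}" "$h4"
}

# Demo: the br0/br1 pairing from the dhcp6c.conf above, on a sample /56.
for iface_sla in "br0 0" "br1 1"; do
    set -- $iface_sla
    printf '%s -> %s\n' "$1" "$(pd_subnet 2001:db8:abcd:8500::/56 "$2" 8)"
done
```

    If the ISP actually delegates a /64 rather than a /56, plen + sla-len no longer adds up to 64 and the function refuses, which is the situation post 38 describes: the first /64 still works on br0, but there are no spare bits to build a second one for br1.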
     
  31. Sean B.

    Sean B. Network Guru Member

    As I stated, not sure if it will affect anything, but it's incorrect nonetheless.

    Perhaps I misunderstood. When you said your PC was connected by cable I thought you meant directly to your modem, without the router, as I don't see what else that could imply. You said your main network has IPv6 connectivity but fails the IPv6 test, but then say your PC passes? What network is your PC connected to then?

    For testing purposes, comment out all of your DHCP/dns custom config ( put a # at the beginning of each line ). Under Basic->IPv6 check the box for "Request /64 for br1" if not already. Under DHCP/dns check the box for "Announce IPv6 on LAN (DHCPv6)", leave the box for SLAAC unchecked. Reboot router and test connectivity from main and guest networks.

    The interfaces both show a /64 prefix now. I see no reason clients on br1 wouldn't be getting an IPv6 IP, so removing the custom config for the moment removes a variable from the equation.

    **NOTE** Before doing the above test, connect your laptop to the guest network and run ( assuming it's running Windows ):

    Code:
    ipconfig /release6 interface
    ipconfig /renew6 interface
    In an administrative cmd or powershell window. Where interface is the name of the network adapter you're connected with ( usually "wi-fi" or "ethernet" ). Check for IPv6 connectivity.
     
    Last edited: May 13, 2019
  32. Nazgulled

    Nazgulled Serious Server Member

    My PC is connected to br0 (this is what I call main network, it's in the same subnet as the router itself) through ethernet and has IPv6 connectivity (passes the IPv6 test). WiFi devices also connected to br0 show a global IPv6 but don't seem to have IPv6 connectivity (they fail the IPv6 test). WiFi devices connected to br1 (guest network, different subnet) don't get a global IPv6 and don't have IPv6 connectivity of course (also fail the IPv6 test, obviously). Hopefully this is more clear.

    I had never checked that box before (cause I had no idea what it did) but when I ran "nvram set ipv6_vlan=1", the check box was then checked, so that's probably related.

    I'll do both of those tests as soon as possible and report back :)
     
  33. Sean B.

    Sean B. Network Guru Member

    When you say "don't seem to have IPv6 connectivity" and then also refer to that as failing the IPv6 test, it's very unclear what is actually going on. You can have IPv6 connectivity that works just fine, and still fail one of the generic website "IPv6 tests". So to be on the same page, when saying "no connectivity" it means IPv6 packets from a host inside of your LAN fail to reach or return from a host which is outside of your LAN ( WAN side ). IE: ping6 shows 100% packet loss. The score given for an IPv6 test is ambiguous at best, as there are several different ways an ISP can deploy IPv6 and each will provide varying levels of "completeness". On top of the fact some of the tests that can fail you are utterly pointless ( such as reverse DNS that I previously mentioned and explained ).

    Now, can devices connected to br0 via wi-fi successfully ping google.com using IPv6, or does it fail? There is no configuration difference between wired and wireless clients as far as IPv6 goes on the router. Having wired clients work and wireless clients not would strongly point to an issue with the wireless clients' support of IPv6. Keep in mind that several OSes used to, and some still do, prefer IPv4 in their network stack. You need to make sure however it is you're testing will implicitly use IPv6. Also, make sure any firewalls running on client devices are correctly configured for IPv6. For example, on some Windows 10 machines I've noticed that even with IPv6 configured in the stack the firewall does not include a rule to allow inbound ICMPv6 echo requests.
     
    Last edited: May 14, 2019
  34. Nazgulled

    Nazgulled Serious Server Member

    The first test (ipconfig commands) didn't solve anything. Haven't had the time to do the second one yet.

    What I meant by "no IPV6 connectivity" is from Windows:

    [screenshot attachment: upload_2019-5-15_11-59-47.png]

    This is the guest network (br1), the main network (br0) says "Internet" in both and if I click on the "Details" button I can see a global IPv6 (starting with 2001) when connected to the main network but not the guest one.

    Just to be clear, only wireless clients connected to br1 don't work, wireless clients connected to br0 have no problems. I don't think it's an issue between wired/wireless clients.
     
  35. Nazgulled

    Nazgulled Serious Server Member

    Just did the second test, same results: "IPv6 Connectivity = No Internet access"
     
  36. Sean B.

    Sean B. Network Guru Member

    Are you certain of your ISP's configuration? A /56 is the prefix they delegate you?

    What is the output of:

    Code:
    ip -6 route show
    You can send it in PM if you like, so as not to have to redact that many IPs.

    Also, if I recall correctly you changed the VLAN ID of your WAN interface, right? Provide the output of

    Code:
    ifconfig vlan2
    However, replace VLAN2 with whatever VLAN you have changed your WAN to, if you so did.
     
    Last edited: May 15, 2019
  37. Nazgulled

    Nazgulled Serious Server Member

    Yes. But why would everything work on every wired/wireless LAN client on br0 but not br1?
     
  38. Sean B.

    Sean B. Network Guru Member

    Note my addition to the post above.

    Because br0 is getting the first delegated /64. If the prefix wasn't actually /56 then the second /64 may not be valid.
     
  39. Nazgulled

    Nazgulled Serious Server Member

    I only got this:

    Code:
    2001:_:_:8500::/64 dev br0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
    2001:_:_:8501::/64 dev br1  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
    fe80::/64 dev br0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
    fe80::/64 dev vlan3  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
    fe80::/64 dev br1  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
    fe80::/64 dev vlan100  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
    fe80::/64 dev eth2  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
    fe80::/64 dev wl0.1  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
    default via fe80::ff:fe00:2701 dev vlan100  proto kernel  metric 1024  expires 8965sec mtu 1500 advmss 1440 hoplimit 64
    I don't think I did but I may be wrong, here's what I have:

    [screenshot attachment: upload_2019-5-15_22-3-19.png]
     
  40. Sean B.

    Sean B. Network Guru Member

    Yeah, it's been changed to 100, as can be seen in the default route line from your output. What is the output for: ifconfig vlan100
     
  41. Nazgulled

    Nazgulled Serious Server Member

    Code:
    vlan100    Link encap:Ethernet  HWaddr AC:9E:17:80:98:29
               inet addr:188._._.59  Bcast:188.37.127.255  Mask:255.255.224.0
               inet6 addr: fe80::ae9e:17ff:fe80:9829/64 Scope:Link
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:17407340 errors:0 dropped:0 overruns:0 frame:0
               TX packets:10807299 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:0
               RX bytes:22038492131 (20.5 GiB)  TX bytes:9544501813 (8.8 GiB)
    
     
  42. Sean B.

    Sean B. Network Guru Member

    What is your internet connection type? Are you using PPPoE?
     
  43. Nazgulled

    Nazgulled Serious Server Member

    That I'm not sure. How can I check?

    Sent from my HTC 10 using Tapatalk
     
  44. Sean B.

    Sean B. Network Guru Member

    Under Basic->Network.
     
  45. Sean B.

    Sean B. Network Guru Member

    Also, check to see if the vlan2 interface still exists via: ifconfig vlan2 . If it does, post output. I'm wondering where the WAN side global IPv6 address is, as vlan100 does not have one. Example of what I'd expect to see:

    Code:
    root@Storage:/tmp/home/root# ifconfig vlan2 && ifconfig br0
    vlan2      Link encap:Ethernet  HWaddr xx:xx:xx:xx:31:25
               inet addr:67.x.x.x  Bcast:x.x.x.255  Mask:255.255.248.0
               inet6 addr: 2001:xxx:xxxx:xx:xxxx:xxxx:43a8:3f13/128 Scope:Global
               inet6 addr: fe80::24d:6fff:fe84:3125/64 Scope:Link
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:28334843 errors:0 dropped:0 overruns:0 frame:0
               TX packets:9084721 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:0
               RX bytes:37490081646 (34.9 GiB)  TX bytes:1347388195 (1.2 GiB)
    
    br0        Link encap:Ethernet  HWaddr xx:xx:xx:xx:57:20
               inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
               inet6 addr: fe80::a62:66ff:fe3a:5720/64 Scope:Link
               inet6 addr: 2601:xxx:xxxx:76f8::1/64 Scope:Global
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:4554373 errors:0 dropped:0 overruns:0 frame:0
               TX packets:11988356 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:0
               RX bytes:595895895 (568.2 MiB)  TX bytes:15451409384 (14.3 GiB)
    
    root@Storage:/tmp/home/root#
    Notice how the WAN has a /128 from the 2001 block, while the LAN has a /64 from the 2601 block. I get the feeling you're supposed to be running PD-only, or the code for dhcp6c/Tomato hasn't compensated for changing the VLAN of the WAN.

    Try checking the box for PD-only under Basic->IPv6, reboot router and test.

    **NOTE** Just in case the ip6tables rules are different than what I expect between your version of build and mine, post the output of:

    Code:
    ip6tables -t filter --list-rules FORWARD
    Alternatively, add this rule and check connectivity from guest network:

    Code:
    ip6tables -t filter -I FORWARD 1 -i br1 -j ACCEPT
    As this is a catch-all rule, after testing remove it with:

    Code:
    ip6tables -t filter -D FORWARD 1
     
    Last edited: May 16, 2019
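As an added example (not from Sean B. or the Tomato project), here are two offline checks over the kinds of output requested in this post and in #38: whether br0 and br1 each got a distinct /64 from the same delegated /56 in `ip -6 route`, and whether the FORWARD chain lets the guest bridge out via the WAN interface. The interface names and the 2001:db8:: prefixes in the sample data are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks over 'ip -6 route' and
# 'ip6tables -t filter --list-rules FORWARD' text. Constructed sample data
# in the style of the thread's output (2001:db8:: is the documentation prefix).
SAMPLE_ROUTES='2001:db8:1:8500::/64 dev br0  proto kernel  metric 256
2001:db8:1:8501::/64 dev br1  proto kernel  metric 256
fe80::/64 dev br0  proto kernel  metric 256
default via fe80::ff:fe00:2701 dev vlan100  proto kernel  metric 1024'

SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o vlan100 -j ACCEPT'

# Print the global-unicast (2000::/3) /64 routed on device $2 within routes text $1.
lan_prefix() {
  printf '%s\n' "$1" | awk -v dev="$2" \
    '$2 == "dev" && $3 == dev && $1 ~ /^[23][0-9a-f]*:.*::\/64$/ { print $1; exit }'
}

# Zero-pad one hextet to four hex digits (pure sh, no printf %x needed).
pad4() { h=$1; while [ ${#h} -lt 4 ]; do h=0$h; done; printf '%s' "$h"; }

# Succeed if two /64 prefixes (4-hextet form, e.g. 2001:db8:1:8500::/64) share a /56:
# the first three hextets match and the fourth hextet agrees in its top two digits.
same_56() {
  a=${1%::/64}; b=${2%::/64}
  [ "${a%:*}" = "${b%:*}" ] || return 1
  pa=$(pad4 "${a##*:}"); pb=$(pad4 "${b##*:}")
  [ "${pa%??}" = "${pb%??}" ]
}

# Succeed if br0 and br1 each have a global /64 and those /64s come from one /56.
check_lan_pd() {
  p0=$(lan_prefix "$1" br0); p1=$(lan_prefix "$1" br1)
  [ -n "$p0" ] && [ -n "$p1" ] && [ "$p0" != "$p1" ] && same_56 "$p0" "$p1"
}

# Succeed if the FORWARD rules let bridge $2 out via WAN $3, either through a
# catch-all '-i br1 -j ACCEPT' or an explicit '-i br1 -o vlan100 -j ACCEPT'.
check_guest_forward() {
  printf '%s\n' "$1" | grep -q -e "-A FORWARD -i $2 -j ACCEPT" \
                               -e "-A FORWARD -i $2 -o $3 -j ACCEPT"
}

# Usage on a router: check_lan_pd "$(ip -6 route)";
#                    check_guest_forward "$(ip6tables -t filter --list-rules FORWARD)" br1 vlan100
```

Run against live output, a failing `check_lan_pd` points at the prefix delegation (the /56 vs /64 question), while a failing `check_guest_forward` points at the ip6tables rules instead.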
  46. Nazgulled

    Nazgulled Serious Server Member

    Code:
    root@AC68U:/tmp/home/root# ifconfig vlan2
    ifconfig: vlan2: error fetching interface information: Device not found
    Code:
    root@AC68U:/tmp/home/root# ip6tables -t filter --list-rules FORWARD
    -P FORWARD DROP
    -A FORWARD -m rt --rt-type 0 -j DROP
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -i br1 -o br1 -j ACCEPT
    -A FORWARD -m state --state INVALID -j DROP
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT  
    -A FORWARD -i vlan100 -o vlan100 -j DROP
    -A FORWARD -p ipv6-nonxt -m length --length 40 -j ACCEPT    
    -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT  
    -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT  
    -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT  
    -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT  
    -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
    -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
    -A FORWARD -i vlan100 -p ipv6-crypt -j ACCEPT
    -A FORWARD -i vlan100 -p udp -m udp --dport 500 -j ACCEPT  
    -A FORWARD -i vlan100 -j wanin
    -A FORWARD -o vlan100 -j wanout
    -A FORWARD -i br0 -j ACCEPT
    -A FORWARD -i br1 -j ACCEPT
    -A FORWARD -i br0 -o vlan100 -j ACCEPT
    -A FORWARD -i br1 -o vlan100 -j ACCEPT
    
    This is getting into too much work (for both of us) just to get IPv6 on guest clients, which is not that big of a deal for me. So, unless you think there's some really bad configuration on my network that I should fix, maybe we should just let this go?

    I really appreciate all your help but I've already used up too much of your time for this...
     
  47. pedro311

    pedro311 Addicted to LI Member

    Did you try latest FreshTomato 2019.2?
    There were a lot of changes since the release of tomato v140 in IPv6 support...
     
  48. Nazgulled

    Nazgulled Serious Server Member

    Well, it's something I've been meaning to do because my current version is really outdated. But I haven't found the right time just yet. This is probably half of my problems, the old version that is.

    Sent from my HTC 10 using Tapatalk
     
  49. Sean B.

    Sean B. Network Guru Member

    Do me a favor, out of my own curiosity. Try checking the box for PD-Only when you have time. I'm almost certain you should not have a 2001 prefix for your LAN. Either the change of VLANs on the WAN has messed it up ( because the code assumes VLAN2 should be the WAN ), or PD-Only is required.
     
  50. Nazgulled

    Nazgulled Serious Server Member

    And after enabling that and rebooting the router, what should I check or look at?

    Sent from my HTC 10 using Tapatalk
     
  51. Sean B.

    Sean B. Network Guru Member

    Check connectivity for guest network. Also check ifconfig br0 and br1 , see what IPv6 prefix has been given.
     
  52. tvlz

    tvlz LI Guru Member

    Have you tried adding the Wan port to vlan3 ?
     
  53. Sean B.

    Sean B. Network Guru Member

    That would circumvent the router firewall and expose the br1 network.
     
  54. tvlz

    tvlz LI Guru Member

    Are you sure? Never had to work with an ISP that required a VLAN-tagged WAN. So that would mean that his device on vlan4 (STB?) has no firewall protection?
     
  55. Sean B.

    Sean B. Network Guru Member

    That is correct. When the WAN port and a LAN port are placed in the same VLAN, they both are outside of the router's NAT and within the same broadcast domain.
     
  56. Nazgulled

    Nazgulled Serious Server Member

    Same results on the guest client (no IPv6 connectivity, only link-local addresses).

    Code:
    root@AC68U:/tmp/home/root# ifconfig br0
    br0        Link encap:Ethernet  HWaddr AC:9E:17:80:98:28
               inet addr:192.168.0.254  Bcast:192.168.0.255  Mask:255.255.255.0   
               inet6 addr: 2001:_:_:_:_:17ff:fe80:9828/64 Scope:Global
               inet6 addr: fe80::ae9e:17ff:fe80:9828/64 Scope:Link     
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1       
               RX packets:15952 errors:0 dropped:0 overruns:0 frame:0   
               TX packets:22499 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:0
               RX bytes:2089498 (1.9 MiB)  TX bytes:23369988 (22.2 MiB)
    
    root@AC68U:/tmp/home/root# ifconfig br1
    br1        Link encap:Ethernet  HWaddr AC:9E:17:80:98:28
               inet addr:172.16.0.254  Bcast:172.16.0.255  Mask:255.255.255.0     
               inet6 addr: 2001:_:_:_:_:17ff:fe80:9828/64 Scope:Global
               inet6 addr: fe80::ae9e:17ff:fe80:9828/64 Scope:Link
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:2885 errors:0 dropped:0 overruns:0 frame:0
               TX packets:6053 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:0
               RX bytes:683524 (667.5 KiB)  TX bytes:7272013 (6.9 MiB)
    
     
  57. Sean B.

    Sean B. Network Guru Member

    Odd, it didn't change the addressing at all. Clients on br1 get no global address at all? Is there anything in the system log from dnsmasq?
     
  58. Nazgulled

    Nazgulled Serious Server Member

    None.

    Nothing of relevance as far as I can see.

    Well, it could be related to the really outdated Tomato version I'm using, I'll see if I can find the time to update it this weekend. Maybe that will help. But I'm not going to waste any more time on this since my intention is to move to Ubiquiti (EdgeMAX) hardware and I'll probably have to deal with all this again.
     
  59. tvlz

    tvlz LI Guru Member

    Don't think it's related to the firmware version, it is more likely about your ISP using Tagged WAN.

    If you move one of the LAN ports down to VLAN3 does that device get IPv6 on br1 subnet?

    Thinking that no IPv6 is getting out the Tagged WAN on vlan3.
    May want to try changing vlan3 vid to 100 to match the ISP wan tag.
     
    Last edited: May 31, 2019
  60. Sean B.

    Sean B. Network Guru Member

    All traffic leaving the WAN port would be tagged with VID 100 ( unless the WAN port is included in a different VLAN as well ). The LAN bridge VID's are not what is passed over the WAN, the WAN port VID is used.
     