Tomato IPv6/dnsmasq guide/faq

Discussion in 'Tomato Firmware' started by Kevin Darbyshire-Bryant, May 11, 2013.

  1. Kevin Darbyshire-Bryant

    Kevin Darbyshire-Bryant Networkin' Nut Member

    Tomato IPv6/dnsmasq Guide/FAQ

    What is IPv6?

    IPv6 is the current addressing technology used on the internet. It supersedes IPv4. IPv4 addresses have run out in certain parts of the world. There are no more addresses to allocate.

    What do IPv4 & IPv6 addresses look like?

    IPv4 addresses are represented by 4 octets (bytes if you prefer) written in decimal notation, each separated by a full stop (period for the US). is an internet routable IPv4 address. Since each octet is 8 bits long the address length is 32 bits. IPv6 uses 16 octets written in hexadecimal notation (base 16). Hexadecimal uses digits 0-9 & letters a-f. Each group of 4 digits is separated by a colon ‘:’; 1111:2222:3333:4444:5555:6666:7777:8888 would represent an IPv6 address. Clearly the address length is *MUCH* longer at 128 bits. Leading zeros in each address block may be eliminated, e.g. 1000:2000:3000:4000:0001:0020:0300:4000 could be written as 1000:2000:3000:4000:1:20:300:4000. A further shortcut may be used *ONCE* only in an address string; this is done by using a double colon ‘::’. E.g. 1111:2222:3333:4444:0:0:0:1 may be written as 1111:2222:3333:4444::1. Since IPv6 addresses include letters there is much fun to be had by choosing addresses that write out words. Look out for DEAD:BEEF or FACE:B00C :)

    Does IPv6 have the equivalent of subnets or a netmask?

    Yes. IPv4, before Classless Internet Domain Routing came along, used a netmask to tell a system which part of the IPv4 address represented the network portion and which represented the host portion. An address with a netmask of would split the address into a ‘192.168.1’ network portion and a ‘.1’ host portion. CIDR introduced another method of representing the netmask, in essence defining how many bits are used for the network portion. This is indicated by a ‘/’ followed by the number of bits to use as the netmask. E.g. 192.168.1/24 represents the network portion as being 24 bits long (or equivalent netmask) and implicitly 8 bits used for the host. IPv4, when it was divided into classful networks, used for Class A networks, for Class B, and Class C for These days they are /8, /16 & /24 respectively.

    IPv6 uses something called the prefix length defined in a similar way. A common prefix length is /64, so the first 64 bits of an IPv6 address represent the network portion, with the final 64 representing the host.

    How do I get an IPv6 address?

    More correctly you should ask how do I get an IPv6 prefix assigned to me? Since IPv6 has so many addresses available it is common practice to be assigned an entire /64 prefix. So you’ve a 64 bit host range for all your hosts! The concept of hiding many local IPv4 hosts behind one internet routable address (commonly called NAT or masquerading) is not required in IPv6. Every host on your network has the potential of having its own IPv6 internet routable address. Even if your current ISP doesn’t do native IPv6 you may be able to use a tunnel provider to allow you IPv6 access. Hurricane Electric ( provide a free tunnel server (and courses on IPv6) for you to experiment with. It’s how I currently get on the IPv6 internet.

    Did you just say every host on my local network will have an internet routable IPv6 address?

    Yes I did! I know what you’re thinking…what about the ‘security’ provided by NAT where I could map certain ports on the internet routable address to internal hosts but otherwise the internet would get no response whatsoever? Tomato in IPv6 land still has a firewall between the internet (WAN) facing interface and the local hosts (LAN) facing interface. These are commonly vlan2 & br0 respectively in Tomato. You can punch holes in the firewall to allow WAN access through to LAN based IPv6 hosts. Tomato is in essence acting as a layer 3 bridge between the WAN & LAN interfaces.

    IPv4 has a number of special addresses, what about IPv6?

    Yes it does. IPv6 has something called a link local address. This is the prefix FE80::/10. It represents addresses that may be used locally on your network and are NOT IPv6 internet routable. They are equivalent to APIPA 169.254.0-255/16 IPv4 non routable addresses that some IPv4 devices automatically configure if they don’t receive an address by other means (e.g. DHCP). They’re also similar to 10/8, 172.16-32/16, 192.168.0-255/24 IPv4 non routable addresses, though these IPv4 addresses are not generally automatically configured. alias the IPv4 loopback address is ::1/128. I personally never understood why an entire Class A range was given to loopback in IPv4 anyway...but it's better in IPv6.

    Multicast IPv6 addresses are FF00::/8

    Something that you may not be used to: a network interface will have more than one IPv6 address if it’s internet routable! It will have a link local address FE80, and an internet routable prefix, it'll probably have a multicast address as well.

    See here for the full scope/scoop.

    So how do my hosts get an IPv6 address assignment, is there something like DHCP?

    Oh boy. Now the rabbit hole begins! There needs to be a host on your local LAN providing Router Advertisement (RA) broadcasts. This traditionally has been done by a process called RADVD. RADVD broadcasts its presence to the LAN on occasion, but also a host may solicit a broadcast, the equivalent of saying ‘anyone seen a router?’ RADVD doesn’t actually hand out addresses; instead it flags whether addresses are handled in a stateless (SLAAC) or stateful (DHCPv6) manner. It also advertises the IPv6 prefix length and possibly a DNS server.

    SLAA what? – StateLess Address Auto Configuration. In essence a host takes the advertised prefix and adds a hash of the interface's MAC address as the host portion, thus forming a full 128-bit IPv6 address. RADVD hasn’t been involved in this calculation and doesn’t even know the address chosen. But there’s another problem. Since the MAC address hash algorithm is predictable, a particular host will have the same host address portion no matter what prefix is in use, thus it may be possible to track a particular host even though it has been configured on different prefix networks. Something called Privacy Extensions was implemented which further randomises the generated host portion of the address. This privacy extension is by default enabled on the Windows platform.

    What about DHCPv6? DHCPv6 hands out IPv6 addresses like DHCPv4 but there’s a gotcha. DHCPv6 cannot advertise the prefix length (imagine DHCPv4 without the netmask!). Also it no longer associates the client's MAC address with the IPv6 address but rather something called the DUID. So tying a particular address/hostname combination to a host is difficult. DHCPv6 itself also supports a stateless mode.

    To further compound this issue, not all IPv6 hosts support DHCPv6, though all hosts are required to support SLAAC.

    What about DNS?

    Traditionally dnsmasq is the server on Tomato that provides both DHCPv4 & DNS service. Since they’re integrated, any DHCPv4 hosts get a matching hostname & reverse lookup in the local IPv4 address space. Since dnsmasq is not involved in SLAAC (not that RADVD knows anything either) it is not possible to create corresponding local DNS entries for your local hosts, nor the reverse lookups.

    Any connection logging pages are going to look like gibberish without IPv6 to hostname lookups.

    Is there a solution to this mess?

    Sort of. Dnsmasq can provide RA service like RADVD, it can also provide DHCPv6. Since it’s an integrated DNS server/forwarder it can also have a good attempt at mapping IPv6 addresses to hostnames and back. This is easy for DHCPv6 served addresses but not so easy for SLAAC, however it will even attempt to guess the IPv6 address generated for an SLAAC host, if it’s seen a corresponding DHCPv4 host/MAC address combination (this is the ra-names option of dnsmasq)

    That’s pretty cool! Yes it is.

    How can I use the dnsmasq thing of which you speak for IPv6 LAN service?

    I’d recommend using a version of dnsmasq above 2.63. 2.61 will work but there’s a bug in the RA flags that’ll slightly upset windows clients. If using version 2.66 or above then you can take advantage of the new ‘constructor’ option.

    Disable ‘use RADVD’ in the IPv6 config page if it exists. Otherwise disable ‘enable IPv6 RA’ in Advanced->dhcp/dns.

    2.66+: enter the following into dnsmasq.custom

    dhcp-range=::1, ::FFFF:FFFF, constructor:br*, ra-names, 12h

    This enables a DHCPv6 range on all ‘br’ interfaces (usually br0) from br prefix::1 to br prefix::FFFF:FFFF *ASSUMING* that br’n’ ACTUALLY HAS AN ADDRESS ENDING IN ‘::1’. If it does NOT then adjust the dhcp range start to match the host portion of br’n’s address. Dnsmasq will automagically pick up the prefix and build a suitable dhcp range. It will also attempt to provide hostnames based on IPv4 addresses for any SLAAC configured hosts.

    Pre-2.66:

    dhcp-range=LAN_PREFIX::1,LAN_PREFIX::FFFF:FFFF, ra-names, 12h

    If all else fails, please read the dnsmasq man page.

    How can I find my LAN prefix?

    Have a look at the Router status overview page, LAN IPv6 address. You’ll stand a good chance of it being the first 4 hex groups as a /64

    Can I blame dnsmasq for breaking my entire IPv6 network and ruining my life?

    No. Dnsmasq is responsible for handing out addresses to the LAN. It has no interest or involvement in obtaining IPv6 addresses for or on the WAN interface.

    But now none of my IPv6 hosts can ping anything on the IPv6 network, and various testipv6 sites say my IPv6 is broken?

    See the above entry. The fundamental question here is does the router WAN interface have an IPv6 address *AND* can the router ping an IPv6 address such as (2a00:1450:400c:c00::6a) Until the WAN side of your router is fixed then it’s unreasonable to expect the LAN side machines to be okay. Whether using radvd or blaming the world on dnsmasq, the net result would be the same.

    I can’t ping an IPv6 address in Tools>Ping – is that the fault of dnsmasq?

    No. The hostname/address entry field is broken and cannot distinguish between a hostname & an IPv6 address. Either use ‘tools->system’ and enter ‘ping -c 3 ipv6::address’ or telnet/ssh into the router and use the command line. Some versions of Tomato have been fixed & allow IPv6 address entry without reporting 'invalid address'.

    dnsmasq fills my routers log file with dhcp & router advertisement/solicit logs.

    Yes it does. It's telling you what's going on IPv6 wise on your LAN.

    My Windows hosts have lots of IPv6 addresses and while it says it has a DHCPv6 address it's using others.

    Yes it does that. Windows assigns temporary IPv6 addresses to interfaces with or without Privacy Extensions, and it prefers to use those rather than DHCPv6 assigned addresses. My recommendation is to disable privacy extensions and temporary IPv6 addresses.

    I plan to update this with some basic routing info (when I understand it) and also some basic tunnelling info.

    Above is based on my (bitter) experience and in no way represents the standards or should be taken as a definitive guide. I'm an end user that may be slightly ahead of you at this time, but is definitely behind others who have blazed the trail and left.
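The address compression rules, the /64 prefix, the dnsmasq dhcp-range line and the SLAAC tracking problem from the guide above can all be worked through in a few lines of Python. The following is an added example written for this thread; it is not code from Kevin's post or from the dnsmasq or Tomato projects. It uses only the standard ipaddress module. The prefix 2001:db8:1:2::/64 is the IPv6 documentation range and the MAC address 00:1c:42:2b:60:5a is a constructed sample, so neither belongs to a real network.

```python
import ipaddress


def compress(addr: str) -> str:
    """Canonical short form: leading zeros dropped, longest zero run as '::'."""
    return str(ipaddress.IPv6Address(addr))


def expand(addr: str) -> str:
    """Full eight-group form with every leading zero written out."""
    return ipaddress.IPv6Address(addr).exploded


def scope(addr: str) -> str:
    """Classify an address the way the guide's 'special addresses' section does."""
    a = ipaddress.IPv6Address(addr)
    if a.is_loopback:
        return "loopback"        # ::1/128
    if a.is_link_local:
        return "link-local"      # FE80::/10, not internet routable
    if a.is_multicast:
        return "multicast"       # FF00::/8
    if a.is_private:
        return "unique-local/reserved"
    return "global"


def lan_prefix(lan_addr: str, prefix_len: int = 64) -> ipaddress.IPv6Network:
    """Network portion of the 'LAN IPv6 address' shown on the router status page."""
    return ipaddress.IPv6Interface(f"{lan_addr}/{prefix_len}").network


def dnsmasq_dhcp_range(lan_addr: str, lease: str = "12h") -> str:
    """Build the pre-2.66 style dhcp-range line from the router's own LAN address.

    Start is prefix::1 and end is prefix::FFFF:FFFF, matching the guide's example.
    """
    net = lan_prefix(lan_addr)
    base = int(net.network_address)
    start = ipaddress.IPv6Address(base + 1)
    end = ipaddress.IPv6Address(base + 0xFFFF_FFFF)
    return f"dhcp-range={start},{end},ra-names,{lease}"


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 host portion that classic SLAAC derives from a MAC address.

    The 48-bit MAC is split in half, FF:FE is inserted in the middle and the
    universal/local bit (0x02 of the first octet) is flipped. No secret is
    involved, which is why the host portion is identical on every prefix.
    """
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 octets")
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    iid[0] ^= 0x02
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> str:
    """Address a SLAAC host without privacy extensions would pick on 'prefix'."""
    net = ipaddress.IPv6Network(prefix)
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def looks_like_eui64(addr: str) -> bool:
    """True if the host portion carries the FF:FE marker of a MAC-derived address.

    A defender can use this to spot hosts that are not using privacy extensions
    or temporary addresses and therefore expose a stable, trackable identifier.
    """
    packed = ipaddress.IPv6Address(addr).packed
    return packed[11:13] == b"\xff\xfe"


def mac_from_slaac(addr: str) -> str:
    """Recover the MAC address embedded in an EUI-64 style SLAAC address."""
    if not looks_like_eui64(addr):
        raise ValueError("address does not look EUI-64 derived")
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:16])
    iid[0] ^= 0x02                       # undo the universal/local bit flip
    mac = bytes(iid[:3] + iid[5:])       # drop the FF:FE filler
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    mac = "00:1c:42:2b:60:5a"            # constructed sample MAC
    print(compress("1111:2222:3333:4444:0:0:0:1"))
    print(dnsmasq_dhcp_range("2001:db8:1:2::1"))
    # Same host portion on two different prefixes: the tracking problem
    for pfx in ("2001:db8:1:2::/64", "2001:db8:ffff:9::/64"):
        a = slaac_address(pfx, mac)
        print(pfx, "->", a, "| MAC recoverable:", mac_from_slaac(a))
```

Running it shows the same 21c:42ff:fe2b:605a host portion on both prefixes, which is exactly why the guide mentions Privacy Extensions; the looks_like_eui64 check is a quick way to audit a LAN's addresses (from the dnsmasq log or a neighbour table) for hosts still advertising their MAC in this way.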
  2. Toastman

    Toastman Super Moderator Staff Member Member

    I added a link to this article in "Common Tomato Topics".
  3. philess

    philess Networkin' Nut Member

    :D hahahaha.

    Ok but seriously, thanks for this helpful guide. Will try it all out
    instead of RADVD in the next few days.