relay mode does not work #37

Open
zhou13 opened this Issue Mar 1, 2015 · 31 comments

zhou13 commented Mar 1, 2015

The relay mode does not work on my OpenWRT router. Devices on the LAN can get an inet6 addr but are unable to ping any public ipv6 address. By Googling odhcpd and ipv6 relay, I found many similar problems but none of them are solved. Therefore I think they are due to a bug in odhcpd rather than a configuration problem.

I think issues 15 and 25 are about the same problem but they were closed without actually solving it. I am glad to provide packet captures and other debug information if the developer is still interested in solving this problem.

zhou13 changed the title from "relay mode does not work at all" to "relay mode does not work" Mar 1, 2015

Member

sbyx commented Mar 1, 2015

Sure feel free to send me pcaps.

zhou13 commented Mar 7, 2015

Hi I am back.

I made two pcaps. You can download them from https://onedrive.live.com/redir?resid=B1ADCE2F515F326%21336.

  1. The pcap on my own laptop (running linux) when I try to after I plug in the Ethernet cable to show the environment of our university. I found that M=O=0 in this pcap, which means that our university uses SLAAC to assign ipv6 address. So I disable dhcpv6 in the second pcap. The MAC address of my laptop is 80:fa:5b:0d:80:e9 in this pcap.
  2. The pcap on the openwrt router running odhcpc when a client (running windows) connects to the router through WiFi. odhcpc is running in the relay mode. The WAN of the router (eth0.2) is able to get its ipv6 address and works correctly. The client can get its ipv6 address but pings to 2001:4860:4860::8888 (google dns) time out (packet no 3649 and later). The pcap is generated by tcpdump -n -i any -vv -w xxxx.pcap. I am not familiar with the relay protocol so I cannot find the problem here.

Let me know if you need additional information.

Client information (ipconfig after connecting to the WiFi):

Wireless LAN adapter WLAN:
Connection-specific DNS Suffix . : lan
IPv6 Address. . . . . . . . . . . : 2402:f000:5:8401:fcd9:efd1:887d:4b56
Link-local IPv6 Address . . . . . : fe80::fcd9:efd1:887d:4b56%4
IPv4 Address. . . . . . . . . . . : 192.168.1.190
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::6eb0:ceff:fe11:57b2%4
192.168.1.1

My /etc/config/dhcp:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 disabled
        option ra relay
        option ndp relay

config dhcp wan6
        option dhcpv6 disabled
        option ra relay
        option ndp relay
        option master 1

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

router information:

root@WNDR4300:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 1e:4c:98:92:98:de brd ff:ff:ff:ff:ff:ff
    inet6 fe80::1c4c:98ff:fe92:98de/64 scope link 
       valid_lft forever preferred_lft forever
3: ip6tnl0: <NOARP> mtu 1452 qdisc noop state DOWN group default 
    link/tunnel6 :: brd ::
4: sit0: <NOARP> mtu 1480 qdisc noop state DOWN group default 
    link/sit 0.0.0.0 brd 0.0.0.0
5: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
    link/ether 2a:99:5f:8d:4e:06 brd ff:ff:ff:ff:ff:ff
6: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
    link/ether 7e:b6:2f:02:3e:b6 brd ff:ff:ff:ff:ff:ff
7: gre0: <NOARP> mtu 1476 qdisc noop state DOWN group default 
    link/gre 0.0.0.0 brd 0.0.0.0
8: gretap0: <BROADCAST,MULTICAST> mtu 1476 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
9: ip6gre0: <NOARP> mtu 1448 qdisc noop state DOWN group default 
    link/gre6 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 brd 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
10: ipddp0: <BROADCAST,MULTICAST,NOARP> mtu 585 qdisc noop state DOWN group default qlen 1000
    link/ip/ddp 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
11: teql0: <NOARP> mtu 1500 qdisc noop state DOWN group default qlen 100
    link/void 
19: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 6c:b0:ce:11:57:b2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 2402:f000:5:8401:6eb0:ceff:fe11:57b3/64 scope global dynamic 
       valid_lft 2591902sec preferred_lft 604702sec
    inet6 fda0:52f6:20cb::1/60 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::6eb0:ceff:fe11:57b2/64 scope link 
       valid_lft forever preferred_lft forever
20: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default 
    link/ether 1e:4c:98:92:98:de brd ff:ff:ff:ff:ff:ff
21: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 6c:b0:ce:11:57:b3 brd ff:ff:ff:ff:ff:ff
    inet 183.173.144.118/21 brd 183.173.151.255 scope global eth0.2
       valid_lft forever preferred_lft forever
    inet6 2402:f000:5:8401:6eb0:ceff:fe11:57b3/64 scope global dynamic 
       valid_lft 2591902sec preferred_lft 604702sec
    inet6 fe80::6eb0:ceff:fe11:57b3/64 scope link 
       valid_lft forever preferred_lft forever
22: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
    link/ether 6c:b0:ce:11:57:b4 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::6eb0:ceff:fe11:57b4/64 scope link 
       valid_lft forever preferred_lft forever
23: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
    link/ether 6c:b0:ce:11:57:b2 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::6eb0:ceff:fe11:57b2/64 scope link 
       valid_lft forever preferred_lft forever

hexchain commented Mar 16, 2015

Same problem here. It's a 4MB TP-Link MR-13U so no iproute2 and no tcpdump. (Argh!)

/etc/config/dhcp:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option filterwin2k '1'
        option notinterface eth0

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option start '1'
        option limit '253'
        option ra 'relay'
        option ndp 'relay'
        option dhcpv6 'relay'

config dhcp 'wan6'
        option interface 'wan'
        option ra 'relay'
        option ndp 'relay'
        option dhcpv6 'relay'
        option master '1'

config dhcp 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

ifconfig on router:

root@dorm-gateway:/etc/config# ifconfig
br-lan    Link encap:Ethernet  HWaddr 14:CF:92:C7:C1:3C  
          inet addr:172.16.144.254  Bcast:172.16.144.255  Mask:255.255.255.0
          inet6 addr: fdb8:1b93:b960::1/64 Scope:Global
          inet6 addr: fe80::16cf:92ff:fec7:c13c/64 Scope:Link
          inet6 addr: 2001:250:4000:8138:16cf:92ff:fec7:c13c/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:60525 errors:0 dropped:0 overruns:0 frame:0
          TX packets:59684 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:10018837 (9.5 MiB)  TX bytes:37493175 (35.7 MiB)

eth0      Link encap:Ethernet  HWaddr 14:CF:92:C7:C1:3C  
          inet addr:222.20.101.197  Bcast:222.20.101.255  Mask:255.255.255.0
          inet6 addr: fe80::16cf:92ff:fec7:c13c/64 Scope:Link
          inet6 addr: 2001:250:4000:8138:16cf:92ff:fec7:c13c/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:130445 errors:0 dropped:8 overruns:0 frame:0
          TX packets:55875 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:44997783 (42.9 MiB)  TX bytes:10494035 (10.0 MiB)
          Interrupt:4 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1384 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1384 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:105858 (103.3 KiB)  TX bytes:105858 (103.3 KiB)

wlan0     Link encap:Ethernet  HWaddr 14:CF:92:C7:C1:3C  
          inet6 addr: fe80::16cf:92ff:fec7:c13c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:60855 errors:0 dropped:0 overruns:0 frame:0
          TX packets:56043 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:10919230 (10.4 MiB)  TX bytes:36370304 (34.6 MiB)

ip addr show wlan0 on my laptop:

3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 44:85:00:01:7f:25 brd ff:ff:ff:ff:ff:ff
    inet 172.16.144.185/24 brd 172.16.144.255 scope global wlan0
       valid_lft forever preferred_lft forever
    inet6 2001:250:4000:8138:14de:fff8:dc84:5a44/64 scope global temporary dynamic 
       valid_lft 602274sec preferred_lft 83274sec
    inet6 2001:250:4000:8138:4685:ff:fe01:7f25/64 scope global mngtmpaddr dynamic 
       valid_lft 2591750sec preferred_lft 604550sec
    inet6 fe80::4685:ff:fe01:7f25/64 scope link 
       valid_lft forever preferred_lft forever

Plus, I have these kernel params set, to let system use tempaddr by default (hiding MAC address from the IPv6 world):

net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.eth0.use_tempaddr = 2
net.ipv6.conf.wlan0.use_tempaddr = 2

By examining route -A inet6 on the router, there are only lines destined to my mngtmpaddr address (ending with 7f25), no relevant lines related to my temporary address (ending with 5a44), or there is such a line with a wrong "Interface" field (eth0, should be br-lan). By doing ping6 <my-temporary-address> -I br-lan on the router I can get IPv6 connectivity, but not long after stopping pinging. So I think this problem is due to IPv6 Privacy Extension.

huiyiqun commented Mar 17, 2015

I have noticed something interesting and hope it may help.

My laptop has gotten an ipv6 address with the configuration of @zhou13, but I could not ping a server outside of the router. But after I ping the server on the router, I could also ping it from my laptop.

I'm not familiar with the ipv6 protocol, so I could not explain it. But I hope it could help solve the problem.

@zhou13 @hexchain maybe you could try to test it in your environment.

@sbyx Thanks for your great job.

zhou13 commented Mar 17, 2015

This behavior is normal as it does not involve relay operation.

In my environment, the laptop and router can ping each other but the laptop cannot ping a global IP address.

I notice that there are no router solicitations in WAN in the relay mode when the laptop is connected. Maybe that is the reason that the up link does not make the proper router decision?


mchouque commented Mar 17, 2015

@zhou13 I see the exact same thing: all my machines on the LAN have routable IPv6 addresses (derived from the one I get from my ISP) but from the LAN I cannot reach the WAN.

EvianZhow commented May 31, 2015

Experienced the same problem. Looking for further information.

SebastianS90 commented May 31, 2015

Which version are you using? OpenWRT uses an outdated version of odhcpd that has an issue with ndp relay. See https://dev.openwrt.org/ticket/18341

EvianZhow commented May 31, 2015

@SebastianS90 I'm using the official version (2014-08-23-24452e1e3e9adfd9d8e183db1aa589f77727f5a7). I'm considering updating the version.

zcecc22 commented Jun 11, 2015

I experience the same issue running openwrt trunk (own compilation) on x86 and wdr3800. Clients all get ipv6 global addresses but cannot ping past the router.

One element I should add is that for some reason after turning relay on, both lan and wan interfaces in openwrt get the SAME ipv6 global address. Without relaying, the lan interface obviously does not get any. Maybe the wan and lan getting the same ipv6 address is part of the relaying magic (@sbyx could you let me know?).

I have enabled forwarding of ICMPv6 router-advertisement and neighbour-advertisement from wan to lan, which is disabled by default in OpenWrt, but this did not help. @sbyx if you could confirm the rules required for INPUT from wan and FORWARD from wan to lan that could rule out firewall configuration issues.

Configuration is correct as per below:

config dhcp 'lan'
option interface 'lan'
option leasetime '36h'
option start '100'
option limit '150'
option ra 'relay'
option ndp 'relay'
option dhcpv6 'relay'

config dhcp 'wan6'
option interface 'wan'
option ra 'relay'
option ndp 'relay'
option dhcpv6 'relay'
option master '1'

zhou13 commented Jun 30, 2015

Any comments on the previous pcap? Should I provide something additionally?

murilopontes commented Nov 4, 2015

Hi,
I'm using OpenWrt Chaos Calmer 15.05 / LuCI (git-15.248.30277-3836b45)
my config is:

cat /etc/config/dhcp
.....
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option ra 'relay'
option dhcpv6 'relay'
option ndp 'relay'

config dhcp 'wan6'
option master '1'
option interface 'wan'
option ra 'relay'
option ndp 'relay'
option dhcpvp6 'relay'
.....

From SSH into the router ping6 works fine
ping6 google.com
PING google.com (2800:3f0:4004:801::1003): 56 data bytes
64 bytes from 2800:3f0:4004:801::1003: seq=0 ttl=56 time=69.824 ms

My laptops get valid global IPv6 address from relay, but routing is not working.
ping6 google.com
PING google.com (2800:3f0:4004:801::1005): 56 data bytes
^C
--- google.com ping statistics ---
19 packets transmitted, 0 packets received, 100% packet loss

zcecc22 commented Nov 4, 2015

Could you share your firewall config? The icmpv6 lines are relevant.

(sent from iphone)

On 04 Nov 2015, at 13:00, Murilo Pontes notifications@github.com wrote:

Hi,
I'm using OpenWrt Chaos Calmer 15.05 / LuCI (git-15.248.30277-3836b45)
my config is:

cat /etc/config/dhcp
.....
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option ra 'hybrid'
option dhcpv6 'hybrid'
option ndp 'hybrid'

config dhcp 'wan6'
option master '1'
option interface 'wan6'
option ra 'relay'
option ndp 'relay'
option dhcpvp6 'relay'
.....

From SSH into the router ping6 works fine
ping6 google.com
PING google.com (2800:3f0:4004:801::1003): 56 data bytes
64 bytes from 2800:3f0:4004:801::1003: seq=0 ttl=56 time=69.824 ms

My laptops get valid global IPv6 address from relay, but routing is not working.
ping6 google.com
PING google.com (2800:3f0:4004:801::1005): 56 data bytes
^C
--- google.com ping statistics ---
19 packets transmitted, 0 packets received, 100% packet loss



murilopontes commented Nov 7, 2015

Hi @zcecc22

cat /etc/config/firewall

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'

config zone
option name 'wan'
option output 'ACCEPT'
option input 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option mtu_fix '1'
option network 'wan wwan6 wwan ipv4wifi ipv6 WAN wan6'

config forwarding
option src 'lan'
option dest 'wan'

config include
option path '/etc/firewall.user'

zcecc22 commented Nov 7, 2015

In my case, adding the following rules to Allow-ICMPv6-Forward was required:

list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'

BR,
Vincent

(sent from iphone)
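
One way to read which ICMPv6 neighbour-discovery types a firewall config like the ones posted in this thread lists for the wan zone, and whether those lists decide anything. This is an added example, not part of any comment or of OpenWrt/odhcpd: the sample config is constructed, `parse_uci` and `audit_ndp` are hypothetical names, and the fallback-policy handling is a simplified assumption about how the firewall falls back when no rule matches.

```python
import shlex

# ICMPv6 neighbour-discovery type names, spelled as in the configs in this thread.
NDP_TYPES = {"router-solicitation", "router-advertisement",
             "neighbour-solicitation", "neighbour-advertisement"}


def parse_uci(text):
    """Parse UCI text into a list of {'type', 'name', 'options', 'lists'} dicts."""
    sections = []
    for raw in text.splitlines():
        try:
            tok = shlex.split(raw, comments=True)
        except ValueError:  # unbalanced quote: skip the line
            continue
        if len(tok) >= 2 and tok[0] == "config":
            sections.append({"type": tok[1],
                             "name": tok[2] if len(tok) > 2 else None,
                             "options": {}, "lists": {}})
        elif sections and len(tok) >= 3 and tok[0] == "option":
            sections[-1]["options"][tok[1]] = tok[2]
        elif sections and len(tok) >= 3 and tok[0] == "list":
            sections[-1]["lists"].setdefault(tok[1], []).append(tok[2])
    return sections


def audit_ndp(text, zone="wan"):
    """Report, per chain, which NDP types the ACCEPT rules for `zone` list."""
    sections = parse_uci(text)
    defaults = next((s["options"] for s in sections if s["type"] == "defaults"), {})
    zone_opts = next((s["options"] for s in sections if s["type"] == "zone"
                      and s["options"].get("name") == zone), {})
    listed = {"input": set(), "forward": set()}
    for s in sections:
        o = s["options"]
        if (s["type"] != "rule" or o.get("src") != zone
                or o.get("proto") != "icmp"
                or o.get("family", "any") not in ("ipv6", "any")
                or o.get("target", "").upper() != "ACCEPT"
                or o.get("enabled", "1") == "0"
                or "src_ip" in o or "dest_ip" in o):  # address-limited rules skipped
            continue
        # Simplification: a rule with a dest zone is a forward rule, else input.
        chain = "forward" if "dest" in o else "input"
        types = s["lists"].get("icmp_type", []) + o.get("icmp_type", "").split()
        listed[chain].update(types or NDP_TYPES)  # no icmp_type means every type
    # Assumed fallbacks: the zone's own 'input' policy for input, and the
    # 'defaults' forward policy for forwarding from this zone to another zone.
    fallback = {"input": zone_opts.get("input", "unset").upper(),
                "forward": defaults.get("forward", "unset").upper()}
    # rules_decide is False when unmatched traffic is accepted anyway, so the
    # icmp_type lists filter nothing. Explicit DROP/REJECT rules are not modelled.
    return {chain: {"fallback": fallback[chain],
                    "ndp_listed": sorted(NDP_TYPES & listed[chain]),
                    "ndp_not_listed": sorted(NDP_TYPES - listed[chain]),
                    "rules_decide": fallback[chain] != "ACCEPT"}
            for chain in ("input", "forward")}


# Constructed sample, modelled on the configs posted in this thread.
SAMPLE = """
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward '{forward}'

config zone
        option name 'wan'
        option input '{wan_input}'
        option forward '{forward}'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        option family 'ipv6'
        option target 'ACCEPT'
"""

if __name__ == "__main__":
    for label, kw in (("all-ACCEPT", dict(wan_input="ACCEPT", forward="ACCEPT")),
                      ("restrictive", dict(wan_input="REJECT", forward="REJECT"))):
        print(label, audit_ndp(SAMPLE.format(**kw)))
```

With every policy set to ACCEPT, `rules_decide` is False for both chains, so editing the `icmp_type` lists changes nothing and the zone accepts all unmatched traffic from wan.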


crccw commented Dec 5, 2015

Hi @zcecc22, I'm experiencing the same problem, adding those rules does not solve it.
Is there any way I can debug it to see if it's a firewall issue?

Orthocenter commented Dec 5, 2015

Today I found that if I restart odhcpd after boot, everything will be ok.

crccw commented Dec 5, 2015

It seems that the upstream router just ignores all the neighbor advertisements my router sends... When I ping a computer in my LAN from a remote server, I get the following on my router:

00:55:14.453214 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2001:da8:207:e132::1 > ff02::1:ff02:f47c: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2001:da8:207:e132:3602:86ff:fe02:f47c
00:55:14.454657 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 8) 2001:da8:207:e132:286:33ff:fe50:53c6 > 2001:da8:207:e132:3602:86ff:fe02:f47c: [icmp6 sum ok] ICMP6, echo request, seq 0
00:55:14.454687 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 8) 2001:da8:207:e132:286:33ff:fe50:53c6 > 2001:da8:207:e132:3602:86ff:fe02:f47c: [icmp6 sum ok] ICMP6, echo request, seq 0
00:55:14.457539 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 8) 2001:da8:207:e132:3602:86ff:fe02:f47c > 2001:da8:207:e132:286:33ff:fe50:53c6: [icmp6 sum ok] ICMP6, echo reply, seq 0
00:55:14.457577 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 8) 2001:da8:207:e132:3602:86ff:fe02:f47c > 2001:da8:207:e132:286:33ff:fe50:53c6: [icmp6 sum ok] ICMP6, echo reply, seq 0
00:55:14.581173 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2001:da8:207:e132:286:33ff:fe50:53c6 > 2001:da8:207:e132::1: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is 2001:da8:207:e132:3602:86ff:fe02:f47c, Flags [solicited]

But no echo reply is routed here..

Mygod commented Nov 14, 2016

I finally made clients get IPv6 addresses in relay mode. However after any client finishes dhcpv6 requests, the router is unable to make IPv6 connections any more. And no clients can make IPv6 connections either. 😢

tatsuteng commented Dec 15, 2016

I've encountered a similar issue under a SLAAC network. After observing the packets on br-lan and iface of wan, I noticed that the router only queried iface of wan about the LAN device's address (neighbor solicitation), but not br-lan. This means the router could not discover the LAN device on br-lan.

So I checked the README and added:

config dhcp 'lan'
        option ndproxy_slave '1'

After restarting odhcpd and reconnect LAN devices, everything just works.

However I still have no idea what external slave is. Maybe it is a necessary option, yet we neglect it because we don't understand the terminology.

rikakomoe commented Jul 8, 2017

I have the same problem: I'm able to get an ipv6 address but cannot access ipv6. Is there any solution?

JohnyGemityg commented Sep 19, 2017

Same problem here
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'

config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option ra 'relay'
option dhcpv6 'relay'
option ndp 'relay'
option ndproxy_slave '1'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config dhcp wan6
option dhcpv6 relay
option ra relay
option ndp relay
option master 1

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
option ifname 'eth1'
option force_link '1'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.0.1'
option igmp_snooping '1'
option ip6assign '64'

config interface 'wan'
option ifname 'eth0'
option proto 'dhcp'
option hostname 'Lenovo'
option macaddr '68:f7:28:6f:c9:ee'

config interface 'wan6'
option ifname 'eth0'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 4'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'

config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'

config rule
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config redirect
option enabled '1'
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '22'
option dest_ip '192.168.0.245'
option dest_port '22'
option name '22'

config rule
option target 'ACCEPT'
option name 'IGMP TV'
option proto 'igmp'
option src 'wan'
option dest '*'

config rule
option enabled '1'
option target 'ACCEPT'
option name 'IPVT multicast'
option proto 'udp'
option src 'wan'
option dest 'lan'
option dest_ip '224.0.0.0/4'
option family 'ipv4'

config forwarding
option dest 'wan'
option src 'lan'

Linux OpenWrt 3.18.23 #1 Sun Jan 31 18:39:35 CET 2016 mips GNU/Linux

root@OpenWrt:~# ifconfig
br-lan Link encap:Ethernet HWaddr 30:B5:C2:C0:C5:A4
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: 2001:67c:1220:c1a3:6af7:28ff:fe6f:c9ee/64 Scope:Global
inet6 addr: fe80::32b5:c2ff:fec0:c5a4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3356 errors:0 dropped:0 overruns:0 frame:0
TX packets:3293 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:738660 (721.3 KiB) TX bytes:1178727 (1.1 MiB)

eth0 Link encap:Ethernet HWaddr 68:F7:28:6F:C9:EE
inet addr:147.229.220.110 Bcast:147.229.223.255 Mask:255.255.252.0
inet6 addr: 2001:67c:1220:c1a3:6af7:28ff:fe6f:c9ee/64 Scope:Global
inet6 addr: fe80::6af7:28ff:fe6f:c9ee/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:28308 errors:0 dropped:13 overruns:0 frame:0
TX packets:3795 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4398832 (4.1 MiB) TX bytes:864020 (843.7 KiB)
Interrupt:4

eth1 Link encap:Ethernet HWaddr 30:B5:C2:C0:C5:A4
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:5

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:427 errors:0 dropped:0 overruns:0 frame:0
TX packets:427 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:38347 (37.4 KiB) TX bytes:38347 (37.4 KiB)

wlan0 Link encap:Ethernet HWaddr 30:B5:C2:C0:C5:A4
inet6 addr: fe80::32b5:c2ff:fec0:c5a4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3447 errors:0 dropped:0 overruns:0 frame:0
TX packets:3128 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:795903 (777.2 KiB) TX bytes:1229653 (1.1 MiB)

root@OpenWrt:~# ping6 google.com
PING google.com (2a00:1450:4014:80d::200e): 56 data bytes
64 bytes from 2a00:1450:4014:80d::200e: seq=0 ttl=55 time=12.744 ms
64 bytes from 2a00:1450:4014:80d::200e: seq=1 ttl=55 time=12.661 ms
^C

[john@localhost ~] $ ping6 2001:67c:1220:c1a3:6af7:28ff:fe6f:c9ee
PING 2001:67c:1220:c1a3:6af7:28ff:fe6f:c9ee(2001:67c:1220:c1a3:6af7:28ff:fe6f:c9ee) 56 data bytes
64 bytes from 2001:67c:1220:c1a3:6af7:28ff:fe6f:c9ee: icmp_seq=1 ttl=64 time=2.51 ms

[john@localhost ~] $ ping6 google.com
PING google.com(prg03s06-in-x0e.1e100.net (2a00:1450:4014:80d::200e)) 56 data bytes
^C
--- google.com ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7202ms

Please help.

@stintel

Member

stintel commented Sep 19, 2017

@JohnyGemityg please try LEDE 17.01.2.

@murilopontes

murilopontes commented Sep 19, 2017

@stintel

Member

stintel commented Sep 19, 2017

@murix Then try a snapshot from master, and if it still doesn't work, make sure your ISP router actually supports DHCPv6 relay, by running tcpdump on the wan interface of the LEDE device. The ISP router at my parents' place in Belgium does not support it, it silently ignores the DHCPv6 relay packets.

Instead, I am using just ndp and ra relay:

config dhcp 'lan'
        option interface 'lan'
        option ignore '0'
        option start '100'
        option limit '100'
        option dhcpv6 'disabled'
        option ndp 'relay'
        option ra 'relay'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option dhcpv6 'disabled'
        option ndp 'relay'
        option ra 'relay'
        option master '1'

Not ideal, as this is similar to proxy ARP, which imo is just nasty, but in my case it's the only option.
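The relay layout in the comment above can be checked mechanically. This is an added example, not part of the original comment and not odhcpd's own code. The rule it applies (a service relayed on a downstream section needs a section with `master '1'` that relays the same service) is an assumption drawn from the configs posted in this thread; `parse_dhcp_sections` and `check_relay` are hypothetical helper names.

```python
import shlex

SERVICES = ("ra", "ndp", "dhcpv6")

# Constructed sample: the two sections from the comment above, trimmed.
SAMPLE = """
config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'disabled'
        option ndp 'relay'
        option ra 'relay'

config dhcp 'wan'
        option interface 'wan'
        option dhcpv6 'disabled'
        option ndp 'relay'
        option ra 'relay'
        option master '1'
"""

def parse_dhcp_sections(text):
    """Return {section_name: {option: value}} for every named 'config dhcp' block."""
    sections, current = {}, None
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)  # strips quotes and '#' comments
        if not words:
            continue
        if words[0] == "config":
            # Any other section type (e.g. 'config dnsmasq') is skipped.
            current = None
            if len(words) == 3 and words[1] == "dhcp":
                current = sections.setdefault(words[2], {})
        elif words[0] == "option" and current is not None and len(words) == 3:
            current[words[1]] = words[2]
    return sections

def check_relay(sections):
    """List downstream relay services that no master section relays."""
    # Assumption (from this thread): the master must relay the same service.
    masters = [s for s in sections.values() if s.get("master") == "1"]
    findings = []
    for name, opts in sections.items():
        if opts.get("master") == "1":
            continue
        for svc in SERVICES:
            upstream = any(m.get(svc) == "relay" for m in masters)
            if opts.get(svc) == "relay" and not upstream:
                findings.append(f"{name}: {svc} relayed, but no master section relays {svc}")
    return findings
```

An empty list from `check_relay(parse_dhcp_sections(text))` only means the sections are mutually consistent; it says nothing about whether the upstream router answers relayed packets.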

@murilopontes

murilopontes commented Sep 19, 2017

@stintel I tried a nightly build but still no result. IPv6 for downstream is broken. I can't enable downstream IPv6 like IPv4. I deployed up to nine levels of NAT with IPv4.

@dedeckeh

Contributor

dedeckeh commented Sep 20, 2017

@murix Log an issue in Flyspray (https://bugs.lede-project.org/) if this is not working on a LEDE snapshot.
As a prerequisite to investigating the issue, the following info is required (take https://bugs.lede-project.org/index.php?do=details&task_id=595 as an example):
- the network and dhcp config
- the setup, clearly documenting the devices in use and their IPv6 addresses
- contents of the IPv6 routing table
- odhcpd traces (set odhcpd loglevel to 7)

@JohnyGemityg

JohnyGemityg commented Sep 20, 2017

It works now. It looks like the problem was that the config should not be just in the wan6 section but also in the wan section.

My current config.

config dhcp 'wan'                  
        option interface 'wan'             
        option ignore '1'                        
        option dhcpv6 'disabled'
        option ndp 'relay'                 
        option ra 'relay'                        
        option master '1'       
                                           
config dhcp 'wan6'                               
        option dhcpv6 'disabled'           
        option ra 'relay'                        
        option ndp 'relay'     
        option master '1'  

A small piece of advice: after a router reboot I have to reconnect the lan interface (in LuCI) to get an IPv6 address for the router and then for the PC.

Thank you @stintel for the hint ;)

@ttimasdf

ttimasdf commented Dec 3, 2017

Thanks dude @JohnyGemityg, but setting dhcpv6 to 'disabled' in wan6 will cause the router to have no v6 address. Setting it back to relay makes it perfect.

@MartinNowak

MartinNowak commented Feb 16, 2018

> It works now. It looks like the problem was that the config should not be just in the wan6 section but also in the wan section.

It works for me to use only the wan section. The wan6 section wasn't there by default, but was mentioned in the wiki (https://openwrt.org/docs/user-guide/basic-ipv6-configuration#router_advertisement_dhcpv6 just updated).
No problem with dhcpv6 relay with my upstream router (SpeedPort W921V); I do get IPv6 addresses (SLAAC) without DHCPv6 though.
It seems that DHCPv6 is needed to get a ULA address and a ULA IPv6 address for OpenWrt's DNS server. (not working after reboot)

config dhcp 'wan'                  
        option interface 'wan'             
        option ignore '1'                        
        option dhcpv6 'relay'
        option ndp 'relay'                 
        option ra 'relay'                        
        option master '1'

# no wan6 section

@wangyq

wangyq commented Sep 26, 2018

It works for me only at the time the OpenWrt router reboots, and it always fails at any other time. I do not know why.
My OpenWrt router is a TP-Link TL-WR841N/ND v9, and the OpenWrt version is "OpenWrt 18.06.1 r7258-5eb055306f / LuCI openwrt-18.06 branch (git-18.228.31946-f64b152)".
