IPv6 discussions

andrew_g

Member
Joined
Oct 12, 2007
Messages
153
Reaction score
5
thanks @xiaofan

I kind of 'give up' on the /64 or /56 prefix delegation and worked on configuring my Linux box running Ubuntu.
I tried something, and it works for me and hence I'm documenting it in this thread:

Singnet (Singtel) broadband connectivity using Dual Stack with ONT (note not ONR) in a Linux PC (Ubuntu) using NAT66 (ip6-ip6 network address translation) single IPv6 address (no prefix delegation)

Apparently, based on my own test, the old '6rd' may no longer work, covered in previous comments.
Just that I'm not sure if it is my own mistakes or that 6rd didn't work. But this comment documents my success with the 'new' dual stack approach.

Note that this may after all work on even ONR (without bridge mode), but it is double NAT, i.e. the ONR is one NAT, then this is the 2nd NAT. It'd mainly work for 'outgoing' traffic for double NAT setups (e.g. web browsing).
To get 'direct' on internet, the ONR would need to do bridge mode. i.e. the DHCP address is a real internet ip address from Singtel's DHCP server.

  • use a (fairly) recent distribution kernel version

My setup is on Ubuntu 22 Jammy Jellyfish to connect to Singnet with both IPv4 and IPv6. (Currently, Ubuntu LTS version is 24 and is actually newer than what I'm running, hence the current releases should work.)
https://ubuntu.com/download/server
Note that this depends on NAT66 which requires a recent kernel say later than 6.5. Currently, I'm running on 6.8.

  • Configure the interfaces (e.g. wan) using NetworkManager and ISC dhcp client
https://wiki.archlinux.org/title/NetworkManager
you may need to install network manager if it isn't there, e.g.
apt install network-manager isc-dhcp-client

Setup the ethernet interfaces normally using NetworkManager, one can use the GUI if one prefers.
Chances are that if one installs the distribution, the interfaces may already be preconfigured.
Newer setups e.g. ONR in *bridge* mode may be able to do without the VLAN. If that is the case one can simply use the external facing interface for the Singnet broadband connection (i.e. going to ONR / ONT)

Vlan tagging is required in the 'old' ONT configs.
this is for the *old* VLAN10 interface, add the VLAN10 as a new VLAN interface e.g.
nmcli con add type vlan ifname VLAN10 dev eno1 vlan.id 10
one can use the GUI if preferred, probably easier
This will be the Singnet broadband connection


Among the things to note:
  • IPv4 method should be "auto"
  • IPv6 method should be "auto"
one can try this without any further configs, if one can verify connectivity (on router/box itself) by simply connecting e.g. check the 'obvious' sites e.g. google.com and more 'detailed' test (for IPv6 try https://ipv6test.google.com/, https://test-ipv6.com ). if those work, 'that is it'

(if that 'don't work' try using ISC dhcp client
https://www.isc.org/dhcp/
In network manager according to this guide, you can change it in a config file
https://wiki.archlinux.org/title/NetworkManager#DHCP_client
/etc/NetworkManager/conf.d/dhcp-client.conf
[main]
dhcp=dhclient
I'm myself using this dhclient config which uses the ISC dhcp client.
I've seen NetworkManager work without this, but my own preference is using this ISC dhcp client.
using dhclient writes the leases into /var/lib/dhcp as files, and with NetworkManager in /var/lib/NetworkManager/ instead )

  • sidenote: configure your local Wifi and LAN interfaces
NetworkManager can do AP mode if your Wifi interface supports it, e.g.
https://www.baeldung.com/linux/nmcli-wap-sharing-internet

But I used hostapd, with a setup quite similar to this
https://gist.github.com/ag88/de02933ba65500376d1ff48e504b1bf3
https://w1.fi/hostapd/
hostapd is more raw and more difficult to setup but a benefit is it logs every wifi connection in journalctl logs.

But at the end of the day your Wifi hardware (interface) needs to have AP mode supported in Linux for either of the above to work.
  • 'sharing out connection' NAT
Then to 'share' out the connection, (note the Singnet interface not the wifi or lan one), I think it is simply
  • IPv4 method "shared"
  • IPv6 method "shared"
I think 'shared' by default uses DNSMasq
https://thekelleys.org.uk/dnsmasq/doc.html

And it would NAT (network address translate) the connection using "masquerade" on this wan interface.
The other connection could be e.g. your wifi that is shared out.

This is for 'really simple' setups

my own configs are a lot more 'complicated' because I disliked DNSMasq, though it makes things simple by 'doing everything for you'. Sometimes this may not be what one prefers / wanted.

in my case i used nftables
https://wiki.nftables.org/wiki-nftables/index.php/Main_Page
and I have statements like
nft add rule nat postrouting masquerade
https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)
in separate scripts

  • firewall
do setup a proper firewall especially at the external facing interface (wan) e.g. that singnet (e.g. vlan10) connection that you setup. Accordingly, Ubuntu has UFW
https://help.ubuntu.com/community/UFW

there are *a lot of catches* in setting up the firewall, unfortunately I'm using nftables which has 'much more complicated / verbose' looking scripts / rules and hence I'd prefer not to share them to avoid unnecessarily 'scaring' others away.

among the things, if you want to firewall IPv6 ICMP packets, make sure to allow NDP
https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol
on practically all interfaces
and to allow (IPV6 *only* port 546 dhcpv6-client) on the wan interface, this port is used by the IPv6 DHCP client to connect to the DHCP server to get a new address.
firewall 'errors' can create a lot of 'miseries' , but I'd guess one would need to systematically work that.

I failed quite a few times with the Network Manager setups, dhcp etc and it turns out it is because I blocked too many things like IPv6 NDP ICMP packets, IPv6 ports etc. I practically blocked 'everything' on wan side except port 546 for the dhcp client and the ICMP packets.

even for port 546, I'd recommend restricting to only traffic from fe80::/16, i.e. only link local address, because I think ISP (e.g. Singnet) don't let packets with source from fe80::/16 cross the routers, this prevents anyone in the internet *beyond the immediate Singnet router* from trying to spoof the DHCP server giving you *fake* address provided you take response only from fe80::/16.

  • other stuff
Actually there is more
I run my own radvd (router advertisement) for my wifi network
https://github.com/radvd-project/radvd
and I used local unique address starting with fd00::/16 (invent your own subnets down from fd00::/16) for the internal lan (e.g. wifi) networks.
https://en.wikipedia.org/wiki/Unique_local_address
Then that the NAT as discussed above do that 'masquerade' to bridge these addresses to that 1 single IPv4/v6 address.

I'd not document the 'dirty' details here but the gist is to assign (fd00:: your_subnet) addresses for your local interfaces
and I'd hope DNSMasq
https://thekelleys.org.uk/dnsmasq/doc.html
can help you for the 'simple' (canonical) cases.

there are quite some tricky stuff like I found out i need to set
AdvRouterAddr on; AdvDefaultLifetime 3600;
in the radvd.conf
https://github.com/radvd-project/radvd

without these android phones won't even setup IPv6 addresses properly and say no IPv6.
if you prefer to do it the 'hard' way like I did, i.e. no DNSmasq, more complicated network config e.g. subnets may run into the limits of what DNSMasq offers. For 'simple' 2 interface cases e.g. just wan and wifi, DNSMasq could likely do all that 'hard work'. alternatively, one can consider software bridging the wifi and lan into 1 network and it is likely DNSMasq can handle that as well. DNSMasq is 'hidden' inside NetworkManager when you set the interface to 'shared' mode. If you don't use 'shared' mode, then DNSMasq is inactive, and you need to *setup everything yourself* (e.g. configure NAT, firewall, configure DNS resolver, configure a DHCP server your own for your wifi and LAN, configure router advertisement e.g. using radvd )

for those reading this and trying this out, do document if it is successful (e.g. add a comment in this thread) , issues etc.

there is a benefit of running a full Linux pc/box (server) as a router although it is normally deemed more expensive and probably won't get you the Wifi 7 or even WiFi 6 Wifis. i.e. won't reach those even 3 Gbps speeds offered by the ISP. It actually depends on the hardware you use and if you can find drivers for the WiFi cards or interfaces.

The benefit with using a full Linux box/pc is that it is a server and you can self host various apps on the box (server) itself. this is a 'recent' fad, one can find more about it on internet e.g.
https://www.reddit.com/r/selfhosted/

In terms of 'small' boxes, Intel NUC (or mini PCs) comes up as an option. but it would likely run on 'old' PCs as 'boxes' (server) , one can use used PCs (or mini PCs) and some of them has interesting specs like Intel i7 or Amd Ryzen processors, these PCs (or mini PCs) after all are often *much faster* than 'small' routers where it comes to doing NAT and various other stuff. One can even use a Raspberry Pi if one wants, but that its wifi chip is small hence may have limited range and won't reach those Gbps speeds.
 
Last edited:
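
The WAN-side rules described in the post above (allow NDP, accept DHCPv6 client replies on UDP 546 only from link-local sources, masquerade the local ULA network behind the single WAN address), written out as an added nftables ruleset; it is not the poster's own script. `VLAN10` is the interface name from the post, while `wlan0` and the ULA prefix are constructed placeholders, and the ruleset uses the standard link-local range fe80::/10.

```nftables
#!/usr/sbin/nft -f
# Added example, not the poster's ruleset.
# Assumptions: WAN is the VLAN10 interface from the post; LAN name and
# ULA prefix are constructed placeholders, substitute your own.
define WAN = "VLAN10"
define LAN = "wlan0"
define ULA = fd12:3456:789a:1::/64

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept

        # NDP is matched before any conntrack-based drop so that
        # neighbour/router discovery keeps working on every interface.
        # RFC 4861 requires hop limit 255 for ND messages, so a packet
        # that has crossed a router can never match this rule.
        icmpv6 type { nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept

        ct state established,related accept
        ct state invalid drop

        # ICMPv6 error messages that path MTU discovery and normal
        # error reporting depend on.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Optional: answer pings, rate limited.
        icmpv6 type echo-request limit rate 5/second accept

        # DHCPv6 client: the Solicit goes to a multicast address, so the
        # unicast reply is not "established" for conntrack and needs its
        # own rule. Only link-local sources (fe80::/10) are accepted;
        # link-local packets are not forwarded by routers, so the sender
        # has to be on the WAN link itself.
        iifname $WAN ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept

        # This example trusts the LAN side; tighten as needed.
        iifname $LAN accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Outgoing only: LAN clients may open connections to the WAN,
        # nothing on the WAN may open connections inward.
        iifname $LAN oifname $WAN accept
    }
}

table ip6 nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # NAT66: rewrite ULA sources to the single address obtained
        # by DHCPv6 on the WAN interface.
        oifname $WAN ip6 saddr $ULA masquerade
    }
}
```

The file can be syntax-checked without loading it using `nft -c -f <file>`.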

sgcarousell

Member
Joined
Feb 17, 2017
Messages
444
Reaction score
225
I have tried to read thru this thread but having a hard time with me understand all the terms n methods.
I am on starhub 5GB n using openwrt x86, ipv6 seemed to be working fine as I can access ipv6 only url.
my question is in the openwrt ipv6 device lease, the openwrt did not assign any ipv6 to any devices, and all my device has the 2404: ipv6, this is the SLAAC? Any disadvantage of this current setup?
 

hwzlite

Master Member
Joined
Jan 27, 2007
Messages
3,012
Reaction score
3,111
....
for those reading this and trying this out, do document if it is successful (e.g. add a comment in this thread) , issues etc.

there is a benefit of running a full Linux pc/box (server) as a router although it is normally deemed more expensive and probably won't get you the Wifi 7 or even WiFi 6 Wifis. i.e. won't reach those even 3 Gbps speeds offered by the ISP. It actually depends on the hardware you use and if you can find drivers for the WiFi cards or interfaces.

The benefit with using a full Linux box/pc is that it is a server and you can self host various apps on the box (server) itself. this is a 'recent' fad, one can find more about it on internet e.g.
https://www.reddit.com/r/selfhosted/

In terms of 'small' boxes, Intel NUC (or mini PCs) comes up as an option. but it would likely run on 'old' PCs as 'boxes' (server) , one can use used PCs (or mini PCs) and some of them has interesting specs like Intel i7 or Amd Ryzen processors, these PCs (or mini PCs) after all are often *much faster* than 'small' routers where it comes to doing NAT and various other stuff. One can even use a Raspberry Pi if one wants, but that its wifi chip is small hence may have limited range and won't reach those Gbps speeds.

Hat off to you for trying (manual) stuff against the IPv6 purists (summary) :cool:

Do give a shot at OpenWrt support on NAT66 and IPv6 masquerading too, not to mention their great communities especially for developers, as well vast support of working out-of-the-box drivers.
 

andrew_g

Member
Joined
Oct 12, 2007
Messages
153
Reaction score
5
I have tried to read thru this thread but having a hard time with me understand all the terms n methods.
I am on starhub 5GB n using openwrt x86, ipv6 seemed to be working fine as I can access ipv6 only url.
my question is in the openwrt ipv6 device lease, the openwrt did not assign any ipv6 to any devices, and all my device has the 2404: ipv6, this is the SLAAC? Any disadvantage of this current setup?

normally, if you see a 'valid' IPV6 address like 2404 and not fxxx:: (local addresses ) , most likely you have IPv6.

But the 'real' test normally
I'd go to these sites
https://ipv6test.google.com/
https://test-ipv6.com/index.html.en_US
and I'd recommend doing this as a test as just getting an address won't prove if you have a working IPv6 after all, i.e. the address needs to be routable.

I think these days for 'ONR' types of setups, quite likely Singtel, Starhub, M1 etc would have included IPv6 in their default setup. After all, the ISP (internet service provider) would be more than willing to move all the small subscribers to IPv6, given IPv4 address exhaustion issues.
https://www.apnic.net/manage-ip/ipv4-exhaustion/

it seemed 'full stack' i.e. both IPv4 and IPv6 dhcp is the 'defacto' setup these days. Singtel used to use 6rd like discussed in prior comment, but I'm not sure when it seemed now Singtel has 'reconfigured' things and provided only the 'full stack' setup. And miserly give only 1 ipv6 address, I please check other ISPs as well and report on how miser are they? note that ipv6 has 340,282,366,920,938,463,463,374,607,431,768,211,456 total addresses, giving only 1 address is too much of a miser :)
https://en.wikipedia.org/wiki/IPv6

as for SLAAC, this is the article that I find easier to understand
https://www.networkacademy.io/ccna/ipv6/stateless-address-autoconfiguration-slaac
the idea is simple, the router on your network needs to tell each device/client/host/pc on the LAN what is the
top 64 bit /64 prefix to use.
https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol
each device/client/host/pc generates its own lower 64 bits address, can be simply a random 64 bit integer.
And then it takes that top 64 bits from the router paste it on top of its own address, that is an *internet routable address* , i.e. whole internet not just your local mini LAN or wifi, you can practically host a web site like google.com or amazon.com on it (e.g. even on your iphone, android phone) and it should work, the rest of the world can access.

but due to all that miser ISPs giving you only 1 address, you still needs to do ipv6 to ipv6 address translation these days (called NAT66).

SLAAC is *mandatory* for all Android phones even the 'latest' like Samsung S24, S25 (incl 'Ultra') etc.
and all even slightly older *ALL , EVERY* Android phones are also only SLAAC. I'm not sure about iPhones if they play to the 'miser' i.e. DHCP v6.

SLAAC means that 'by right' ISPs should give 'everyone' a /64 network it is 4 billion times x 4 billion times (not 16 billion, the number is 18,446,744,073,709,551,616 addresses) the size of current internet. for just your 64 bits. In a practical sense, the ISP no longer needs DHCP which the address keep changing and giving you only 1 address. the ISP give you your own galaxy, your own 64 bit galaxy of addresses, static and you can run an entire internet full of hosts /devices if you want to.

SLAAC is an internet standard (for ipv6)
https://datatracker.ietf.org/doc/html/rfc4862
 
Last edited:

andrew_g

Member
Joined
Oct 12, 2007
Messages
153
Reaction score
5
I have tried to read thru this thread but having a hard time with me understand all the terms n methods.
I am on starhub 5GB n using openwrt x86, ipv6 seemed to be working fine as I can access ipv6 only url.
my question is in the openwrt ipv6 device lease, the openwrt did not assign any ipv6 to any devices, and all my device has the 2404: ipv6, this is the SLAAC? Any disadvantage of this current setup?

add to prior comment, in my comment about 'Linux' setup
https://forums.hardwarezone.com.sg/threads/ipv6-discussions.6976522/post-157359715

it is more or less a 'general' setup 'anyone' can use, a 'summary' about that 'Linux' setup is this:

- setup your router to get IPv4 (32 bit) and IPv6 (128 bit) address by DHCP (dhcp and dhcpv6)
currently miser ISPs will give you only 1 ( out of 340,282,366,920,938,463,463,374,607,431,768,211,456 total ipv6 addresses )
- configure NAT66 (ipv6 to ipv6 address translation) to translate your 'internal' network to that *1 single ipv6 (and v4) address
NAT is 'defacto' 'since stone age' of internet, practically *all* ipv4 routers do NAT (v4)
now due to all that miser ISPs, you need to do NAT66
- local address (i.e. your own wifi / lan) normally in ipv4 it is address like 192.168.*.*/16
local address (e.g.your own wifi / lan) ipv6 address use fd00::* /16 (the sub nets/address invent them yourself)
https://en.wikipedia.org/wiki/Unique_local_address
then configure NAT and NAT66 to translate local address to that 1 single IPv6 (and IPv4) address

the *modern* (by right) way should instead that ISP should allow prefix delegation
https://www.isc.org/blogs/dhcpv6-prefix-length-mode/
at least give /64 (64 bits) because of SLAAC, but miser ISPs today don't, they only give you 1 miser ipv6 address. and by right should be long-term-lease, practically static, give 'everyone' their own galaxy.

many (most) ipv6 devices use SLAAC (especially Android) , to help these devices get IPv6 in your Wifi / LAN,
you need to configure your router for *router advertisements*
https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol
https://www.networkacademy.io/ccna/ipv6/neighbor-discovery-protocol

you need to tell the client/devices/host what is the top /64 prefix to use.
the top /64 prefix is your fd00::* /16 (the sub nets/address invent them yourself) local network that you configure for your local networks prior.
That should be translated by your router using NAT66 to that 1 single (miser) ipv6 address given by ISP dhcpv6
 

hwzlite

Master Member
Joined
Jan 27, 2007
Messages
3,012
Reaction score
3,111

andrew_g

Member
Joined
Oct 12, 2007
Messages
153
Reaction score
5
OpenWrt - NAT66 and IPv6 masquerading : "Avoid using NAT66 and better use relay mode if you are provided with a /64 prefix." ( note: relay mode aka Neighbor Discovery Protocol )

IMHO a much cleaner ways, although all using the same public prefix, but firewall rules can still enforce segregation between zones.

Refs:
hi,

for Singtel / Singnet and on the old VLAN10 network, I'd still recommend dhcpv6 and NAT66 for that 1 single ipv6 address.
And to do NAT66, rather than NDP Neighbor Discovery Protocol .
reasons are like such, NDP based addressing is SLAAC
https://datatracker.ietf.org/doc/html/rfc4862
https://www.networkacademy.io/ccna/ipv6/stateless-address-autoconfiguration-slaac
it uses the notion of taking the prefix e.g. /64 from the upstream router and 'paste' it on the interface address, by definition 64 bits.
if we simply only do SLAAC, then everyone's traffic will go to everyone's other network, i.e. you can *sniff* your neighbor's traffic ! Because you receive them all !
(and FYI, this is true for *all mobile networks* in part because android use SLAAC ! very very insecure)
hence, for your 'own security' , do only dhcpv6 get that 1 single ipv6 address (singtel don't give /64, only 1 ( out of 340,282,366,920,938,463,463,374,607,431,768,211,456 total ipv6 addresses ) and do NAT66
using fd00::* /16 (the sub nets/address invent them yourself) for your local networks
https://en.wikipedia.org/wiki/Unique_local_address
and until Singtel / Singnet provide /64 *prefix delegation * (i.e. give you a whole 64 bits network) on DHCP
https://www.isc.org/blogs/dhcpv6-prefix-length-mode/
NAT66 would be the only way out.

if Singtel / Singnet provide /64 *prefix delegation * (i.e. give you a whole 64 bits network) on DHCP,
then in your network do SLAAC (i.e. do router advertisement ) on your lan/wifi with the prefix received from singtel/singnet DHCP.
All your local lan address will sit on the global ipv6 internet, every ip address is real and the whole world (universe) can reach *all* your ip address directly (e.g. you can run your own google.com, amazon.com ) and they can reach you.
this is actually a repeat of my previous comment (2 comments above), read that as that is better written / formatted.

there is a lot of 'secrets', but it is actually just simple technical understanding about NDP Neighbor Discovery Protocol network switching.
'by right' with network switching, only packets deemed for you gets switched to you (based on ethernet mac address), but if you do NDP and simply answer every who is address 'xxyyzz' , then you get all the traffic of *everyone* (do 'bad' things? that's a risk to every one else and to you)
actually, these days things / 'solutions' are more elaborate than that
there are *experimental* stuff like ndppd
https://github.com/DanielAdolfsson/ndppd
which will do like above answer every who is address 'xxyyzz' , but it doesn't abusively do that.
Instead, it forwards that "who is address 'xxyyzz'" to your lan / wifi, if it gets an answer, then it forwards the response e.g. "me" back to the original (public lan)
maybe that is the so called NDP 'relay' mode.
but if your isp (e.g. singtel / singnet) don't do prefix delegation, you are sharing the same prefix with *everyone else*
this is also why *prefix* delegation is *very very important* - for *security* at least
so that 'everyone' get their own /64 prefix (own galaxy)
and your traffic won't mixed up with everyone else.
now, I suspect that is what happens ('everyones' traffic is mixed up'). and especially if you don't do NAT66 with that 1 single ipv6 address.
 
Last edited:

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
29,985
Reaction score
8,141
for Singtel / Singnet and on the old VLAN10 network, I'd still recommend dhcpv6 and NAT66 for that 1 single ipv6 address.

Sorry I believe what you say is not correct. People should be able to get /56 or /64 prefix delegation working. I do not want people to get wrong information.

I am not an IPv6 expert to help you fixing the issue, but I do not believe what you say is correct, since I was able to get /56 working when I was using Singtel ONT.

I understand your desire to use pure Linux. But to troubleshoot the issue, you may want to give OpenWRT (you can use virtual machine if you do not want to use a physical machine) a try. Then you can compare OpenWRT with your own setup to see if there is anything different.

Anyway, Singtel no longer provides ONT based plan and no longer provides ONT based recontract either. So this is a moot point.
 
Last edited:

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
29,985
Reaction score
8,141
I have tried to read thru this thread but having a hard time with me understand all the terms n methods.
I am on starhub 5GB n using openwrt x86, ipv6 seemed to be working fine as I can access ipv6 only url.
my question is in the openwrt ipv6 device lease, the openwrt did not assign any ipv6 to any devices, and all my device has the 2404: ipv6, this is the SLAAC? Any disadvantage of this current setup?

You can try to enable DHCPv6 on the LAN side and also SLAAC. Then you may get two types of public IPv6 addresses for your Windows client. Android clients may only get IPv6 address from SLAAC.

For example, my Windows machine gets the following two IPv6 addresses.
2400:d802:dxx:xx00::xxx --> from DHCPv6.
2400:d802:dxx:xx00:xxxx:xxxx:xxxx:xxxx --> from SLAAC

Nothing special about my OpenWRT IPv6 settings.
Bash:
BusyBox v1.36.1 (2025-06-23 20:40:36 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 24.10.2, r28739-d9340319c6
 -----------------------------------------------------
root@openwrt18:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd27:5332:6682::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.50.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config interface 'tailscale'
        option proto 'none'
        option device 'tailscale0'

config interface 'zerotier'
        option proto 'none'
        option device 'ztyqbuckbd'

root@openwrt18:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        list server '/mask.icloud.com/'
        list server '/mask-h2.icloud.com/'
        list server '/use-application-dns.net/'
        list server '127.0.0.1#5053'
        list server '127.0.0.1#5054'
        list server '127.0.0.1#5055'
        option domain 'myop1ddns.duckdns.org'
        option doh_backup_noresolv '-1'
        option noresolv '1'
        list doh_backup_server '/mask.icloud.com/'
        list doh_backup_server '/mask-h2.icloud.com/'
        list doh_backup_server '/use-application-dns.net/'
        list doh_backup_server '127.0.0.1#5053'
        list doh_backup_server '127.0.0.1#5054'
        list doh_server '127.0.0.1#5053'
        list doh_server '127.0.0.1#5054'
        list doh_server '127.0.0.1#5055'
        option serversfile '/var/run/adblock-fast/dnsmasq.servers'

config dhcp 'lan'
        option interface 'lan'
        option start '50'
        option limit '250'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
 

hwzlite

Master Member
Joined
Jan 27, 2007
Messages
3,012
Reaction score
3,111
Bye Bye SLAAC, Android to support DHCPv6-PD soon before the end of the year... 😇

Android Developers Blog: Simplifying advanced networking with DHCPv6 Prefix Delegation

....we’ve heard feedback from some users and network operators that they desire more control over the IPv6 addresses used by Android devices. Until now, Android only supported SLAAC, which does not allow networks to assign predictable IPv6 addresses, and makes it more difficult to track the mapping between IPv6 addresses and the devices using them. This has limited the availability of IPv6 on Android devices on some networks.
...

The solution: dedicated IPv6 address blocks with DHCPv6 PD

To overcome these drawbacks, we have added support for DHCPv6 Prefix Delegation (PD) as defined in RFC 8415 and RFC 9762. The Android network stack can now request a dedicated prefix from the network, and if it obtains a prefix, it will use it to obtain IPv6 connectivity. In future releases, the device will be able to share the prefix with wearable devices, tethered devices, virtual machines, and stub networks such as Thread, providing all these devices with global IPv6 connectivity. This truly realizes the potential of IPv6 to allow end-to-end, scalable connectivity to an unlimited number of devices and functions, without requiring NAT. And because the prefix is assigned by the network, network operators can use existing DHCPv6 logging infrastructure to track which device is using which prefix (see RFC 9663 for guidance to network operators on deploying DHCPv6 PD).

This allows networks to fully realize the potential of IPv6: devices maintain the flexibility of SLAAC, such as the ability to use a nearly unlimited number of addresses, and the network maintains the manageability and accountability of a traditional DHCPv6 setup. We hope that this will allow more networks to transition to IPv6, providing apps with end-to-end IPv6 connectivity and reducing the need for NAT traversal and keepalives.


What this means for app developers

DHCPv6 PD support is expected to roll out to most devices running Android 11 and above before the end of the year via a Google Play System Update. No action is needed to take advantage of it - it will just transparently provide IPv6 connectivity on networks that support it. We hope this change encourages more networks to adopt IPv6, leading to improved battery life, reliability, and code simplicity in these complex networking scenarios. And if you have a complex networking app, and your app or server doesn’t support IPv6, now might be a good time to leverage it to improve reliability and battery life.
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
29,985
Reaction score
8,141
Just want to provide a bit more details of my current issue with Singtel IPv6 --> only the default /64 IPv6 prefix works but not others.

Example --> "lan" clients works with IPv6 but "lan2" clients can not get Internet access despite getting a proper IPv6 address. Looks like the Singtel Gateway just blocks "lan2" clients. BTW, DNS64 works.



Example problem for "lan2" clients, no matter using SLAAC only or DHCP64/SLAAC.
Bash:
root@debian12ct21:~# nslookup ipv6.google.com
Server:         2400:d802:xxx:8380::1
Address:        2400:d802:xxx:8380::1#53

Non-authoritative answer:
ipv6.google.com canonical name = ipv6.l.google.com.
Name:   ipv6.l.google.com
Address: 2404:6800:4003:c11::8b
Name:   ipv6.l.google.com
Address: 2404:6800:4003:c11::71
Name:   ipv6.l.google.com
Address: 2404:6800:4003:c11::8a
Name:   ipv6.l.google.com
Address: 2404:6800:4003:c11::64

root@debian12ct21:~# ping -c 4 ipv6.google.com
PING ipv6.google.com(se-in-f139.1e100.net (2404:6800:4003:c11::8b)) 56 data bytes

--- ipv6.google.com ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3069ms
 

hwzlite

Master Member
Joined
Jan 27, 2007
Messages
3,012
Reaction score
3,111
Just want to provide a bit more details of my current issue with Singtel IPv6 --> only the default /64 IPv6 prefix works but not others.

Example --> "lan" clients works with IPv6 but "lan2" clients can not get Internet access despite getting a proper IPv6 address. Looks like the Singtel Gateway just blocks "lan2" clients. BTW, DNS64 works.




Hmmm... can try tips below from OpenWRT: IPv6 troubleshooting on use relay mode as well?
In the case that you can only get a /64 from your ISP, but still want to subnetwork, then you can instead:
  • Disable “Delegate IPv6 prefixes” (because you would only be able to delegate a prefix to one subnetwork)
  • Disable “IPv6 assignment length” on all interfaces
  • Change “RA-Service” and “DHCPv6-Service” to relay mode so that IP addresses are requested directly from the ISP instead of from local DHCPv6 server (OpenWrt keeps track of the two VLANs but they will have addresses from the same CIDR block)
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
29,985
Reaction score
8,141
Hmmm... can try tips below from OpenWRT: IPv6 troubleshooting on use relay mode as well?

I do not see the point as relay mode is not the right solution to me. In my case, prefix delegation seems to work fine for lan2 but the gateway is not working.

Need to wait for other Singtel IPv6 users to confirm whether they can get /56 prefix delegation working or not. Take note that I got /56 prefix delegation really working when I was using Singtel ONT.

I have done the troubleshooting with the help of bert64 last time using tcpdump. The conclusion seems to indicate that Singtel side blocks it. But it could be that I need to manually assign the gateway.

BTW, I have used relay mode and it works fine for some use cases. In fact, I believe it is the same as IPv6 passthrough I am using now for the sub-router (eg: TP-Link Archer BE805 and Xiaomi BE5100 in router mode, Double NAT behind the main OpenWRT router). With IPv6 passthrough, clients behind the sub-routers get proper IPv6 address and can access the internet.
 
Last edited:

hwzlite

Master Member
Joined
Jan 27, 2007
Messages
3,012
Reaction score
3,111
Need to wait for other Singtel IPv6 users to confirm whether they can get /56 prefix delegation working or not. Take note that I got /56 prefix delegation really working when I was using Singtel ONT.

Ahh /56 :love:

Polly you can post your OpenWRT configs here, so others may help chip in and try nailing it as well:

# cat /etc/config/network
# cat /etc/config/dhcp
# cat /etc/config/firewall
# ifstatus wan6
 

hwzlite

Master Member
Joined
Jan 27, 2007
Messages
3,012
Reaction score
3,111
Ahh /56 :love:

Polly you can post your OpenWRT configs here, so others may help chip in and try nailing it as well:

# cat /etc/config/network
# cat /etc/config/dhcp
# cat /etc/config/firewall
# ifstatus wan6


@xiaofan
After digesting all your previous posts on Singtel IPv6 predicament...
If its ONR acts shitty similarly, can give a shot adopting this OpenWRT|ISP Configurations|AT&T Fiber :
...In order to achieve the goal of requesting the additional /64 subnets from the PD, a separate /64 PD request must be sent to the AT&T gateway device, with a unique MAC address, for each /64 you wish to obtain. To meet this objective with odhcp6c, you need to create additional devices and interfaces stemming from the OpenWrt WAN interface. This requires kmod-macvlan...


Good luck 🤞
 
Last edited:

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
29,985
Reaction score
8,141
@xiaofan
After digesting all your previous posts on Singtel IPv6 predicament...
If its ONR acts shitty similarly, can give a shot adopting this OpenWRT|ISP Configurations|AT&T Fiber :

Sorry but I do not think this is the way to go even if it is quite interesting.

As mentioned, no issues with /56 DHCPv6-PD, rather the problem is that the gateway for "lan2" does not work. Just to prove that it is /56, I assign 8300::/64 to "lan" and 83ff::/64 to "lan2". So you can see that there are 256 /64 prefixes, which is /56.

I can also assign 8300::/60 to "lan" and 83f0::/60 to "lan2". In this case, there are 16 /60 prefixes, which is again /56.

Devices connected to "lan" work with Internet access using IPv6.
Devices connected to "lan2" do not work with Internet access using IPv6.

If I assign 8301::/64 to "lan", then devices connected to "lan" will also lose internet access using IPv6.

Basically in the end only 8300::/64 works (single /64) for Internet access using IPv6.

Anyway, I do not want to spend time on troubleshooting the issue now. I want to wait for more reports from other SingTel ONR users before confirming whether it is a Singtel IPv6 configuration issue or not. It could still be my OpenWRT configuration issue.

 
Last edited:

hwzlite

Master Member
Joined
Jan 27, 2007
Messages
3,012
Reaction score
3,111
Sorry but I do not think this is the way to go even if it is quite interesting.
...
Anyway, I do not want to spend time on troubleshooting the issue now. I want to wait for more reports from other SingTel ONR users before confirming whether it is a Singtel IPv6 configuration issue or not. It could still be my OpenWRT configuration issue.

Well.... no pain no gain.
ISPs (with no blocking/restriction?) hate this little macvlan trick which is even reported working for /64 PD ;)
 
Last edited:

bert64

Senior Member
Joined
Jan 20, 2020
Messages
1,022
Reaction score
532
I do not see the point as relay mode is not the right solution to me. In my case, prefix delegation seems to work fine for lan2 but the gateway is not working.

Need to wait for other Singtel IPv6 users to confirm whether they can get /56 prefix delegation working or not. Take note that I got /56 prefix delegation really working when I was using Singtel ONT.

I have done the troubleshooting with the help of bert64 last time using tcpdump. The conclusion seems to indicate that Singtel side blocks it. But it could be that I need to manually assign the gateway.

BTW, I have used relay mode and it works fine for some use cases. In fact, I believe it is the same as IPv6 passthrough I am using now for the sub-router (eg: TP-Link Archer BE805 and Xiaomi BE5100 in router mode, Double NAT behind the main OpenWRT router). With IPv6 passthrough, clients behind the sub-routers get proper IPv6 address and can access the internet.
The ONT should not make any difference as it is a layer 2 device.

Simplest thing to do is to run a tcpdump on the WAN interface of your router, and then ping (or generate some other traffic to) the other /64 blocks from somewhere external. If nothing shows up then the traffic isn't being routed to you and it's an upstream problem (especially if you see something like destination unreachable in an externally originated traceroute).
If traffic shows up, then try sending something in the opposite direction and make sure it gets sent out the WAN interface of your router, and arrives at the external destination. First try a ping from the router itself with the source address set to something in one of the /64 blocks, then try sending traffic from an actual client in those networks.

Your problem does sound like an upstream issue, like the dhcpv6 server is delegating /56 but is only inserting a /64 route.
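
The decision procedure described in the post above, as an added example that is not part of any post in this thread: it reads WAN-side capture text and reports, per /64, whether an externally originated ping arrived and whether a reply left. The prefix 2001:db8:0:8300::/56 is a constructed documentation-range stand-in for the delegated prefix (with "lan" on 8300 and "lan2" on 83ff as in the thread), and the capture lines are constructed in the style of `tcpdump -n` ICMPv6 output.

```python
import ipaddress
import re

# Constructed values: a documentation-range /56 standing in for the delegated
# prefix, with the two /64s the thread calls "lan" (8300) and "lan2" (83ff).
DELEGATED = ipaddress.ip_network("2001:db8:0:8300::/56")
SUBNETS = {
    "lan": ipaddress.ip_network("2001:db8:0:8300::/64"),
    "lan2": ipaddress.ip_network("2001:db8:0:83ff::/64"),
}

# Constructed capture text, shaped like `tcpdump -n -i <wan> icmp6` output.
CAPTURE = """\
12:00:01.000001 IP6 2001:db8:ffff::1 > 2001:db8:0:8300::10: ICMP6, echo request, id 7, seq 1, length 64
12:00:01.000450 IP6 2001:db8:0:8300::10 > 2001:db8:ffff::1: ICMP6, echo reply, id 7, seq 1, length 64
12:00:05.000001 IP6 fe80::1 > ff02::1: ICMP6, router advertisement, length 64
"""

LINE = re.compile(r"IP6 (\S+) > (\S+): ICMP6, echo (request|reply)")

def classify(capture, subnets, delegated=DELEGATED):
    """Return {name: verdict} for each subnet, from WAN-side capture text."""
    seen = {name: {"in": 0, "out": 0} for name in subnets}
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an echo request/reply (e.g. router advertisement)
        src, dst = (ipaddress.ip_address(a) for a in m.group(1, 2))
        for name, net in subnets.items():
            if m.group(3) == "request" and dst in net:
                seen[name]["in"] += 1   # external ping arrived on WAN
            elif m.group(3) == "reply" and src in net:
                seen[name]["out"] += 1  # reply left via WAN
    verdicts = {}
    for name, net in subnets.items():
        if not net.subnet_of(delegated):
            verdicts[name] = "not inside the delegated prefix"
        elif seen[name]["in"] == 0:
            verdicts[name] = "nothing arrived on WAN: upstream is not routing this /64"
        elif seen[name]["out"] == 0:
            verdicts[name] = "arrived but no reply left WAN: check the local router"
        else:
            verdicts[name] = "both directions seen on WAN"
    return verdicts

if __name__ == "__main__":
    for name, verdict in classify(CAPTURE, SUBNETS).items():
        print(f"{name}: {verdict}")
```

The verdict for a /64 is only meaningful if that /64 was actually pinged from outside while the capture was running.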
 