IPv6 discussions

[xiaofan]

Yeah, there's no more active 6rd configuration on the ONR.

I think it's what @bert64 said -- probably the infrastructure hasn't been upgraded. Packet capture on the WAN interface shows only outgoing solicit messages but no response.

I do have another M1 fibre line where the same OPNsense instance gets v6 just fine.

Indeed that may be a reason. That being said, your case is still a bit strange --> as Singtel has already enabled native IPv6 on your ONR and it works when it is not bridged. So the infrastructure is supposed to be ready in your place.

Anyway, the whole ONR is kind of troublesome situation. I was kind of used to living with the unbridged Singtel ONR and Double NAT situation after getting native IPv6 to work. But in the end I still tried to bridge the ONR from time to time and hoped one day it would work. Luckily it is working for me now.

I do not have so many troubles last time when I was using Singtel ONT. So I would still suggest Power Users to avoid Singtel because of the use of ONR.

 

[xiaofan]

You should run a packet capture (eg tcpdump -i IFACE -n ip6) to see if there's any router advertisements being sent out, or see if you get any responses when you ping6 the multicast address (ff02::1%IFACE). On a network where native v6 is enabled you should get a ping response from the router, and you should also see periodic router advertisement packets being sent out, on a legacy network you'll see nothing.

1. Nice tip about using ping6 the multicast address (ff02::1%IFACE). Just wondering the meaning of (DUP!) -- they probably come from Singtel side.

eth1 is the WAN interface for my virtual OpenWRT main router.

root@OpenWrt:~# ping -c 2 ff02::1%eth1
PING ff02::1%eth1 (ff02::1%3): 56 data bytes
64 bytes from fe80::be24:11ff:fe0c:e10d: seq=0 ttl=64 time=0.079 ms
64 bytes from fe80::aab8:e0ff:fe04:1e02: seq=0 ttl=64 time=0.160 ms (DUP!)
64 bytes from fe80::1: seq=0 ttl=64 time=0.691 ms (DUP!)
64 bytes from fe80::200:5eff:fe00:145: seq=0 ttl=64 time=5.073 ms (DUP!)
64 bytes from fe80::be24:11ff:fe0c:e10d: seq=1 ttl=64 time=0.069 ms

--- ff02::1%eth1 ping statistics ---
2 packets transmitted, 2 packets received, 3 duplicates, 0% packet loss
round-trip min/avg/max = 0.069/1.214/5.073 ms

2. I am actually learning a bit of tcpdump recently.
Reference: https://hauweele.net/~gawen/blog/?p=1053

It seems to me RA messages are not happening very often.

root@OpenWrt:~# tcpdump -vvvv -ttt -n -i eth1 icmp6 and 'ip6[40] = 134'
tcpdump: listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
 00:00:00.000000 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::200:5eff:fe00:145 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 24
        hop limit 0, Flags [managed, other stateful], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
          source link-address option (1), length 8 (1): 00:00:5e:00:01:45
            0x0000:  0000 5e00 0145
^C
1 packet captured
1 packet received by filter
0 packets dropped by kernel

3. Interestingly I cannot find any DHCPv6 messages at all but there are lots of ICMPv6 messages.
Reference: https://slmeng.medium.com/how-to-sniffer-dhcpv6-with-tcpdump-1cb3526bca9c

root@OpenWrt:~# tcpdump -vvvv -ttt -n -i eth1 '(udp port 546 or 547) or icmp6'
tcpdump: listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
 00:00:00.000000 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::200:5eff:fe00:145 > ff02::1:ff0c:e10d: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::be24:11ff:fe0c:e10d
          source link-address option (1), length 8 (1): 00:00:5e:00:01:45
            0x0000:  0000 5e00 0145
 00:00:00.000036 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::be24:11ff:fe0c:e10d > fe80::200:5eff:fe00:145: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is fe80::be24:11ff:fe0c:e10d, Flags [router, solicited, override]
          destination link-address option (2), length 8 (1): bc:24:11:0c:e1:0d
            0x0000:  bc24 110c e10d
 00:00:08.481565 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::be24:11ff:fe0c:e10d > fe80::200:5eff:fe00:145: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::200:5eff:fe00:145
          source link-address option (1), length 8 (1): bc:24:11:0c:e1:0d
            0x0000:  bc24 110c e10d
 00:00:00.001114 IP6 (class 0xc0, hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::200:5eff:fe00:145 > fe80::be24:11ff:fe0c:e10d: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is fe80::200:5eff:fe00:145, Flags [router, solicited, override]
          destination link-address option (2), length 8 (1): 00:00:5e:00:01:45
            0x0000:  0000 5e00 0145
 00:00:41.221367 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::200:5eff:fe00:145 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 24
        hop limit 0, Flags [managed, other stateful], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
          source link-address option (1), length 8 (1): 00:00:5e:00:01:45
            0x0000:  0000 5e00 0145
...
 00:00:19.069227 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::be24:11ff:fe0c:e10d > fe80::200:5eff:fe00:145: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::200:5eff:fe00:145
          source link-address option (1), length 8 (1): bc:24:11:0c:e1:0d
            0x0000:  bc24 110c e10d
 00:00:00.001449 IP6 (class 0xc0, hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::200:5eff:fe00:145 > fe80::be24:11ff:fe0c:e10d: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is fe80::200:5eff:fe00:145, Flags [router, solicited, override]
          destination link-address option (2), length 8 (1): 00:00:5e:00:01:45
            0x0000:  0000 5e00 0145
 00:00:40.671102 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::200:5eff:fe00:145 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 24
        hop limit 0, Flags [managed, other stateful], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
          source link-address option (1), length 8 (1): 00:00:5e:00:01:45
            0x0000:  0000 5e00 0145
...
^C
132 packets captured
132 packets received by filter
0 packets dropped by kernel

 

[bert64]

1. Nice tip about using ping6 the multicast address (ff02::1%IFACE). Just wondering the meaning of (DUP!) -- they probably come from Singtel side.

eth1 is the WAN interface for my virtual OpenWRT main router.

root@OpenWrt:~# ping -c 2 ff02::1%eth1
PING ff02::1%eth1 (ff02::1%3): 56 data bytes
64 bytes from fe80::be24:11ff:fe0c:e10d: seq=0 ttl=64 time=0.079 ms
64 bytes from fe80::aab8:e0ff:fe04:1e02: seq=0 ttl=64 time=0.160 ms (DUP!)
64 bytes from fe80::1: seq=0 ttl=64 time=0.691 ms (DUP!)
64 bytes from fe80::200:5eff:fe00:145: seq=0 ttl=64 time=5.073 ms (DUP!)
64 bytes from fe80::be24:11ff:fe0c:e10d: seq=1 ttl=64 time=0.069 ms

--- ff02::1%eth1 ping statistics ---
2 packets transmitted, 2 packets received, 3 duplicates, 0% packet loss
round-trip min/avg/max = 0.069/1.214/5.073 ms

2. I am actually learning a bit of tcpdump recently.
Reference: https://hauweele.net/~gawen/blog/?p=1053

It seems to me RA messages are not happening very often.

root@OpenWrt:~# tcpdump -vvvv -ttt -n -i eth1 icmp6 and 'ip6[40] = 134'
tcpdump: listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
 00:00:00.000000 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::200:5eff:fe00:145 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 24
        hop limit 0, Flags [managed, other stateful], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
          source link-address option (1), length 8 (1): 00:00:5e:00:01:45
            0x0000:  0000 5e00 0145
^C
1 packet captured
1 packet received by filter
0 packets dropped by kernel

3. Interestingly I cannot find any DHCPv6 messages at all but there are lots of ICMPv6 messages.
Reference: https://slmeng.medium.com/how-to-sniffer-dhcpv6-with-tcpdump-1cb3526bca9c

root@OpenWrt:~# tcpdump -vvvv -ttt -n -i eth1 '(udp port 546 or 547) or icmp6'
tcpdump: listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
 00:00:00.000000 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::200:5eff:fe00:145 > ff02::1:ff0c:e10d: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::be24:11ff:fe0c:e10d
          source link-address option (1), length 8 (1): 00:00:5e:00:01:45
            0x0000:  0000 5e00 0145
 00:00:00.000036 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::be24:11ff:fe0c:e10d > fe80::200:5eff:fe00:145: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is fe80::be24:11ff:fe0c:e10d, Flags [router, solicited, override]
          destination link-address option (2), length 8 (1): bc:24:11:0c:e1:0d
            0x0000:  bc24 110c e10d
 00:00:08.481565 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::be24:11ff:fe0c:e10d > fe80::200:5eff:fe00:145: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::200:5eff:fe00:145
          source link-address option (1), length 8 (1): bc:24:11:0c:e1:0d
            0x0000:  bc24 110c e10d
 00:00:00.001114 IP6 (class 0xc0, hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::200:5eff:fe00:145 > fe80::be24:11ff:fe0c:e10d: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is fe80::200:5eff:fe00:145, Flags [router, solicited, override]
          destination link-address option (2), length 8 (1): 00:00:5e:00:01:45
            0x0000:  0000 5e00 0145
 00:00:41.221367 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::200:5eff:fe00:145 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 24
        hop limit 0, Flags [managed, other stateful], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
          source link-address option (1), length 8 (1): 00:00:5e:00:01:45
            0x0000:  0000 5e00 0145
...
 00:00:19.069227 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::be24:11ff:fe0c:e10d > fe80::200:5eff:fe00:145: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::200:5eff:fe00:145
          source link-address option (1), length 8 (1): bc:24:11:0c:e1:0d
            0x0000:  bc24 110c e10d
 00:00:00.001449 IP6 (class 0xc0, hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::200:5eff:fe00:145 > fe80::be24:11ff:fe0c:e10d: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is fe80::200:5eff:fe00:145, Flags [router, solicited, override]
          destination link-address option (2), length 8 (1): 00:00:5e:00:01:45
            0x0000:  0000 5e00 0145
 00:00:40.671102 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::200:5eff:fe00:145 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 24
        hop limit 0, Flags [managed, other stateful], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
          source link-address option (1), length 8 (1): 00:00:5e:00:01:45
            0x0000:  0000 5e00 0145
...
^C
132 packets captured
132 packets received by filter
0 packets dropped by kernel

DUP means duplicate, ie you sent one ping request and received multiple replies. This is normal when sending to a multicast or broadcast address. It's likely you will get a response from yourself, and singtel will probably have at least 2 routers configured as a failover pair.
You might also see a response from your hypervisor if this is a virtual openwrt - some hypervisors (eg proxmox) will have an ipv6 link-local address by default on each bridge interface - something to be aware of.

There are other multicast addresses like ff02::2 (all routers) to which only routers should reply, and ff02::1:2 which is "all dhcpv6 servers on the local segment". It's quite possible that the router and DHCPv6 servers are different devices. There is also ff05::1:3 which is "all dhcpv6 servers on the local site", which allows for DHCPv6 servers to be centralised and not have to reside in the local VLAN, but this is rarely used.

RA messages are only supposed to happen every few minutes to keep your route from timing out, or if there's a topology change on the network. When first booting or bringing an interface up your machine will send out a router solicitation request, which should trigger an immediate RA response from the router.

The ICMPv6 you're seeing is neighbor advertisement and neighbor solicitation, the equivalent of legacy ARP response and ARP request.

You won't see DHCPv6 very often because of the way it works...
DHCPv6 is an optional protocol (used for PD mostly), it is not the primary method of IPv6 auto configuration. If you look at the RA what you're seeing is "Flags [managed, other stateful]" - this "other" flag tells it to use another protocol (ie DHCPv6 instead of RA) to assign an address.

Upon seeing this flag, your router will send a DHCPv6 request to ff02::1:2. You won't see the requests from other customers because this is multicast rather than broadcast, and your port won't be subscribed to the DHCPv6 multicast group (if they have configured things very badly you might be able to subscribe to this group, which would be a major security screwup).

TL;DR: you are only going to see your own DHCPv6 request, which will only renew according to the TTL of your lease.

 

[bert64]

Indeed that may be a reason. That being said, your case is still a bit strange --> as Singtel has already enabled native IPv6 on your ONR and it works when it is not bridged. So the infrastructure is supposed to be ready in your place.

Anyway, the whole ONR is kind of troublesome situation. I was kind of used to living with the unbridged Singtel ONR and Double NAT situation after getting native IPv6 to work. But in the end I still tried to bridge the ONR from time to time and hoped one day it would work. Luckily it is working for me now.

I do not have so many troubles last time when I was using Singtel ONT. So I would still suggest Power Users to avoid Singtel because of the use of ONR.

He said later in his post that they configured 6rd on the ONR rather than native, which strongly suggests there's no native v6 on his node.

 

[xiaofan]

He said later in his post that they configured 6rd on the ONR rather than native, which strongly suggests there's no native v6 on his node.

He is probably the first one who have got native IPv6 working on the ZTE F8648P ONR as mentioned in this thread. In fact, I quoted his message when I talked to Singtel.

Basically Singtel has to pushed some settings to the Singtel ONR to enable native IPv6 (but not exposed to the Web UI so you can not do it by yourself) and resetting the ONR will make you lose native IPv6.

Now he can only get one thing --> unbridged ONR: native IPv6 is working. or bridged ONR but then native IPv6 does not work.

Not so sure about the latest development though --> it could be that Singtel pushed something wrong again. But 6rd setting is available in the Web UI so you can change it by yourself.

Fast forward, after a whole bunch of calls and 2 field engineer visits later, today SingTel finally enabled native IPv6 for my account.

However, it was quite short lived - while I was trying to enable port forwarding/DMZ, I forgot my password and had to reset the router. Upon reset, native IPv6 was gone.

This was quite interesting, because it suggests that it isn't just something at the account level, but something to do with the configuration on the F8648P itself. It might be some kind of configuration push to the ONR?

I'm not sure, will contact SingTel again and see how this goes.

That said, now that M1 has 2.5 Gbps, kind of regret signing up. M1 was much more hassle free in both having bridge mode + native IPv6.

I'm currently leaving it unbridged. However, I did try to bridge with OPNsense, no luck getting an address via DHCPv6 either (after the first time successfully getting it). So reverted to unbridged.

Am starting to think it could be some DHCPv6 params (DUID?) that SingTel is specifically looking for. In your previous configuration that worked, did you manage to figure anything special about the way they were sending DHCPv6 IA_PD/IA_NA messages?

 

[bert64]

He is probably the first one who have got native IPv6 working on the ZTE F8648P ONR as mentioned in this thread. In fact, I quoted his message when I talked to Singtel.

Basically Singtel has to pushed some settings to the Singtel ONR to enable native IPv6 (but not exposed to the Web UI so you can not do it by yourself) and resetting the ONR will make you lose native IPv6.

Now he can only get one thing --> unbridged ONR: native IPv6 is working. or bridged ONR but then native IPv6 does not work.

Not so sure about the latest development though --> it could be that Singtel pushed something wrong again. But 6rd setting is available in the Web UI so you can change it by yourself.

See post #235:

But recently, I discovered that they configured the ONR to use 6rd rather than native v6, leading to poor performance.

My take is that he asked for native, but they configured 6rd and he only noticed sometime later due to the poor throughput.

 

[ShrmnK]

Hi, recently moved to a pfsense box as my router but having trouble getting IPv6 addresses on the LAN interface.
I've gotten an IPv6 address on my VQ 3gbps (no static IP) on my WAN interface using DHCP6, and oddly enough, IPv6 is working fine (test-ipv6 passes 10/10) when I use tailscale with the pfsense box as the exit node. Connecting to the LAN interface however, I am not receiving any v6 address.

LAN Interface's IPv6 Configuration Type=Track Interface; IPv6 Interface set to WAN
DHCPv6 Server enabled.
I have tried all 3 available Router Advertisement Router Modes: Managed, Assisted and Stateless DHCP but none gives any of my clients on windows/android/iphone/macbook a v6 address.

Anyone has a working ipv6 pfsense config for VQ?

 

[xiaofan]

Hi, recently moved to a pfsense box as my router but having trouble getting IPv6 addresses on the LAN interface.
I've gotten an IPv6 address on my VQ 3gbps (no static IP) on my WAN interface using DHCP6, and oddly enough, IPv6 is working fine (test-ipv6 passes 10/10) when I use tailscale with the pfsense box as the exit node. Connecting to the LAN interface however, I am not receiving any v6 address.

LAN Interface's IPv6 Configuration Type=Track Interface; IPv6 Interface set to WAN
DHCPv6 Server enabled.
I have tried all 3 available Router Advertisement Router Modes: Managed, Assisted and Stateless DHCP but none gives any of my clients on windows/android/iphone/macbook a v6 address.

Anyone has a working ipv6 pfsense config for VQ?

Looks like you only get single /128 IPv6 address from VQ and no /64 prefix delegation to be used on the LAN side, matching the description from Mach3.2 in the first page.

One potential solution is using NAT66 but it is not officially supported by pfSense.

 

[bert64]

Hi, recently moved to a pfsense box as my router but having trouble getting IPv6 addresses on the LAN interface.
I've gotten an IPv6 address on my VQ 3gbps (no static IP) on my WAN interface using DHCP6, and oddly enough, IPv6 is working fine (test-ipv6 passes 10/10) when I use tailscale with the pfsense box as the exit node. Connecting to the LAN interface however, I am not receiving any v6 address.

LAN Interface's IPv6 Configuration Type=Track Interface; IPv6 Interface set to WAN
DHCPv6 Server enabled.
I have tried all 3 available Router Advertisement Router Modes: Managed, Assisted and Stateless DHCP but none gives any of my clients on windows/android/iphone/macbook a v6 address.

Anyone has a working ipv6 pfsense config for VQ?

Have you reviewed the DHCPv6 client logs? You should receive both an address (IA_NA) and a prefix delegation (IA_PD).
You can try turning on "Send IPv6 prefix hint" and changing the delegation size between 48 and 64.
You might find from the logs that they delegate you a prefix of one size, but your firewall is expecting a different size so the mismatch causes it to break.

If they delegate you a prefix longer than /64, then you will also need to set the prefix id when you configure your LAN interface. For instance if you get a /56 then you can use prefix IDs between 0 and 255.

DHCPv6 is not the primary way for you to configure your LAN, don't worry about this for now. Ensure first that it's actually able to assign itself an address to LAN (you will see it in the main dashboard), then worry about configure client devices.

SLAAC (router advertisements) is the standard way for clients to configure themselves, and Android *ONLY* supports SLAAC. Windows and Mac/IOS support DHCPv6 as an optional extension to SLAAC. Set LAN to "unmanaged" (no DHCPv6 only SLAAC) or "assisted" (optional DHCPv6). Setting it to managed (dhcpv6 required) will break android and some other devices.

 

[xiaofan]

Have you reviewed the DHCPv6 client logs? You should receive both an address (IA_NA) and a prefix delegation (IA_PD).

As per what @Mach3.2 mentioned in the first page, VQ only assigns an IPv6 address with IA_NA but no IA_PD, for users without static IPv4 add-on. For users with static IPv4 add-on, no IPv6 at all.

@Mach3.2 --> maybe you want to chime in to see if that changes or not. Thanks.

 

[bert64]

As per what @Mach3.2 mentioned in the first page, VQ only assigns an IPv6 address with IA_NA but no IA_PD, for users without static IPv4 add-on. For users with static IPv4 add-on, no IPv6 at all.

@Mach3.2 --> maybe you want to chime in to see if that changes or not. Thanks.

He also mentioned that the assigned /128 did not route, but ShrmnK says it was working. Perhaps there have been some changes since?

It would be very weird to assign just a /128, or to assign a non working /128. This sounds like something that's being tested. The only other alternative would be that it's intended for router management although that doesn't seem likely given their scale.

Comcast in the US deploys IPv6 for router management and monitoring (in addition to fully routed v6 for customer use) because of the shear number of users they have (over 32 million active subscribers based on 2023 reports). Prior to that they had multiple fragmented RFC1918 blocks which was a big headache to manage.

 

[xiaofan]

@Mach3.2

Just wondering if you can try again on the VQ side to see if anything changes or not. Thanks.

 

[xiaofan]

Some debugging done on the Singtel issued ZTE F8648P ONR why the LAN clients do not work for the unbridged port, no matter using IPv4 and IPv6.

You can see from the below ZTE F8648P ONR diagnosis utility. Basically WAN side has no issues with accessing the internet (but not useful since we cannot ssh into the ZTE F8648P ONR). But LAN side (unbridged ports) does not work with Internet access. As per the reports here, you can still use unbridged ports with Singtel TV Box. And Singtel Digital Voice will still work.

In this case, I have Singtel native IPv6 enabled (requested through Singtel and enabled in Singtel Backend), so the diagnosis shows IPv6.

No ideas why it is like this though --> probably a limitation imposed by Singtel for ZTE F8648P ONR.

Take note DHCP server and DNS server for LAN clients are still working for both IPv4 and IPv6. It seems to me that Internet IPv4/IPv6 gateways are disabled.

(Note: no issues with digital voice since there are two phone ports but I have only one phone number).

 

[xiaofan]

On the Singtel ZTE F8648P XGS-ONR bridged port (10G LAN port -- LAN5), I am using a mini PC (Miniroute R1 with dual SFP+ ports) running OpenWRT as a virtual machine on top of Proxmox PVE 8.2.

Singtel native IPv6 is working but DHCPv6-PD sub-delegation to the LAN clients do not seem to work, which makes /56 IPv6 prefix delegation kind of useless..

For the RA flags, I have treid to use "M", "O", both "M" and "O", or none and they have similar results.

root@OpenWrt:/etc/config# cat network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd5b:fdb2:a17d::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.18.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list ip6class 'wan6'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix '56'
        option norelease '1'
        list ip6class 'wan6'

root@OpenWrt:/etc/config# cat dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        list server '/mask.icloud.com/'
        list server '/mask-h2.icloud.com/'
        list server '/use-application-dns.net/'
        list server '127.0.0.1#5053'
        list server '127.0.0.1#5054'
        option doh_backup_noresolv '-1'
        option noresolv '1'
        list doh_backup_server '/mask.icloud.com/'
        list doh_backup_server '/mask-h2.icloud.com/'
        list doh_backup_server '/use-application-dns.net/'
        list doh_backup_server '127.0.0.1#5053'
        list doh_backup_server '127.0.0.1#5054'
        list doh_server '127.0.0.1#5053'
        list doh_server '127.0.0.1#5054'
        option serversfile '/var/run/adblock-fast/dnsmasq.servers'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ndp 'relay'
        option ra 'server'
        option dhcpv6 'server'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'wan6'
        option interface 'wan6'
        option ignore '1'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'

 

[xiaofan]

On the Singtel ZTE F8648P XGS-ONR bridged port (10G LAN port -- LAN5), I am using a mini PC (Miniroute R1 with dual SFP+ ports) running OpenWRT as a virtual machine on top of Proxmox PVE 8.2.

Singtel native IPv6 is working but DHCPv6-PD sub-delegation to the LAN clients do not seem to work.

For the RA flags, I have treid to use "M", "O", both "M" and "O", or none and they have similar results.

ZTE ONR bridged port --> OpenWRT virtual router --> Xiaomi BE5000 in AP mode --> Acer Laptop.

OpenWRT virtual rotuer --> Singtel native IPv6 is working, /56 IPv6 prefix delegation. Then I assigned /60 IPv6 prefix to the LAN side.

Acer Laptop gets two IPv6 addresses, one with DHCPv6, the other with SLAAC. Interestingly, ipv6 test site only shows the IPv6 address using SLAAC.

 

[xiaofan]

However, LAN clients of another OpenWRT virtual router (sub-router, double NAT with IPv4, DHCPv6-PD on the WAN side) does not work with IPv6, even though LAN clients seem to get two valid IPv6 addresses from DHCPv6 and SLAAC.

ZTE ONR bridged port --> OpenWRT virtual router --> OpenWRT virtual router as a sub-router --> Xiaomi BE5000 in AP mode --> Acer Laptop.

The problem is that the OpenWRT sub-router itself does seem to work with IPv6, let alone the LAN side.

WAN side gets /61 IPv6 prefix delegation, LAN side is assigned with /64 IPv6.

The WAN/LAN side IPv6 gateway of the sub OpenWRT router is shown as the br-lan LLA IPv6 address of the main OpenWRT router, which seems to be correct.

The WAN/LAN side IPv6 gateway of the main OpenWRT router is shown as an LLA address of SIngtel side gateway, which should be correct as well.

So this is very strange.

root@OpenWrt:~# ping -c 4 ipv6.google.com
PING ipv6.google.com(se-in-f100.1e100.net (2404:6800:4003:c11::64)) 56 data bytes

--- ipv6.google.com ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3157ms

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'dda5:edda:cf50::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.38.1'
        option netmask '255.255.255.0'
        option delegate '0'
        option ip6assign '64'
        list ip6class 'wan6'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'eth0'
        option reqaddress 'try'
        option reqprefix '60'
        option norelease '1'
        list ip6class 'wan6'

config interface 'tailscale'
        option proto 'none'
        option device 'tailscale0'

config interface 'zerotier'
        option proto 'none'
        option device 'ztyqbuckbd'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        list server '/mask.icloud.com/'
        list server '/mask-h2.icloud.com/'
        list server '/use-application-dns.net/'
        list server '127.0.0.1#5053'
        list server '127.0.0.1#5054'
        option doh_backup_noresolv '-1'
        option noresolv '1'
        list doh_backup_server '/mask.icloud.com/'
        list doh_backup_server '/mask-h2.icloud.com/'
        list doh_backup_server '/use-application-dns.net/'
        list doh_backup_server '127.0.0.1#5053'
        list doh_backup_server '127.0.0.1#5054'
        list doh_server '127.0.0.1#5053'
        list doh_server '127.0.0.1#5054'
        option serversfile '/var/run/adblock-fast/dnsmasq.servers'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ra 'server'
        list ra_flags 'none'
        option ndp 'relay'
        option dhcpv6 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'wan6'
        option interface 'wan6'
        option ignore '1'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'

 

[xiaofan]

1. Using IPv6 passthrough on the Asus sub-router (Double NAT on the IPv4 side) --> LAN clients side may or may not get IPv6 to work. Windows clients may work sometimes but Linux clients totaly do not work.

I cannot seem to get it work any more even with Windows clients now. Or it may work for a short time. Asus router itself cannot access the Internet either.

2. Using native IPv6 on the Asus sub-router (Double NAT on the IPv4 side) --> LAN clients do not seem to work with IPv6 at all even though proper IPv6 address was issued to the clients. The issue is the Asus router itself is not able to access Internet using IPv6.

xiaofan@TUF_6500-5020:/tmp/home/root# nslookup ipv6.google.com
Server:         192.168.18.1
Address:        192.168.18.1#53

Name:      ipv6.google.com
ipv6.google.com canonical name = ipv6.l.google.com
Name:      ipv6.google.com
ipv6.google.com canonical name = ipv6.l.google.com
Name:      ipv6.l.google.com
Address 1: 2404:6800:4003:c02::71
Address 2: 2404:6800:4003:c02::8a
Address 3: 2404:6800:4003:c02::65
Address 4: 2404:6800:4003:c02::66

xiaofan@TUF_6500-5020:/tmp/home/root# ping -c 4 ipv6.google.com
PING ipv6.google.com (2404:6800:4003:c02::66): 56 data bytes
ping: sendto: Network unreachable

 

[xiaofan]

Using native IPv6 on the pfSense sub-router (Double NAT on the IPv4 side) --> LAN clients do not seem to work with IPv6 at all even though proper IPv6 addresses were issued to the LAN clients via both DHCPv6 and SLAAC.

The problem is pfSense itself can not access Internet with IPv6, let alone LAN clients.

PS C:\work> ssh root@192.168.88.1
(root@192.168.88.1) Password for root@pfSensen100new.home.arpa:
QEMU Guest - Netgate Device ID: xxxxxxxxxxxxxxxxxxxxxx

*** Welcome to pfSense 2.7.2-RELEASE (amd64) on pfSensen100new ***

 WAN (wan)       -> vtnet1     -> v4/DHCP4: 192.168.18.234/24
                                  v6/DHCP6: 2400:d802:xxx:xx00::d5c/128
 LAN (lan)       -> vtnet0     -> v4: 192.168.88.1/24
                                  v6/t6: 2400:d802:xxx:xx01:xxxx:xxxx:xxxx:3324/64

 0) Logout (SSH only)                  9) pfTop
 1) Assign Interfaces                 10) Filter Logs
 2) Set interface(s) IP address       11) Restart webConfigurator
 3) Reset webConfigurator password    12) PHP shell + pfSense tools
 4) Reset to factory defaults         13) Update from console
 5) Reboot system                     14) Disable Secure Shell (sshd)
 6) Halt system                       15) Restore recent configuration
 7) Ping host                         16) Restart PHP-FPM
 8) Shell

Enter an option: 8

[2.7.2-RELEASE][root@pfSensen100new.home.arpa]/root: ping -c 4 ipv6.google.com
PING6(56=40+8+8 bytes) 2400:d802:xxx:xx01:xxxx:xxxx:xxxx:3324 --> 2404:6800:4003:c02::71

--- ipv6.l.google.com ping6 statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss

[2.7.2-RELEASE][root@pfSensen100new.home.arpa]/root: nslookup ipv6.google.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
ipv6.google.com canonical name = ipv6.l.google.com.
Name:   ipv6.l.google.com
Address: 2404:6800:4003:c02::64
Name:   ipv6.l.google.com
Address: 2404:6800:4003:c02::65
Name:   ipv6.l.google.com
Address: 2404:6800:4003:c02::66
Name:   ipv6.l.google.com
Address: 2404:6800:4003:c02::71

 

[xiaofan]

1) Using IPv6 passthrough on the Xiaomi BE5000 sub-router (Double NAT on the IPv4 side) --> LAN clients seem to work fine with IPv6.

ZTE ONR bridged port --> OpenWRT virtual router --> Xiaomi BE5000 in router mode (Double NAT with IPv4, IPv6 passthough) --> Acer Laptop.

Again, Acer Laptop gets two IPv6 addresses, one with DHCPv6, the other with RA. Interestingly, ipv6 test site only shows the IPv6 address using RA.

2) Using native IPv6 on the Xiaomi BE5000 sub-router (Double NAT on the IPv4 side) --> LAN clients do not seem to work fine with IPv6, even though the LAN clients can get valid IPv6 addresses using both DHCPv6 and RA. Very strange.

test-ipv6.com says that Acer Laptop does not have valid IPv6 address.

ZTE ONR bridged port --> OpenWRT virtual router --> Xiaomi BE5000 in router mode (Double NAT with IPv4, native IPv6) --> Acer Laptop.

 

[Mach3.2]

@Mach3.2

Just wondering if you can try again on the VQ side to see if anything changes or not. Thanks.

No IPv6 on VQ.