[SOLVED] IPv6 RA on WAN interface

I want to use my WR841ND with OpenWRT as an IPv6 tunnel endpoint (HE Tunnelbroker) and publish the RA on the same WAN-Port that the router is connected to the internet via IPv4. I have to do it this way because I don't want all devices in the network be connected via the WR841ND, but to the main router. The WR841N should only act as tunnel endpoint and IPv6 gateway. Is this doable via Luci?

I have set it up like this currently with the very old WRT54G v1.1 on White Russian (or Kamikaze?), but that device is quite slow, so I am looking to upgrade to the spare WR841ND that I have lying around.

With current OpenWrt you can turn off IPv6 RAs.

The WR841ND has some hope of running current OpenWrt, but LuCI may be a stretch, especially when running and consuming RAM / CPU cycles. I wouldn't expect much more than 100 mbps through it for the earlier revisions, perhaps 200 mbps "on a good day" for the later ones.

I don't want to turn off RAs, I just want to have them on the WAN interface.

I have OpenWRT already installed (Chaos Calmer) already up and running incl. Luci. Seems ok so far. 100 Mbps would be fine. The network is only Fast Ethernet anyways. It'll definitely be better than the 10-20 Mbps I'm getting with the old WRT54G.

You would enable/disable them as you need on each interface.

Chaos Calmer is known insecure and there have been many improvements in IPv6 since then as well.

Ah, I see. Still need to get used to the Luci interface. Can I configure to use a different prefix on the lan-bridge? (I get two prefixes on the tunnel: one /64 and one /48)

I don't know if the box can run any newer build. I am not so much concerned about the security issues as the box is behind a firewall and WiFi is not needed.

https://openwrt.org/toh/start?dataflt[Model*~]=WR841
18.06.2 is supported from what I see.
Then you can experiment with the IPv6 options in WAN interface, however you'll also need to fix accordingly the firewall.

Be carefull: v1 up to v12 are 4/32 devices, only v13 is 8/64MB.

I have not tried such a setup, but I have an idea that might work for you:
Use one of the WR841ND's LAN ports to connect it to your network, and assign the IPv6 tunnel interface to the wan zone in its firewall config.

Would it be feasible to run the tunnel endpoint on your main router instead?

It's probably a one-in-a-million (maybe even billion ) situation.

I thought about that as well when I originally set up the old Kamikaze device. However, that would mean I would not be able to connect any other devices to the box (I only have one static IPv4 that I can use, no DHCPv4 on the network, so NAT on the LAN-interface is needed).

Also, running on the main router is no option, as that device is not capable of terminating the tunnel.

I managed now to have the RA on the WAN so that clients get an IPv6, but IPv6 routing doesn't work yet. I suspect firewall. Trying to figure that out.

What's the best tool to draw a sketch of my network setup?

@tmomas
so I should not try this build? Yes, I have a v7 with 4/32MB.

One of the biggest challenges I think you'll face is that the old releases are from a time when IPv6 wasn't in common use. IPv6 support has improved immensely in both the kernel, as well as in the application software that support it. It may take hours of time to force an old version into (half) working.

Given that there are devices like the GL.iNet AR300M-Lite that support current firmware and have enough resources to comfortably run current releases available at under US$20, forgoing a couple coffees or beers may be a better path. Yes, that device is a single Ethernet, 2.4 GHz only device, but it will run circles around the other two devices combined, as well as likely improving your wireless over the WRT54G v1.1 and WR841N both.

Edit: There are devices at under US$40 that have multiple ports and/or 5 GHz support. I don't have personal experience with them, so I can't recommend a specific model.

You can try, but you should be aware that 4/32MB are deemed insufficient for a current up-to-date OpenWrt like 18.06.2 and that issues are to be expected, depending on your usecase. See https://openwrt.org/supported_devices/432_warning and search the forum for 432 (you will find quite a number of topics where this is discussed extensively).

Thanks jeff, but aren't we also in for the fun? And the other device, even if it can run the newest version, it will still need manual configuration for my use case as it seems, which is the most time consuming part. I had it running fine also on the 10+ years old Kamikaze on a box from 2003. Just slow and I have this other box that I want to use, instead of buying something new.

I now upgraded to LEDE (currently compiling 18 in the background) but the options still don't satisfy my needs. For some odd reason both prefixes (the /64 and the /48) get now advertised on the WAN interface, while the LAN interfaces only advertises the /48. Seems like a bug to me, cause probably noone really examined the WAN interface in his network.

Can you suggest a sketch tool for network graphs?

Even a sketch and a cell-phone photo would be sufficient.

Though I've got three routers cracked open on my bench and am working with "pre-beta" code under Linux 4.19 on them, I don't consider working with outdated, unpatched kernels and application software "fun". Same for not having enough flash, RAM, and CPU power.

It's one thing to see what you can cram into a $10 ARM-based, BLE board that is going to run off a battery, but into a 15-year-old, Broadcom-based router with ancient 802.11 standards and closed-source driver blobs that haven't been updated in nearly as long? That can't run a current Kernel that properly supports IPv6? That's not "fun" for me.

I've probably still got 5 WRT54g units somewhere that I held onto with the thought that they'd be good for something. Between $10 ARM Cortex-M0+ boards, $20 routers, and Pi-class devices, they aren't.

Can you show your configs.

I still don't quite understand what you desire.

• Are you saying that you want your HE IPv6 WAN on eth0.2, facing your ISP?

Sure you can. Have you given your WAN interface an IPv6 address from your prefix yet?

Yes, it should theoretically be facing the ISP (only in my case the WAN-port is not connected to the ISP, but to the network, like in a router cascade).

I've attached a diagram to show the way I'd like it to look. IPv6 addresses for client devices should be assigned by RA.

Untitled Diagram (5).png1322×1367 290 KB

My current config on Kamikaze looks like this:

#/etc/rc.d/S99he-ipv6

ip tunnel add he-ipv6 mode sit remote 216.66.86.114 local x.x.x.19 ttl 255
ip link set he-ipv6 up
ip addr add 2001:470:xx:e8e::2/64 dev he-ipv6

ip -6 addr add 2001:470:xy:e8e::1/64 dev eth0.1
ip -6 addr add 2001:470:xxyy::1/64 dev br-lan

echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

iptables -I INPUT 2 -p ipv6 -i eth0.1 -j ACCEPT
iptables -t nat -A POSTROUTING --proto ! 41 -o eth0.1 -j MASQUERADE

radvd -C /etc/config/radvd &

ip route add ::/0 dev he-ipv6

#/etc/config/radvd

interface eth0.1 {
   AdvSendAdvert on;
   prefix 2001:470:xy:e8e::/64 {
      AdvOnLink on;
      AdvAutonomous on;
      AdvRouterAddr on;
}; };

interface br-lan {
   AdvSendAdvert on;
   prefix 2001:470:xxyy::/64 {
      AdvOnLink on;
      AdvAutonomous on;
      AdvRouterAddr on;
}; };

• Have you reconfigured the WAN firewall to allow what's needed?
• You'll need to duplicate the interface and give it a static IPv6 address - likely

1. What should I allow exactly?
2. What do you mean by duplicate?

Please see also my updated post with my config files on Kamikaze.

From what I understand how it is displayed in Luci, "WAN6" is what previously was "he-ipv6" for me, and "LAN" is, what was "br-lan", correct?

I don't see your configs. Configs are at /etc/config/network.

No clue what you mean or why it matters. After you create you HE interface, you will need to duplicate the WAN (WAN6 @WAN is fine) -

• you will have to give that interface a static IPv6 address
• Regarding the firewall, you have to permit needed IPv6 traffic to the router (ICMPv6 management traffic, etc.)

What I mean is that I currently have the system running as desired on an older box running OpenWRT Kamikaze. I posted the script/config that is needed to set up the tunnel on Kamikaze.

Now I switched to a newer box with a more recent edition of OpenWRT, and I am trying to get my old setup working again on the new box.

Here's the current config of /etc/config/network. I don't see any obvious differences?

#/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd1c:2d34:355b::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6addr '2001:470:xxyy::1/48'
        option ip6prefix '2001:470:xxyy::/48'

config interface 'wan'
        option ifname 'eth1'
        option _orig_ifname 'eth1'
        option _orig_bridge 'false'
        option proto 'static'
        option ipaddr 'x.x.x.19'
        option netmask '255.255.255.0'
        option gateway 'x.x.x.254'
        option dns 'x.x.y.1 x.x.y.2'
        option ip6addr '2001:470:xy:e8e::1/64'
        option ip6prefix '2001:470:xy:e8e::/64'

config interface 'wan6'
        option _orig_ifname 'eth1'
        option _orig_bridge 'false'
        option proto '6in4'
        option ipaddr 'x.x.x.19'
        option peeraddr '216.66.86.114'
        option ip6addr '2001:470:xx:e8e::2/64'
        option ip6prefix '2001:470:xy:e8e::/64'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0'