how to setting BRIDGE_IP6 ?

[wang20150419]

BRIDGE_IP6 is my router WAN6 ipv6 address from ISP ?

[cvmiller]

The purpose of the BRIDGE_IP6 address it to allow you to manage the router via IPv6 (you can also manage it via the IPv4 address (e.g. 192.168.1.1).

A safe IPv6 address to use in an ISP environment is to use the WAN6 address, since you know this will be unique in the ISP network. However, this may not be an easy IPv6 address to remember. Therefore you can try easier addresses like ::212, since the router will use Duplicate Address Detection (DAD) to ensure the address does not conflict with other addresses the ISP may be using.

[cvmiller]

Hopefully this worked for you. Please reopen the issue if you have more questions.

[tvogel]

I am still new to IPv6 - are you suggesting to add the BRIDGE_IP6 address to /etc/hosts such that dnsmasq will resolve it? Is it an option to leave it unset?

[cvmiller]

In the script itself, there are some basic variables that must be set:

change these to match your interfaces

WAN_DEV=eth1 BRIDGE=br-lan

IPv6 Management address, to access brouter

BRIDGE_IP6=2001:470:ebbd:0::11

Update these to your network settings. While it is possible to leave BRIDGE_IP6 as an empty string "" you will not be able to manage the brouter via IPv6 if you do so.

[ChthonVII]

[Edit: Turns out the LAN PC loses the route after reboot when BRIDGE_IP6 = my router's self-assigned LAN6 ip6 address. So I've got nothing at all that works for BRIDGE_IP.]

Setting BRIDGE_IP6 = WAN6 ipv6 address from ISP is not working for me. It will respond to a ping6, but ssh and http just time out.

However, setting BRIDGE_IP6 = my router's self-assigned LAN6 ip6 address is working. A machine plugged in on the LAN side can ssh in and access LUCI over http. Obviously, this won't be reachable remotely, but I've got no interest in doing that anyway.

Are there any functionality or security issues to be wary of with BRIDGE_IP6 = my router's self-assigned LAN6 ip6 address?

Any thoughts on how to troubleshoot BRIDGE_IP6 = WAN6 ipv6 address from ISP?

[cvmiller]

Perhaps the documentation should be improved. BRIDGE_IP6 is assigned to the br-lan device, so therefore it will be on the LAN side. the BRIDGE_IP6 is just used for managing the router via IPv6.

That said, if you are bridging IPv6 from upstream (ISP or another router), then you are using the /64 provided by the upstream device. There should not be an assigned IPv6 address on your LAN (prior to running v6brouter). If you are receiving a Prefix Delegation from your upstream (ISP or another router), then you should not use v6brouter, but instead allow the OpenWrt router to route IPv6.

v6brouter implements a bridging firewall using both ebtables and ip6tables. The default is to allow external port 22 (ssh) in.

Please provide more details of your network (addresses, config, etc), if I have not answered your questions.

[ChthonVII]

"If you are receiving a Prefix Delegation from your upstream (ISP or another router), then you should not use v6brouter"

Please provide more details of your network

My ISP provides ipv4 over PPPoE and ipv6 over DHCP6. They WILL NOT delegate a prefix. (More precisely: They are not delegating me a prefix. Their English-language customer support doesn't even know what a prefix is. Other customers claim that they will delegate a prefix, but ONLY if you also purchase their VoIP service and use the router that comes with it.)

I'm using a fresh install of OpenWrt 18.06.1 with mostly default settings. (Settings I've changed like wifi encryption and MAC filtering oughtn't be relevant here.) WAN is configured as PPPoE, and works. WAN6 is configured as DCHP6. It receives an address (2405:stuff:stuff:stuff:stuff:stuff:stuff:stuff/64) and the router itself can reach the internet, but no delegated prefix means no ip6 access for PCs attached to LAN. (Looks like they're assigning me a /64 block, but not delegating. Setting forceprefix in DHCP6 results in the ISP not assigning an address at all.) LAN is configured as per default.

There should not be an assigned IPv6 address on your LAN (prior to running v6brouter).

But there is. In the default configuration, OpenWRT generates a random local ULA from fd00::/8, assigns itself the ::1 address, and sets up a local ipv6 network. v6brouter disables router advertisements and dhcp6, but PC's connected to LAN remember how to reach the router's self-assigned local IP, at least until they reboot. (Hence my confusion earlier.) Is this something that requires a settings change to OpenWRT to make v6brouter's BRIDGE_IP6 feature work?

v6brouter implements a bridging firewall using both ebtables and ip6tables. The default is to allow external port 22 (ssh) in.

I've overhauled the firewall to be functionally equivalent to the default OpenWRT firewall. However, for purposes of troubleshooting the problem with BRIDGE_IP6 not working, I am temporarily disabling that. I am (alternately) running v6brouter without -F or running it with -F and expressly allowing dports 22 and 80 from any source in both INPUT and FORWARD. (I'm not really clear on which chain is applicable in the bridge scenario here. I'd assume INPUT, but you're using forwarding_rule, which is only reachable from FORWARD. Please, could you clarify that?)

I've tried setting BRIDGE_IP6 as follows:

• Equal to the IPv6 assigned to WAN6 by the ISP (2405:stuff:stuff:stuff:stuff:stuff:stuff:stuff). Result: pingable (but ~300ms?), ssh and http time out.
• Equal to the IPv6 assigned to WAN6 by the ISP plus 1. Result: pingable (but ~300ms?), ssh and http time out.
• Equal to the self-assigned LAN IPv6 (fd00::stuff::1). Result: Works until the LAN PC is rebooted, then becomes unreachable.
• Equal to the arbitrary IPv6 in the script (2001:470:1d:583::12). Result: Response from ISP upstream says unreachable. (Not surprising.)

---

Unrelated question: Are ip6tables rules with -i lo and -o lo still valid, or does bridging confuse them too?

[cvmiller]

Thanks for the description of your network. I understand your earlier comments better. ULAs are not routable (to the internet), so I wasn't considering them.

The purpose of v6brouter is to allow the ISPs RAs into your network, and the PCs will then get IPv6 addresses from the ISP (or if DHCPv6, the PCs should be able to request an IPv6 address from your ISP).

I have not tested v6brouter with PPPoE ISP connection. I don't think it will work, since ethernet to PPP is not simple bridging any longer. It requires something to encapsulate the ethernet in a negotiated PPP session. I think this is the root of your problem.

Your options appear to be a) ask your ISP to provide Prefix Delegation, or b) switch to an ISP that will provide PD, or c) use a Hurricane Electric Tunnel (which does work in a PPPoE environment)

[ChthonVII]

Oh, the brouting part of v6brouter works fine. (Probably because the upstream ipv6 is provided via DHCP6. It's only the ipv4 that's over PPPoE. (Which is just a stupid way to run network when you think about it. You have to authenticate for ipv4, while you can just plug in and go for ipv6... wtf?)) When I flip v6brouter on, everything on my LAN picks up an ipv6 address immediately. It works. It's faster than NAT6. It's great.

The ONLY thing I can't get working is the darned management address at BRIDGE_IP6.

[cvmiller]

Thanks for the information regarding v6brouter and PPPoE. I am surprised that it works with PPPoE.

Unfortunately, I don't have a PPPoE environment to test with, and not sure I can suggest a solution for your environment. Would you be willing to capture the output of: bash -x ./v6brouter and send it to my email address cvmiller@gmail.com. I will be looking for any errors in the script as it executes.