IPv6 with SLAAC

[Softail]

I'm trying to get "Native" IPv6 working on my RT-N66U running Merlin's 376.49_5. My ISP (Monkeybrains) uses SLAAC exclusively. This seems to partly work in that eventually I get a global IPv6 address with a /64 prefix that corresponds with the ISP IPv6 address range. eth0 also gets a link local address and I can ping both the local and the global addresses from the router. I get a default route to another link local address on eth0, which is what should happen as best I understand it and if I reboot the router with those settings I can ping that address. However I cannot ping ipv6.google.com or Monkeybrains' DNS servers, which do have IPv6 addresses. I tried

ip6tables --flush

to make sure there isn't some firewall problem involved but it still doesn't work.

Is this known to work (or not) on stock or Merlin firmware? Is there anything else I need to configure? If it should work I can try talking to my ISP. They think it should but don't provide any client support for making it do so. If it should be working though I can at least ask them if there is some problem.

Thanks

 

[coldwizard]

I don't know a lot about IPV6 so someone please correct me if what I say is wrong.

I believe that SLAAC assigns one IP address at a time, so is good for client machines. DHCPV6 can assign either a single IP or a PREFIX (subnet in ipv4 world). Since IPV6 does not use NAT, a router would need to be assigned a PREFIX to use for it's internal LAN.
I suspect that your ISP, as a first step to full IPV6 implementation, is allowing clients to connect to their network to access SLAAC for testing.

Check if your LAN network (br0) has a IPV6 address not starting fe80.

 

[deekue]

I'm in the same boat. I have the latest stable Merlin build on a RT-AC56U, connected to MonkeyBrains.

I get a /64 IPv6 global address on eth0.

If I run tcpdump on a client on the LAN I don't see any response to the ICMPv6 Router Solicitation from the client.

dnsmasq is using br0 for the dhcp-range option and I see this in /tmp/syslog.log

Feb 14 21:34:31 dnsmasq-dhcp[7286]: DHCPv6 stateless on br0
Feb 14 21:34:31 dnsmasq-dhcp[7286]: router advertisement on br0
Feb 14 21:34:31 dnsmasq-dhcp[7286]: IPv6 router advertisement enabled

I tried changing the dnsmasq.conf to use eth0 for the dhcp-range option

dhcp-range=lan,::,constructor:etho,ra-stateless,64,600

it sees the IPv6 prefix and the constructor works, but it's advertising on the eth0 interface instead of br0

Feb 14 22:01:58 dnsmasq-dhcp[7350]: DHCPv6 stateless on eth0
Feb 14 22:01:58 dnsmasq-dhcp[7350]: router advertisement on eth0
Feb 14 22:01:58 dnsmasq-dhcp[7350]: DHCPv6 stateless on 2607:f598:0:602::, constructed for eth0
Feb 14 22:01:58 dnsmasq-dhcp[7350]: router advertisement on 2607:f598:0:602::, constructed for eth0
Feb 14 22:01:58 dnsmasq-dhcp[7350]: IPv6 router advertisement enabled

I'm honestly not sure how this is supposed to work. I'll keep doing research...

 

[RMerlin]

Out of curiosity, see what happens if you disable the Comcast patch:

nvram set ipv6_neighsol_drop=0
nvram commit
reboot

 

[Softail]

No change for me, i.e. I get the address and route that look plausible on the N66 attached to MonkeyBrains but I can't ping from there beyond the default gateway. I haven't even tried to get any clients to connect via IPv6.

MonkeyBrains doesn't formally support this but they did say they looked at the configuration of my gateway and didn't see any problem on their end.

 

[deekue]

Out of curiosity, see what happens if you disable the Comcast patch:

packet dump on a LAN client looks the same. a ND then several Router Solicitations but no response.

on the AC56U I can still ping6 www.google.com successfully

 

[RMerlin]

No other idea then. The only IPv6 scenario I can test is with a 6in4 tunnel. And it seems like a lot of ISPs have a lot of different implementations, where some will work flawlessly, others will only work half of the time.

As I often say, IPv6 is just one big experiment that should never have left the lab in its current state. Looks great on paper, absolutely abysmal in its implementation. That's why it's taking forever of the Internet to move to IPv6, despite the IPv4 shortage.

 

[Softail]

on the AC56U I can still ping6 www.google.com successfully

Interesting. On my N66U I cannot, at either setting. I'm at 50_0 now also.

 

[charlie2alpha]

I don't understand how this is supposed to work, with SLAAC you can only configure one host, the one that connects directly to the WAN. Normally the ISP is supposed to assign to you an IPv6 prefix, usually with DHCP-PD and then the router advertises that prefix on its LAN interfaces. This is how my ISP has been doing things from the start and never failed to work.

 

[nonolk]

Hello,

So for I agree with Charlie2alpha, the SLACC address is only given to your router external nic.
Don't use dnsmasq on eth0 but only on br0, with something live:
Code:
dhcp-range=lan,::,constructor:br0,slaac,64,600

Best regards,
--
Nonolk.

 

[deekue]

I don't understand how this is supposed to work, with SLAAC you can only configure one host, the one that connects directly to the WAN. Normally the ISP is supposed to assign to you an IPv6 prefix, usually with DHCP-PD and then the router advertises that prefix on its LAN interfaces. This is how my ISP has been doing things from the start and never failed to work.

yeah, I was confused.

you can do what I was expecting with DHCPv6 using the Prefix Exclusion option (rfc6603). but MonkeyBrains are telling me they only support SLAAC+DHCPv6 so if they even support prefix delegation it'll have to be via rfc3633.

I asked again if they support prefix delegation. Have to see what they come back with.

 

[deekue]

Interesting. On my N66U I cannot, at either setting. I'm at 50_0 now also.

have you enabled ping on the wan interface? SLAAC uses ICMPv6

 

[Softail]

have you enabled ping on the wan interface? SLAAC uses ICMPv6

I can ping the link local address of the default route gateway on the WAN port just nothing beyond that. That's different from the link local address on my end so I assume it's really going out and coming in. I've tried flushing ip6tables and the default is ACCEPT but that doesn't help. Is there anything else to try?

They say their gateway is OK but since yours works and mine doesn't and I can ping as far as the gateway makes me think it's not. Haven't dug deep enough yet to know how much real commonality there is between the IPv6 stacks on yours vs mine but my working assumption is they're pretty much the same.

 

[deekue]

I can ping the link local address of the default route gateway on the WAN port just nothing beyond that. That's different from the link local address on my end so I assume it's really going out and coming in. I've tried flushing ip6tables and the default is ACCEPT but that doesn't help. Is there anything else to try?

They say their gateway is OK but since yours works and mine doesn't and I can ping as far as the gateway makes me think it's not. Haven't dug deep enough yet to know how much real commonality there is between the IPv6 stacks on yours vs mine but my working assumption is they're pretty much the same.

the IPv6 stack should be pretty similar, assuming you have current firmware on the device (I'm assuming you're running Asuswrt or Asus-Merlin given you're in this forum).

link local addresses aren't routed. do you have a global scope IPv6 address on your wan interface?
what's the output of 'ip -6 addr'?

MonkeyBrains IPv6 allocation is 2607:f598/32, so you should have an address in that range.

if you don't have an address in that range, what's the output of 'ps | grep odhcp6c'?

 

[Softail]

do you have a global scope IPv6 address on your wan interface?

Yes I do get a global scope address on eth0 that is close to the MonkeyBrains DNS servers, so I assume I'm OK there. I'm not at home at the moment so I can't get the specific numbers but that all looked good to me. Clearly some of it is working, I get the global address myself and a default route back to them.

I haven't tried to ping6 back to that global address because none of my cloud servers at the moment has a functioning IPv6 stack ;-( Looks like there's some online tools to do that, I may try it later or spin up a micro instance in Amazon.

 

[deekue]

pestered MonkeyBrains on twitter and got a response

@deekue @monkeybrainsnet Not yet.. You can only get a single SLAAC address right now. Hopefully dhcpv6-pd will happen once GTTH is deployed -- Paul Saab (@yogurtboy) February 21, 2015

if you can't a get prefix to route to your LAN there's no real point in setting up IPv6.

I'm going to go back to using my Sixxs tunnel until they have DHCPv6-PD support.

 

[Softail]

Do you find that better than Hurricane Electric? I played with one there for awhile that mostly seemed to work but occasionally seemed to boggle some of my devices. Haven't tried it on 50_0 though. They did have a scriptable method for updating the IPv4 address though, which it looks like Sixxs doesn't. Hard to tell though the HowTo's are ancient.

I'm probably going to stick with IPv4 for now. It does what I actually need. My old one at Sonic worked pretty well so I was hoping to keep that going with MonkeyBrains. Oh well...

Thanks for the help.

 

[Rooby]

Has someone managed to get the GUI over WAN via IPV6 address?
I have dual stack using PPPOE and I get an IPV6 address from my ISP.
I open also the 8443 and 8080 IPV6 port for the GUI.
I also sucessfully tested that I have an IPV6 address form outside and i also can access IPV6 web pages.
What i do not understand is the in the IPV6 log:
The
WAN IPv6 Address
and
LAN IPv6 Address
are different. Only the first two blocks are equal.
Should not the whole 8 blocks (64 bits prefix) identical?
Should not the prefix /64 delegated to the LAN addresses?