IPv6 on GNP using Passthrough

[rung]

Hi All,

I needed to test IPv6 on a machine on a GNP network. Currently I am running 3006.102.4 on a RT-AX86U Pro. IPv6 works fine in Native mode on the main network but unfortunately, my ISP (AT&T), only provides a prefix on /64 (boo!). So, it looked like IPv6 subnets were not going to work in my case. Instead, I found that sharing the /64 across the main network and the GNP interfaces in Passthtrough mode seems to do the trick. Looking at the Merlin wan.c code, it looks like this feature could be enabled in the future, but for now (unless I missed an option somewhere), I found I had to make the following configuration changes:

First I needed a wan-event script to update the 6relayd proxy from sharing the prefix with just the main network but with all the networks including GNP:

#!/bin/sh
GNP_INTERFACES="br52 br53"
WAN_PORT=$(nvram get wan_ifname)

if [ "$2" = "connected" ];then
        if [ -n "$(pidof 6relayd)" ]; then
                logger -t "wan-event" "Adding GNP interfaces to 6relayd..."
                killall 6relayd
                6relayd -drs -Rrelay -Dserver -N -n $WAN_PORT br0 $GNP_INTERFACES
        fi
fi

Then I just needed to open up outbound IPv6 traffic on the GNP interfaces with a firewall-start script:

#!/bin/sh
WAN_PORT=$1

logger -t "firewall-start" "Enabling IPV6 outbound traffic on GNP interfaces..."
#insert new FORWARD rule after existing eth rule
Fn=$(($(ip6tables --line-numbers -v  -t filter -L FORWARD | grep eth | awk '{ print $1 }')+1))
ip6tables -I FORWARD $Fn -i br+ -o $WAN_PORT -j ACCEPT

So far, everything seems to be working including ping6 from main network to GNP networks but not the other way around (good).

Please let me know if you see any major problems with this approach or if there is a simpler way to solve this problem.

Thanks,
Rung

 

[liug]

ATT does provide 8 /64 IPv6 prefixes. It is just you have to request them individually. Here are some discussions how pfsense did it

https://www.reddit.com/r/PFSENSE/comments/1ecgz0y/att_fiber_modem_only_assign_64_ipv6_prefix

 

[rung]

ATT does provide 8 /64 IPv6 prefixes. It is just you have to request them individually. Here are some discussions how pfsense did it

https://www.reddit.com/r/PFSENSE/comments/1ecgz0y/att_fiber_modem_only_assign_64_ipv6_prefix

Yes, I had seen that. I couldn't see how those techniques would help in my situation.

 

[liug]

openwrt folks also does the similar workaround https://forum.openwrt.org/t/configu...-multiple-pd-requests-for-at-t-fiber/99371/39 Since Asus also uses odhcp6c to request prefix delegation, maybe we can do the same, and then use those different requested /64 for different internal vlans include main LAN and various GNP vlans.

 

[rung]

Thanks. That could work but I'm not seeing a downside yet with sharing the/64 across the various lans.

 

[liug]

If I understand it correctly, sharing the same /64 across vlans will flatten the internal ipv6 network, and beat the purpose of separating vlans from ipv6 perspective.

 

[rung]

I haven't seen that yet. The firewall seems to be still working between virtual bridges as I mentioned with the ping6 tests.