YazFi Ipv6 subnets


ZebMcKayhan

Very Senior Member
I recently enabled IPv6 for learning/experimental reasons. I don't have IPv6 on WAN, so I generated a ULA (/48) which I then divided into a first subnet
fdff:a37f:fa75:1::/64

Disabled DHCP-PD and entered this in the GUI, and connected WireGuard where I get an IPv6 connection, so I added a default route and proper firewall rules and my network is now dual stack.

YazFi was never designed/intended for IPv6, so clients get IPv6 from the same pool. Initially I just added firewall rules to drop all IPv6 from them. I would like to see if it is possible to assign other IPv6 subnets to these interfaces, but I ran into a dead end and was hoping anyone here would have some ideas to test.

Here is what I have done:
firewall-start:
Code:
# give the guest interface its own ULA /64 and make sure the link is up
ip -6 address add dev wl1.2 fdff:a37f:fa75:6::1/64
ip link set up dev wl1.2
dnsmasq.conf.add
Code:
interface=wl1.2
# stateless (SLAAC) assignment based on the interface prefix:
dhcp-range=wl1.2,::,constructor:wl1.2,ra-stateless,64,600
# assign DNS servers (DHCPv6 option 23):
dhcp-option=wl1.2,option6:23,[2620:fe::fe],[2620:fe::9]

But the clients on the interface now assign themselves both an IPv6 address from br0 and one from my new subnet, in total 5 IPv6 addresses. Seeing this as a side effect of wl1.2 still being in br0, I removed it (despite the warnings)
Code:
brctl delif br0 wl1.2
This worked and all was fine for a day, so I put this in firewall-start and rebooted. When the router booted up, IPv6 on br0 just did not work although everything seemed OK (IPv4 was good though, and so was IPv6 on the removed interfaces). Poking around (adding/removing firewall rules, adding/removing routes, reconnecting wifi) it works occasionally but drops out again within 1-2h.

Not sure it is linked to the same issue but something really seems funky with ipv6 br0 bridge/route control.

Adding the interfaces back into br0 manually only seems to solve it temporarily; it drops out again.

So I removed the firewall-start entry that removes the interfaces and rebooted, and IPv6 has been stable now for 12h...

Not sure if some service that runs on boot is picky about how br0 looks but later doesn't care. Or maybe it's just some service-restart event crapping out again if the interfaces are not there.


Any idea of how to keep wlx.y inside br0 and prevent it from generating br0 IPv6 addresses?
Or how to safely remove it from br0?


Or am I getting at this the wrong way?

I'm on 386.4 RT-AC86U

//Zeb
 
You need to define DHCPv6 for each interface separately in dnsmasq, or else the :: universally applies to all of them
 
So you mean basically remove this:
Code:
dhcp-range=lan,::,constructor:br0,ra-stateless,64,600

And replace with:
Code:
dhcp-range=eth1,::,constructor:br0,ra-stateless,64,600
dhcp-range=eth2,::,constructor:br0,ra-stateless,64,600
dhcp-range=eth3,::,constructor:br0,ra-stateless,64,600
dhcp-range=eth4,::,constructor:br0,ra-stateless,64,600
dhcp-range=eth5,::,constructor:br0,ra-stateless,64,600
dhcp-range=eth6,::,constructor:br0,ra-stateless,64,600
Would achieve this and allow me to keep wl1.2 inside br0?
 
:: is the universal listen ALL, when you are only concerned about the communications related for each individual one.
I'm sorry if I'm a bit slow (or thick) but I thought this [::] was about the range:
--dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-IPv6addr>[,<end-IPv6addr>|constructor:<interface>][,<mode>][,<prefix-len>][,<lease time>]

I'm finding this part of dnsmasq.conf manual confusing. I still want stateless assignment with /64 prefix, just different for some interfaces included in br0
 
Okay so at the front end of each ula address you have a prefix.. your prefix replaces ::


:: universally applies to all prefix.

Thus why you are seeing all addresses. Instead of only the one specific to that network.
 
fdff:a37f:fa75:1:: would replace :: for the interface it applies to so on for each network, thus solving you seeing every address for each network.
 
When you get this all said and done, I hope you take the time to share your process like iptables ; routes; and specific scripts (or places) where you put your setup. Obviously omit any private data. I have been interested in setting something like this up too and I would love to compare notes and what not.
 
Ok, so replace the existing
Code:
dhcp-range=lan,::,constructor:br0,ra-stateless,64,600
dhcp-range=wl1.2,::,constructor:wl1.2,ra-stateless,64,600
With:
Code:
dhcp-range=lan,fdff:a37f:fa75:1::,constructor:br0,ra-stateless,64,600
dhcp-range=wl1.2,fdff:a37f:fa75:6::,constructor:wl1.2,ra-stateless,64,600

I will give it a go in a couple of days (still experimenting on ways to keep wl1.2 out of br0, need to read up on POSIX commands to do find-and-replace in dnsmasq.postconf).

The routes are set up by the kernel so I haven't needed to worry about them. The firewall is a handful though. Right now I'm on vanilla, but looking into ICMPv6 there seems to be some work to do.

Some toilet reading:

I may push up the firewall part until I get a WAN IPv6. Being IPv6 over VPN I'm behind several NAT66 so I'm not so exposed.

I will always be open to share my work or notes, but I'm sometimes a bit worried about firewall stuff, so I'm not leading others to do the same as me when I sometimes have other means of protection, so it may not always apply.
 
The same applies to br0. You need to change the :: on the segment for br0 to the prefix of that network's address, or simply make a ULA for that interface and use the ULA prefix.
 
Just a heads up, you will also have to do the same for the ipv6 dns. Say for example the address is fdff:a37f:fa75:1::/64

You would replace the :: for dns options with fdff:a37f:fa75:1::1 for the first network address.
 
Didn't find a way to set any range in the option6:23?

Really hoping to find a way that the router is happy with wl1.2 being a stand-alone interface. This way my current setup works (despite the [::]), which means less maintenance to take care of (and no POSIX stuff that I never could remember). Currently testing to remove the interface in the YazFi custom scripts, which are executed 10s after all start-up, but each test I do takes about a day to verify stability.
 

nano /jffs/scripts/dnsmasq.postconf

Code:
#!/bin/sh
# dnsmasq.postconf is called with the path of the generated config as $1
CONFIG=$1
# pc_replace comes from Merlin's helper.sh: pc_replace "old line" "new line" file
. /usr/sbin/helper.sh

pc_replace "dhcp-range=lan,::,constructor:br0,ra-stateless,64,infinite" "dhcp-range=lan,::2,::500,constructor:br0,ra-names,slaac,64,infinite" "$CONFIG"

here is an example of something I do for br0 (keep in mind this is different from your setup, I was just showing you how to use the function).
 
For what it's worth, I finally figured out why br0 ipv6 failed when wl1.2 was removed from the bridge.
After removal of the interfaces I need to restart dnsmasq:
Code:
service restart_dnsmasq

Can't believe I didn't try this before, but it was not obvious since there are no changes to dnsmasq.conf; I guess dnsmasq must redefine its definition of br0 somehow. The tricky thing is that this isn't noticed until the lease expires (threw me way off).

For reference, here is my setup now:
/jffs/scripts/firewall-start:
Code:
ip -6 address add dev wl1.2 fdff:a37f:fa75:6::1/64 2>/dev/null
ip link set up dev wl1.2 2>/dev/null

/jffs/config/dnsmasq.conf.add
Code:
### wl1.2 ipv6 config ###
interface=wl1.2
ra-param=wl1.2,10,600 #set ra-interval, lifetime
dhcp-range=wl1.2,::,constructor:wl1.2,ra-stateless,64,600 # set stateless
dhcp-option=wl1.2,option6:23,[2620:fe::fe],[2620:fe::9] #set dns
### end wl1.2 ipv6 config

YazFi userscript (/jffs/addons/YazFi.d/userscripts.d/ipv6.sh)
Code:
#!/bin/sh

### Yazfi ipv6 fix
brctl delif br0 wl0.1 2>/dev/null # YazFi ipv6 fix
brctl delif br0 wl1.1 2>/dev/null # YazFi ipv6 fix
brctl delif br0 wl1.2 2>/dev/null # YazFi ipv6 fix

service restart_dnsmasq # br0 borks when ipv6 lease expires
### YazFi ipv6 fix end
(This could be moved to firewall-start)

For the sake of knowledge I will test your approach @SomeWhereOverTheRainBow with leaving wl1.2 inside br0 and change the br0 dhcp-range and see if it works just as well.

//Zeb
 
@SomeWhereOverTheRainBow

I tried adding this:
Code:
pc_replace "dhcp-range=lan,::,constructor:br0,ra-stateless,64,600" "dhcp-range=lan,fdff:a37f:fa75:1::,constructor:br0,ra-stateless,64,600" $CONFIG
And confirmed that /etc/dnsmasq.conf now had:
Code:
dhcp-range=lan,fdff:a37f:fa75:1::,constructor:br0,ra-stateless,64,600

But when I tried to reconnect I couldn't anymore... after managing to remove the line and restart dnsmasq I checked the sys-log:
Code:
dnsmasq[28549]: prefix must be zero with "constructor:" argument at line 21 of /etc/dnsmasq.conf

So, this only works for the 64 suffix bits and not the prefix.

Tried again and changed the prefix in the command to 56 and the range to ::1:0:0:0:0 - ::1:ffff:ffff:ffff:ffff

Code:
dhcp-range=lan,::1:0:0:0:0,::1:ffff:ffff:ffff:ffff,constructor:br0,ra-stateless,56,600

But now I learned from my mistake and checked syslog before reconnecting:
Code:
dnsmasq[26461]: prefix length must be at least 64 at line 21 of /etc/dnsmasq.conf

One final attempt:
Code:
dhcp-range=lan,::1:0:0:0,::1:ffff:ffff:ffff,constructor:br0,ra-stateless,64,600
Figuring I could use smaller subnets, and it was at least accepted by the system.

But it did not change anything. Addresses on br0 did not comply with the limited range, and wl1.2 still gets br0 addresses.

Bummer...

This could possibly be because the LAN prefix I entered in the GUI is 64... will try to change that to 48 tomorrow... I'm curious how the addresses get arranged; it may permit me to use the above command with a 48 prefix and limit the range, since SLAAC only needs the last 64 bits...
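A pre-flight check for edits like the ones tried above, as an added example (not code from the thread, from dnsmasq or from YazFi): it splits a dhcp-range line the way the man-page syntax quoted earlier lays it out and applies the two rejections dnsmasq logged in the syslog here, so a bad line is caught before pc_replace pushes it into /etc/dnsmasq.conf. It assumes Python 3 on a workstation (not the router) and handles IPv6 ranges only.

```python
"""Pre-flight lint for IPv6 dhcp-range lines before they reach /etc/dnsmasq.conf.
Added example, not code from the thread, dnsmasq or YazFi: it applies the two dnsmasq
rejections the thread's syslog shows (prefix length >= 64; zero prefix with constructor:).
"""
import ipaddress

# Mode keywords dnsmasq accepts between the address part and the numeric fields
MODES = {"ra-only", "ra-names", "ra-stateless", "ra-advrouter", "slaac", "off-link", "static"}

def check_dhcp_range(line):
    """Return (ok, message) for one IPv6 dhcp-range line (IPv4 ranges are not handled)."""
    line = line.split("#", 1)[0].strip()  # dnsmasq drops unquoted trailing comments
    if not line.startswith("dhcp-range="):
        return False, "not a dhcp-range line"
    fields = line[len("dhcp-range="):].split(",")
    # Leading tag/set qualifiers; Asus uses a bare tag such as "lan" or "wl1.2"
    while fields and (fields[0].startswith(("tag:", "set:")) or ":" not in fields[0]):
        fields.pop(0)
    if not fields:
        return False, "missing IPv6 start address"
    try:
        start = ipaddress.IPv6Address(fields.pop(0))
        end = None  # optional end address; absent when only a start/prefix is given
        if fields and ":" in fields[0] and not fields[0].startswith("constructor:"):
            end = ipaddress.IPv6Address(fields.pop(0))
    except ValueError as exc:
        return False, "bad address: %s" % exc
    constructor = None
    if fields and fields[0].startswith("constructor:"):
        constructor = fields.pop(0)[len("constructor:"):]
    while fields and fields[0] in MODES:
        fields.pop(0)
    prefix_len = 64  # dnsmasq default when the prefix length is omitted
    # A number followed by another field (the lease time) is the prefix length
    if len(fields) >= 2 and fields[0].isdigit():
        prefix_len = int(fields.pop(0))
    if prefix_len < 64:
        return False, "prefix length must be at least 64"
    if prefix_len > 128:
        return False, "prefix length cannot exceed 128"
    if constructor is not None:
        # The network part comes from the interface, so the first prefix_len bits
        # of the given addresses must be zero: only the host part may be set
        for addr in (start, end):
            if addr is not None and int(addr) >> (128 - prefix_len):
                return False, 'prefix must be zero with "constructor:" argument'
        return True, "ok: template range on %s, /%d" % (constructor, prefix_len)
    return True, "ok: static range %s-%s, /%d" % (start, end, prefix_len)

def lint(lines):
    """Check every dhcp-range line in an iterable of config lines; return the rejections."""
    problems = []
    for number, raw in enumerate(lines, 1):
        if raw.lstrip().startswith("dhcp-range="):
            ok, msg = check_dhcp_range(raw)
            if not ok:
                problems.append("line %d: %s" % (number, msg))
    return problems
```

Feed it the dnsmasq.conf.add or the line you are about to pass to pc_replace, e.g. lint(open("dnsmasq.conf.add")).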
 
Changing the LAN prefix did not really change anything except that the br0 prefix and the route changed. But dnsmasq still advertises /64 based on br0 (and br0 is assigned manually in the GUI as dhcp-pd=off).
I had hoped to get a glimpse of how the router would handle a /48 prefix delegated via DHCP-PD.

Currently keeping wl0.1, wl1.1, wl1.2 outside br0 as described above is a working solution and this allows me to use ordinary policy based routing based on source address.

Wl0.1 and wl1.1 are routed to WAN, but since I don't have a WAN IPv6 I want to block these from any IPv6. Wl1.2 should have access to br0 and the router and be routed out my second WireGuard client (different country output).

YazFi firewall rules still work as the interfaces are moved outside br0 as they are specified by interface name anyway.
When enabling ipv6 the router sets up a basic stateful firewall which I feel is good enough right now (for my setup), with the following change for ipv6 I put in YazFi custom config file:
Code:
#2-way to guest 2
ip6tables -I FORWARD -i wl1.2 -o br0 -j ACCEPT
ip6tables -I FORWARD -i br0 -o wl1.2 -j ACCEPT

#allow guest wifi 2 to access local services
ip6tables -I INPUT -i wl1.2 -j ACCEPT

#drop all guest 1 ipv6 (both radios: wl0.1 and wl1.1)
ip6tables -I FORWARD -i wl0.1 -j DROP
ip6tables -I INPUT -i wl0.1 -j DROP
ip6tables -I OUTPUT -o wl0.1 -j DROP

ip6tables -I FORWARD -i wl1.1 -j DROP
ip6tables -I INPUT -i wl1.1 -j DROP
ip6tables -I OUTPUT -o wl1.1 -j DROP # second radio needs its own OUTPUT rule as well

Currently though I'm not able to access router gui from wl1.2 ipv6 but via ipv4 works fine.

//Zeb
 