Differences

This shows you the differences between two versions of the page.

docs:guide-user:network:ipv6:configuration [2023/02/16 06:43] – [ULA prefix] merge from docs:guide-user:network:ipv6:ipv6.nat6 vgaetera
docs:guide-user:network:ipv6:configuration [2024/08/06 22:16] – [Table] fblaese
Line 1: Line 1:
 ====== IPv6 configuration ====== ====== IPv6 configuration ======
 See also: See also:
-[[docs:guide-user:network:routing:examples:routing_with_ipv6|Routing example: IPv6]], +[[docs:guide-user:network:routing:routes_configuration#ipv6_routes|Static IPv6 routes]], 
-[[docs:guide-user:network:ipv6_ipv4_transitioning|IPv4/IPv6 transitioning]]+[[docs:guide-user:network:routing:examples:routing_with_ipv6|IPv6 routing example]], 
 +[[docs:guide-user:network:ipv6_ipv4_transitioning|IPv4/IPv6 transitioning]], 
 +[[docs:guide-user:network:ipv6:ipv6_extras|IPv6 extras]]
  
 The default firmware provides full IPv6 support with a DHCPv6 client (''odhcp6c''), an RA & DHCPv6 Server (''[[docs:techref:odhcpd|odhcpd]]'') and a IPv6 firewall (''ip6tables'').\\ The default firmware provides full IPv6 support with a DHCPv6 client (''odhcp6c''), an RA & DHCPv6 Server (''[[docs:techref:odhcpd|odhcpd]]'') and a IPv6 firewall (''ip6tables'').\\
Line 17: Line 19:
  
 ==== General features ==== ==== General features ====
-  * Prefix Handling+  * Prefix handling:
     * Management of prefixes, addresses and routes from upstream connections and local ULA-prefixes     * Management of prefixes, addresses and routes from upstream connections and local ULA-prefixes
     * Management of prefix unreachable-routes, prefix deprecation ([[https://datatracker.ietf.org/doc/html/rfc7084|RFC 7084]]) and prefix classes     * Management of prefix unreachable-routes, prefix deprecation ([[https://datatracker.ietf.org/doc/html/rfc7084|RFC 7084]]) and prefix classes
Line 58: Line 60:
 See [[docs:guide-user:network:wan:WAN interface protocols]]. **option ipv6** can take the value: See [[docs:guide-user:network:wan:WAN interface protocols]]. **option ipv6** can take the value:
   * **0**: disable IPv6 on the interface    * **0**: disable IPv6 on the interface 
-  * **1**: enable IPCP6 negotiation on the interface, but nothing else. If successful, the parent interface will be assigned a [[https://en.wikipedia.org/wiki/Link-local_address|link-local address]] (prefix fe80::/10). The interface must then be configured manually, as described below.+  * **1**: enable IPCP6 negotiation on the interface, but nothing else. If successful, the parent interface will be assigned a [[wp>Link-local_address|link-local address]] (prefix fe80::/10). All other IPv6 configuration is made in the ''wan6'' interface which must be configured manually, as described below.
   * **auto**: (default) enable IPv6 on the interface. Spawn a virtual interface wan_6 (note the underscore) and start DHCPv6 client odhcp6c to manage prefix assignment. Ensure the lan interface has ''option ip6assign 64'' (or a larger prefix size) set to redistribute the received prefix downstream.   * **auto**: (default) enable IPv6 on the interface. Spawn a virtual interface wan_6 (note the underscore) and start DHCPv6 client odhcp6c to manage prefix assignment. Ensure the lan interface has ''option ip6assign 64'' (or a larger prefix size) set to redistribute the received prefix downstream.
  
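Review bot: In the rewritten **1** bullet, the new sentence sends readers to a "wan6" interface, while the unchanged **auto** bullet directly below names the spawned virtual interface wan_6 "(note the underscore)". Say explicitly that wan6 here is a separate interface the user defines and not the auto-created wan_6, and put a comma before "which must be configured manually" so the clause does not read as restrictive.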
Line 84: Line 86:
 | ''reqaddress'' | [try,force,none] | no | try | Behaviour for requesting addresses | | ''reqaddress'' | [try,force,none] | no | try | Behaviour for requesting addresses |
 | ''reqprefix'' | [auto,no,0-64] | no | auto | Behaviour for requesting prefixes (numbers denote hinted prefix length). Use 'no' if you only want a single IPv6 address for the AP itself without a subnet for routing | | ''reqprefix'' | [auto,no,0-64] | no | auto | Behaviour for requesting prefixes (numbers denote hinted prefix length). Use 'no' if you only want a single IPv6 address for the AP itself without a subnet for routing |
-| ''clientid'' | hexstring | no | //system default// | Override client identifier in DHCP requests |+| ''clientid'' | hexstring | no | //DUID-LL (type 3)// | Override client identifier in DHCP requests (Option 1). The odhcp6c default is ''00030001'' concatenated with the ''device'' MAC address - see [[https://datatracker.ietf.org/doc/html/rfc8415#section-11.4|RFC 8415]] |
 | ''ifaceid'' | ipv6 addr | no | //link-local identifier// | Override the interface identifier for adresses received via RA (Router Advertisement) | | ''ifaceid'' | ipv6 addr | no | //link-local identifier// | Override the interface identifier for adresses received via RA (Router Advertisement) |
 | ''dns'' | list of ip addresses | no | //(none)// | Supplement DHCP-assigned DNS server(s), or use only these if peerdns is 0 | | ''dns'' | list of ip addresses | no | //(none)// | Supplement DHCP-assigned DNS server(s), or use only these if peerdns is 0 |
 | ''peerdns'' | boolean | no | ''1'' | Use DHCP-provided DNS server(s) | | ''peerdns'' | boolean | no | ''1'' | Use DHCP-provided DNS server(s) |
 +| ''keep_ra_dnslifetime'' | boolean | no | ''0'' | Ignore default lifetime for RDNSS records [[https://github.com/openwrt/odhcp6c/commit/d420f49396c627ce1072b83170889baf0720bc8b|More info]] |
 | ''defaultroute'' | boolean | no | ''1'' | Whether to create an IPv6 default route via the received gateway | | ''defaultroute'' | boolean | no | ''1'' | Whether to create an IPv6 default route via the received gateway |
 | ''reqopts'' | list of numbers | no | //(none)// | Specifies a list of additional DHCP options to request | | ''reqopts'' | list of numbers | no | //(none)// | Specifies a list of additional DHCP options to request |
 | ''defaultreqopts'' | boolean | no | ''1'' | If set to ''0'', do not request any options except those specified in ''reqopts'' | | ''defaultreqopts'' | boolean | no | ''1'' | If set to ''0'', do not request any options except those specified in ''reqopts'' |
 +| ''sendopts'' | string | no | //(none)// | Space-separated list of additional DHCP options to send to the server. Syntax: ''option:value'' where ''option'' is either an integer code or a symbolic name such as ''hostname''. |
 | ''noslaaconly'' | boolean | no | ''0'' | Don't allow configuration via SLAAC (RAs) only (implied by reqprefix != no) | | ''noslaaconly'' | boolean | no | ''0'' | Don't allow configuration via SLAAC (RAs) only (implied by reqprefix != no) |
 | ''forceprefix'' | boolean | no | ''0'' | Require presence of IPv6 Prefix in received DHCP message | | ''forceprefix'' | boolean | no | ''0'' | Require presence of IPv6 Prefix in received DHCP message |
 | ''norelease'' | boolean | no | ''0'' | Don't send a RELEASE when the interface is brought down | | ''norelease'' | boolean | no | ''0'' | Don't send a RELEASE when the interface is brought down |
 | ''ip6prefix'' | ipv6 prefix | no | //(none)// | Use an (additional) user-provided IPv6 prefix for distribution to clients | | ''ip6prefix'' | ipv6 prefix | no | //(none)// | Use an (additional) user-provided IPv6 prefix for distribution to clients |
 +| ''extendprefix'' | boolean | no | ''0'' | On a 3GPP Mobile WAN link, accept a /64 prefix via SLAAC and extend it on one downstream interface - see [[https://datatracker.ietf.org/doc/html/rfc7278|RFC 7278]] |
 | ''iface_dslite'' | logical interface | no | //(none)// | Logical interface template for auto-configuration of DS-Lite (0 means disable DS-Lite autoconfiguration; every other value will autoconfigure DS-Lite when the AFTR-Name option is received) | | ''iface_dslite'' | logical interface | no | //(none)// | Logical interface template for auto-configuration of DS-Lite (0 means disable DS-Lite autoconfiguration; every other value will autoconfigure DS-Lite when the AFTR-Name option is received) |
 | ''zone_dslite'' | string | no | //(none)// | Firewall zone of the logical DS-Lite interface | | ''zone_dslite'' | string | no | //(none)// | Firewall zone of the logical DS-Lite interface |
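Review bot: The new keep_ra_dnslifetime row is described as "Ignore default lifetime for RDNSS records", which reads as the opposite of the option name and leaves the actual behaviour to the linked commit; state in the cell which lifetime is kept and which is ignored when the option is 1. The sendopts row should also say how the value part of option:value is encoded, since its type is given only as "string" while reqopts next to it is a "list of numbers". The clientid change is a useful addition: spelling out that the default DUID-LL is 00030001 plus the device MAC makes it visible that a stable hardware identifier goes out in DHCP requests unless the option is overridden.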
Line 103: Line 108:
 | ''zone'' | string | no | //(none)// | Firewall zone to which the interface will be added | | ''zone'' | string | no | //(none)// | Firewall zone to which the interface will be added |
 | ''sourcefilter'' | boolean | no | ''1'' | Whether to enable source based IPv6 routing | | ''sourcefilter'' | boolean | no | ''1'' | Whether to enable source based IPv6 routing |
-| ''vendorclass'' | string | no | //(none)// | Vendor class to be included in the DHCP messages | +| ''vendorclass'' | string | no | //(none)// | Vendor class to be included in the DHCP messages (Option 16)
-| ''userclass'' | string | no | //(none)// | User class to be be included in the DHCP messages |+| ''userclass'' | string | no | //(none)// | User class to be be included in the DHCP messages (Option 15)|
 | ''delegate'' | boolean | no | ''1'' | Whether to enable prefix delegation in case of DS-Lite/map/464xlat | | ''delegate'' | boolean | no | ''1'' | Whether to enable prefix delegation in case of DS-Lite/map/464xlat |
 | ''soltimeout'' | integer | no | ''120'' | The maximum solicit timeout | | ''soltimeout'' | integer | no | ''120'' | The maximum solicit timeout |
 | ''fakeroute'' | boolean | no | ''1'' | Fake default route when no route info via RA is received | | ''fakeroute'' | boolean | no | ''1'' | Fake default route when no route info via RA is received |
 | ''ra_holdoff'' | integer | no | ''3'' | Minimum time in seconds between accepting RA updates | | ''ra_holdoff'' | integer | no | ''3'' | Minimum time in seconds between accepting RA updates |
 +| ''noclientfqdn'' | boolean | no | ''0'' | Don't send Client FQDN option (Option 39). The unset default uses the system hostname e.g. ''OpenWrt''  |
 +| ''noacceptreconfig'' | boolean | no | ''0'' | Don't send Accept Reconfigure option [[https://github.com/openwrt/odhcp6c/commit/dc30922e418be6271ad177f3f9d4ecf0c1eb3f01|More info]]  |
 +| ''noserverunicast'' | boolean | no | ''0'' | Ignore Server Unicast option [[https://github.com/openwrt/odhcp6c/commit/67ae6a71b5762292e114b281d0e329cc24209ae6|More info]] |
 +| ''skpriority'' | integer | no | ''0'' | Set packet kernel priority [[https://github.com/openwrt/odhcp6c/commit/bcd283632ac13391aac3ebdd074d1fd832d76fa3|More info]]  |
 +| ''verbose'' | boolean | no | ''0'' | Increase logging verbosity |
  
 **Note:** To automatically configure ds-lite from dhcpv6, you need to create an interface with ''option auto 0'' and put its name as the 'iface_dslite' parameter. In addition, you also need to add its name to a suitable firewall zone in /etc/config/firewall. **Note:** To automatically configure ds-lite from dhcpv6, you need to create an interface with ''option auto 0'' and put its name as the 'iface_dslite' parameter. In addition, you also need to add its name to a suitable firewall zone in /etc/config/firewall.
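Review bot: The added noacceptreconfig, noserverunicast and skpriority rows only restate the option name and defer to a "More info" commit link, so a reader cannot tell from the table what setting them changes; add one sentence of effect to each cell, and for skpriority the accepted range of the integer. In the userclass row the duplicated "to be be included" is carried over unchanged into the new line and can be fixed in the same edit. The noclientfqdn wording works well because it tells readers that the system hostname is sent by default.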
Line 134: Line 144:
  
 ==== Protocol "static", IPv6 ==== ==== Protocol "static", IPv6 ====
-^ Name ^ Type ^ Required ^ Default ^ Description ^ +^ Name               ^ Type                  ^ Required                      ^ Default     ^ Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 
-| ''ip6addr'' | ipv6 address | yes, if no ''ipaddr'' is set | //(none)// | Assign given IPv6 address to this interface (CIDR notation) | +| ''ip6addr''        | ipv6 address          | yes, if no ''ipaddr'' is set  | //(none)//  | Assign given IPv6 address to this interface (CIDR notation)                                                                                                                                                                                                                                                                                                                                                                                                                                 
-| ''ip6ifaceid'' | ipv6 suffix | no | ::1 | Allowed values: 'eui64', 'random', fixed value like '::1:2'. \\ When IPv6 prefix (like 'a:b:c:d::') is received from a delegating server, use the suffix (like '::1') to form the IPv6 address ('a:b:c:d::1') for this interface. Useful with several routers in LAN. The option was introduced by [[http://git.openwrt.org/?p=project/netifd.git;a=commitdiff;h=0b0e5e2fc5b065092644a5c4717c0a03a9098dcf;hp=e9d2014a478807c7fac0581bb4a145901a3f23b4|this commit]] to netifd in Jan 2015. | +| ''ip6ifaceid''     | ipv6 suffix           | no                            | ::1         | Allowed values: 'eui64', 'random', fixed value like '::1:2'. \\ When IPv6 prefix (like 'a:b:c:d::') is received from a delegating server, use the suffix (like '::1') to form the IPv6 address ('a:b:c:d::1') for this interface. Useful with several routers in LAN. The option was introduced by [[http://git.openwrt.org/?p=project/netifd.git;a=commitdiff;h=0b0e5e2fc5b065092644a5c4717c0a03a9098dcf;hp=e9d2014a478807c7fac0581bb4a145901a3f23b4|this commit]] to netifd in Jan 2015.  
-| ''ip6gw'' | ipv6 address | no | //(none)// | Assign given IPv6 default gateway to this interface | +| ''ip6gw''          | ipv6 address          | no                            | //(none)//  | Assign given IPv6 default gateway to this interface                                                                                                                                                                                                                                                                                                                                                                                                                                         
-| ''ip6assign'' | prefix length | no | //(none)// | Delegate a prefix of given length to this interface (see Downstream configuration below) | +| ''ip6assign''      | prefix length         | no                            | //(none)//  | Delegate a prefix of given length to this interface (see Downstream configuration below)                                                                                                                                                                                                                                                                                                                                                                                                    
-| ''ip6hint'' | prefix hint (hex) | no | //(none)// | Hint the subprefix-ID that should be delegated as hexadecimal number (see Downstream configuration below) |  +| ''ip6hint''        | prefix hint (hex)     | no                            | //(none)//  | Hint the subprefix-ID that should be delegated as hexadecimal number (see Downstream configuration below)                                                                                                                                                                                                                                                                                                                                                                                   
-| ''ip6prefix'' | ipv6 prefix | no | //(none)// | IPv6 prefix routed here for use on other interfaces (Barrier Breaker and later only) | +| ''ip6prefix''      | ipv6 prefix           | no                            | //(none)//  | IPv6 prefix routed here for use on other interfaces (Barrier Breaker and later only)                                                                                                                                                                                                                                                                                                                                                                                                        
-| ''ip6class'' | list of strings | no | //(none)// | Define the IPv6 prefix-classes this interface will accept | +| ''ip6class''       | list of strings       | no                            | //(none)//  | Define the IPv6 prefix-classes this interface will accept                                                                                                                                                                                                                                                                                                                                                                                                                                   | 
-| ''dns'' | list of ip addresses | no | //(none)// | DNS server(s) | +| ''ip6deprecated''  | boolean               | no                            | ''0''       | Set preferred lifetime of IPv6 addresses to zero                                                                                                                                                                                                                                                                                                                                                                                                                                            
-| ''dns_metric'' | integer | no | ''0'' | [[commit>?p=project/netifd.git;a=commitdiff;h=7f6be657e2dabc185417520de4d0d0de2580c27d|DNS metric]] | +| ''dns''            | list of ip addresses  | no                            | //(none)//  | DNS server(s)                                                                                                                                                                                                                                                                                                                                                                                                                                                                               
-| ''dns_search'' | list of domain names | no | //(none)// | Search list for host-name lookup | +| ''dns_metric''     | integer               | no                            | ''0''       | [[commit>?p=project/netifd.git;a=commitdiff;h=7f6be657e2dabc185417520de4d0d0de2580c27d|DNS metric]]                                                                                                                                                                                                                                                                                                                                                                                         
-| ''metric'' | integer | no | ''0'' | Specifies the default route metric to use |+| ''dns_search''     | list of domain names  | no                            | //(none)//  | Search list for host-name lookup, relevant only for the router                                                                                                                                                                                                                                                                                                                                                                                                                              
 +| ''metric''         | integer               | no                            | ''0''       | Specifies the default route metric to use                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
  
 ===== Downstream configuration for LAN interfaces ===== ===== Downstream configuration for LAN interfaces =====
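Review bot: The ip6deprecated row added here says only "Set preferred lifetime of IPv6 addresses to zero"; say which addresses on the interface are meant and when someone would set it, as the other rows do for their options. Separately, realigning every row in the same revision buries this addition and the dns_search rewording ("relevant only for the router") among whitespace-only changes, so a whitespace-only revision followed by the content change would be easier to audit. Since the ip6ifaceid row is rewritten anyway, its commit link could move from http:// to https:// like the other links on the page.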
Line 154: Line 165:
   * Support for RA & DHCPv6-relaying and NDP-proxying to e.g. support uplinks without prefix delegation   * Support for RA & DHCPv6-relaying and NDP-proxying to e.g. support uplinks without prefix delegation
  
-OpenWrt provides a flexible local prefix delegation mechanism.\\+OpenWrt provides a flexible local prefix delegation mechanism. 
 It can be tuned for each downstream-interface individually with 3 parameters which are all optional: It can be tuned for each downstream-interface individually with 3 parameters which are all optional:
   * ''ip6assign'': Prefix size used for assigned prefix to the interface (e.g. 64 will assign /64-prefixes)   * ''ip6assign'': Prefix size used for assigned prefix to the interface (e.g. 64 will assign /64-prefixes)
   * ''ip6hint'': Subprefix ID to be used if available (e.g. 1234 with an ip6assign of 64 will assign prefixes of the form ...:1234::/64 or given LAN ports, LAN & LAN2, and a prefix delegation of /56, use ip6hint of 00 and 80 which would give prefixes of LAN ...:xx00::/64 and LAN2 ...:xx80::/64)   * ''ip6hint'': Subprefix ID to be used if available (e.g. 1234 with an ip6assign of 64 will assign prefixes of the form ...:1234::/64 or given LAN ports, LAN & LAN2, and a prefix delegation of /56, use ip6hint of 00 and 80 which would give prefixes of LAN ...:xx00::/64 and LAN2 ...:xx80::/64)
-  * ''ip6class'': Filter for prefix classes to accept on this interface (e.g. wan6 will only assign prefixes with class "wan6" but not e.g. "local") +  * ''ip6class'': Filter for prefix classes to accept on this interface (e.g. ''wan6''only assign prefix from the respective interface, ''local'' only assign the ULA-prefix)
- +
-ip6assign and / or ip6hint-settings might be ignored if the desired subprefix cannot be assigned. In this case, the system will first try to assign a prefix with the same length but different subprefix-ID. +
-If this fails as well, the prefix length is reduced until the assignment can be satisfied. If ip6hint is not set, an arbitrary ID will be chosen. Setting the ip6assign-parameter to a value < 64 will allow the DHCPv6-server to hand out all but the first /64 via DHCPv6-Prefix Delegation to downstream routers on the interface. If the ip6hint is not suitable for the given ip6assign, it will be rounded down to the nearest possible value.+
  
-If ip6class is not set, then all prefix classes are accepted on this interfaceThe default class for a prefix is the interface-name (e.g. "wan6") or "local" for the ULA-prefix. +''ip6assign'' and / or ''ip6hint'' settings might be ignored if the desired subprefix cannot be assigned. 
-This can be used to select upstream interfaces from which subprefixes are assignedFor prefixes received from dynamic-configuration methods like DHCPv6, it is possible that the prefix-class +In this case, the system will first try to assign a prefix with the same length but different subprefix-ID. 
-is not equal to the source-interface but e.g. augmented with an ISP-provided numeric prefix class-value.+If this fails as well, the prefix length is reduced until the assignment can be satisfied
 +If ''ip6hint'' is not set, an arbitrary ID will be chosen. 
 +Setting the ''ip6assign'' parameter to a value < 64 will allow the DHCPv6-server to hand out all but the first /64 via DHCPv6-Prefix Delegation to downstream routers on the interface. 
 +If ''ip6hint'' is not suitable for the given ''ip6assign'', it will be rounded down to the nearest possible value.
  
-If [[docs:guide-user:network:ipv6:ipv6.nat6|NAT66]] is in use, you can set ip6class to ''local'' to disable leasing GUA addresses and only lease ULA.+If ''ip6class'' is not set, then all prefix classes are accepted on this interface. 
 +Specify one or multiple interface names such as ''wan6'' to accept only prefix from the respective interface, or specify ''local'' accept only the ULA-prefix when using IPv6 NAT or NPT. 
 +This can be used to select upstream interfaces from which subprefixes are assigned. 
 +For prefixes received from dynamic-configuration methods like DHCPv6, it is possible that the prefix-class is not equal to the source-interface but e.g. augmented with an ISP-provided numeric prefix class-value.
  
 <code bash> <code bash>
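Review bot: The rewritten ip6class paragraph drops the old sentence "The default class for a prefix is the interface-name (e.g. "wan6") or "local" for the ULA-prefix", yet the retained last sentence still speaks of the prefix-class being "not equal to the source-interface"; keep a statement of the default class so that sentence has something to refer to. In the new text, "specify local accept only the ULA-prefix" is missing "to", and "accept only prefix from the respective interface" reads better as "accept only prefixes from that interface". NPT is introduced here without a link or expansion, unlike NAT66 in the removed line.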
Line 200: Line 215:
  
 For multiple interfaces, the prefixes are assigned based on firstly the assignment length (smallest first) then on weight and finally alphabetical order of interface names. For multiple interfaces, the prefixes are assigned based on firstly the assignment length (smallest first) then on weight and finally alphabetical order of interface names.
-e.g. if wlan0 and eth1 have ip6assign 61 and eth2 has ip6assign 62, the prefixes are assigned to eth1 then wlan0 (alphabetic) and then eth2 (longest prefix). Note that if there are not enough +e.g. if wlan0 and eth1 have ip6assign 61 and eth2 has ip6assign 62, the prefixes are assigned to eth1 then wlan0 (alphabetic) and then eth2 (longest prefix). 
-prefixes, the last interfaces get no prefix - which would happen to eth2 if the overall prefix length was 60 in this example.+Note that if there are not enough prefixes, the last interfaces get no prefix - which would happen to eth2 if the overall prefix length was 60 in this example.
  
 :!: If the router can ''ping6'' the internet, but lan machines get "Destination unreachable: Unknown code 5" or "Source address failed ingress/egress policy" then the **ip6assign** option is missing on your lan interface. :!: If the router can ''ping6'' the internet, but lan machines get "Destination unreachable: Unknown code 5" or "Source address failed ingress/egress policy" then the **ip6assign** option is missing on your lan interface.
Line 314: Line 329:
  
 ===== ULA prefix ===== ===== ULA prefix =====
-Typically relevant when you do not have a real global prefix assigned by your ISP (in which case your ULA should be a real ULA), AND you want to run local IPv6 (e.g. for NAT66), AND you have applications that preference IPv4 over IPv6 ULA addresses. +IPv6 [[docs:guide-user:network:network_configuration?s=ula_prefix#section_globals|ULA prefix]] can serve the following purposes: 
- +  * Predictable [[docs:guide-user:base-system:dhcp_configuration#static_leases|static IPv6]] suffix allocation with DHCPv6
-A trick to get around this is set your [[wp>Unique_local_address|ULA]] prefix to a non-ULA value. +  * Predictable site-to-site connectivity with dynamic or missing GUA prefix. 
- +  * IPv6 routing for LAN clients behind [[docs:guide-user:network:ipv6:ipv6.nat6|NAT66]] with missing GUA prefix.
-The default ULA prefix represents an address that is not globally routed on the internet by design (only between provider networks). +
- +
-A lot of clients will prefer IPv4 over a ULA IPv6 address if there is no global IPv6 address assigned, so you may need to change your existing ULA prefix to indicate a global address (i.e. trick it with a non-ULA prefix) to ensure traffic goes over IPv6 by default when possible+
- +
-When changing the ULA prefix, it doesn't necessarily have to start with ''d'', but to avoid conflicts, you should use a prefix that is not being used yet+
-The prefix ''fd'' is generally an actual ULA, other ''f'' address have specific meanings, and existing allocated public addresses start with ''2''+
-The letters ''a'' through ''e'' are [[https://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xhtml|unassigned for the time being]] and therefore safe choices. +
- +
-Setting ''ula_prefix'' to ''auto'' will auto-generate a new valid ULA prefix. +
- +
-Using your ISP assigned prefix as ULA should also work. +
- +
-However, unless you have a static IPv6 prefix assigned by your ISP, this is not recommended, since it can cause address conflicts once the prefix changes.+
  
-But normally if you have a static prefix that you can delegate across your LAN (i.e. real global addresses)then you won't need to change your ULA prefix.+If IPv6 GUA is not availablea [[docs:guide-user:network:ipv6:ipv6_extras#using_ipv6_by_default|workaround]] is generally required to make applications prefer IPv6 over IPv4.
  
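Review bot: The new ULA section removes "Setting ula_prefix to auto will auto-generate a new valid ULA prefix" without restating it anywhere in the hunk, so the section no longer tells readers how to obtain a valid prefix; keep that sentence below the bullet list. Moving the non-ULA prefix workaround behind the ipv6_extras link is reasonable, given that the removed text relied on ranges it described as "unassigned for the time being" and itself warned that reusing an ISP prefix "can cause address conflicts once the prefix changes". The phrase "missing GUA prefix" appears in two bullets and would be clearer as "no GUA prefix".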
  • Last modified: 2024/11/19 09:11
  • by ynezz