Help with Controlling IPv6 Addressing and subnetting WAN IP

suli
DD-WRT Novice


Joined: 02 May 2014
Posts: 24

Posted: Sun Jan 15, 2017 22:47    Post subject: Help with Controlling IPv6 Addressing and subnetting WAN IP
Preface: I'm currently using a November k3 build (DD-WRT v3.0-r30880 mega). I use DNSMASQ currently for DNS/DHCP assignments on a few vlans.

My current setup is similar to:

Networking
WAN Port Assignment: vlan15
Network Config vlan1: unbridged, MTU 1491
192.168.A.254/ 255.255.255.0
Network Config vlan11: unbridged, MTU 1491
192.168.B.254/ 255.255.255.0

Multiple DHCPD Server
vlan11, start: .20, max: 20, lease time: 360 (DHCP 0, 6hr)

Services
-DNSMasq Options (to enable DHCP to function for vlans)
*NOTE: option 3 is gateway
option 6 are dns servers

Code:
# Enable DHCP on VLAN11
interface=vlan11
dhcp-option=vlan11,3,192.168.B.254
dhcp-option=vlan11,6,192.168.A.2
dhcp-range=vlan11,192.168.B.20,192.168.B.40,255.255.255.0,6h


This works, honestly, FANTASTIC for IPv4. I have an internal DNS server for internal items with recursion out to my provider DNS, so I am my own DNS (192.168.A.2), soon to have an additional IPv6 address as well. Also using iptables to control traffic flow, so I'll do the same with IPv6.


Now, fun with IPv6....

I'd like to add an additional IPv6 address to each vlan scope so I can dual-home my devices for 4 and 6, but using a subnetted version of the WAN IP I get from my ISP so I can use global IPs. I got lost in the documentation so I'm looking for some assistance. Can I ONLY do this with DNSMASQ or do I need something else? I'm looking to use a /120 for the internal subnets.

For example, the "interface=vlan11" section, I THINK I would need the following added:
Code:
dhcp-option=option6:dns-server,[ip6 of my internal dns server]
dhcp-range=::20,::40,constructor:vlan15,6h
enable-ra


But I would like to subnet the network ID from br0 interface I get from the /64 from my ISP to a /120 per network. I also need to figure out how to assign that network ID/host ID to the router's VLAN interface (like how I have that set as .254 above for each vlan)

Welcome any assistance!
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Mon Jan 16, 2017 12:27
how are you getting your ipv6? dhcpv6-pd? What size prefix?

fyi a /120 is not the way to go, normally you would assign a /64 to each interface.
suli
DD-WRT Novice


Joined: 02 May 2014
Posts: 24

Posted: Mon Jan 16, 2017 16:07
I'm getting my IPv6 via DHCPv6-PD.

They're providing a /64
nnnn:nnnn:nnnn:nnnn:hhhh:hhhh:hhhh:hhhh
I checked the nvram show | grep ipv6 and the "ipv6_prefix" value validates it's a /64

I wanted to assign each subnet as a range from the provided /64 I get from the ISP so I can assign global addresses (and control it) (aka, each vlan). This way I can get granular control over the routing and allowables through ip6tables just like I do with iptables for v4.

I picked a /120, since I only need 15-20 ip's, and the /120 gives me 254 usable IP addresses.
nnnn:nnnn:nnnn:nnnn:ssss:ssss:ssss:sshh

If I grow these out later, I can easily redo the mask to less than a 120, like a 112.


Two side notes:

-Since I set the vlan15 interface as the WAN, that is what ddwrt assigns my IPv4 address to, but... with IPv6, it assigns it to br0. Not sure how to get that IPv6 address assigned to vlan15.

-I tried a simple ping6 to google and it doesn't work. I left the default ip6tables rules, so everything outbound is allowed, and inbound is related/established and also icmpv6 are all allowed. It's pretty open. My ip -6 route info has:
[ipv6 prefix from ISP]/64 dev br0 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev vlan3 proto kernel metric 256
fe80::/64 dev vlan4 proto kernel metric 256
fe80::/64 dev vlan11 proto kernel metric 256
fe80::/64 dev vlan1 proto kernel metric 256
fe80::/64 dev eth1 proto kernel metric 256
fe80::/64 dev eth2 proto kernel metric 256
fe80::/64 dev vlan2 proto kernel metric 256
fe80::/64 dev vlan15 proto kernel metric 256
default via fe80::201:5cff:fe7a:c46 dev vlan15 proto ra metric 1024 expires 1799sec
unreachable default dev lo proto kernel metric -1 error -128
SmallvilleLA
DD-WRT Novice


Joined: 03 Jun 2016
Posts: 20

Posted: Thu Jan 19, 2017 12:21    Post subject: These settings are working great for me
I have an R7000

Here's my DNSMasq additional:

dhcp-range=::1,::400,constructor:br0, ra-stateless, ra-names, 4h
dhcp-option=option6:dns-server,[::]
enable-ra

DHCP Server - enable
DNSMasq for DHCP - enable
DNSMasq for DNS - enable
DHCP-Authoritative - enable
Recursive DNS Resolving - disabled
Forced DNS Redirection - enable

IPv6 enabled with DHCPv6 delegation and DNS.watch IPv6 addresses /64

Using DNS.Watch for forwarding DNS

Static DNS 1 - my router IP
Static DNS 2 - DNS.Watch1
Static DNS 4 - DNS Watch2

DNSMasq - Enable
Encrypt DNS - Disable
Local DNS - Enable
No DNS Rebind - Enable
Query DNS in Strict Order - Enable
Add Requestor MAC to DNS Query - Disable

My set up is Gateway

Your ISP needs to support IPv6 and the modem/router they supply also needs to support it.

These settings pass IPv6 tests and show my internal DNS to be my router IPv4 and IPv6 addresses (ipconfig /all)

No IPLeaks after adding a couple browser extensions

VPN options are next up for me. I had conflicting info about my ISP and their equipment to contend with. After swapping the modem and getting the static DNS order right, it's doing what it's supposed to.

Hope this helps
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6868
Location: Romerike, Norway

Posted: Thu Jan 19, 2017 22:04
@suli

You should get a 48-60 prefix from your isp and break it up in /64 for each interface.
suli
DD-WRT Novice


Joined: 02 May 2014
Posts: 24

Posted: Fri Feb 03, 2017 20:28
I had other projects, so forgot about this one.

My ISP is only providing a /64, nothing larger.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6868
Location: Romerike, Norway

Posted: Sat Feb 04, 2017 10:13
This is what I use for DHCP6C Custom for 3 sub-nets:

Code:
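# WAN interface: request a delegated prefix (IA_PD 1) and DNS settings
interface vlan2 {
     send rapid-commit;
     send ia-pd 1;
     request domain-name-servers, domain-name;
};

# Each prefix-interface gets delegated prefix + sla-id (sla-len bits wide)
id-assoc pd 1 {
     prefix ::/48 infinity;
     prefix-interface br0 {
          sla-id 0;
          sla-len 16;
     };
     prefix-interface br1 {
          sla-id 1;
          sla-len 16;
     };
     prefix-interface vlan3 {
          sla-id 2;
          sla-len 16;
     };
};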


Prefix + sla-len=64

Connecting devices like printers and Android phones that use SLAAC and do not support DHCP6 will not work when splitting up a 64 prefix.
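
Added example, not written by any poster in this thread: the sla-id / sla-len arithmetic from the dhcp6c config above, worked through for a /48 delegation, for the single /64 suli's ISP hands out, and for the /120 split discussed earlier. The prefixes are constructed documentation-range values and the function names are hypothetical.

```python
import ipaddress
from itertools import islice

# Constructed sample prefixes (RFC 3849 documentation space), not from the thread.
PD_48 = "2001:db8:abcd::/48"      # delegation large enough to subnet
PD_64 = "2001:db8:abcd:12::/64"   # a single /64, the size suli's ISP delegates
IFACES = {"br0": 0, "br1": 1, "vlan3": 2}   # interface -> sla-id, as in the config

def sla_subnets(delegated, sla_len, sla_ids):
    """Per-interface prefix: delegated prefix with sla-id in the next sla_len bits."""
    pd = ipaddress.IPv6Network(delegated)
    new_len = pd.prefixlen + sla_len
    out = {}
    for ifname, sla_id in sla_ids.items():
        if not 0 <= sla_id < 2 ** sla_len:
            raise ValueError(f"{ifname}: sla-id {sla_id} needs more than {sla_len} bits")
        base = int(pd.network_address) | (sla_id << (128 - new_len))
        out[ifname] = ipaddress.IPv6Network((base, new_len))
    return out

def slaac_capable(net):
    """SLAAC builds addresses from a 64-bit interface ID, so it needs a /64."""
    return net.prefixlen == 64

def split_120(delegated, count):
    """First `count` /120 slices of a prefix (DHCPv6-only, 256 addresses each)."""
    return list(islice(ipaddress.IPv6Network(delegated).subnets(new_prefix=120), count))

if __name__ == "__main__":
    for ifname, net in sla_subnets(PD_48, 16, IFACES).items():
        print(f"/48 + sla-len 16: {ifname:6} {net}  SLAAC={slaac_capable(net)}")
    try:
        # A /64 leaves zero subnet bits, so a second interface cannot get a /64.
        sla_subnets(PD_64, 0, {"br0": 0, "vlan11": 1})
    except ValueError as exc:
        print("/64 + sla-len 0 :", exc)
    for net in split_120(PD_64, 2):
        print(f"/64 cut to /120 : {net}  SLAAC={slaac_capable(net)}")
```

The per-interface prefixes it prints are the values to match on as source networks when writing per-VLAN ip6tables rules.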