OpenWRT routers: Difference between revisions
(The problems with 'option ipv6 auto') |
(What 'option ipv6 auto' actually means) |
||
Line 13: | Line 13: | ||
= Configuring the WAN interface to access AAISP = |
= Configuring the WAN interface to access AAISP = |
||
In order to access AAISP, the router needs to talk PPPoE over the WAN interface. IPCP will configure IPv4, and then IP6CP will start to configure IPv6. The heavy lifting of IPv6 configuration will be done by DHCPv6. |
In order to access AAISP, the router needs to talk PPPoE over the WAN interface. IPCP will configure IPv4, and then IP6CP will start to configure IPv6. The heavy lifting of IPv6 configuration will be normally be done by DHCPv6. |
||
In the vlan configuration the value of '''vid''' will depend on your connection method. Use '''911''' if you are connected using City Fiber, '''101''' for VDSL connections. For Openreach FTTP the vlan is not needed. If you are on the ADSL then and ADSL modem is required and this is usually not supported on OpenWRT devices. See the [[General_Router_Settings|General Router Settings]] page for details. |
In the vlan configuration the value of '''vid''' will depend on your connection method. Use '''911''' if you are connected using City Fiber, '''101''' for VDSL connections. For Openreach FTTP the vlan is not needed. If you are on the ADSL then and ADSL modem is required and this is usually not supported on OpenWRT devices. See the [[General_Router_Settings|General Router Settings]] page for details. |
||
Line 31: | Line 31: | ||
option password 'ItIsASecret' |
option password 'ItIsASecret' |
||
option ipv6 'auto' |
option ipv6 'auto' |
||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
The ''option ipv6 auto'' line will cause a virtual interface named ''wan_6'' to be created, and an instance of the DHCPv6 client to be run on it. This will request an IPv6 Internet address, and a single Prefix to be Delegated. You can't get the DHCPv6 client started this way to accept more options. In order to use the delegated prefix, the LAN should be configured to expect it, e.g.: |
|||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
list ipaddr '81.187.xx.yy/29' |
|||
⚫ | |||
⚫ | |||
⚫ | |||
== Multiple routed IPv6 /64 blocks == |
== Multiple routed IPv6 /64 blocks == |
Revision as of 16:22, 18 February 2024
Overview
OpenWrt is an open source operating system specifically designed for Routers. It was originally released by Linksys as the firmware for the WRT54G series of routers that use software licenced under the GPL. The software has been modified from this point and is available for many brands of router, and is supplied as the firmware on others.
The current range of Technicolor routers (e.g. DGA0122) use a customised version of OpenWrt.
OpenWrt can be configured using the shell commands when accessing the router with ssh or a serial console. This uses the Unified Configuration Interface (UCI) commands. You can also edit the configuration files directly, though there is no verification of settings made via this route, use with caution. There is also a web based configuration management system that can be run if you have sufficient memory and resources. The LuCI web configuration system may need to be installed onto the base system.
Securing the Router
OpenWrt is a very secure operating system. This is the result of the open nature of the development process. Many eyes mean that all bugs are shallow, and and problems that are found are fixed quickly as there is no opaque company that has to do the development. But you should do the basic steps to your new installation of changing the base password to a long complex one ideally one generated by your password manager.
Configuring the WAN interface to access AAISP
In order to access AAISP, the router needs to talk PPPoE over the WAN interface. IPCP will configure IPv4, and then IP6CP will start to configure IPv6. The heavy lifting of IPv6 configuration will be normally be done by DHCPv6.
In the vlan configuration the value of vid will depend on your connection method. Use 911 if you are connected using City Fiber, 101 for VDSL connections. For Openreach FTTP the vlan is not needed. If you are on the ADSL then and ADSL modem is required and this is usually not supported on OpenWRT devices. See the General Router Settings page for details.
The appropriate entries in /etc/config/network will look like:
config device option type '8021q' option ifname 'wan' option vid '911' option name 'vlan0' config interface 'wan' option device 'vlan0' option proto 'pppoe' option username 'XXXX@a.1' option password 'ItIsASecret' option ipv6 'auto'
The option ipv6 auto line will cause a virtual interface named wan_6 to be created, and an instance of the DHCPv6 client to be run on it. This will request an IPv6 Internet address, and a single Prefix to be Delegated. You can't get the DHCPv6 client started this way to accept more options. In order to use the delegated prefix, the LAN should be configured to expect it, e.g.:
config interface 'lan' option device 'br-lan' option proto 'static' option defaultroute '1' list ipaddr '81.187.xx.yy/29' list ip6class 'wan_6' option ip6ifaceid 'eui64' option ip6assign '64'
Multiple routed IPv6 /64 blocks
There's a gotcha for users who have multiple /64 blocks routed to them by AAISP. OpenWrt uses Policy-Based Routing (PBR) which allows routing to be configured according to multiple rules, not just be destination address.
If DHCPv6 is used to request Prefix Delegation (PD), AAISP reply with one /64 block. OpenWrt uses this to set the LAN address and netmask, and then enables routing from just this block from LAN to WAN. Any other /64 blocks routed to you won't be able to send packets to the Internet.
To quote from OpenWrt Wiki - Routing basics Note that by default OpenWrt announces IPv6 default route only for GUA and applies source filter for IPv6 that allows routing only for prefixes delegated from the upstream router.
In my case, I have 2001:8b0:xxxx:4534::/64, ...:4535/64, ...:4536::/64 and ...:4537::/64 routed to me, but only 4534:: is routed back.
# ip -f inet6 route ... default from 2001:8b0:xxxx:4534::/64 via fe80::203:97ff:feba:900 dev pppoe-wan metric 512 ...
odhcp6c
Key to understanding the delegation of /64 blocks is the DHCPv6 client, which is odhcp6c on OpenWrt.
Looking back at the wan interface config there is an option ipv6 line. The default value is auto, which has the effect of automatically creating a virtual interface named wan_6 and running odhcp6c on it BUT ignoring any config you may wish to supply. A better value if multiple /64 blocks are to be used is 1 which allows you to configure ipv6 the way you want (static, dhcpv6, ...)
Solutions
We need a way for the WAN to tell the LAN about the wider routing block, whilst letting the LAN only use for itself the first /64 block.
I'm investigating the options:
- Configure IPv6 on the WAN manually, not using DHCPv6
- Configure automatically with DHCPv6, and then add the missing route(s)
# ip -f inet6 route add default via fe80::203:97ff:feba:900 dev pppoe-wan
- See whether delegating a /60 is any better - does DHCPv6 PD reply with the /60 or just one /64 ?
Enabling IPv6 in the local network
OpenWrt fully supports IPv6, as well as IPv4 and dual stacks to enable the mix of both protocols.