Starlink just added full IPv6 recently. I'm using openwrt on my wifi router hooked to it. I was very happy to find out they are doing prefix delegation.
Thank you very much for this tutorial. Helped me a lot !!!! I have an OpenWRT behind a fritzbox. Had to enable "Assign DNS server, prefix (IA_PD) and IPv6 address (IA_NA)" on the fritzbox under > "Home Network" > "Network" > "IPv6 Addresses"
This is the best Ipv6 tutorial till date (at least for me). Never got it to work (unable to get a valid ipv6 address and failed the test ipv6 test site) a year ago and gave up. You have shown and explained the settings for Lan, Wan6 (recreated if deleted) and why certain check boxes must be unchecked. Follow your guide, it is a break through for me, got valid ipv6 addresses for all devices especially android phones. Currently, Openwrt 21.02.6, WAN side is using PPPOE, WAN6 recreated solution as per your guide. Lan & WAN6 follow your settings. For the WAN side Advanced Settings, I chose "Disabled" for "Obtain IPv6 address" and "UNcheck" "Delegate IPv6 prefixes". Actually I have tried Checked and UnChecked "Delegate IPv6 prefixes", but both options still intermittently failed the test ipv6 site for android phones and Windows 10 PC. My understanding is to unchecked "Delegate IPv6 prefixes" for WAN because WAN6 (recreated) already checked this option . Am I right ? Just want to know the correct settings. Thanks !
I had a fully working IPv6 setup but I could tweak it and simplify and relax it while also improving it thanks to some of the examples and explanations you gave. Like matching v4 and v6 address end for some particular devices and turning off NDP-Proxy (in my case).
Hi, many thanks for the feedback. Yes, I was exactly in your situation. Once I had it working, I was reluctant to do changes because I was actually afraid of breaking things. The key to me was to create a test lab where I could play around without being afraid of creating any impact to the users ;-)
I did most of the changes that youve suggested in this tutorial and my gaming quality took a bad hit, then i suspected like before that IPV6 was the culprit, i stopped the service and tested the gaming quality...it was pretty amazing! No more desync "shoot first and die first" gaming quality, i only had problems against cheaters with 3rd party device's or cheaters using network manipulation like such programs UDP unicorn and other methods of creating a desync in their favor thus causing the shoot first die first for the poor bastards against them lol, thank you very much! ✌👍😃
Hi, many thanks for the feedback and sharing - much appreciated. I was not aware that IPv6 could have a negative impact on gaming. Anyhow, glad it helped ;-)
I'm lucky enough to have full IPv6 from my ISP, Cox in SoCal. I walked through my main router's config as you presented options, and we're pretty much identical, except that I've got SLAAC and ULA turned on. I've been using DHCPv6 with ULA for all my routers, switches, servers and such, as I find it easier to make up memorable prefixes, like fd0a:bad:dad:: and fd00:ca11:911:: . 😁
Thanks so much for this. It helped me understand and work through my Starlink setup. I wanted a my HomeAssistant, behind my router to have a routable address and ipv6 is my only choice since Starlink only gives a CGNAT IP address. I still have an issue where the Starlink PD disappears after 20 minutes or so. If I reboot the router I get the PD back, but I haven't found any other way. For now I just turn on DHCP, get the ipv6 IP, PD etc then set that as static. I'm hoping the PD disappearing is a temporary Starlink issue. Anyway....Thank you, thank you, thank you. I'm going now to add you to my Patreon support.
Hi! Great thanks for your videos from Hungary! I can't wait for your Ipv6 nat via OpenWrt video.:) I was succeed with Mikrotik Router OS earlier in Ipv6 natting but not with OpenWrt.
For anyone else using Starlink, when they send back the DHCPv6 replies, the source is a global IP (2605:....). The firewall default 'Allow-DHCPv6' rule has 'Source address' set to fc00::.6. This blocks the Starlink DHCPv6 replies. When the router first comes up, these replies must be getting through because at first it gets a good IP address and Prefix Delegation. Presumably the firewall doesn't block the replies until it's fully up and running. After some period of time (5 to 20 minutes or so) the router would try to renew. This would fail, but it would keep it's IP address, but the Prefix Delegation would disappear. Frustrating. I just deleted the Source Address in the filter, so DHCPv6 replies can come from any source. It took port mirroring and Wireshark to figure it out, but it's working great now. Thanks again OneMarcFifty for all your great information. I hope this helps other Starlink/OpenWrt users.
Thanks a lot for your videos about ipv6! Now the only thing left to figure out is how to properly set up dynamic dns on openwrt for a node on the LAN 🤔
@@OneMarcFifty Hi OneMarc, so I see the performance boost in your case. After watching this video and the other ipv6 video several times, I began to understand some of he concepts. Thank you. Now, must I use open wrt on my asus router to disable Nat once I have turned on ipv6? Or can I just go to the asus gui then Wan, under basic config, hit the No radio button for “Enable Nat”? I have Upnp disabled but I am using want aggregation . Thanks in advance
It would be great an explanation with subnetting (delegate IPv6 prefixes option enabled). It is simple when you just pick a /64 and set your hint but when downstream routers comes to play I find really confusing the scenario and the lack of information in OpenWRT sources makes it harder that it should be.
Thanks for the advices. I could configure NDP on my WAN6, then simply on the LAN firewall zone activate IPV6 masquerading masq6=1 ... it works well. I have no prefix delegation, nor box DHCPV6 (freebox, DHCPv6 is not advised as some androit clienst may dydfunction)...
As a Chinese user, I primarily use Openwrt to set up a transparent proxy, allowing devices in my home to bypass the Chinese government's Great Firewall (GFW). However, when using the Openclash, a client for Clash on Openwrt, I consistently encounter issues with incompatibility with IPv6. In some proxy modes, my x86 Openwrt software router has a WAN IPv6 address, and devices connected to the router are also correctly assigned LAN IPv6 addresses. But IPv6 tests cannot pass normally. It works fine when not using Openclash. I am currently researching and learning the basic principles of the Clash kernel to understand what conflicts are happening.
I'm tuning up my openWRT with IPv6, thanks to this video. I don't have a fixed IPv6 prefix, I rather get a new one from the ISP every 24 hours or something. As explained in minute (15:40) I did get to assign a static node address to a server inside my LAN (this will be a second DNS server and other services). What I'd like to know is how to announce this server as a second DNS server, (as in the IPv6 Settings minute 11:57). I have checked "Local IPv6 DNS server" to announce the router as primary IPv6 DNS server, then I don't know input the secondary DNS server because I won't know exactly what IPv6 it will have. Is there a trick how to do it? Maybe something like minute 19:22? Thanks in advance.
again great work! i think that i will work with ULAs in a small company, because i dont like the idea of changing server ips when the isp changes ips. also i have more internet uplinks, so i dont know, which provider the clients would choose. this is what keeps me not using ipv6 till now.
Many thanks for your feedback. I think it's absolutely OK to have servers have a (static / fix) ULA address - this way you can reach them even if your ISP's IPv6 is down. I am just removing this from the router so that the ULA addresses do not get assigned everywhere.
Lovely stuff there Marc. Just one small problem which you carefully danced around, same as everybody else that talks about ipv6. HOW do you make firewall rules to allow incoming traffic for SLAAC hosts that refuse to register on your dhcp6. Which btw happens to be every phone out there. And it's not only google that's making a mess of things. God damn FreeBSD itself doesn't have a dhcp6 client for jails. And don't get me started on docker. So yeah, suggestion for next video: firewall rules for SLAAC. Pretty sure the C stands for Cancer.
I mean is there NO POSSIBLE way to have two (or more) different "lan" subnets when your ISP only gives you a /64 prefix? For example, could I do the whole relay thing for my lan interface/subnet and then for a guest interface us the ULA addresses with a NAT rule to then MASQUERADE all the guest ULA addresses to the wan ipv6? I am using AT&T Switched Ethernet Service and they gave me a static ipv4 as well as a ipv6 address along with a gateway for each and a /64 prefix. Its wild that a business focused ISP service that cost at a bare minimum $600/mo can't manage to give out anything more than a /64
Every time I think about how convoluted IPv4 has become I just don't understand why we didn't go with IPv6 right at the start. It was available. I guess it comes down to not want to redo all of the data centers and offices.
@@OneMarcFiftyyou are more capable then what I'm, but if you need several examples for mwan3 it's just tell me and I could provide screen dumps or recordings of my setup :D
In my case with Verizon FiOS in NYC, I get a /56 delegation which then I slice off 256 bits for each internal LAN segment to isolate traffic BUT the ISP does not issue a global IPv6 address to the WAN. there is no WAN address hop only the link local between the internal client and the ISP side of the WAN link.
@@OneMarcFifty just the WAN I/f. This has to do with how Verizons CO routers are configured. They issue a single IPv4 public address and a delegated IPv6 prefix if requested. Some customers have been lucky to escalate to NetOps and ask for a global IPv6 address for the external interface, but I have not been so lucky. It's really a headache to contact support and get the escalation done properly... I gave up.
Hi, there should be a miredo package for OpenWrt. But as far as I know, Teredo does not provide you with a prefix, only an IPv6 address for your router.
Interfaces>>Lan>>IPv6 Settings : Announced IPv6 DNS servers (1) and Announced DNS domains (2), may I know what is the difference between (1) and (2) ? I added the service provider DNS to (1), performance speeds up. (if not, there is a lag in performance). What should I fill in (2) if needed ? Please advise. Thanks !
The first setting tells the client which DNS server to contact in order to do look ups, e.g. your local router or 8.8.8.8 or the like. The second setting tells the client which DNS domain it is in. When you do a lookup for a short name, e.g. myserver and your DNS domain is mydomain.com, then the OS might do a lookup for myerver.mydomain.com. If you don't add in anything, then the router announces itself as the DNS server. Hence your DNs queries go to your local router and from there to your ISP, which is one hop more and also uses CPU on the router. How big was that performance hit ?
@@OneMarcFifty Thanks for your explanation. Currently, IPv6 very unstable, although I am able to sftp back to my home harddisk attached to the Openwrt Router, but overall performance is bad. Few days ago, it take a few secs just to open a new browser tab on window pc. It seems to hang, wait for a few secs, then can continue to other website. So, just use ipv4 now. I am just a beginner user of Openwrt, just view, understand (hope so) and follow the settings from youtube tutorials. Actually, didn't find a good tutorial for basic home setup (modem->openwrt router->(PC,android phones,etcs) , didn't show the full settings for wan(PPPOE), lan, wan6. another setting "enable default gateway", wan, wan6, lan interfaces, what is the right settings for them ? if you can elaborate on it, will be helpful to understand them. Thanks again.
Hi Marc, tks for sharing. From ISP I have an ipv6-pd /64 on main router, if i use relay mode on second router clients can use ipv6 but lose after few minutes.
Hi Marc, thanks for putting this one up, it is really thorough and helpful. I can now have some idea of what I am doing and why. :-) I have been using OpenWRT for a couple of years now, deploying configuration with Ansible (not a very sophisticated setup). Recently I moved to a different ISP (down here in New Zealand), and contrary to the previous one, the new one does provide IPv6-PD. Unfortunately, I am struggling to get the IPv6 allocation to happen in the clients. I have managed to setup the WAN6 interface properly, and I see the PD address showing up in the LAN interface. I have double checked the configs you showed for DHCPv6 with PD, and although it looks right, in the computer all I see is the fe80:xxx address. I will double check everything again in the next days, but done it before without success. Any tip on what/where I could be investigating to find the issue? Short of wiresharking the whole DHCP transaction, I am running out of ideas.
Yeah, I figured out the problem. I was missing the odhcpd package installed (as well as ip6tables). As I mentioned my setup is performed with Ansible and removing that package is NOT in the playbook. I have upgraded just last week with the latest firmware - and I always clear all the configs, so that I can test the playbook once more. So I reckon maybe the default image is not coming with odhcpd installed. I will double check on that shortly.
Hi Franco - yes I've tried (you might have seen my pull request on the asu project). I have however not yet tried setting the x86 image size value to a higher value (as we have the 104 MB limit there...)
Hi Franco, I must admit that I have not really searched for an alternative after I had found them. But true, in South America there are not that many end points (actually the only one you can pick is Colombia even though I think they have ISPs in Brazil...) Maybe someone else knows any 6in4 provider in South America ?
Does anyone know what option 'ipv6' in PPPoE interface does? If I explicitly create a wan6 interface, it seems settings that option to '0' or '1' has no effect. config interface 'wan1' option device 'eth1' option proto 'pppoe' option username '' option password '' option ipv6 '0' # it doesn't matter if the value is '0' or '1' config interface 'wan1_6' option device '@wan1' option proto 'dhcpv6'
Hi JB, well.... for in house communication - there is no advantage really, as you can do everything with IPv4 probably. For communication outbound and inbound - you get rid of the NAT. In my case that is worth 1-2 ms better ping time. Accessing from the outside is easier as you don't need DNAT/Port forwarding.
Thanks a lot for this video which helped me configure ipv6 successfully, but I'm still confused. ::5:0:0:0:245/::f:ffff:ffff:ffff:ffff confuses me, it is similar to "subnet mask" but I don't understand the meaning. I didn't find an explanation on IETF, I want to know how to use it, thanks!
Yes - I remember it was tough to find info on that one. It's more or less like IPv4 subnets really. What it means is that the (firewall rule for example) will only look at the portions of the address that have a "1" bit set in the subnet mask (in the example the last 17 bytes). You might as well use 2003:de:/ffff:ff:: in order to identify anything coming from Deutsche Telekom for example. In a nutshell, you "fix" everything with a set bit in the subnet mask and can have everything else variable.
Oh yes. Recently I payed attention to the fact that my ISP routers a really a mess, because no way to configure DNS Server or ipv6 while getting dual stack. Having a amd64 hardware ready to replace it, just stumbling again over ipv6 in my environment and you come around with openwrt as the savior. Thank you again for being always ahead.
grobes video wie ich das mit ipv6 auf linux (oder *bsd) von hand machen muss mit telekom quatsch ipv6 (die hätten ruhig static raus geben können) wäre extrem schön :) gibt fast keine dokumentation über telekom ipv6.. wenn doch verlinkung(en) bitte :)
It is a useful tutorial! My university's dormitory (my ISP) does not support prefix delegation and I have to use router advertisement for dhcp/ndp/slaac relay.
many thanks for this video and your other videos on IPv6, I learned a lot. I am lucky enough I have an ISP that gives me a whole /48 and I seem to have setup prefix delegation on my OPNsense router successfully. At least from what I can tell all my devices have IPv6 addresses. Unfortunately the way OPNsense does things is pretty different from OpenWrt so while I looked around for things that had the same name I wasnt able to find everything. What I was unable to do was setup static leases for my servers. I can see the active leases so it appears I'm doing something, but I still dont really know what im doing lol. I couldnt find any settings related to the icmpv6 router advertisement stuff and dhcpv6 configuration which might be the reason why I cannot set static leases as I think I am not in control of those as I have probably not configured my DHCP server correctly. The leases it does list are probably those kind of ipv6 addresses that are being generated by the clients? Not sure I completely understand this fully Either way, you don't happen to know how this works on OPNsense do you? Would love to give my servers static ipv6 addresses that I can control and set as static leases in my router that are reachable from the outside world. All my stuff is now reachable via ipv4 with NAT, but I want to experiment with ipv6 where NAT shouldnt be needed. (I have both a static ipv4 address and a static ipv6 range from my isp) In any case, even if you dont have an answer to these questions I already greatly appreciate these videos, they contain a ton of info and are super well explained, thanks!
Hi Olle, not sure where to find these on OpnSense (I might need to check in my test lab later). In pfsense you can find most of those settings under Services - DHCPv6
@@OneMarcFifty there is surprisingly little there, some settings related to DHCPv6 relay (which I dont think I need?) and a page with current leases, but no settings. Under DHCPv4 I can select my lan interface and do a bunch of settings there (range, static leases, etc), non of that exists for DHCPv6, which makes me think I have most likely misconfigured something in Interfaces->LAN1. I'm gonna play around with these settings, I suppose worst case my ipv6 doesnt work anymore on my local devices. As long as ipv4 keeps working I dont care for now :P
@@OneMarcFifty oh hey, I think I made some progress lol, I had to check a checkbox that was marked "Use with care" so I overlooked it, but with that enabled it allows me to configure DHCPv6 settings for my LAN interface, and give static leases. Now lets see if I can manage to not mess this up lol
@@OneMarcFifty it took me forever to realize but under Services besides DHCPv6 (which was already there, just couldnt configure anything on my LAN interface) a new service appeared with the very obvious name "Router Advertisements", was looking for those settings everywhere but there lol. Anyways, I now have finally a setup with SLAAC+DHCPv6 and I can configure static DHCPv6 leases (static suffix), only took me a few hours (+half a day the other day) hahaha. Next step will be to see if I can configure ipv6 rules in my firewall with those static suffixes as lan address instead of the full address, but thats for another day, first sleep
This is an amazingly well explained video Marc. I have recently moved from an ISP who only had IPV4 addresses to an ISP that was able to give me an IPV6 address. I wish I came across this video earlier, as I had trouble with setting up a VLAN ID tag for my new connection. Luckily your VLAN video gave me a lot of good pointers to work from. Thanks again.
I've watched three videos, it's a bit hard to process them all at once, but at least it became a little clearer, because I used to switch off ipv6 like as an unnecessary problem. Thanks
Thank you for this as it has helped me better understand the "joy" of IPv6. Unfortunately, it seems that my ISP (Spectrum) delegates a single /128 address via DHCPv6. I tried getting a /48 through /64 and it always returns a /128. I haven't tried setting the WAN6's "Request IPv6-address" to the "force" option yet.
My interface shows this for LAN 192.168.1.1/24 and the WAN shows XXX.XXX.XXX.XXX/20 the bits at the end don't match, /24 & /20, should i be concerned and adjust the settings? If so, please make a video, thank you ✌😊
