IPv6 on Time Warner with VLANs using OpenWrt

I’ve retired the old Linksys e3000 running TomatoUSB and have replaced it with a ZyXEL NBG6716 802.11AC router that is running OpenWrt Chaos Calmer.  One of the things I was never able to get to work on the e3000 with Tomato-USB was getting each of the four VLANs an IPv6 subnet.  I could only seem to pull down a /64 from Time Warner, which would then get assigned automatically to my first VLAN.  The good news is, I am now running with a /56 assignment from Time Warner with each VLAN assigned a /64.

My current setup looks like:

  • ZyXEL NBG6716 AC router
  • OpenWrt Chaos Calmer r43762 (snapshot of trunk at the time)

So, to start out, make sure you have the following software packages installed:

  • ip6tables
  • ip6tables-extra
  • kmod-8021q
  • kmod-ip6tables
  • kmod-ipv6
  • odhcp6c
  • (optional) luci-proto-ipv6

Setup WAN

At this point, I configured the WAN interfaces to pull an IPv6 address (Network -> Interfaces).  Edit the WAN6 interface to update the following settings:

  • General Setup Tab
    • Protocol: DHCPv6 client
    • Request IPv6-address: try
    • Request IPv6-prefix of length: 56
  • Advanced Settings Tab
    • Bring up on boot: checked
    • Use builtin IPv6-management: checked
    • Use default gateway: checked
    • Use DNS servers advertised by peer: check (even though TW hasn’t passed IPv6 DNS servers to me yet)
  • Physical Settings Tab
    • Bridge interfaces: unchecked
      • Interface: “Ethernet Adapter: “eth1”
  • Firewall Settings
    • Create / Assign firewall-zone: wan

Create VLANs

Now create the VLANs that you want to use (Network -> Switch).  Make sure that each of the VLANs you create are tagged for the CPU.  In my setup, I have the VLANS: Management, Home, Guest, DMZ.

Create Interfaces for the VLANs

Now we’re going to setup the different bridges so that each VLAN we setup will get assigned IPv6 address.  Go back into the interfaces section (Network -> Interfaces).  I wanted all my bridges to be named the same, so I actually deleted the original LAN interface.  There really is no need to do that, but it does make the br-<name> interface nice by matching the interface name.  Also, make sure to only “Save” and not “Apply” until you have all interfaces created.  I also created each interface as a bridge so that I can move the wireless interfaces in if needed (testing and setup).

So, when adding the new interface, these are the values that I entered:

  • Name of the new interface: <pick a name, ie. DMZ, Guest, etc>
  • Protocol of the new interface: Static address
  • Create a bridge over multiple interfaces: checked
  • Cover the following interfaces: <check the VLAN you want it to be in.  If you want to put a wireless network in there too, click that.  Do not click eth0 or eth1>

After clicking Submit, you will be taken to the interface screen, update the following values:

  • IPv4 and IPv4 netmask (if you want to have IPv4 in this VLAN)
  • IPv6 assignment length: 64
  • IPv6 assignment hint: This can be left empty, but I like the /64 assigned to have the VLAN ID to be part of the ipv6 address.  I also have concerns about keeping it consistent if configs get changed.

If you enable the DHCP Server, set the following values in the “IPv6 Settings” tab:

  • Router Advertisement-Service: server mode
  • DHCPv6-Service: server mode
  • NDP-Proxy: disabled
  • DHCPv6-Mode: stateless + stateful

Create Firewall Zones for VLANs

In the Firewall Settings (Network -> Firewall), I usually start out by putting the new zones under the same LAN firewall zone by default.  I go back afterwards and create a firewall zone for each VLAN and assign them when I create the firewall zone.

At this point hit “Save” and add the next one. Once you finish your last one, click “Save & Apply”.

The next task is to create new firewall zones for each VLAN if you want.  I have a Home, Guest, DMZ, and Management VLAN, so I want access that each zone has to and from to be different depending on the VLAN somebody is in.  Like the interfaces, don’t apply to you get to the last one. Also, I like to delete the rename original Firewall Zone so that it matches the name of one of my VLANs.

The major settings to change (the rest are up to user to decide which networks can come in and out without more detailed firewall rules) are:

  • General Settings tab
    • Covered networks: <Select the VLAN interface you created earlier you want the firewall zone to be in>
    • Inter-Zone Forwarding Note:  I like using this for full access to networks.  An example of my house is my management VLAN has access to all VLANS, but no VLANs have access in (I use a firewall rule to allow one IP in from the Home network).  My Home VLAN has access to Guest and DMZ.  My Guest VLAN has access to DMZ.  My DMZ has access to no other zones.
  • Advanced Settings tab
    • Restrict to address family: IPv4 and IPv6

At this point, on the last one, apply the changes.  Each interface should now be in the correct zone.  Also, you should now be setup to have a couple VLANs which each have their own /64 address.

For port forwarding between IPv4 and IPv6, you do have to set those in two different locations.  IPv4 should be entered under “Port Forwards” tab and the IPv6 port forward (not actually port forwarding) should go under “Traffic Rules”.  I do like how Tomato-USB does it better where even though IPv6 is not doing port forwarding, the setup for opening up ports in the firewall is identical to setting them up in IPv4.  Anyways, I might do another article on how I did it, but not today.

Support Files

Leave a Comment

NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>