IPv6 and OpenWRT

 22 September 2017  off-topic

OpenWRT is a project that has amazed me on multiple occasions. It’s an open source Linux-based Internet router firmware project, compatible with large numbers of off-the-shelf home and SoHo Internet broadband routers. Re-flash a compatible router with the OpenWRT firmware, and suddenly your router can do far, far more than than simple home broadband and wifi routing.

What amazes me is that I can come up with complex scenarios, and just about every time, OpenWRT handles it. Want to have it connect to an OpenVPN server, and then bridge the local network onto that remote network? Sure. Want to add a 4G USB dongle to provide a second Internet connection? I can do that. Want to configure it so that some machines prioritise to use the broadband and others the 4G dongle? No problem. It’s a hugely powerful platform, but without making it difficult to use.

I recently switched ISP from a mass-market consumer provider to Andrews and Arnold, a much more niche provider. Where OpenWRT takes a mass-market broadband router and applies bucketloads of Clue™ to it, A&A does the same for the broadband service itself. I wanted to take advantage of A&A’s IPv6 support, so I set to see what OpenWRT can do for me.

This is my first attempt at doing anything with IPv6. Unfortunately “reading up” on IPv6 is easier said than done - it’s not yet reached the level of penetration that means that how it works is common knowledge. It’s much more complex than IPv4 and there’s not a lot of easily-digestible material that’s not aimed at full time network administrators. After reading a few articles I knew a bit about IPv6 but nowhere near enough to configure it myself from first principles. However the OpenWRT wiki assured me that it was fully IPv6 enabled - so maybe I’ll just connect it to my A&A broadband (also fully IPv6 enabled) and see what it does.

Space is big. Really big.

IPv6 came about because 32 bits does not provide enough addresses to meet long-term demand. IPv6 increases the address space to 128 bits. This change has an absolutely mind-boggling effect on the number of possible addresses - I’ve heard it said that it means that every atom in the universe can be given a unique address (although I don’t have a source for that). Whereas IPv4 had relatively few reserved addresses, the designers of IPv6 could reserve huge quantities of addresses for special purposes and still have no problem with the supply of available addresses before the death of the Solar System.

To put this into context, the IPv4 192.168.1.0/24 network is one you have probably seen many times, consisting of 24 bits for the network and 8 bits for the address, giving 250 or so usable addresses. The basic IPv6 address is a /64, meaning the first 64 bits of the 128-bit IPv6 address is for the network, and the remaining 64 bits is for addresses on that network. That means your common, basic IPv6 network can theoretically hold over 18,000,000,000,000,000,000 addresses. I don’t even know how to say that number. It’s the number 18 followed by 18 zeroes. IPv6 reserves many more addresses than IPv4 for special behaviour, but even then, your home wifi is never, ever going to fill up.

What’s more, there’s room for 18,000,000,000,000,000,000 networks, each with 18,000,000,000,000,000,000 addresses (reserved addresses etc. etc.) - so you can see that the global supply of IPv6 addresses is never going to be an issue.

Never mind the manual, switch it on and see what happens

Now back to solid use cases. A&A have assigned me a single static IPv4 address, and a /64 network of IPv6 addresses. How to use this with OpenWRT? They also sent me a broadband router, which works just like a consumer router - it connects to the broadband, and presents a NAT IPv4 network over a handful of Ethernet ports and over Wifi. This being A&A it’s a lot smarter than your typical ISP router, but I’m not actually going to take it much further than that. This router supports a bridge mode in which it switches off its router functionality, and instead just pulls the raw broadband packets off the line and bridges them to PPPoE on the Ethernet ports. So the first thing I do is reconfigure OpenWRT’s WAN connection to use PPPoE.

Then OpenWRT amazes me. It’s detected the IPv6 network A&A have assigned me, and configured its own DHCP server to dish out IPv6 addresses from this network to the devices on my home network. A quick check with another IPv6-enabled server on the Internet and I can see that the individual devices on my network have globally-accessible IPv6 addresses, and I can ping them from the public Internet. Sensibly, OpenWRT’s firewall doesn’t allow anything more advanced than ping through. This is exactly how IPv6 is supposed to work - no NAT, just a single address space for everything! This is just how IPv4 used to work, before the scarcity of addresses became a problem.

Now it’s time to get a bit more advanced. I want to make some devices visible on the public Internet. It makes sense that those devices go into an isolated network, rather than being peers of every device in my home network. With isolation, should an attacker be able to compromise one of the publicly-visible devices, it won’t be easy for them to leapfrog onto the private devices. There is a common pattern for this, the DMZ.

OpenWRT says no problem - onto the Firewall configuration and add a new zone called dmz, and configure it so that it is reachable from both lan and wan, but that it itself can only reach out to wan (and therefore it can’t open connections into the private LAN zone). Next, onto the Switch configuration and add a new VLAN, which I’ve given an ID of 10, and change one of the on-board Ethernet ports to take it out of the first VLAN (with ID 1) and place it in the new VLAN. Finally, onto the Interfaces screen where I add a new interface called dmz, tell it to cover the eth0.10 interface (corresponding to the new VLAN I created), and put it in the dmz firewall zone. Configure a few more things such as its IPv4 address and DHCP server, and we’re done.

So far, this new zone isn’t configured for IPv6. A&A comes to the rescue again - although they’ve assigned me a /64 IPv6 network, that is just one part of a much larger /48 that they have reserved for me. This means that I can potentially run 65,536 separate /64 IPv6 networks - more than I could possibly ever need and yet another example of the mind-boggling size of the IPv6 address space. To get another network, all I have to do is go to the A&A control panel and press a button, and they’ll assign another chunk of my reserved address space. They give me three options - a /64 network (like the one they have already given me), a /60, or a custom number. A /60 is interesting because that can be subdivided into 16 /64 networks, so I can start giving my different zones individual IPv6 networks. I press the button.

At this point I configure the dmz interface on OpenWRT to copy the IPv6 settings from the lan interface (which was set up for me as part of OpenWRT’s default configuration) - I don’t try to understand the options, I just copy them. Then I restart my router to allow it to get its new IP configuration over the broadband and configure its own IP addresses. At this point something interesting has happened - when I look at OpenWRT’s Interfaces page, I can see that the LAN interface has picked up the /64 as before, but also that the DMZ interface has picked up the /60 that I just created and is serving up IPv6 addresses in this network by DHCP. That’s great, but I didn’t configure anything! How did this happen - by magic?

DHCPv6

This all seems to be down to the new DHCPv6 protocol. Compared to DHCP as used in IPv4, DHCPv6 is much more advanced. Unfortunately this makes it more difficult to understand, which is why I’m grateful for OpenWRT doing all of the hard work for me. Whereas DHCPv4 is limited to configuring individual hosts, DHCPv6 has the capacity to configure hierarchies of networks. When OpenWRT brought the interface up, it sent a DHCPv6 query to A&A, and their DHCPv6 service responded with not only a static IPv6 address for the router, but also details of the IPv6 networks that are allocated to me - namely, this /60 IPv6 network that I allocated earlier. OpenWRT then has the ability to divide this /60 network into smaller networks for the different interfaces.

When I copied the “LAN” interface into the “DMZ” interface, I also copied a setting called “IPv6 assignment length”. This had two options, disabled or 64, and it had been set to 64, so OpenWRT would try and use its IPv6 allocations to provide a /64 network for both interfaces. It knows about the /64 and the /60 assigned by A&A; so it can assign the /64 straight to one interface and - the clever bit - it can carve out a chunk of the /60 to get a /64 network, and assign that to the other interface. So not magic, but merely (paraphrasing Arthur C Clark) a sufficiently advanced technology that seems like magic to someone like me who did not understand it.

This is good, but I would like to reduce the amount of magic, or the appearance of it, as things that happen as if by magic have a habit of changing as if by magic, too. In my case my IPv6 address space can be carved up in several different ways, and I was worried that the IPv6 network assigned to my DMZ might change if the router reboots. If I’m wanting to offer Internet-visible services, then these IPv6 addresses must be static IP addresses. Again, OpenWRT and the IPv6 stack have considered this - there’s another setting on the OpenWRT Interface configuration page, “IPv6 assignment hint”. Recall that my /60 network can be divided by OpenWRT into /64 networks. There’s a 4-bit “gap” between a /60 and a /64 network, meaning that splitting a /60 can give me sixteen (2^4) /64 networks, each identified by a hexadecimal digit. By given OpenWRT an “assignment hint”, I can tell OpenWRT which hexadecimal digit I want each interface to have. As long as I give each interface a different value, then my interfaces will have a consistent network assignment.

IPv6 is undoubtedly more complicated than IPv4. I still can’t claim to understand how it works in any detail, but with excellent power tools like OpenWRT (and clueful ISPs like A&A) the task of managing IPv6 networks at home is managable by power users such as myself.

 22 September 2017  off-topic

Comments on this article