IPv6 routing questions

A recent router firmware upgrade has broken things for me. I have a server that has a static address and was the target of my TBBQM and now it isn't accessible. Apparently I didn't understand IPv6 as well as I thought

IDNet's portal state this for my IPv6 connection:

Route: 2A02:390:6C03::/48

Prefix: 2A02:390:FEED:6C03::/64

And my router is picking up the prefix. Machines on my LAN are being assigned addresses with that prefix.

But here's where I'm confused. My server and corresponding TBBQM are configured to the address starting 2A02:390:6C03:1:.... And I remember choosing '1' on the grounds that I had to start from somewhere

But the server can't be accessed on its IP address from LAN or WAN (LAN gives 'TTL expired in transit' WAN says 'Network unreachable'). I can get the LAN side working by setting up a static route on my router but the WAN side still won't work.

Now I think this is because I have to use the prefix but:
1)How has my server been working for the last four or five years if its address was never valid?
2)What is the significance of the FEED in the prefix? I could understand it better if it came after 6C03. I thought 'my network' was anything starting 2A02:390:6C03

Edited by Andrue (Tue 22-Oct-24 08:59:29)

In reply to a post by Andrue:

2)What is the significance of the FEED in the prefix? I could understand it better if it came after 6C03. I thought 'my network' was anything starting 2A02:390:6C03

I'm also on IDNet and I've also often wondered if the presence of a (possibly) relevant English word in there was more than just coincidence... but it would be hard to under-estimate my understanding of IPv6 so I've just accepted it

A router has 2 or more networks so each interface will have their own address on distinct subnets.

For your router:
The /64 subnet with FEED in it is the (point to point) WAN connection between your router and IDNet.
This is only used by your router to talk to IDNet and is never assigned to any devices on the LAN side.

The /48 network is the delegation to your router to provide LAN subnets (up 64K of networks 0000 through ffff so xxxx).
The router will pick a subnet for the default LAN often it will be the 0th network

In your case that would be 2a02:390:6c03:0::/64
which would be shortened to 2a02:390:6c03::/64 ( inside the :: )
Check in the router for what it has assigned to the LAN and whether you have changed the 0 to a 1 yourself there?
Note that the router will put out router advertisements (RA) for that subnet so that hosts can configure themselves in that subnet and will normally also advertise DNS information. DHCPv6 is optional in this setup.

Let's call whatever your LAN subnet in use is as LAN::/64
and each host on your LAN will have its own address of the form LAN::host/64

Normally the host address of your router on the LAN will either be 1 or an EUI based on its MAC address (in which case you will se ff:fe in the middle of the host address.

While you can manually pick additional subnets from the /48 and they are yours to use, additional subnets won't automatically talk to the router unless it has multiple LAN interfaces (not just the LAN switch ports as on a typical home router) and these subnets are generally used by assigning to additional VLANs.
In that case the router needs an interface with a distinct address on each VLAN.

For example:
* 2a02:390:6c03:1::/64
* 2a02:390:6c03:2::/64
* 2a02:390:6c03:a::/64
* 2a02:390:6c03:a1::/64
* 2a02:390:6c03:bc1::/64
* 2a02:390:6c03:def1::/64

would all be valid and distinct LAN subnets from your /48 assignment and the host part of the address of the router could be 1 on each distinct subnet on different interfaces

Edited by prlzx (Tue 22-Oct-24 13:10:30)

Thank you! That's what I thought. I'm beginning to think it's a bug that Draytek have introduced. My laptop has been assigned this address at the moment:

2a02:390:feed:6c03:8e5e:f456:f24:xxxx (Preferred)

Which if I've understood your reply (which agrees with my understanding) is incorrect. So my server is set at a valid address but the router is handing out addresses on an invalid subnet meaning they can't talk to it without a static address. And presumably the router won't allow incoming packets to the server because it for the same reason doesn't think it's a valid subnet?

Edited by Andrue (Tue 22-Oct-24 13:15:09)

That's an address from the WAN side which can only happen if the Draytek configuration has bridged the WAN interface to one or more ports on the LAN side.

I guess this can result from if the Draytek configured to pass public IPs directly though to a secondary LAN.
However that kind of setup is not really valid for a fully routed IPv6

It is more often seen where someone receives a /29 directly on their IPv4 WAN interface and is trying to add up to 4 additional hosts to the WAN subnet (alongside the router itself),
rather than having the router claim the additional IPs (as IP aliases) and then using 1:1 NAT to hosts in a DMZ subnet using private addressing which is a less confusing option for IPv4 and a standard approach with a pfSense router for example.

For IPv6 as you have a fully routed /48 allocation (delegation) for 1 or many LANs you only use /64s chosen from that assignment.

Draytek can have additional LAN interfaces assigned to its switched ports but it is very easy to unintentionally arrive at a bridged result and I used to find their UI confusing on that aspect.

However there is generally no need to use more than one LAN network if you want the server to participate in the LAN,
unless you really want all traffic between different subnets to have to go via the router so it can use rules (ACLs or firewall rules) between them.

Edited by prlzx (Tue 22-Oct-24 13:34:40)

I've passed some of your comments onto Draytek to see if it prompts them to offer a configuration change. Their last response was typically unhelpful, asking me to check that IPv6 was enabled so I'm not overly hopeful.

But if I understand this correctly my devices at the moment are in effect on IDNet's network albeit a subnet set aside for just my router. Whereas I want them to be on one of my subnets like the server is.

I hope there's a configuration setting or two that will fix this but with FTTP supposedly coming soon I was considering changing the router anyway. It's had a long life. Mind you I'm still using the original HG612 as a modem so that's lasted well also

Yes and additionally there is a risk if most of your kit is sitting on the "outside" subnet of your Draytek
you are completely exposed if the Internet access is such that your first hop is an IDNet router instead of behind the Draytek firewall.

IDNet are also not expecting to see multiple "routers" on that WAN feed /64 even if they are tolerating it.

Edited by prlzx (Tue 22-Oct-24 14:21:19)

In reply to a post by prlzx:

Yes and additionally there is a risk if most of your kit is sitting on the "outside" subnet of your Draytek
you are completely exposed if the Internet access is such that your first hop is an IDNet router instead of behind the Draytek firewall.

IDNet are also not expecting to see multiple "routers" on that WAN feed /64 even if they are tolerating it.

Ouch! I think I'm safe because tracert shows the first hop as being my router.

Draytek have escalated me ticket so I might get a useful response. The 2762 is end of life but given that I updated the firmware to address a security vulnerability they might take it seriously.

I believe I've found the solution. I disabled 'Auto IPv6 Range' on the DHCPv6 configuration page and specified a range manually a02:0390:6c03:1:: to a02:0390:6c03:1:ffff::.

Everything seems to be back working again now LAN and WAN. My only concern is that nothing seems to be reserving the address the server uses but it's the one machine that will always be up so it shouldn't matter. And perhaps I should add it as a static route.

I don't remember having to do that before so I don't know if it's a new setting for that firmware or a setting that got overwritten by the firmware update.

I had a response from IDNet yesterday. From their response it appears they are happy to have routers use the FEED address for hosts:

We give 2 sets of IPv6 details /64 & /48 for historic reasons and to cope with various ways routers handle things. The FEED address can be used by the router to configure itself with an IPv6 address, the routed block is then meant to be delegated by the router to end clients. Other routers will just take the 1st address from the routed /48 instead.

Our gateways will allow both DHCP-v6 and Prefix Delegation depending on how the router is configured.

In reply to a post by Andrue:

The FEED address can be used by the router to configure itself with an IPv6 address, the routed block is then meant to be delegated by the router to end clients. Other routers will just take the 1st address from the routed /48 instead.

The routed block refers to the /48 (not FEED) from which the router is supposed to assign to LAN hosts.

What the second sentence above means that it is a valid option for the router itself to only use a link-local on the WAN interface to configure as the default route to Internet and then choose an address from the routed /48 as its own primary management GUA IP.
By design this can still work for connecting to the router UI from both internal and external connections though it depends on the specifics of the firewall policy.

The reply is not saying it is meant for LAN clients to end up alongside the router on the WAN interface IP subnet.

For work we have multiple sites on IDNet circuits and I manage the configuration for our routers.
We have circuits from various ISPs (including some Starlink) so there's some static assignment and some using SLAAC and/or DHCPv6-PD in the mix and even some scenarios where our v4 option is only CGNAT.

As per sig though I have vanilla FTTC Zen at home it works the same way with regards to the /64 WAN and then routed /48 for LAN.

Edited by prlzx (Thu 24-Oct-24 01:36:09)

It it is what it looks like, it's quite a neat way of having some self documenting addresses; the /64 point-to-point WAN subnet is documented as "feeding" the /48 delegation

For what it's worth I wound back the firmware update and the router immediately started issuing addresses on the ::1 subnet and routing to my server was working again. Draytek support responded to that stating that as it was a bug introduced by a security update a fix would be released (after previously noting that as the router is End of Life no fixes would be released).

I suppose it remains to be seen whether such a fix will appear. There are 'no known issues' with the current firmware according to the readme so I'm sceptical. I will be considering replacing my router when FTTP arrives here (some time this year I suspect from the recent Openreach activity around town). To be fair Draytek support was better than I expected in that they at least engaged with me but at the end of the day engagement is only a good start. It's not the same as fixing a fault.

If I can ask a side Q here as it relates to IPv6...

I am in CH and Swisscom have enable IPv6 on my router by default, but as I will never have more devices than IPv4 can cope with... Is there ANY advantage in using IPv6 on a home network... in my reading I can only see problems... that and I can relatively easily remember an IPv4 address, but haven't a cat-in-hell's chance of remembering an IPv6 one.

A

In reply to a post by nonymouse:

Is there ANY advantage in using IPv6 on a home network... in my reading I can only see problems... that and I can relatively easily remember an IPv4 address, but haven't a cat-in-hell's chance of remembering an IPv6 one.

Let's think about address memorisation first: you should have a reliable DNS setup which means you very rarely need to type, let alone remember, an IP address. If your DNS isn't reliable then I'd suggest fixing that.

IPv6 gives you the option (assuming your firewall allows it) of end to end connections between the devices on your network and other devices on the internet, including devices on networks where there are inadequate IPv4 addresses. It's possible that your ISP has given you a generous allocation of IPv4 addresses, but it's likely that you're using NAT to share a single address, in which case enabling IPv6 will reduce the amount of work that your router needs to do for NAT. The same is true of the other side -- you might be able to bypass congested paths involving shared IPv4 addresses in favour of a direct path over IPv6.