I am lucky and get both IPv4 (without CGNAT) and IPv6 from my provider.
Recently after upgrading my desk router (that is a Netgear WNDR3800 that
serves the network on my desk) from OpenWRT to the latest LEDE I looked into what
can be improved in the IPv6 setup for both my home network (served by a
FRITZ!Box) and my desk network.
Unfortunately I was unable to improve the situation compared to what I already
had before.
Things that work
Making IPv6 work in general was easy, just a few clicks in the configuration of the FRITZ!Box and it mostly worked. After that I have:
- IPv6 connectivity in the home net
- IPv6 connectivity in the desk net
Things that don't work
There are a few things however that I'd like to have, that are not that easy it
seems:
ULA for both nets
I let the two routers announce a ULA prefix each. Unfortunately I was unable
to make the LEDE box announce its net on the wan interface for clients in the
home net. So the hosts in the desk net know how to reach the hosts in the home
net but not the other way round which makes it quite pointless. (It works fine
as long as the FRITZ!Box announces a global net, but I'd like to have local
communication work independent of the global connectivity.)
To fix this I'd need something like radvd on my LEDE router, but that isn't
provided by LEDE (or OpenWRT) any more as odhcpd is supposed to be used which
AFAICT is unable to send RAs on the wan interface though. Ok, probably I could
install bird, but that seems a bit oversized. I created an entry in the LEDE
forum but without any reply up to now.
Alternatively (but less pretty) I could set up an IPv6 route in the FRITZ!Box,
but that only works with a newer firmware and as this router is owned by my
provider I cannot update it.
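
An added example, not part of the original post: a router advertisement can carry a more specific route in a Route Information Option (RFC 4191), which is the kind of announcement the RA approach above relies on. The sketch below builds such an RA with router lifetime 0 (so the sender is not offered as a default router) and parses it back, which is also handy for checking what a captured RA really announces; the ULA prefix is a constructed sample and nothing is sent on the wire.

```python
import ipaddress
import struct

RA_TYPE = 134          # ICMPv6 Router Advertisement
OPT_ROUTE_INFO = 24    # Route Information Option (RFC 4191)

def build_route_info(prefix, lifetime):
    """Encode one Route Information Option for `prefix`."""
    net = ipaddress.IPv6Network(prefix)
    # Option length is counted in units of 8 octets:
    # 8-byte header alone, or header plus 8 or 16 prefix bytes.
    units = 1 if net.prefixlen == 0 else 2 if net.prefixlen <= 64 else 3
    head = struct.pack("!BBBBI", OPT_ROUTE_INFO, units, net.prefixlen, 0, lifetime)
    return head + net.network_address.packed[: (units - 1) * 8]

def build_ra(route_options, router_lifetime=0):
    """RA header followed by options; checksum stays 0 (never transmitted)."""
    header = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, router_lifetime, 0, 0)
    return header + b"".join(route_options)

def parse_ra(packet):
    """Return (router_lifetime, [(prefix, route_lifetime), ...])."""
    if len(packet) < 16 or packet[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    router_lifetime = struct.unpack_from("!H", packet, 6)[0]
    routes, offset = [], 16
    while offset + 2 <= len(packet):
        opt_type, units = packet[offset], packet[offset + 1]
        if units == 0 or offset + units * 8 > len(packet):
            raise ValueError("malformed option")
        if opt_type == OPT_ROUTE_INFO:
            plen, _flags, lifetime = struct.unpack_from("!BBI", packet, offset + 2)
            raw = packet[offset + 8 : offset + units * 8].ljust(16, b"\0")
            net = ipaddress.IPv6Network((raw, plen), strict=False)
            routes.append((str(net), lifetime))
        offset += units * 8
    return router_lifetime, routes

if __name__ == "__main__":
    # Constructed sample: a ULA /64 standing in for the desk net.
    ra = build_ra([build_route_info("fd12:3456:789a:1::/64", 1800)])
    print(parse_ra(ra))
```

Whether a host installs the announced route depends on its RA handling; the Linux kernel, for instance, only accepts Route Information Options up to the prefix length set in the `accept_ra_rt_info_max_plen` sysctl.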
Firewalling
The FRITZ!Box has a firewall that is not very configurable. I can punch a hole
in it for hosts with a given interface-ID, but that only works for hosts in the
home net, not the machines in the delegated subnet behind the LEDE router. In
fact I think the FRITZ!Box should delegate firewalling for a delegated net also
to the router of that subnet.
So having a global address on the machines on my desk doesn't allow me to reach
them from the internet.
Update: according to the German changelog firmware 6.83 seems to include that
feature. Cheers AVM. Now waiting for my provider to update ...