I am lucky and get both IPv4 (without CGNAT) and IPv6 from my provider. Recently after upgrading my desk router (that is a Netgear WNDR3800 that serves the network on my desk) from OpenWRT to the latest LEDE I looked into what can be improved in the IPv6 setup for both my home network (served by a FRITZ!Box) and my desk network.
Unfortunately I was unable to improve the situation compared to what I already had before.
Things that work
Making IPv6 work in general was easy, just a few clicks in the configuration of the FRITZ!Box and it mostly worked. After that I have:
- IPv6 connectivity in the home net
- IPv6 connectivity in the desk net
Things that don't work
There are a few things however that I'd like to have, that are not that easy it seems:
ULA for both nets
I let the two routers announce a ULA prefix each. Unfortunately I was unable to make the LEDE box announce its net on the wan interface for clients in the home net. So the hosts in the desk net know how to reach the hosts in the home net but not the other way round, which makes it quite pointless. (It works fine as long as the FRITZ!Box announces a global net, but I'd like to have local communication work independent of the global connectivity.)
To fix this I'd need something like radvd on my LEDE router, but that isn't provided by LEDE (or OpenWRT) any more as odhcpd is supposed to be used which AFAICT is unable to send RAs on the wan interface though. Ok, probably I could bird, but that seems a bit oversized. I created an entry in the LEDE but without any reply up to now.
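Added example, not part of the original post: the announcement the desk router would have to send on its wan side is a Router Advertisement with router lifetime 0 (so it does not become a default router) carrying an RFC 4191 Route Information Option for the desk ULA prefix. The sketch below only encodes and decodes those bytes; the prefix `fd12:3456:789a::/48` and the function names are constructed for illustration.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type (RFC 4861)
OPT_ROUTE_INFO = 24      # Route Information Option (RFC 4191)
PRF = {"medium": 0b00, "high": 0b01, "low": 0b11}
ULA = ipaddress.ip_network("fc00::/7")


def build_rio(prefix, lifetime, preference="medium"):
    """Encode one Route Information Option for a ULA prefix."""
    net = ipaddress.IPv6Network(prefix)
    if not net.subnet_of(ULA):
        raise ValueError("this example only announces ULA prefixes")
    # Option length is counted in 8-octet units: 2 for /1../64, 3 for /65../128.
    units = 2 if net.prefixlen <= 64 else 3
    head = struct.pack("!BBBBI", OPT_ROUTE_INFO, units, net.prefixlen,
                       PRF[preference] << 3, lifetime)
    return head + net.network_address.packed[:(units - 1) * 8]


def build_ra(options, router_lifetime=0):
    """RA body: type, code, checksum, hop limit, flags, router lifetime,
    reachable time, retrans timer. Checksum is left 0 for the sending stack."""
    return struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 0, 0,
                       router_lifetime, 0, 0) + options


def parse_routes(ra):
    """Return [(network, lifetime)] for every Route Information Option."""
    if len(ra) < 16 or ra[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    routes, pos = [], 16
    while pos + 8 <= len(ra):
        opt_type, units = ra[pos], ra[pos + 1]
        if units == 0 or pos + units * 8 > len(ra):
            raise ValueError("malformed option")
        if opt_type == OPT_ROUTE_INFO:
            plen = ra[pos + 2]
            lifetime = struct.unpack("!I", ra[pos + 4:pos + 8])[0]
            raw = ra[pos + 8:pos + units * 8].ljust(16, b"\0")
            routes.append((ipaddress.IPv6Network((raw, plen), strict=False),
                           lifetime))
        pos += units * 8
    return routes


if __name__ == "__main__":
    ra = build_ra(build_rio("fd12:3456:789a::/48", 1800))  # constructed prefix
    print(ra.hex(), parse_routes(ra))
```

Whether a host in the home net installs such a route is up to the host: the Linux kernel, for instance, ignores Route Information Options with a prefix longer than `accept_ra_rt_info_max_plen`, which defaults to 0.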
Alternatively (but less pretty) I could set up an IPv6 route in the FRITZ!Box, but that only works with a newer firmware and as this router is owned by my provider I cannot update it.
The FRITZ!Box has a firewall that is not very configurable. I can punch a hole in it for hosts with a given interface-ID, but that only works for hosts in the home net, not the machines in the delegated subnet behind the LEDE router. In fact I think the FRITZ!Box should delegate firewalling for a delegated net also to the router of that subnet.
So having a global address on the machines on my desk doesn't allow me to reach them from the internet.
Update: according to the German changelog firmware 6.83 seems to include that feature. Cheers AVM. Now waiting for my provider to update ...