IPv6 GUAs for Isolated Guest Network?

Ceejus

Regular Contributor
Can anyone tell me if it's possible for a guest network on an isolated VLAN and IPv4 subnet without intranet access to receive IPv6 global addresses via the GUI or does this require scripts?

I would imagine this would also require a different IPv6 subnet but the GUI currently doesn't offer a means to create one.

Running a GT-BE98 Pro with the latest 3006.102.4 firmware.

Not overly concerned if it's not possible, but I have read a few threads on here with people reporting clients on their isolated guest networks receiving IPv6 addresses.
 
Not sure what you're trying to do - but typically if one is on a LAN/VLAN with IPv4 only, you'll get an IPv6 ULA... that will be good enough for internal addressing (for example, using mDNS and .local) for that segment...
 
Not sure what you're trying to do - but typically if one is on a LAN/VLAN with IPv4 only, you'll get an IPv6 ULA... that will be good enough for internal addressing (for example, using mDNS and .local) for that segment...
Trying to allow clients on my guest network to get GUAs from my /64 subnet with the prefix given by the ISP via DHCP-PD. Currently, only the clients on my main subnet get them. Wondering if this is by design or if there are specific settings that are needed to get this to work. I would imagine the clients on the guest network VLAN are still getting the RAs from the router.
 
/64 will have issues with subnets on your local LAN...

If you can get a /56 or /48 - that's good...
Well, the WAN prefix is a /56, but the LAN prefix is locked to a /64. From my understanding, this is the case for the majority of ISPs. Either way, there's no way to create IPv6 subnets in the GUI.

Shouldn't the RAs be reaching the clients on the guest network VLAN?
 
If only the main br0 is being assigned a /64, then anything on br52, 53, etc won’t get any RA from dnsmasq. Check which bridges have global prefixes assigned.
Code:
ip -6 addr show scope global
 
If only the main br0 is being assigned a /64, then anything on br52, 53, etc won’t get any RA from dnsmasq. Check which bridges have global prefixes assigned.
Code:
ip -6 addr show scope global
It's just br0 for me. So I'm guessing I was right then - the guest network needs its own /64 subnet? How would I go about getting it assigned a /64?
 
It's just br0 for me. So I'm guessing I was right then - the guest network needs its own /64 subnet? How would I go about getting it assigned a /64?
You would need to calculate the next /64 subnet after the main /64 subnet from your /56 prefix and manually assign it via ssh. Eventually, you could create a dhcpc-event script to add it after a bound6 event. But first, try manually assigning it like:
Code:
ip -6 addr add 2600:dead:beef:cafe::1/64 br52
Replacing the IPv6 address and the bridge interface name to match your environment.
 
You would need to calculate the next /64 subnet after the main /64 subnet from your /56 prefix and manually assign it via ssh. Eventually, you could create a dhcpc-event script to add it after a bound6 event. But first, try manually assigning it like:
Code:
ip -6 addr add 2600:dead:beef:cafe::1/64 br52
Replacing the IPv6 address and the bridge interface name to match your environment.
Thanks for your help. I had my fingers crossed there was somehow a way to do this without having to write any scripts but I guess it couldn't hurt to use this as a learning opportunity. Friendly heads up that this would be my first time doing this. My network knowledge doesn't currently extend beyond CCNA.

Question: I'm assuming this command is asking for the gateway address, not the subnet address (ie: 4400:2700:5A80:1101::1/64 rather than 4400:2700:5A80:1101::/64?) Also, it looks like my guest network is on br58 judging by the fact that it's the only other br listed in my routing table aside from br0 and I can see my IPv4 guest subnet associated with it along with the IPv6 LLAs. Just want to be sure that br58 is what I want to use for this.
 
I'm assuming this command is asking for the gateway address, not the subnet address (ie: 4400:2700:5A80:1101::1/64 rather than 4400:2700:5A80:1101::/64?)
You are assigning the router an IP on this new /64 to be used on br58, so you would use ::1 or whatever host address you prefer the router to have.

None of this will be persistent without a script, so if you mess up just reboot.
 
You are assigning the router an IP on this new /64 to be used on br58, so you would use ::1 or whatever host address you prefer the router to have.

None of this will be persistent without a script, so if you mess up just reboot.
Thanks. I'm getting the following error message when I attempt this:

Error: either "local" is duplicate, or "br58" is a garbage.
 
Thanks. I'm getting the following error message when I attempt this:

Error: either "local" is duplicate, or "br58" is a garbage.
That’s because I forgot dev.
Code:
ip -6 addr add 4400:2700:5A80:1101::1/64 dev br58
 
That’s because I forgot dev.
Code:
ip -6 addr add 4400:2700:5A80:1101::1/64 dev br58
Thanks. So, let's assume for the sake of this exercise that random IPv6 prefix I came up with is what I'm using. I can now see both 4400:2700:5A80:1101::1/64 and 4400:2700:5A80:1101::/64 in my routing table and associated with interface br58. However, none of the devices on my guest network are getting IPv6 GUAs (I've confirmed they do support IPv6 and have been showing LLAs).

Is there something else that needs to be done? Perhaps a command to enable RAs on the interface?

I'm hoping I actually subnetted correctly. Based on the dummy prefix I provided, this is the original /56 I (theoretically) worked off of:

4400:2700:5A80:1100::/56 (from ISP)
4400:2700:5A80:1100::/64 (main LAN subnet)
4400:2700:5A80:1100::/64 (main LAN gateway)

I changed the final hexadecimal in the /64 prefix to a 1 to get the new guest network /64 prefix.
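
The subnet arithmetic discussed above, as an added example that is not part of any post in this thread: it derives the Nth /64 from a delegated prefix and refuses an index that falls outside the delegation. It assumes the prefix is written as four explicit hextets followed by `::` with a length from /48 to /64; the function names are hypothetical, and the prefix and bridge are the dummy values used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumes PREFIX is written as four explicit hextets plus "::", length /48../64.

# nth_subnet64 PREFIX/LEN INDEX -> prints the INDEX-th /64 of the delegation
nth_subnet64() {
    pfx=${1%/*}; len=${1#*/}; idx=$2
    case $len in ''|*[!0-9]*) echo "bad prefix length" >&2; return 1 ;; esac
    case $idx in ''|*[!0-9]*|0?*) echo "bad subnet index" >&2; return 1 ;; esac
    case $pfx in *[!0-9a-fA-F:]*) echo "bad prefix" >&2; return 1 ;; esac
    if [ "$len" -lt 48 ] || [ "$len" -gt 64 ]; then
        echo "only /48 to /64 delegations are handled" >&2; return 1
    fi
    # Split the part before "::" into hextets.
    old_ifs=$IFS; IFS=:; set -- ${pfx%%::*}; IFS=$old_ifs
    if [ $# -ne 4 ] || [ ${#4} -gt 4 ]; then
        echo "expected four hextets before ::" >&2; return 1
    fi
    # A /56 leaves 8 subnet bits (256 /64s), a /60 leaves 4 (16), a /64 none.
    count=$((1 << (64 - len)))
    if [ "$idx" -ge "$count" ]; then
        echo "index $idx is outside the /$len (it holds $count /64s)" >&2; return 1
    fi
    # Clear the subnet bits of the fourth hextet, then set them to INDEX.
    base=$(( 0x$4 & ~(count - 1) & 0xffff ))
    printf '%s:%s:%s:%x::/64\n' "$1" "$2" "$3" $((base | idx))
}

# router_addr NET/64 -> the ::1 address the router would take on that subnet
router_addr() { printf '%s1/64\n' "${1%/64}"; }

# Constructed input: the dummy /56 from the thread, subnet index 1, bridge br58.
# The command is only printed, not executed.
guest_net=$(nth_subnet64 4400:2700:5A80:1100::/56 1) &&
    echo "ip -6 addr add $(router_addr "$guest_net") dev br58"
```

With a /64 delegation the only valid index is 0, so there is no second subnet to hand to a guest bridge.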
 
It’s really an uphill battle. Now you have to configure dnsmasq to emit RAs for br58 and then deal with firewall rules to allow IPv6 traffic from this isolated network.
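
One way to lay out the forwarding rules mentioned above so the guest bridge gets IPv6 internet access but stays isolated from every other bridge, as an added example that is not from the thread or the firmware. The chain name `GUEST6`, the WAN interface name `eth0` and the function names are assumptions; rules for traffic to the router itself (INPUT) depend on the firmware and are left out.

```shell
#!/bin/sh
# Added example (not from the thread or from Asuswrt). The chain name GUEST6 and
# the WAN interface name are assumptions; the function prints rules, it runs nothing.

# valid_ifname NAME -> succeeds only for a plain interface name
valid_ifname() {
    case $1 in ''|-*|*[!A-Za-z0-9._-]*) return 1 ;; esac
    [ ${#1} -le 15 ]   # Linux interface names are at most 15 characters
}

# guest6_rules GUEST_BRIDGE WAN_IF -> prints ip6tables commands for review.
# Layout: everything forwarded from the guest bridge enters GUEST6, which
# accepts traffic leaving via the WAN and drops the rest (br0 and any other
# bridge). Replies from the WAN are accepted only for established flows.
guest6_rules() {
    valid_ifname "$1" && valid_ifname "$2" && [ "$1" != "$2" ] || {
        echo "usage: guest6_rules GUEST_BRIDGE WAN_IF" >&2; return 1; }
    cat <<EOF
ip6tables -N GUEST6
ip6tables -A GUEST6 -o $2 -j ACCEPT
ip6tables -A GUEST6 -j DROP
ip6tables -I FORWARD -i $1 -j GUEST6
ip6tables -I FORWARD -i $2 -o $1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Constructed call: br58 is the guest bridge from the thread, eth0 is an assumed WAN name.
guest6_rules br58 eth0
```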
 
Is there something else that needs to be done?
Long time ago I set this up in dnsmasq.conf.add to get ipv6 to clients:
Code:
### wl1.2 ipv6 config ###
interface=wl1.2
ra-param=wl1.2,10,600 #set ra-interval, lifetime
dhcp-range=wl1.2,::,constructor:wl1.2,ra-stateless,64,600 # set stateless based on interface
dhcp-option=wl1.2,option6:23,[2620:fe::fe],[2620:fe::9] #set dns
### end wl1.2 ipv6 config
https://github.com/ZebMcKayhan/Wire...tup-yazfi-for-ipv6-subnet-to-route-out-wg-vpn

This was for 386 FW so you will need to adapt both to your config and to the new firmware.
 
Long time ago I set this up in dnsmasq.conf.add to get ipv6 to clients:
Code:
### wl1.2 ipv6 config ###
interface=wl1.2
ra-param=wl1.2,10,600 #set ra-interval, lifetime
dhcp-range=wl1.2,::,constructor:wl1.2,ra-stateless,64,600 # set stateless based on interface
dhcp-option=wl1.2,option6:23,[2620:fe::fe],[2620:fe::9] #set dns
### end wl1.2 ipv6 config
https://github.com/ZebMcKayhan/Wire...tup-yazfi-for-ipv6-subnet-to-route-out-wg-vpn

This was for 386 FW so you will need to adapt both to your config and to the new firmware.
Guessing in my case like dave said this would be a bit more involved since my clients are on an isolated VLAN without intranet access. Sounds like the syntax may have changed since 386 as well. Seeing as I've never written dnsmasq scripts, I'm probably better off waiting until this gets implemented in the GUI. I find it strange that it hasn't seeing as Asus' SDN implementation already allows you to do this with IPv4 in the guest network settings.
 
I can tell you what worked for me, my ISP provides residential customers with a prefix that has a /60 subnet (about 16-/64 networks). I have my main router setting up the VLAN for the guest networks. For example, my guest network is on VLAN 52. My main network uses standard 192.168.1.1/24 network and gets XXXX:XXXX:XXXX:XXX0::1/64 ipv6 prefix. My Guest network gets 192.168.2.1 and XXXX:XXXX:XXXX:XXX1::1/64. This is all possible on Asuswrt Guest Network Pro.
 
I can tell you what worked for me, my ISP provides residential customers with a prefix that has a /60 subnet (about 16-/64 networks). I have my main router setting up the VLAN for the guest networks. For example, my guest network is on VLAN 52. My main network uses standard 192.168.1.1/24 network and gets XXXX:XXXX:XXXX:XXX0::1/64 ipv6 prefix. My Guest network gets 192.168.2.1 and XXXX:XXXX:XXXX:XXX1::1/64. This is all possible on Asuswrt Guest Network Pro.
You are saying you set up the ISP-provided global prefix XXXX:XXXX:XXXX:XXX1::1/64 for your guest network on VLAN 52 via the GUI without any custom scripts? How? The GUI doesn't offer the means to create a second IPv6 subnet like it does with IPv4.
 
You are saying you set up the ISP-provided global prefix XXXX:XXXX:XXXX:XXX1::1/64 for your guest network on VLAN 52 via the GUI without any custom scripts? How? The GUI doesn't offer the means to create a second IPv6 subnet like it does with IPv4.
I have my Asus router running in AiMesh router AP mode, and I have another router acting as DHCP and VLAN switch connected to the modem. The modem hands out a /60 prefix. I have two separate networks, one that is tagged as the main network, and one that is tagged as the 52 network. Each network uses an available /64 IPv6 subnet that resides inside the main /60 subnet. The router sends all packets to the Asus router that is acting as AiMesh parent in AP mode. It properly assigns the guest network access to the packets that are tagged 52.
 
I have my Asus router running in AiMesh router AP mode, and I have another router acting as DHCP and VLAN switch connected to the modem. The modem hands out a /60 prefix. I have two separate networks, one that is tagged as the main network, and one that is tagged as the 52 network. Each network uses an available /64 IPv6 subnet that resides inside the main /60 subnet. The router sends all packets to the Asus router that is acting as AiMesh parent in AP mode. It properly assigns the guest network access to the packets that are tagged 52.
In other words, you have a non-Asus router connected to your modem with firmware capable of assigning two separate IPv6 global subnets through its GUI.

I'm looking to set this guest IPv6 global subnet up on an Asus router.
 
