Mini-tutorial: IPv6 with DHCPv6 on Asahi Net & OpenWRT

Mini-tutorial: IPv6 with DHCPv6 on Asahi Net & OpenWRT
Photo by Denny Müller / Unsplash

The chance that this article will come in handy to anyone else than future me is minuscule, so I’ll mostly keep it brief, mostly as a note for when I need to do this setup again in the future.

After seeing the glowing reviews for the GL.iNet Flint 2 wireless access point/switch/router combo device, I was instantly sold – a device that shaves off all the 🐄💩 of modern-day routers that’s sufficiently powerful, doesn’t cost an arm and a leg (UniFi cries in the corner, and I cry with it), has a chance to work with 🇯🇵-specific Internet shenanigans such as DS-Lite[1], doesn’t force a terrible admin panel written in terrible Japanese on me and runs OpenWRT under the hood? Count me in!

However, getting IPv6 working took a bit more effort than I would have liked, so listed below are the steps I had to take to get everything working. A word of note, the way Asahi Net seems to provide IPv6 connectivity is a bit… interesting, instead of delegating a /56 prefix to you, they give you a /64 address, which… seems to mean that the best you can do is relay the address to your local network. I’d apologise to all the network engineers who had to read the previous paragraph but fortunately, they all died of a brain aneurysm after seeing me butcher the terminology[2].

While all of these things can be configured in the LuCI web interface, I didn’t like that a single click of a setting can and often will result in multiple (unrelated!) options being written into a config file, so I performed all of the necessary changes over an SSH connection.

# The following was necessary because the wan6 interface
# was an alias of @wan, which just simply didn’t work.
# Immediately after changing the device to eth1, wan6 could
# obtain a IPv6 address via DHCPv6 and could ping an IPv6
# address.
uci set network.wan6.device=eth1

# The rest of the commands relate to relaying the address to
# the local network.
uci set dhcp.wan6=dhcp
uci set dhcp.wan6.dhcpv6=relay
uci set dhcp.wan6.ra=relay
uci set dhcp.wan6.ndp=relay
uci set dhcp.wan6.master=1
uci set dhcp.wan6.interface=wan6

uci set dhcp.lan.dhcpv6=relay
uci set dhcp.lan.ra=relay
uci set dhcp.lan.ndp=relay

uci commit

I think that this is the minimal set of changes that had to be done, and after restarting the WAN6 interface, I could see an IPv6 address in the Internet section of GL.iNet’s pretty, pretty admin panel. IPv6 test reports a score of 10/10, which feels nice.

The only thing that I haven’t set up yet is DS-Lite, which I think would yeet IPv4 traffic over an IPv6 connection, potentially resulting in better network performance in peak/congested hours, and while that seems worthwhile for sure, it also seems to come with certain drawbacks:

While you retain your PPPoE public IPv4 address, you also gain a new IPv4 address representing this DS-Lite connection, and this DS-Lite IPv4 address is what gets detected when using commands such as curl -s -4, and this IPv4 address might not be resolvable back to you directly (hidden behind a carrier-grade NAT possibly?), thus making tunnelling back to a home network… trickier.

Otherwise, getting DS-Lite up and running for a test run was a breeze, one just had to install the ds-lite package, restart the device, then add a new connection of DS-Lite type, specify that the AFTR address is (or 2001:c28:5:301::11) and adjust firewall settings which I definitely did[3]. For some reason, this address is being kept as an industry secret 🤷‍♂️

  1. … that I didn’t end up using for the time being, oops 🫢 It would make tunnelling back into my home network with Wireguard… probably not impossible, but trickier. I might get back to it one day, though.

  2. I have stopped counting the hours I spent watching YouTube videos and trying to understand IPv6. Some fights are, indeed, futile. Also, it’s possible that the fact that they give you a /64 prefix might be a necessary prerequisite for DS-Lite to work? I wouldn’t know…

  3. Honestly, seeing how incomprehensible the firewall configuration is and how scary the consequences of an incorrect setup could be, this is the reason why I decided to forego a DS-Lite setup for now, and be happy with a regular dual-stack configuration. The dynamic DNS problem mentioned before – that I think I could work around, but getting the firewall configured just right will need more determination than I have right now.