That subject line is more a list of search keywords than anything meaningful. 😊 I wanted to put this out there months ago but was lazy and didn’t bother blogging.
My ISP is HyperOptic, who are great. Not only do they give amazing fiber speeds but they also give IPv6 (which the only other fiber provider in the UK – Virgin Media – do not yet provide). Thing is, I use the HyperOptic-provided router but then have a second router behind it (an Asus RT-AC68U running the excellent AsusWRT Merlin firmware). This second router is where I run NextDNS, local DHCP etc., and I want to stick with it rather than use the HyperOptic-provided router, which has less functionality. I suppose I could replace the HyperOptic router with this one, or move its functionality to one of my Raspberry Pis… but I also have this thing in my head of having an additional layer between the ISP router and my home network. Probably overkill, but it’s kind of along the lines of how you’d never expose a Windows machine to the public network directly, coz of course who’s going to trust that 🙀… in a similar vein I like having all my home machines behind a router whose firmware I trust and which I have more control over (I have no control over the HyperOptic (or before that Virgin Media) provided routers… sure I can do basic stuff like set a Wi-Fi password, DHCP range etc., but that’s it! Heck, with the HyperOptic one I can’t even set a /23 DHCP subnet if I wanted to… it’s just /24, live with it).
Anyhoo, the dual router setup worked fine but I couldn’t get IPv6 working, and I wasn’t sure how to configure it in this sort of setup. With IPv4 it’s straightforward because the HyperOptic router NATs the public IP to an internal IP on the Asus router, and that in turn NATs all my machines behind it. This is probably a bad setup to begin with because I don’t think double NATing is a good idea; I am not 100% sure, but I remember reading something along those lines and that it causes port exhaustion. Additionally, HyperOptic does Carrier Grade NAT for IPv4, so I don’t really have a public IPv4 address from them – it is a public IPv4 address from the CGNAT pool (adding yet another NAT layer, not good I guess).
I don’t know if all this NATing is good or bad. Anecdotally I think it had a negative impact, as I did notice connections taking a while sometimes. It’s not that speed tests were slow, or that streaming or downloads were slow; but sometimes opening a website would hang for a bit, or streaming something from Netflix would have a delay before it started… all of which are symptoms of port exhaustion. I figured it was time to get IPv6 sorted as that should address this issue.
With IPv6 I can’t assign a private pool of IPv6 addresses to my home network. They have to be public. The HyperOptic router is assigned a prefix and everything behind it gets IPv6 addresses from that prefix. The WAN side of the HyperOptic router had a prefix like “2a01:4c00:8209:d500::/56” in my case. If I connected a device to the HyperOptic router it would get an address from a /64 subnet within the above prefix. The Asus router too, connected to the HyperOptic router, had a /64 address on its WAN side. This stumped me for a while because if the WAN side of the Asus router had a /64 then I couldn’t hand out any addresses from the Asus router to my home network, as they’d all have to come from subnets smaller than a /64 (i.e. prefixes longer than /64), and IPv6 does not like LAN prefixes longer than /64 (SLAAC expects a /64 per segment).
That was the first problem. The second problem was that while the HyperOptic router showed the above prefix on its WAN side, there was no address I could see on it. From an external IPv6 VM I pinged the “2a01:4c00:8209:d500::1/64” address and that responded – so I guess that’s the HyperOptic router’s WAN side IPv6 address.
I poked around in the DHCPv6 section of the HyperOptic router but there was nothing I could tweak. It simply gave out addresses based on that prefix; there was no option to, say, hand out a /60 instead of a /64 (the thinking being that this way the Asus router would have a /60 on its WAN side and could distribute /64s on the LAN side to all my machines). I raised a ticket with HyperOptic but I don’t think they’ve had many requests like this, as it took a long time with them escalating to 3rd line etc., and the final response was that they can’t change anything.
I tried to do things like set a static IPv6 address on the WAN side of the Asus router from a /60 subnet (off the /56 subnet HyperOptic was getting), hoping the HyperOptic router would see that and “magically” start working 🙂 but it didn’t. I tried assigning static /64 addresses anyway to my home machines (either manually or via an IPv6 SLAAC server on the Asus router (using dnsmasq)) but that didn’t help – the HyperOptic router refused to route back to these addresses as it didn’t know them (they were behind the Asus router). I tried fiddling with the Neighbour Discovery protocol settings on the Asus router to see if there was anything I could do there… but nope, nothing helped.
Eventually I managed to fix it; and the fix was so simple I feel stupid for not having discovered it in the first place.
On the Asus side I have the following options for IPv6:
The Native and Static IPv6 options had been what I was fooling around with so far. I wasn’t sure what Passthrough is. But towards the end, in the spirit of troubleshooting by clicking whatever buttons you see and selecting whatever options you have, I selected Passthrough… and boom, it worked!
It turns out that once you select Passthrough, the Asus router bridges its WAN and LAN interfaces for IPv6. So the Asus router no longer acts as a router for IPv6; it is like a bridge… it simply passes along whatever IPv6 addresses HyperOptic dishes out on its LAN side. When my home clients ask for an IPv6 address, the request is passed on via the Asus router to HyperOptic, which assigns an IPv6 address that is passed back. All my home clients thus have public IPv6 addresses from the HyperOptic prefix even though they are behind the Asus router.
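As an added illustration (not part of the original post), here is a small Python model, using only the standard ipaddress module, of the two problems above: why a /64 on the Asus WAN side leaves nothing to route to the LAN, why a /60 delegation would have, and why hand-picked addresses from the /56 were unreachable until Passthrough put the clients on the ISP router’s own /64. Only the /56 and the /64 come from the post; the /60 and the sample client addresses are constructed.

```python
import ipaddress

# Prefixes from the post. The /60 is a constructed example of the delegation the
# post hoped for (HyperOptic did not offer it); it is the second /60 of the /56.
ISP_PREFIX = ipaddress.IPv6Network("2a01:4c00:8209:d500::/56")
ASUS_WAN_LINK = ipaddress.IPv6Network("2a01:4c00:8209:d500::/64")
WISHED_DELEGATION = ipaddress.IPv6Network("2a01:4c00:8209:d510::/60")


def routable_lan_prefixes(delegated, wan_link, lan_len=64):
    """/64s a downstream router could route to its LAN from a delegated prefix.

    SLAAC wants a /64 per LAN segment, so anything longer than lan_len yields
    nothing, and the /64 that is the WAN link itself cannot be reused behind
    the router. With only a /64 on the WAN side, the list is empty.
    """
    delegated = ipaddress.IPv6Network(delegated)
    if delegated.prefixlen > lan_len:
        return []
    return [n for n in delegated.subnets(new_prefix=lan_len) if n != wan_link]


def inside_isp_prefix(addr):
    """True if addr is one of the ISP's /56 addresses (looks valid on paper)."""
    return ipaddress.IPv6Address(addr) in ISP_PREFIX


def isp_router_routes_back(known_prefixes, addr):
    """Toy model of the ISP router's routing table.

    It only has routes for prefixes it assigned on its own links. A statically
    chosen address elsewhere in the /56 is inside the ISP prefix yet still
    unreachable from the Internet, which is what the post observed.
    """
    addr = ipaddress.IPv6Address(addr)
    return any(addr in net for net in known_prefixes)


if __name__ == "__main__":
    print("native, /64 on WAN:", len(routable_lan_prefixes(ASUS_WAN_LINK, ASUS_WAN_LINK)), "LAN /64s")
    print("wished /60 on WAN :", len(routable_lan_prefixes(WISHED_DELEGATION, ASUS_WAN_LINK)), "LAN /64s")
    static_client = "2a01:4c00:8209:d510::10"     # constructed: hand-picked from the /56
    bridged_client = "2a01:4c00:8209:d500::abcd"  # constructed: SLAAC on the ISP's /64 via Passthrough
    for label, ip in (("static", static_client), ("passthrough", bridged_client)):
        print(label, "in /56:", inside_isp_prefix(ip),
              "routed back:", isp_router_routes_back([ASUS_WAN_LINK], ip))
```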
For what it’s worth, I feel that my Internet performance has improved too after switching to IPv6, as I don’t see the occasional slowness anymore.