My OpenWrt IPv6 Configuration

Notes on how I set up IPv6 on my OpenWrt router.
Covers SLAAC for Android, firewall rules, and how it works with Docker and NPMplus.
Just a reference for my own setup.

My Network

• WAN
  • ISP: Viettel
  • IPv6 prefix: 2001:1900:iced:cafe::/64
• Host
  • MAC: bb:bf:1b:71:fe:20 (example)
  • IPv6 address: 2001:1900:iced:cafe:b9bf:1bff:fe71:fe20 (calculated via EUI-64)

OpenWrt Config

Interfaces → WAN

• Advanced Settings
  • Delegate IPv6 prefixes: ✅
• DHCP Server → IPv6 Settings
  • RA-Service: disabled
  • DHCPv6-Service: disabled
  • NDP-Proxy: disabled

Interfaces → LAN

• Advanced Settings
  • Delegate IPv6 prefixes: ✅
• DHCP Server → IPv6 Settings
  • Designated master: ❌ (unchecked)
  • RA-Service: server mode
  • DHCPv6-Service: disabled
  • Announced IPv6 DNS servers: null
  • Local IPv6 DNS server: ✅
  • Announced DNS domains: null
  • NDP-Proxy: disabled
• IPv6 RA Settings
  • Default router: automatic
  • Enable SLAAC: ✅
  • RA Flags: other config (O) (set to none for Android compatibility)
  • NAT64 prefix: null

Firewall → Traffic Rules

Allow-IPv6-HTTP

• General Settings
  • Name: Allow-IPv6-HTTP
  • Protocol: TCP
  • Source zone: wan
  • Source port: any
  • Destination zone: lan
  • Destination address: ::b9bf:1bff:fe71:fe20/-64
  • Destination port: 80
  • Action: accept

• Advanced Settings
  • Restrict to address family: IPv6 only

Allow-IPv6-HTTPS

• General Settings
  • Name: Allow-IPv6-HTTPS
  • Protocol: TCP, UDP
  • Source zone: wan
  • Source port: any
  • Destination zone: lan
  • Destination address: ::b9bf:1bff:fe71:fe20/-64
  • Destination port: 443
  • Action: accept

• Advanced Settings
  • Restrict to address family: IPv6 only

Docker

Not configured yet.
Maybe enable IPv6 and assign an IPv6 address to the NPMplus container, and use a link-local address for the reverse proxy. Need to read more docs.

Temporary solution: run the NPMplus container in host mode — Nginx will automatically handle IPv6-to-IPv4.
I run separate GoDNS containers to update both IPv4 and IPv6 addresses to Cloudflare.

Tools

• EUI-64 Calculator
• ping.pe — for testing
• go-httpbin — for testing

References

• IPv6 configuration
• Dynamic prefix forwarding — negative netmask notation /-64