My provider issues a /48 prefix to my Fritz!Box modem/router. I wanted to use prefix delegation (PD) in my underlying network to distribute IPv6 connectivity. It took some trial and error to get this working, but I succeeded. Here’s how.
Yes, I have a wonderful Internet provider that gives me a /48 prefix on the IPv6 side. That is an enormous address space to hand out (65536 networks!), so configuring this correctly on my Ubiquiti-based network was important.
However, this wonderful Internet provider does not supply an equally wonderful modem. It is the FritzBox 7581, which has some caveats here and there. Google for DECT issues, for instance, or Port Forwarding issues. Brr.
That is why I prefer to delegate a lot of the real networking tasks to my Ubiquiti (Unifi) based setup. I have a USG (3P, the non-PRO version), and a 24-port 250W PoE switch, as well as a UC-AC PRO for wireless access.
IPv6 support was added in the new controller version, albeit in an “ALPHA” state, meaning that users should expect bugs.
Enable IPv6 and PD on the USG
First things first. Follow this guide in order to enable the Ubiquiti stuff for IPv6. If your modem/router is correctly set up, this means your USG will have IPv6 connectivity on the WAN connection. To really verify this, you need proper CLI access to the USG. Verify the (outbound) IPv6 connectivity by issuing a ping6, like
ping6 www.google.com
If there is a response, it means outward connectivity is established.
Enable IPv6 on your internal network
First, it is a good idea to have a rough plan of the IPv6 subnets in your internal network. I run several VLANs on IPv4, and I would like to propagate this idea into IPv6 subnets. Use one of the excellent subnet calculators out there to plan for address spaces. I run 5 separate networks (management LAN, Office LAN, Multimedia LAN, guest LAN and IoT LAN), so I need at least 5 networks (in IPv6 speak, five /64 address blocks), which will fit nicely in the 65536 networks my ISP allocated me 🙂
In the NETWORKS menu in your controller, pick the first network you want to configure and scroll down to the IPv6 part. Prefix Delegation should be pre-selected for you, and there is very little that you actually need to configure, except the Prefix ID, and whether or not to enable the Router Advertisements.
Because one of the nice things of IPv6 is its autoconfiguration ability, it is imperative that you enable the router advertisements, and DISABLE the DHCPv6 server. You don’t want a central agency handing out addresses, you want the client to discover its own address, based on the router it is connected to! Here’s how my Management LAN is configured:
I chose 1 for the prefix-id, because this is also the VLAN indicator…
Make the connections
And then you find out it doesn’t work. Clients only have the link-local address and no IPv6 connectivity. Now what?
Time to do some troubleshooting. Let’s open up a CLI to the USG. Do this directly, if you are connected to the same network, or use the controller (and create a session via a switch, for example).
show ipv6 route
show interfaces
These should give you details on the IPv6 status. As we already confirmed in the first step, there should be at least one (the eth0-interface, or WAN) that has a /128 address, because we established basic IPv6 connectivity. If not, please start from the top of this post.
And, because it doesn’t work, all other networks listed should only have IPv4 addresses. Now, what is wrong?
My go-to command is
cat /var/log/dhcp6c.log
that will display what is happening on the IPv6 side. Which will lead into:
Checking the prefix delegation size
As you remember, my provider allocates me a /48 block, as seen in this snippet from my FritzBox:
So, logically, I configured my USG to a prefix-size of /48, right?
Wrong. This is the prefix size my ISP allocates me. However, I found out through inspection of the dhcp6c.log, that apparently, this is not true:
The message add_ifprefix: invalid prefix length apparently tells us that the requested prefix does not match the prefix available. In my case, I resorted to a little trial and error, increasing the prefix size and eventually ending up at /60. This means 16 networks. That is a far cry from 65536, but the result in the log is better:
And also the ipv6 routes are then populated:
And note that the USG is handing out /64 (one network) to the LANs.
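The arithmetic behind the /48 versus /60 result, as an added example that is not part of the original post: it computes which /64 each LAN gets from a delegated block and rejects prefix IDs that the block cannot hold. The 2001:db8 documentation prefix, every prefix ID other than 1 for the management LAN, and the function names are assumptions; prefix IDs are treated as plain integers.

```python
import ipaddress

# Prefix IDs per LAN. Only "management": 1 comes from the post; the rest are constructed.
LANS = {"management": 1, "office": 2, "multimedia": 3, "guest": 4, "iot": 5}


def available_64s(delegated):
    """Number of /64 networks contained in a delegated IPv6 block."""
    block = ipaddress.IPv6Network(delegated)
    if block.prefixlen > 64:
        raise ValueError(f"{delegated} is smaller than a single /64")
    return 2 ** (64 - block.prefixlen)


def lan_prefixes(delegated, prefix_ids):
    """Map each LAN name to the /64 its prefix ID selects inside the delegated block."""
    block = ipaddress.IPv6Network(delegated)
    count = available_64s(delegated)
    plan = {}
    for name, pid in prefix_ids.items():
        if not 0 <= pid < count:
            raise ValueError(
                f"prefix ID {pid} ({name}) does not fit: "
                f"/{block.prefixlen} holds only {count} /64 networks"
            )
        # The prefix ID occupies the bits between the delegated length and bit 64.
        base = int(block.network_address) + (pid << 64)
        plan[name] = ipaddress.IPv6Network((base, 64))
    return plan


if __name__ == "__main__":
    delegated = "2001:db8:0:10::/60"  # constructed stand-in for the block the USG receives
    print(delegated, "holds", available_64s(delegated), "/64 networks")
    for name, net in lan_prefixes(delegated, LANS).items():
        print(f"{name:12} {net}")
    # A prefix ID equal to a higher VLAN number fits a /48 but not a /60.
    try:
        lan_prefixes(delegated, {"cameras": 20})
    except ValueError as err:
        print("rejected:", err)
```

With a /60, prefix IDs 0 through 15 are usable, so tying the prefix ID to the VLAN number only works for VLANs in that range.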
TL;DR
Your ISP’s modem may not relay the full prefix that your ISP allocates you.
Inspect the USG’s log files to get a clue as to where things are going wrong.
Play around with the prefix sizes until it works for you.
Ha, I’ll be darned, ran into exactly the same thing with the /48. Thanks for your post!
Thank you for your post. Made my life a lot easier and helped me understand IPv6 a little bit more. I made a link to the article on my website!