Get IPv6 correctly through another router

Question

My ISP is Unitymedia NRW, Germany. It it a cable (like TV) ISP which has given me a Technicolor TC7200 modem/router. The ISP uses DS-Lite, so I only have a public IPv6 address, and no IPv4 address. This works, except that the modem/router has such limited options and can be managed remotely, that I would like to have my own router between the ISP and my home network.

When I just have the TC7200, my computer has the following global IPv6 addresses:

• 2a02:908:f421:7600:3c4e:c650:974c:ec49/64
• 2a02:908:f421:7600:f2de:f1ff:fede:a290/64

When I access pages like google.com or facebook.com the Firefox plugin “IPvFox” shows me that they indeed load over IPv6.

Now I bought a TP-Link WDR3600 router and set it between my computer and the modem, like route B here:

I set the WAN of the WDR3600 to obtain an IPv6 address via DHCPv6. That works, it gets an IP address. Then, it uses DHCPv6 to assign IPv6 addresses to the connected devices. That works as well, I get an IPv6 address on my computer. From inside out, those are the IPv6 addresses of the whole thing:

2a02:908:f421:7600:f2de:f1ff:fede:a290/128  Computer LAN
2a02:908:f421:7600:ea94:f6ff:fed4:2624/64   WDR3600 LAN
2a02:908:f421:7600::e/64                    WDR3600 WAN
2a02:908:f421:7600:ce35:40ff:fee0:9498/64   TC7200 LAN
2a02:908:f400:2:31c9:7cf5:eb4:75e2/128      TC7200 WAN

When I open google.com, it takes a very long time, then it loads the content quickly over IPv4. I assume that it tries via IPv6 but fails after a timeout. facebook.com is quickly loaded, but also over IPv4.

So I managed to break IPv6 connectivity. I really would like to have a router under my control between the ISP and my home network, but having no IPv6 connectivity seems like a bad idea.

In another forum (German), somebody mentioned that this behavior is expected from most routers. Except for routers running OpenWrt with the latest version, Barrier Breaker. Is there some way I can with the original firmware? They have a simulator online. You can go into the “IPv6 Support” and look at all the options that it has.

Answer 1

There is a vital piece of information missing here:

1. The router Technicolor 7200 does not support prefix delegation and neither bridging (13.10.14). It is disabled by Unitymedia Germany and KabelBW.
2. Prefix delegation is required for operating two routers behind each other, as seen here (read answers 1, 2 and 4e, this is from a CPE, I didn't find the actual spec): http://www.psg.com/lists/v6ops/v6ops.2008/msg00086.html

Knowing 1) and 2) you have to be clear about one thing: Because of the TC7200 inability to offer prefix delegation and because you cannot change your router, the only thing which can save you is some kind of hack. I doubt your WDR3600 will implement this hack (I don't think such a hack exists or is even possible).

---

Having said that, let's talk about at least a theoretical solution. Keep one thing in mind: ipv6 does not have NAT.

ipv4 works, because your router knows how to route it:

1. your pc requests a ipv4 package.
2. it goes to the WDR, the WDR rewrites the source, wiki: "When a computer on the private (internal) network sends an IPv4 packet to the external network, the NAT device replaces the internal IP address in the source field of the packet header (sender's address) with the external IP address of the NAT device" ( Google wikipedia, NAT Translation_of_the_endpoint)
3. The TC7200 does the same (and then routes it through unitymedias ds-lite system) When it comes back the opposite happens and your PC receives the packet.

--> NAT allows the package to traverse all routers, because the package knows at every step where to go.

ipv6

1. your pc sends a ipv6 package
2. your router forwards it as-is (maybe)
3. TC7200 same
4. it comes back
5. The TC7200 can't route it further, because your PC is behind the WDR and the TC7200 does not know it's there. It doesn't know how to route it further. It didn't delegate its subnet, so it's the master of all addresses of this subnet. If it did delegate its subnet, it would send the package to the next router the subnet was delegated to. It has no reason to contact your router.
6. Package dropped --> No NAT means that the target has to be in the routers own network unless that piece of the network was delegated to another router.

So the reason your setup doesn't work is: NAT doesn't exist. TC7200 doesn't know about other router, who took the same subnet.

In that sense I also disagree with the OpenWRT solution you posted: The solution you mentioned is best explained in this thread (I did not check the explanation for validity but it does make sense: URL: unitymediakabelbwforum)

Loose translation: "The OpenWRT solution doesn't bridge the interfaces, but reuses the same subnet prefix as the WAN (thus also breaking the ipv6 spec). Then you will have a router in between, which has its own ipv6 firewall, its own DNS, etc. (...) All this would not be necessary, if it would just support prefix delegation. (...)"

I don't know how this should be possible without OpenWRT faking the devices or bridging the networks to be honest (thereby undermining the whole router behind router idea). The ONLY possible solution I see is if the OpenWRT router would create a virtual bridged interface on the WAN interface with the mac address of every single DHCP-v6 Client and route all traffic 1:1 (through the firewall of course) to the bridged IP. That would make it known to the TC7200. I would ask the author of the forum post and maybe the OpenWRT devs about that solution.

Answer 2

Now that I think longer of it I am convinced that you have not configured the WDR3600 correctly. You must configure it to send out router advertisements on the LAN with an individual network prefix. Making an educated guess I see that you have the routing prefix 2a02:908:f421:7600::/56. That is, you have 256 subnet IDs at your disposal (of which 00 is already used). Pick another one for link "B" and configure the router accordingly.