Pihole and Cisco RV340 not working for IPv6

Hello everybody.

I have an RV340 load balancing 2 ISPs. In my LAN I have an Ubuntu server with Pihole, responsible for DHCP and DNS servers. I confirmed that RV340's DHCP is disabled. IPv6 isn't working.

I'm pretty new on IPv6 settings and am kinda confused yet. I now need IPv6, because I have some services on my server that I wanna reach from outside, and one of my ISPs is using CGNAT and I can't use port forward in it by IPv4. When the other ISP starts doing the same I'll become unreachable.

Expected Behaviour:

Every device on network should ping each other's IPv6, ping internet hosts and IPv6 tests should report success.

Actual Behaviour:

Each ISP modem reports a 2804: IP which I'm able to trace from Tracing Tools - IPv6 Traceroute, but https://ipv6-test.com reports IPv6 isn't supported.

One modem is able to trace route outside IP, the other fails because its diagnostic parses IPv6 as a domain and tries to resolve it.

Every PC on LAN is able to ping each other and all of them have a fe80: Link-Local IP. RV340 on the other hand on its LAN > VLAN settings reports its IP is fec0::1. This IP fails ping on every device, and its diagnostic fails pinging any device IP.

As they are all set to get IP automatically, I think Pihole is giving them IPs on different subnet from router.

I don't see in it where to set IP on router, only prefix, so I'd rather setup pihole to use its subnet than change it.

Debug Token:

https://tricorder.pi-hole.net/wlvjeb9l8y

Sorry I haven't had much time to handle this.

I connected my laptop directly to one of the modems, and ipv6-test passed. So it's some misconfiguration between RV340 and Pihole.

I'm still pretty noob on IPv6, I started to worry about it when I was trying and failing to forward ports from this IP to my server, while the other ISP was working. While trying to figure it out I discovered I'm in a CGNAT, then tested how IPv6 is working so I could just ignore IPv6 and discovered it's broken.

Forgetting about 2 ISPs and load balancing, I suppose that any residential modem receives a dynamic IPv6 address range and uses DHCP to distribute addresses to every device. Somehow Pihole should discover this range from modem and do its DHCP thing. Which it's doing wrong, what causes devices to be able to ping each other but fail to see router and reach internet.

I have no idea at all how this should work when there are 2 ISPs providing 2 distinct ranges and router is load balancing.

This is beyond what we are able to support. Try taking the Pi-hole out of the network and trying to get a client to behave as you would like first to make sure it's even possible.

So should I re-enable DHCP on router and stop pihole first, let all devices update their IPs and see how they behave?

I know this is a very uncommon setup, I was reading another thread here from 2018 where the guy was just trying to get IPv6 working and few ppl were able to replicate it. Any help I get is much appreciated.

The DHCP server in Pi-hole for IPv6 is meant for distributing ULA range address for the local network. It needs a static pool of addresses to distribute. It sounds like you are trying to get a prefix delegated from the ISP(s) and then have the Pi-hole distribute addresses based on the prefix delegated.

We can support configuring the DNS portion of Pi-hole and the debug shows that queries to the Pi-hole on the IPv4 and the IPv6 link local are returning the correct null response but designing complex network topologies is way too involved and beyond the scope of our support.

Yes, I'm asking help to figure out if I did something wrong in my Pi-hole configuration and it's failing to get a prefix from router, or if it's the router that's not providing it.

Almost 2h ago I stopped Pi-hole and enabled router's DHCP, after adding all static IPs to its table. DHCP was enabled separately for IPv4 and IPv6.

On the PC I'm testing, neither IPv4 nor IPv6 addresses have changed so far, I ran ipconfig with /release and /renew a couple of times. I've set its IPv4 lease to only 5min and PC accordingly reports its lease expiration a few minutes in the future. IPv6 range I left blank as I don't know what to put in it. I suppose I shouldn't manually copy a prefix from a modem.

So far this IP reports DHCP enabled, the only IPv6 addr reported is a link-local starting with fe80: and its gateway also starts with fe80: and it's pingable. ipv6-test fails.

So, is the issue on the router? Or it's like this because I left DHCP ranges blank? I'll wait till tomorrow to see if anything changes.

hikari "IPv6 range I left blank as I don’t know what to put in it."

You need to get this working before you put Pi-hole in the mix.
I'm using dhcp6 with pd in my network. I don't even bother with pihole's dhcp.

I finally got it working. I didn't have DHCP-PD set in my VLAN. I upgraded RV340's firmware to try to fix it - wasn't needed in the end, but also didn't hurt, just took a lot of time to sort configs - and in the end I had to turn one of my modems to bridge so that RV340 would grab its prefix and provide it to VLAN's DHCP6.

I'm now able to ping OpenDNS's 2620:119:35::35.

After these tests I disabled router's DHCP4 again and started pihole back up.

I'm gonna google and read more about pihole/dnsmasq and DHCP6. My objective now is to bind my devices' names to their IPv6 addrs. IDK if I'm able to set them fixed in pihole as I do with IPv4. I'll also keep track if my ISP changes my prefix.

:+1: gj always feels good

That shouldn't change given the number of v6 addresses that exist.

A few hours later and basic IPv6 is working:

  1. Win10 reports 1 link-local address and 3 global IPv6 addresses being one temporary (IDK why 3 addresses and what this temporary means). One of them is the one reported on ipv6-test, so I have a valid global address working.

  2. Win10 is able to trace route to OpenDNS and ISP's DNS addresses.

  3. Ubuntu (where pi-hole runs) reports 5 global addresses and 1 link-local (scopeid 0x20).

  4. It is also able to trace route said DNS and having ipv6-test's address.

As you can see below, DHCP for IPv4 is disabled on the router and enabled from IPv6 and using global prefix.

This is the VLAN edition page on the router:

As you can see, for IPv4 I have router's IP set and DHCP disabled.

IPv6 DHCP is enabled and using ISP's modem provided DHCP-PD global prefix. Doing so, I'm able to set range and DNS, which is using ISP's global prefix.

Here's where it gets tricky, I can't find where to set static IPv6 addr for my server.

Reading Use IPv6 ULA addresses for Pi-hole - #12 by DanSchaper, we are suggested to set fixed ULA address for pi-hole server, to avoid having its address changed every time ISP changes our global prefix, or use a script on cron from jpgpi250 to handle global prefix changes.

As you can see on the images, I have nowhere on router's DHCP to set ULA. I have to choose either a fixed prefix (IDK if it's link-local or ULA) or DHCP-PD from WAN.

I see some approaches from now, and would like advice on what to do.

  1. Find some way for router to push its WAN DHCP-PD to pi-hole, disable router's IPv6 DHCP and enable pi-hole's. Based on what I read on that link, this seems to not be possible.

  2. Keep router responsible for IPv6 DHCP as it is now, find out how to setup pi-hole as a second DHCP, responsible for ULA, and how to make each device get a global address from router and a ULA from pi-hole. Then setup router to point to pi-hole as DNS.

  3. Setup fixed link-local addresses on each device, and have pi-hole resolve LAN names into these addresses.

  4. Get jpgpi250's script working, and change all devices' address every time ISP changes my global prefix.

These 4 options seem troubling. If IPs change, every connection on LAN will fail until I find new ones and update everything. For example, I have Transmission Remote GUI on my Main PC connected to daemon on my Ubuntu server. I have putty connected to this server and to my NAS, I have SMB network mappings from NAS to Main PC, server, etc. If these IPs change, I'd need to update all settings with some being time consuming. Also, if pi-hole's IP changes and I have router's DHCP pointing to it, everybody will be unable to resolve names until I update router's config and it propagates. So option 4 must be discarded.

Option 2 seems also not possible, as my router seems unable to handle ULA addresses parallel to global prefix/DHCP-PD ones. I suppose it's not possible to have 2 IPv6 DHCP servers on the same LAN either, or it would have been suggested on that thread.

This leaves me with option 3, and setup fixed link-local address on each device, and have pi-hole resolve LAN names into these addresses. But this solution is very ugly, as I don't have central setup of all addresses and some devices such as Android phones don't seem to offer that.

Windows also offers option of obtaining address or setting it up, so I think if I try to set a link-local I'll lose global address.

I also need to reach my server from outside. I suppose I could setup no-ip client on it and hope it updates both IPv4 and IPv6 global addresses.

I really don't know what to do now. I apologize for being noob on IPv6 and thank any help I could get.

This sounds less bangheadable. I'm pretty sure noip can handle v6.

Is there any way at all for dnsmasq (or the software pi-hole uses as DHCP server, sorry if I'm wrong) to receive DHCP-PD from a remote router, and use it to distribute IPv6 global addresses and/or ULAs?

IDK if I'm doing anything wrong, but pi-hole's DHCP page only allows 1 record for a given MAC address. When I try to add the same again, say it to add a second domain to it pointing to the same IP, I'm not allowed.

not afaik
I use dd-wrt for this.

Pi-Hole uses dnsmasq for DNS resolution and DHCP. You can check the dnsmasq mailing list and forums and manual page to see if this is within the capability of dnsmasq.

http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

@drewski could you post screenshots of your dd-wrt settings? Do you use its DHCP server for both IPv4 and IPv6?

Ipv6 Tab

Dhcp6c custom:Enabled

Dhcp6c config
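```
interface vlan2 {
  send rapid-commit;
  send ia-pd 1;            # request a delegated prefix (IA_PD 1) on this interface
};

id-assoc pd 1 {
  prefix ::/56 infinity;   # hint: ask for a /56
  prefix-interface br0 {
    sla-id 0;              # subnet number appended to the delegated prefix
    sla-len 8;             # 56 + 8 bits = one /64 per bridge
  };
  prefix-interface br1 {
    sla-id 1;
    sla-len 8;
  };
  prefix-interface br2 {
    sla-id 2;
    sla-len 8;
  };
};
```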

dnsmasq

```
interface=br0,br1,br2
domain=lan
local=/lan/
listen-address=192.168.1.2
# IPv6: constructor takes the prefix from the address currently on each bridge;
# ra-stateless means clients use SLAAC addresses plus stateless DHCPv6
dhcp-range=::10,::200,constructor:br0,ra-stateless,ra-names,12h
dhcp-range=::10,::200,constructor:br1,ra-stateless,ra-names,12h
dhcp-range=::10,::200,constructor:br2,ra-stateless,ra-names,12h
# IPv4 pools, one per bridge
dhcp-range=br0,192.168.1.100,192.168.1.150,255.255.255.0,24h
dhcp-range=br1,192.168.0.100,192.168.0.150,255.255.255.0,24h
dhcp-range=br2,192.168.2.200,192.168.2.250,255.255.255.0,24h
# Option 3 = default gateway, option 6 = DNS server
dhcp-option=br0,3,192.168.1.2
dhcp-option=br1,3,192.168.0.1
dhcp-option=br2,3,192.168.2.2
dhcp-option=6,192.168.1.115
server=2607:fcc8:720c:7300::
dhcp-authoritative
cache-size=10000
expand-hosts
no-resolv
filterwin2k
enable-ra
ra-param=*,10,300
quiet-ra
quiet-dhcp
quiet-dhcp6
```

^
^
I decided to add a little sauce for anyone who stumbles across this post.

Hope this can help point you in the correct direction

P.S
This dnsmasq config lets my router perform some lookups locally.

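
How the `sla-id`/`sla-len` settings and the `constructor:` ranges posted above turn one delegated prefix into per-bridge /64s, as an added example that is not part of the original posts. The delegated /56 is a constructed value from the 2001:db8::/32 documentation range, and the function names are hypothetical; `scope()` also sorts the address kinds mentioned in this thread (fe80:, fec0:, ULA, global).

```python
import ipaddress

# Constructed sample: a /56 such as an ISP might delegate (documentation range).
DELEGATED = ipaddress.IPv6Network("2001:db8:1234:ab00::/56")
ULA = ipaddress.IPv6Network("fc00::/7")


def subnet_for(delegated, sla_id, sla_len):
    """Apply dhcp6c's sla-id/sla-len to a delegated prefix."""
    new_len = delegated.prefixlen + sla_len
    if new_len > 64:
        raise ValueError("resulting prefix would be longer than /64")
    if not 0 <= sla_id < 2 ** sla_len:
        raise ValueError("sla-id does not fit in sla-len bits")
    base = int(delegated.network_address) | (sla_id << (128 - new_len))
    return ipaddress.IPv6Network((base, new_len))


def constructed_range(subnet, start="::10", end="::200"):
    """Expand a dnsmasq 'constructor:' range: interface prefix + host part.

    With ra-stateless, clients still pick SLAAC addresses; the range mainly
    tells dnsmasq which prefix on the interface to serve.
    """
    net = int(subnet.network_address)
    lo = ipaddress.IPv6Address(net | int(ipaddress.IPv6Address(start)))
    hi = ipaddress.IPv6Address(net | int(ipaddress.IPv6Address(end)))
    return lo, hi


def scope(addr):
    """Classify the address kinds that come up in this thread."""
    ip = ipaddress.IPv6Address(addr)
    if ip.is_link_local:
        return "link-local"
    if ip.is_site_local:
        return "site-local (deprecated)"
    if ip in ULA:
        return "ULA"
    return "global" if ip.is_global else "other"


if __name__ == "__main__":
    for iface, sla_id in (("br0", 0), ("br1", 1), ("br2", 2)):
        net = subnet_for(DELEGATED, sla_id, 8)
        lo, hi = constructed_range(net)
        print(f"{iface}: {net}  range {lo} - {hi}")
    for a in ("fe80::1", "fec0::1", "fd12:3456:789a::1", "2620:119:35::35"):
        print(a, "->", scope(a))
```

When the ISP changes the delegated prefix, only `DELEGATED` changes; the subnet numbers and host parts stay the same, which is why the dnsmasq ranges are written without a prefix.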

Thanks a lot. I'm gonna read its man and understand its options. I finally started to figure out how global prefix is sent over network from WAN to DNS server.

I'm getting more and more disappointed with Cisco and RV340. I was looking today if it's possible to connect to it by SSH, to see if this way I can enable ULA, and mostly what I found was users on official forum trying to figure out how to crack it down, some claiming Cisco had locked SSH, and no Cisco representative at all to confirm that or explain how it's done.

I've already started inspecting for solutions to run load balancing on Ubuntu and planning to build a gateway server next year. I'd rather have an AMD64 CPU and Ubuntu with all its support and packages than some ARM or WRT which has less resources and fewer userbase.

It's a lot to learn and do but I hope it will be worth it. Thanks again for the help!

Np.. I'm not even going to pretend to understand an ⅛ of v6. I was just lucky to get it going I suppose. Sucks that Cisco locked that box down like that. GL man
