Assigning IPv6 addresses to static hosts only

I want to turn off dynamic DHCPv6 address assignment. Addresses with a known DUID/MAC should get a static IP address, all other devices should not (i.e. IPv4 only).

I've turned off SLAAC, and defined the static hosts I want by DUID, but I'm unable to figure out how to stop other hosts from grabbing randomly assigned IPv6 addresses.

Static IP addresses are configured on the host; they are not obtained or "gotten" via a DHCP(v6) server. In that regard, the "static address" configuration in the web GUI is a misnomer.

In other words, you cannot both turn off DHCPv6 and also leave it enabled to assign addresses using that method.

Even if you want to assign static addresses, please do not disable RA at all. If you want to not allow clients to use a prefix for address selection, then just disable that bit. Full-featured RA software like radvd or bird2 can do that.
But even statically assigned hosts profit from auto config like DNS nameserver or available gateways.

OK, perhaps there's a better way to go about what I'm trying to achieve. I'm trying to 'soft-brick' network traffic for devices I haven't set entries for in DNSMasq (doesn't have to be uncircumventable, just needs to be obvious when something isn't tagged, I don't care about MAC cloning). Fairly straightforward to do with IPv4, but now with IPv6 I have devices assigning themselves addresses and using IPv6 stack only, trying to stop that.

Just block traffic with the firewall?
Or buy enterprise grade switches which offer some security features to prevent traffic directly on the switch level...
But why can't you use the firewall?

Suppose I could just use a MAC whitelist on the firewall, since what I care about is not having untagged MACs. I was trying to avoid having to figure out how to generate an IP set from the DHCP config file.

Is there some requirement these devices remain in the same network as the devices with Internet connectivity?

In other words, could you create a second LAN?


I realize with IPv4, you can specify the amount of IPs in the pool and limit them to those on the Static list. Not sure IPv6 does that.

If you want clients to not use SLAAC for auto address selection, just set that bit in the router advertisement. But you need a fully featured RA daemon for that.

I do want the devices to have an internet connection, I just want them to be tagged with a hostname first. MAC rotation is happening on some devices (out of my control) often enough that it screws with that, so cutting off internet until the device in question gets the tag updated to its new MAC is what I settled on for IPv4. Dual stacking IPv6 broke that.

I can't follow.

This thread started with:
You want to have hosts on IPv6 with only "static" addresses. Be it via DHCPv6 or static configuration on the host, right?

And I said 2 times: Disable the auto address selection bit on the Router Advertisement.

And I said: This cannot be done with the default software on OpenWrt, and you have to use either bird2 or radvd.

With bird2, see https://bird.network.cz/?get_doc&v=20&f=bird-6.html#ss6.14

Which you just need to disable.

Then a client can only obtain an address via DHCPv6 or when statically configured on the host's OS.
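
For the firewall MAC-allowlist route raised earlier in the thread, the sketch below derives an nftables set from the static-host entries already kept for dnsmasq. It is an added example, not code from any poster or from OpenWrt; it assumes the UCI layout of `/etc/config/dhcp` (`config host` sections with `option mac` or `list mac`), and the function names, the set name `tagged_macs` and the sample config are constructed for illustration.

```sh
# Added example. Assumes OpenWrt's UCI layout for /etc/config/dhcp;
# the set name "tagged_macs" and the sample data are hypothetical.

# Print each valid MAC from "config host" sections: lower-cased, de-duplicated.
extract_macs() {
    awk -v q="'" '
        function valid(m,   p, n, k) {
            n = split(m, p, ":")
            if (n != 6) return 0
            for (k = 1; k <= 6; k++)
                if (p[k] !~ /^[0-9a-f][0-9a-f]$/) return 0
            return 1
        }
        $1 == "config" { t = $2; gsub("[" q "\"]", "", t); in_host = (t == "host") }
        in_host && ($1 == "option" || $1 == "list") && $2 == "mac" {
            for (i = 3; i <= NF; i++) {        # one option may hold several MACs
                m = tolower($i)
                gsub("[" q "\"]", "", m)       # strip UCI quoting
                if (valid(m) && !seen[m]++) print m
            }
        }
    ' "$1"
}

# Emit an nftables named set; an empty allowlist omits the elements line.
emit_set() {
    extract_macs "$1" | awk '
        { sep = (NR > 1) ? ", " : ""; list = list sep $0 }
        END {
            print "set tagged_macs {"
            print "    type ether_addr"
            if (NR) print "    elements = { " list " }"
            print "}"
        }'
}

# Constructed sample config (not from the thread).
sample_config() {
    cat <<'EOF'
config dnsmasq
    option mac 'de:ad:be:ef:00:00'
config host
    option mac 'AA:BB:CC:00:11:22 aa:bb:cc:00:11:23'
    option duid '000100012a2b3c4d'
config host
    option mac 'aa:bb:cc:00:11'
EOF
}

if [ -n "${1:-}" ]; then emit_set "$1"; fi
```

Malformed entries (such as the five-octet MAC in the sample) are dropped rather than passed to the firewall, so a typo in a host entry shows up as a blocked device instead of a ruleset load error.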