Getting a ULA with ULA prefix removed

Hello, I'm trying to remove all ULAs on OpenWrt and have removed the ULA Prefix in LuCI. The option is empty when I run uci show and look through the output, or grep it for ula or anything else that could be connected to it, and I still get a ULA address; the address always has the prefix fd8d:9c44:d6fc:e31b::. I've tried to troubleshoot it, changing RA settings and so on, but it does not go away.

The only interface I have RA on is on the LAN. It's completely disabled for WAN.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru

Should be it!

ubus call system board
{
        "kernel": "5.10.176",
        "hostname": "Cornelis-Router",
        "system": "ARMv8 Processor rev 3",
        "model": "Raspberry Pi 4 Model B Rev 1.2",
        "board_name": "raspberrypi,4-model-b",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.5",
                "revision": "r20134-5f15225c1e",
                "target": "bcm27xx/bcm2711",
                "description": "OpenWrt 22.03.5 r20134-5f15225c1e"
        }
}
uci export network
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option device 'lan-bridge'
        option ip6weight '1'
        option delegate '0'
        list dns '9.9.9.9'
        list dns '149.112.112.112'
        list dns '2620:fe::fe'
        list dns '2620:fe::9'
        option ip6assign '64'
        option ip6ifaceid 'eui64'

config device
        option name 'eth0'
        option ipv6 '1'

config device
        option name 'wlan0'
        option ipv6 '1'

config device
        option type 'bridge'
        option name 'lan-bridge'
        list ports 'eth0'

config interface 'wan'
        option device 'eth1'
        option proto 'static'
        option ipaddr 'pubip'
        option netmask '255.255.255.192'
        option ip6gw '2a02:ipblock::65'
        option gateway 'ispgateway'
        option ip6prefix '2a02:ipblock::/56'
        list ip6addr '2a02:ipblock::66/64'
        list dns '9.9.9.9'
        list dns '149.112.112.112'
        list dns '2620:fe::fe'
        list dns '2620:fe::9'

config device
        option name 'eth1'
uci export dhcp; uci export firewall
package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option expandhosts '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list server '9.9.9.9'
        list server '149.112.112.112'
        list server '2620:fe::fe'
        list server '2620:fe::9'
        option confdir '/tmp/dnsmasq.d'
        option authoritative '1'
        option local '/local/'
        option domain 'local'
        option rebind_protection '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list dhcp_option '6,192.168.1.4,192.168.1.4'
        option ra 'server'
        list dns '2a02:localserverip'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dynamicdhcp '0'
        option master '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
there's several hosts here.

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'HTTP'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest_ip 'localserverip'
        option dest_port '80'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'HTTPS'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_ip 'localserverip'
        option dest_port '443'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'SMTP'
        list proto 'tcp'
        option src 'wan'
        option src_dport '25'
        option dest_ip 'localserverip'
        option dest_port '25'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'SMTP SSL'
        list proto 'tcp'
        option src 'wan'
        option src_dport '465'
        option dest_ip 'localserverip'
        option dest_port '465'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'SMTP TLS'
        list proto 'tcp'
        option src 'wan'
        option src_dport '587'
        option dest_ip 'localserverip'
        option dest_port '587'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'IMAP TLS/SSL'
        list proto 'tcp'
        option src 'wan'
        option src_dport '993'
        option dest_ip 'localserverip'
        option dest_port '993'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Plex'
        list proto 'tcp'
        option src 'wan'
        option src_dport '39487'
        option dest_ip 'localserverip'
        option dest_port '32400'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Synology Drive Server'
        list proto 'tcp'
        option src 'wan'
        option src_dport '6690'
        option dest_ip 'localserverip'
        option dest_port '6690'

config rule
        option family 'ipv6'
        list proto 'tcp'
        list dest_ip '2a02:ipblock'
        option dest_port '80'
        option target 'ACCEPT'
        option name 'HTTP'
        option src 'wan'
        option dest 'lan'

config rule
        option name 'HTTPS'
        option family 'ipv6'
        list proto 'tcp'
        list dest_ip '2a02:ipblock'
        option dest_port '443'
        option target 'ACCEPT'
        option src 'wan'
        option dest 'lan'

config rule
        option name 'SMTP'
        option family 'ipv6'
        list proto 'tcp'
        option src 'wan'
        option dest 'lan'
        list dest_ip '2a02:ipblock'
        option dest_port '25'
        option target 'ACCEPT'

config rule
        option name 'SMTP SSL'
        option family 'ipv6'
        list proto 'tcp'
        option src 'wan'
        option dest 'lan'
        list dest_ip '2a02:ipblock'
        option dest_port '465'
        option target 'ACCEPT'

config rule
        option name 'SMTP TLS'
        option family 'ipv6'
        list proto 'tcp'
        option src 'wan'
        option dest 'lan'
        list dest_ip '2a02:ipblock'
        option dest_port '587'
        option target 'ACCEPT'

config rule
        option name 'IMAP SSL/TLS'
        option family 'ipv6'
        list proto 'tcp'
        option src 'wan'
        list dest_ip '2a02:ipblock'
        option dest_port '993'
        option target 'ACCEPT'
        option dest 'lan'

config rule
        option name 'Plex'
        list proto 'tcp'
        option src 'wan'
        list dest_ip '2a02:ipblock'
        option dest_port '32400'
        option target 'ACCEPT'
ip -6 addr ; ip -6 ro li tab all | ip -6 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::ipblock/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a02:ipblock/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::ipblock/64 scope link
       valid_lft forever preferred_lft forever
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::ipblock/64 scope link
       valid_lft forever preferred_lft forever
5: lan-bridge: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a02:ipblock/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 2a02:ipblock/64 scope global deprecated dynamic
       valid_lft 5477sec preferred_lft 0sec
    inet6 fe80::ipblock/64 scope link
       valid_lft forever preferred_lft forever
0:      from all lookup local
32766:  from all lookup main
4200000000:     from 2a02:ipblock/64 iif lan-bridge lookup unspec unreachable

Hope I didn't hide too much.

OpenWrt doesn't have any ULA address configured. Although it should not be the cause, remove option master '1' from the wan section in dhcp.
Check for some rogue router/server sending RAs with the ULA prefix. Maybe you'll have to capture packets to locate the culprit.
opkg update; opkg install tcpdump; tcpdump -i lan-bridge -evn 'icmp6 && ip6[40] == 134'
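The filter matches ICMPv6 type 134, which is a router advertisement. Let it run for a few minutes to capture the RAs, then compare the source MAC address of each advertisement with the prefix in its prefix info option to locate the router advertising the ULA prefix.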


Okay, so I'm having a hard time reading the results. But definitely looks a bit sketch.

tcpdump: listening on lan-bridge, link-type EN10MB (Ethernet), capture size 262144 bytes
01:41:09.403136 MAC1 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 118: (hlim 255, next-header ICMPv6 (58) payload length: 64) fe80::ipblock > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 64
        hop limit 0, Flags [none], pref medium, router lifetime 0s, reachable time 0ms, retrans timer 0ms
          prefix info option (3), length 32 (4): fd8d:ipblock::/64, Flags [onlink, auto], valid time 1800s, pref. time 1800s
          route info option (24), length 16 (2):  fd1d:ipblock::/64, pref=medium, lifetime=1800s
01:41:36.502630 MAC2 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 174: (flowlabel 0xeb01d, hlim 255, next-header ICMPv6 (58) payload length: 120) fe80::ipblock > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 120
        hop limit 64, Flags [other stateful], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
          source link-address option (1), length 8 (1): MAC2
          mtu option (5), length 8 (1):  1500
          prefix info option (3), length 32 (4): 2a02:ipblock::/64, Flags [onlink, auto], valid time 3985s, pref. time 0s
          route info option (24), length 24 (3):  2a02:ipblock::/56, pref=medium, lifetime=1800s
          rdnss option (25), length 24 (3):  lifetime 1800s, addr: 2a02:ipblock
          advertisement interval option (7), length 8 (1):  600000ms
01:44:42.190620 MAC1 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 118: (hlim 255, next-header ICMPv6 (58) payload length: 64) fe80::ipblock > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 64
        hop limit 0, Flags [none], pref medium, router lifetime 0s, reachable time 0ms, retrans timer 0ms
          prefix info option (3), length 32 (4): fd8d:ipblock::/64, Flags [onlink, auto], valid time 1800s, pref. time 1800s
          route info option (24), length 16 (2):  fd1d:ipblock::/64, pref=medium, lifetime=1800s
01:46:41.124633 MAC2 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 174: (flowlabel 0xeb01d, hlim 255, next-header ICMPv6 (58) payload length: 120) fe80::ipblock > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 120
        hop limit 64, Flags [other stateful], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
          source link-address option (1), length 8 (1): MAC2
          mtu option (5), length 8 (1):  1500
          prefix info option (3), length 32 (4): 2a02:920:41c7:4200::/64, Flags [onlink, auto], valid time 3680s, pref. time 0s
          route info option (24), length 24 (3):  2a02:920:41c7:4200::/56, pref=medium, lifetime=1800s
          rdnss option (25), length 24 (3):  lifetime 1800s, addr: 2a02:ipblock
          advertisement interval option (7), length 8 (1):  600000ms

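MAC2 is your OpenWrt, MAC1 is the culprit: the advertisements from MAC1 carry the fd8d: ULA prefix in their prefix info option, while those from MAC2 carry your 2a02: prefix.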


What the actual shit, it's my Google Nest Display. Why the hell is it sending out RAs???


No idea, but I'm glad we found the problem.


Truly the same. Is there any firewall rule I can do to disable this in some way?

Found this thread in the meantime.

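Not if it is in the same LAN. The RAs are sent to the link-local multicast address ff02::1 and are delivered within the LAN segment without being routed, and traffic must pass through OpenWrt for the firewall to block it. Consider placing the Nest in another network/VLAN to isolate it.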


I'll have to look into setting up a VLAN with IPv6 disabled. How do I assign the device to the VLAN? I haven't looked into VLANs at all before.

Is it connecting by wire or wirelessly? If it is wireless, then you can only create a new SSID and assign it to another network in order to be isolated from the lan. Take as an example the guest wlan guide.

From my testing my WiFi has never worked if I set up another SSID. It often completely disabled my WiFi. It might be a limitation of the WiFi chip on the Pi.

No surprise, the wifi in RPi is very weak.

I'm gonna invest in an AP in the future. A bit unsure if I should get something like a UniFi or similar or go with a USB with external antenna cabling. Any recommendations? Would be nice to manage as much as possible with OpenWRT but the UniFi is more dedicated and probably in the end will have the most features and options to set for the WiFi.

I am quite happy with the Unifi myself for domestic and small office usage.
