I'm using an IPv6 prefix filter (wan6) on one of my LAN interfaces to restrict DHCPv6 addresses to my ISP's GUA since my ULA is being used by another interface for NAT6 purposes. This works great (only GUA is assigned) for anything that gets its addresses from DHCPv6 RA, however Android requires SLAAC to get an IPv6 address (no GUA is assigned when SLAAC is disabled).
If I enable SLAAC, my Android devices get both the GUA and the ULA that I am trying to avoid. Is there any way to get SLAAC to stop handing out my ULA?
My main concern (security) can be rectified with firewall zones even if the ULA is present on those devices, but I just don't like that they are getting a ULA in the first place, and I'm not sure if it adds overhead to outbound queries. Presumably Android is smart enough to prefer the GUA over the ULA, but I'd rather just manually control this, especially since the ULA isn't a "true" ULA in the context of NAT6 (i.e. it isn't prefixed with "f" and is actually meant to act as a preferred default route on my other VLANs).
SLAAC and ip6class are not connected. If you don't assign a ULA on the interface with ip6class=wan6 then the RA will not contain the ULA prefix.
Post the configuration to make sure you have it right. uci export network; uci export dhcp; ip -6 addr
That's on my vpn interface, where I actually want SLAAC/RA ULA (for NAT6). I'm concerned about my lan interface and not exposing it to the NAT6 ULA.
It is a ULA...I'm not sure how NAT6 is related...I assume that's what it uses...I never deeply studied technologies that went "backwards"
NAT6 requires that the ULA be changed from an f* prefix to "something else" (in this case d*) so that clients will pick it up as the default route in the absence of GUA. This is how my vpn interface needs to work since I am assigned a /128 from my provider. I just want my LAN interface to ignore this completely, which is attainable with RA but not SLAAC, apparently. I would disable SLAAC but then I don't get any IPv6 on Android.
So I'm in a catch-22 of NAT6 for my vpn bleeding into my lan because of lack of SLAAC control.
Could you elaborate, I'm not sure what you mean here.
I don't think you need an ipv6hint...and I just left your ifaceid
I use the hints to provide different IPv6 subnets to my interfaces. I think openwrt would assign them automatically just fine, but I like them to match my IPv4 subnet/VLAN numbering scheme for tidiness. Maybe this is a bad practice.
That's the exact config I'm currently using, unless I'm missing something.
It's on my Android devices connected to lan network.
I get a link-local address on the devices (good), a couple of GUAs (good), and my ULA, i.e. ddc2:9aea:redacted (bad). If I disable SLAAC I don't get GUA or ULA on Android. On my non-Android devices on lan I do not get ULA either way (good) so I'm not sure if they just don't use SLAAC at all and/or respect my RA list ip6class 'wan6' setting as intended.
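A quick check for the kind of address report above, added here as an example and not taken from the thread: a POSIX sh script that sorts the addresses in ip -6 addr output into link-local (fe80::/10), RFC 4193 ULA (fc00::/7), GUA (2000::/3) or "other", so a rewritten d* NAT6 prefix shows up as "other" rather than as a ULA. The sample output and the dd0a:db8:: prefix in it are constructed, and the function names are my own.

```shell
#!/bin/sh
# Classify one IPv6 address (optionally with /len) by its first 16 bits,
# following the IANA allocations. Prints one of:
#   link-local  fe80::/10
#   ula         fc00::/7  (RFC 4193, the only "true" ULA range)
#   gua         2000::/3
#   other       anything else, e.g. ::1 or a d*:: prefix used for NAT6
ip6_class() {
    addr="${1%%/*}"           # strip prefix length
    first="${addr%%:*}"       # leading hextet; empty if the address starts with ::
    [ -z "$first" ] && first=0
    val=$((0x$first))
    if   [ $((val & 0xffc0)) -eq $((0xfe80)) ]; then echo link-local
    elif [ $((val & 0xfe00)) -eq $((0xfc00)) ]; then echo ula
    elif [ $((val & 0xe000)) -eq $((0x2000)) ]; then echo gua
    else echo other
    fi
}

# Read `ip -6 addr` text on stdin and print "<iface> <class> <address>"
# for every inet6 line, remembering the interface from the header lines.
summarize_ip6() {
    iface=""
    while read -r f1 f2 _; do
        case "$f1" in
            [0-9]*:) iface="${f2%:}" ;;
            inet6)   echo "$iface $(ip6_class "$f2") ${f2%%/*}" ;;
        esac
    done
}

# Constructed sample in the layout of `ip -6 addr`; replace with real output.
SAMPLE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:10:1:7ab3:4cd2:99ee:1f0a/64 scope global dynamic
    inet6 dd0a:db8:1:0:7ab3:4cd2:99ee:1f0a/64 scope global dynamic
    inet6 fe80::7ab3:4cd2:99ee:1f0a/64 scope link'

# Real use: ip -6 addr | summarize_ip6
printf '%s\n' "$SAMPLE" | summarize_ip6
```

Anything reported as "other" on the lan side is a candidate for a prefix the clients should not be receiving; a genuine ULA would be listed as "ula".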
Is there a reason the link-local is not used?
NAT6 requires not using a link-local so devices will actually use the ULA as a default route.
Is there any way to assign a different ULA per interface? Maybe I can use a non-local ULA on vpn for NAT6 and a local ULA on lan so that it is ignored by clients.
But as @trendy already pointed out, the prefix filter setting doesn't apply to SLAAC (it passes out the ULA and GUA, regardless). I have no problem controlling RA with the prefix filter, that part is working perfectly.
Basically what I am asking is if there is no way to stop SLAAC from giving out the ULA, maybe I can spoof it for that particular interface so it gives out a dummy ULA.
But how do I remove it from lan only? I can't see any obvious way to do this. My network is already segmented into VLANs. It's like SLAAC bypasses my interface and grabs the ULA regardless.
The problem is I need a working non-local ULA for NAT6.
I guess in the meantime I will just have to trust the firewall to handle it using vlan + fw zones and hope that Android "black boxes" prefer GUA to SLAAC ULA. It's just weird that SLAAC can "break out of the interface" to grab a ULA. But if Android would just allow DHCPv6 like everything else on earth this wouldn't even be an issue.