My ISP (LTE) changes the IPv6 prefix every 4 hours and gives me a /64. I set up a firewall traffic rule on ::2/-64 to open a port on my desktop PC, and I've set up a DHCP static lease to ::2 for my PC. The problem is that when the IPv6 prefix changes, the PC keeps the old one. How can I force the new prefix onto my PC? Right now I have to disconnect the interface (Ethernet) on my PC and reconnect so that it gets the new IPv6 prefix from the router.
My only ideas so far would be:
- reduce the lease time on IPv6 addresses
- or assign internal IPv6 addresses & NAT66 them on the way out (ugly, but that would always work)
Update: I am still learning IPv6 and it shows!
Can you explain the second way?
You don't need to use a prefix in the rules.
See http://blog.dupondje.be/?p=17 as an example. Note that iptables is not in use in OpenWrt anymore.
As @AndrewZ alluded to, firewall rules can still work even in the face of dynamic prefixes.
Fortunately OpenWrt supports this using a negative netmask notation. I've talked about how you can use this in LuCI in a previous post of mine:
Once this is working then you should not need to worry about changing prefixes.
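The negative-netmask match the two replies above rely on is easy to get wrong, so here is an added illustration (not code from the thread or from OpenWrt) of what `::2/-64` actually compares. A positive length is an ordinary prefix match on the top bits; a negative length `-N` ignores the top N bits and compares only the low 128-N bits, so the rule keeps matching the same host after the ISP rotates the /64. The sample addresses are constructed from the documentation range, and the `nft_match` rendering is my own illustration of the equivalent nftables expression, not a copy of fw4's output.

```python
import ipaddress

ALL_ONES = (1 << 128) - 1

def parse_rule(rule: str):
    """Parse an OpenWrt-style 'addr/len' match into (masked address, mask).

    A positive length matches the top N bits (a prefix match); a negative
    length -N ignores the top N bits and matches the remaining 128-N low bits,
    which is what makes '::2/-64' select interface identifier ::2 under any
    /64 prefix.
    """
    addr_s, sep, len_s = rule.partition("/")
    addr = int(ipaddress.IPv6Address(addr_s))
    plen = int(len_s) if sep else 128
    if not -128 <= plen <= 128:
        raise ValueError(f"prefix length out of range: {plen}")
    if plen >= 0:
        mask = ALL_ONES ^ ((1 << (128 - plen)) - 1)  # top plen bits
    else:
        mask = (1 << (128 + plen)) - 1               # low 128-|plen| bits
    return addr & mask, mask

def matches(rule: str, address: str) -> bool:
    """True if the address satisfies the rule under the masking above."""
    want, mask = parse_rule(rule)
    return int(ipaddress.IPv6Address(address)) & mask == want

def nft_match(rule: str, direction: str = "daddr") -> str:
    """Render the same match as an nftables expression (constructed here for
    illustration; fw4's real output may be formatted differently)."""
    want, mask = parse_rule(rule)
    return (f"ip6 {direction} & {ipaddress.IPv6Address(mask)} "
            f"== {ipaddress.IPv6Address(want)}")

# Constructed sample: the same host seen under two successive ISP prefixes,
# plus a neighbour that must not match.
SAMPLE = {
    "2001:db8:aaaa:1::2": True,   # host ::2, prefix before rotation
    "2001:db8:bbbb:2::2": True,   # host ::2, prefix after rotation
    "2001:db8:aaaa:1::3": False,  # different host under the old prefix
}

def check_sample(rule: str = "::2/-64") -> dict:
    """Evaluate the rule against every sample address."""
    return {addr: matches(rule, addr) for addr in SAMPLE}

if __name__ == "__main__":
    for addr, hit in check_sample().items():
        print(f"{addr:<22} {'MATCH' if hit else 'no match'}")
    print(nft_match("::2/-64"))
```

Because only the host bits are compared, the rule is exactly as wide as the suffix is stable: if the PC's interface identifier changes (temporary addresses, or a suffix that is regenerated on reboot), the rule silently stops matching, which is the failure mode discussed later in this thread.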
This shouldn't be a problem. When a router announces a prefix either through RA or DHCPv6, the router also sends lifetime information about the prefix. The prefix goes through a validity/deprecation lifecycle so existing connections aren't disrupted. Your PC would then just have multiple IPv6 addresses, one for new connections and the rest for existing ones.
If you're using dynamic DNS, have the updater running on the PC send an AAAA record update with the appropriate TTL every time the PC receives a new prefix. The record should only contain the most recent prefix and not any of the deprecated ones.
I was already using a negative netmask. The problem is that the PC doesn't receive the new IPv6 prefix immediately. I have to restart the interface on the PC to force a new IPv6 prefix. How can I force the PC to receive the new IPv6 prefix immediately and automatically?
DHCP is not a "push" protocol. The clients have to proactively get new information from the server, either when the lease expires or when you reconnect the interface. If you want to keep using DHCP then you need to set a lower lease time. The minimum in OpenWrt is 2 minutes; something like 20 minutes is more reasonable and should still work with the 4 hour window your ISP gives you.
Alternatively, you can use SLAAC. This relies on RA messages instead, which OpenWrt will send of its own accord and the PC doesn't have to poll for. The RA contains the IPv6 prefix which the PC can combine with some suffix to obtain the full IPv6 address.
This suffix is usually randomly generated by the host and changes on a regular basis. You would need to figure out how to disable this on the PC to make the suffix constant. Reference this suffix in the firewall rules and it should work.
So my options are:
- Set the DHCP lease time to 5/10 minutes
- Use SLAAC and find out how to set up a static prefix in order to enable firewall traffic rules for the device
- I read online that it should be possible to force a DHCPv6 renew. Do you know how in OpenWrt?
I think you meant static suffix, SLAAC can deal with dynamic prefixes just fine. If you can tell us what operating system the PC is running I may be able to tell you what setting you need to change to make this happen. Personally, I would use this solution because SLAAC is well-supported among IPv6 hosts.
I think odhcpd (the default DHCPv6 server in OpenWrt) supports this, but DHCP client support is not widespread. If the PC's DHCP client supports RFC 6704 this could work.
Yes, I made a typo. I have Windows 11 on my desktop PC.
In an elevated PowerShell prompt:
Set-NetIPv6Protocol -RandomizeIdentifiers Disabled
Set-NetIPv6Protocol -UseTemporaryAddresses Disabled
Restart the interface a few times to verify that the suffix is stable.
Yes, I had already tried it, but it disables the IPv6 Privacy Extensions (temporary IPv6 addresses used by the software in the OS in order not to be tracked online).
I was searching for something to apply the firewall rules to all the dynamic IPv6 addresses. Can I make firewall traffic IPv6 rules based on MAC address?
Alternatively, I can just set a firewall rule for one IPv6 SLAAC address that has to remain stable (the host suffix), while the other IPv6 address has all ports closed, but I would like to keep temporary IPv6 addresses working.
I don't use Windows 11, so I had to look this up again. It appears the default Windows configuration already does what you want. Run ipconfig on your PC and it should look something like this:
(Screenshot taken from this blog post)
The addresses listed next to "IPv6 Address" should be stable, are they not? In this example, the first IPv6 address comes from DHCP, and the second comes from SLAAC. The PC should still be reachable via those addresses, while the temporaries are used for outgoing connections.
In the default configuration of Windows the IPv6 SLAAC addresses are not static (host suffix), or at least not in my case.
Searching online, I've found what I should want:
Set-NetIPv6Protocol -RandomizeIdentifiers Disabled
Set-NetIPv6Protocol -UseTemporaryAddresses Enabled
EDIT: apparently Windows is not implementing RFC 7217, so disabling RandomizeIdentifiers exposes the MAC address in the static SLAAC address. But when enabling it, the static suffix changes when the PC reboots or when restarting the network interface.
Now I have 2 IPv6 addresses from SLAAC, one that has a static host suffix (created based on the MAC address) that I can use in firewall rules to open some ports, and the other that is temporary (used by the applications) and has all ports closed.
How can I force an application to use a specific SLAAC address? I mean, if I have an X app where I need to open a port, but this app uses the temporary address?
Is there a reason why you can't just have the app listen on all interfaces? It's not a problem if the app makes outgoing connections using temporary addresses, the OpenWrt firewall is smart enough to allow this to work. And presumably the incoming connections will use the stable address, which you have already allowed in the firewall. So all your bases should be covered.
This makes sense. I hope all the apps in which I want to open a port listen on all interfaces. Thanks for your help!
I discovered online that Windows 11 should implement RFC 7217, so theoretically I should be able to configure a STATIC SLAAC suffix without exposing my MAC address. Most modern operating systems have implemented this for years.
BUT apparently in Windows 11 (latest Dev Insider Preview) RFC 7217 is not working.
If I set RandomizeIdentifiers to Enabled, I get a random suffix but it changes when I reboot the PC or unplug and reconnect the Ethernet.
If I set it to Disabled, I get a static address exposing the MAC address (this is NOT safe).
Online there is no documentation about it for Windows, only that it should be enabled by default in Win 11.
Can someone with Windows 11 tell me if there is something I need to change?
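To make the trade-off in the last few posts concrete, here is an added example (not from the thread or from Windows) that builds a SLAAC address two ways: with a modified EUI-64 interface identifier, which is stable across prefixes but derived reversibly from the MAC, and with an RFC 7217 stable-privacy identifier. The RFC 7217 function F takes the prefix as an input, so its identifier is stable only within one prefix; when the ISP rotates the /64, the host suffix changes too, and a `::xxxx/-64` rule keyed on it stops matching. The MAC, secret key and prefixes are constructed sample values, and the RFC 7217 computation is simplified (Network_ID omitted, HMAC-SHA256 standing in for F, which the RFC leaves to the implementation).

```python
import hashlib
import hmac
import ipaddress

def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291 appendix A): the MAC is
    split, ff:fe is inserted in the middle, and the universal/local bit is flipped."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")

def mac_from_eui64_iid(iid: int) -> str:
    """The transform is reversible, which is why an EUI-64 suffix exposes the MAC."""
    b = iid.to_bytes(8, "big")
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{x:02x}" for x in mac)

def rfc7217_iid(prefix: str, net_iface: str, secret_key: bytes, dad_counter: int = 0) -> int:
    """Stable-privacy identifier in the shape of RFC 7217 section 5:
    F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key).
    Simplified (assumption): Network_ID omitted, HMAC-SHA256 used as F."""
    net = ipaddress.IPv6Network(prefix)
    msg = net.network_address.packed[:8] + net_iface.encode() + bytes([dad_counter])
    digest = hmac.new(secret_key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")

def slaac_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine an advertised /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def suffix_stable_across_prefixes(iid_for_prefix, prefixes) -> bool:
    """True if the host part survives a prefix rotation, which is the property
    a '::xxxx/-64' firewall rule depends on."""
    return len({iid_for_prefix(p) for p in prefixes}) == 1

# Constructed sample values: a made-up MAC, a persistent per-host secret, and
# two successive ISP prefixes from the documentation range.
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
PREFIXES = ["2001:db8:aaaa:1::/64", "2001:db8:bbbb:2::/64"]

def eui_for_prefix(prefix: str) -> int:
    return eui64_iid(SAMPLE_MAC)          # independent of the prefix

def stable_for_prefix(prefix: str) -> int:
    return rfc7217_iid(prefix, "eth0", SAMPLE_SECRET)

def compare_schemes() -> dict:
    """Summarise how each identifier scheme behaves for this thread's use case."""
    return {
        "eui64_stable_suffix": suffix_stable_across_prefixes(eui_for_prefix, PREFIXES),
        "eui64_reveals_mac": mac_from_eui64_iid(eui64_iid(SAMPLE_MAC)) == SAMPLE_MAC,
        "rfc7217_stable_suffix": suffix_stable_across_prefixes(stable_for_prefix, PREFIXES),
        "rfc7217_stable_same_prefix": stable_for_prefix(PREFIXES[0]) == stable_for_prefix(PREFIXES[0]),
    }

if __name__ == "__main__":
    for p in PREFIXES:
        print(p, slaac_address(p, eui_for_prefix(p)), slaac_address(p, stable_for_prefix(p)))
    print(compare_schemes())
```

The summary shows why neither Windows setting alone gives what the thread is after: EUI-64 gives a suffix that survives prefix rotation but can be turned back into the MAC, while an RFC 7217 identifier (when an OS implements it with a persistent secret) is stable across reboots under the same prefix yet changes with every new /64. A firewall rule that must survive prefix rotation therefore needs a suffix chosen independently of the prefix, such as a DHCPv6 static lease or a manually configured address.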
Would it be possible to get what you want here by manually assigning a random locally administered MAC address? Use any one of the online random MAC address generators to make a valid one.