[IPv6] Two Global and ULA addresses for each SLAAC client?

I have set up my home router with two VLANs, one for IoT and other restricted devices (Guest VLAN) and an unrestricted VLAN (LAN VLAN).

To distinguish the networks, I request a /60 prefix from my ISP, which is granted. Then I give the aaaa:bbbb:cccc:ddd1/64 prefix to the LAN network and the aaaa:bbbb:cccc:ddd2/64 prefix to the Guest network. This makes them easily distinguishable via IP address.

However, I seem to be having an issue with SLAAC. For some reason, every client that connects to the router gets two Global IP addresses and two ULA addresses for their designated /64 subnet.

  • My Ubuntu laptop gets 4 addresses. None of the addresses appear to be EUI-64, but the ULA and Global prefixes match up to /64 for each pair of ULA and Global addresses. The host portion of only one pair of ULA/Global addresses matches, the host portion of the other pair is entirely different.
  • My Android phone gets 4 addresses as well. One global and one ULA address is EUI-64, the other pair is seemingly random. However, each ULA/Global pair has the same host portion. For example, two of the addresses are [ULA prefix]:9849:5769:69f8:a48c and [Global prefix]:9849:5769:69f8:a48c (these are the seemingly-random non-EUI-64 addresses).
  • My Raspberry Pi (which is on my guest network) does only get one pair of addresses (one Global, one ULA). However, this must be a software setting or something since it's an oddball. However, it being on the guest network isn't the reason for this because when I connect my Android phone to my guest network I get 4 addresses.

I have disabled DHCPv6 on both my Guest and LAN interfaces so that they only give router advertisements, allowing connected clients to only use SLAAC addressing.

I'm about at my wit's end trying to figure out what is causing this issue.

Here are my relevant configs:

dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option sequential_ip '1'
	option cachesize '2500'
	list notinterface 'wan'
	list notinterface 'wan6'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,1.1.1.1,1.0.0.1'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'
	option ra 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'guest'
	list dhcp_option '6,1.1.1.1,1.0.0.1'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'

config host
	option dns '1'
	option name 'raspberrypi'
	option mac 'B8:27:EB:53:DC:C8'
	option leasetime 'infinite'
	option hostid '2'
	option ip '192.168.2.1'

network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd68:fe79:ee19::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option _orig_ifname 'eth0 wlan0 wlan0-1 wlan1 wlan1-1 wlan2 wlan2-1'
	option _orig_bridge 'true'
	option ifname 'eth0.1'
	option ip6assign '64'
	option ip6hint '1'
	option igmp_snooping '1'
	option dns '1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001'

config interface 'wan'
	option ifname 'eth1'
	option _orig_ifname 'eth1'
	option _orig_bridge 'false'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth1'
	option proto 'dhcpv6'
	option reqprefix '60'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0 1 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6'
	option vid '2'

config interface 'guest'
	option type 'bridge'
	option ifname 'eth0.3'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ipaddr '192.168.2.1'
	option ip6hint '2'
	option igmp_snooping '1'
	option dns '1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '2 3 5t'

Unless your clients get IPv6 addresses from both the LAN and the guest prefix at the same time (which would indicate an error in your DHCPv6/RA configuration), this is perfectly normal.

What you see are most likely so-called temporary addresses aka IPv6 Privacy Extension. Most operating systems have Privacy Extensions enabled by default, which means that for every IPv6 prefix advertised, the client will use two addresses at the same time. The first is the stable EUI-64 based address. The other is a random address that changes frequently (at least the suffix does). The idea behind that is that it makes it harder to track IPv6 clients on the internet (although that is debatable). For outgoing traffic the temporary address is usually preferred.

The reason your Raspberry Pi doesn't get two addresses is likely that it has Privacy Extensions disabled. You can check that by running
sysctl -a 2>/dev/null | grep use_tempaddr
You will get one line per interface as output. If the resulting lines show the value 0 at the end, it means Privacy Extensions are disabled for that interface. (There is one exception here: If the system has IP forwarding enabled, Privacy Extensions are disabled even if the value is 1. To override this, you need to set it to 2.)

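An added example, not part of any post in this thread: a Python check that groups a client's addresses by /64, labels each interface ID as EUI-64 (MAC-derived) or not, and flags the misconfiguration case of addresses from more than one subnet. The MAC, the 2001:db8 global prefix and the ULA /64 (taken from the posted ula_prefix with hint 1) are constructed sample values.

```python
import ipaddress
from collections import defaultdict

def eui64_iid(mac):
    """Modified EUI-64 interface ID: flip the U/L bit of the MAC, insert ff:fe."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:], "big")

def classify(addrs, mac):
    """Group non-link-local addresses by /64 and label each interface ID (IID)."""
    own = eui64_iid(mac)
    groups = defaultdict(list)
    for text in addrs:
        addr = ipaddress.IPv6Address(text.split("/")[0])
        if addr.is_link_local:
            continue  # fe80::/10 is not one of the advertised SLAAC prefixes
        value = int(addr)
        prefix = ipaddress.IPv6Network(((value >> 64) << 64, 64))
        iid = value & (2**64 - 1)
        if iid == own:
            kind = "eui64"            # derived from this interface's MAC
        elif (iid >> 24) & 0xFFFF == 0xFFFE:
            kind = "eui64-other-mac"  # ff:fe marker, but a different MAC
        else:
            kind = "non-eui64"        # temporary or otherwise not MAC-derived
        groups[str(prefix)].append((kind, f"{iid:016x}"))
    return dict(groups)

def single_subnet_per_scope(groups):
    """True when there is at most one ULA /64 and at most one non-ULA /64."""
    ula = ipaddress.IPv6Network("fc00::/7")
    nets = [ipaddress.IPv6Network(p) for p in groups]
    n_ula = sum(n.subnet_of(ula) for n in nets)
    return n_ula <= 1 and len(nets) - n_ula <= 1

# Constructed sample: a phone with four addresses plus link-local.
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE_ADDRS = [
    "fe80::211:22ff:fe33:4455",
    "fd68:fe79:ee19:1:211:22ff:fe33:4455", "fd68:fe79:ee19:1:9849:5769:69f8:a48c",
    "2001:db8:0:1:211:22ff:fe33:4455", "2001:db8:0:1:9849:5769:69f8:a48c",
]

if __name__ == "__main__":
    result = classify(SAMPLE_ADDRS, SAMPLE_MAC)
    print(result, single_subnet_per_scope(result))
```

An address labelled "eui64" exposes the interface's MAC in its lower 64 bits, which is what makes it a stable identifier across networks.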

As @silentcreek noted, this is normal.

The 2 addresses are the management (permanent) and privacy address.

If you don't want this behavior, turn off IPv6 privacy in Ubuntu.

Thanks a bunch for that. In all my studies of IPv6 (even the Cisco CCNA), that aspect of IPv6 wasn't covered, so no wonder it was confusing. But, thank you for the clarification!
