IPv6 - why clients get multiple GUA addresses?

My setup is as follows:
the primary router is pfsense and uses a static IPv6 address on the WAN, inside I have set up a DHCPv6 server and the RA mode is set to Managed (or Assisted). Then all clients on the LAN get one GUA address, nice!

On the same LAN I use an OpenWrt router to connect wireless clients, I also set a static IPv6 address on the WAN and LAN. OpenWrt assigns IPv6 to the clients, connectivity works. However, all of its clients (no matter if they are wired or cable) get 3 GUA addresses. I don't like this situation because it is impossible to predict what address will connect to the Internet.

I tried to reconfigure RA flags (M only, O only, M + O) but with no success. How to set OpenWrt to assign only one GUA to clients, what am I missing?

See RFC4941

2 Likes

You need to disable SLAAC. If you're using LuCI then there's a checkbox on the same tab as where you can select RA flags. If editing by hand then you should add ra_slaac='0' to the lan section of /etc/config/dhcp

But how about clients which are SLAAC only e.g. Android?
Are they still usable in this setup?

Edit: as a workaround when using PBR I use the MAC address which covers both IPv4 and IPv6 so no need to use the IPv6 address in that case.

Nope, it will break them. So it's a bad idea.

The only alternative would be to disable SLAAC directly on each client (if that's a supported option). Although having multiple GUAs is (as most of us know) a perfectly normal situation when using IPv6.

2 Likes

I have looked into disabling the private extension on the client and this is doable but cumbersome, so for my PBR needs I use the MAC address instead of IPv6/IPv4 address and that works well.

1 Like

Since the client could be an Android device, I should use stateless DHCPv6. This means that the IPv6 address will be obtained using SLAAC and, optionally, other information will be obtained from DHCPv6. However, I don't know how to do this in OpenWrt. pfSense provides such a mode.

Assisted: The firewall will send out RA packets and addresses can be assigned to clients by DHCPv6 or SLAAC.

OR

Stateless DHCP: The firewall will send out RA packets and addresses can be assigned to clients by SLAAC while providing additional information such as DNS and NTP from DHCPv6.

IPv6 is designed to have multiple addresses on an interface.
If you for some reason want a single address then configure your clients accordingly or just live with the fact. The only issue with multiple addresses is that some folks overcomplicate shit and sometimes hold it wrong.

What is the exact issue you encountered with multiple addresses?

2 Likes

You leave SLAAC enabled and set the M and/or O flag on the RA. But clients will end up with multiple addresses.

1 Like

I'm mainly wondering why it's different compared to pfSense. Then look at the following Windows client example (some part of the address is randomized but not the Interface ID):

   IPv6 Address. . . . . . . . . . . : 2a02:570:90f:181::eb7(Preferred)
   Lease Obtained. . . . . . . . . . : 10 April 2025 12:24:18
   Lease Expires . . . . . . . . . . : 11 April 2025 00:24:18
   IPv6 Address. . . . . . . . . . . : 2a02:570:90f:181:e253:a522:fa76:d5bf(Preferred)
   Temporary IPv6 Address. . . . . . : 2a02:570:90f:181:5da0:4215:467d:672d(Preferred)
   Link-local IPv6 Address . . . . . : fe80::9124:9085:90f6:6411%5(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 10 April 2025 12:24:20
   Lease Expires . . . . . . . . . . : 11 April 2025 00:24:20
   Default Gateway . . . . . . . . . : fe80::f6ec:38ff:fef3:72f2%5
                                       192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 88086142
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2B-C8-8B-9F-40-16-7E-A9-97-CA
   DNS Servers . . . . . . . . . . . : 2a02:570:90f:181::1
                                       192.168.1.1

When I open test-ipv6.com it identifies the client according to the "Temporary IPv6 Address" - this is confusing. I would expect one of the "IPv6 Address" entries, preferably the first one.
I think I also encountered a problem where it was possible to ping only one GUA from pfSense.

Not really. Windows creates temporary addresses for that very purpose. It's for outgoing connections and is intended to improve an end user's privacy. The address will regularly change so long-term tracking of the IP can't be carried out.

4 Likes
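To make the point about temporary addresses concrete, here is an added example (not code from the thread, and not Windows' own implementation) that builds a stable EUI-64 interface identifier from a MAC and then derives a sequence of RFC 4941 temporary identifiers from it, using the RFC's section 3.2.1 algorithm: MD5 over the history value and the stable identifier, left half becomes the temporary identifier with the u/l bit cleared, right half becomes the next history value. The prefix, MAC and seed history are constructed sample values. Running it shows why a temporary address cannot be predicted from the stable one and why routing or filtering by the client's GUA is unreliable while the extension is enabled.

```python
"""RFC 4941 temporary interface identifiers beside an EUI-64 stable one.
Added example for this thread; Windows follows the same RFC but keeps its
own history value, lifetimes and random seed."""
import hashlib
import ipaddress


def eui64_iid(mac: bytes) -> bytes:
    """Modified EUI-64 interface ID from a 48-bit MAC (RFC 4291 Appendix A):
    insert ff:fe in the middle and flip the universal/local bit (0x02)."""
    assert len(mac) == 6
    iid = bytearray(mac[:3] + b"\xff\xfe" + mac[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def next_temporary_iid(history: bytes, stable_iid: bytes) -> tuple:
    """One round of RFC 4941 section 3.2.1: MD5(history || stable IID).
    Left 64 bits (u/l bit cleared) become the temporary IID, right 64 bits
    become the next history value. Returns (temporary_iid, new_history)."""
    assert len(history) == 8 and len(stable_iid) == 8
    digest = hashlib.md5(history + stable_iid).digest()
    iid = bytearray(digest[:8])
    iid[0] &= 0xFD  # clear bit 6 (leftmost bit is bit 0): locally assigned
    return bytes(iid), digest[8:]


def address_from_iid(prefix: ipaddress.IPv6Network, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    assert prefix.prefixlen == 64  # SLAAC pairs a /64 with a 64-bit IID
    return ipaddress.IPv6Address(int(prefix.network_address) | int.from_bytes(iid, "big"))


def temporary_addresses(prefix, stable_iid, history, count):
    """Generate `count` successive temporary addresses, as a host regenerating
    one at each preferred-lifetime expiry would (reserved-IID check omitted)."""
    out = []
    for _ in range(count):
        iid, history = next_temporary_iid(history, stable_iid)
        out.append(address_from_iid(prefix, iid))
    return out


# Constructed sample values, not taken from the thread.
PREFIX = ipaddress.IPv6Network("2001:db8:1:2::/64")
MAC = bytes.fromhex("001122334455")
SEED_HISTORY = bytes.fromhex("0123456789abcdef")  # RFC 4941 seeds this randomly


def demo():
    """Return the stable EUI-64 address and three temporary successors."""
    stable = address_from_iid(PREFIX, eui64_iid(MAC))
    temps = temporary_addresses(PREFIX, eui64_iid(MAC), SEED_HISTORY, 3)
    return stable, temps


if __name__ == "__main__":
    stable_addr, temp_addrs = demo()
    print("stable (EUI-64):", stable_addr)
    for t in temp_addrs:
        print("temporary      :", t)
```

The stable address embeds the MAC (which is why modern hosts prefer RFC 7217 stable-privacy or random identifiers), while each temporary address depends on a hash chain seeded from secret state, so nothing on the wire lets an observer link one temporary address to the next or to the stable one.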

Interesting, I didn't know that. But then it's strange that it doesn't happen on pfsense. And it's the same client, I'm just swapping cables in the ethernet controller (between pfsense and OpenWrt).

You can disable the Windows temporary IPv6 address see e.g.:

But for outgoing traffic e.g. for PBR, I use the MAC address; for incoming traffic I use DHCPv6 to hand out a static IPv6 lease, so my Windows boxes have a static IPv6 address, a SLAAC IPv6 address and a temporary IPv6 address.

   IPv6 Address. . . . . . . . . . . : 2001:xxxx:xxxx:e900::59(Preferred)    <<<< static lease
   Lease Obtained. . . . . . . . . . : woensdag 14 mei 2025 13:41:01
   Lease Expires . . . . . . . . . . : woensdag 14 mei 2025 20:03:00
   IPv6 Address. . . . . . . . . . . : 2001:xxxx:xxxx:e900:e5dd:a465:c333:8501(Preferred)
   Temporary IPv6 Address. . . . . . : 2001:xxxx:xxxx:e900:61da:f67b:b025:38d9(Preferred)
   Link-local IPv6 Address . . . . . : fe80::e80e:bff4:4fc9:c333%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.59(Preferred)
1 Like

Again, not really. If pfsense is sending a different RA with different flags set then client behaviour will be different.

I did a packet capture, most of the flags are the same, except RouterPreference.
pfSense sent this:

    MessageType: Router Advertisement, 134(0x86)
  - RouterAdvertisementFlag: 
     M:                (1.......) Managed address configuration
     O:                (.1......) Other stateful configuration
     A:                (..0.....) Not a Mobile IP Home Agent
     RouterPreference: (...11...) Reserved,3(0x3)
  - PrefixInformation: 
     PrefixLength: 60 (0x3C)
   - Flags: 192 (0xC0)
      L:   (1.......) On-Link determination allowed
      A:   (.1......) Autonomous address-configuration
      R:   (..0.....) Not router Address
      S:   (...0....) Not a site prefix
      P:   (....0...) Not a router prefix
      Rsv: (.....000)

OpenWrt sent this:

    MessageType: Router Advertisement, 134(0x86)
  - RouterAdvertisementFlag: 
     M:                (1.......) Managed address configuration
     O:                (.1......) Other stateful configuration
     A:                (..0.....) Not a Mobile IP Home Agent
     RouterPreference: (...00...) Medium,0(0x0)
  - PrefixInformation: 
     PrefixLength: 64 (0x40)
   - Flags: 192 (0xC0)
      L:   (1.......) On-Link determination allowed
      A:   (.1......) Autonomous address-configuration
      R:   (..0.....) Not router Address
      S:   (...0....) Not a site prefix
      P:   (....0...) Not a router prefix
      Rsv: (.....000)

But then I noticed a different PrefixLength and realized that SLAAC can only work with a length of 64. But in pfSense I use 60 for its interface (it's a residue from the lab experiments). After I changed the PrefixLength to 64, the client in pfSense also got more GUA addresses, mystery solved.

And there is a problem with the Windows client, once it gets IPv6 from DHCPv6, it remembers it even after rebooting the OS. So when you change the RA flags, it may seem that nothing has changed for the clients, but in fact it is an OS problem and you need to try the new RA flags with a NEW Windows client. :sweat_smile:
(or does anyone know how to flush such an IP? ipconfig /release6 doesn't help, because the IP appears back when you reconnect the cable)

So the conclusion is: when I changed the RA flags in OpenWrt to "O only" and disabled the creation of a Temporary IPv6 address, then the clients only get one GUA address. :slightly_smiling_face:
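The whole thread reduces to one rule: the RA M flag produces a DHCPv6 address, a Prefix Information Option with A=1 and a /64 produces a SLAAC address (RFC 4862 requires prefix length plus the 64-bit interface ID to equal 128, so the /60 from pfSense was silently ignored for address formation), and the RFC 4941 privacy extension adds a temporary address on top of the SLAAC one. The added example below (written for this thread, not code from OpenWrt or pfSense) parses the two flag dumps quoted above and predicts the set of global addresses a client will form under each configuration, including the "O only" plus no-temporary-addresses setup from the conclusion and the SLAAC-only (Android-style) client that `ra_slaac='0'` would break. The `ClientPolicy` and the address-kind labels are the example's own names.

```python
"""Predict which global addresses a client forms from a Router Advertisement,
per RFC 4862 (SLAAC), RFC 8415 (DHCPv6) and RFC 4941 (temporary addresses).
Added example for this thread; not OpenWrt or pfSense code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RouterAdvertisement:
    managed: bool        # RA M flag: address via stateful DHCPv6
    other_config: bool   # RA O flag: DNS/NTP via DHCPv6, no address
    prefix_len: int      # Prefix Information Option length
    autonomous: bool     # PIO A flag: prefix usable for SLAAC


@dataclass(frozen=True)
class ClientPolicy:
    temporary_addresses: bool   # RFC 4941 privacy extension on (Windows default)
    dhcpv6_client: bool = True  # False for SLAAC-only clients such as Android


def expected_gua_kinds(ra: RouterAdvertisement, client: ClientPolicy) -> list:
    """Return the kinds of global address the client is expected to configure."""
    kinds = []
    if ra.managed and client.dhcpv6_client:
        kinds.append("dhcpv6")
    # RFC 4862: prefix length + 64-bit interface ID must equal 128,
    # so a /60 PIO is ignored for address formation even with A=1.
    if ra.autonomous and ra.prefix_len + 64 == 128:
        kinds.append("slaac-stable")
        if client.temporary_addresses:
            kinds.append("slaac-temporary")
    return kinds


_FLAG = re.compile(r"^(\w+):\s+\(([.01]{8})\)")
_PLEN = re.compile(r"^PrefixLength:\s+(\d+)")


def parse_ra_dump(text: str) -> RouterAdvertisement:
    """Parse the capture dump format quoted in the thread. Both the RA header
    and the PIO print an 'A' line, so the parser tracks the current section."""
    managed = other = autonomous = False
    prefix_len = 0
    in_pio = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("- ").strip()
        if line.startswith("PrefixInformation"):
            in_pio = True
            continue
        m = _PLEN.match(line)
        if m:
            prefix_len = int(m.group(1))
            continue
        m = _FLAG.match(line)
        if not m:
            continue
        name, bits = m.groups()
        if name == "M" and not in_pio:
            managed = "1" in bits
        elif name == "O" and not in_pio:
            other = "1" in bits
        elif name == "A" and in_pio:
            autonomous = "1" in bits
    return RouterAdvertisement(managed, other, prefix_len, autonomous)


# Sample input: the two dumps quoted in the thread, trimmed to the relevant lines.
PFSENSE_RA = """\
  - RouterAdvertisementFlag:
     M:                (1.......) Managed address configuration
     O:                (.1......) Other stateful configuration
     A:                (..0.....) Not a Mobile IP Home Agent
  - PrefixInformation:
     PrefixLength: 60 (0x3C)
      A:   (.1......) Autonomous address-configuration
"""
OPENWRT_RA = PFSENSE_RA.replace("PrefixLength: 60 (0x3C)", "PrefixLength: 64 (0x40)")

WINDOWS_DEFAULT = ClientPolicy(temporary_addresses=True)
WINDOWS_NO_TEMP = ClientPolicy(temporary_addresses=False)
ANDROID = ClientPolicy(temporary_addresses=True, dhcpv6_client=False)
O_ONLY = RouterAdvertisement(managed=False, other_config=True, prefix_len=64, autonomous=True)
NO_SLAAC = RouterAdvertisement(managed=True, other_config=True, prefix_len=64, autonomous=False)

if __name__ == "__main__":
    for label, dump in (("pfSense /60", PFSENSE_RA), ("OpenWrt /64", OPENWRT_RA)):
        print(label, expected_gua_kinds(parse_ra_dump(dump), WINDOWS_DEFAULT))
    print("O only, temp addrs off", expected_gua_kinds(O_ONLY, WINDOWS_NO_TEMP))
    print("ra_slaac=0, Android   ", expected_gua_kinds(NO_SLAAC, ANDROID))
```

The pfSense dump yields a single DHCPv6 address (the /60 defeats SLAAC), the OpenWrt dump yields three, the "O only" RA with temporary addresses disabled yields exactly one SLAAC address, and disabling SLAAC on the router leaves a DHCPv6-less client with no global address at all, which is the breakage warned about earlier in the thread.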

Probably Windows doesn't send RELEASE message before reboot. OpenWrt as far as I understand does the same by default (it was different in the past).

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.