Is it possible to have a random or static IPv6 address on the WAN interface in relay mode with DHCPv6Client

My router is configured as DHCPv6Client for the WAN interface and Relay Mode for DHCP/DNS. Both its WAN and LAN addresses are generated from the MAC address.

There is "Advanced Settings" tab under http://router/cgi-bin/luci/admin/network with the field "IPv6 suffix". It's set to ::1 and the info message states:

"Optional. Allowed values: 'eui64', 'random', fixed value like '::1' or '::1:2'. When IPv6 prefix (like 'a:b:c:d::') is received from a delegating server, use the suffix (like '::1') to form the IPv6 address ('a:b:c:d::1') for the interface."

Unfortunately this setting has no effect.

Is there a way to have a random or static IPv6 address on both LAN and WAN interfaces in Relay Mode with DHCPv6Client?

A bunch of these settings are mutually exclusive, but LuCI doesn't know to show you that, so for example if your WAN6 interface is using DHCPv6, then the "IPv6 Suffix" is just ignored. This is why, as you say, it "has no effect".

DHCPv6 on the WAN6 interface means that you are expecting your ISP to give that interface a full /128, and you have no say in the matter. You get what you get, and that's it.

If you are relaying DHCPv6 to the LAN, then your local devices are under the ISP's control, too, which seems to be the cause of your issues. Is there some reason not to use OpenWrt's DHCP server for the LAN? If your ISP delegates an IPv6 prefix to you (part of the usual DHCPv6 startup sequence on the WAN), then your router can use that to do DHCPv6 or SLAAC for your local clients and it will allow you to specify static reservations or whatever.

(The address format for SLAAC is up to each client, on a Linux client it would be net.ipv6.conf.all.use_tempaddr = 0 for EUI-64, 2 for full private RFC4941 IIDs.)

1 Like

To get a random suffix on wan, use reqaddress 'none' and suffix 'random'. This address will be used for connections that originate from inside the router, such as forwarded DNS, NTP, "whole house" VPN, any 4-to-6 tunnels, and update downloads.

In relay mode the LAN interface cannot have a GUA (public) IPv6, only a link-local. Without delegated prefixes, the router does not route, it forwards within the same /64 as wan. So there's no such thing as assigning an IPv6 to LAN. The IPv6 suffix that appears on the Internet for connections originated from an endpoint client is the same one held by the endpoint itself, so it is determined by that device. Most operating systems use random addresses by default.

1 Like

Let me clarify my network setup. My OpenWrt router is behind the ISP router. I have no control over this router. It is locked. From what I observe it responds to DHCPv6 requests relying on SLAAC. Because of that I cannot configure OpenWrt as DHCPv6 server.

According to SLAAC, a DHCPv6 client picks its own address within the /64 subnet with two options: from the MAC address or a random address. I don't see why OpenWrt cannot pick a random address.

By definition a LAN interface cannot have a GUA regardless of the mode of operation. OpenWrt uses the MAC address to generate the FE80:: link-local address. I have a problem with that; there must be an option to tell OpenWrt to generate a random link-local address too.

There is either SLAAC or DHCPv6 stateful IP (i.e. controlled by the server not the client) address assignment. These are two different solutions to the problem which may or may not both be offered in parallel on a network. If both are offered the client can choose.

Often in a single-prefix situation, the DHCPv6 server is running but does not issue IP addresses. It does provide information on the availability of other services on the LAN, particularly DNS.

Conventionally a LAN running a delegated prefix assigns <prefix>::1 to the router's LAN interface. Although the clients usually use a link-local to direct packets for the Internet toward the router.

MAC-derived link locals are not a privacy issue since they never appear outside the LAN, and a LAN is using MACs at layer 2 anyway.

2 Likes

I agree that link-local with MAC is not a privacy issue per se, but it becomes one when pasting the output of tracing or other tools on the internet QAs. Of course everything can be obfuscated, but life could be easier if the MAC is not used.

If it is conventional for a LAN running a delegated prefix to assign <prefix>::1 to the router's LAN interface, why does OpenWrt not follow this convention?
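An added example, not part of the thread and not OpenWrt's own code: it forms an address from a prefix and each of the suffix kinds named in the LuCI help text ('eui64', 'random', fixed), then shows which results embed the MAC and blanks those interface IDs in output before it is pasted publicly. The function names, the /64 restriction, the prefix and the MAC are assumptions and constructed sample values.

```python
import ipaddress
import re
import secrets

def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface ID (RFC 4291): flip the U/L bit, insert ff:fe."""
    b = bytes.fromhex(mac.replace(":", ""))
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6], "big")

def form_address(prefix: str, suffix: str, mac: str = "") -> str:
    """Join a /64 prefix with an 'eui64', 'random' or fixed ('::1') suffix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("this example assumes a /64 prefix")
    if suffix == "eui64":
        iid = eui64_iid(mac)
    elif suffix == "random":
        iid = secrets.randbits(64)
    else:
        iid = int(ipaddress.IPv6Address(suffix))
        if iid >> 64:
            raise ValueError("fixed suffix must fit in the low 64 bits")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))

def mac_from_address(addr: str):
    """Return the MAC embedded in an EUI-64-style address, else None (heuristic)."""
    b = (int(ipaddress.IPv6Address(addr)) & (2**64 - 1)).to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    return ":".join(f"{x:02x}" for x in bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8])

def redact(text: str) -> str:
    """Blank the interface ID of every MAC-derived IPv6 address in pasted output."""
    def fix(m):
        try:
            addr = ipaddress.IPv6Address(m.group(0))
        except ValueError:
            return m.group(0)          # not an IPv6 address: leave untouched
        if mac_from_address(m.group(0)) is None:
            return m.group(0)          # no ff:fe marker: no embedded MAC
        return f"{ipaddress.IPv6Address(int(addr) >> 64 << 64)}<iid-redacted>"
    return re.sub(r"[0-9a-fA-F:]{2,39}", fix, text)

if __name__ == "__main__":
    PREFIX, MAC = "2001:db8:a:b::/64", "00:11:22:33:44:55"   # constructed samples
    for mode in ("eui64", "random", "::1"):
        addr = form_address(PREFIX, mode, MAC)
        print(mode, addr, "embeds MAC:", mac_from_address(addr))
    print(redact("br-lan UP 2001:db8:a:b::1/64 fe80::211:22ff:fe33:4455/64"))
```

The ff:fe check is a heuristic: a random interface ID matches it by chance about once in 65536 addresses, and bare MAC addresses elsewhere in the output (for example `link/ether` lines) are not touched by `redact`.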

config interface            'vlan64'
    option  device          'br-vlan64'
    option  proto           'static'
    option  ipaddr          '192.168.64.1/24'
    option  ip6assign       '64'
    option  ip6hint         '40'
    option  ip6ifaceid      '::1'

root@cpe:~# ip -6 -br addr show dev br-vlan64
br-vlan64        UP             2003:e4:XXXX:XX40::1/64 fde6:a09a:b373:40::1/64 fe80::1ff:fe01:40/64

BUT.

Even with IPv4, there can be multiple routers present on a Layer-2 and Layer-3!

On IPv4 networks, routers usually use VRRP to elect the master of the Virtual-IP-Address (i.e. 192.168.0.1/24).
But on IPv6 networks, multiple routers can be active, all acting as a default gateway, or even only for certain destinations, like a VPN. But not a single router needs to use ::1, because Router-Advertisement[1] does not care.
Look, even though I configured ::1 for all interfaces on my OpenWRT, my clients give a shit:

$ ip -6 route get 2001:db8::1
2001:db8::1 from :: via fe80::1ff:fe01:40 dev eno1 proto bird src 2003:e4:XXXX:XX40::7ca2 metric 32 pref medium

[1] And OSPF, BGP, etc...

1 Like

(I got email confirmation...) Should I still answer your question?