Odhcp6c installs bogus default route via DHCPv6 server

jeff · December 31, 2023, 10:08pm

When booting OpenWrt 23.05.2 using a DHCPv6 server on the network segment, it appears that odhcp6c installs a default route via the interface on the DHCPv6 server (ending :f20a) when the address first eth0.2 bound (as per a dump using /etc/odhcp6c.user).

PROTO_IP6ADDR=2601:<myip>/128/590/890/1/
PROTO_ROUTE6=::/0/fe80::12:10ff:fe63:f20a/4096/890//2601:<myip>/128

The DHCPv6 server (kea) is not offering routes according to its configuration and none are seen being offered with Wireshark.

The router is responding to the Router Solicitation as expected and returns the route for the network segment. This is picked up by the OpenWrt box and replaces the bogus route.

This is problematic as the WireGuard links try to come up during boot and use the bogus route, installing an "exact destination" route.

I've tried a few different LuCI-set options to try to disable this behavior, without much luck. Current config is

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'no'
        option peerdns '0'
        option delegate '0'
        list ip6class 'local'
        option metric '500'

Am I missing a setting somewhere or is this a bug with odhcp6c?

Edit:

Tracing this down, the DNS servers are not supplied on this network segment by DHCPv6. This looks like it triggers the following in /lib/netifd/dhcpv6.script

                if [ -z "$RA_ADDRESSES" -a -z "$RA_ROUTES" -a \
                                -z "$RA_DNS" -a "$FAKE_ROUTES" = 1 ]; then
                        RA_ROUTES="::/0,$SERVER,$valid,4096"
                fi

mk24 · January 1, 2024, 2:12am

The "fakeroute" is a workaround in case of a network's main and only router sending improper RA packets which don't announce that the router is the default route. You can use option fakeroute 0 to disable this behavior (the default is 1).

If your network is designed around DHCPv6 and you don't want to act upon RA packets at all, you could also try options noslaaconly 1 and reqaddress force though I'm not sure if that is sufficient to completely disable RA.

jeff · January 1, 2024, 4:32am

Thanks, I appreciate the confirmation.

I'll scratch my head as to "why" the default is to handle broken upstream routers and assume that the default route should be via a DHCP server. Probably something in the dusty past with IPv6 at home was a pretty strange thing. (I go back to at least White Russian.)

commit 8691d75917
Author: Steven Barth <cyrus@openwrt.org>
Date:   Mon Oct 6 11:19:33 2014 +0000

    odhcp6c: add route-workaround for broken IPv6-ISPs
    
    Some ISP seem to only do stateful DHCPv6 and not sending RAs.
    This is technically broken because plain DHCPv6 doesn't carry routes.
    
    We work around here by faking a default route to the DHCPv6 server
    if we do not receive a useful RA from the ISP.
    
    This workaround can be turned off with: option fakeroutes 0
    
    Signed-off-by: Steven Barth <steven@midlink.org>
    
    SVN-Revision: 42803

mk24 · January 1, 2024, 11:13pm

I think the philosophy of the defaults is to have a home router use case able to get online using as many options as possible to different ISPs.

system · January 11, 2024, 11:19pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.