OpenWrt DHCPv6 client - only statelfull address

pmisch · April 19, 2023, 2:33pm

Hi,

I'm using an OpenWrt as dump access point but for management purposes of course it gets an IP address.
I want to configure IPs dynamically so I'm using DHCPv6 client. It works fine, but next to the stateful IP I also get a stateless IP that unfortunately is being used for outgoing connections, rather than the stateful address.

Can I somehow configure the management interface to only fetch an IP via DHCPv6 and just use the provided routes from router advertisement, rather than the also getting a stateless (SLAAC) IP on top?

Thx
junicast

lleachii · April 19, 2023, 2:37pm

~~Theory:~~

~~I think you can make a firewall rule that only applies to that one (or in LuCI, you can go to "Advanced" and select a PHY interface) management Interface and block...ICMPv6 - Router Advertisement.~~

Otherwise, static addressing

I think this is appropriate according to protocol (and good practice) - but you don't state what process is using it.

trendy · April 19, 2023, 4:42pm

If you block that, nothing will work.
It is more possible to achieve the goal with proper flags in RAs. Like M-flag enabled and A-flag disabled for the prefix information. Of course this setting is global for all hosts in the lan.

pmisch · April 19, 2023, 7:20pm

Yes, that's it. This is how my upstream config looks like (of course also OpenWrt):

config dhcp "mgmt"
       option interface "mgmt"
       option leasetime "24h"
       option start "16" 
       option limit "19" 
       list domain "example.com"
       list ra_flags "managed-config"
       list ra_flags "other-config"
       option dhcpv6 "server"
       option ra "server"
       option ra_default "2"
       option ra_management "1"
       option ra_slaac "0"

pmisch · April 26, 2023, 10:58am

Well there is something missing I fear.
Currently I'm getting a default route at my client and it gets also assigned DHCPv6 addresses but with a prefix length of 128, which I just learned is expected behaviour.
Sadly the host cannot connect to other hosts in the /64 subnet since a route is missing.
In this thread it says I need to configure the Router Advertisement without the auto-configure option.

What does that mean with regard to OpenWRT?

trendy · April 26, 2023, 12:56pm

I cannot reproduce your issue, for me it works fine.

config dhcp 'lan'
        option instance 'lan_dns'
        option interface 'lan'
        option start '100'
        option limit '150'
        option force '1'
        option ra_useleasetime '1'
        list dhcp_option '252,"\n"'
        list dhcp_option '15,mrv'
        list dhcp_option '42,10.0.2.1'
        list dhcp_option '44'
        list dhcp_option '2,3600'
        list dhcp_option '4,10.0.2.1'
        list dhcp_option '119,mrv'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option dhcpv6 'server'
        option ra_default '2'
        option ra_slaac '0'
        option leasetime '12h'
        list domain 'mrv'

The RA is correct:

14:30:06.598499 IP6 (flowlabel 0xa22ee, hlim 255, next-header ICMPv6 (58) payload length: 152) fe80::20d:48ff:fe66:209e > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 152
        hop limit 64, Flags [managed, other stateful], pref medium, router lifetime 165s, reachable time 0ms, retrans timer 0ms
          source link-address option (1), length 8 (1): 00:0d:48:66:20:9e
          mtu option (5), length 8 (1):  1492
          prefix info option (3), length 32 (4): 2a0f::7500::/64, Flags [onlink], valid time 167s, pref. time 137s
          prefix info option (3), length 32 (4): fd00:bbbb::/64, Flags [onlink], valid time 43200s, pref. time 43200s
          rdnss option (25), length 24 (3):  lifetime 165s, addr: fd00:bbbb::1
          dnssl option (31), length 24 (3):  lifetime 165s, domain(s): mrv.
          advertisement interval option (7), length 8 (1):  55000ms

and the hosts get only the dhcp address but install in the routing table the /64

dietpi@raspi:[~]$ ip -6 ro
::1 dev lo proto kernel metric 256 pref medium
2a0f::7500::3 dev eth0 proto kernel metric 256 pref medium
2a0f::7500::/64 dev eth0 proto kernel metric 256 expires 175sec pref medium
fd00:bbbb::3 dev eth0 proto kernel metric 256 pref medium
fd00:bbbb::/64 dev eth0 proto kernel metric 256 expires 43128sec pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev docker0 proto kernel metric 256 pref medium
fe80::/64 dev veth988d5a5 proto kernel metric 256 pref medium
default via fe80::20d:48ff:fe66:209e dev eth0 proto ra metric 1024 expires 174sec mtu 1492 hoplimit 64 pref medium

ping also works

dietpi@raspi:[~]$ ping 2a0f::7500::54
PING 2a0f::7500::54(2a0f::7500::54) 56 data bytes
64 bytes from 2a0f::7500::54: icmp_seq=1 ttl=64 time=1.54 ms
64 bytes from 2a0f::7500::54: icmp_seq=2 ttl=64 time=0.613 ms
^C
--- 2a0f::7500::54 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.613/1.078/1.543/0.465 ms