Prevent OpenWrt from announcing an IPv6 DNS Server

Hi,

for some reason my 17.01 router announces its fe80 address as a DNS server which breaks my local dns as I have a separate ipv4 dhcp/dns server.
I already checked "Disable DHCP for this interface.", disabled Router advertisement for the interface, disabled ipv6-service for the interface, disabled ndp-proxy for the interface and set "IPv6 assignment length" to disabled but the router somehow still announces itself as a DNS server via link local.
"Use builtin IPv6-management" in the advanced settings is disabled as well.

Can anyone give me a hint how to disable that behaviour?

Please post here the following:
uci show network ; uci show dhcp

What IPv6 functionality do you need to have?

I currently don't use any ipv6 on the router but next year I will get an ipv6 enabled DSL contract.
The WAN6 interface is disabled and I even tried to remove it but it doesn't disappear when removing it using the webui.

# uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.lan=interface
network.lan.ifname='eth1'
network.lan.force_link='1'
network.lan.type='bridge'
network.lan.proto='static'
network.lan.netmask='255.255.0.0'
network.lan.ipaddr='172.18.0.8'
network.lan.delegate='0'
network.wan=interface
network.wan.ifname='eth0'
network.wan._orig_ifname='eth0'
network.wan._orig_bridge='false'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.proto='aiccu'
network.wan6.username='DHW6-SIXXS'
network.wan6.password='HIDDEN'
network.wan6.tunnelid='T57389'
network.wan6.ip6prefix='2001:6f8:1c00:83d7::/64'
network.wan6.heartbeat='1'
network.wan6.nat='0'
network.wan6.requiretls='0'
network.wan6.verbose='1'
network.wan6.auto='0'
network.vpn=interface
network.vpn.proto='none'
network.vpn.ifname='tap0'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].vid='1'
network.@switch_vlan[0].ports='0 1 2 3 4'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='5 6'
network.@switch_vlan[1].vid='2'
network.@route[0]=route
network.@route[0].interface='vpn'
network.@route[0].target='10.150.0.0'
network.@route[0].netmask='255.255.0.0'
network.@route[0].gateway='44.1.0.42'
network.@route[1]=route
network.@route[1].interface='vpn'
network.@route[1].target='192.168.123.0'
network.@route[1].netmask='255.255.255.0'
network.@route[1].gateway='44.1.0.40'
network.@route[2]=route
network.@route[2].interface='vpn'
network.@route[2].target='172.16.0.0'
network.@route[2].netmask='255.255.0.0'
network.@route[2].gateway='44.1.0.41'
network.@route[3]=route
network.@route[3].interface='vpn'
network.@route[3].target='10.160.0.0'
network.@route[3].netmask='255.255.255.0'
network.@route[3].gateway='44.1.0.45'
network.@switch_vlan[2]=switch_vlan
network.@switch_vlan[2].device='switch0'
network.@switch_vlan[2].vlan='3'
network.@switch_vlan[2].vid='3'
network.@switch_vlan[2].ports='1t 6t'
network.DMZ=interface
network.DMZ.proto='static'
network.DMZ.ifname='eth0.3'
network.DMZ.ipaddr='172.17.0.8/24'
network.DMZ.netmask='255.255.255.0'
network.DMZ.gateway='172.17.0.8'
network.DMZ.broadcast='172.17.0.255'
network.DMZ.type='bridge'



# uci show dhcp
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].rebind_protection='0'
dhcp.@dnsmasq[0].local='/foo-saphira.lan/'
dhcp.@dnsmasq[0].domain='foo-sapira.lan'
dhcp.@dnsmasq[0].server='/vpn/44.0.0.8' '/abc.lan/44.0.0.8' '/def.lan/44.0.0.8' '/0.44.in-addr.arpa/44.0.0.8' '/1.44.in-addr.arpa/44.0.0.8' '/10.in-addr.arpa/44.0.0.8' '/16.172.in-addr.arpa/44.0.0.8' '/18.172.in-addr.arpa/172.18.0.10' '/123.168.192.in-addr.arpa/44.0.0.8' '/foo.lan/172.16.0.17'
dhcp.@dnsmasq[0].nonwildcard='0'
dhcp.@dnsmasq[0].localservice='0'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.ignore='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.DMZ=dhcp
dhcp.DMZ.start='100'
dhcp.DMZ.leasetime='12h'
dhcp.DMZ.limit='150'
dhcp.DMZ.interface='DMZ'
dhcp.DMZ.dhcp_option='6,172.18.0.10'
dhcp.@host[0]=host
dhcp.@host[0].mac='86:5e:80:27:ef:d3'
dhcp.@host[0].ip='172.17.0.10'
dhcp.@host[0].name='q3c'
dhcp.@host[1]=host
dhcp.@host[1].name='roborock'
dhcp.@host[1].dns='1'
dhcp.@host[1].mac='40:31:3c:ad:18:7c'
dhcp.@host[1].ip='172.17.0.11'

You know that this is disabling the DHCP server for IPv4, right?

uci delete network.lan.delegate
uci delete network.wan6
uci set network.wan.ipv6=0
uci set network.wan.iface6rd=0
uci commit
service network restart

Try these and let us know if it got better.

Yes - as I said I have a separate DHCP server that is also doing DNS - at least for the LAN interface.
The OpenWRT DHCP/DNS server is only serving my DMZ network.

I will try those commands when I come home and post an update if it helps.

Sadly that didn't help.

Try to explicitly disable ra on lan

uci set dhcp.lan.ra=disabled
uci commit dhcp
service odhcpd restart

If it still doesn't work, run a
tcpdump -i eth1 -vvn icmp6
and verify that RAs are indeed sent and contain the rdnss.

It is still sending RAs:

18:41:56.991328 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) :: > ff02::1:ff9f:d451: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::221:86ff:fe9f:d451
          unknown option (14), length 8 (1): 
            0x0000:  373a 9cac 58d2
18:41:58.328986 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::221:86ff:fe9f:d451 > ff02::1:ff00:0: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has ::
          source link-address option (1), length 8 (1): 00:21:86:9f:d4:51
            0x0000:  0021 869f d451
18:41:58.541341 IP6 (flowlabel 0x1619b, hlim 255, next-header ICMPv6 (58) payload length: 8) fe80::221:86ff:fe9f:d451 > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 8
18:41:58.543749 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::fad1:11ff:fe30:1a21 > ff02::1:ff9f:d451: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::221:86ff:fe9f:d451
          source link-address option (1), length 8 (1): f8:d1:11:30:1a:21
            0x0000:  f8d1 1130 1a21
18:41:58.544189 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::221:86ff:fe9f:d451 > ff02::1:ff00:0: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has ::
          source link-address option (1), length 8 (1): 00:21:86:9f:d4:51
            0x0000:  0021 869f d451
18:41:58.811045 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::221:86ff:fe9f:d451 > ff02::1:ff00:0: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has ::
          source link-address option (1), length 8 (1): 00:21:86:9f:d4:51
            0x0000:  0021 869f d451
18:42:39.338061 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::22cf:30ff:fe4c:3213 > ff02::1:ff00:0: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has ::
          source link-address option (1), length 8 (1): 20:cf:30:4c:32:13
            0x0000:  20cf 304c 3213

I don't see any RA in the dump.
There are RS and NS.

Hm - I retried it by capturing on my laptop and I was able to find the RA:

It's weird but maybe we overlooked something. Please post the following as they stand now:

uci show network; uci show firewall; uci show dhcp; \
ip link sh; ip -4 addr ; ip -4 ro ; ip -4 ru; \
ip -6 addr ; ip -6 ro ; ip -6 ru; \
iptables-save -c; ip6tables-save -c; \
head -n -0 /etc/firewall.user; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*

http://ix.io/237z

The RA was sent by mac address f8:d1:11:30:1a:21
It doesn't match any of the mac addresses of the interfaces of your router.

You need to verify to whom this MAC belongs and why it is sending RAs.
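The check described above (who sent the RA, and does it carry a DNS server) can be done programmatically; this is an added example, not part of the original thread. It parses a raw ICMPv6 Router Advertisement per RFC 4861 and RFC 8106 without verifying the checksum; the sample packet is constructed, and its RDNSS address, lifetimes and the expected-router MAC are assumptions.

```python
import ipaddress
import struct

RA_TYPE, OPT_SLLA, OPT_RDNSS = 134, 1, 25   # RFC 4861 / RFC 8106 numbers

def parse_ra(icmp6: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement, starting at the type byte."""
    if len(icmp6) < 16 or icmp6[0] != RA_TYPE:
        raise ValueError("not a router advertisement")
    ra = {"sender_mac": None, "rdnss": [], "rdnss_lifetime": None}
    off = 16                                  # options follow the fixed header
    while off + 2 <= len(icmp6):
        # The option length field counts 8-byte units; 0 is invalid.
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option")
        body = icmp6[off + 2:off + opt_len]
        if opt_type == OPT_SLLA:
            ra["sender_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif opt_type == OPT_RDNSS and opt_len >= 24:
            # body = reserved(2) + lifetime(4) + one or more 16-byte addresses
            ra["rdnss_lifetime"] = struct.unpack_from("!I", body, 2)[0]
            for i in range(6, len(body) - 15, 16):
                ra["rdnss"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off += opt_len
    return ra

def unexpected_ra(icmp6: bytes, expected_router_macs: set) -> list:
    """List reasons why this RA should not be on the segment."""
    ra = parse_ra(icmp6)
    findings = []
    # The SLLA option is what the sender claims; also compare the Ethernet source.
    if ra["sender_mac"] not in expected_router_macs:
        findings.append(f"RA from unexpected MAC {ra['sender_mac']}")
    if ra["rdnss"] and ra["rdnss_lifetime"]:  # lifetime 0 withdraws the servers
        findings.append("advertises DNS " + ", ".join(ra["rdnss"]))
    return findings

# Constructed sample RA: MAC and link-local address taken from the thread,
# lifetimes and the expected-router MAC below are made up for illustration.
SAMPLE_RA = (
    bytes([RA_TYPE, 0, 0, 0, 64, 0]) + struct.pack("!HII", 1800, 0, 0)
    + bytes([OPT_SLLA, 1]) + bytes.fromhex("f8d111301a21")
    + bytes([OPT_RDNSS, 3, 0, 0]) + struct.pack("!I", 1800)
    + ipaddress.IPv6Address("fe80::fad1:11ff:fe30:1a21").packed
)

if __name__ == "__main__":
    for finding in unexpected_ra(SAMPLE_RA, {"02:00:00:00:00:01"}):
        print(finding)
```
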

That MAC address belongs to a separate OpenWRT router that I only use as a vlan enabled switch and additional wifi AP.

Here is the config: http://ix.io/237D

That router is only a DHCP client and is connected to my network via a lan port that carries my normal network untagged and the DMZ lan tagged on tag 3.

I wonder how it can do RA when the LAN interface is set to DHCP client and the WAN interface is not even connected.

These are some lines from the syslog of that router:

Fri Nov 29 17:17:23 2019 daemon.notice netifd: lan (1138): udhcpc: sending renew to 172.18.0.10
Fri Nov 29 17:17:23 2019 daemon.notice netifd: lan (1138): udhcpc: lease of 172.18.0.22 obtained, lease time 600
Fri Nov 29 17:18:27 2019 authpriv.info dropbear[2145]: Child connection from 172.18.0.10:45580
Fri Nov 29 17:18:31 2019 authpriv.notice dropbear[2145]: Password auth succeeded for 'root' from 172.18.0.10:45580
Fri Nov 29 17:19:12 2019 daemon.warn odhcpd[821]: DHCPV6 SOLICIT IA_NA from 000300010015998689dd on br-lan: no addresses available
Fri Nov 29 17:20:18 2019 authpriv.info dropbear[2145]: Exit (root): Disconnect received
Fri Nov 29 17:20:25 2019 authpriv.info dropbear[2233]: Child connection from 172.18.0.10:45598
Fri Nov 29 17:20:30 2019 authpriv.notice dropbear[2233]: Password auth succeeded for 'root' from 172.18.0.10:45598
Fri Nov 29 17:20:30 2019 authpriv.info dropbear[2233]: Exit (root): Disconnect received
Fri Nov 29 17:21:20 2019 daemon.warn odhcpd[821]: DHCPV6 SOLICIT IA_NA from 000300010015998689dd on br-lan: no addresses available
Fri Nov 29 17:22:23 2019 daemon.notice netifd: lan (1138): udhcpc: sending renew to 172.18.0.10
Fri Nov 29 17:22:23 2019 daemon.notice netifd: lan (1138): udhcpc: lease of 172.18.0.22 obtained, lease time 600
Fri Nov 29 17:22:24 2019 user.notice firewall: Reloading firewall due to ifupdate of lan (br-lan)
Fri Nov 29 17:23:14 2019 daemon.warn odhcpd[821]: DHCPV6 SOLICIT IA_NA from 000300010015998689dd on br-lan: no addresses available

dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'

Ah - that fixed it. Thanks for your help!

I really wonder why that didn't get disabled when I switched the lan interface to DHCP-Client mode when I initially set up that router though.

Because there are link local addresses and ra and dhcpv6 were activated.

If your problem is solved, feel free to mark the relevant post as the solution; and edit the title to add "[SOLVED]" to the beginning (click the pencil behind the topic).
