Hi,
I'm running OpenWrt 19.07.1 on an Edgerouter X.
There are several downstream interfaces. For my lan interface IPv6 Router Advertisements are activated and work beautifully.
On another downstream interface though (DMZ) IPv6 Router Advertisements and the DHCPv6 server are completely disabled since I configure addresses statically.
Regardless, the router sends a Router Advertisement packet every 10 minutes out on the DMZ interface, announcing the prefix from the LAN if wtf
I'm completely stuck and do not understand how this can happen.
This configuration is delegating my downstream interface an IP like this: my prefix:5000::1/64
It's called DHCPv6 Prefix Delegation. It has nothing to do with NDP or Router Advertisement.
And even if it would send out Router Advertisements, why would it use the network identifier of another Interface at all?
The devices in DMZ get their IP addresses configured manually, that's how they know.
It seems you don't understand the problem actually.
Let's just look at the two downstream interfaces, all right?
LAN having myprefix:1b::/64
DMZ having myprefix:5000::/64
Hosts in DMZ are receiving Router Advertisements, ok. I deactivated the router to send Router Advertisements on that interface but hey, ok, it's a router - as you say.
But why the heck does it announce myprefix:1b:: on DMZ??? I ran tcpdump on a client device and yes, it does receive those Advertisements from the router.
Here's a screenshot:
OK, I read the Wikipedia page. It doesn't answer why I'm having this problem, well actually those two problems:
Having OpenWrt sending RA even though it's deactivated and
Sending RA with the wrong network ID.
With other routers like Cisco or Nokia it's no problem to deactivate RA on a downstream Interface at all. Are you trying to say with OpenWrt I cannot disable them?
OK, cool - thank you for reading the Wiki, I'll try my best to explain.
First, I believe you can disable them; but I don't believe you truly desire this.
You did disable "on a downstream interface"...I think you just want all packets to disappear, regardless of the protocol
The other issue (in my mind) is perhaps Cisco or Nokia runs the DHCPv6-PD "magic" in another process than default OpenWrt software
I offered what I believe to be the easiest suggestions to troubleshoot:
Verify some NA, or RS, then maybe block them
Block TX of the RA
Not exactly.
I agree you want them to stop. So, can you try to actually disable the process odhcpd in System > Startup - reboot, and see if this provides the effect you desire?
Again, I suggest the firewalling first; as I don't think the DHCPv6PD will work after truly disabling.
What do you actually mean by this?
I thought we covered this, that's untrue - disabling the process odhcpd should do that. In addition, you seem unwilling to identify the actual packets that prompt routers to respond with an RA.
Router Advertisements communicate a specific prefix to a client so they know within which prefix they shall claim themselves an IP address. For my lan interface for example an advertisement is sent with the prefix myprefix:1b::/64. As a result the clients will claim an IP like this:
myprefix:1b:34da:7d23:17af:2383
That's exactly what I want and is expected behaviour.
As OpenWrt sends such an advertisement not only on my LAN interface but also DMZ, clients within this DMZ domain also get these packets and assign themselves an IP. Well, them getting an automatic IP per se is not the problem, but the actual problem is that within the DMZ domain (which is 5000, not 1b) they also receive such packets with 1b instead of 5000 in the header. I strongly believe this is a bug, since I can't find a problem in my config whatsoever.
As a result my host in DMZ will get an IP myprefix:1b:x:y:z:1 which is 100% wrong, because those addresses belong to the LAN domain of my network. Thus, their IPv6 connectivity is completely lost because they try to communicate with that IP and that - of course - cannot work.
I could of course just block those packets at the clients but it's some kind of vicious circle because I run my network IPv6 only and I automatically deploy hosts with Ansible. The hosts are not reachable anymore the moment a host in DMZ receives an RA and assigns itself a wrong IP.
What about my config is invalid? I'm totally serious about that.
On my upstream I get delegated a /48 prefix statically. The way I configure my downstream interface (DMZ) is perfectly legitimate.
Do you think I have to assign the IP on DMZ manually instead? I mean I could try that but that's not the way IPv6 is supposed to work. Prefix Delegation is a superb mechanism and I would like to use it.
Still, advertising 1b on DMZ is just wrong, even with my current configuration.
You're giving a hint and seeking a prefix on an interface you also want RAs disabled on - which you also state is statically assigned. You don't see the problem?
Okay.
Then you need no hints and prefixes, you just assign an IP (and obviously a prefix) in a /64, from the /48 - to the DMZ interface. If you have static assignments as you say, simply remove the dynamic configs if you don't want dynamic stuff on your DMZ. Let's test something to see if it actually stops.
I do see the problem, which is the router sending RAs while it's actually deactivated for the downstream interface.
Yeah, that's another way of doing it, but the more cumbersome, since it's harder to deploy.
I just tested it though. Problem persists.
Yeah it is. As a workaround I tried to disable RA for the DMZ interface completely, which in the end just does not stop sending RAs. Maybe some people have another definition of "disabled" than I have
I can't find anything in OpenWrt's documentation about onlink bit. Can you please point me?
You can't really expect to have ipv6 without RAs as far as I know. Even with static assignment I'm not sure what happens if a client does NDP asking for a router and the router doesn't respond.
But the thing you're seeing is NOT normal. Lots of people have multiple ipv6 subnets and don't get RAs for the wrong prefix on the wrong subnet. So, I'm not sure what's happening, but basically it's not normal, it's a specific bug in your setup somewhere.
Install tcpdump on the router, if not already installed, and run the following:
tcpdump -xvvn -i eth0.13 icmp6 and ip6[40] == 134
Let it run till you get the packet captured and post here the output.
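To make the capture above actionable, here is an added example (not from anyone in this thread) that parses the hex of a captured ICMPv6 Router Advertisement, pulls out every Prefix Information Option, and flags any prefix that is not the one configured for that segment. The IPv6 source and the documentation prefixes 2001:db8:0:1b::/64 and 2001:db8:0:5000::/64 are constructed stand-ins for the thread's myprefix:1b and myprefix:5000.

```python
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58
ICMPV6_ROUTER_ADVERTISEMENT = 134  # the ip6[40] == 134 in the tcpdump filter above
OPT_PREFIX_INFORMATION = 3         # RFC 4861 section 4.6.2

def parse_ra_prefixes(pkt: bytes):
    """Prefixes announced by an IPv6 packet carrying an ICMPv6 RA; [] if it is not an RA."""
    if len(pkt) < 56 or pkt[0] >> 4 != 6 or pkt[6] != ICMPV6_NEXT_HEADER:
        return []
    icmp = pkt[40:]
    if icmp[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return []
    prefixes = []
    off = 16  # skip the fixed 16-byte RA header, then walk the TLV options
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8
        if olen == 0:  # malformed option length; stop instead of looping forever
            break
        if otype == OPT_PREFIX_INFORMATION and olen == 32 and off + olen <= len(icmp):
            plen = icmp[off + 2]
            addr = ipaddress.IPv6Address(icmp[off + 16:off + 32])
            prefixes.append(ipaddress.IPv6Network((addr, plen), strict=False))
        off += olen
    return prefixes

def rogue_prefixes(pkt: bytes, expected: str):
    """Prefixes in the RA that differ from the prefix configured on this interface."""
    want = ipaddress.IPv6Network(expected)
    return [str(p) for p in parse_ra_prefixes(pkt) if p != want]

def build_ra(src: str, prefix: str) -> bytes:
    """Constructed sample packet: an RA from src announcing prefix (checksum left zero)."""
    net = ipaddress.IPv6Network(prefix)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen, 0xC0,
                      86400, 14400, 0) + net.network_address.packed
    icmp = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0) + pio
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6_NEXT_HEADER, 255)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed + icmp

if __name__ == "__main__":
    # Constructed case: the LAN prefix showing up in an RA seen on the DMZ segment.
    ra = build_ra("fe80::1", "2001:db8:0:1b::/64")
    print(rogue_prefixes(ra, "2001:db8:0:5000::/64"))  # ['2001:db8:0:1b::/64']
```

To use it on a real capture, replace build_ra() with bytes.fromhex() of the packet hex that tcdump -x prints, starting at the IPv6 header.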
This problem still exists with git. But it's buggier than described here: With several VLAN interfaces with different prefixes (hint), instantly after a "service dnsmasq restart" every VLAN gets every prefix announced, also the one which should not get RA at all.
I tried with dnsmasq and odhcp, same result. But dnsmasq works less well: Even if DNS server announcement is disabled, it announces itself