Router does generate multiple routable IPv6 addresses

I recently installed OpenWrt 21.02.1 r16325-88151b8303 on my home router. I'm using PPPoE as provided by my ISP.

After some configuration of multiple packages (ddns, openvpn, trying then uninstalling multiple qos solutions, ...) I figured that it now assigns two globally-routable IPv6 addresses to all my devices. (I'm of course excluding local-only IPv6 addresses.) I don't know if it already had that behavior before installing all my packages.

Example for one of my devices:

2a02:a03f:a0af:da00:211:32ff:fe59:768e
2a02:a03f:a0af:da00::134

The first one seems to be a modified EUI address (that was the same scheme that this device chose to use previously on my stock firmware). The second one seems to be based on the IPv4 address (10.42.0.134 for this device).

Both of these addresses are pingable from WAN.

Edit: Please note this has nothing to do with IPv6 privacy extensions. They are disabled on that device.

I don't like this behavior because it messes with the DDNS autoconfiguration I installed on my devices (some of them use one of these IPs in a random fashion) and makes firewall configuration more complicated (because I have to track multiple possible IPs).

Is it possible to disable this behavior and just have the first address?

Also, as a side note, do you know if that is OpenWrt's default behavior or did I activate some configuration without knowing it by installing some packages?

Thanks in advance.

Having multiple IPv6 addresses is normal; your first address is (most likely) the privext address (privacy extensions), the second your DHCPv6-assigned one. Your system usually uses the privext address for outgoing connections, and will change to another one at regular intervals (trying to hide your IP from the outside) - the DHCPv6 address is your 'real' persistent address available for incoming connections.

Using privext or not is a client-side decision; it needs to be enabled/disabled there.

4 Likes

No no no. This has nothing to do with IPv6 privacy extensions. The addresses I put in the first message come from a server that has them disabled.

My devices that have privacy extensions enabled actually have three globally routable IPv6 addresses. Example on an Ubuntu Desktop device:

    inet 10.42.0.149/16 brd 10.42.255.255 scope global dynamic noprefixroute wlx0022b06a75de
       valid_lft 43179sec preferred_lft 43179sec
    inet6 2a02:a03f:a0af:da00::241/128 scope global dynamic noprefixroute 
       valid_lft 43178sec preferred_lft 43178sec
    inet6 2a02:a03f:a0af:da00:15bc:ac6d:ebc1:93ff/64 scope global temporary dynamic 
       valid_lft 66710sec preferred_lft 52310sec
    inet6 2a02:a03f:a0af:da00:108d:feab:b746:a7f6/64 scope global dynamic mngtmpaddr noprefixroute

See?

  • 2a02:a03f:a0af:da00:108d:feab:b746:a7f6 address is the "normal" one
  • 2a02:a03f:a0af:da00:15bc:ac6d:ebc1:93ff is the privacy extensions one
  • 2a02:a03f:a0af:da00::241 is the additional one that seems to be based on the IPv4 address and that I want to get rid of

I edited the original message to be clear on that subject.

I managed to solve my problem, even though I don't really know how. Here are the things I did:

  • Uninstall openvpn server (it didn't work well according to my taste anyway)
  • In the LAN interface disable IPv6 RA-service and DHCP6-service.
  • Re-enable RA-service and DHCP6-service (that probably reset all parameters for those services to defaults)
  • Reboot

No more ::134-like IPv6 addresses on my devices. I don't know if it has anything to do with openvpn, probably not.

If anyone knows which configuration parameter caused those IPv6 addresses to be generated, that could be useful to someone else. Personally I kind of solved my problem.

  • Management - IP will be same...use for a server
  • Temporary - privacy
  • Noprefixroute - no route (so your statement is untrue and you wouldn't need to get rid of it for the reason you stated)

Hope this helps.

Can you show us your config? :man_shrugging:

I had the same issue and bouncing the RA/DHCPv6 settings worked for me.
I also happen to use a "large" PC Engine APU4 based router so I have the luxury of tracking my config directory on the router with git.

The following settings were removed:

    list ra_flags 'managed-config'
    list ra_flags 'other-config'
    option ra_mtu '1500'

As were a number of list domain settings though I doubt they were the culprit.
It is/was one or both of the ra_flags settings. The mtu setting shouldn't matter (and there's no reason to set it to the default of 1500).
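
Added example, not from any poster in this thread or from the OpenWrt project: a small Python classifier for the `ip addr` output discussed above, labelling each global IPv6 address by how it was obtained so that a DDNS client or firewall rule can be pinned to one stable address. Treating a `/128 dynamic` address as a DHCPv6 lease is a heuristic assumed from the output quoted in the thread, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: inet6 lines quoted in the thread, plus one constructed
# line carrying the EUI-64 address from the first post and a link-local line.
SAMPLE = """\
    inet6 2a02:a03f:a0af:da00::241/128 scope global dynamic noprefixroute
    inet6 2a02:a03f:a0af:da00:15bc:ac6d:ebc1:93ff/64 scope global temporary dynamic
    inet6 2a02:a03f:a0af:da00:108d:feab:b746:a7f6/64 scope global dynamic mngtmpaddr noprefixroute
    inet6 2a02:a03f:a0af:da00:211:32ff:fe59:768e/64 scope global dynamic mngtmpaddr
    inet6 fe80::211:32ff:fe59:768e/64 scope link
"""

LINE = re.compile(r"^\s*inet6\s+(\S+)/(\d+)\s+scope\s+(\S+)(.*)$")


def is_eui64(addr):
    """Modified EUI-64 interface IDs carry ff:fe in the middle of the MAC."""
    return addr.packed[11:13] == b"\xff\xfe"


def classify(ip_output):
    """Return [(address, kind)] for every global-scope inet6 line."""
    results = []
    for line in ip_output.splitlines():
        m = LINE.match(line)
        if not m or m.group(3) != "global":
            continue  # skip link-local and non-inet6 lines
        addr = ipaddress.IPv6Address(m.group(1))
        plen, flags = int(m.group(2)), set(m.group(4).split())
        if "temporary" in flags:
            kind = "slaac-temporary"      # privacy extensions
        elif plen == 128 and "dynamic" in flags:
            kind = "dhcpv6"               # heuristic (assumption, see lead-in)
        elif is_eui64(addr):
            kind = "slaac-eui64"
        elif plen == 64 and "dynamic" in flags:
            kind = "slaac-stable"
        else:
            kind = "static-or-unknown"
        results.append((str(addr), kind))
    return results


def stable_address(ip_output, prefer=("slaac-eui64", "slaac-stable", "dhcpv6")):
    """Pick one address to publish or allow; never a temporary one."""
    found = classify(ip_output)
    for wanted in prefer:
        for addr, kind in found:
            if kind == wanted:
                return addr
    return None
```

Changing the order of `prefer` selects the DHCPv6 lease instead when the router is meant to hand out managed addresses.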