[solved] IPV6 temporary addresses on a router? (NOT PE)

I/O error :dizzy_face:

This one worked, setting net.ipv6.conf.default.stable_secret with this value and rebooting... nope...
Just like before, only the tun interface has a secret.


  • You add it as a line in /etc/sysctl.conf, then reboot

You replace the xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx string with the value produced by running the head command syntax. Since you don't have a hardware-based Random Number Generator, use the urandom command I posted.


@lleachii this is my sysctl.conf:

net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.default.stable_secret = "whatcamefromurandom"

After rebooting, sysctl says:

sysctl: error reading key 'net.edma.default_group3_vlan_tag': Operation not permitted
sysctl: error reading key 'net.edma.default_group4_vlan_tag': Operation not permitted
sysctl: error reading key 'net.edma.default_group5_vlan_tag': Operation not permitted
sysctl: error reading key 'net.ipv6.conf.6in4-he_1_nyc.stable_secret': I/O error
net.ipv6.conf.6in4-he_1_nyc.use_tempaddr = -1
sysctl: error reading key 'net.ipv6.conf.all.stable_secret': I/O error
net.ipv6.conf.all.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.br-guest.stable_secret': I/O error
net.ipv6.conf.br-guest.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.br-lan.stable_secret': I/O error
net.ipv6.conf.br-lan.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.default.stable_secret': I/O error
net.ipv6.conf.default.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.eth0.stable_secret': I/O error
net.ipv6.conf.eth0.use_tempaddr = 0
sysctl: error reading key 'net.ipv6.conf.eth0.101.stable_secret': I/O error
net.ipv6.conf.eth0.101.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.eth0.102.stable_secret': I/O error
net.ipv6.conf.eth0.102.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.eth1.stable_secret': I/O error
net.ipv6.conf.eth1.use_tempaddr = 0
sysctl: error reading key 'net.ipv6.conf.ifb0.stable_secret': I/O error
net.ipv6.conf.ifb0.use_tempaddr = 0
sysctl: error reading key 'net.ipv6.conf.ifb1.stable_secret': I/O error
net.ipv6.conf.ifb1.use_tempaddr = 0
sysctl: error reading key 'net.ipv6.conf.ifb4eth1.stable_secret': I/O error
net.ipv6.conf.ifb4eth1.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.lo.stable_secret': I/O error
net.ipv6.conf.lo.use_tempaddr = -1
sysctl: error reading key 'net.ipv6.conf.pppoe-wan.stable_secret': I/O error
net.ipv6.conf.pppoe-wan.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.sit0.stable_secret': I/O error
net.ipv6.conf.sit0.use_tempaddr = -1
net.ipv6.conf.tun0.use_tempaddr = -1
sysctl: error reading key 'net.ipv6.conf.wlan0.stable_secret': I/O error
net.ipv6.conf.wlan0.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.wlan0-1.stable_secret': I/O error
net.ipv6.conf.wlan0-1.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.wlan1.stable_secret': I/O error
net.ipv6.conf.wlan1.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.wlan1-1.stable_secret': I/O error
net.ipv6.conf.wlan1-1.use_tempaddr = 2

Something fishy is going on here, I'd say.

I would say so. You didn't use quotes, did you?


Aside from those 3 lines, it isn't completely empty, is it?

The tunnel broker uses a 6in4-tunnel interface.
I'm not sure it supports all the native IPv6 features.
It even requires you to configure it statically.

I assigned the string about a year ago based on this thread: Cascading routers, dhcpv6 and unwanted EUI64 w/SLAAC on wan6

I just set this up on my router, it's working on mine. My LAN has a privacy IPv6 address with a prefix from the HE tunnel.

This won't work on the tunnel, it has an assigned IP, you do this on the downstream interfaces (i.e. LAN, Guest, etc.).


Does this apply to your LAN interface or the tunnel interface?
I mean, it likely works for the former, but not the latter.


I did use them, when I tried the command live it complained without the quotes.
Trying again without.

Hold on, I added them precisely to enable PE as discussed with @silentcreek
Still, commenting them out...

/etc/sysctl.conf only had those 3 lines, the defaults live in files under /etc/sysctl.d/

# Do not edit, changes to this file will be lost on upgrades
# /etc/sysctl.conf can be used to customize sysctl settings
# Do not edit, changes to this file will be lost on upgrades
# /etc/sysctl.conf can be used to customize sysctl settings


Rebooted, still have the I/O errors, still no PE addresses BUT... the secret is now set!
Re-adding the "2" mode, rebooting... nope ;(

Ok, now I have to do a language test for school, then I'll read the thread @lleachii posted and get back here.

LAN and Guest networks. As you noted, the tunnel has an IP assigned from HE.

It appears my IPV6 DNS requests now use a privacy address on every interface with a random suffix applied (haven't tested disabling binding to the HE tunnel IP).

Setting a string enables them. You enabled temporary addresses.

You will have I/O errors in the log for any interface that doesn't have IPv6 enabled. Not sure how you know a secret is set if you don't have an IP.

Did you set on your interface:

	option ip6assign '64'
	option ip6ifaceid 'random'
	option ip6class '<henet_interface_name> local'
  • Do you have a /48 issued from HE?

Yeah I am having a hard time understanding the problem, this works?

In addition, every restart of the interface brings it something different. I am sure you could get proper privacy extensions working but likely at a loss of network stability if a device happens to miss an RA. In a perfect world it would be marked as deprecated and continue accepting the traffic, but as it's forwarding I struggle to understand the benefit to it as it won't show anywhere upstream anyways?

Hold on, now I'm lost: I understood temporary addresses were the actual result of enabling PE.
In fact, on my raspi all I had to do to get them was set tempaddr to 2 and reboot: I just checked and I have no stable_secret key there, yet temporary addresses exist and are correctly used.

Oh, I checked the output of "sysctl -a" after rebooting:

net.ipv6.conf.6in4-he_1_nyc.stable_secret = xxxx
sysctl: error reading key 'net.ipv6.conf.all.stable_secret': I/O error
net.ipv6.conf.br-guest.stable_secret = xxxx
net.ipv6.conf.br-lan.stable_secret = xxxx
net.ipv6.conf.default.stable_secret = xxxx
sysctl: error reading key 'net.ipv6.conf.eth0.stable_secret': I/O error
net.ipv6.conf.eth0.101.stable_secret = xxxx
net.ipv6.conf.eth0.102.stable_secret = xxxx
sysctl: error reading key 'net.ipv6.conf.eth1.stable_secret': I/O error
sysctl: error reading key 'net.ipv6.conf.ifb0.stable_secret': I/O error
sysctl: error reading key 'net.ipv6.conf.ifb1.stable_secret': I/O error
net.ipv6.conf.ifb4eth1.stable_secret = xxxx
sysctl: error reading key 'net.ipv6.conf.lo.stable_secret': I/O error
net.ipv6.conf.pppoe-wan.stable_secret = xxxx
sysctl: error reading key 'net.ipv6.conf.sit0.stable_secret': I/O error
net.ipv6.conf.tun0.stable_secret = xxxx
net.ipv6.conf.wlan0.stable_secret = xxxx
net.ipv6.conf.wlan0-1.stable_secret = xxxx
net.ipv6.conf.wlan1.stable_secret = xxxx
net.ipv6.conf.wlan1-1.stable_secret = xxxx
net.ipv6.ip6frag_secret_interval = 0
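As an added example (my own script, not the commands from the thread), this generates a stable_secret value in the xxxx:xxxx:... form the sysctl expects, as @lleachii described earlier, and summarises a "sysctl -a" dump like the ones posted above per interface: the use_tempaddr mode and whether stable_secret is readable or comes back with "I/O error". The sample dump lines are constructed.

```shell
#!/bin/sh
# Added example (not the commands from the thread): make a stable_secret
# value from /dev/urandom in the form the sysctl expects, and summarise a
# "sysctl -a" dump per interface (use_tempaddr mode, stable_secret set?).

# 16 bytes from /dev/urandom as xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx,
# the IPv6-address form the stable_secret sysctl expects.
gen_stable_secret() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n' |
        sed 's/\(....\)/\1:/g; s/:$//'
}

# True only for the exact 8-group, 4-hex-digit form (no quotes, no spaces).
is_valid_stable_secret() {
    printf '%s' "$1" | grep -Eq '^([0-9a-f]{4}:){7}[0-9a-f]{4}$'
}

# The three lines for /etc/sysctl.conf; the value is written unquoted
# because sysctl passes the text literally.
sysctl_lines() {
    printf 'net.ipv6.conf.all.use_tempaddr = 2\n'
    printf 'net.ipv6.conf.default.use_tempaddr = 2\n'
    printf 'net.ipv6.conf.default.stable_secret = %s\n' "$1"
}

# Per-interface summary of a sysctl dump read from stdin. "I/O error" on
# stable_secret means no secret is set on that interface (or IPv6 is off
# there), so it is reported as "unset" rather than treated as a failure.
tempaddr_report() {
    awk '
    /^net\.ipv6\.conf\..*\.use_tempaddr = / {
        n = $0; sub(/^net\.ipv6\.conf\./, "", n); sub(/\.use_tempaddr = .*/, "", n)
        mode[n] = $NF; order[++k] = n }
    /^net\.ipv6\.conf\..*\.stable_secret = / {
        n = $0; sub(/^net\.ipv6\.conf\./, "", n); sub(/\.stable_secret = .*/, "", n)
        secret[n] = "set" }
    /error reading key .net\.ipv6\.conf\..*\.stable_secret.: I\/O error/ {
        n = $0; sub(/.*key .net\.ipv6\.conf\./, "", n); sub(/\.stable_secret.*/, "", n)
        secret[n] = "unset" }
    END { for (i = 1; i <= k; i++) { n = order[i]; s = (n in secret) ? secret[n] : "unknown"
        printf "%s use_tempaddr=%s stable_secret=%s\n", n, mode[n], s } }'
}

# Constructed sample in the format of the dumps posted above.
SAMPLE_SYSCTL="sysctl: error reading key 'net.ipv6.conf.eth0.stable_secret': I/O error
net.ipv6.conf.eth0.use_tempaddr = 0
net.ipv6.conf.eth0.101.stable_secret = xxxx
net.ipv6.conf.eth0.101.use_tempaddr = 2"
printf '%s\n' "$SAMPLE_SYSCTL" | tempaddr_report
```

Pipe the real `sysctl -a 2>&1 | grep ipv6.conf` output into tempaddr_report to get the same one-line-per-interface view of a live router.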

Yes for both br-lan and br-guest.

Nope, I used a specific value as suggested earlier

Nope, if I do that I get no IPV6 addresses at all. That's still an open issue for me.

Yes, according to he.net control panel and ifstatus.
I have 3 different /64 assigned to lan, guest and vpn interfaces.

If you entered a value in ip6ifaceid, then it's impossible that it would use the random secret, agreed?

Change to random.

"Temporary" and "private" IPv6 addresses are actually 2 separate concepts. You can have privacy IPs without enabling temporary ones. See: https://en.wikipedia.org/wiki/IPv6_address#Temporary_addresses

The link you provided is wrong if you're editing the file manually (and not using UCI):

# add under /etc/config/network in your interface config
option ip6class 'he_1_nyc local'

Are you sure your interface name is he_1_nyc?

I could agree but it would be almost meaningless: I'm not sure I fully appreciate the difference.
Anyhow, I did it and now I get a random address which looks just as random as a temporary address, to me.

The source of my confusion is perhaps NetworkManager... Come to think of it, also @silentcreek wrote something similar in the referenced post

I must have misunderstood this: I conflated PE and temporary addresses. Let me try to put it in my own words and see if I get it right: PE is a way to produce a predictable address that gives away no information about the MAC yet is stable within a prefix. Pass?

Then the documentation is also wrong: the table says "list of strings" and the config sample uses "list" instead of "option" for ip6class. I changed the config, restarted the interface and now I get addresses from both ULA and he.net prefixes, with my chosen suffix.
Using just one of the names also works as expected.

Yes, it is what I use for ifup / ifdown.

Up to now,

  • I've found out that I wanted temporary addresses and learnt instead how to enable PE (changed title of post)
  • I still have no clue why I can't get temporary addresses :frowning: for the he.net prefix (for the ULA one it is pointless, of course)


It seems that you did so correctly, I simply provided instructions for Privacy. If you so desire, just enable it. The result should be 1-2 rotating IPs in addition to the one that doesn't change. I've never tried on a router because you can miss an RA (as @SeSe1 noted - albeit he misidentified it as privacy-only instead of temporary).

Temporary addresses rotate during uptime, a privacy IP alone is per boot.

  • Because it's a Layer 3 tunnel, it doesn't even need an address.
  • Because HE assigned an IP to your side

Ah-ha, so it might actually be a bad idea altogether? Wonderful :smiley:

I'll rephrase: I still have no clue why I can't get a temporary address on lan and guest for addresses derived from the he.net/64 assigned to each interface. I know the tunnel is fixed, I wasn't talking about that.

OK, I added to the bottom of my sysctl.conf:


After rebooting, I see no "temporary" IPs - only the privacy extension-based IP. I find it very hard to believe a router could rotate its IP safely anyways.


Point taken.

Couple of final (?) questions:

  • @jow could you please verify my finding regarding the documentation of ipclass?
    (EDIT: nevermind...)
  • @lleachii with your PE-setup, do you deal with cases where you need to reference the router lan IPV6 in a config?

PEs from my experience don't have a LAN.

For CEs (or any device with a Public IPv6 address), you can assign/bind any address you desire to the interface. So yes, I have.

  • I've handed out the DNS server IP of the assigned LAN IPv6 address (not the default link local). I had that config for years until configuring the above to test in this thread. When I enabled privacy extensions in the past, I had to assign an IP due to the link local rotating. I did it to explicitly state the IP in firewall configs. I edited it to a 53/udp accept input from zone x
  • I've assigned an IPv6 address so the one issued by HE wasn't used in an AAAA record. You can assign the IP to any interface with proper firewall rules/route/prefix

If you need to reference the LAN IP in a config, you'll have to assign it.

