Stop OpenWrt client presenting itself as IPv6 router

Hello!
Since Atlas Probe does not ship out HW probes anymore, I have set up an LXC Proxmox container running OpenWrt, on which a software probe is running.

Everything works fine: I have created a LAN interface which is getting IPs from my upstream router, disabled the dnsmasq and odhcpd services, and the Atlas probe works just fine.

However, I am having huge issues with OpenWrt still presenting itself as a router on the network. This causes my MikroTik upstream router to add it as a neighbor, and so all traffic starts flowing to OpenWrt (which, however, should only be a client):


(you can see the "feeb:d2de" neighbor on the bridge is marked as "R", aka router)

When I shut down the OpenWrt VM and reset the IPv6 configuration on my clients, IPv6 works fine. As soon as I turn it back on, all new clients will add a route to OpenWrt, which will dramatically break the network.

This is my configuration:

root@atlas-probe:~# cat /etc/config/network 

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config interface 'lan'
        option proto 'dhcp'
        option device 'eth0'

config interface 'lan6'
        option proto 'dhcpv6'
        option device 'eth0'
root@atlas-probe:~# cat /etc/config/dhcp 

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config dhcp 'lan6'
        option interface 'lan6'
        option ignore '1'

config dhcp 'wan6'
        option interface 'wan6'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

Do you have any details on how MikroTik's router detection works?
If it is, for example, using ICMP/ping to the all-routers link-local address (try ping -6 FF02::02), which the OpenWrt router replies to, it may be recognized as a router even though it is not sending out RAs?
A tcpdump of the OpenWrt's lan interface may give you a hint as to which mechanism is used, or whether the OpenWrt router is still sending RAs.

If the router detection by the Mikrotik is indeed done via icmp to the all routers link local multicast you could try blocking it on the OpenWrt's lan interface with:

config rule
	option name 'block_icmpv6_allrouters'
	list proto 'icmp'
	option src 'lan'
	list dest_ip 'ff02::2'
	option target 'DROP'

in /etc/config/firewall

Try this:

echo "net.ipv6.conf.br-lan.forwarding = 0" >> /etc/sysctl.conf
service sysctl restart

This is assuming your LAN interface is the standard br-lan device.

Hello, according to MikroTik, it will send ND on the enabled interfaces.

OpenWrt responds with "Multicast listener report message":

Frame 428: 150 bytes on wire (1200 bits), 150 bytes captured (1200 bits)
Ethernet II, Src: ProxmoxS_eb:d2:de (bc:24:11:eb:d2:de), Dst: IPv6mcast_16 (33:33:00:00:00:16)
Internet Protocol Version 6, Src: fe80::be24:11ff:feeb:d2de, Dst: ff02::16
Internet Control Message Protocol v6
    Type: Multicast Listener Report Message v2 (143)
    Code: 0
    Checksum: 0xf2ff [correct]
    [Checksum Status: Good]
    Reserved: 0000
    Number of Multicast Address Records: 4
    Multicast Address Record Changed to exclude: ff02::1:ff00:0
        Record Type: Changed to exclude (4)
        Aux Data Len: 0
        Number of Sources: 0
        Multicast Address: ff02::1:ff00:0
    Multicast Address Record Changed to exclude: ff02::1:ffeb:d2de
        Record Type: Changed to exclude (4)
        Aux Data Len: 0
        Number of Sources: 0
        Multicast Address: ff02::1:ffeb:d2de
    Multicast Address Record Changed to exclude: ff05::2
        Record Type: Changed to exclude (4)
        Aux Data Len: 0
        Number of Sources: 0
        Multicast Address: ff05::2
    Multicast Address Record Changed to exclude: ff02::2
        Record Type: Changed to exclude (4)
        Aux Data Len: 0
        Number of Sources: 0
        Multicast Address: ff02::2

Router solicitation:

Frame 313: 70 bytes on wire (560 bits), 70 bytes captured (560 bits)
Ethernet II, Src: ProxmoxS_eb:d2:de (bc:24:11:eb:d2:de), Dst: IPv6mcast_02 (33:33:00:00:00:02)
Internet Protocol Version 6, Src: fe80::be24:11ff:feeb:d2de, Dst: ff02::2
Internet Control Message Protocol v6
    Type: Router Solicitation (133)
    Code: 0
    Checksum: 0x3951 [correct]
    [Checksum Status: Good]
    Reserved: 00000000
    ICMPv6 Option (Source link-layer address : bc:24:11:eb:d2:de)
        Type: Source link-layer address (1)
        Length: 1 (8 bytes)
        Link-layer address: ProxmoxS_eb:d2:de (bc:24:11:eb:d2:de)

A "solicit" (no idea what it means):

Frame 440: 168 bytes on wire (1344 bits), 168 bytes captured (1344 bits)
Ethernet II, Src: ProxmoxS_eb:d2:de (bc:24:11:eb:d2:de), Dst: IPv6mcast_01:00:02 (33:33:00:01:00:02)
Internet Protocol Version 6, Src: fe80::be24:11ff:feeb:d2de, Dst: ff02::1:2
User Datagram Protocol, Src Port: 546, Dst Port: 547
DHCPv6
    Message type: Solicit (1)
    Transaction ID: 0x548167
    Elapsed time
        Option: Elapsed time (8)
        Length: 2
        Elapsed time: 1080ms
    Option Request
        Option: Option Request (6)
        Length: 24
        Requested Option code: SIP Server Domain Name List (21)
        Requested Option code: SIP Servers IPv6 Address List (22)
        Requested Option code: DNS recursive name server (23)
        Requested Option code: Domain Search List (24)
        Requested Option code: Simple Network Time Protocol Server (31)
        Requested Option code: NTP Server (56)
        Requested Option code: Dual-Stack Lite AFTR Name (64)
        Requested Option code: Prefix Exclude (67)
        Requested Option code: S46 MAP-E Container (94)
        Requested Option code: S46 MAP-T Container (95)
        Requested Option code: S46 Lightweight 4over6 Container (96)
        Requested Option code: SOL_MAX_RT (82)
    Client Identifier
        Option: Client Identifier (1)
        Length: 10
        DUID: 00030001bc2411ebd2de
        DUID Type: link-layer address (3)
        Hardware type: Ethernet (1)
        Link-layer address: bc:24:11:eb:d2:de
    Reconfigure Accept
        Option: Reconfigure Accept (20)
        Length: 0
    Client Fully Qualified Domain Name
        Option: Client Fully Qualified Domain Name (39)
        Length: 14
        Flags: 0x00  [CLIENT wants to update its AAAA RRs and SERVER to update its PTR RRs]
            .... .0.. = N bit: Server SHOULD perform PTR RR updates
            .... ...0 = S bit: Server SHOULD NOT perform AAAA RR updates
        Top Level Domain name (TLD): atlas-probe.
    Identity Association for Non-temporary Address
        Option: Identity Association for Non-temporary Address (3)
        Length: 12
        IAID: 00000001
        T1: 0
        T2: 0
    Identity Association for Prefix Delegation
        Option: Identity Association for Prefix Delegation (25)
        Length: 12
        IAID: 00000001
        T1: 0
        T2: 0

First verify that the OpenWrt is indeed sending RAs.
opkg update; opkg install tcpdump; tcpdump -i any -c 5 -nn -Q out 'icmp6 && ip6[40] == 134'
If it captures packets, we'll troubleshoot why it does. If there is nothing in a few minutes, it means that it doesn't send any RAs.

Yes, that is Neighbour Discovery (NDP is the ipv6 equivalent of ipv4's ARP).

OpenWrt will reply as a neighbour. It will reply as a router if forwarding is enabled (as it is by default in OpenWrt, in contrast to generic Linux where it is not).

As your OpenWrt device is NOT acting as a router you must turn forwarding off if it is important for it not to be added as a router by your MikroTik.

See my previous post in this thread.... Or am I invisible?

MikroTik wants to find routers via NDP, so it sends a solicitation by multicast.

OpenWrt sees the solicitation and as it has forwarding enabled it replies with a solicit saying "yes, me, I'm a router".

Sorry, I thought I had enabled it, but I forgot to restart sysctl.
Indeed, after adding the following options to /etc/sysctl.conf and restarting the router, MikroTik does not add the device as a router anymore.

net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.all.forwarding = 0
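
A check for the fix the thread arrives at, added here as an example and not written by any poster: it reports interfaces where IPv6 forwarding is still on at runtime, settings missing from /etc/sysctl.conf, and defines a tcpdump filter for Neighbor Advertisements carrying the Router flag that Linux sets while forwarding is enabled. The function names, the `NA_ROUTER_FILTER` variable and the interface list `default all eth0` are assumptions based on the posts above.

```shell
#!/bin/sh
# Added example (not from the thread). Paths and interface names are assumptions
# taken from the posts above; adjust them for your own device.

# Print the interfaces whose runtime IPv6 forwarding flag is non-zero.
# $1: sysctl tree to inspect (parameterised so a constructed tree can be checked).
audit_forwarding() {
    root="${1:-/proc/sys/net/ipv6/conf}"
    bad=""
    for f in "$root"/*/forwarding; do
        [ -r "$f" ] || continue
        iface="${f%/forwarding}"
        iface="${iface##*/}"
        [ "$(cat "$f")" = "0" ] || bad="$bad $iface"
    done
    echo "${bad# }"
}

# Print the names from $2 that have no "forwarding = 0" line in sysctl file $1,
# i.e. settings that would be lost at the next reboot.
missing_persist() {
    file="$1"
    missing=""
    for iface in $2; do
        key="net\.ipv6\.conf\.$iface\.forwarding"
        grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*0[[:space:]]*\$" "$file" \
            2>/dev/null || missing="$missing $iface"
    done
    echo "${missing# }"
}

# tcpdump filter for Neighbor Advertisements (type 136) with the Router flag
# (0x80 in the byte after the checksum) set; assumes no IPv6 extension headers.
# Usage on the probe: tcpdump -i eth0 -nn -c 5 -Q out "$NA_ROUTER_FILTER"
NA_ROUTER_FILTER='icmp6 && ip6[40] == 136 && ip6[44] & 0x80 != 0'

live=$(audit_forwarding)
lost=$(missing_persist /etc/sysctl.conf "default all eth0")
echo "forwarding enabled at runtime on: ${live:-none}"
echo "not persisted in /etc/sysctl.conf: ${lost:-none}"
```

If the tcpdump filter still captures packets after the sysctl change, the neighbor entry on the upstream router will keep its "R" mark until those advertisements stop.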