Score:1

How to properly implement DHCPv6-PD to downstream router with Linux?

I am trying to configure a DIY Linux based IPv6 router / firewall to do the following:

  • Obtain a /56 prefix from the ISP on interface "wan0"
  • Provide /64 addresses to hosts on "lan1"
  • Provide /60 subnet to a downstream router on "lan2"

My initial choice of software to do this was systemd-networkd, with which the first two items were easy, but the third one is not supported (apparently, please correct me if I'm wrong).

I switched to a combination of dhcpcd, ISC DHCP and radvd (through the packages provided in Arch Linux, but I suppose there should not be any meaningful differences to the upstream software).

dhcpcd has been configured to obtain that /56 and assign addresses:

duid
persistent
vendorclassid
option domain_name_servers, domain_name, domain_search
option classless_static_routes
option interface_mtu
option host_name
option rapid_commit
require dhcp_server_identifier
slaac private
noipv4ll
waitip 6
waitip 4
interface wan0
    ipv6rs
    ia_na 1
    ia_pd 1/::/56 lan1/0/64 lan2/2/60
interface lan1
    noipv6rs
    static ip_address=172.21.0.1
interface lan2
    static ip_address=172.22.0.1

This results in the interfaces getting addresses based on the ISP's configuration, and seems to be correct.

DHCP has been configured to further advertise the downstream addresses and subnets:

default-lease-time 2592000;
preferred-lifetime 604800;
option dhcp-renewal-time 3600;
option dhcp-rebinding-time 7200;
allow leasequery;
dhcpv6-lease-file-name "/var/lib/dhcp/dhcpd6.leases";

subnet6 2XXX:YYYY:ZZZZ:dd00::/64 {
  range6 2XXX:YYYY:ZZZZ:dd00::2 2XXX:YYYY:ZZZZ:dd00:ffff:ffff:ffff:ffff;
}
subnet6 2XXX:YYYY:ZZZZ:dd20::/60 {
  prefix6 2XXX:YYYY:ZZZZ:dd20:: 2XXX:YYYY:ZZZZ:dd20:: /60;
  range6 2XXX:YYYY:ZZZZ:dd20::2 2XXX:YYYY:ZZZZ:dd20::ffff;
}

This also seems to be correct, as those ranges and subnets are eventually used by the downstream hosts on "lan1" and the downstream router on "lan2".

Initially, the above information was advertised through the following radvd configuration:

interface lan1 {
    AdvManagedFlag off;
    AdvOtherConfigFlag off;
    AdvSendAdvert on;
    AdvDefaultPreference high;
    prefix ::/64 {
        AdvOnLink on;
        AdvAutonomous on;
    };
};

interface lan2 {
    AdvManagedFlag off;
    AdvOtherConfigFlag off;
    AdvSendAdvert on;
    AdvDefaultPreference high;
    route ::/60 {
    };
};

I then replaced the latter interface stanza with a simpler: interface lan2 { }; which I think worked better (or maybe the same, but anyways is much shorter).

This also seems to be correct, in the sense that it is necessary for the hosts and routers to actually configure their interfaces.

However, all this configuration fails to do one crucial thing: the routes are not set up correctly. On this DIY router, the routes look like this:

$ ip -6 r
::1 dev lo proto kernel metric 256 pref medium
2XXX:YYYY:ZZZZ:dd00::/64 dev lan1 proto dhcp metric 1003 pref medium
2XXX:YYYY:ZZZZ:dd20::/60 dev lan2 proto dhcp metric 1004 pref medium
unreachable 2XXX:YYYY:ZZZZ:dd00::/56 dev lo proto dhcp metric 1001 pref medium
fe80::/64 dev lan2 proto kernel metric 256 pref medium
fe80::/64 dev wan0 proto kernel metric 256 pref medium
fe80::/64 dev lan1 proto kernel metric 256 pref medium
default via fe80::AAAA:BBBB:CCCC:DDDD dev wan0 proto ra metric 1002 mtu 1500 pref medium

If I manually add (with a smaller metric), or replace the route relevant for the /60 subnet, like so: ip -6 r replace 2XXX:YYYY:ZZZZ:dd20::/60 via fe80::DOWN:STRE:AMRO:UTER dev lan2 and vice versa on the downstream router, with the DIY router's link local address, things start to work.

My questions:

  1. How do I configure my DIY router to do this last step automatically? (I have tried to poke different values at accept_ra, accept_ra_defrtr and router_solicitations in sysctl's net.ipv6.conf under all and individual interfaces portions, but didn't see a difference in behavior.)
  2. Can I use some other (open source) software on Linux to achieve what I want, in a more streamlined fashion? What I mean is that when my ISP allocates to me a different /56 prefix, I will need to change the DHCP configuration file to use that instead. I can (and will) make a script to address this, if there isn't software to support my use case, but having to do so seems quite fragile.
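
An added example, not part of the original post: a sketch of the regeneration script mentioned in question 2, which derives the lan1 and lan2 sub-prefixes from whatever /56 is delegated and renders subnet6 stanzas shaped like the ones above. The function names, the 2001:db8 documentation prefix and the sla_id arithmetic (inferred from the dd00/dd20 values in the question) are assumptions.

```python
import ipaddress

# Mirrors the page's "ia_pd 1/::/56 lan1/0/64 lan2/2/60": (interface, sla_id, prefix_len).
ASSIGNMENTS = [("lan1", 0, 64), ("lan2", 2, 60)]


def sla_subnet(delegated, sla_id, plen):
    """Sub-prefix for one ia_pd assignment: the sla_id occupies the bits between
    the delegated prefix length and plen (assumed from the page's values)."""
    net = ipaddress.IPv6Network(delegated)  # rejects a prefix with host bits set
    if not net.prefixlen <= plen <= 64:
        raise ValueError(f"/{plen} cannot be carved from {net}")
    if sla_id >= 1 << (plen - net.prefixlen):
        raise ValueError(f"sla_id {sla_id} does not fit in {net} at /{plen}")
    return ipaddress.IPv6Network((int(net.network_address) + (sla_id << (128 - plen)), plen))


def plan(delegated, assignments=ASSIGNMENTS):
    """Map interface -> subnet, refusing assignments that overlap each other."""
    subnets = {}
    for iface, sla_id, plen in assignments:
        new = sla_subnet(delegated, sla_id, plen)
        for other_iface, other in subnets.items():
            if new.overlaps(other):
                raise ValueError(f"{iface} {new} overlaps {other_iface} {other}")
        subnets[iface] = new
    return subnets


def render_dhcpd6(delegated, assignments=ASSIGNMENTS):
    """Render subnet6 stanzas shaped like the ones in the question."""
    out = []
    for net in plan(delegated, assignments).values():
        first = net.network_address
        out.append(f"subnet6 {net} {{")
        if net.prefixlen == 64:  # host LAN: address pool only
            out.append(f"  range6 {first + 2} {net.broadcast_address};")
        else:  # downstream router link: delegate the whole block
            out.append(f"  prefix6 {first} {first} /{net.prefixlen};")
            out.append(f"  range6 {first + 2} {first + 0xffff};")
        out.append("}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed documentation prefix standing in for the ISP's /56.
    print(render_dhcpd6("2001:db8:0:dd00::/56"), end="")
```

This covers only the configuration-file half of the problem; it does not install the route via the downstream router's link-local address.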