On 3/17/2025 06:04, A FreeBSD User wrote:
Hello,

I'm playing around with a useful setup of a small router/firewall appliance based on FreeBSD 14-STABLE and ipfw. My/our ISP provides (alleged) ::/56 prefixes. The hardware used has several Intel i210 based NICs, one of them is facing towards the ISP as usual with a cloned pseudo device called "tun0" (in fact a renamed ng0 device).

The ISP is changing both IPv4 and IPv6 addresses after a 24h period!

Obtaining a ::/56 prefix and delegating the proper network prefixes to their NICs works with port net/dhcp6 and FreeBSD's onboard tool rtadvd(8). The setup is textbook-like and straightforward.

All inward facing NICs do have the same prefix, an individual 8-bit network portion and a (sadly not further controllable) 64-bit SLAAC host address.

Problem: I never managed to obtain the ::/56 prefix on tun0! When using "rtsol -i tun0" within the link-up.sh script of mpd5, the ISP facing tun0 interface _always_ is configured via SLAAC (DHCPv6 on tun0 seems not to work in my case) and its prefix is ALWAYS different from that obtained later via net/dhcp6 and delegated via rtadvd. This causes some trouble identifying my router for ssh access from the outside world utilizing DDNS.

Well, some internet HowTos suggest not to provide the tun0/ISP facing NIC with any address (except the IPv4 address, which is done by default via mpd5). So I declared one of the inner NICs as the interface for remote access. But there seems to be an oddity:

No matter what I configure for mpd5, tun0 ALWAYS obtains a SLAAC IPv6 address, and after several days there are several valid (temporary) IPv6 addresses, none of them marked "detached" or "deprecated".
How do I make mpd5 suppress obtaining any IPv6 address?
And: why isn't the IPv6 address deprecated?

In my first attempts configuring the tun0 interface, I used rtsol(8) for obtaining an IPv6 address, which worked very quickly (and provided this address to my DDNS provider). In roughly 6 out of 10 cases the old IPv6 address is marked deprecated/detached. But in 4 out of 10 cases, the outward facing tun0 has at least two valid addresses, of which one is not valid anymore from the perspective of my ISP!

mpd5's link-up script is simply configuring tun0 with:

        /sbin/ifconfig ${wan_if} inet6 auto_linklocal -ifdisabled accept_rtadv -no_radr up

(and if desired having a SLAAC IPv6 addr on tun0:
        /sbin/rtsol ${wan_if} &
but this is omitted right now).

link-down.sh does nothing.

Why is deprecating former addresses not working in all cases? Is it a feature that tun0 magically obtains an IPv6 address via SLAAC on mpd5? How do I suppress SLAAC on mpd5?

Sorry for possible confusion, I'm new to IPv6 and would appreciate any hints and tips.

Kind regards and thanks in advance,

Oliver

rtsold is run on end nodes, but typically should not run on a router which is getting a larger prefix via dhcp at all. rtadvd runs on the internal interface(s) but /not/ on the external one; it is responsible for distributing on your internal network (and thus runs on the gateway but not clients); rtsold runs on client machines.

I used to run dhcp6c to get the /56 from my ISP, but switched to dhcpcd as it will do both IPv4/v6 and appears to work fine. With dhcp6c to get the /56 and the "older" DHCP flag for dynamic on IPv4 you need to use the following, but they are not used with dhcpcd, as you can see they are now commented out:

# Get a primary IPv4 address on the first (near serial port) ethernet port
#
#ifconfig_igb0="inet6 -ifdisabled accept_rtadv auto_linklocal"
#ifconfig_igb0="DHCP"

# If you are turning on IPv6 then you MUST set both these lines AND look in
# /usr/local/etc/dhcp6c.conf and make SURE you have the correct prefix and
# assignments for local prefix length. Note that we only accept routing info
# on the WAN interface, NEVER on the internal one.
#
#ipv6_cpe_wanif="igb0"
#ifconfig_igb0_ipv6="inet6 -ifdisabled accept_rtadv auto_linklocal"
#ifconfig_igb1_ipv6="inet6 -ifdisabled -accept_rtadv"
#ipv6_activate_all_interfaces="yes"
#
# IPv6 routing; we MUST be an IPv6 router for the INTERNAL interface to
# distribute SLAAC IPv6 addresses to client machines
#
rtadvd_enable="Yes"
rtadvd_interfaces="igb1"
#
# Dhcp6c client (get IPv6 addresses; note that /usr/local/etc/dhcp6c.conf must
# also be edited or this will NOT work!)
#
#dhcp6c_enable="Yes"
#dhcp6c_interfaces="igb0"
#
# Enable gateway functionality for both IPv4 and IPv6
#
gateway_enable="YES"
ipv6_gateway_enable="YES"

dhcpcd also has an "exit hook" script call which can be used to push changes to a DDNS server, and since it's "one thing instead of two" if you're on dynamic addresses and using DDNS, it's more convenient than dealing with it in both the "factory" DHCP software for IPv4 and in dhcp6c for the "6" side.

--
Karl Denninger
k...@denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
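
Both messages above touch the same operational problem: the WAN interface accumulates several global IPv6 addresses (stable SLAAC, temporary privacy addresses, deprecated leftovers from the previous prefix), and a DDNS update has to publish exactly the one that is still valid. The script below is an added example, not code from either poster: it parses `ifconfig <if> inet6` text as FreeBSD 14 prints it, selects the one stable global address for DDNS, lists the stale ones, and emits the ifconfig(8) commands that would remove them. The sample interface output is constructed (documentation prefixes), the `ddns_hook` entry point assumes dhcpcd's hook convention of exporting `$reason` and `$interface` to the script, and `DDNS_UPDATE_URL` is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): choose the stable global IPv6 address on the
# WAN interface for a DDNS update and report stale ones. Works on ifconfig(8) text,
# so it can be run offline against the constructed sample below.

# Constructed sample of FreeBSD 14 `ifconfig tun0 inet6` output (not real data):
# one stable SLAAC address, one temporary, one deprecated from an older prefix,
# one still tentative, one static, plus the link-local.
SAMPLE_IFCONFIG='tun0: flags=1008051<UP,POINTOPOINT,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 1492
	inet6 fe80::a1b2:c3d4:e5f6:1%tun0 prefixlen 64 scopeid 0x5
	inet6 2001:db8:1:2:aaaa:bbbb:cccc:dddd prefixlen 64 autoconf
	inet6 2001:db8:1:2:1111:2222:3333:4444 prefixlen 64 autoconf temporary
	inet6 2001:db8:9:9:aaaa:bbbb:cccc:dddd prefixlen 64 deprecated autoconf
	inet6 2001:db8:7:7::5 prefixlen 64 tentative
	inet6 2001:db8:1:2::10 prefixlen 64'

# Global addresses safe to publish: not link-local, and carrying none of the flags
# that mean "not (yet / any longer) usable" or "privacy address that will rotate".
stable_global_addrs() {
    awk '$1 == "inet6" {
            if ($2 ~ /^fe80:/) next
            skip = 0
            for (i = 3; i <= NF; i++)
                if ($i ~ /^(deprecated|tentative|detached|duplicated|temporary)$/) skip = 1
            if (!skip) print $2
        }'
}

# Addresses the kernel already considers stale (the ones the poster saw lingering).
stale_addrs() {
    awk '$1 == "inet6" {
            for (i = 3; i <= NF; i++)
                if ($i ~ /^(deprecated|detached|duplicated)$/) { print $2; break }
        }'
}

# First stable address on stdin, or exit 1 if there is none: the value to send to DDNS.
ddns_candidate() {
    addr=$(stable_global_addrs | head -n 1)
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# Print (do not run) the ifconfig(8) commands that would remove stale addresses
# from interface $1, so an operator can review them before piping them into sh.
flush_commands() {
    ifname=$1
    stale_addrs | while IFS= read -r a; do
        printf 'ifconfig %s inet6 %s delete\n' "$ifname" "$a"
    done
}

# dhcpcd exit-hook entry point. Assumption: dhcpcd exports $reason and $interface
# to its hook scripts; the reason names listed are the IPv6 lease / RA events.
# DDNS_UPDATE_URL is a placeholder for the provider's update endpoint.
ddns_hook() {
    case "$reason" in
        BOUND6|RENEW6|REBIND6|ROUTERADVERT)
            addr=$(ifconfig "$interface" inet6 | ddns_candidate) || return 1
            printf 'would update DDNS (%s) with %s\n' \
                "${DDNS_UPDATE_URL:-https://ddns.example.invalid/update}" "$addr"
            ;;
    esac
}

# Only act as a hook when dhcpcd is actually calling us; sourcing for tests does nothing.
if [ -n "${reason:-}" ] && [ -n "${interface:-}" ]; then
    ddns_hook
fi
```

Run it against the live interface with `ifconfig tun0 inet6 | ddns_candidate` to see which address would be published, and `ifconfig tun0 inet6 | flush_commands tun0` to see which deprecated addresses would be removed; temporary addresses are deliberately excluded from the DDNS candidate because they rotate and are not meant to be reachable by name.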
