[PATCH] base-files: Don't enable ULA IPv6 addresses by default in new config

Oldřich Jedlička oldium.pro at gmail.com
Tue Oct 18 07:43:17 PDT 2022


Hi,

On Fri, 9 Sep 2022 at 11:21, Torsten Duwe <duwe at lst.de> wrote:
>
> On Thu, 8 Sep 2022 19:51:06 +0200
> Thibaut <hacks at slashdirt.org> wrote:
>
> > The issue was random. The client had a GUA assigned, below is the ipv6 routing table at the time of the issue:
> >
> > $ ip -6 route
> > 2a0e:e701:11c2::/64 dev bond0 proto kernel metric 256 expires 7082sec pref medium
> > fdc9:6d06:832a::/64 dev bond0 proto kernel metric 256 pref medium
>
> So AFAICS here lies the problem. Same metric, same preference.
> The addresses below are usually tagged link local somewhere, but
> I assume the ULA is not.

When pinging a public IPv6 address, the default route should be used.
This should have nothing to do with the two routes above
(the IPv6 address 2a03:b0c0:3:d0::160e:e001 has no match here).

> > fe80::/64 dev bond0 proto kernel metric 256 pref medium
> > fe80::/64 dev bond0.10 proto kernel metric 256 pref medium
> > default via fe80::184f:a7ff:fe21:d230 dev bond0 proto ra metric 1024 expires 1793sec mtu 1492 hoplimit 64 pref medium

This default route over bond0 should actually be used when pinging
git.openwrt.org (2a03:b0c0:3:d0::160e:e001).

> > For that matter, this setup only uses SLAAC (no DHCPv6 on LAN).

When you are pinging global addresses, a global IPv6 address should
also be used, independently of the presence of ULA. For your public IPv6
prefix 2a0e:e701:11c2::/64 any ping outside should use the IPv6
address of your computer having this prefix. I would be interested in
which address is actually used during pinging. Please share your
`ip -6 address` too. And if possible, please also share
`tcpdump -i bond0 -nv icmp6` while the computer is pinging. Important - all of this
assumes that you are delegating your public IPv6 prefix from the
router to all computers (I used to have a static IPv6 configuration on
my OpenWrt router with option `ip6prefix` for that purpose).

There is also the possibility that you mentioned - having NAT66 (ULA to
public IPv6 prefix translation) on the router. This means that you
could remove the public prefix delegation and just keep the ULA
configured. All computers would use the ULA prefix when accessing
public addresses. In this case you would need to change the firewall
and add the following SNAT rule to the NFT firewall for the srcnat_wan
chain:

  ip6 saddr fdc9:6d06:832a::/61 snat prefix to 2a0e:e701:11c2::/64

> >
> > Disabling ULA « fixes » this issue.

There is probably some different issue in your configuration, which
causes this behaviour.

Oldrich.

> Sure. Above, it looks like a game of chance which address is used.
>
> From my understanding, router.lan would need to be told to do IPv6 NAT
> if clients are to reach outside with their ULAs, right?
>
> If I get a vote, I'd enable ULA generation only iff an IPv6 NAT was also
> configured, and, last but not least, I wouldn't randomise it. I'd go for
> e.g. fd00:4f57:5254 ("OWRT"), like all AVR use 192.168.178.0/24 on v4.
>
>         Torsten
>
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
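
The source-address choice argued about in this thread can be checked against the RFC 6724 default rules. The following is an added example, not part of the original messages: the host addresses (suffix `::1234`) are constructed inside the prefixes quoted above, and only rules 1, 2, 6 and 8 are implemented, since rules 3 to 5.5 and 7 need per-address state that the thread does not show.

```python
import ipaddress

# RFC 6724 section 2.1 default policy table, reduced to (prefix, label).
POLICY = [(ipaddress.ip_network(p), lbl) for p, lbl in [
    ("::1/128", 0), ("::/0", 1), ("::ffff:0:0/96", 4), ("2002::/16", 2),
    ("2001::/32", 5), ("fc00::/7", 13), ("::/96", 3), ("fec0::/10", 11),
    ("3ffe::/16", 12)]]

def label(addr):
    """Label of the longest policy-table prefix containing addr."""
    matches = [(net.prefixlen, lbl) for net, lbl in POLICY if addr in net]
    return max(matches)[1]

def scope(addr):
    """Unicast scope (RFC 6724 section 3.1); a ULA counts as global scope."""
    if addr.is_link_local or addr.is_loopback:
        return 0x2
    if addr.is_site_local:
        return 0x5
    return 0xE

def common_prefix_len(a, b):
    """Number of leading bits shared by two IPv6 addresses."""
    return 128 - (int(a) ^ int(b)).bit_length()

def select_source(dest, candidates):
    """Pick a source for dest from 'addr/len' strings (rules 1, 2, 6, 8)."""
    dest = ipaddress.IPv6Address(dest)
    d_scope, d_label = scope(dest), label(dest)

    def key(iface):  # smaller tuple means more preferred
        s = iface.ip
        sc = scope(s)
        return (
            s != dest,                                 # Rule 1: same address
            (0, sc) if sc >= d_scope else (1, -sc),    # Rule 2: appropriate scope
            label(s) != d_label,                       # Rule 6: matching label
            -min(common_prefix_len(s, dest), iface.network.prefixlen),  # Rule 8
        )
    return min(map(ipaddress.IPv6Interface, candidates), key=key).ip

# Constructed host addresses inside the prefixes quoted in the thread.
GUA, ULA, LL = "2a0e:e701:11c2::1234/64", "fdc9:6d06:832a::1234/64", "fe80::1234/64"
GIT_OPENWRT = "2a03:b0c0:3:d0::160e:e001"  # destination quoted in the thread

if __name__ == "__main__":
    print("GUA+ULA+LL ->", select_source(GIT_OPENWRT, [GUA, ULA, LL]))
    print("ULA+LL     ->", select_source(GIT_OPENWRT, [ULA, LL]))
```

With both a GUA and a ULA configured, the label rule picks the GUA for a global destination; the ULA is chosen only when no GUA is present, which is the case that needs NAT66 on the router.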
