Emerging Member
Posts: 40
Registered: ‎08-16-2016
Kudos: 9
Solutions: 4

Static IPv6 IPs for LAN clients?


Hey all,


I've got an IPv6 tunnel set up to HE's TunnelBroker, and it's providing my network with proper IPv6 support. 

My next step is I'd like to get the ability to set some static host IPs on my network - my local Pi-Hole DNS server instances, for example. How can I do this and thoughts on what I'm doing wrong based on the configs below? I've searched pretty extensively today and could not find a solution.

 

My relevant IPv6 configs:

 

ryanb@ubnt01# show firewall ipv6-name 
 ipv6-name WAN6_IN {
     default-action drop
     description "Internet to LAN"
     rule 10 {
         action accept
         description "Allow Established/Related"
         state {
             established enable
             related enable
         }
     }
     rule 20 {
         action drop
         description "Drop Invalid IPv6"
         state {
             invalid enable
         }
     }
     rule 50 {
         action accept
         description "Allow ICMPv6"
         log enable
         protocol icmpv6
     }
 }
 ipv6-name WAN6_LOCAL {
     default-action drop
     description "Internet to Router"
     rule 1 {
         action accept
         description "Drop Invalid state"
         state {
             established enable
             related enable
         }
     }
     rule 2 {
         action drop
         log enable
         state {
             invalid enable
         }
     }
     rule 5 {
         action accept
         description "Allow ICMPv6"
         log enable
         protocol icmpv6
     }
 }

ryanb@ubnt01# show interfaces tunnel 
 tunnel tun0 {
     address 2001:470:1234:1234::2/64
     description "HE.NET IPv6 Tunnel"
     encapsulation sit
     firewall {
         in {
             ipv6-name WAN6_IN
         }
         local {
             ipv6-name WAN6_LOCAL
         }
     }
     local-ip 1.2.3.4
     remote-ip 5.6.7.8
 }

 ryanb@ubnt01# show interfaces ethernet eth1 
 address 10.1.1.1/24
 address 2001:470:1234:1::1/64
 description LAN
 dhcpv6-options {
     parameters-only
 }
 duplex auto
 ipv6 {
     dup-addr-detect-transmits 1
     router-advert {
         cur-hop-limit 64
         default-preference high
         link-mtu 1280
         managed-flag false
         max-interval 600
         other-config-flag true
         prefix 2001:470:1234:1::/64 {
             autonomous-flag true
             on-link-flag true
             valid-lifetime 2592000
         }
         reachable-time 0
         retrans-timer 0
         send-advert true
     }
 }
 speed auto

I've tried to set up a DHCPv6 server using the following, but clients just get random IPv6 IPs outside of these ranges:

 

ryanb@ubnt01# show service dhcpv6-server 
 shared-network-name LANv6 {
     subnet 2001:470:1234:1::/64 {
         address-range {
             start 2001:470:1234::2 {
                 stop 2001:470:1234::255
             }
         }
     }
 }

 

ER version info:

 

ryanb@ubnt01:~$ show version 
Version:      v1.10.5
Build ID:     5098942
Build on:     06/22/18 16:11
Copyright:    2012-2018 Ubiquiti Networks, Inc.
HW model:     EdgeRouter 4
HW S/N:       redacted
Uptime:       18:41:50 up 11:22,  2 users,  load average: 0.51, 0.59, 0.59
Regular Member
Posts: 686
Registered: ‎04-08-2013
Kudos: 385
Solutions: 64

Re: Static IPv6 IPs for LAN clients?


I think you want "managed flag true" in the ethernet eth1 stanza to have DHCPv6 used by clients (at least the ones which will do DHCPv6 — Android will not). The clients will also adopt (additional) SLAAC addresses because of the "autonomous-flag true". They will also adopt link-local addresses. They may also adopt (additional) RFC 4941 addresses via SLAAC.

 

The DHCPv6-assigned addresses will not be "static", though they will likely be durable. And they will be randomly assigned from within the pool.

 

That pool, by the way, lacks name-server definitions (omission may or may not have been deliberate). Ditto lease-time. And the name-server omission seems to be in conflict with the "other-config-flag true" setting.

 

Separately, if your effective WAN MTU is 1500 or so you can likely use an IPv6 link-mtu of 1480.

 

You have ICMPv6 wide open in WAN6_IN and WAN6_LOCAL. RFC 4890 has some more discreet recommendations, e.g.,

        rule 201 {
            action accept
            description "icmpv6 destination-unreachable"
            icmpv6 {
                type destination-unreachable
            }
            protocol ipv6-icmp
        }
        rule 202 {
            action accept
            description "icmpv6 packet-too-big"
            icmpv6 {
                type packet-too-big
            }
            protocol ipv6-icmp
        }
        rule 203 {
            action accept
            description "icmpv6 time-exceeded"
            icmpv6 {
                type time-exceeded
            }
            protocol ipv6-icmp
        }
        rule 204 {
            action accept
            description "icmpv6 parameter-problem"
            icmpv6 {
                type parameter-problem
            }
            protocol ipv6-icmp
        }
        rule 205 {
            action accept
            description "icmpv6 echo-request"
            icmpv6 {
                type echo-request
            }
            protocol ipv6-icmp
        }

 (Edited to fix discrete vs discreet blunder)
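
An added example, not part of the thread: a Python script that parses EdgeOS-style `show firewall ipv6-name` output and lists the accept rules that match ICMPv6 without an `icmpv6 type` restriction, which is the pattern the reply points out in WAN6_IN and WAN6_LOCAL. The sample config is constructed from the rules shown above, and the function names are this example's own.

```python
# Constructed sample in EdgeOS "show firewall ipv6-name" layout: rule 50 is the
# thread's untyped ICMPv6 accept, rule 202 follows the typed style of the reply.
SAMPLE = """
ipv6-name WAN6_IN {
    default-action drop
    rule 50 {
        action accept
        protocol icmpv6
    }
    rule 202 {
        action accept
        icmpv6 {
            type packet-too-big
        }
        protocol ipv6-icmp
    }
}
"""

def parse(text):
    """Parse brace-delimited config text into nested dicts."""
    stack = [{}]
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            node = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(node)
        elif line:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip().strip('"')
    return stack[0]

def untyped_icmpv6_accepts(text):
    """Return (ruleset, rule number) for accept rules matching every ICMPv6 type."""
    hits = []
    for name, ruleset in parse(text).items():
        if not name.startswith("ipv6-name "):
            continue
        for key, rule in ruleset.items():
            if not (key.startswith("rule ") and isinstance(rule, dict)):
                continue
            icmp = rule.get("protocol") in ("icmpv6", "ipv6-icmp")
            typed = "type" in rule.get("icmpv6", {})
            if rule.get("action") == "accept" and icmp and not typed:
                hits.append((name.split()[1], int(key.split()[1])))
    return hits

print(untyped_icmpv6_accepts(SAMPLE))
```

Both protocol spellings that appear in the thread (`icmpv6` and `ipv6-icmp`) are treated as ICMPv6.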
