My ISP began randomly (well, sort of by request, but without telling me that they were doing it) assigning me an IPv6 /60 prefix via DHCPv6. My DHCPv6 request does not include a request for a prefix, but the reply contains one. I now want to split this up into various /64 subnets on my various VLANs. I would like this to continue to work even if my ISP changes the prefix.
What’s the way to do this that will fit best with Turris’ auto-update strategy, so that an update is highly unlikely to bork my setup?
One other interesting data point: I’m also getting IPv6 router advertisement packets with an unrelated (well, still within my ISP’s IPv6 range) /64 prefix in them.
Additionally, it would be nice if some hosts on some subnets could have stable IPv6 addresses and a DNS entry, as well as being able to be mostly open to the world from a firewall perspective. How would I accomplish this?
Right now, the whole /60 seems to be used to hand out IPv6 addresses on one VLAN.
This is happening by default. For every interface, you can specify the ip6assign option with the prefix length that you would like to have assigned to that particular interface, and even ip6hint if you want a particular numeric value. See the OpenWrt documentation on this.
The command ifstatus wan6 will show you how the assignments are happening.
That is quite common. The prefix on the WAN link, between your router and your ISP’s router, is outside the prefix delegated to you, because this prefix is not under your control but under the ISP’s.
If those hosts support DHCPv6, you can set up stable DHCPv6 leases based on their DUIDs. If those hosts do not support DHCPv6, maybe you can change their interface ID generation algorithm to EUI-64; this will make the last 64 bits of the IPv6 address stable.
Also, regarding the firewall: do not mix hosts with different access rules within the same layer-two network. This is an antipattern. Create separate subnets with different security policies, where the policy is applied to the whole subnet, not just to selected hosts.
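As an added illustration that is not part of this thread, the following script works out which /64 (or larger) subnet each interface's ip6assign/ip6hint pair would receive from a delegated /60, checks that the hints fit and do not collide, and shows that the per-interface subnet IDs survive the ISP renumbering the prefix. The interface names and prefixes are constructed, and the hint semantics are my reading of netifd's behaviour, so confirm the real assignments with ifstatus wan6.

```python
import ipaddress

# Constructed per-VLAN plan (hypothetical interface names) mirroring the
# `option ip6assign` / `option ip6hint` lines of /etc/config/network.
PLAN = {"lan": (64, "0"), "iot": (64, "1"), "guest": (64, "2"), "lab": (62, "4")}

def assign_subnet(delegated, ip6assign, ip6hint):
    """Return the subnet netifd would carve out of `delegated` for one interface.

    Assumption about netifd: ip6hint is a hex subnet id placed in the bits between
    the delegated length and the assigned length, aligned to the assigned length.
    Verify the real outcome with `ifstatus wan6`.
    """
    net = ipaddress.IPv6Network(delegated, strict=True)
    if not net.prefixlen <= ip6assign <= 64:
        raise ValueError(f"cannot carve a /{ip6assign} out of {net}")
    hint = int(ip6hint, 16)
    hint &= ~((1 << (64 - ip6assign)) - 1)      # e.g. a /62 hint must be a multiple of 4
    if hint >> (64 - net.prefixlen):             # hint would overwrite the ISP's bits
        raise ValueError(f"hint {ip6hint} does not fit in {ip6assign - net.prefixlen} free bits")
    # the hint occupies the low bits of the address's upper 64-bit half
    subnet = ipaddress.IPv6Network((int(net.network_address) | (hint << 64), ip6assign))
    return str(subnet)

def plan_assignments(delegated, plan=PLAN):
    """Map each interface to its subnet, rejecting hints that collide with one another."""
    assigned = {}
    for iface, (length, hint) in plan.items():
        subnet = ipaddress.IPv6Network(assign_subnet(delegated, length, hint))
        for other, taken in assigned.items():
            if subnet.overlaps(ipaddress.IPv6Network(taken)):
                raise ValueError(f"{iface} ({subnet}) overlaps {other} ({taken})")
        assigned[iface] = str(subnet)
    return assigned

def subnet_ids(delegated, plan=PLAN):
    """Per-interface subnet ids (the hint bits only); these survive an ISP renumbering."""
    width = 64 - ipaddress.IPv6Network(delegated).prefixlen
    return {iface: (int(ipaddress.IPv6Network(p).network_address) >> 64) & ((1 << width) - 1)
            for iface, p in plan_assignments(delegated, plan).items()}

if __name__ == "__main__":
    for prefix in ("2001:db8:abcd:1230::/60", "2001:db8:ffff:5670::/60"):  # constructed /60s
        print(prefix, plan_assignments(prefix), subnet_ids(prefix))
```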
Please use something other than EUI-64 for any address intended to be used not only in your home network, as that will “leak” your Ethernet MAC address into the internet and essentially act as a super cookie, making tracking much easier than it would need to be. (You can use stable addresses that are not derived from your MAC so you can more easily change them should the need arise.)
I’m aware of the issue with EUI-64. I’ve used it in the past because IPv6 is not yet widely enough adopted for this to be an issue. But, over time, this is definitely a concern. This is especially tricky for a machine you want to be able to be contacted directly by the rest of the world, but which you also use for a lot of things that involve it doing the contacting.
It should probably have a ‘preferred’ address that is ephemeral and frequently changes, but also a not-preferred address with basically an infinite lifetime.
If you want to have a particular device accessible from the outside, that sort of implies that such a device sits stably in your network, and thus there might not be much point in tracking it: its full IP address is a supercookie. Also, the question was about putting it into DNS; then again, any interface ID is as good as any other.