I have a freedombox on a raspberry pi 4 behind a router (turris omnia) that is running a DHCPv6 server and provides RA, both using a delegated prefix from my ISP’s router.
I have the configuration of IPv4 and IPv6 as automatic, with a static DHCP lease configured on the router. The freedombox gets the private IPv4 address selected on the router and a public IPv6 address (GUA) with a /64 prefix, which I understand means it is from SLAAC, not from DHCPv6 (which gives /128 as prefix, as I could see on several other machines).
I’d like to always have the same IPv6 address on the freedombox, so that I can set an AAAA record accordingly (and firewall rules on the router).
In plinth, on the network settings, I tried to modify the wan connection and set IPv6 to “automatic (DHCP only)” which is the second option. Then I saved and I rebooted. After that, the freedombox only has a link local address.
Is there a way to get an IPv6 address from DHCPv6 on the freedombox, like I get it on other machines on the same network running Trisquel? Otherwise, I guess I could try configuring the IPv6 address manually on the freedombox, but I have no clue whether I need to leave the gateway and DNS fields empty, or put an IPv6 of the lan interface of the router, and if so, whether to put the GUA, ULA or link local address.
EDIT: I tried manual configuration, for the gateway and DNS, I used the GUA of the LAN interface of the router. After rebooting the freedombox and setting rules to allow ports 80 and 443 from the WAN to the IPv6 address I have manually set for the freedombox, I can access the freedombox via IPv6. Perhaps DHCPv6 is not that useful?
I set up an IPv6 static address on my FBX once. I don’t remember the details, but I do recall adding the IPv6 address using Cockpit->Network->Interfaces-><iface>->IPv6->edit. At that point I think I had to choose Manual in the drop-down listbox. I think I just specified my desired ip6 address, maybe with CIDR notation of /128? I think I left everything else automatic. Whether I got the rest of the config from DHCPv6 I can’t say for sure. I don’t think my UBNT Edgerouter-X is running DHCPv6. …but it worked fine until Starlink changed my delegate-prefix.
I do recall struggling a little to remove the old static address. My notes don’t record how I got that resolved.
DHCPv6 uses different UDP ports (546 & 547) than (ipv4)DHCP. A protocol sniff should reveal whether that conversation happens.
It was the first time it happened, so yes I manually updated removed the address. In my config the delegate-prefix is the first 64 bits of the ip6 address. That change happened automatically at the router, but that invalidated the manual\static address I had added to FBX, and the router didn’t automatically update pertinent firewall rules. FBX and the other computers picked up the DP change, and assigned themselves new GUAs, but that manual\static one persisted.
Although Starlink won’t change the DP often, it can happen. This event forced me to think thru router and Domain Registrar configs to reduce the maintenance chore when dealing with this.
I haven’t re-assigned a static\manual ip6 address to FBX because the GUA it generates appears to be long-lived, although it’s not easy to remember. I may explore dyndns scripting to handle this in the future.
I haven’t (knowingly) messed with DHCPv6. Seems that it should handle the DP changes. Dyndns would handle registrar updates. I guess that leaves any external router\firewall… what updates it (if necessary)?
I’m still experimenting with “IPv6 only” WAN accessibility. For my needs, the GUA of my cell phone allows me access and to tether my laptop. WiFi hotspots almost never issue GUAs, so that’s a bit of a bummer.
I was surprised by the discovery that the TOR network appears to provide 4to6 bridging? I was able to get to my FBX from an ip4 Wifi hotspot using the TOR browser.
I like ip6, but I’m still digesting its implications for security.
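The delegated-prefix change described in the post above leaves a manually configured address, its AAAA record and its router firewall rule pointing at the old /64. As an added example that is not part of the original posts, this sketch finds such stale global addresses and computes their replacement by keeping the interface identifier (low 64 bits); the function names and the 2001:db8::/32 documentation addresses are assumptions made for the illustration.

```python
import ipaddress

ULA = ipaddress.IPv6Network("fc00::/7")
IID_MASK = (1 << 64) - 1  # low 64 bits: the interface identifier


def rebase_address(old_addr, new_prefix):
    """Keep the interface identifier, swap in the new /64 prefix."""
    net = ipaddress.IPv6Network(new_prefix)
    if net.prefixlen != 64:
        raise ValueError("expected the /64 that is advertised on the LAN")
    iid = int(ipaddress.IPv6Address(old_addr)) & IID_MASK
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def plan_updates(configured, new_prefix):
    """Map each stale global address to the address that should replace it."""
    net = ipaddress.IPv6Network(new_prefix)
    plan = {}
    for addr in configured:
        ip = ipaddress.IPv6Address(addr)
        # Link-local and ULA addresses do not depend on the delegated prefix,
        # and addresses already inside the new /64 are current.
        if ip.is_link_local or ip in ULA or ip in net:
            continue
        plan[addr] = rebase_address(addr, new_prefix)
    return plan


# Constructed sample: addresses on one interface after the prefix changed
# from 2001:db8:aaaa:1::/64 to 2001:db8:bbbb:1::/64.
CONFIGURED = [
    "fe80::1234",                            # link-local
    "fd12:3456:789a:1::10",                  # ULA
    "2001:db8:aaaa:1::10",                   # manual address, old prefix
    "2001:db8:bbbb:1:a8bb:ccff:fedd:eeff",   # SLAAC address, new prefix
]
NEW_PREFIX = "2001:db8:bbbb:1::/64"

if __name__ == "__main__":
    for old, new in plan_updates(CONFIGURED, NEW_PREFIX).items():
        print(f"replace {old} with {new} (AAAA record, firewall rule)")
```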
At work, I am using a cellular connection with an openWRT router for my personal PC and the connection is IPv6-only. When I had IPv4-only at home, for some reason I still could access the web interface of the freedombox, but nothing else (no ssh, no VPN), hence why I finally decided to spend time activating and configuring IPv6 at home.
Whether it is Freedombox or OpenWRT, most documentation is IPv4-only, it is like IPv6 does not exist. That makes things terribly difficult when you must deal with IPv6.
From what I heard, unlike what people usually think, most security issues come from rogue (or cracked) devices on the local network. Fake DHCP messages can create issues, and so do fake DHCPv6 and Router Advertisement messages. Not the same protocols, some details are different but the issues are the same, and so are the solutions (use switches that block DHCP/RA not coming from the port where the router is connected).
On my router, all IPv6 traffic from the WAN interface that isn’t a reply to a TCP connection originating on the LAN is blocked by default, you need to add rules for anything that needs to go through.
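The post above names switch-level filtering as the fix for fake Router Advertisements; the detection side of the same problem can be sketched as follows, as an added example that is not part of the original posts. It parses the ICMPv6 body of an RA and flags a sender or prefix that is not expected; `TRUSTED_ROUTERS`, `EXPECTED_PREFIXES`, the function names and the sample messages are assumptions constructed for the illustration.

```python
import ipaddress
import struct

# Assumptions: the router's link-local address and the ISP-delegated prefix.
TRUSTED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
EXPECTED_PREFIXES = [ipaddress.IPv6Network("2001:db8:aaaa::/48")]


def parse_ra(payload):
    """Parse an ICMPv6 Router Advertisement body (type 134)."""
    if len(payload) < 16 or payload[0] != 134:
        raise ValueError("not a Router Advertisement")
    flags = payload[5]
    lifetime = struct.unpack("!H", payload[6:8])[0]
    prefixes, off = [], 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1] * 8  # length in 8-byte units
        if olen == 0 or off + olen > len(payload):
            raise ValueError("malformed option")
        if otype == 3 and olen == 32:  # Prefix Information option
            addr = ipaddress.IPv6Address(payload[off + 16:off + 32])
            prefixes.append(ipaddress.IPv6Network((addr, payload[off + 2]), strict=False))
        off += olen
    # M flag set means hosts are told to obtain addresses via DHCPv6.
    return {"managed": bool(flags & 0x80), "router_lifetime": lifetime, "prefixes": prefixes}


def check_ra(src, payload):
    """Return findings for an RA received from link-local source `src`."""
    ra = parse_ra(payload)
    findings = []
    if ipaddress.IPv6Address(src) not in TRUSTED_ROUTERS:
        findings.append(f"RA from untrusted source {src}")
    for p in ra["prefixes"]:
        if not any(p.subnet_of(e) for e in EXPECTED_PREFIXES):
            findings.append(f"unexpected prefix {p}")
    return findings


def build_ra(prefix, plen=64, lifetime=1800):
    """Build a constructed sample RA body with one Prefix Information option."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, lifetime, 0, 0)
    opt = struct.pack("!BBBBIII", 3, 4, plen, 0xC0, 86400, 14400, 0)
    return hdr + opt + ipaddress.IPv6Address(prefix).packed


LEGIT_RA = build_ra("2001:db8:aaaa:1::")   # constructed sample
ROGUE_RA = build_ra("2001:db8:ffff:1::")   # constructed sample
```

Only the ICMPv6 body is parsed here; capturing it from the interface and obtaining the source address from the IPv6 header are left to whatever capture tool is in use.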