Re: mpd5: tun0 always get IPv6 address via SLAAC although not configured
- In reply to: A FreeBSD User : "mpd5: tun0 always get IPv6 address via SLAAC although not configured"
Date: Mon, 17 Mar 2025 11:38:45 UTC
On 3/17/2025 06:04, A FreeBSD User wrote:
> Hello,
>
> I'm playing around with a useful setup of a small router/firewall appliance based on FreeBSD
> 14-STABLE and ipfw.
> My/our ISP provides (alleged) ::/56 prefixes. The hardware used has several Intel i210 based
> NICs, one of them is facing towards the ISP as usual with a cloned pseudo device called "tun0"
> (in fact a renamed ng0 device).
>
> The ISP is changing both IPv4 and IPv6 addresses after a 24h period!
>
> Obtaining a ::/56 prefix and delegating the proper network prefixes to their NICs works with
> port net/dhcp6 and FreeBSD's board tool rtadvd(8). The setup is textbook like and straight
> forward.
>
> All inward facing NICs do have the same prefix, an individual 8-bit network portion and a
> (sadly not further controllable) 64bit SLAAC host address.
>
> Problem: I never managed to obtain the ::/56 prefix on tun0! When using "rtsol -i tun0" within
> the link-up.sh script of mpd5, the ISP facing tun0 interface _always_ is configured via SLAAC
> (DHCPv6 on tun0 seems not to work in my case) and its prefix is ALWAYS different from that
> obtained later via net/dhcp6 and delegated via rtadvd. This causes some trouble identifying my
> router for ssh access from the outside world utilizing DDNS.
>
> Well, some internet HowTo's suggest not to provide tun0/ISP facing NIC with any address
> (except IPv4 address, which is done by default via mpd5). So I declared one of the inner NICs
> as the interface for remote access. But there seems an oddity:
>
> no matter what I configure for mpd5, tun0 ALWAYS obtains a SLAAC IPv6 and after several days
> there are several valid (temporary) IPv6 addresses, none of them is marked "detached" or
> "deprecated".
> How to make mpd5 to suppress obtaining any IPv6 address?
> And: why isn't the IPv6 address deprecated?
>
> In my first attempts configuring the tun0 interface, I used rtsol(8) for obtaining an IPv6
> address which worked very quickly (and provided this address to my DDNS provider). In roughly 6
> out of 10 cases the old IPv6 address is marked deprecated/detached. But in 4 out of 10 cases,
> the outward facing tun0 has at least two valid addresses of which one is not valid anymore from
> the perspective of my ISP!
>
> mpd5's link-up script is simply configuring tun0 with:
>
> /sbin/ifconfig ${wan_if} inet6 auto_linklocal -ifdisabled accept_rtadv -no_radr up
>
> (and if desired having SLAAC IPv6 addr on tun0:
> /sbin/rtsol ${wan_if} &
> but this is omitted right now).
>
> link-down.sh does nothing.
>
> Why is deprecating former addresses not working in all cases? Is it a feature that tun0
> magically obtains an IPv6 address via SLAAC on mpd5? How to suppress SLAAC on mpd5?
>
> Sorry for possible confusions, I'm new to IPv6 and would appreciate any hints and tips.
>
> Kind regards and thanks in advance,
>
> Oliver

rtsold is run on end nodes, but typically should not run on a router which is getting a larger prefix via dhcp at all. rtadvd runs on the internal interface(s) but /not/ on the external one; it is responsible for distributing on your internal network (and thus runs on the gateway but not clients); rtsold runs on client machines.

I used to run dhcp6c to get the /56 from my ISP, but switched to dhcpcd as it will do both IPv4/v6 and appears to work fine.

With dhcp6c to get the /56 and the "older" DHCP flag for dynamic on IPv4 you need to use the following, but they are not used with dhcpcd; as you can see, they are now commented out:

# Get a primary IPv4 address on the first (near serial port) ethernet port
#
#ifconfig_igb0="inet6 -ifdisabled accept_rtadv auto_linklocal"
#ifconfig_igb0="DHCP"
# If you are turning on IPv6 then you MUST set both these lines AND look in
# /usr/local/etc/dhcp6c.conf and make SURE you have the correct prefix and
# assignments for local prefix length. Note that we only accept routing info
# on the WAN interface, NEVER on the internal one.
#
#ipv6_cpe_wanif="igb0"
#ifconfig_igb0_ipv6="inet6 -ifdisabled accept_rtadv auto_linklocal"
#ifconfig_igb1_ipv6="inet6 -ifdisabled -accept_rtadv"
#ipv6_activate_all_interfaces="yes"
#
# IPv6 routing; we MUST be an IPv6 router for the INTERNAL interface to
# distribute SLAAC IPv6 addresses to client machines
#
rtadvd_enable="Yes"
rtadvd_interfaces="igb1"
#
# Dhcp6c client (get IPv6 addresses; note that /usr/local/etc/dhcp6c.conf must
# also be edited or this will NOT work!)
#
#dhcp6c_enable="Yes"
#dhcp6c_interfaces="igb0"
#
# Enable gateway functionality for both IPv4 and IPv6
#
gateway_enable="YES"
ipv6_gateway_enable="YES"

dhcpcd also has an "exit hook" script call which can be used to push changes to a DDNS server, and since it's "one thing instead of two", if you're on dynamic addresses and using DDNS it's more convenient than dealing with it in both the "factory" DHCP software for IPv4 and in dhcp6c for the "6" side.

--
Karl Denninger
karl@denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
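
Added example, not part of the original message and not code from mpd5 or dhcpcd: a POSIX shell helper for the address-selection problem raised in the quoted question, where an interface holds several SLAAC addresses and a DDNS update must publish only one. It filters text in the format of `ifconfig -L <if> inet6` and, as a heuristic assumed here, prefers the address with the largest remaining preferred lifetime; the function names and the sample output are constructed.

```shell
#!/bin/sh
# Added example. Reads FreeBSD `ifconfig -L <if> inet6` style text on stdin.

# usable_global_inet6: print "<pltime> <addr>" for every address that is
# neither link-local, ULA nor loopback and carries none of the flags that
# make it unsuitable for publishing (deprecated, detached, tentative,
# duplicated, temporary). pltime is -1 when no lifetime was shown.
usable_global_inet6() {
    awk '
    $1 != "inet6" { next }
    {
        addr = tolower($2)
        sub(/%.*/, "", addr)                      # strip "%tun0" scope suffix
        if (addr ~ /^fe[89ab]/) next              # link-local, fe80::/10
        if (addr ~ /^f[cd]/ || addr == "::1") next  # ULA fc00::/7, loopback
        pl = -1
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^(deprecated|detached|tentative|duplicated|temporary)$/) next
            if ($i == "pltime")
                pl = ($(i + 1) == "infty") ? 4294967295 : $(i + 1) + 0
        }
        print pl, addr
    }'
}

# freshest_global_inet6: of the usable addresses, print the one whose
# preferred lifetime has the most time left. Assumption: a prefix the ISP
# no longer advertises is not refreshed, so its lifetime only counts down.
freshest_global_inet6() {
    usable_global_inet6 | sort -rn | head -n 1 | cut -d ' ' -f 2
}

# Constructed sample: an old prefix already deprecated, an old prefix that
# is still marked valid, the current prefix, and a temporary address.
sample_ifconfig() {
    cat <<'EOF'
tun0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
    inet6 fe80::1234:56ff:fe78:9abc%tun0 prefixlen 64 scopeid 0x7
    inet6 2001:db8:aaaa:1::1 prefixlen 64 deprecated autoconf pltime 0 vltime 3600
    inet6 2001:db8:bbbb:1::1 prefixlen 64 autoconf pltime 1700 vltime 7100
    inet6 2001:db8:cccc:1::1 prefixlen 64 autoconf pltime 14300 vltime 86300
    inet6 2001:db8:cccc:1:5d3e:77aa:1:9 prefixlen 64 autoconf temporary pltime 14300 vltime 86300
EOF
}
```

More than one line from `usable_global_inet6` is the condition described in the question: an address from a previous prefix that was never deprecated.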