DHCPv6 server no IP address issued

Aaaannnddd… here I am again. Sorry ;).

Next issue I have is that my clients don’t get an IPv6 address via DHCP. The relevant config:

set interfaces ethernet eth2 vif 7
set interfaces ethernet eth2 vif 7 description 'Clients'
set interfaces ethernet eth2 vif 7 mtu 9000
set interfaces ethernet eth2 vif 7 address 172.19.15.1/24
set interfaces ethernet eth2 vif 7 address fdfd:dead:beef:cafe:0:1:f:1/112

set service dhcpv6-server listen-interface eth2.7
set service router-advert interface eth2.7 managed-flag
set service router-advert interface eth2.7 prefix ::/112
set service dhcpv6-server shared-network-name 'CLIENTS-6' subnet fdfd:dead:beef:cafe:0000:0001:f::/112 subnet-id 9
set service dhcpv6-server shared-network-name 'CLIENTS-6' subnet fdfd:dead:beef:cafe:0000:0001:f::/112 option name-server fdfd:dead:beef:cafe:0:1:a:5
set service dhcpv6-server shared-network-name 'CLIENTS-6' subnet fdfd:dead:beef:cafe:0000:0001:f::/112 lease-time default 86400
set service dhcpv6-server shared-network-name 'CLIENTS-6' subnet fdfd:dead:beef:cafe:0000:0001:f::/112 lease-time minimum 3600
set service dhcpv6-server shared-network-name 'CLIENTS-6' subnet fdfd:dead:beef:cafe:0000:0001:f::/112 range 0 start fdfd:dead:beef:cafe:0:1:f:0
set service dhcpv6-server shared-network-name 'CLIENTS-6' subnet fdfd:dead:beef:cafe:0000:0001:f::/112 range 0 stop fdfd:dead:beef:cafe:0:1:f:ffff
set service dhcpv6-server shared-network-name 'CLIENTS-6' subnet fdfd:dead:beef:cafe:0000:0001:f::/112 static-mapping 'alfred.local' duid 00:04:a5:5e:42:85:bc:0d:b2:40:15:7d:bf:0a:e2:fb:ec:87
set service dhcpv6-server shared-network-name 'CLIENTS-6' subnet fdfd:dead:beef:cafe:0000:0001:f::/112 static-mapping 'alfred.local' ipv6-address fdfd:dead:beef:cafe:0:1:f:52

I have allowed icmp-ipv6 in, and I see requests coming in:

vyos@srvr2-fw:~$ sudo tcpdump -ntvi eth2.7 port 546 or port 547
tcpdump: listening on eth2.7, link-type EN10MB (Ethernet), snapshot length 262144 bytes
IP6 (flowlabel 0x15668, hlim 1, next-header UDP (17) payload length: 93) fe80::651b:2b2e:25db:b77d.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=e37a2b (rapid-commit) (IA_NA IAID:1183161055 T1:0 T2:0) (Client-FQDN) (option-request DNS-server DNS-search-list SNTP-servers NTP-server opt_82) (client-ID type 4) (elapsed-time 0))
IP6 (flowlabel 0x15668, hlim 1, next-header UDP (17) payload length: 93) fe80::651b:2b2e:25db:b77d.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=e37a2b (rapid-commit) (IA_NA IAID:1183161055 T1:0 T2:0) (Client-FQDN) (option-request DNS-server DNS-search-list SNTP-servers NTP-server opt_82) (client-ID type 4) (elapsed-time 106))
IP6 (flowlabel 0x15668, hlim 1, next-header UDP (17) payload length: 93) fe80::651b:2b2e:25db:b77d.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=e37a2b (rapid-commit) (IA_NA IAID:1183161055 T1:0 T2:0) (Client-FQDN) (option-request DNS-server DNS-search-list SNTP-servers NTP-server opt_82) (client-ID type 4) (elapsed-time 310))
IP6 (flowlabel 0x15668, hlim 1, next-header UDP (17) payload length: 93) fe80::651b:2b2e:25db:b77d.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=e37a2b (rapid-commit) (IA_NA IAID:1183161055 T1:0 T2:0) (Client-FQDN) (option-request DNS-server DNS-search-list SNTP-servers NTP-server opt_82) (client-ID type 4) (elapsed-time 703))

but no response ever goes back. Server is running:

vyos@srvr2-fw:~$ ps -ef | grep kea
_kea      150437       1  0 09:14 ?        00:00:01 /usr/sbin/kea-dhcp4 -c /var/run/kea/kea-dhcp4.conf
_kea     1082372       1  0 12:36 ?        00:00:00 /usr/sbin/kea-dhcp6 -c /var/run/kea/kea-dhcp6.conf

Did I forget anything? I don’t (want to) use SLAAC.

Solution: add an input rule for every LAN interface on which DHCPv6 is active that allows UDP traffic. Unlike the DHCP v4 server. This was reported here as an omission in the docs back in 2022, but the docs still have not been updated.

set firewall ipv6 input filter rule 21 description 'LAN DHCPv6 responses'
set firewall ipv6 input filter rule 21 action jump
set firewall ipv6 input filter rule 21 jump-target INPUT-6-RULE000021
set firewall ipv6 name INPUT-6-RULE000021 default-action return
set firewall ipv6 name INPUT-6-RULE000021 rule 1 source group interface-group INPUT-4-RULE000026-SI
set firewall ipv6 name INPUT-6-RULE000021 rule 1 protocol udp
set firewall ipv6 name INPUT-6-RULE000021 rule 1 source port 546
set firewall ipv6 name INPUT-6-RULE000021 rule 1 destination port 547
set firewall ipv6 name INPUT-6-RULE000021 rule 1 action accept

(I use an interface group so I can add/remove interfaces without adding new rules.)

What also isn’t clear in the docs is that if your ISP provides you with a prefix using autoconf, you need to add this rule too:

set firewall ipv6 input filter rule 26 description 'WAN DHCPv6 requests'
set firewall ipv6 input filter rule 26 action jump
set firewall ipv6 input filter rule 26 jump-target INPUT-6-RULE000026
set firewall ipv6 name INPUT-6-RULE000026 default-action return
set firewall ipv6 name INPUT-6-RULE000026 rule 1 source group interface-group INPUT-4-RULE000026-SI
set firewall ipv6 name INPUT-6-RULE000026 rule 1 protocol udp
set firewall ipv6 name INPUT-6-RULE000026 rule 1 source port 547
set firewall ipv6 name INPUT-6-RULE000026 rule 1 destination port 546
set firewall ipv6 name INPUT-6-RULE000026 rule 1 action accept

(This interface group contains the interface connected to the ISP, in my case pppoe0.)

And to make it complete, you also need to activate router-advertising on all LAN interfaces with DHCPv6 active:

set service router-advert interface eth2.3 prefix <your-prefix>
set service router-advert interface eth2.3 managed-flag
set service router-advert interface eth2.3 other-config-flag
set service router-advert interface eth2.3 name-server '<your DNS server>'

Still some issues.

Static mappings work fine, but handing out addresses from the pool behaves weirdly.

Configuration:

set service router-advert interface eth2.7 prefix fdfd:dead:beef:cafe:0000:0001:f::/112
set service router-advert interface eth2.7 managed-flag
set service router-advert interface eth2.7 other-config-flag
set service router-advert interface eth2.7 name-server 'fdfd:dead:beef:cafe:0:1:a:5'
set service dhcpv6-server listen-interface eth2.7
set service dhcpv6-server shared-network-name 'USERS-6' interface eth2.7
set service dhcpv6-server shared-network-name 'USERS-6' subnet fdfd:dead:beef:cafe:0000:0001:f::/112 subnet-id 9
set service dhcpv6-server shared-network-name 'USERS-6' subnet fdfd:dead:beef:cafe:0000:0001:f::/112 option name-server fdfd:dead:beef:cafe:0:1:a:5
set service dhcpv6-server shared-network-name 'USERS-6' subnet fdfd:dead:beef:cafe:0000:0001:f::/112 lease-time default 86400
set service dhcpv6-server shared-network-name 'USERS-6' subnet fdfd:dead:beef:cafe:0000:0001:f::/112 lease-time minimum 3600
set service dhcpv6-server shared-network-name 'USERS-6' subnet fdfd:dead:beef:cafe:0000:0001:f::/112 range 0 start fdfd:dead:beef:cafe:0:1:f:ff00
set service dhcpv6-server shared-network-name 'USERS-6' subnet fdfd:dead:beef:cafe:0000:0001:f::/112 range 0 stop fdfd:dead:beef:cafe:0:1:f:ffff
set service dhcpv6-server shared-network-name 'USERS-6' subnet fdfd:dead:beef:cafe:0000:0001:f::/112 static-mapping 'alfred.local' duid 00:04:a5:5e:42:85:bc:0d:b2:40:15:7d:bf:0a:e2:fb:ec:87
set service dhcpv6-server shared-network-name 'USERS-6' subnet fdfd:dead:beef:cafe:0000:0001:f::/112 static-mapping 'alfred.local' ipv6-address fdfd:dead:beef:cafe:0:1:f:52

Status:

vyos@srvr2-fw:~$ show dhcpv6 server leases pool USERS-6 
IPv6 address                    MAC address        State    Last communication         Lease expiration           Remaining    Pool    Hostname                       Type    DUID
------------------------------  -----------------  -------  -------------------------  -------------------------  -----------  ------  -----------------------------  ------  -----------------------------------------------------
fdfd:dead:beef:cafe:0:1:f:52    -                  active   2026-05-31 06:50:25+00:00  2026-06-01 06:50:25+00:00  17:03:15    USERS-6  alfred.local                   IA_NA   00:04:a5:5e:42:85:bc:0d:b2:40:15:7d:bf:0a:e2:fb:ec:87
fdfd:dead:beef:cafe:0:1:f:ff00  08:00:27:e3:a9:10  active   2026-05-31 13:46:49+00:00  2026-06-01 13:46:49+00:00  23:59:39    USERS-6  windows7.office.flexcoders.eu  IA_NA   00:01:00:01:1c:0b:89:7d:08:00:27:e3:a9:10

vyos@svrv2-fw:~$ show dhcpv6 server statistics pool USERS-6 
Pool     Size    Leases    Available    Usage
-------  ------  --------  -----------  -------
USERS-6  256     2         254          1%

So, plenty of addresses in the pool.

It has issued the static mapping without issues, and it has issued the first address from the pool to a Windows 7 VM on the users subnet.

But an Android mobile phone does not get an address:

May 31 13:24:47 kea-dhcp6[116982]: INFO  DHCP6_PACKET_RECEIVED duid=[00:03:00:01:66:d2:b3:a7:32:d3], [no hwaddr info], tid=0xc9d980: SOLICIT (type 1) received from fe80::64d2:b3ff:fea7:32d3 to ff02::1:2 on interface eth2.7
May 31 13:24:47 kea-dhcp6[116982]: WARN  ALLOC_ENGINE_V6_ALLOC_FAIL_SHARED_NETWORK duid=[00:03:00:01:66:d2:b3:a7:32:d3], [no hwaddr info], tid=0xc9d980: failed to allocate a lease in the shared network USERS-6: 0 subnets have no available leases, 3 subnets have no matching pools
May 31 13:24:47 kea-dhcp6[116982]: WARN  ALLOC_ENGINE_V6_ALLOC_FAIL_NO_POOLS duid=[00:03:00:01:66:d2:b3:a7:32:d3], [no hwaddr info], tid=0xc9d980: no pools were available for the lease allocation
May 31 13:24:47 kea-dhcp6[116982]: WARN  ALLOC_ENGINE_V6_ALLOC_FAIL_CLASSES duid=[00:03:00:01:66:d2:b3:a7:32:d3], [no hwaddr info], tid=0xc9d980: Failed to allocate an IPv6 address for client with classes: ALL, UNKNOWN
May 31 13:24:47 kea-dhcp6[116982]: INFO  DHCP6_PACKET_SEND duid=[00:03:00:01:66:d2:b3:a7:32:d3], [no hwaddr info], tid=0xc9d980: trying to send packet ADVERTISE (type 2) from [ff02::1:2]:547 to [fe80::64d2:b3ff:fea7:32d3]:546 on interface eth2.7
May 31 13:24:49 kea-dhcp6[116982]: INFO  DHCP6_QUERY_LABEL received query: duid=[00:03:00:01:66:d2:b3:a7:32:d3], [no hwaddr info], tid=0xc9d980

What, “no matching pool”? An address was just issued to another client, and there are 254 addresses left in the pool?

Grmpff, me again. Android doesn’t support DHCPv6, only SLAAC.

But…

The request in the log, from fe80::64d2:b3ff:fea7:32d3, is from an Android phone?

I have created https://vyos.dev/T8949 as I can’t configure prefix delegation at the moment, due to an artificial prefix length limitation in the CLI.
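
An added example, not part of the posts above: when a Kea log line reports `[no hwaddr info]`, the DUID and the link-local source address can still be decoded to see which device sent the SOLICIT. The function names are assumptions made for this sketch; the sample line is copied from the log in this thread.

```python
import ipaddress
import re

DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}

def decode_duid(duid: str) -> dict:
    """Decode a colon-separated DUID (RFC 8415, section 11) as Kea prints it."""
    raw = bytes.fromhex(duid.replace(":", ""))
    dtype = int.from_bytes(raw[:2], "big")
    info = {"type": DUID_TYPES.get(dtype, f"unknown({dtype})"), "mac": None}
    # Types 1 and 3 carry a link-layer address; hardware type 1 is Ethernet.
    if dtype in (1, 3) and int.from_bytes(raw[2:4], "big") == 1:
        mac = raw[8:] if dtype == 1 else raw[4:]  # DUID-LLT has a 4-byte time first
        if len(mac) == 6:
            info["mac"] = mac.hex(":")
            # Bit 0x02 of the first octet marks a locally administered MAC,
            # which is what per-network MAC randomisation produces.
            info["locally_administered"] = bool(mac[0] & 0x02)
    return info

def eui64_mac(addr: str):
    """Return the MAC embedded in a modified EUI-64 interface ID, or None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # random or stable-privacy interface ID, no MAC inside
    return (bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]).hex(":")

LOG_RE = re.compile(r"duid=\[([0-9a-f:]+)\].*?received from (\S+) to")

def identify(line: str):
    """Correlate the DUID and source address of a DHCP6_PACKET_RECEIVED line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    info = decode_duid(m.group(1))
    info["source"] = m.group(2)
    info["source_matches_duid"] = (
        info["mac"] is not None and eui64_mac(m.group(2)) == info["mac"])
    return info

# Log line copied from the thread above.
SAMPLE = ("May 31 13:24:47 kea-dhcp6[116982]: INFO  DHCP6_PACKET_RECEIVED "
          "duid=[00:03:00:01:66:d2:b3:a7:32:d3], [no hwaddr info], tid=0xc9d980: "
          "SOLICIT (type 1) received from fe80::64d2:b3ff:fea7:32d3 to ff02::1:2 "
          "on interface eth2.7")

if __name__ == "__main__":
    print(identify(SAMPLE))
```

For the sample line this yields a DUID-LL whose MAC, 66:d2:b3:a7:32:d3, is locally administered and matches the EUI-64 interface ID of the source address; that MAC can then be looked up in the switch or access-point client table to find the device.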