How can I activate IPv6 on an interface?

I’d like to activate IPv6 on an interface without setting an address (so, it should only have a link local address… either configured manually or automatically…). How can I do this?

Background info:

Why I need this? Well, I’d like to use this VyOS as default router for my network. That’s why it needs this link local address. But it should not distribute prefixes or something else, since everything behind it is configured with static IPs… but, currently I’m struggling with the question how to configure this routing stuff.

In the IPv4 world, we had to set a static IP for the router, then configure this as “default gateway” on the servers and it worked… now, in the IPv6 world, I have some problems… either I’ve to configure my VyOS router with a static link local address so that I can set this in the server configuration or… it has to have a dynamic link local address and send an RA, but without prefix advertisement (no autonomous flag and stuff like that)… for me both options are fine, but… I cannot activate IPv6 on the VyOS interface without also activating all the prefix-auto-config stuff… and I also don’t want my router to get a public IPv6 address… it doesn’t need it and it’s only a security risk.

News:

Oh and see? Now… when I use “show interfaces ethernet eth1”, it shows me that it does have a link local address… but I don’t understand what caused it. What did I do/activate that it gets it now? … is it that, because I activated DHCPv6-PD on a completely other interface, every interface does now get a link local IPv6 address, because this activated IPv6 globally in the system? … those points are hard to understand… that’s why people always say “the system suddenly does something” or why even airline pilots are sometimes (too often) asking “what is it doing now??” …

would be nice to get an explanation of this behaviour…


Hello, meiru.

Correct me if I’m wrong, but as I understood you want to create an IPv6 interface with a kind of DHCP which gives addresses only to specific connects without connection any others?

hi
what I try to do is to create a router for a subnet with static addresses
like in the IPv4 world where you had 1 modem → 1 router → 6 servers with static ip addresses…
in the IPv4 world you simply had to set the IP of the router and that’s it… but with IPv6 you have to inform your ISP via DHCP-PD about the existence of this router… and then when you have done this, you somehow have to inform those 6 servers (which you want to assign static IPv6 addresses, because they are dns servers and webservers and whatever) about the router… the general idea was to use RA packages, but… that doesn’t work very well… because, the systems seem not to work correctly then… has to do with auto-config flags and stuff like that… so that’s why I wanted to give my router a static link local address and enter this manually into the config of those 6 servers… and… luckily VyOS seems to use an algorithm to form those link local addresses so that they are somehow static (derived from the MAC as far as I have seen)… that’s why for the moment the solution seems to work, but if IPv6 should become the solution of the future, most solutions need a makeover and a lot of debugging…

Hello @meiru

Does the ISP provide an IPv6 prefix or an address?
If the ISP provides a prefix - the route to you already exists. You already use this prefix on the router.
If the ISP provides an address you can try to use NAT66 for IPv6.
Can you send your configuration?

I got a prefix (/48), but the route doesn’t exist. And, they don’t accept RA packages. I have to “register” my router via DHCP-PD… that’s the only option they give me. And that’s quite common for all ISPs (at least around here) … I think, there’s still a lot we/they have to learn until we can use IPv6 in production.

Hey there. Have you experimented with any configuration on getting this going? Can you share any existing config you have? Do you get IPv6 connectivity on the VyOS router? What version of VyOS are you using?

Here’s the start of some documentation for DHCP-PD in 1.3 that may help you.

yes… I have a working solution

I’m using PD to fetch the full /48 range and then I created some static routes

the link local addresses are all static (or “the algorithm that generates them, does build them from the MAC address” … which results in “static”) … that’s why I can create a static route6 with a /64 range to an interface (ethX) and configure all servers connected to this ethX-segment manually (setting the default gateway and stuff like that plus disabling all auto-configs for IPv6)

plus… I can create a static route for the subnet that I’m using in my LAN… internally I’m then using DHCPv6 and other configurations to configure my LAN (which is the easy part… the problem is always the static part outside your router)

… I can try to document this and upload it to somewhere.
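Added example, not part of the original posts: the setup described above relies on the router's link-local address being derived from its MAC, so the sketch below computes that modified EUI-64 address (the value to enter as default gateway on the servers) and flags which addresses in a listing are MAC-derived and therefore predictable enough to pin in firewall rules. It assumes the interface uses EUI-64 address generation, as the poster observed; hosts using privacy or stable-privacy identifiers will not match. The MAC and addresses are constructed samples.

```python
import ipaddress

def eui64_link_local(mac):
    """Link-local address built from a 48-bit MAC via modified EUI-64 (RFC 4291)."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # Flip the universal/local bit of the first octet, insert ff:fe in the middle.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)

def is_mac_derived(addr, mac):
    """True if the interface identifier (low 64 bits) of addr comes from mac."""
    bare = addr.split("%")[0].split("/")[0]   # drop zone index and prefix length
    return ipaddress.IPv6Address(bare).packed[8:] == eui64_link_local(mac).packed[8:]

def classify(addrs, mac):
    """Map each address to (scope, origin) so firewall rules can pin the stable ones."""
    result = {}
    for addr in addrs:
        ip = ipaddress.IPv6Address(addr.split("%")[0].split("/")[0])
        scope = "link-local" if ip.is_link_local else "non-link-local"
        origin = "mac-derived" if is_mac_derived(addr, mac) else "static-or-random"
        result[addr] = (scope, origin)
    return result

# Constructed sample: a router MAC and addresses as an interface listing might show them.
ROUTER_MAC = "52:54:00:12:34:56"
SAMPLE = [
    "fe80::5054:ff:fe12:3456%eth1",
    "2001:db8:1:2:5054:ff:fe12:3456/64",
    "2001:db8:1:2::53/64",
]

if __name__ == "__main__":
    print("gateway to configure on the servers:", eui64_link_local(ROUTER_MAC))
    for addr, kind in classify(SAMPLE, ROUTER_MAC).items():
        print(addr, kind)
```

A replaced NIC or a changed virtual MAC changes the derived address, so a gateway entry built this way has to be updated with the hardware.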

Are you trying to NAT IPv6 traffic? In my experience, that does not end well. Why not use SLAAC on the LAN clients? What is your end-goal?

nope… not NAT, but I have an outer network (ipv6/64 for mail servers and stuff like that with static IPs), then two routers into two different subnets (ipv6 /64) and those subnets do contain windows active directory domains

the problem is simple… those subnets need to be static and I need some control over it, because e.g. domain controllers and dns servers need static ips (also for IPv6)… that’s why I cannot auto configure everything… at least some parts need to be static (like the prefix and the possibility to build static ips inside this subnet that will never collide… not even when the machine is offline for a day and then returning… also in this case, the ip should be available… that’s why stuff like “collision detection” doesn’t help at all… I need a guarantee that this ip I’m using for my DC will NEVER be used from anyone else) … oh and then it would be nice to have some “stateful firewall” (instead of NAT) … just to improve the security a little bit… in case a printer on my network is vulnerable or something (because, what I’m doing means assigning every computer a publicly available ip)…

so… in theory, that all is very easy, but when you start setting this up, you see, that there are a lot of details that don’t work correctly… (especially when you have autoconfigured addresses for AD services… even if those ips are only the additional ones beside the statically assigned ones)

oh and… try to set up a firewall rule in your router for e.g. your DC (nobody should contact it from outside) if this DC does have dynamically generated addresses… (multiple)

Ah, I think I have a better understanding of your situation now and that does all sound rather tricky. My GNS3 machine is packed away currently, I was hoping I could have helped you set up dhcp-pd, slaac, and called it good. I would like to expand my IPv6 knowledge though so I’m interested if someone else has a solution for this or what I can come up with when I can finally lab it.