I have a Ubiquiti router on which IPv6 appears to be working fine. The output of radvdump, along with various other relevant data, is below. My trouble is with IPv6 on an Ubuntu 16.04 machine behind the router.

Setting the router as DHCP client on the WAN side and Prefix Delegation/{stateless,stateful} DHCP Server on the LAN side leaves me with only link-local addresses on the client. Setting the router as {DHCP client,SLAAC} on the WAN side, a static address on the LAN side, and the {stateless,stateful} DHCP Server for the client, provides me with IPv6 addresses on the client, but no connectivity.

I understand that I may need to edit the Network Manager config, /etc/dhclient.conf, and that while the keys in sysctl are also relevant, they may not play well with Network Manager. I'd appreciate any input on how to start.

Also, I am hesitating to install radvd on the Ubuntu client. I am concerned it may conflict with DHCP or SLAAC functionality on the client. Is that an issue?

--------------------------------------------------------------------

`# radvdump` [run on the router]

```
interface ath0
{
    AdvSendAdvert on;
    # Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
    AdvManagedFlag off;
    AdvOtherConfigFlag on;
    AdvReachableTime 0;
    AdvRetransTimer 0;
    AdvCurHopLimit 64;
    AdvDefaultLifetime 1800;
    AdvHomeAgentFlag off;
    AdvDefaultPreference medium;
    AdvSourceLLAddress on;

    RDNSS 2607:X:X:X::53
    {
        AdvRDNSSPreference 0;
        AdvRDNSSOpen off;
        AdvRDNSSLifetime 1800;
    }; # End of RDNSS definition

    prefix 2607:X:Y:Y::/64
    {
        AdvValidLifetime 2592000;
        AdvPreferredLifetime 604800;
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
    }; # End of prefix definition

}; # End of interface definition
#
# radvd configuration generated by radvdump 1.2
# based on Router Advertisement from fe80::Z:Z:Z:Z
# received by interface ath0
```

`ip -6 addr` [on the router]

```
inet6 2607:X:X:X:Y:yff:fey:Y/64 scope global dynamic
```

plus a link-local address

`$ ip -6 addr` [on the client. first address only present when using the stateful server]

```
inet6 2607:X:X:X::x/128         scope global dynamic
inet6 2607:X:X:X:Y':Y':Y':Y'/64 scope global temporary dynamic
inet6 2607:X:X:X:Z:Z:Z:Z/64     scope global mngtmpaddr noprefixroute dynamic
```

`$ ip -6 route` [on the client. first route only present when using the stateful server and fe80::Y:yff:fey:Y is the link-local ip of the router's LAN interface]

```
2607:X:X:X::x dev enp0s25 proto kernel metric 256 expires 86292sec pref medium
2607:X:X:X::/64 via fe80::Y:yff:fey:Y dev enp0s25 proto ra metric 100 pref medium
2607:X:X:X::/64 dev enp0s25 proto kernel metric 256 expires 7090sec pref medium
fe80::/64 dev enp0s25 proto kernel metric 256 pref medium
default via fe80::Y:yff:fey:Y dev enp0s25 proto static metric 100 pref medium
```

plus a link-local address

`$ cat /etc/network/interfaces` [unchanged from the ubuntu install]

```
auto lo
iface lo inet loopback
```

```
$ sudo sysctl -a | grep accept_ra

net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.all.accept_ra_defrtr = 1
net.ipv6.conf.all.accept_ra_from_local = 0
net.ipv6.conf.all.accept_ra_min_hop_limit = 1
net.ipv6.conf.all.accept_ra_mtu = 1
net.ipv6.conf.all.accept_ra_pinfo = 1
net.ipv6.conf.all.accept_ra_rt_info_max_plen = 0
net.ipv6.conf.all.accept_ra_rtr_pref = 1
net.ipv6.conf.default.accept_ra = 1
net.ipv6.conf.default.accept_ra_defrtr = 1
net.ipv6.conf.default.accept_ra_from_local = 0
net.ipv6.conf.default.accept_ra_min_hop_limit = 1
net.ipv6.conf.default.accept_ra_mtu = 1
net.ipv6.conf.default.accept_ra_pinfo = 1
net.ipv6.conf.default.accept_ra_rt_info_max_plen = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 1
net.ipv6.conf.enp0s25.accept_ra = 1
net.ipv6.conf.enp0s25.accept_ra_defrtr = 0
net.ipv6.conf.enp0s25.accept_ra_from_local = 0
net.ipv6.conf.enp0s25.accept_ra_min_hop_limit = 1
net.ipv6.conf.enp0s25.accept_ra_mtu = 1
net.ipv6.conf.enp0s25.accept_ra_pinfo = 0
net.ipv6.conf.enp0s25.accept_ra_rt_info_max_plen = 0
net.ipv6.conf.enp0s25.accept_ra_rtr_pref = 0
net.ipv6.conf.lo.accept_ra = 1
net.ipv6.conf.lo.accept_ra_defrtr = 1
net.ipv6.conf.lo.accept_ra_from_local = 0
net.ipv6.conf.lo.accept_ra_min_hop_limit = 1
net.ipv6.conf.lo.accept_ra_mtu = 1
net.ipv6.conf.lo.accept_ra_pinfo = 1
net.ipv6.conf.lo.accept_ra_rt_info_max_plen = 0
net.ipv6.conf.lo.accept_ra_rtr_pref = 1
net.ipv6.conf.virbr0.accept_ra = 0
net.ipv6.conf.virbr0.accept_ra_defrtr = 1
net.ipv6.conf.virbr0.accept_ra_from_local = 0
net.ipv6.conf.virbr0.accept_ra_min_hop_limit = 1
net.ipv6.conf.virbr0.accept_ra_mtu = 1
net.ipv6.conf.virbr0.accept_ra_pinfo = 1
net.ipv6.conf.virbr0.accept_ra_rt_info_max_plen = 0
net.ipv6.conf.virbr0.accept_ra_rtr_pref = 1
net.ipv6.conf.virbr0-nic.accept_ra = 1
net.ipv6.conf.virbr0-nic.accept_ra_defrtr = 1
net.ipv6.conf.virbr0-nic.accept_ra_from_local = 0
net.ipv6.conf.virbr0-nic.accept_ra_min_hop_limit = 1
net.ipv6.conf.virbr0-nic.accept_ra_mtu = 1
net.ipv6.conf.virbr0-nic.accept_ra_pinfo = 1
net.ipv6.conf.virbr0-nic.accept_ra_rt_info_max_plen = 0
net.ipv6.conf.virbr0-nic.accept_ra_rtr_pref = 1
net.ipv6.conf.wlp3s0.accept_ra = 0
net.ipv6.conf.wlp3s0.accept_ra_defrtr = 0
net.ipv6.conf.wlp3s0.accept_ra_from_local = 0
net.ipv6.conf.wlp3s0.accept_ra_min_hop_limit = 1
net.ipv6.conf.wlp3s0.accept_ra_mtu = 1
net.ipv6.conf.wlp3s0.accept_ra_pinfo = 0
net.ipv6.conf.wlp3s0.accept_ra_rt_info_max_plen = 0
net.ipv6.conf.wlp3s0.accept_ra_rtr_pref = 0
```

Diagon
  • What address does the router assign to its WAN interface, and what prefix are you statically configuring on the LAN side? Unedited addresses would be greatly appreciated. – u1686_grawity Oct 16 '18 at 07:23
  • @grawity Well, I don't really want to give you unedited addresses, as the WAN side gets one based on the MAC of the network interface, as indicated above (2607:X:X:X:Y:yff:fey:Y/64). If you look at the output of `radvdump` you see there the prefix and mask, so I use: 2607:X:X:X:: and /64. – Diagon Oct 16 '18 at 07:26
  • @harrymc - I'm not sure I understand your question. I've got a router connecting to a network, which works fine, then behind it is a client that I'd like to have access the IPV6 net. – Diagon Oct 16 '18 at 07:28
  • @Diagon: That means you're setting up a LAN prefix _identical_ to your WAN prefix (as you show 2607:X:X:X::/64 on both the router's WAN dump, and the client's route table)? That's definitely not going to work. – u1686_grawity Oct 16 '18 at 07:29
  • Ok. while I'm new at this, I thought the RA was supposed to offer the prefix and mask. Could you clarify? (Is there a chat interface on superuser? Some of the stackexchanges have that.) – Diagon Oct 16 '18 at 07:30
  • No, it offers the same as DHCP does: the prefix that the device's WAN interface itself is in. Not the prefix that it's supposed to use on some other interface. – u1686_grawity Oct 16 '18 at 07:32
  • Ok, well. How are we *supposed* to do this?? As I say, any help would be appreciated. I did try shorter masks: /48, /32, /16. None of those worked. – Diagon Oct 16 '18 at 07:33
  • Why would that have worked? – u1686_grawity Oct 16 '18 at 07:36
  • I thought I might try a subnet of the subnet. I was, after all, offered any of the addresses in 2607:X:X:X::/64 by what is effectively the ISP. I thought I could grab some of those. It only allowed me to take the whole /64. But maybe I don't understand your question. – Diagon Oct 16 '18 at 07:38
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/84516/discussion-between-diagon-and-grawity). – Diagon Oct 16 '18 at 07:39

1 Answer

> Setting the router as DHCP client on the WAN side and Prefix Delegation/{stateless,stateful} DHCP Server on the LAN side leaves me with only link-local addresses on the client. Setting the router as {DHCP client,SLAAC} on the WAN side, a static address on the LAN side, and the {stateless,stateful} DHCP Server for the client, provides me with ipv6 addresses on the client, but no connectivity.

Based on this, and on your comments, it seems that you are copying the SLAAC-advertised WAN prefix directly onto your LAN interface's configuration. That is not going to work (for the same reason that it wouldn't with WAN DHCP on IPv4).

In IPv6 SLAAC, just like in IPv4 DHCP, the advertised prefix simply indicates what subnet the WAN interface is in, and the router picks its own WAN address from that subnet. However, that has nothing to do with the LAN side – your router is a router, not a bridge, therefore the LAN is its own network and needs its own prefix.

To obtain a prefix for the LAN interfaces, your router must usually send a prefix delegation request by using DHCPv6-PD on the WAN side. (Usually there is some integration that automatically starts advertising the delegated prefix to the LAN.)

How large a prefix you can request depends on the ISP (some provide up to a /60, others up to a /56, etc.) – but the individual LAN interfaces must still use /64s.

(That said, not all ISPs do DHCPv6-PD; sometimes you have to request an IPv6 prefix yourself and configure that manually. There is also the option of continuing the IPv4 practice of using a private address range for the LAN, and 1:many NAT (masquerading) done on the router. Though I wouldn't recommend 1:many NAT except as the last resort; it is already bad enough on IPv4.)

> Also, I am hesitating to install radvd on the Ubuntu client.

No, it is absolutely not needed. That's like trying to install a DHCP server on a client.

u1686_grawity
  • Ok, thanks. As I mentioned in the question, I did try prefix delegation, but only get link-local addresses on the client. Could there be mis-configurations on the client, in dhcp, network-manager or sysctl? Or, is there some way to tell if the "ISP" (a campus network) is or is not offering PD? – Diagon Oct 16 '18 at 07:42
  • A campus network is very unlikely to offer PD, and if there's no PD, then your router has no global prefix that it could advertise on the LAN. (That probably falls under "sometimes you have to request an IPv6 prefix yourself".) But PD remains the official method for doing this, whether it works with your particular ISP or not. – u1686_grawity Oct 16 '18 at 07:47
  • I see, yes. When I use DHCP on the WAN side and PD on the LAN side, I only get a link-local address on the LAN side (and thus the client, when I turn on DHCP for the LAN). Could you clarify, "Sometimes you have to request an IPV6 prefix yourself"? I guess my alternative is to use the router as a bridge? – Diagon Oct 16 '18 at 07:51
  • Not likely, it's a very locked down network for visitors. I'd have to do something else. A bridge, I suppose. Or the ipv6 equivalent of NAT, as you mentioned. If you have a convenient link for the latter, I'd appreciate it. Otherwise I'll simply google. (I do have other questions, like how I get something other than a MAC based IP from this "ISP", but I suppose that's for another SE question?) – Diagon Oct 16 '18 at 07:59
  • By "request" I meant calling/emailing/walking to the campus IT team and telling them that you want to use IPv6 with your own router. – u1686_grawity Oct 16 '18 at 08:22
  • It is a completely separate question, but – SLAAC doesn't provide addresses; it provides the network prefix. Your devices (your router in this case) choose their own suffixes, or "interface identifiers". MAC-based interface identifiers are not the only choice for SLAAC, and a choice that is becoming relatively less common. (See also RFC 4941, RFC 7217, https://superuser.com/q/243669/1686.) They also were never required for 'static' DHCPv6 at all. – u1686_grawity Oct 16 '18 at 08:25
  • Thanks, but by "not likely" I mean, it's not going to happen! They don't give any support resources at all to this part of the network. We're on our own.... [just reading your second comment...] Alright so the MAC based address is a Ubiquiti issue. Thanks. I can ask there. – Diagon Oct 16 '18 at 08:25
  • The upstream router advertises _only_ a prefix. As long as it permits SLAAC at all, it doesn't have any say on what interface identifier(s) your devices will select for it. Your router doesn't use privacy addressing because it doesn't want it; routers don't change locations much nor make outgoing connections to random sites on the user's behalf, so in short they have different needs and priorities than PCs do. – u1686_grawity Oct 16 '18 at 08:29
  • Yes, I got it, thanks. Your second message came after my response - though it confuses me that I get the *same* IP when I use DHCP on the WAN. It seems the campus DHCP server is also supplying a MAC based addr (?) Or maybe Ubiquiti has a fall-back to SLAAC (?) Do you know of a tool to check for PD messages, similar to radvdump for RA's? – Diagon Oct 16 '18 at 08:38
  • From your link: "If the USG has received a prefix delegation (PD) from the ISP, it will advertise the prefix that clients will use with stateless address auto-configuration (SLAAC) and the EUI-64 process." This is why I was asking about installing radvdump on the *client*. That way I could see if those messages are present. – Diagon Oct 16 '18 at 09:04
  • Okay. In that case, tcpdump or Wireshark (generic packet capture tools) is always a good start. `tcpdump -e -v -n -i eth0 "icmp6 or (udp port 546 or 547)"`. On Ubuntu, it's safe to install radvd (it won't do anything until configured), but `rdisc6` from ndisc6 is better at requesting and showing RAs on demand than radvdump is. – u1686_grawity Oct 16 '18 at 09:27
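
The thread ends on how to tell whether the upstream network answers a prefix delegation request. As an added example (not part of the original question, answer or comments), this Python sketch decodes the UDP payload of a DHCPv6 message, such as one captured on ports 546/547 on the router's WAN side, and reports any delegated prefix (IA_PD / IAPREFIX) or a NoPrefixAvail status. The function names and the sample payloads are constructed for illustration; the option and status codes are those of RFC 8415.

```python
import ipaddress
import struct

MSG = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 7: "REPLY"}  # RFC 8415 types
OPT_STATUS, OPT_IA_PD, OPT_IAPREFIX = 13, 25, 26
NO_PREFIX_AVAIL = 6  # status code a server returns when it will not delegate


def options(buf):
    """Yield (code, value) for each TLV option; stop at a truncated one."""
    pos = 0
    while pos + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, pos)
        pos += 4
        if pos + length > len(buf):
            return
        yield code, buf[pos:pos + length]
        pos += length


def delegation(payload):
    """Return (message name, delegated prefixes, IA_PD status codes)."""
    if len(payload) < 4:
        raise ValueError("shorter than the 4-byte DHCPv6 header")
    prefixes, statuses = [], []
    for code, val in options(payload[4:]):    # skip msg-type + transaction id
        if code != OPT_IA_PD or len(val) < 12:
            continue
        for sub, sval in options(val[12:]):   # skip IAID, T1, T2
            if sub == OPT_IAPREFIX and len(sval) >= 25:
                addr = ipaddress.IPv6Address(sval[9:25])  # after 2 lifetimes + length
                prefixes.append(ipaddress.IPv6Network((addr, sval[8]), strict=False))
            elif sub == OPT_STATUS and len(sval) >= 2:
                statuses.append(struct.unpack_from("!H", sval)[0])
    return MSG.get(payload[0], str(payload[0])), prefixes, statuses


def opt(code, value):  # helper used only to build the constructed samples below
    return struct.pack("!HH", code, len(value)) + value

# Constructed payloads (documentation prefix 2001:db8::/32), not real captures.
HDR = b"\x07\xaa\xbb\xcc"              # REPLY + arbitrary transaction id
IA = struct.pack("!III", 1, 0, 0)     # IAID, T1, T2
PFX = struct.pack("!IIB", 3600, 7200, 56) + ipaddress.IPv6Address("2001:db8:0:100::").packed
REPLY_WITH_PD = HDR + opt(OPT_IA_PD, IA + opt(OPT_IAPREFIX, PFX))
REPLY_NO_PD = HDR + opt(OPT_IA_PD, IA + opt(OPT_STATUS, struct.pack("!H", NO_PREFIX_AVAIL)))

if __name__ == "__main__":
    print(delegation(REPLY_WITH_PD), delegation(REPLY_NO_PD))
```

A reply with neither a prefix nor a status code means the server ignored the IA_PD request entirely.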