odhcpd currently won't work when put in [[https://wiki.openwrt.org/doc/uci/network6#router_advertisement_dhcpv6|relay mode]] if the manual is followed naively. Turns out this is because the firewall blocks incoming traffic to the DHCPv6 server (port 547) from external DHCPv6 servers (port 547) from the WAN zone by default. It may be a good idea to allow this out of the box, though I'm unsure if there are any security complications from this -- I'm a newcomer to IPv6. Replies come with the source global IPv6 address of the DHCPv6 server to the global IPv6 address of the router, so it's difficult to make a more constrained rule without hardcoding them or at least the prefix.
Example rule which fixes relay mode:
```
config rule
	option enabled '1'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '547'
	option name 'Allow DHCPv6 Relay'
	option family 'ipv6'
	option src_port '547'
```
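A narrower variant of the rule above, as an added example that is not part of the original report: it pins the source to the upstream DHCPv6 server's prefix, which is the hardcoding the report says a more constrained rule would need. The prefix `2001:db8:0:1::/64` is a documentation placeholder and the rule name is made up for this example; `src_ip` is a standard option of firewall `config rule` sections.

```uci
# /etc/config/firewall -- added example, not from the original report
config rule
	option name 'Allow DHCPv6 Relay (pinned source)'  # hypothetical name
	option enabled '1'
	option family 'ipv6'
	option src 'wan'
	option proto 'udp'
	# Relay replies arrive server-to-relay, port 547 to port 547.
	option src_port '547'
	option dest_port '547'
	# Accept only from the upstream DHCPv6 server's prefix.
	# Placeholder value: replace with the prefix your ISP's server
	# actually replies from, and update it if the ISP renumbers.
	option src_ip '2001:db8:0:1::/64'
	option target 'ACCEPT'
```

Without `src_ip`, any host reachable through the WAN zone can send UDP from port 547 to the router's port 547; with it, only the listed prefix can.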
It is common for DHCPv4 firewall rules to be "udp 67-68 allow input", or that is whatever it's just DHCP. Perhaps DHCPv6 / RA is the same. However, as a consideration, it is highly recommended that ISPs all provide DHCP-PD /64 (option /60 for even residential). WAN RA relay would not be the most common tool.
The potential security/routing complication is that you may end up with devices acquiring prefixes your firewall doesn't know about, and will end up blocking.
As for port 547 to 547, that's "how it's done" here.
Relay, on the other hand, can help if have already within your network that needs addresses, and trying to get DHCP that way... but in that case I usually disable the firewall and rely on the main box to have all the prefixes available I can use.
I will fiddle with this, however, in the first case. What would have to happen is the relay agent would have to also punch a hole in the firewall along the way. Even assuming your provider will allow multiple prefixes to be assigned.
abbradar:
LEDE revision: 3e7b894