OpenWrt/LEDE Project

  • Status Unconfirmed
  • Percent Complete
    0%
  • Task Type Bug Report
  • Category Base system
  • Assigned To No-one
  • Operating System All
  • Severity Low
  • Priority Very Low
  • Reported Version Trunk
  • Due in Version Undecided
  • Due Date Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by Nikolay Amiantov - 15.01.2017

FS#389 - odhcpd relay mode is blocked by firewall by default

odhcpd currently won’t work when put in relay mode if followed the manual naively. Turns out this is because firewall blocks incoming traffic to DHCPv6 server (port 547) from external DHCPv6 servers (port 547) from WAN zone by default. It may be a good idea to allow this out of the box, though I’m unsure if there are any security complications from this – I’m a newcomer to IPv6. Replies come with the source global IPv6 address of DHCPv6 server to the global IPv6 address of the router, so it’s difficult to make a more constrained rule without hardcoding them or at least the prefix.

Example rule which fixes relay mode:

config rule
	option enabled '1'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '547'
	option name 'Allow DHCPv6 Relay'
	option family 'ipv6'
	option src_port '547'

LEDE revision: 3e7b894ac08b56343e6e449a38fdb2be7b02a127

Eric Luehrsen commented on 16.01.2017 02:22

It is common for DHCPv4 firewall rules to be "udp 67-68 allow input", or that is whatever its just DHCP. Perhaps DHCPv6 / RA is the same. However as a consideration, it is highly recommended that ISP all provide DHCP-PD /64 (option /60 for even residential). WAN RA relay would not be the most common tool.

Dave Täht commented on 24.01.2017 21:23

The potential security/routing complication is that you may end up with devices acquiring prefixes your firewall doesn't know about, and will end up blocking.

as for port 547 to 547, that's "how it's done" here.

Relay, on the other hand can help if have already within your network that needs addresses, and trying to get dhcp that way... but in that case I usually disable the firewall and rely on the main box to have all the prefixes available I can use.

I will fiddle with this, however, in the first case. what would have to happen is the relay agent would have to also punch a hole in the firewall along the way. Even assuming your provider will allow multiple prefixes to be assigned.

Loading...

Available keyboard shortcuts

Tasklist

Task Details

Task Editing