
FS#389 - odhcpd relay mode is blocked by firewall by default #5423

openwrt-bot opened this issue Jan 15, 2017 · 0 comments


abbradar:

odhcpd currently won't work when put in relay mode (https://wiki.openwrt.org/doc/uci/network6#router_advertisement_dhcpv6) if one follows the manual naively. It turns out this is because the firewall blocks incoming traffic to the DHCPv6 server (port 547) from external DHCPv6 servers (port 547) in the WAN zone by default. It may be a good idea to allow this out of the box, though I'm unsure if there are any security complications from this; I'm a newcomer to IPv6. Replies come from the global IPv6 address of the DHCPv6 server to the global IPv6 address of the router, so it's difficult to make a more constrained rule without hardcoding them or at least the prefix.

Example rule which fixes relay mode:

config rule
	option enabled '1'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '547'
	option name 'Allow DHCPv6 Relay'
	option family 'ipv6'
	option src_port '547'

LEDE revision: 3e7b894
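Added example (not from the issue, and not OpenWrt's own firewall code): a small simulator of how a `config rule` stanza like the one above matches the relay reply traffic, comparing the broad port-547-to-547 rule with a variant pinned to the ISP server's prefix via `src_ip` and to the router's own global address via `dest_ip`. The zones, prefixes and addresses (2001:db8:ffff::/48 as the ISP's server range, 2001:db8:1::1 as the router's WAN address) are constructed for the demo; real firewall3 matching has more options than modelled here.

```python
"""Simulate OpenWrt 'config rule' matching for DHCPv6 relay replies (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# OpenWrt defaults for the INPUT chain: wan rejects, lan accepts (assumption: stock config).
ZONE_INPUT_POLICY = {"wan": "REJECT", "lan": "ACCEPT"}


@dataclass
class Packet:
    zone: str       # firewall zone the packet arrived from
    proto: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

    @property
    def family(self) -> str:
        return "ipv6" if ipaddress.ip_address(self.src_ip).version == 6 else "ipv4"


@dataclass
class Rule:
    """Subset of the UCI firewall rule options relevant to the relay case."""
    name: str
    src: str                        # option src (zone)
    proto: str = "udp"
    family: str = "ipv6"
    dest_port: Optional[int] = None
    src_port: Optional[int] = None
    src_ip: Optional[str] = None    # option src_ip: address or prefix
    dest_ip: Optional[str] = None   # option dest_ip: address or prefix
    target: str = "ACCEPT"

    def to_uci(self) -> str:
        """Render the rule as an /etc/config/firewall stanza."""
        lines = ["config rule"]
        for key in ("name", "src", "proto", "family", "dest_port",
                    "src_port", "src_ip", "dest_ip", "target"):
            val = getattr(self, key)
            if val is not None:
                lines.append(f"\toption {key} '{val}'")
        return "\n".join(lines)

    def matches(self, pkt: Packet) -> bool:
        if self.src != pkt.zone or self.proto != pkt.proto or self.family != pkt.family:
            return False
        if self.dest_port is not None and pkt.dst_port != self.dest_port:
            return False
        if self.src_port is not None and pkt.src_port != self.src_port:
            return False
        if self.src_ip is not None and ipaddress.ip_address(pkt.src_ip) not in \
                ipaddress.ip_network(self.src_ip, strict=False):
            return False
        if self.dest_ip is not None and ipaddress.ip_address(pkt.dst_ip) not in \
                ipaddress.ip_network(self.dest_ip, strict=False):
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; otherwise the zone's INPUT policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return ZONE_INPUT_POLICY[pkt.zone]


# The rule from the issue: any WAN host, UDP 547 -> 547.
BROAD = Rule("Allow-DHCPv6-Relay", src="wan", dest_port=547, src_port=547)
# Tightened variant: only the ISP server prefix, only to the router's own global address.
PINNED = Rule("Allow-DHCPv6-Relay-Pinned", src="wan", dest_port=547, src_port=547,
              src_ip="2001:db8:ffff::/48", dest_ip="2001:db8:1::1")

# Constructed sample traffic arriving on the WAN zone.
REPLY = Packet("wan", "udp", "2001:db8:ffff::1", "2001:db8:1::1", 547, 547)   # ISP server reply
ROGUE = Packet("wan", "udp", "2001:db8:bad::7", "2001:db8:1::1", 547, 547)    # random host, same ports
SOLICIT = Packet("wan", "udp", "2001:db8:bad::7", "2001:db8:1::1", 546, 547)  # a client, not a server

if __name__ == "__main__":
    for label, rules in (("default", []), ("broad", [BROAD]), ("pinned", [PINNED])):
        print(label, {n: evaluate(rules, p) for n, p in
                      (("reply", REPLY), ("rogue", ROGUE), ("solicit", SOLICIT))})
    print(PINNED.to_uci())
```

Running it shows the point made in the report: with no rule the server's reply is rejected, the broad rule lets any WAN host reach port 547 as long as it sends from port 547 (client-style traffic from port 546 is still rejected), and the pinned rule accepts only the ISP range, at the cost of hardcoding that range and the router's address.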


EricLuehrsen:

It is common for DHCPv4 firewall rules to be "udp 67-68 allow input", or whatever it is; it's just DHCP. Perhaps DHCPv6 / RA is the same. However, as a consideration, it is highly recommended that all ISPs provide DHCP-PD /64 (optionally /60, even for residential). WAN RA relay would not be the most common tool.


dtaht:

The potential security/routing complication is that you may end up with devices acquiring prefixes your firewall doesn't know about, and will end up blocking.

as for port 547 to 547, that's "how it's done" here.

Relay, on the other hand, can help if you already have something within your network that needs addresses and are trying to get DHCP that way... but in that case I usually disable the firewall and rely on the main box to have all the prefixes available I can use.

I will fiddle with this, however, in the first case. What would have to happen is that the relay agent would also have to punch a hole in the firewall along the way, even assuming your provider will allow multiple prefixes to be assigned.
