How to prevent LAN devices from obtaining IPv6 addresses?

As @KMO said, john9527's fork may have some differences in DHCPv6 settings. Can we disable DHCPv6 on 386_4 via SSH?
You could certainly kill the daemon, sure.

But I don't think you really need to do this. Just turning off the router advertisements via the GUI should be enough for most devices.

IPv6 devices normally shouldn't try to locate a DHCPv6 server unless they see a router advertisement telling them to. (Although conceivably some could).

I think the "disable DHCPv6 server" option is more intended for a split setup where you do want to use DHCPv6, so the router says "stateful" in its adverts, but another box is acting as the server.
 
You could certainly kill the daemon, sure.
I don't know how DHCPv6 is implemented in asuswrt. I guess they are also based on dnsmasq. If this is correct, then obviously I can't kill it.

But I don't think you really need to do this. Just turning off the router advertisements via the GUI should be enough for most devices.

IPv6 devices normally shouldn't try to locate a DHCPv6 server unless they see a router advertisement telling them to. (Although conceivably some could).

I think the "disable DHCPv6 server" option is more intended for a split setup where you do want to use DHCPv6, so the router says "stateful" in its adverts, but another box is acting as the server.
Thank you, I will try to disable advertisement in the GUI next, and see if the client will automatically get an IPv6 address.


Edit:
Unfortunately, the client will still get a public IPv6 address after advertising is disabled, because there is only one client on the network, I guess this is due to DHCPv6.
 
don't know how DHCPv6 is implemented in asuswrt. I guess they are also based on dnsmasq.
Back on the LTS fork there is a separate dhcp6s process. I don't know what the current code is doing.

Unfortunately, the client will still get a public IPv6 address after advertising is disabled, because there is only one client on the network, I guess this is due to DHCPv6.
I'm not quite following what you're saying there.

Are you seeing a device on your network with a 2601:xxxx:xxxx:xxxx::1xxx address from your DHCPv6 pool?
 
Yes, this is exactly what I see on my LAN device.
Hmm, I wonder if the router advertisements have really stopped. I'd run Wireshark or something to check IPv6 traffic on the LAN.

It's possible the device has decided to try DHCPv6 anyway - maybe because it isn't hearing router advertisements. I hoped most devices wouldn't do this, but they're certainly allowed to.

Code:
18.  DHCP Configuration Exchanges

   A client initiates a message exchange with a server or servers to
   acquire or update configuration information of interest.  A client
   has many reasons to initiate the configuration exchange.  Some of the
   more common ones are:

   1.  as part of the operating system configuration/bootstrap process,

   2.  when requested to do so by the application layer (through an
       operating-system-specific API),

   3.  when a Router Advertisement indicates that DHCPv6 is available
       for address configuration (see Section 4.2 of [RFC4861]),

   4.  as required to extend the lifetime of address(es) and/or
       delegated prefix(es), using Renew and Rebind messages, or

   5.  upon the receipt of a Reconfigure message, when requested to do
       so by a server.

Is there really no toggle option to enable/disable the DHCPv6 server on Merlin's version? Is it maybe on a general DHCP page, rather than the IPv6 one? If that's now using dnsmasq for both DHCPv4 and DHCPv6, maybe the controls are together now.

I can see that there is an nvram variable ipv6_dhcp6s_enable referenced in the code but not 100% sure what it's doing. I can see some DHCPv6 logic is activated if either in stateful mode, or that nvram variable is 1.

You could put something at /jffs/configs/dnsmasq.conf.add and it would be appended to the dnsmasq config file. Not sure if there's something you can append to disable something already enabled.
 
Back on the LTS fork there is a separate dhcp6s process. I don't know what the current code is doing.
My LTS fork uses a different IPv6 stack. I remember at some point a lot of IPv6 was moved to dnsmasq.....my fork retained a combo of dhcp6s/dhcp6c and radvd.
 
Hmm, I wonder if the router advertisements have really stopped. I'd run Wireshark or something to check IPv6 traffic on the LAN.
Good idea, I will try it this week.

It's possible the device has decided to try DHCPv6 anyway - maybe because it isn't hearing router advertisements. I hoped most devices wouldn't do this, but they're certainly allowed to.

Code:
18.  DHCP Configuration Exchanges

   A client initiates a message exchange with a server or servers to
   acquire or update configuration information of interest.  A client
   has many reasons to initiate the configuration exchange.  Some of the
   more common ones are:

   1.  as part of the operating system configuration/bootstrap process,

   2.  when requested to do so by the application layer (through an
       operating-system-specific API),

   3.  when a Router Advertisement indicates that DHCPv6 is available
       for address configuration (see Section 4.2 of [RFC4861]),

   4.  as required to extend the lifetime of address(es) and/or
       delegated prefix(es), using Renew and Rebind messages, or

   5.  upon the receipt of a Reconfigure message, when requested to do
       so by a server.


I can see that there is an nvram variable ipv6_dhcp6s_enable referenced in the code but not 100% sure what it's doing. I can see some DHCPv6 logic is activated if either in stateful mode, or that nvram variable is 1.

You could put something at /jffs/configs/dnsmasq.conf.add and it would be appended to the dnsmasq config file. Not sure if there's something you can append to disable something already enabled.


Yes, they may have moved to dnsmasq, and I need to try to configure dnsmasq to see if DHCPv6 server can be disabled.

I must keep dnsmasq because I need it to run a DHCP server for my IPv4 LAN.

Is there really no toggle option to enable/disable the DHCPv6 server on Merlin's version? Is it maybe on a general DHCP page, rather than the IPv6 one? If that's now using dnsmasq for both DHCPv4 and DHCPv6, maybe the controls are together now.

I did not see it on the DHCP page. I don’t know if @RMerlin has any suggestions on how to disable DHCPv6?


Edit:
I found some other variables in nvram, maybe disabling them will work?
Code:
ipv61_dhcp6c_release=1
ipv6_dhcp6c_release=1
ipv6_dhcp6s_enable=1
 
Hello @KMO, thank you very much for your continued help. Sorry this is a late reply, because I cannot adjust the settings of my router during the holidays (if there is no WiFi, they will kill me).

I upgraded to 386.4 yesterday, and then took the opportunity to test IPv6. After I disabled router advertisement, I noticed that my PC can still get a public IPv6 address, just like last time. But the IPv6 client in the router GUI did not report that any IPv6 was assigned to the LAN device. So I tried to open an IPv6-only website, like "ipv6.google.com". Unfortunately, it did not work. I tried to ping some IPv6 addresses and nothing was returned. I think disabling router advertisement does prohibit LAN devices from using IPv6 to a certain extent, but it does not stop LAN devices from obtaining IPv6 addresses. I tried to modify the IPv6 settings I found in nvram, but they had no effect. The PC can still get an IPv6 address.
 
Just switched over to using my new RT-AX88U, and giving it 386.4 myself, so I'm now on a similar page to you, at least.

If router advertisements are disabled, then regardless of how your devices are getting addresses, they won't know where a router is, so won't know what to use as the first hop for IPv6 traffic.

You would need to statically configure the router address. Although I would expect a local "no route to host" error, rather than no response.
 
Just switched over to using my new RT-AX88U, and giving it 386.4 myself, so I'm now on a similar page to you, at least.
Is it a new year gift? Congratulations ;)

If router advertisements are disabled, then regardless of how your devices are getting addresses, they won't know where a router is, so won't know what to use as the first hop for IPv6 traffic.

You would need to statically configure the router address.
It looks like I don't need to worry about it, IPv6 won't work. That's great!

Although I would expect a local "no route to host" error, rather than no response.
Actually, I am not sure what exactly was returned; I switched to IPv4 only after the test was completed.


Thank you again for your help, now I am ready to enable IPv6 for my router! Of course, there are still some things that need to be tested, such as DDNS and OpenVPN server, but I am looking forward to completing my IPv6 settings this month!
 
It looks like I don't need to worry about it, IPv6 won't work. That's great!

Well, it's great as long as they're not wasting time trying to make IPv6 work. A situation where a device thinks it has a valid IPv6 address, but can't actually route packets is potentially the worst one, as it might delay successful IPv4 traffic.

Generally stuff like web browsers will try both IPv4 and IPv6 simultaneously until they're confident one is working, but not everything is that clever.
 
Well, it's great as long as they're not wasting time trying to make IPv6 work. A situation where a device thinks it has a valid IPv6 address, but can't actually route packets is potentially the worst one, as it might delay successful IPv4 traffic.

Generally stuff like web browsers will try both IPv4 and IPv6 simultaneously until they're confident one is working, but not everything is that clever.
You are right, this is indeed a potential problem. It seems that I still need to find a way to disable DHCPv6.

Code:
# dnsmasq -v
Dnsmasq version 2.86  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-RTC no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-auth cryptohash DNSSEC no-ID loop-detect no-inotify no-dumpfile
It seems that dnsmasq is acting as a DHCPv6 server. I need to check the lengthy help document later to see if I can disable DHCPv6 by configuring dnsmasq.
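
Added example, not part of the original thread: a small Python decoder for the ICMPv6 Router Advertisement fields this discussion turns on (the M "stateful" flag that tells clients to use DHCPv6, the router lifetime that gives them a default route, and SLAAC prefixes), for checking an RA captured on the LAN. The sample packet bytes, the 2001:db8:: prefix and the function names are constructed for illustration.

```python
import ipaddress
import struct

def parse_ra(icmp6: bytes) -> dict:
    """Decode the ICMPv6 payload of a Router Advertisement (RFC 4861, type 134)."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not a Router Advertisement")
    flags = icmp6[5]
    (router_lifetime,) = struct.unpack_from("!H", icmp6, 6)
    ra = {
        "managed": bool(flags & 0x80),          # M flag: get addresses via DHCPv6
        "other": bool(flags & 0x40),            # O flag: get other config via DHCPv6
        "default_router": router_lifetime > 0,  # 0 means "do not use me as a gateway"
        "slaac_prefixes": [],
    }
    pos = 16
    while pos + 2 <= len(icmp6):                # walk the type/length/value options
        opt_type, opt_len = icmp6[pos], icmp6[pos + 1] * 8
        if opt_len == 0 or pos + opt_len > len(icmp6):
            raise ValueError("malformed RA option")
        if opt_type == 3 and opt_len == 32:     # Prefix Information option
            prefix_len, prefix_flags = icmp6[pos + 2], icmp6[pos + 3]
            prefix = ipaddress.IPv6Address(icmp6[pos + 16:pos + 32])
            if prefix_flags & 0x40:             # A flag: clients may self-assign (SLAAC)
                ra["slaac_prefixes"].append(f"{prefix}/{prefix_len}")
        pos += opt_len
    return ra

def client_outlook(ra):
    """Summarise what a LAN client learns; pass None when no RA was captured."""
    if ra is None:
        # No RA: a client may still try DHCPv6 on its own, but has no IPv6 gateway.
        return {"slaac": False, "dhcpv6_prompted": False, "default_route": False}
    return {"slaac": bool(ra["slaac_prefixes"]),
            "dhcpv6_prompted": ra["managed"],
            "default_route": ra["default_router"]}

# Constructed sample: M flag set, lifetime 1800 s, one /64 with L and A flags.
# The checksum is left at 0 because this decoder does not verify it.
SAMPLE_RA = (
    struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x80, 1800, 0, 0)
    + struct.pack("!BBBBII4x", 3, 4, 64, 0xC0, 86400, 14400)
    + ipaddress.IPv6Address("2001:db8:1:2::").packed
)

if __name__ == "__main__":
    print(client_outlook(parse_ra(SAMPLE_RA)))
    print(client_outlook(None))
```

Feed it the ICMPv6 payload bytes of a captured packet (everything after the IPv6 header); an empty capture corresponds to the `None` case.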
 