
fl4co

Posts posted by fl4co

  1. 1 hour ago, vst said:

    We will check this situation. Is there anything in the logs?

    I have found this log (screenshot of the log, not reproduced here).

    However, I believe that delegating ULA prefixes can be useful in a local environment with multiple routers. Also, I believe the ULA address space is fc00::/7, so fd00::/8 is not the entirety of the address space.

    Even if you wanted to block any non globally routable prefix, I can delegate prefixes outside of 2000::/3 as I showed on the first post.

    By the way, I hope you decide not to block the ULA address space.

  2. Version tested: latest stable (4.0.5)

    If I delegate a ULA address from a DHCPv6 server to the Keenetic, the server will confirm that the Keenetic requested the ULA prefix and that it is bound (screenshot not reproduced here).

    However, the prefix is not found on the Keenetic and cannot be used (screenshot not reproduced here).

    Instead, if I try to add a non-ULA prefix, even a non-routable one, the Keenetic correctly acquires it and subnets from it can be advertised on the local segments (screenshots not reproduced here).

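As an added example (my code, not from the thread or from Keenetic), the fc00::/7 versus fd00::/8 point from the two posts above made concrete: a prefix classifier per RFC 4291/4193 plus three hypothetical router policies, showing that a filter written only for fd00::/8 misses the other half of ULA space, and that rejecting ULA alone still admits unassigned prefixes outside 2000::/3. The sample prefixes are constructed.

```python
import ipaddress

# Address blocks from RFC 4291 (global unicast, link-local) and RFC 4193 (ULA).
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
ULA = ipaddress.ip_network("fc00::/7")                   # whole ULA space (L=0 and L=1)
ULA_LOCALLY_ASSIGNED = ipaddress.ip_network("fd00::/8")  # only the L=1 half
LINK_LOCAL = ipaddress.ip_network("fe80::/10")

def classify_prefix(prefix):
    """Name the block a delegated prefix belongs to ('other' = not assigned for unicast use)."""
    net = ipaddress.ip_network(prefix, strict=False)
    for name, block in (("global", GLOBAL_UNICAST), ("ula", ULA), ("link-local", LINK_LOCAL)):
        if net.subnet_of(block):
            return name
    return "other"

def delegation_accepted(prefix, policy):
    """Apply one of three hypothetical router policies to a delegated prefix.
    'block-fd00'  : reject only fd00::/8 (a filter written for the common ULA half)
    'block-ula'   : reject all of fc00::/7
    'global-only' : accept only prefixes inside 2000::/3"""
    net = ipaddress.ip_network(prefix, strict=False)
    if policy == "block-fd00":
        return not net.subnet_of(ULA_LOCALLY_ASSIGNED)
    if policy == "block-ula":
        return not net.subnet_of(ULA)
    if policy == "global-only":
        return net.subnet_of(GLOBAL_UNICAST)
    raise ValueError(policy)

# Constructed delegations: a documentation-range global /56, one ULA /48 in each
# half of fc00::/7, and an unassigned prefix that is neither ULA nor routable.
SAMPLES = ["2001:db8:abcd::/56", "fd12:3456:789a::/48", "fc00:1::/48", "dead:beef::/48"]

def audit(prefixes=SAMPLES):
    """Return {prefix: (class, (accepted by block-fd00, block-ula, global-only))}."""
    policies = ("block-fd00", "block-ula", "global-only")
    return {p: (classify_prefix(p), tuple(delegation_accepted(p, pol) for pol in policies))
            for p in prefixes}
```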
  3. 14 hours ago, Ahmed Ensar said:

    Google Translate:

    With the alpha 2 update, the ipv6 route came back, but ipv6 was not like this before, I think there is a problem with the settings. Websites load slowly. and my ipv6 address is different on sites.


    The /128 routes you see on the Web GUI are addresses assigned to the router's network interfaces, while the address you see on the ipv6 test website is your computer's. So it's normal they are different.

    But I have two fe80::/10 routes too, one is "proto: kernel" and the other is "proto:boot". I don't know if it's intended that both get added and displayed.

  4. I have similar problems: at first I couldn't get a prefix via DHCPv6-PD from my provider (via PPPoE); then I got the prefix, but the routes are strange and there is no default gateway, so no IPv6 connectivity (screenshot not reproduced here).

    Also, the logs are full of these errors (screenshot not reproduced here).

    Edit: regarding the last problem, it looks like the new cli command is now "show ipv6 route" and not "routes", so maybe that's the cause.

  5. Today I was looking around and found that the standard radvd daemon is used for sending router advertisements in the LAN. It is launched with the configuration file located at /var/run/radvd.conf (which is a symlink to /tmp/run). This means that the configuration file is generated at runtime and can't be edited by the user 🥲

    This is the content of the file (one entry for each subnet, IP addresses redacted):

    /tmp/run # cat radvd.conf 
    interface br0 {
            AdvSendAdvert on;
            AdvOtherConfigFlag on;
            AdvManagedFlag off;
            prefix 2a00:xxxx:xxxx::/64 {
                    AdvOnLink on;
                    DeprecatePrefix on;
                    AdvAutonomous on;
                    DecrementLifetimes on;
                    AdvPreferredLifetime 716;
                    AdvValidLifetime 716;
            };
            RDNSS fe80::xxxx:xxxx:xxxx:xxxx { };
    };

    The DNS server is advertised with the RDNSS option, so hopefully a CLI command can be added to have the user set the preferred DNS server 👍
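A small parser for that runtime-generated file, as an added example (my code, not Keenetic's or radvd's), so the RA settings the router chose can be read out and audited from a copy of /var/run/radvd.conf: the M/O flags, each advertised prefix with its lifetimes, and the RDNSS servers. The embedded sample is constructed in the shape of the file above, with documentation addresses in place of the redacted ones.

```python
import re
# Constructed sample in the shape of the file shown above; real addresses replaced.
SAMPLE_RADVD_CONF = """
interface br0 {
        AdvOtherConfigFlag on;
        AdvManagedFlag off;
        prefix 2001:db8:1::/64 {
                AdvPreferredLifetime 716;
                AdvValidLifetime 716;
        };
        RDNSS fe80::1 { };
};
"""
_TOKEN = re.compile(r"[{};]|[^\s{};]+")

def _parse(tokens, pos=0):
    # Statements are 'words ;' or 'words { ... } ;' -> list of (words, body).
    stmts, words = [], []
    while pos < len(tokens):
        tok, pos = tokens[pos], pos + 1
        if tok == "}":  # also swallow the ';' that closes a block
            return stmts, pos + 1 if tokens[pos:pos + 1] == [";"] else pos
        if tok == "{":
            body, pos = _parse(tokens, pos)
        if tok in ("{", ";"):
            stmts.append((words, body if tok == "{" else None))
            words = []
        else:
            words.append(tok)
    return stmts, pos

def parse_radvd(text):
    """Per interface: flag values, prefixes with lifetimes, RDNSS servers."""
    ifaces = {}
    for words, body in _parse(_TOKEN.findall(text))[0]:
        if words[0] != "interface" or body is None:
            continue
        info = {"flags": {}, "prefixes": [], "rdnss": []}
        for w, inner in body:
            if inner is None:
                info["flags"][w[0]] = w[1]
            elif w[0] == "prefix":
                opts = dict(x for x, b in inner if b is None)
                info["prefixes"].append({"prefix": w[1],
                    "preferred": int(opts.get("AdvPreferredLifetime", 0)),
                    "valid": int(opts.get("AdvValidLifetime", 0))})
            elif w[0] == "RDNSS":
                info["rdnss"] += w[1:]
        ifaces[words[1]] = info
    return ifaces
```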

  6. 34 minutes ago, vst said:

    Yes, ICMPv6 ping forwarding rules were deleted.

    Isn't ICMPv6 necessary for IPv6 to work correctly?


    34 minutes ago, vst said:

    We have implemented DHCPv6 prefix delegation since NDMS 4.x.

    Oh wow, prefix delegation would be excellent! However, I can't seem to be able to use it in 3.9 Beta 1; when will it be publicly available?

  7. My ISP delegates a /56 IPv6 prefix, which is assigned to my Keenetic gateway and everything works fine.

    I'd like to statically add a /64 subnet to another router connected to my LAN (or to some VMs behind a supervisor). I can easily achieve this configuration with a static route on the Keenetic.

    However, I noticed that if the IPv6 firewall is enabled no communication is possible from the Internet. If the firewall is disabled, everything works, but I don't want to completely disable the firewall. Is there any way to allow traffic to a specific subnet?

    Also, I'm running version 3.9 Beta 1 and I noticed that with the IPv6 firewall enabled hosts on the LAN do not reply to ICMPv6 echo requests (and possibly to ICMPv6 altogether), while the router still answers to pings to the IPv6 address on the Bridge0 interface. Is this an intended change? I'm pretty sure that ICMPv6 used to not be filtered by the firewall.

  8. I'm trying to set up an IPv6 address as my DoT resolver, as I read it should now be supported by version 3.9.

    I can't do it in the web GUI (the IPv6 address is not accepted), and in the CLI I can add it with "dns-proxy tls upstream <IP address>" but then it doesn't seem to work (web sites will just timeout).

    I'm using a Skipper.

  9. Hi,

    I'm in the process of learning how to use the API and I succeeded in retrieving information from the router and in changing settings.

    However, I can't find a way to delete a setting and revert it to default. For example, I'm able to set a connection policy for a client, passing a "mac" and "policy" parameter with a POST method, but I don't know how to delete this setting. I tried with a DELETE method but I always receive an error.

    In short, I'd like to know the HTTP request for "no ip hotspot host <mac> policy".

  10. My ISP assigns an IPv6 prefix via PPPoE. However, they do not send a Router Advertisement packet. I don't know if it's a technical limitation of IPv6 via PPPoE or a choice by the ISP.

    The result is that the Keenetic router gains the delegated prefix, but no IPv6 default gateway is set, and with no default gateway IPv6 addresses are not distributed on the LAN via SLAAC or DHCPv6.

    Back in May 2021 I discussed this issue with Keenetic Support, and at last they suggested to run the command

    interface PPPoE0 ipv6 force-default

    After applying this command the PPPoE interface is set as IPv6 default gateway and all devices start getting IPv6 addresses.

    So, currently a CLI command is required in order to have a functional IPv6 setup.

    I'd like to request that Keenetic implements one of the two following solutions:

    1. Add a "Do not wait for RA" option, like pfSense does. This way the Keenetic router will not wait endlessly for an RA packet that will never arrive, and will set up the default gateway autonomously.
    2. Automatically set the default gateway as the PPPoE interface, or use the link-local address of the ISP router as gateway. This is what OpenWrt does, as I tested it on network contract.

    I don't know if every ISP does not send RA packets via PPPoE, but I know of at least two ISPs in my country with this "problem". As of today checking the "Use IPv6" box in the PPPoE section of the Keenetic router does not result in a functional IPv6 setup, because an additional CLI command is required.

  11. Hello, are there any news on the MAP-T implementation? Since mid December Sky Italia officially switched to MAP-T, especially for new customers. Old customers are in MAP 1:16, MAP 1:1 if port forwarding is detected and in dual stack in some rare cases (but bound to switch to MAP-T in January).

    Sky Italia seems to be one of the fastest growing ISPs in Italy, and there's currently no alternative to their CPE besides customized OpenWrt, which is not feasible for non-technical users. It would be nice to have Keenetic as an option.

  12. 4 hours ago, Le ecureuil said:

    It's possible and works as expected. You need two rules: one per device mac.

    It works, thank you! I thought you could only add one rule per port.

    By the way, I'd argue that this system with MAC addresses is not simpler than using the IP addresses, and you are using the CLI anyway... Also you are allowing connections to every IP address on that interface.

    Anyway it works for what I want to do at the moment 🙂

  13. 14 minutes ago, Le ecureuil said:

    Input interface is set here as incoming direction for applying rules, no address from this interface will be used.
    Suppose you have ISP with addr 2::100, ISP2 with addr 3::100 and host in LAN with addrs 2::1 and 3::2.
    so after cmd
    ipv6 static tcpudp ISP <mac> 80
    you will be able to get access from the internet to [2::1]:80 when connection comes from ISP. When connection comes from ISP2 it will be rejected, the separate rule is needed to allow traffic from ISP2. Just notice, that ISP and its address 2::100 is never used.

    Ok, that's what I thought, but I want to access host 1 to [2::1]:80 and host 2 to [3::2]:80 behind the same ISP. Am I right that this is currently not possible?

  14. 5 minutes ago, Le ecureuil said:

    Yes, you can. 'ipv6 static' doesn't perform any type of NAT/PAT, it is just about opening ports. So if your PC1 has addrs 2::1 and 3::1, and PC2 has addrs 2::2 and 3::2, you can host different services on PC1 on addresses 2::1 and 3::1, and access from Internet to [2::1]:80 and to [3::1]:80 will not be mixed, but delivered properly. Moreover, you can host another two services on PC2 on 2::2 and 3::2, and access to [2::2]:80 and [3::2]:80 will not be interleaved or confused with access to [2::1]:80 or [3::1]:80. All four {ip,port} combinations will be available from Internet directly without NAT or port forward.

    How do I do this? I'm looking at the manual and it seems to me I can set an input interface, not an address (screenshot of the manual not reproduced here).

  15. 29 minutes ago, Le ecureuil said:

    Did you try to connect to all IPv6 addresses on host from Internet? As far as I know port is forwarded for all addresses, so multiple connections are well supported.

    Yes, I tried and it works, but:

    • If I have 1 device with 2 IP addresses, I can't host different services on different addresses but same port;
    • Even worse, I can't host 2 services on 2 different addresses on DIFFERENT hosts. For example, if I wanted to host 2 web servers on 2 different computers, on port 80, I couldn't because the router will forward every connection on port 80 to a single MAC address. So I'm forced to host web servers on one host for the entire network. This is just an example but applies to every kind of service, for example an IP cam.
  16. 15 minutes ago, Le ecureuil said:

    Any recognised IPv6 address on device will be forwarded, that's the reason to use MAC in command instead of explicit IPv6 address. By the way, IPv6 privacy extensions can be enabled on device, so effective IPv6 address will be changed every 3/6/12 hours by random. Router tracks current set of available IPv6 addresses for every host and update translation table automatically.

    Forward will be performed at L3, so there is no reason to worry about possible L2 leaks.

    I'm aware of the privacy extensions but I think anyone hosting a service will set a static address; there's no shortage of that in IPv6 anyway 😃

    7 minutes ago, admin said:

    This is overcomplicated for an ordinary home user. We are for an "automatic" user-friendly approach.

    I can see that, but why not allow this kind of configuration at least on the CLI? It's already available for IPv4 with the "access-list" commands, where one can input IP addresses. One of the main points of IPv6 is having multiple public IP addresses. Currently on Keenetic routers it's not possible to accept multiple connections on the same port for different IPv6 addresses.

  17. I have full IPv6 connectivity from my ISP. I also have the

    ipv6 firewall

    command enabled as default, because otherwise my whole network would be exposed.

    I'm trying to allow connections to some of the IPv6 addresses. For example, let's say I want to host a web server on one of my devices. As I understand, at the moment I have to use the command:

    ipv6 static tcp <WAN interface> <device MAC> 80

    This way, I can reach my web server from outside on its IPv6 address because I think that every TCP connection on port 80 on my prefix will be forwarded to the device, but at layer 2 level.

    But what if the device has two IPv6 addresses?

    Or, what if I want to host two web servers on the different devices? How can I allow connections to port 80 for two IPv6 addresses?

    Why isn't an IP-based firewall available for IPv6, like for IPv4?

  18. Hello.

    I created an IKEv2 connection to a VPN service on my Keenetic router. I created a new connection policy and selected the VPN connection as the only connection for that policy.

    When I assign clients to the VPN policy, their IPv4 traffic is correctly routed via the VPN service. However, the IPv6 traffic keeps going through the main ISP, thus leaking my real IPv6 addresses. The only way to stop this is to disable IPv6 on every client when I assign them to the VPN policy, but this is annoying because I frequently move clients to and from the VPN policy.

    I guess maybe it's difficult to block the IPv6 traffic because SLAAC is stateless and the Keenetic router doesn't know which device has an IPv6 address, but maybe it's possible to track the MAC addresses?

  19. 54 minutes ago, Le ecureuil said:

    Interesting idea, but we need example set of settings.

    In their configuration page they just say this:

    • IPoE IPv4/IPv6 protocol
    • NAT: MAP-T Mapping of Address and Port, Translation mode (RFC7599)

    I will post more information when they make the switch or if they release new information.
