How do I deploy IPv6 within a LAN using a Debian based router and prefix delegation?


Solution 1

You didn't say who your ISP was, but the following works on Comcast in areas where they have rolled out IPv6.

I had to use wide-dhcpv6-client since none of the other DHCPv6 clients could handle all of getting an address for the ISP-facing interface, prefix delegation, and Comcast's maximum /60 network mask at the same time.

After installing wide-dhcpv6-client, edit /etc/network/interfaces so your eth1 IPv6 settings look like this:

iface eth1 inet6 auto
        post-up sysctl -w net.ipv6.conf.eth1.accept_ra=2

Edit /etc/wide-dhcpv6/dhcp6c.conf so it looks like this:

profile default
{
  information-only;

  request domain-name-servers;
  request domain-name;

  script "/etc/wide-dhcpv6/dhcp6c-script";
};

interface eth1 {
    send rapid-commit;

    send ia-na 0;
    send ia-pd 0;
};

id-assoc na 0 {

};

id-assoc pd 0 {
    prefix ::/60 infinity;

    # Internal interface (LAN)
    prefix-interface eth0 {
        sla-len 4;
        sla-id 0;
        ifid 1;
    };
};

The "na" section gets an IPv6 address for eth1 (facing your ISP). The "pd" section gets a prefix delegation for your internal network and will assign the IPv6 address "[prefix]::1" to eth0 (your internal interface). If you have additional internal networks, you can add additional "prefix-interface" sections for those interfaces and increment the "sla-id" for each one.

Then you need a router advertisement daemon on the system for your internal network. You can use either radvd or dnsmasq.

If you are using dnsmasq, the necessary additions to /etc/dnsmasq.conf for IPv6 are

# Enable IPv6 Router Advertisement (RA) features.
enable-ra

# Advertise delegated prefix based on the IPv6 address of eth0.
dhcp-range=::1,constructor:eth0,ra-stateless,ra-names,4h

You'll need to install the dnsmasq from Debian testing since the version that ships with Debian wheezy does not do router advertisements properly.

Then ifdown and ifup your external interface, make sure dhcp6c is running, and see if both your external and internal interface have IPv6 addresses other than the link-local ones (the "fe80::..." addresses). If all of that worked, restart dnsmasq, and the systems on your LAN should start automatically configuring IPv6 addresses for themselves.

Solution 2

If you're willing to replace Debian with OpenWRT, then everything is set up automatically: recent versions of OpenWRT will ask for a DHCPv6 prefix delegation on the WAN interface, carve it into /64 bits, and use them for their LAN interfaces using RA and DHCPv6. No configuration is needed; all of this is set up out of the box.

If you have multiple routers in your network, you might want to experiment with having them set up automatically using the Homenet protocol suite. Homenet is implemented for OpenWRT using hnetd, and for Linux using shncpd. (Integrating shncpd into Debian is an ongoing work, we could use your help.)

Author: Oliver M.
Updated on September 18, 2022

Comments

  • Oliver M.
    Oliver M. over 1 year

    My ISP started using DHCPv6, which means with this /etc/network/interfaces...

    auto lo eth0 eth1
    
    iface lo inet loopback
    
    allow-hotplug eth0
    iface eth0 inet static
        address 192.168.0.1
        netmask 255.255.255.0
    
    allow-hotplug eth1
    iface eth1 inet dhcp
    iface eth1 inet6 dhcp
    

    ... my Debian Wheezy router finally gets an IPv6 address assigned (yay!).

    But what do I need to do next in order to get my router to assign IPv6 addresses to all the workstations within the LAN?

    With IPv4 all I had to do was to enable the DHCP client on the WAN interface, assign static IPv4 addresses to the router and the workstations and finally set up NAT (I used iptables -t nat -a POSTROUTING -s 192.168.0.0/32 ! -d 192.168.0.0/32 -j MASQUERADE for that).

    With IPv6 there is no NAT. I've looked into radvd and isc-dhcp-server, but both seem to require a prefix set in their configuration files (i.e. a prefix that doesn't change). My ISP however seems to provide me with a new prefix every time I reconnect.

    I'm really lost.

    • Daniel B
      Daniel B about 10 years
      How do you connect to the internet? Does your router manage this connection?
    • Oliver M.
      Oliver M. about 10 years
      I connect to the internet via a cable modem that is hooked up to eth1 and conveniently does all the complicated stuff for me. What exactly do you mean by manage?
    • Daniel B
      Daniel B about 10 years
      Manage as in own. From what you described, it doesn't, which is unfortunate. Unless you can react to the prefix change, you have no way of distributing it.
    • Michael Hampton
      Michael Hampton about 10 years
      Sounds like you are in Germany. German ISPs seem to do this by default, supposedly for "privacy" reasons. Unfortunately this breaks everything. Ask the ISP to stop doing this.
    • Oliver M.
      Oliver M. about 10 years
      @MichaelHampton So German ISPs really have the same reputation internationally that they have nationally? I've got a feeling the entire IPv6 migration process will be extra difficult for Germany.
    • Michael Hampton
      Michael Hampton about 10 years
      @OliverM. We've seen a lot of IPv6 questions, and to date the only country in which ISPs are doing this particular thing has been Germany. I know nothing about any other aspects of their reputation.
    • Oliver M.
      Oliver M. about 10 years
      @MichaelHampton Ha, alright! Thank you anyways!
  • Oliver M.
    Oliver M. about 10 years
    Thank you so much for your detailed reply. Unfortunately only the router's external interface (eth1) gets an IPv6 address that is not only link-local. Neither the internal interface (eth0) nor any of the workstations (running dnsmasq 2.70-1) get one. I also tried post-up sysctl -w net.ipv6.conf.eth0.accept_ra=2 (ext0->eth0) and prefix ::/64 infinity; (/60->/64), because that's what ifconfig eth1 showed after the IPv6 address before (with wide-dhcpv6-client it says /128 now), but that didn't help either. I rebooted every time I applied changes and waited a few minutes just to make sure.
  • Michael Berg
    Michael Berg about 10 years
    @OliverM. Sorry for the delayed response. With wide-dhcpv6-client, if you change the prefix delegation request to prefix ::/64 infinity; you also need to change the sla-len to sla-len 0; and make sure sla-id 0;
  • Michael Berg
    Michael Berg about 10 years
    @OliverM. You might also try commenting out the send rapid-commit; statement since some ISPs support it and some don't. And to further clarify my previous comment, the number of bits specified with sla-len must correspond to the number of bits being delegated to you. A prefix of ::/64 corresponds to a sla-len of 0, a prefix of ::/60 corresponds to a sla-len of 4, a prefix of ::/48 corresponds to a sla-len of 16, and so on.
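The sla-len rule from the comment above, together with the "[prefix]::1" address described in Solution 1, worked through as an added example (not code from the original posts or from wide-dhcpv6). The function names are hypothetical and the delegations are constructed samples from the 2001:db8::/32 documentation range; a mismatched sla-len is rejected instead of silently yielding an unusable LAN prefix.

```python
import ipaddress


def required_sla_len(delegated_len: int) -> int:
    """Bits of sla-id needed so delegated prefix + sla-id forms a /64."""
    if not 0 < delegated_len <= 64:
        raise ValueError(f"a /{delegated_len} delegation cannot yield a /64 LAN")
    return 64 - delegated_len


def lan_from_delegation(delegated: str, sla_len: int, sla_id: int, ifid: int = 1):
    """Combine delegated prefix, sla-id and ifid the way a prefix-interface
    block is described on this page; returns (lan_prefix, router_address)."""
    pd = ipaddress.IPv6Network(delegated, strict=True)
    need = required_sla_len(pd.prefixlen)
    if sla_len != need:
        raise ValueError(
            f"/{pd.prefixlen} delegation needs sla-len {need}, got {sla_len}")
    if not 0 <= sla_id < (1 << sla_len):
        raise ValueError(f"sla-id {sla_id} does not fit in {sla_len} bits")
    if not 0 < ifid < (1 << 64):
        raise ValueError("ifid must fit in the low 64 bits")
    # sla-id occupies the bits directly above the 64-bit interface identifier.
    base = int(pd.network_address) | (sla_id << 64)
    lan = ipaddress.IPv6Network((base, 64))
    addr = ipaddress.IPv6Interface((base | ifid, 64))
    return str(lan), str(addr)


if __name__ == "__main__":
    # Constructed samples: (delegated prefix, sla-len, sla-id)
    samples = [
        ("2001:db8:abcd:10::/60", 4, 0),   # the /60 case from Solution 1
        ("2001:db8:abcd:10::/60", 4, 3),   # a fourth internal network
        ("2001:db8:abcd:10::/64", 0, 0),   # /64 delegation: sla-len 0
        ("2001:db8:abcd:10::/64", 4, 0),   # /64 requested, sla-len left at 4
    ]
    for pd, sla_len, sla_id in samples:
        try:
            print(pd, sla_len, sla_id, "->", lan_from_delegation(pd, sla_len, sla_id))
        except ValueError as err:
            print(pd, sla_len, sla_id, "-> rejected:", err)
```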
  • TCB13
    TCB13 almost 6 years
    "The "na" section gets an IPv6 address for eth1 (facing your ISP)" I don't get any IP on the external interface here, how can I debug? I also don't have an internal interface, I just want to get an IPv6 on the external interface...
  • Thalys
    Thalys over 5 years
    This works for me - I did edit /etc/sysctl , and from my experience "iface eth1 inet6 auto" is redundant - apparently on modern, systemd based distros the systemd unit provided by the distro works well enough
  • Paul Stelian
    Paul Stelian over 2 years
    This was incredibly helpful for my situation where I'm setting up a Proxmox server that connects via Wi-Fi -- so bridging is not an option.