Netgate Discussion Forum

    turn IPv6 off on interfaces or at least disable advertising default routes

      helmlein

      First things first: I would like to do IPv6 PD with TNSR, but at this time, it's not implemented.

      I therefore need a second router on the client network for IPv6 (PD and SLAAC advertising), and that's where the problems start.

      I am getting advertised default routes on the clients for IPv6 pointing to the local fe80 IPv6 addresses of the TNSR interfaces, and I can't delete them on the clients; they keep reappearing. I have not yet TCPDUMPed the exact behaviour but would like to turn either IPv6 off on the respective TNSR interfaces (which can't be done using "no ipv6 address"; the local link IPv6 address will be kept) or, failing that, turn off IPv6 completely (if it can't be done right, it shouldn't be done at all). But in the present state, TNSR interfaces are somehow messing up IPv6 in my networks.

      Has anyone got a suggestion or experienced similar behaviour?

      Kind regards

      Martin

        helmlein @helmlein

        edit/add:

        Indeed, TNSR sends out IPv6 router advertisements, and while it doesn't advertise a default route technically, the client (in this case OpenBSD) adds a default route for it:

        12:20:35.552319 fe80::3eec:efff:fe38:33f7 > ff02::1: icmp6: router advertisement
        12:20:35.552321 fe80::3eec:efff:fe38:33f7 > ff02::1: icmp6: router advertisement
        
        tnsr tnsr#  show inte RADIO 
        Interface: RADIO
            Description: RADIO VLAN 3
            Admin status: up
            Link up, link-speed 10 Gbps, unknown duplex
            Link MTU: 1500 bytes
            MAC address: 3c:ec:ef:38:33:f7
            NAT inside
            IPv4 MTU: 0 bytes
            IPv4 Route Table: ipv4-VRF:0
            IPv4 addresses:
                192.168.3.1/24
            IPv6 MTU: 0 bytes
            IPv6 Route Table: ipv6-VRF:0
            IPv6 addresses:
                fe80::3eec:efff:fe38:33f7/64
            VLAN tag rewrite: disable
            Rx-queues
                queue-id 0 : cpu-id 1
            counters:
              received: 8076506222 bytes, 14028807 packets, 0 errors
              transmitted: 32340497834 bytes, 26720262 packets, 0 errors
              protocols: 12845112 IPv4, 240047 IPv6
              1188334 drops, 22 punts, 0 rx miss, 0 rx no buffer
        

        Can this be turned off? If so, how?

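An added example, not part of the original posts: one way to spot unexpected RA senders in a tcpdump capture like the one above and tie each sender back to a device. It inverts the modified EUI-64 interface ID of the link-local source to recover the MAC, which for the address in the post gives the MAC shown in the `show interface` output. The allow-list, the function names and the `fe80::1` "legitimate router" line are assumptions made for illustration.

```python
import re
from collections import Counter
from ipaddress import IPv6Address

# Constructed sample: the two RA lines from the post plus one invented line
# from a hypothetical legitimate router (fe80::1).
SAMPLE_CAPTURE = """\
12:20:35.552319 fe80::3eec:efff:fe38:33f7 > ff02::1: icmp6: router advertisement
12:20:35.552321 fe80::3eec:efff:fe38:33f7 > ff02::1: icmp6: router advertisement
12:20:41.100000 fe80::1 > ff02::1: icmp6: router advertisement
"""

# timestamp, source, '>', destination followed by ':', then the RA marker
RA_LINE = re.compile(r"^\S+\s+(\S+)\s+>\s+\S+:\s+icmp6: router advertisement")


def eui64_to_mac(addr):
    """Recover the MAC from a modified EUI-64 interface ID.

    Returns None when the interface ID lacks the ff:fe filler, i.e. the
    address was not derived from a MAC (static or privacy address).
    """
    iid = IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    # Flip the universal/local bit back and drop the ff:fe filler.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def unexpected_ra_sources(capture, allowed_routers):
    """Return {source: (ra_count, mac_or_None)} for RA senders not allow-listed."""
    allowed = {IPv6Address(a) for a in allowed_routers}
    counts = Counter()
    for line in capture.splitlines():
        m = RA_LINE.match(line.strip())
        if m:
            counts[IPv6Address(m.group(1))] += 1
    return {str(src): (n, eui64_to_mac(str(src)))
            for src, n in counts.items() if src not in allowed}


if __name__ == "__main__":
    hits = unexpected_ra_sources(SAMPLE_CAPTURE, ["fe80::1"])
    for src, (n, mac) in hits.items():
        print(f"unexpected RA sender {src}: {n} RAs, MAC {mac or 'unknown'}")
```
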
          Derelict LAYER 8 Netgate @helmlein

          @helmlein Yes, it should not be sending RAs.

          The workaround at the moment is to disable IPv6.

          As root on the host shell:
          echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/50-noipv6.conf
          echo net.ipv6.conf.default.disable_ipv6=1' >> /etc/sysctl.d/50-noipv6.conf
          dp-exec sysctl -p /etc/sysctl.d/50-noipv6.conf

          Then restart the dataplane ((config)# service dataplane restart) or reboot.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

            helmlein @Derelict

            @derelict Thanks; it's a bit sad TNSR can't do IPv6 PD yet, but at least the workaround (BTW the ' needs to be removed from your echo statement in line 2) stops it from sending RAs.

            It would be nice if the RAs could be turned off per interface without disabling the whole IPv6 stack; that can be done, e.g., in VyOS or in EdgeOS.

            As I'm on the homelab edition I can't really complain; thanks for the quick fix!

            M.

              Derelict LAYER 8 Netgate @helmlein

              @helmlein It is not intended to be this way and there is an open bug on the RA. DHCP6 features are simply not implemented yet.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.