How to prevent LAN devices from obtaining IPv6 addresses?


Yota

Very Senior Member
A long time ago, I liked public IPv4 addresses, so my router had a unique IP address, and I could connect to my OpenVPN server from anywhere. But about 3 years ago, my ISP stopped providing public IPv4 addresses. They used a technology called CGNAT to save their IPv4 resources. Instead, they started to provide IPv6 support when they cut off public IPv4.

Since my ISP provided IPv6, I started trying to learn IPv6, and I found that I don't like it. The biggest reason is that IPv6 does not support NAT. This will provide a public IP for each of my devices, which will cause my devices to have to face pings and even port scans from the Internet, and I am not sure whether the existing firewall can cope with the threat. I understand that it is impractical to run an IP scan on an IPv6 network, but this does not mean that there is zero threat (scan6). And because IPv6 is bound to the MAC address of the device, it will make it more difficult for my devices to protect their privacy and prevent tracking by Google's and Facebook's ad networks.

My only requirement for IPv6 is as a substitute for public IPv4 addresses, so I can run an IPv6 OpenVPN server on the router and remotely access my LAN via IPv6. At least until I'm ready, I have no plans to enable IPv6 for my LAN devices.


So can I enable IPv6 only on the router, but prevent any LAN devices from obtaining public IPv6 addresses?


I know that this is against the design philosophy of IPv6. I think I have many reasons not to enable IPv6 for my LAN devices, and I know that I can disable the IPv6 stack on some of my LAN devices to turn off IPv6 support, but I hope to find a solution on the router.

Thanks for any suggestions
 
I'll skip my skepticism about whether this is a worthwhile exercise.

But in principle, setting the IPv6 network to "stateful" would stop the devices auto-generating addresses.

And then if you kill the DHCPv6 server, they won't be able to get addresses that way either.

Then you could kill the router advertisement daemon (which would render the "stateful" option moot), and you could configure all interfaces to not forward via sysctl -w net.ipv6.conf.all.forwarding=0.

Just shutting off the forwarding would cause performance problems because the devices would have addresses and try to use them. So you need to stop them getting addresses first, even though stopping forwarding is a more definite block.

But if forwarding is on and all the services shut down, there's nothing stopping devices from being statically configured and going through the router.

What to do depends on whether you're trying to absolutely block devices using IPv6, or just not allow it to happen easily.

And exactly how to do the above automatically would need investigating, as the system is going to be trying to keep those services running. A few kills in certain scripts might do it, or maybe some "rc rc_service stop_xxx".

(I'm assuming there's nothing easy in the UI, like restricting the DHCPv6 server to only known addresses).

Edit: Actually, you can disable the router advertisements and DHCPv6 server via the GUI at least in john's fork. That's 90% of the job.
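Once router advertisements and the DHCPv6 server are off, the check worth running on a LAN host is whether it still holds a global IPv6 address, and whether that address was autoconfigured or set by hand. This is an added example, not code from the thread or from the firmware: a small Python parser for the output of `ip -6 addr` on a Linux client. The two sample outputs embedded below are constructed (documentation prefix 2001:db8::/32, made-up MAC), one taken "before" the router change and one "after"; the interface name eth0 and the flag names are those the `ip` command really prints.

```python
# Added example (not from the thread): audit a Linux LAN host's IPv6 addresses
# after the router stops sending RAs and serving DHCPv6.  The `ip -6 addr`
# samples below are constructed; the flag words are the real ones `ip` prints.
import ipaddress
import re

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")   # routable on the Internet
ULA = ipaddress.IPv6Network("fc00::/7")              # unique local, not routed globally
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")      # always present, never leaves the link

# Constructed sample: host still autoconfiguring from the router's RAs.
SAMPLE_BEFORE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:5054:ff:fe12:3456/64 scope global dynamic mngtmpaddr
       valid_lft 86395sec preferred_lft 14395sec
    inet6 2001:db8:1:2:a1b2:c3d4:e5f6:7788/64 scope global temporary dynamic
       valid_lft 86395sec preferred_lft 14395sec
    inet6 fd12:3456:789a:1::10/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""

# Constructed sample: same host after RA and DHCPv6 were switched off and the
# old addresses expired.  Only the link-local address remains.
SAMPLE_AFTER = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""

IFACE_RE = re.compile(r"^\d+:\s+([^:\s]+):")
INET6_RE = re.compile(r"^\s+inet6\s+(\S+)\s+scope\s+(\S+)\s*(.*)$")


def parse_ip6_addr(text):
    """One dict per inet6 line: interface, address, scope and the kernel flags."""
    iface, entries = None, []
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = INET6_RE.match(line)
        if m:
            entries.append({
                "iface": iface,
                "addr": ipaddress.IPv6Interface(m.group(1)).ip,
                "scope": m.group(2),
                "flags": set(m.group(3).split()),
            })
    return entries


def audit(text):
    """Classify the host's addresses.  The kernel sets 'dynamic' on addresses
    that carry a lifetime (learned via SLAAC or installed by a DHCPv6 client)
    and 'temporary' on RFC 4941 privacy addresses; a manually configured
    address has 'forever' lifetimes and no 'dynamic' flag."""
    report = {"autoconfigured_global": [], "static_global": [], "temporary": [],
              "ula": [], "link_local": []}
    for e in parse_ip6_addr(text):
        a = e["addr"]
        if a in LINK_LOCAL:
            report["link_local"].append(str(a))
        elif a in ULA:
            report["ula"].append(str(a))
        elif a in GLOBAL_UNICAST:
            key = "autoconfigured_global" if "dynamic" in e["flags"] else "static_global"
            report[key].append(str(a))
            if "temporary" in e["flags"]:
                report["temporary"].append(str(a))
    report["has_global_address"] = bool(report["autoconfigured_global"]
                                        or report["static_global"])
    return report


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        r = audit(sample)
        print(f"{label}: global={r['has_global_address']} "
              f"autoconf={r['autoconfigured_global']} static={r['static_global']} "
              f"ula={r['ula']}")
```

On a real host, feed `audit()` the output of `ip -6 addr` (for example via `subprocess.run(["ip", "-6", "addr"], capture_output=True, text=True).stdout`). An address in `static_global` after the change is one somebody configured by hand, which is exactly the case the post says the router cannot prevent.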
 
Thank you for your reply. Please forgive my very limited knowledge of IPv6. I found "DHCP-PD" and "Enable Router Advertisement" in the GUI of the current 386_4 beta firmware. I assume that these are DHCPv6 and NDP, so I just need to disable them to prevent the device from automatically obtaining a public IP address?
 
The router's IPv6 firewall is more than capable of blocking unsolicited connection attempts directed at LAN clients.
Thank you, and yes, I believe it can do that, but maybe I need more, and my knowledge is not enough to support my customization, so until I fully understand how it works, maybe I should postpone the use of IPv6 on my LAN?

For example, I want to prevent any IPv6 ping response from LAN devices. The router should assign IPv6 addresses no longer based on the device's MAC address, but completely randomly. And I hope that IPv6 will not significantly increase the fingerprintability of my LAN devices.
 
Thank you for your reply. Please forgive my very limited knowledge of IPv6. I found "DHCP-PD" and "Enable Router Advertisement" in the GUI of the current 386_4 beta firmware. I assume that these are "DHCPv6" and "NDP", so I just need to disable them to prevent the device from automatically obtaining a public IP address?
I'm probably not on the same firmware as you, so mine won't align.

I have "Auto Configuration: Stateful / Stateless", "Enable DHCPv6 Server" and "Enable Router Advertisement". Those should be set to Stateful, Disable, Disable.

(Edit: Actually, the stateless shouldn't matter. That will only determine the contents of the router advertisements, and if you're not sending them...)

The Router Advertisements are the part of the neighbour discovery system that lets devices autoconfigure themselves. With that disabled, IPv6 will still be functioning, but only for statically-configured devices (where someone has assigned them an IPv6 address and set the default route).

IPv6 devices normally look for router advertisements first, and they either tell the devices to generate their own addresses, or issue a DHCPv6 request. But you can manually configure IPv6 devices to always attempt DHCP, or have fixed addresses.

You probably don't want to touch a DHCP-PD setting - that probably refers to the DHCP-PD client for the ISP. (It's a part of DHCPv6 to get entire network prefixes rather than host addresses). Although if it is specifically "DHCP-PD server" or "relay", you can turn it off too.

For example, I want to prevent any IPv6 ping response from LAN devices. The router should assign IPv6 addresses no longer based on the device's MAC address, but completely randomly. And I hope that IPv6 will not significantly increase the fingerprintability of my LAN devices.
Obviously the firewall would block incoming ping requests by default, just like all unsolicited incoming traffic.

When stateless, the devices assign themselves their own addresses, and would normally use random cycling temporary addresses for general traffic, although it's up to them. Some might use MAC-based addresses.

If you switch to "stateful", then the server will hand out addresses from a DHCP pool just like IPv4. They won't fingerprint like a MAC, but they will tend to associate with a device longterm, unlike the stateless temporary addresses. (Not sure if there's an option to make the DHCPv6 server cycle addresses.)
 
Thanks, maybe I haven't applied the changes to enable IPv6, so I can't see the "Enable DHCPv6 Server" option. As shown in the screenshot below, my GUI may be different from yours. Edit: Removed the screenshot, because it clearly didn't help.




IPv6 devices normally look for router advertisements first, and they either tell the devices to generate their own addresses, or issue a DHCPv6 request. But you can manually configure IPv6 devices to always attempt DHCP, or have fixed addresses.

You probably don't want to touch a DHCP-PD setting - that probably refers to the DHCP-PD client for the ISP. (It's a part of DHCPv6 to get entire network prefixes rather than host addresses). Although if it is specifically "DHCP-PD server" or "relay", you can turn it off too.
Thank you, this knowledge is very helpful. Yes, I just don't want the device to automatically obtain an IPv6 address; it would be helpful to be able to use a fixed address when needed.

Obviously the firewall would block incoming ping requests by default, just like all unsolicited incoming traffic.
I am glad to know this.

When stateless, the devices assign themselves their own addresses, and would normally use random cycling temporary addresses for general traffic, although it's up to them. Some might use MAC-based addresses.

If you switch to "stateful", then the server will hand out addresses from a DHCP pool just like IPv4. They won't fingerprint like a MAC, but they will tend to associate with a device longterm, unlike the stateless temporary addresses. (Not sure if there's an option to make the DHCPv6 server cycle addresses.)
Thank you, you taught me a lot of useful knowledge.



Edit:
Not sure if there's an option to make the DHCPv6 server cycle addresses.
I did a search and found that RFC 8415 has standards for this, but I don't know whether the DHCPv6 server used by Asuswrt can be configured in this way.


6.5. DHCP for Temporary Addresses

Temporary addresses were originally introduced to avoid privacy
concerns with stateless address autoconfiguration, which based
64 bits of the address on the EUI-64 (see [RFC4941]). They were added
to DHCP to provide complementary support when stateful address
assignment is used.

Temporary address assignment works mostly like non-temporary address
assignment (see Section 6.2); however, these addresses are generally
intended to be used for a short period of time and not to have their
lifetimes extended, though they can be if required.
 
Another idea:
Is it possible to specify the IPv6 subnet mask? Like modifying it to /128, so that IPv6 should only work on the router.
 
As @ColinTaylor noted, the IPv6 firewall will block unwanted inbound connections. So the only gripe I see is regarding privacy and those gripes assume that there is one MAC based public IPv6 address on each LAN device that is being used to access the internet. At least on the devices I have that support IPv6 there are multiple public IPv6 addresses being used: One based on MAC address that, near as I can tell, the device only listens on. And one or more picked at random out of the typical /64 address space and only used for a short period of time (minutes).

So if an external entity is trying to monitor/track my laptop they don’t have a fixed public IPv6 address to monitor, they have to guess what IPv6 address my laptop picked at random out of a /64 range. And then in a few minutes they will have to guess again. I suppose a state level actor could monitor and track you but I think you are safe from the typical commercial tracking used by people trying to profile you for “a personalized Internet experience”.

I don’t do Windows so I can’t say how their desktop, etc. clients deal with IPv6 but I am pretty sure that Linux (including Android) work the way my MacOS laptop does. At least when I look at my log files for my Linux boxes they seem to rotate among random IPv6 addresses the same way I see my Mac doing it.
 
Obviously the firewall would block incoming ping requests by default, just like all unsolicited incoming traffic.
RFCs state that for IPv6, clients are expected to properly respond to pings.
 
Thanks, maybe I haven't applied the changes to enable IPv6, so I can't see the "Enable DHCPv6 Server" option. As shown in the screenshot below, my GUI may be different from yours.
It may be that the DHCPv6 server option doesn't appear unless you select Stateful auto configuration, and is disabled otherwise. The DHCP-PD option there is talking about your WAN connection, so it needs to be set according to your ISP. (Probably on).

Another idea:
Is it possible to specify the IPv6 subnet mask? like modify it to /128, so that IPv6 should only work on router.

No, an Ethernet network has to be /64. Although, actually, that made me realise. If you DO turn off the DHCP-PD then that stops your router asking the ISP for a prefix for the LAN /64. That stops your LAN having a valid global address. Only the router will have a WAN address.

You can then generate and configure a ULA (Unique Local Address) prefix for the LAN, which is the IPv6 equivalent of 192.168.1.0/24, which would let LAN devices talk to each other. But you wouldn't be able to get to the global internet.

And you could in theory then NAT the ULA. I don't know if there are any NAT66 setup packages available for the router. I would imagine not. NAT66 is not a thing people do much.

I don’t do Windows so I can’t say how their desktop, etc. clients deal with IPv6 but I am pretty sure that Linux (including Android) work the way my MacOS laptop does. At least when I look at my log files for my Linux boxes they seem to rotate among random IPv6 addresses the same way I see my Mac doing it.

Windows does use IPv6 temporary addresses by default - IIRC it was Microsoft who led their standardisation.
 
RFCs state that for IPv6, clients are expected to properly responds to pings.
I stand corrected. I was assuming it was extra paranoid.

The (LTS fork) web UI kind of suggests paranoia with the "Any other inbound traffic must be specifically allowed here." on the IPv6 firewall page and "Respond Ping Request from WAN" option.

At least on my LTS fork, the firewall filter table looks like:

Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all      eth0   any     anywhere             anywhere             state INVALID
28402   20M ACCEPT     all      any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 DROP       all      any    any     anywhere             anywhere             rt type:0 segsleft:0
  320 78240 ACCEPT     all      br0    eth0    anywhere             anywhere
    0     0 ACCEPT     all      br0    br0     anywhere             anywhere
    0     0 ACCEPT     ipv6-nonxt    any    any     anywhere             anywhere             length 40
    0     0 ACCEPT     ipv6-icmp    any    any     anywhere             anywhere             ipv6-icmp destination-unreachable
    0     0 ACCEPT     ipv6-icmp    any    any     anywhere             anywhere             ipv6-icmp packet-too-big
    0     0 ACCEPT     ipv6-icmp    any    any     anywhere             anywhere             ipv6-icmp time-exceeded
    0     0 ACCEPT     ipv6-icmp    any    any     anywhere             anywhere             ipv6-icmp parameter-problem
    0     0 ACCEPT     ipv6-icmp    any    any     anywhere             anywhere             ipv6-icmp echo-request
    0     0 ACCEPT     ipv6-icmp    any    any     anywhere             anywhere             ipv6-icmp echo-reply
    0     0 DROP       all      any    any     anywhere             anywhere

So pings and other important control messages are permitted in. But no other traffic unrelated to an existing connection is.

So, yes, an external person can ping an internal device. If they can find its address, which will be impossible if using temporary addresses. Your LAN address space is around a billion times bigger than the IPv4 address space. And if they hit it, then what? The firewall won't permit any other traffic to it.
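To make the point of that FORWARD listing concrete, here is an added example, not code from the thread or from the firmware: a small Python model of the chain above, evaluated top to bottom with first match winning, the way ip6tables does. It assumes the interface roles the listing implies (eth0 = WAN, br0 = LAN bridge) and a simplified packet description (interfaces, protocol, conntrack state, ICMPv6 type); the sample traffic in `demo()` is constructed. Running it shows the asymmetry the post describes: an unsolicited echo-request reaches a LAN host, while an unsolicited TCP or UDP probe to the same host falls through to the final DROP.

```python
# Added example (not from the thread or the firmware): model of the IPv6
# FORWARD chain quoted above, walked first-match-wins like ip6tables.
from dataclasses import dataclass
from typing import Optional, Tuple

WAN, LAN = "eth0", "br0"   # interface roles as in the listing

# ICMPv6 types the chain accepts from any interface (rules 7-12 of the listing).
ALLOWED_ICMPV6 = (
    "destination-unreachable", "packet-too-big", "time-exceeded",
    "parameter-problem", "echo-request", "echo-reply",
)


@dataclass
class Packet:
    in_if: str                            # ingress interface
    out_if: str                           # egress interface chosen by routing
    proto: str                            # "tcp", "udp", "ipv6-icmp", "ipv6-nonxt", ...
    state: str                            # conntrack: NEW, ESTABLISHED, RELATED, INVALID
    icmpv6_type: Optional[str] = None     # only for proto == "ipv6-icmp"
    length: int = 0                       # total length, used by the ipv6-nonxt rule
    rt0_segs_left: Optional[int] = None   # segments-left of a type-0 routing header, if any


def forward_verdict(p: Packet) -> Tuple[str, str]:
    """Return (verdict, matching rule) for a forwarded packet."""
    if p.in_if == WAN and p.state == "INVALID":
        return "DROP", "rule 1: INVALID state arriving on WAN"
    if p.state in ("RELATED", "ESTABLISHED"):
        return "ACCEPT", "rule 2: RELATED/ESTABLISHED"
    if p.rt0_segs_left == 0:               # "rt type:0 segsleft:0" as printed
        return "DROP", "rule 3: type-0 routing header"
    if p.in_if == LAN and p.out_if == WAN:
        return "ACCEPT", "rule 4: LAN -> WAN"
    if p.in_if == LAN and p.out_if == LAN:
        return "ACCEPT", "rule 5: LAN -> LAN"
    if p.proto == "ipv6-nonxt" and p.length == 40:
        return "ACCEPT", "rule 6: no-next-header packet of length 40"
    if p.proto == "ipv6-icmp" and p.icmpv6_type in ALLOWED_ICMPV6:
        return "ACCEPT", f"rules 7-12: ICMPv6 {p.icmpv6_type}"
    return "DROP", "rule 13: catch-all DROP (policy is DROP as well)"


def demo():
    """Constructed sample traffic towards and from a LAN host."""
    cases = {
        "WAN ping to LAN host":      Packet(WAN, LAN, "ipv6-icmp", "NEW", icmpv6_type="echo-request"),
        "WAN TCP SYN to LAN host":   Packet(WAN, LAN, "tcp", "NEW"),
        "WAN UDP probe to LAN host": Packet(WAN, LAN, "udp", "NEW"),
        "WAN packet carrying RH0":   Packet(WAN, LAN, "tcp", "NEW", rt0_segs_left=0),
        "LAN host opens connection": Packet(LAN, WAN, "tcp", "NEW"),
        "reply to that connection":  Packet(WAN, LAN, "tcp", "ESTABLISHED"),
        "WAN packet-too-big to LAN": Packet(WAN, LAN, "ipv6-icmp", "NEW", icmpv6_type="packet-too-big"),
    }
    return {name: forward_verdict(p)[0] for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:7} {name}")
```

The packet-too-big case is worth noticing when tightening such a chain: dropping those ICMPv6 messages breaks path MTU discovery for LAN hosts, which is why the listing lets them through alongside echo-request.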
 
Thanks, I'm too paranoid, haha. ;)

Edit:
Of course I have some security reasons:
Because IPv6 is independent of IPv4, I need to redo all the protection measures I have for IPv4 on IPv6. And due to my lack of knowledge about IPv6, I cannot ensure that my IPv6 network can be as secure as my IPv4 network. After I fully understand IPv6 and have sufficient resources to deal with the potential threats brought by IPv6, I will be glad to switch to IPv6. So for now, I am more willing to use IPv6 on demand.

However, there is another reason: besides alleviating the CGNAT problem, I don't see any other need for IPv6, because IPv4 handles my other requirements well.
 
RFCs state that for IPv6, clients are expected to properly respond to pings.
Thank you for clarifying this point, yes, in my impression you can't ban IPv6 ping. Do you have any suggestions about enabling IPv6 only for router? I want to use IPv6 to enable an OpenVPN server for the router.
 
It may be that the DHCPv6 server option doesn't appear unless you select Stateful auto configuration, and is disabled otherwise. The DHCP-PD option there is talking about your WAN connection, so it needs to be set according to your ISP. (Probably on).
I am enabling IPv6, and after setting Auto Configuration Setting to "Stateful", I still can't find where I can disable DHCPv6.


No, an Ethernet network has to be /64. Although, actually, that made me realise. If you DO turn off the DHCP-PD then that stops your router asking for the ISP for a prefix for the LAN /64. That stops your LAN having a valid global address. Only the router will have a WAN address.

You can then generate and configure a ULA (Unique Local Address) prefix for the LAN, which is the IPv6 equivalent of 192.168.1.0/24, which would let LAN devices talk to each other. But you wouldn't be able to get to the global internet.

When DHCP-PD is disabled and the LAN IPv6 is set to fe80::, IPv6 does not work at all. The WAN address of the router also becomes a local address.




And you could in theory then NAT the ULA. I don't know if there are any NAT66 setup packages available for the router. I would imagine not. NAT66 is not a thing people do much.
I think I will have more trouble with NAT66, so I don't plan to embark on this path. ;)


Windows does use IPv6 temporary addresses by default - IIRC it was Microsoft who led their standardisation.
So these functions are implemented by the client, not the DHCP server?
 
Thank you for clarifying this point, yes, in my impression you can't ban IPv6 ping. Do you have any suggestions about enabling IPv6 only for router? I want to use IPv6 to enable an OpenVPN server for the router.
I don't know, I don't use IPv6. You can typically disable IPv6 in client devices.
 
I am enabling IPv6, and after setting Auto Configuration Setting to "Stateful", I still can't find where I can disable DHCPv6.
Hmm. Dunno then on that. LTS fork has the option. Don't know if it's moved, disappeared, or only existed on the fork.
When DHCP-PD is disabled and the LAN IPv6 is set to fe80::, IPv6 does not work at all. the WAN address of the router also becomes a local address.
Ah, okay, I was hoping that would disable only the DHCP-PD client as it says, but it looks like it's disabled the basic DHCPv6 client too. Does the same on mine. Doesn't seem terribly logical. If you want to not use DHCPv6 on the WAN, there's the "static" option, right?

(To be fair, they're actually the same client - one DHCPv6 request could ask for both the router's WAN IPv6 address and a LAN IPv6 prefix. But the DHCP-PD option should only be shutting off the prefix request, not the entire client).

So these functions are implemented by the client, not the DHCP server?
Stateless means the clients make up their own addresses, and don't use the DHCPv6 server. Random temporary addresses were initially added as a new mechanism for that first, in place of the original use-your-MAC-address approach.

Stateful means clients contact the DHCPv6 server for addresses. And the RFC 8415 is talking about how the DHCP server would provide temporary addresses. (Normally if you're using a DHCP server you're doing it because you want static addresses, but maybe you want static only for certain devices, or only for local addresses, so you'd want a way to do temporary for other devices).
 
I don't know, I don't use IPv6. You can typically disable IPv6 in client devices.
Actually I originally planned to enable IPv6 but disable the IPv6 stack on all LAN devices, but almost all phones do not allow me to disable IPv6 for wifi, so I think I have to find a way to disable it on the router.

As @KMO said, john9527's fork may have some differences in DHCPv6 settings. Can we disable DHCPv6 on 386_4 via SSH?

Finally, thank you again for all your work to support IPv6!!
 
Hmm. Dunno then on that. LTS fork has the option. Don't know if it's moved, disappeared, or only existed on the fork.
:eek:

Ah, okay, I was hoping that would disable only the DHCP-PD client as it says, but it looks like it's disabled the basic DHCPv6 client too. Does the same on mine. Doesn't seem terribly logical. If you want to not use DHCPv6 on the WAN, there's the "static" option, right?

(To be fair, they're actually the same client - one DHCPv6 request could ask for both the router's WAN IPv6 address and a LAN IPv6 prefix. But the DHCP-PD option should only be shutting off the prefix request, not the entire client).
Yes, Asuswrt lacks rich configuration options like IPv4 has. This is another reason why I don't want to use IPv6. Maybe the options I need can be found in the magical SSH terminal, but it will be very time-consuming to find them. :confused:


Stateless means the clients make up their own addresses, and don't use the DHCPv6 server. Random temporary addresses were initially added as a new mechanism for that first, in place of the original use-your-MAC-address approach.

Stateful means clients contact the DHCPv6 server for addresses. And the RFC 8415 is talking about how the DHCP server would provide temporary addresses. (Normally if you're using a DHCP server you're doing it because you want static addresses, but maybe you want static only for certain devices, or only for local addresses, so you'd want a way to do temporary for other devices).
It seems that there is still a long way to go on IPv6.
 
