Posted: Sat Nov 19, 2022 16:55 Post subject: Static lease with DHCPv6-PD
I'm trying to figure out how to set some sort of static IP with PD from ISP especially for my raspberrypi running pi-hole. I know I could easily use the EUI-64 address; however, I'm trying to set something even easier and more in line with my IPv4 setup for this raspberrypi and various other devices on the network.
Has anyone been able to successfully configure a static lease (just the suffix) with DHCPv6-PD?
My configuration for DNSMasq, relative to IPv6 is:
...A single --dhcp-host may contain an IPv4 address or one or more IPv6 addresses, or both. IPv6 addresses must be bracketed by square brackets thus: --dhcp-host=laptop,[1234::56] IPv6 addresses may contain only the host-identifier part: --dhcp-host=laptop,[::56] in which case they act as wildcards in constructed DHCP ranges, with the appropriate network part inserted.
If you want dnsmasq to assign a static address via DHCPv6 then you need to identify the DUID (client id) that the Raspberry Pi is providing rather then it's MAC address. If you are successfully assigning a dynamic address to the Pi then you should have a corresponding entry for it towards the end of /tmp/dnsmasq.leases which will list the DUID. Then you can add a second dhcp-host entry for that DUID, for example
I also add firewall rules for devices by hostname so to ensure these can be applied upon bootup and to avoid hard coding the network prefix I use the dynamic-host option in dnsmasq, e.g.
I just run the standard vanilla Buster--nothing special OS wise on the pi(s). Actually, except on one that is running Kali, but I'm not concerned with a static IPv6 address for that one, just the one running Pi-Hole.
Thanks for your direction. I'm going to try a few more variations in the DNSMasq settings. _________________ R7000 Nighthawk - DD-WRT v3.0-r50308
R7000 Nighthawk - DD-WRT v3.0-r50308
~~~~~~~~~~Dismantled for learning opportunities~~~~~~~~~~
WRT54Gv2
WRT54Gv8.2
~~~~~~~~~~Other Settings~~~~~~~~~
https://nextdns.io/?from=2d3sq39x https://pi-hole.net/ https://github.com/DNSCrypt/dnscrypt-proxy
If you want dnsmasq to assign a static address via DHCPv6 then you need to identify the DUID (client id) that the Raspberry Pi is providing rather then it's MAC address. If you are successfully assigning a dynamic address to the Pi then you should have a corresponding entry for it towards the end of /tmp/dnsmasq.leases which will list the DUID. Then you can add a second dhcp-host entry for that DUID, for example
I also add firewall rules for devices by hostname so to ensure these can be applied upon bootup and to avoid hard coding the network prefix I use the dynamic-host option in dnsmasq, e.g.
Code:
dynamic-host=raspberrypi.lan,::3,br2
Hope that helps
This helped TREMENDOUSLY. Thank you! You have no idea how long I've been working on this and, as I expected, it was a layer 8 issue. This helped me finally find it.
Here's my finding to help those who might be in a similar situation.
Several years ago, I started using a RaspberryPi running Pi-Hole on my network, much to my family's dismay. I work in InfoSec, so I pride myself in having 5.6M blocked domains currently. Over the years, my network has expanded to have several RaspberryPis for various reasons/learning on my side.
I originally set the static IPv4 for the RaspberryPis on the Pi itself in the /etc/dhcpcd.conf file, so if an SD went bad, I could easily switch to another one and get the network back up and running from a DNS perspective.
Fast forward to now, as I'm going down the journey of implementing IPv6 on my network. After implementing it in a basic fashion back in 2017 (basically do I get an IPv6 address on my clients), to learning to not trust it after the IPv6 setion of the SANS503 GCIA training and certification, to learning to accept it again after an IPv6 training with Hexabuild, and wanting to go a little more advanced with my setup--hence static IPv6 addresses so my clients can use the Pi-Hole for both IPv4 and IPv6 DNS servers--I was off to the races, and mostly beating my head against the wall.
The issue was that the RaspberryPis were not even soliciting any IP from the router (DHCP server), so they were never getting the message to set a specific IPv6 address either.
Once I removed the static IPv4 address, and enabled "duid" over "clientid" in the /etc/dhcpcd.conf file on the RaspberryPis, I began to see the DUID show up in the /tmp/dnsmasq.leases file on the router:
Code:
# Use the hardware address of the interface for the Client ID.
#clientid
# or
# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as per RFC4361.
# Some non-RFC compliant DHCP servers do not reply with this set.
# In this case, comment out duid and enable clientid above.
duid
I still haven't figured out the "dynamic-host" entries like you have, though. I'd like to eventually. Instead, I have figured out how to dynamically implement firewall rules into the ip6tables. As long as the IPv6 network doesn't change outside of a reboot--which I've yet to see happen, I should be OK. Either way IPv4 is always there on the clients
For those interested in that portion, here's a snippet of my firewall rule script that I run at startup (with a sleep 10 in front to ensure it runs OK and as expected--I've seen unexpected results without it):
Code:
#!/bin/sh
echo "Get WAN IP address, Network, and Subnet Mask"
WAN_IP=`nvram get wan_ipaddr`;echo $WAN_IP
WAN_NET=$WAN_IP"/"`nvram get wan_netmask`;echo $WAN_NET
echo
echo "Set LAN Network CIDR, and get LAN Interface IP address and name"
LAN_NET="192.168.X.0/"`nvram get lan_netmask`
IP6_GLOBAL_NET=`nvram get ipv6_prefix`"/"`nvram get ipv6_pf_len`
LAN_IF=`nvram get lan_ipaddr`
IP6_IF=`nvram get ipv6_rtr_addr`
LAN_IFNAME=`nvram get lan_ifname`
IP6_IFNAME=`nvram get lan_ifname`
LAN_BRNAME="br0"
RPI3_IP="192.168.X.53"
RPI3_IP6=`nvram get ipv6_rtr_addr | cut -d ":" -f 1-4`"::802:3:53"
RPI4_IP="192.168.X.54"
RPI4_IP6=`nvram get ipv6_rtr_addr | cut -d ":" -f 1-4`"::802:3:54"
RPI5_IP="192.168.X.55"
RPI5_IP6=`nvram get ipv6_rtr_addr | cut -d ":" -f 1-4`"::802:3:55"
echo
echo "Set Guest Interface/Bridge name and get Guest Interface/Bridge gateway IP address"
GUEST_BRNAME="br1"
GUEST_VIFNAME1="wl0.1"
GUEST_VIFNAME2="wl1.1"
GUEST_GW=`nvram get br1_ipaddr`
GUEST_NETMASK=`nvram get br1_netmask`
Then I go on to list the rules for the INPUT and FORWARD chains for both iptables and ip6tables as necessary. Also, for posterity's sake my ISP is Cox.
