Date: Mon, 17 Mar 2025 11:04:17 +0100
From: A FreeBSD User
To: freebsd-net@freebsd.org
Subject: mpd5: tun0 always get IPv6 address via SLAAC although not configured
Message-ID: <20250317110444.2d1e4c28@thor.sb211.local>
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

Hello,

I'm playing around with a useful setup of a small router/firewall appliance based on FreeBSD 14-STABLE and ipfw.

My/our ISP provides (alleged) ::/56 prefixes. The hardware used has several Intel i210 based NICs, one of them is facing towards the ISP as usual with a cloned pseudo device called "tun0" (in fact a renamed ng0 device). The ISP is changing both IPv4 and IPv6 addresses after a 24h period!

Obtaining a ::/56 prefix and delegating the proper network prefixes to their NICs works with port net/dhcp6 and FreeBSD's board tool rtadvd(8). The setup is textbook-like and straightforward. All inward facing NICs do have the same prefix, an individual 8-bit network portion and a (sadly not further controllable) 64bit SLAAC host address.

Problem: I never managed to obtain the ::/56 prefix on tun0! When using "rtsol -i tun0" within the link-up.sh script of mpd5, the ISP facing tun0 interface _always_ is configured via SLAAC (DHCPv6 on tun0 seems not to work in my case) and its prefix is ALWAYS different from that obtained later via net/dhcp6 and delegated via rtadvd. This causes some trouble identifying my router for ssh access from the outside world utilizing DDNS.

Well, some internet HowTo's suggest not to provide tun0/ISP facing NIC with any address (except IPv4 address, which is done by default via mpd5). So I declared one of the inner NICs as the interface for remote access.

But there seems to be an oddity: no matter what I configure for mpd5, tun0 ALWAYS obtains a SLAAC IPv6 and after several days there are several valid (temporary) IPv6 addresses, none of them is marked "detached" or "deprecated".

How to make mpd5 suppress obtaining any IPv6 address? And: why isn't the IPv6 address deprecated?

In my first attempts configuring the tun0 interface, I used rtsol(8) for obtaining an IPv6 address which worked very quickly (and provided this address to my DDNS provider). In roughly 6 out of 10 cases the old IPv6 address is marked deprecated/detached. But in 4 out of 10 cases, the outward facing tun0 has at least two valid addresses of which one is not valid anymore from the perspective of my ISP!

mpd5's link-up script is simply configuring tun0 with:

/sbin/ifconfig ${wan_if} inet6 auto_linklocal -ifdisabled accept_rtadv -no_radr up

(and if desired having SLAAC IPv6 addr on tun0:

/sbin/rtsol ${wan_if} &

but this is omitted right now). link-down.sh does nothing.

Why is deprecating former addresses not working in all cases? Is it a feature that tun0 magically obtains an IPv6 address via SLAAC on mpd5? How to suppress SLAAC on mpd5?

Sorry for possible confusions, I'm new to IPv6 and would appreciate any hints and tips.

Kind regards and thanks in advance,

Oliver

-- 
A FreeBSD user
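
The symptom described in this message, several SLAAC addresses on the WAN interface with none marked "deprecated" or "detached", can be checked mechanically from ifconfig(8) output. The following is an added example, not part of the original message; the sample text, the addresses and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit inet6 addresses in FreeBSD ifconfig(8) text output.
# SAMPLE is constructed (documentation prefixes), not output from the post.
SAMPLE='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
        inet 192.0.2.10 --> 192.0.2.1 netmask 0xffffffff
        inet6 fe80::1%tun0 prefixlen 64 scopeid 0x9
        inet6 2001:db8:a:1::aaaa prefixlen 64 deprecated autoconf
        inet6 2001:db8:b:1::bbbb prefixlen 64 autoconf
        inet6 2001:db8:c:1::cccc prefixlen 64 autoconf temporary
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>'

# classify_inet6: read ifconfig output on stdin and print one line per
# non-link-local address as "<state> <origin> <address>".
# state is preferred|deprecated|detached, origin is autoconf|manual.
classify_inet6() {
    awk '$1 == "inet6" && $2 !~ /^fe80:/ {
        state = "preferred"; origin = "manual"
        for (i = 3; i <= NF; i++) {
            if ($i == "deprecated" || $i == "detached") state = $i
            if ($i == "autoconf") origin = "autoconf"
        }
        print state, origin, $2
    }'
}

# count_preferred_autoconf: number of SLAAC addresses still preferred.
count_preferred_autoconf() {
    classify_inet6 | awk '$1 == "preferred" && $2 == "autoconf"' | wc -l | tr -d ' '
}

# accept_rtadv_set: exit 0 if the nd6 options line carries ACCEPT_RTADV,
# the per-interface flag that ifconfig's accept_rtadv keyword sets.
accept_rtadv_set() {
    grep -q 'nd6 options=.*ACCEPT_RTADV'
}

# audit: print the classification and warn when more than one SLAAC
# address is still preferred on the interface.
audit() {
    out=$(cat)
    printf '%s\n' "$out" | classify_inet6
    if printf '%s\n' "$out" | accept_rtadv_set; then
        echo "ACCEPT_RTADV is set: router advertisements are processed"
    fi
    n=$(printf '%s\n' "$out" | count_preferred_autoconf)
    [ "$n" -le 1 ] || echo "WARNING: $n preferred autoconf addresses"
}

# On the router: ifconfig tun0 | audit
printf '%s\n' "$SAMPLE" | audit
```
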