Need help configuring my Tomato router dnsmasq server with IPv6

Discussion in 'Tomato Firmware' started by Nazgulled, Apr 11, 2019.

  1. Nazgulled

    Nazgulled Serious Server Member

    Following this topic I decided to review my network related to IPv6 and now I'm trying to configure the same thing I currently have for IPv4 but for IPv6 enabled clients.

    Ok, first things first... I currently have static IPs defined for each known client on my network, one of those is a custom DNS server, which is pushed to all IPv4 clients with a custom dnsmasq configuration (dhcp-option=tag:br0,6,192.168.0.99). Everything is working as expected and now I want to replicate this for IPv6 enabled clients.

    Please correct me if I'm wrong but here's what I think I need to do to get this working:
    • Setup my router with my ISP and get IPv6 working in the first place.
    • Setup IPv6 on the client running the DNS Server.
    • Set a static IPv6 (on the router) for the client running the DNS Server.
    • Push, with dnsmasq, the static IPv6 above to all IPv6 enabled clients.
    The first step is done and working correctly, here's my router configuration for my ISP:

    [attached image: upload_2019-4-11_18-18-32.png]

    My ISP has a test page to make sure IPv6 is working, which I used, and everything looks fine. My main Windows PC correctly gets an IPv6 and everything seems to be working, no issues here. But I have a few questions about the above:

    a) LAN1 (br1) refers to my guest Wi-Fi network, should I enable this for some reason? Why isn't there a similar option for LAN (br0) that refers to my main network? Is it /64 by default or /56?

    b) Is there any other setting from the screen above that I should change? Why?

    Second step is to setup the client running the DNS Server with IPv6, a Synology NAS. I've set this to "Auto":

    [attached image: upload_2019-4-11_18-32-55.png]

    And there's also a link-local address associated (by default, I didn't do anything):

    [attached image: upload_2019-4-11_18-22-2.png]

    Questions about this:

    c) Should I manually set these IPv6 settings and change the "prefix length" to match the 56 from the ISP?
    d) Is that link-local address dynamic or static? Do I still need to set a static IPv6 on the router somehow?

    Question d) leads me to the next question...

    e) I'm assuming it's not a static address on d) and that I still need to set a static address for the machine running the DNS Server so I can push it to clients. How do I use dnsmasq on the Tomato router to configure static IPv6 addresses for specific clients that support IPv6?

    And now the latest step...

    f) How do I push the static IPv6 address belonging to the DNS Server machine (the Synology NAS) to all IPv6 enabled clients?

    Am I missing anything?
     
  2. Sean B.

    Sean B. Network Guru Member

    You can't set a static IPv6 IP for the client as your IPv6 setup is dynamic ( DHCPv6 ). Remember that with IPv6 the addresses your router will be handing out are all global, and therefore the client's address must change dynamically as well. You can push the client's link-local address for use as DNS server instead, as this will not change.

    No. The router uses a 64 ( one 64 subnet for each configured LAN ) derived out of the larger 56 prefix served by your ISP. The config is correct.

    I'll answer more when I have time later today.
     
  3. Nazgulled

    Nazgulled Serious Server Member

    I understand I cannot set a global IPv6 (starting with 2001: ) because that's issued by my ISP, just like the IPv4 one. But just like I've configured my router to have the 192.168.0.254 IPv4, I thought I could do the same for IPv6. I guess "the same" is the link-local address?

    But who set this link local address in the first place? Is it derived from some other information? Is it not possible to pick one myself, starting with fe80:? I mean, say I change to a different router in the future with a different firmware and I want to replicate my configuration as much as possible. It's easy to pick the same IPv4 addresses for all my clients, but can I do that for fe80: IPv6 addresses?
     
  4. Nazgulled

    Nazgulled Serious Server Member

    Anyway, looked at dnsmasq man page and researched a bit and got to this:

    Code:
    dhcp-option=tag:br0,option6:dns-server,[fe80::211:32ff:fe7b:9a85]
    And this:

    Code:
    dhcp-option-force=tag:br0,option6:dns-server,[fe80::211:32ff:fe7b:9a85]
    But it doesn't seem to work either way.

    The IPv6 DNS on the clients is set to the router's global address starting with 2001:, not sure what I'm missing.
     
  5. Sean B.

    Sean B. Network Guru Member

    You should do some reading up on IPv6, as the concepts and logic you're using from IPv4 are not applicable to IPv6. There is no more NAT ( IE: the 192.168 type internal network you compared to does not exist ). Link-local addresses are the "local only" version for IPv6, and it is not a "network" that you configure. The network stack of the client configures the address automatically, and it will not route over hops ( hence the "link" in link local ).

    I may have missed it, as I haven't read everything, but I don't see a post showing your LAN side V6 config. Whether you're using SLAAC, DHCPv6 stateful or stateless, or a combination, will determine how/what/if clients are configured with the settings you want.
     
  6. Nazgulled

    Nazgulled Serious Server Member

    I always had both enabled:

    [attached image: upload_2019-4-12_8-0-39.png]

    Should I just have one of those enabled?

    Read this link to try and understand the differences between the two but I don't understand a few things:

    DHCP

    If the router's DHCP server is responsible for this, the address will be dynamic and could change for some reason, right?

    SLAAC

    With this option I'm forced to pick IPv6 addresses, manually, for each client on their own network configuration, right?

    Now I'm not sure which mode I should even use...
     
  7. Nazgulled

    Nazgulled Serious Server Member

    Found this related topic with answers from yourself and it feels like I'm on the right path but I can't get it working.

    It seems to me that this is what I'm looking for:

    But I'm not sure if I should have "Announce IPv6 on LAN" for both SLAAC and DHCP enabled and use the dhcp-option, or if I should just enable "Announce IPv6 on LAN (SLAAC)" and use the dhcp-option to push the DNS server.

    Tried both methods but clients don't seem to pick up the DNS server I configured with the dhcp-option.
     
  8. Sean B.

    Sean B. Network Guru Member

    The answer is yes.. and no :). You need to configure it manually rather than checking the boxes for SLAAC and DHCPv6, otherwise Tomato's options will collide with yours. Leave the stated boxes unchecked and enter this into the custom config box:

    Code:
    enable-ra
    dhcp-range=tag:br0,::100,::150,constructor:br0,64,1440m
    dhcp-option=tag:br0,option6:dns-server,[LINK-IP]
    Where LINK-IP is the link-local IP of the DNS server. Make duplicate lines for the range and option changing br0 to br1 for the guest network.

    If for some reason the link-local IP will not work for the option line, then I'd suggest letting the router advertise its own global IPv6 IP as DNS server, then setting the link-local IP of the DNS server as the static DNS under Basic->IPv6.

    **NOTE** Remember, routers will not forward link local addressing, so the DNS server must be locally connected ( no VPN's, no crossing subnets etc ) to use the link local IP.
     
    Last edited: Apr 12, 2019
  9. Nazgulled

    Nazgulled Serious Server Member

    This seems to have worked, partially at least...

    I mean, I've reset both the network connections on my PC and my NAS and while the PC got the link-local IP for the DNS server, the NAS doesn't (it defaults to the gateway 2001: address). I can't seem to understand why the NAS doesn't pick it up. I also have a SHIELD Android TV and that device also seems to have picked the pushed DNS server:

    Code:
    04-13 11:18:54.045  3768  3902 D ConnectivityService: Setting DNS servers for network 101 to [/fe80::211:32ff:fe7b:9a85%eth0, /192.168.0.99]
    So, it works for some devices, it doesn't for others. It's weird because even when I set the IPv6 configuration on the NAS to disabled:

    [attached image: upload_2019-4-13_11-20-59.png]

    It still shows some "preferred DNS server" filled with the gateway 2001: address... Of course, I can set this to manual and configure the DNS Server myself but I'm trying to avoid that. This could be some issue, bug or misconfiguration on my NAS side, but I'm oblivious to what could be causing this.

    Anyway, I still have a few questions about all this...
    1. Will this link-local IP address never change, under any circumstances? Say I switch to a different ASUS router model (and keep using Tomato), will the link-local address for the NAS (where the DNS server is running) be the same, so I won't have to adjust my dnsmasq configuration?
    2. Could you please clarify the dhcp-range option you gave me above and why it needs to be different from the ones that Tomato sets when checking the SLAAC/DHCP options? I understand the tag bit, but the rest not so much.
    3. I tried to browse to http://[2001:...]:3000 (the DNS server admin interface) and it worked, however, browsing to http://[fe80:...]:3000 did not. Shouldn't both addresses have worked? I have a feeling that if this didn't work, why would [fe80:...]:53 work for all the devices that are picking up this address as their DNS server?
    4. You mentioned "no crossing subnets", does that mean that I won't be able to use this link-local address on any of my guest network clients by adding a firewall rule (for IPv6) similar to what we did here? I'm confused because you also said "make duplicate lines for the range and option changing br0 to br1 for the guest network". What does it all mean? Will the link-local address work in the guest network or not? Do I need a firewall rule or not?
     
  10. Sean B.

    Sean B. Network Guru Member

    DHCPv6/SLAAC had a rocky start, mainly with setting a standard on how clients receive information from both protocols. This could very well be an issue with how the NAS thinks it should be done. You could try changing dhcp-option to dhcp-option-force and see if that changes anything.

    A client's link-local address has nothing to do with the router or what it's connected to. It will not change unless hardware on the client itself changes.

    When you check the boxes in the GUI for SLAAC and DHCPv6, Tomato adds in the corresponding dhcp-option=option6 line for DNS along with others. The default is to use the router's global IPv6 IP; adding your own dhcp-option line stacks in line. Some options take the last one in line, others will outright conflict. The enable-ra and range lines are simply setting the base configurations for DHCPv6 and SLAAC, as the GUI boxes are not checked.

    When using link-local addresses you need to specify an interface identifier. Note how the Android TV shows the address:

    See the %eth0 it tacked on the end? It also depends on whether or not the service you're connecting to has bound itself to just the global IP, or is listening to all addressing on the interface.

    Maybe, maybe not. Technically no, as by RFC spec routers are not to forward fe80 addressed packets. However, if the source and destination interfaces are local to the router, it may consider that a link. It's a grey area that you'll have to try and see, as I've never needed to use the link-locals in your fashion.

    Here's a quote from some docs regarding link-local:

    As you can see, the rabbit hole gets rather deep with IPv6, and some of it will just need testing in order to grasp its behavior. The router, knowing the interfaces, may forward link-local between the two.. or.. it may not ;).
     
    Last edited: Apr 13, 2019
  11. Sean B.

    Sean B. Network Guru Member

    Here's what I think will likely need to happen:

    Allow your router to advertise its own global IPv6 address as the DNS server to clients. This will be a different address for your private and guest networks, as the router will use a different /64 for each network. Then for the router's static DNS server set the link-local IP of your DNS server client using the interface identifier.. IE: if the DNS server client's link-local IP is fe80:1:1:1::2 and is connected to the br0 LAN, you'd put

    Code:
    fe80:1:1:1::2%br0
    In the static IPv6 DNS box in the GUI. This will allow the DNS server pushed to clients to be dynamic, as the router will send its own global address, yet all queries will be forwarded to the DNS server client.
     
  12. Nazgulled

    Nazgulled Serious Server Member

    Thanks for the detailed answers @Sean B.

    I've been meaning to reply back and test a few things but I've been preparing for a 2-week trip and haven't had much time. I'm leaving tomorrow and coming back by the end of the month. We'll continue this when I get back if you don't mind.

    Just answer me one thing... What if I pushed the global IP address with dhcp-option instead of the link-local? Wouldn't that be simpler/easier and solve a few issues?
     
  13. Sean B.

    Sean B. Network Guru Member

    Because if your WAN goes down/up and the prefix you receive from your ISP via DHCPv6 changes ( just the same as your WAN IP may change upon reconnect with IPv4 ), the global IPv6 address of your DNS server you previously configured to push out to clients will be invalid ( the prefix handed out by the ISP DHCPv6 server makes up the first 56 bits of this address, then your router subnetting that /56 into a /64 makes up the next 8 bits ).

    This is why I suggested to let the router push its own global IPs, as it will dynamically change the pushed IPs to match whatever its global addresses are. Then set the link-local IP of your DNS server along with the interface identifier ( IE: fe80:1:1:1::1%br0 ) as the router's static IPv6 DNS.

    This results in all IPv6 DNS queries being sent to the router's global IPv6 addresses ( I say plural because it will have 2, one for the private network interface and one for the guest network interface ) from both private and guest networks, and those queries are forwarded to your DNS server link-local address. This gets around the probable issue of using the link-local IP from the guest network side while also avoiding the risk of a prefix change invalidating the global IP address of the DNS server.
     
    Last edited: Apr 15, 2019
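Two claims in this thread are easier to trust once you can compute them yourself: Sean B.'s point (posts 10 and 13) that a client's link-local address is derived from the client's own hardware and does not depend on the router, and his explanation that a global address is the ISP's /56 followed by the router's 8-bit subnet choice and the same 64-bit interface identifier, so a prefix change invalidates it while the link-local address survives. The script below is an added example, not code from the thread, from Tomato or from dnsmasq. It assumes the NAS link-local address quoted in post 4 (fe80::211:32ff:fe7b:9a85) is a modified EUI-64 address, and it uses constructed documentation prefixes (2001:db8::/32) in place of the real ISP prefix, which the thread never shows.

```python
"""Link-local (modified EUI-64) derivation and /56 -> /64 prefix arithmetic.

Added example for this thread, not code from Tomato or dnsmasq.
The MAC is recovered from the NAS link-local address quoted in the
thread; the two ISP prefixes are constructed documentation prefixes.
"""
import ipaddress
from typing import List, Optional


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, App. A):
    split the MAC in half, insert ff:fe, flip the universal/local bit."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("MAC must have six octets")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # bit 1 of the first octet (u/l bit) is inverted
    return bytes(iid)


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 plus the EUI-64 IID; depends only on the client's NIC."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + eui64_iid(mac))


def mac_from_eui64(addr: str) -> Optional[str]:
    """Inverse check: if the low 64 bits carry the ff:fe marker, undo the bit
    flip and return the MAC; otherwise (random or RFC 7217 IID) return None."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


def lan_subnets(delegated: str, lan_count: int = 2) -> List[ipaddress.IPv6Network]:
    """Carve one /64 per LAN out of the delegated prefix, in order
    (index 0 -> br0, index 1 -> br1), as the thread describes Tomato doing."""
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if pd.prefixlen > 64:
        raise ValueError("delegated prefix must be /64 or shorter")
    subnets = list(pd.subnets(new_prefix=64))
    if lan_count > len(subnets):
        raise ValueError("not enough /64s in the delegated prefix")
    return subnets[:lan_count]


def global_from_iid(subnet: ipaddress.IPv6Network, iid: bytes) -> ipaddress.IPv6Address:
    """Global address = the LAN's /64 prefix (56 bits from the ISP, 8 bits
    chosen by the router) followed by the same IID a SLAAC client would use."""
    return ipaddress.IPv6Address(subnet.network_address.packed[:8] + iid)


def still_valid(addr: str, delegated: str, lan_count: int = 2) -> bool:
    """Does a previously configured global address still fall inside one of the
    /64s the router would carve from the (possibly new) delegated prefix?"""
    a = ipaddress.IPv6Address(addr)
    return any(a in net for net in lan_subnets(delegated, lan_count))


NAS_LINK_LOCAL = "fe80::211:32ff:fe7b:9a85"  # quoted in the thread
OLD_PD = "2001:db8:1:100::/56"               # constructed ISP prefix
NEW_PD = "2001:db8:2:200::/56"               # constructed: after a WAN bounce


def demo() -> dict:
    """Walk the thread's scenario: recover the MAC, build br0/br1, build the
    NAS global address, then change the ISP prefix and compare."""
    mac = mac_from_eui64(NAS_LINK_LOCAL)
    br0, br1 = lan_subnets(OLD_PD)
    nas_global = global_from_iid(br0, eui64_iid(mac))
    return {
        "mac": mac,
        "link_local": str(link_local_from_mac(mac)),
        "br0": str(br0),
        "br1": str(br1),
        "nas_global_old": str(nas_global),
        "valid_before": still_valid(str(nas_global), OLD_PD),
        "valid_after": still_valid(str(nas_global), NEW_PD),
        "link_local_after": str(link_local_from_mac(mac)),  # unchanged by the prefix
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
```

The round trip through mac_from_eui64 is the practical check: an address that decodes to a MAC is EUI-64 and will stay fixed as long as that NIC does, which is what the thread relies on for the NAS. Windows and many other modern stacks default to random or RFC 7217 stable-privacy identifiers instead, for which the function returns None and no such guarantee exists. Note also that the script produces plain addresses; a link-local address is only meaningful per link, so wherever the router itself uses it (the static DNS box in post 11) it still needs the zone suffix such as %br0.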