Freedombox and native IPv6

Freedombox

Freedombox is very useful and interesting project. It allows people to host cloud services by themselves, so their data are kept private. It can run on any hardware, that supports Debian.  I’m running it on APU2, that has several Ethernet interfaces and therefore it can not only host services for me, but work as a standard router and WiFi AP (using mPCI-E extension card) as well.

DHCPv6-PD and Network Manager

My ISP has native IPv6 support. It gives to every user /64 subnet via DHCPv6-PD. Freedombox uses Network Manager (NM) to handle network connections. NM support prefix deligation (PD) since version 1.6 using ‘shared’ method for IPv6 connections. NM use  DHCPv6 (dhclient, isc-dhcp-client package) for that. For each internal interfaces with ‘shared’ method for IPv6 NM requests separate IPv6 prefix (adds -P to dhclient command line). Sounds good. Unfortunatelly NM requires that DHCPv6 server gives IP address for external uplink interfaces as well. But my ISP only gives a prefix and external interfaces use link-local address to forward IPv6 packets (received using router advertisement). Because NM doesn’t receive IPv6 address for external interface, it decides that DHCP failed and kills dhclient. As a result IPv6 isn’t working after DHCP lease is expired.

To setup native IPv6 I set for external and internal interfaces method ‘auto’ in Network Manager and used this article as a start and took scripts from this repo. But I need some changes to make it working in my case.

Basic idea is here that as NM configures external interface, it calls scripts from /etc/network/if-up.d/ directory. In this directory there is script that starts dhclient with a proper command line parameters. As dhclient receives IPv6 prefix, it calls scripts from /etc/dhcp/dhclient-exit-hooks.d/. This script looks at deligated prefix and updates radvd config in /etc/radvd.conf and restart router advertisement service for internal network.

What changes were necessary for me?

DHCP client identifies itself using DUID (DHCP Unique Identifier). There are different types of it:

  1. Link-layer address plus time (DUID-LLT)
  2. Vendor-assigned unique ID based on Enterprise Number (DUID-EN)
  3. Link-layer address (DUID-LL)
  4. UUID-Based DUID (DUID-UUID)

My ISP (as many others ISPs) requires DUID in format DUID-LL. Most routers support this format already. dhclient uses by default DUID-LLT. It was necessary for me to add ‘-D LL’ to 99-ipv6 file.

Second NM calls if-up.d scripts twice for ADDRFAM=inet and ADDRFAM=inet6. I think it’s not necessary to launch dhclient twice. So I’ve added check into 99-ipv6.

if [ “$ADDRFAM” != “inet6” ]; then
exit 0
fi

And finally I commented out reloading firewall rules (/etc/network/ip6tables reload), because Freedombox is using new firewalld service. We come back later to firewall settings.

But this was not enough. I’ve got problem with dhclient. He reported

Can’t bind to dhcp address: Cannot assign requested address
Please make sure there is no other dhcp server running and that there’s no entry for dhcp or bootp in /etc/inetd.conf. Also make sure you are not running HP JetAdmin software, which includes a bootp server.  If you think you have received this message due to a bug rather than a configuration issue please read the section on submitting bugs on either our web page at http://www.isc.org or in the README file before submitting a bug. These pages explain the proper process and the information we find helpful for debugging..
exiting.

It looks like already known bug in Debian bug tracker and still exists in Debian Stretch. But most likely it’s fixed in latest Ubuntu. I fixed by applying Ubuntu patch.

Firewalld

Freedombox has enabled by default firewall. But for some reason forwarding for IPv6 is blocked. Add rule to enable it.

$ firewall-cmd –direct –add-rule ipv6 filter FORWARD 0 -i $INT_IFACE \
-o $EXT_IFACE -j ACCEPT

$ firewall-cmd –persistent –direct –add-rule ipv6 filter FORWARD 0 -i $INT_IFACE \
-o $EXT_IFACE -j ACCEPT

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s