November 15, 20241 yr Following my previous post IPv6 is working, superb BUT I found an ... unwanted behavior. I've defined a static IPv6 on my PiHole DoT Doh container = Fixed IP address (optional): [192.168.1.2, 2606:6d00:xxxx:xxxx::1:2] Subnet: 192.168.1.0/24, 2606:6d00:xxxx:xxxx::/64 Now to be super sure that all my DNS queries goes to my PiHole to forward queries to Cloudflare via DoH, I made some Firewall Ingress LAN rules on my router. Essentially, Block all ports 53 and 853 from entering the routers from the LAN EXCEPT my PiHole (v4 and v6 defined up there), Unraid and my own gateway's interface Ip. Block all traffic destined to any of the IPs (v4 or v6) of known public DNS supporting DoH (Ain't nothing bypassing my own DNS server trying to use DoH themselves) So following that ... I had a lot of instability for my dns requests, timeouts and such. I went inside my PiHole container's Shell and did some tests. IPv4 was working fine, IPv6, not so much, could not reach cloudflare with a ping ... I did an ip addr : Oh there is the culprit, the container had assigned himself a routable v6 IP trough SLAAC beside the link local and the static IP defined in the GUI. Added the IP to my allow list on my firewall, Problem fixed ! Now ... I don't want my containers configured with a Fixed IP to go and get another One trough SLAAC (or even generating a link local?). I tried this in "Extra parameters" with no success : --sysctl net.ipv6.conf.all.autoconf=0 --sysctl net.ipv6.conf.all.accept_ra=0 Even after adding that, and restarting the container, when i shell into the container and do an ip addr, the damn SLAAC IPv6 address is still there ... any idea on what I could do ? fun fact, I added --sysctl net.ipv6.conf.all.disable_ipv6=1 to 2 of my containers that were not playing nice with cookies exchange, and it effectively disabled IPv6 on those containers.
November 16, 20241 yr Community Expert First of all: I go with you! I also seek a "legal" way to disable SLAAC. But almost every OS today has turned it on (even Microsoft reverted to it although former versions honored the "static only" request correctly). What you need to do is to add the MAC address to your firewall instead of the IP! This is common now because the providers usually only offer dynamic prefixes today. So you need to prepare your setup to dynamic addresses. (It's somewhat a step 20yrs backwards, but its the only thing guaranteed to work)
November 30, 20241 yr Author I don't have a problem with dynamic adresses per say, and my isp provides static Prefixes on demand, so i'm good there. I am just super annoyed that a device (container) I set with a static IPv6 adresse still gets a SLAAC one on the side
November 30, 20241 yr Community Expert 3 hours ago, Altheran said: I am just super annoyed that a device (container) I set with a static IPv6 adresse still gets a SLAAC one on the side If you have a static prefix, you do not need to worry about this. Just dont publish the SLAAC address and you are done with it. And, as I said already, the same happens on almost ANY other OS I know. No way to turn it off. Usually an address or more do not hurt anybody. The only OSs that really do what you want (and expect, I agree) are BSD based. They just create SLAAC if they are asked for by the router as defined in the RFCs. But Linux (and Windows) are rather poor copys when it comes to networking. They think they "need to help" the user too much in my opinion. This often ends into automatics that have dubious benefit.
December 3, 20241 yr Author On 11/30/2024 at 12:37 AM, MAM59 said: If you have a static prefix, you do not need to worry about this. Just dont publish the SLAAC address and you are done with it. And, as I said already, the same happens on almost ANY other OS I know. No way to turn it off. Usually an address or more do not hurt anybody. The only OSs that really do what you want (and expect, I agree) are BSD based. They just create SLAAC if they are asked for by the router as defined in the RFCs. But Linux (and Windows) are rather poor copys when it comes to networking. They think they "need to help" the user too much in my opinion. This often ends into automatics that have dubious benefit. The issue was that my pi-hole container was making upstream dns queries using the automatic Address that I did not configure and did not allows trough my firewall (Because I had specifically configured a fixed IP !), so I had MASSIVE dns timeouts until I also allowed the surprise SLAAC IP. That behavior is gonna be a PAIN to manage in larger organizations .... some "quirks" of IPv6 are still to be polished ...
December 3, 20241 yr Community Expert 28 minutes ago, Altheran said: some "quirks" of IPv6 are still to be polished This is no Problem of IPv6, just the implementation in Linux and Windows is very faulty. The original IPv6 only allows SLAAC "on request", first some OSs started to include it as default, later on they even did not allow to turn it off anymore. So, they have introduced the problem which did not exist before. Windows is even worse, it also has turned on privacy extensions by default, so computers get another, ever-changing, address. But the firewall problem with a static prefix can be easily resolved, just allow ANY outgoing traffic from this prefix and you are done. I only filter incoming stuff. (addon: it MAY be a fault of your router too. If he annouces #64 ('o') in raflags, it tells the clients to use SLAAC. Check it out. But at least Windows does not honor this bit and always activates SLAAC, whatever you do. Linux (including UNRAID) works correctly then, so I would say: check your router!) Edited December 3, 20241 yr by MAM59
December 3, 20241 yr Author 11 hours ago, MAM59 said: This is no Problem of IPv6, just the implementation in Linux and Windows is very faulty. The original IPv6 only allows SLAAC "on request", first some OSs started to include it as default, later on they even did not allow to turn it off anymore. So, they have introduced the problem which did not exist before. Windows is even worse, it also has turned on privacy extensions by default, so computers get another, ever-changing, address. But the firewall problem with a static prefix can be easily resolved, just allow ANY outgoing traffic from this prefix and you are done. I only filter incoming stuff. (addon: it MAY be a fault of your router too. If he annouces #64 ('o') in raflags, it tells the clients to use SLAAC. Check it out. But at least Windows does not honor this bit and always activates SLAAC, whatever you do. Linux (including UNRAID) works correctly then, so I would say: check your router!) The outgoing rule is planned, I want to block all other clients (Except my UNRAID server itself and my router) on my LAN from making DNS queries anywhere else but my Pi-Hole. And I DID enable RA in my router, I want my devices on my LAN to use SLAAC. I don't have issues with SLAAC by itself. It's just that when I configure a "STATIC" IPv6 on a device, I don't want it to go out of it's way and not use said Static IPv6 ;). Edited December 3, 20241 yr by Altheran
December 3, 20241 yr Community Expert 29 minutes ago, Altheran said: I want my devices on my LAN to use SLAAC. I don't have issues with SLAAC by itself. It's just that when I configure a "STATIC" IPv6 on a device, I don't want it to go out of it's way and not use said Static IPv6 ;). Aaaah! now we found the culprit ! 🙂 You think, you could overrule the RA with a static address, thats wrong. Its no bug, its a feature. V6 is designed to use multiple addresses from different sources, by enabling a scheme you add an address, you do not prohibit others. For instance, you could tell your router to annouce "o" + "m" (#128) which would result for each client to generate an SLAAC address and to ask for another address from a DHCP6 server. You need to keep your UNRAID from receiving these RA packets from your router. Then the SLAAC address will vanish (after a reboot).
December 6, 20241 yr Author On 12/3/2024 at 1:32 PM, MAM59 said: Aaaah! now we found the culprit ! 🙂 You think, you could overrule the RA with a static address, thats wrong. Its no bug, its a feature. V6 is designed to use multiple addresses from different sources, by enabling a scheme you add an address, you do not prohibit others. For instance, you could tell your router to annouce "o" + "m" (#128) which would result for each client to generate an SLAAC address and to ask for another address from a DHCP6 server. You need to keep your UNRAID from receiving these RA packets from your router. Then the SLAAC address will vanish (after a reboot). Ok, now we are getting somewhere. I tried this in "Extra parameters" in my containers with no success : --sysctl net.ipv6.conf.all.autoconf=0 --sysctl net.ipv6.conf.all.accept_ra=0 Soooo, what else is there for me to try ?
December 6, 20241 yr Community Expert 48 minutes ago, Altheran said: Soooo, what else is there for me to try ? Nonono, you've got me wrong... There is no parameter that you can set to turn it off. IPV6 works the other way round. Somebody (usually the router) requests SLAAC, the receiving machines just obey. You have to configure your firewall so that the UNRAID host does not get the Router Advertisment Packet (the request) from your router. Unless you have a DHCP6 Server in your LAN, SLAAC must be turned on for the other machines. But to prevent the additional address being set on Unraid, you need to filter out these packets. Try to filter "protocol icmp6, icmptype 134". (note, that by filtering them out you will also prevent Unraid from getting other config data like default gateway (6) and dns servers (6). You have to set them manually too.) Edited December 6, 20241 yr by MAM59
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.