Stateful DHCPv6 server setup in VyOS 1.5x

Overview

In some instances, network administrators may desire more control over address allocation than SLAAC or stateless DHCP offers. In this guide, I'm going to do a quick rundown on how to configure a stateful DHCPv6 server on VyOS 1.5.

This guide assumes the reader understands not only IPv6 networking but also the differences between fully automatic, assisted and managed address configuration. The guide also assumes you have at least one client-facing interface already configured. For reference, our router will have the following example interface configurations:

  1. eth0: WAN (fd99:abcd:0001::1/128)
  2. eth1: LAN (fd34:5678:9abc:de00::/64)

Here, eth0 is configured as a DHCPv6-PD client. Obviously, replace the addresses with your own prefix.

1. Verify interface configuration

show interfaces ethernet eth1

Which should return something like:

eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether bc:24:12:dc:26:0c brd ff:ff:ff:ff:ff:ff
    altname eth0
    inet6 fd34:5678:9abc:de00::1/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::bc24:11ff:fedf:130c/64 scope link 
       valid_lft forever preferred_lft forever

    RX:        bytes   packets  errors  dropped  overrun       mcast
          0   0       0        0        0           0
    TX:        bytes   packets  errors  dropped  carrier  collisions
         0  0       0        0        0           0

2. Configure the DHCPv6 server

Now let's set up our DHCPv6 server.

  1. Enter configuration mode

    config

  2. Create the server and assign it to the LAN interface. Replace LAN1 with your specific shared network name.

    set service dhcpv6-server shared-network-name LAN1 interface eth1

  3. Set the address lease time in seconds

    set service dhcpv6-server shared-network-name LAN1 subnet fd34:5678:9abc:de00::/64 lease-time default 2073600

  4. Set the DNS servers that clients will be told to use. In this example we're using Quad9 privacy DNS

    set service dhcpv6-server shared-network-name LAN1 subnet fd34:5678:9abc:de00::/64 option name-server '2620:fe::fe'

    set service dhcpv6-server shared-network-name LAN1 subnet fd34:5678:9abc:de00::/64 option name-server '2620:fe::9'

  5. Set our address pool range. Note: VyOS allows you to carve out multiple ranges/pools from the same subnet, however we will not be covering that in this guide.

    set service dhcpv6-server shared-network-name LAN1 subnet fd34:5678:9abc:de00::/64 range 1 start 'fd34:5678:9abc:de00::5'

    set service dhcpv6-server shared-network-name LAN1 subnet fd34:5678:9abc:de00::/64 range 1 stop 'fd34:5678:9abc:de00::100'

  6. Assign a subnet ID. Normally a subnet ID is used for a prefix delegation server as part of the address synthesis. However, VyOS still requires one despite the fact that we are not handing out entire prefixes to our clients.

    set service dhcpv6-server shared-network-name LAN1 subnet fd34:5678:9abc:de00::/64 subnet-id '1'

  7. Commit our progress

    commit

3. Configure router advertisements

In the IPv6 world, router advertisements (RAs) are required for all three forms of automatic address configuration. So even though our clients get all their configuration attributes from the DHCP server, we still need to inform them how our network is set up. Without a correctly configured RA, our client will not know if our network is using SLAAC, assisted or managed DHCPv6.

  1. Set up the RA service on the LAN interface

    set service router-advert interface eth1

  2. Set our RAs to tell clients we are using managed DHCPv6

    set service router-advert interface eth1 managed-flag

    set service router-advert interface eth1 other-config-flag

  3. Set our DNS servers. Though redundant, some clients still expect to get DNS information from the RA despite the fact that we're supplying it via DHCP.

    set service router-advert interface eth1 name-server '2620:fe::fe'

    set service router-advert interface eth1 name-server '2620:fe::9'

  4. Set the prefix and route advertisement.

    set service router-advert interface eth1 prefix fd34:5678:9abc:de00::/64 no-autonomous-flag

    Note: At the end of this command we have "no-autonomous-flag". This clears the autonomous (A) flag for the prefix, which tells clients not to generate their own SLAAC addresses (privacy addresses included) from it. Without this flag, clients will auto-assign addresses in addition to the /128 our server will lease them.

    set service router-advert interface eth1 route fd34:5678:9abc:de00::/64

  5. Commit our configuration to apply it, then save it.

    commit

    save && exit
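
One way to catch address typos and pool/RA mismatches before committing, as an added example that is not part of the original guide or of VyOS: a small Python check run over the set commands from sections 2 and 3. The function name `lint` and the `SAMPLE` text are assumptions made for illustration, and prefixes are compared as written (textually).

```python
import ipaddress
import re

# Constructed sample in the style of `show configuration commands`, using this guide's values.
SAMPLE = """\
set service dhcpv6-server shared-network-name LAN1 interface eth1
set service dhcpv6-server shared-network-name LAN1 subnet fd34:5678:9abc:de00::/64 range 1 start 'fd34:5678:9abc:de00::5'
set service dhcpv6-server shared-network-name LAN1 subnet fd34:5678:9abc:de00::/64 range 1 stop 'fd34:5678:9abc:de00::100'
set service router-advert interface eth1 managed-flag
set service router-advert interface eth1 prefix fd34:5678:9abc:de00::/64 no-autonomous-flag
"""

DHCP = r"set service dhcpv6-server shared-network-name (\S+) "
RA = r"set service router-advert interface "

def lint(config: str) -> list:
    """Cross-check DHCPv6 pools against the RA settings; returns a list of findings."""
    text = config.replace("'", "")
    findings = []
    iface = dict(re.findall(DHCP + r"interface (\S+)", text))
    edges = {}
    for net, subnet, rid, edge, addr in re.findall(
            DHCP + r"subnet (\S+) range (\S+) (start|stop) (\S+)", text):
        edges.setdefault((net, subnet, rid), {})[edge] = ipaddress.IPv6Address(addr)
    for (net, subnet, rid), r in edges.items():
        prefix = ipaddress.IPv6Network(subnet)
        start, stop = r.get("start"), r.get("stop")
        if start is None or stop is None:
            findings.append(f"{net} range {rid}: start or stop missing")
        elif start not in prefix or stop not in prefix:
            findings.append(f"{net} range {rid}: address outside {subnet}")
        elif start > stop:
            findings.append(f"{net} range {rid}: start is above stop")
        eth = iface.get(net)
        if eth is None:
            findings.append(f"{net}: no interface assigned")
            continue
        if not re.search(RA + re.escape(eth) + r" managed-flag", text):
            findings.append(f"{eth}: RA managed-flag not set")
        if not re.search(RA + re.escape(eth) + r" prefix " + re.escape(subnet)
                         + r" no-autonomous-flag", text):
            findings.append(f"{eth}: {subnet} is advertised for SLAAC or not at all")
    return list(dict.fromkeys(findings))      # drop duplicates, keep order
```

An empty list means the pool sits inside the subnet and the RA on the same interface announces managed addressing with SLAAC turned off for that prefix.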

Final notes

At this point you should have DHCPv6 service up and running. This guide does not cover troubleshooting; however, I'll provide a few pointers in case you find yourself unable to get the service functioning:

  1. Check for typos! When staring at VyOS configs for hours, it's easy to miss fat-fingered addresses, etc.
  2. Verify your RA configuration. RAs are a common trip hazard for those new to IPv6 networking. If they are not configured exactly right, you can expect wonky behavior.
  3. Verify that solicitations are in fact making it back and forth using your traffic analysis tool of choice (tcpdump, tshark, Wireshark, etc.).
  4. See if your client needs a kick in the pants. If you've verified RAs are making it to your client, try manually initiating an RS: sudo rdisc6 -m <interface>
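
To make the RA check in pointers 2 and 3 concrete, here is an added example (not from the original post) that decodes the M, O and A flags and the DNS option from the raw bytes of a Router Advertisement and names the addressing mode a client would infer. The function names and the sample packet are constructed for illustration; the sample mirrors the eth1 settings from section 3 and is not a capture.

```python
import ipaddress
import struct

def parse_ra(msg: bytes) -> dict:
    """Decode the flags and options of an ICMPv6 Router Advertisement (type 134)."""
    if len(msg) < 16 or msg[0] != 134:
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(msg[5] & 0x80),      # M flag: addresses come from DHCPv6
          "other": bool(msg[5] & 0x40),        # O flag: other settings come from DHCPv6
          "prefixes": [], "rdnss": []}
    pos = 16                                   # options follow the fixed 16-byte header
    while pos + 2 <= len(msg):
        opt_type, opt_len = msg[pos], msg[pos + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or pos + opt_len > len(msg):
            raise ValueError("malformed option")
        body = msg[pos:pos + opt_len]
        if opt_type == 3 and opt_len == 32:    # Prefix Information option
            addr = ipaddress.IPv6Address(body[16:32])
            ra["prefixes"].append({"prefix": f"{addr}/{body[2]}",
                                   "on_link": bool(body[3] & 0x80),
                                   "autonomous": bool(body[3] & 0x40)})  # A flag
        elif opt_type == 25:                   # Recursive DNS Server option
            ra["rdnss"] += [str(ipaddress.IPv6Address(body[i:i + 16]))
                            for i in range(8, opt_len, 16)]
        pos += opt_len
    return ra

def address_mode(ra: dict) -> str:
    """Name the addressing mode a client would infer from the decoded RA."""
    slaac = any(p["autonomous"] for p in ra["prefixes"])
    if ra["managed"]:
        return "managed DHCPv6 + SLAAC" if slaac else "managed DHCPv6 only"
    if ra["other"]:
        return "assisted (SLAAC + stateless DHCPv6)"
    return "SLAAC only" if slaac else "no automatic addressing"

def build_sample_ra(managed=True, other=True, autonomous=False) -> bytes:
    """Constructed RA for eth1 as configured in this guide (checksum left at 0)."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    header = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, 64, 0x80 | (0x40 if autonomous else 0),
                      86400, 14400, 0)
    pio += ipaddress.IPv6Address("fd34:5678:9abc:de00::").packed
    rdnss = struct.pack("!BBHI", 25, 3, 0, 600)
    rdnss += ipaddress.IPv6Address("2620:fe::fe").packed
    return header + pio + rdnss
```

With the guide's configuration, `address_mode(parse_ra(build_sample_ra()))` yields "managed DHCPv6 only"; a result containing "SLAAC" means the prefix is still being advertised with the autonomous flag set.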

In the next post we'll cover RA guarding. So stay tuned to see how to harden your IPv6 network.
