You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+1-64
Original file line number
Diff line number
Diff line change
@@ -7,67 +7,4 @@ Disclaimer: I make no claims as to correct function or usability for any purpose
7
7
8
8
## Dealing with dynamic IPs in a home/small office setting
9
9
10
-
### Basic situation
11
-
- A VDSL conection provided by [Deutsche Telekom](https://telekom.de) in Germany with dynamic IPv4 and IPv6 addresses
12
-
- Other providers are probably very similar
13
-
- An [AVM](https://avm.de) FRITZ!Box as the Router, currently running FRITZ!OS 7.29
14
-
- A LAN with multiple devices
15
-
16
-
The provider advertises 1 public, dynamic IPv4 address to the router using DHCPv4.
17
-
18
-
The provider advertises 1 public, dynamic IPv6 address (/64) to the router. In combination with the EUI64 interface identifier of the router WAN interface this forms the public, dynamic IP of the router.
19
-
20
-
The provider additionally advertises 1 public, dynamic IPv6 /56 address prefix to the router. Incoming traffic addressed to IPs from this prefix will be routed to the public, dynamic IP of the router.
21
-
22
-
The router will advertise a /64 subnet of the public, dynamic IPv6 /56 address prefix to the clients on the LAN. They will typically use SLAAC to configure some of their IPv6 addresses based on this prefix.
23
-
24
-
The router generally blocks traffic from the Internet from reaching the LAN clients. But port forwarding rules can be configured to allow certain traffic to reach specific LAN clients.
25
-
- For IPv4 the combination of the public IPv4 address and a port number and a protocol decide if and where packets are forwarded. (There is also an *exposed host* setting that forwards almost all traffic to the public IPv4 address to one LAN client.)
26
-
- ICMP is a special case.
27
-
- For IPv6 the combination of public IPv6 address prefix, subnet specified by FRITZ!OS and the interface identifier forms the public IPv6 address of the LAN client. This in combination with a port number and a protocol decide if and where packets are forwarded.
28
-
- IPv6 forwarding rules hinge on the 64 bit interface identifier of the LAN client. If that IID changes the rule must be adjusted (manually).
29
-
- ICMPv6 is a special case.
30
-
- For the normal LAN the subnet specified by FRITZ!OS is `00`. (For the guest LAN it would be `01`.)
-**IPv6 address prefix advertised to LAN clients:**`2001:dead:cafe::\64`
44
-
45
-
### Issues when trying to have services on LAN clients that are reachable from the Internet
46
-
- All the public IPs are dynamic. They *will* change occasionally.
47
-
- Note: At the time of writing Telekom does not force a change very often. Probably every few weeks to months. However there does not seem to be a fixed schedule so preparations need to be made to handle changes at any time.
48
-
49
-
1. DNS records may need to be updated after a change.
50
-
- For the public IPv4 address and for the public IPv6 address *of the router* the DDNS client in FRITZ!OS can handle this. Note though that the public IPv6 address *of the router* has little practical value unless you want to reach the FRITZ!Box itself.
51
-
- For the public IPv6 addresses of LAN clients the clients will need to handle the updates themselves. It is recommended to use different hostnames than those updated by the DDNS client of FRITZ!OS.
52
-
- Many DDNS services have APIs to allow updates. The details are out of scope for this text.
53
-
2. When IPs change, local firewalls and services on the clients may need to have their configuration adjusted.
54
-
3. When the public IPv6 prefix changes, LAN clients will generate new addresses. By default they will often use pseudo random interface identiers (*SOII*) which will change when the prefix changes. However the FRITZ!OS port forwarding mechanism hinges on identifying the client based on the interface identifier. If it changes the forwarding rule will no longer work! Manual updates of the configuration become necessary in this case.
55
-
- However using stable EUI64 interface identifiers on the relevant LAN clients can solve this problem.
56
-
- Drawback: EUI64 interface identifiers are based on the interface MAC address in a 1:1 mapping. Thus some information about the vendor of the interface will leak to the outside world. If this is a concern then in some cases a manually generated random MAC address can be configured for the interface. This depends on the OS though. For [OpenBSD](https://obenbsd.org) this is known to be possible.
57
-
- Note: For privacy reasons normal clients used mainly for outgoing traffic (web surfing, etc.) should not use stable interface identifiers. SLAAC and SOII will provide good results for this use case.
58
-
4. Detecting changes of the IPv6 prefix can be somewhat challenging.
59
-
- There is no trigger mechanism so polling must be used.
60
-
- Depending on what actions need to be taken when the prefix changes, it may be necessary to know the old and the new prefix, and/or the old and the new IPv6 address.
61
-
- Advertised prefixes and SLAAC take a bit of time to react to changes. E.g. after a reboot it is expected that it will take a few seconds for the IPv6 addresses to become available and stable. An automated solution must take this into account.
62
-
63
-
### Implementation
64
-
65
-
Please note again that this is for [OpenBSD 7.0](https://openbsd.org/70.html). And note that [ksh(1)](https://man.openbsd.org/ksh) is used as the default shell in [OpenBSD](https://openbsd.org).
66
-
67
-
When porting this to a different operating system the [OpenBSD man pages](https://man.openbsd.org/) may be helpful to figure out what this script is supposed to be doing.
68
-
69
-
#### Files
70
-
-`/root/bin/ipv6PrefixCheck.sh` the man script run by cron(8).
71
-
-`/root/bin/ipv6PrefixChanged.em0` one for each relevant interface, named accordingly, created manually to deal with actions.
72
-
-`/root/.lastipv6prefix.em0` one for each relevant interface, named accordingly, created automatically.
73
-
-`/var/log/ipv6prefix.log` log file, created automatically.
0 commit comments