Routing

Expand all | Collapse all

Subscriber management and dhcpv6 renew

Jump to Best Answer
  • 1.  Subscriber management and dhcpv6 renew

    Posted 08-27-2018 10:34

    Hello everyone.

    I`ve encountered a problem with subscriber management and dhcpv6.

    I`ve got subscriber with ipv6 enabled that i should disable access to Internet.

    For that purpose i`ve got dynamic-profile OFF_V6 that looks like this:

     

    And if i enable it for subs i`ve got problems with dhcpv6 renew.

    And it looks like this for now:

    firewall {
        family inet6 {
            filter "$filter_in_v6" {
                interface-specific;
                term ACCEPT-DHCP-V6 {
                    from {
                        next-header udp;
                        source-port 546;
                        destination-port 547;
                    }
                    then accept;
                }
                term ACCEPT-DHCP-V6-2 {
                    from {
                        next-header udp;
                        source-port 547;
                        destination-port 546;
                    }
                    then accept;
                }
                term ICMP-V6 {
                    from {
                        icmp-type [ certificate-path-advertisement certificate-path-solicitation destination-unreachable home-agent-address-discovery-reply home-agent-address-discovery-request inverse-neighbor-discovery-advertisement inverse-neighbor-discovery-solicitation membership-query membership-report membership-termination mobile-prefix-advertisement-reply mobile-prefix-solicitation neighbor-advertisement neighbor-solicit node-information-reply node-information-request packet-too-big parameter-problem redirect router-advertisement
                        router-renumbering router-solicit time-exceeded ];
                    }
                    then accept;
                }
                term REJECT {
                    then discard;
                }
            }
        }
    

    There is some garbage - i tried to figure out what to add )

     

    Session starts and if subscriber has profile OFF_V6 instead of renew i got release from client. If i disable this profile everything works fine.

    19:31:28.173431  In IP6 fe80::9ade:d0ff:fe89:e375 > ff02::2: ICMP6, router solicitation , length 16
    19:31:28.173609 Out IP6 fe80::ab2:58ff:fe26:c54d > ff02::1: ICMP6, router advertisement, length 24
    19:31:31.129367  In IP6 2a00:f440:a:3::210d > ff02::2: ICMP6, router solicitation , length 16
    19:31:31.129528 Out IP6 fe80::ab2:58ff:fe26:c54d > ff02::1: ICMP6, router advertisement, length 24
    19:31:31.869664  In IP6 fe80::9ade:d0ff:fe89:e375 > 2a00:f440:a:3::1: ICMP6, neighbor solicitation, who has 2a00:f440:a:3::1, length 32
    19:31:31.869827 Out IP6 2a00:f440:a:3::1 > fe80::9ade:d0ff:fe89:e375: ICMP6, neighbor advertisement, tgt is 2a00:f440:a:3::1, length 24
    19:31:37.857763  In IP6 fe80::9ade:d0ff:fe89:e375 > fe80::ab2:58ff:fe26:c54d: ICMP6, neighbor solicitation, who has fe80::ab2:58ff:fe26:c54d, length 32
    19:31:37.857932 Out IP6 2a00:f440:a:3::1 > fe80::9ade:d0ff:fe89:e375: ICMP6, neighbor advertisement, tgt is fe80::ab2:58ff:fe26:c54d, length 24
    19:32:14.925980  In IP6 fe80::9ade:d0ff:fe89:e375.546 > ff02::1:2.547: dhcp6 Release

     

     



  • 2.  RE: Subscriber management and dhcpv6 renew
    Best Answer

    Posted 08-28-2018 01:05

    Problem solved by allowing cpe with no Internet access to ping link-local addresses.

    Some CPE (like TP-Link routers) always ping google dns and link-local address. If ping discarded then it starts address neogation process from very beginning.