Difference between revisions of "IPv6: Mikrotik: DHCPv6"
Onnowpurbo (talk | contribs) (Created page with "{{Versions|v5.9+}} ==Summary== <p id="shbox"><b>Standards:</b> <code>RFC 3315, RFC 3633</code><br /> <b>Package:</b> <code>dhcp,ipv6</code> </p> Starting from v5.9 DHCP-PD...") |
Onnowpurbo (talk | contribs) |
||
| Line 1: | Line 1: | ||
| − | |||
| − | |||
| − | |||
==Summary== | ==Summary== | ||
| − | + | Standards: RFC 3315, RFC 3633 | |
| − | + | Package: dhcp,ipv6 | |
| − | |||
Starting from v5.9 DHCP-PD server is moved to /ipv6 sub menu | Starting from v5.9 DHCP-PD server is moved to /ipv6 sub menu | ||
Revision as of 10:21, 6 February 2019
Summary
Standards: RFC 3315, RFC 3633 Package: dhcp,ipv6
Starting from v5.9 DHCP-PD server is moved to /ipv6 sub menu
Single DUID is used for client and server identification, only IAID will vary between cients corresponding to their assigned interface.
Client binding creates dynamic pool with timeout set to binding's expiration time (note that now dynamic pools can have a timeout), which will be updated every time binding gets renewed.
When client is bound to prefix, DHCP server adds routing information to know how to reach assigned prefix.
Client bindings in server does not show MAC address anymore (as it was in v5.8), DUID (hex) and IAID are used instead. After upgrade MAC addresses will be converted to DUIDs automatically, but due to unknown DUID type and unknown IAID, they should be further updated by user;
General
Sub-menu: /ipv6 dhcp-server
This sub menu lists and allows to configure DHCP-PD servers.
Properties
Read-only Properties
Bindings
Sub-menu: /ipv6 dhcp-server binding
DUID is used only for dynamic bindings, so if it changes then client will receive different prefix than previously.
Read-only properties
For example, dynamically assigned /62 prefix
[admin@RB493G] /ipv6 dhcp-server binding> print detail
Flags: X - disabled, D - dynamic
0 D address=2a02:610:7501:ff00::/62 duid="1605fcb400241d1781f7" iaid=0
server=local-dhcp life-time=3d status=bound expires-after=2d23h40m10s
last-seen=19m50s
1 D address=2a02:610:7501:ff04::/62 duid="0019d1393535" iaid=2
server=local-dhcp life-time=3d status=bound expires-after=2d23h43m47s
last-seen=16m13s
Menu specific commands
Rate limiting
It is possible to set a bandwidth to a specific IPv6 address by using DHCPv6 bindings. This can be done by setting a rate limit on the DHCPv6 binding itself, by doing this a dynamic simple queue rule will be added for the IPv6 address that corresponds to the DHCPv6 binding. By using the rate-limit parameter you can conveniently limit a user's bandwidth.
First, make the DHCPv6 binding static, otherwise it will not be possible to set a rate limit to a DHCPv6 binding:
[admin@MikroTik] > /ipv6 dhcp-server binding print Flags: X - disabled, D - dynamic # ADDRESS DUID SERVER STATUS 0 D fdb4:4de7:a3f8:418c::/66 0x6c3b6b7c413e DHCPv6_Server bound [admin@MikroTik] > /ipv6 dhcp-server binding make-static 0 [admin@MikroTik] > /ipv6 dhcp-server binding print Flags: X - disabled, D - dynamic # ADDRESS DUID SERVER STATUS 0 fdb4:4de7:a3f8:418c::/66 0x6c3b6b7c413e DHCPv6_Server bound
Then you need can set a rate to a DHCPv6 binding that will create a new dynamic simple queue entry:
[admin@MikroTik] > /ipv6 dhcp-server binding set 0 rate-limit=10M/10
[admin@MikroTik] > /queue simple print
Flags: X - disabled, I - invalid, D - dynamic
0 D name="dhcp<6c3b6b7c413e fdb4:4de7:a3f8:418c::/66>" target=fdb4:4de7:a3f8:418c::/66 parent=none packet-marks="" priority=8/8 queue=default-small/default-small limit-at=10M/10M max-limit=10M/10M burst-limit=0/0 burst-threshold=0/0
burst-time=0s/0s bucket-size=0.1/0.1
If allow-dual-stack-queue is enabled, then a single dynamic simple queue entry will be created containing both IPv4 and IPv6 addresses:
[admin@MikroTik] > /queue simple print
Flags: X - disabled, I - invalid, D - dynamic
0 D name="dhcp-ds<6C:3B:6B:7C:41:3E>" target=192.168.1.200/32,fdb4:4de7:a3f8:418c::/66 parent=none packet-marks="" priority=8/8 queue=default-small/default-small limit-at=10M/10M max-limit=10M/10M burst-limit=0/0 burst-threshold=0/0
burst-time=0s/0s bucket-size=0.1/0.1
RADIUS Support
Since RouterOS v6.43 it is possible to use RADIUS to assign a rate-limit per DHCPv6 binding, to do so you need to pass the Mikrotik-Rate-Limit attribute from your RADIUS Server for your DHCPv6 binding. To achieve this you first need to set your DHCPv6 Server to use RADIUS for assigning bindings. Below is an example how to set it up:
/radius add address=10.0.0.1 secret=VERYsecret123 service=dhcp /ipv6 dhcp-server set dhcp1 use-radius=yes
After that you need to tell your RADIUS Server to pass the Mikrotik-Rate-Limit attribute. In case you are using FreeRADIUS with MySQL, then you need to add appropriate entries into radcheck and radreply tables for a MAC address, that is being used for your DHCPv6 Client. Below is an example for table entries:
INSERT INTO `radcheck` (`username`, `attribute`, `op`, `value`) VALUES
('000c4200d464', 'Auth-Type', ':=', 'Accept'),
INSERT INTO `radreply` (`username`, `attribute`, `op`, `value`) VALUES
('000c4200d464', 'Delegated-IPv6-Prefix', '=', 'fdb4:4de7:a3f8:418c::/66'),
('000c4200d464', 'Mikrotik-Rate-Limit', '=', '10M');
Configuration Examples
Enabling IPv6 Prefix delegation
Lets consider that we already have running DHCP server.
To enable IPv6 prefix delegation, first we need to create address pool
/ipv6 pool add name=myPool prefix=2001:db8:7501::/60 prefix-length=62
Notice that prefix-length is 62 bits, it means that clients will receive /62 prefixes from the /60 pool.
Next step is to enable DHCP-PD.
/ipv6 dhcp-server add name=myServer address-pool=myPool interface=local
To test our server we will set up wide-dhcpv6 on ubuntu machine:
- install wide-dhcpv6-client
- edit "/etc/wide-dhcpv6/dhcp6c.conf" as above
interface eth2{
send ia-pd 0;
};
id-assoc pd {
prefix-interface eth3{
sla-id 1;
sla-len 2;
};
};
- Run DHCP-PD client
sudo dhcp6c -d -D -f eth2
- Verify that prefix was added to eth3
mrz@bumba:/media/aaa$ ip -6 addr
..
2: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:db8:7501:1:200:ff:fe00:0/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::224:1dff:fe17:81f7/64 scope link
valid_lft forever preferred_lft forever
- You can make binding to specific client static, so that it always receives the same prefix
[admin@RB493G] /ipv6 dhcp-server binding> print Flags: X - disabled, D - dynamic # ADDRESS DU IAID SER.. STATUS 0 D 2001:db8:7501:1::/62 16 0 loc.. bound [admin@RB493G] /ipv6 dhcp-server binding> make-static 0
- DHCP-PD also installs route to assigned prefix into IPv6 routing table
[admin@RB493G] /ipv6 route> print Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable # DST-ADDRESS GATEWAY DISTANCE
...
2 ADS 2001:db8:7501:1::/62 fe80::224:1dff:fe17:8... 1