IPv6 assignment and lifetime

Help
,
1

Hi,
after setting Pi-hole up and also activating the DHCP service, I've noticed that I should assign my RaspberryPi a static IP-Address as I wasn't able to connect to it using SSH without the DHCP service running. To resolve this issue I've added these few lines at the end of my /etc/dhcpcd.conf:

# static ip setup
interface eth0
static ip_address=192.168.2.2/24
static routers=192.168.2.1
static domain_name_servers=192.168.2.2

Now I tried to setup port sharing on my Fritz!Box to be able to connect to some services from outside my home network. After some failing attempts I've noticed that all my devices, except that RaspberryPi running Pi-hole, have a IPv4 address (over DS-Lite) and multiple IPv6 addresses.
What ip addr returns to me on my PC running Manjaro Linux:

enp0s31f6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether x:x:x:x:x:x brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.20/24 brd 192.168.2.255 scope global dynamic noprefixroute enp0s31f6
       valid_lft 595667sec preferred_lft 595667sec
    inet6 2a02:x:x:x:x:x:x:x/64 scope global dynamic noprefixroute 
       valid_lft 6958sec preferred_lft 3358sec
    inet6 fe80::x:x:x:x/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

If I understand it right, one address is calculated based on my MAC address, lasts forever and is used for connections coming in and the other address is random, lasts only for a limited time and is used for outgoing connections and thus displayed when using curl https://wtfismyip.com/text.
Does static really mean that I don't even need a DDNS service to access this PC from somewhere else?

On my RaspberryPi running RaspberryPi OS 64bit ifconfig -a returns:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.2  netmask 255.255.255.0  broadcast 192.168.2.255
        inet6 fe80::x:x:x:x  prefixlen 64  scopeid 0x20<link>
        ether x:x:x:x:x:x  txqueuelen 1000  (Ethernet)
        RX packets 2083113  bytes 1038306946 (990.2 MiB)
        RX errors 0  dropped 531322  overruns 0  frame 0
        TX packets 864623  bytes 216914725 (206.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

It seams like my RaspberryPi also has an IPv6 address but when using curl https://wtfismyip.com/text I only get an IPv4 address. Is this probably the static address for incoming connections?

In the end I would like my RaspberryPi to also have one random address to stay kind of anonym and one static address to access it from elsewhere. Is something wrong with my Pi-hole setup or do I have to change something in my /etc/dhcpcd.conf?

Thanks in advance, I really appreciate all your work.
Leon

Debug Token:
https://tricorder.pi-hole.net/6e1rekjs5q

2

How does DS-lite come into play here? The DHCP server (on the Pi-hole) should be the only thing responsible for IPv4 addresses in your network (let aside IPv6 for now). It seems something isn't quite right in your network? Are you sure you disabled DHCP in your router? Maybe the router has a bug and didn't really disable it?

You should not obfuscate the first 4 address octets of the address, e.g., 2002 or fe80. They define the type of the address and will not leak any kind of information about your address. Instead, they will allow us to give you better advise because we know what we're talking about.

Please un-obfuscate the addresses slightly.

My guess is that the "permanent" address you are talking about is a fe80 address, i.e., a link-local. It will only work inside your home network and is not reachable from the outside. It has a scope of only the link (= the wired/wireless network after your router)

This is shown by the scope link

The other address is able to communicate with the entire world, hence the scope global

We'll see once you un-obfuscated a bit above but this here shoudl already be helpful :slight_smile:

3

Sorry, I think I wasn't very clear about this. I meant the external IPv4 addresses which are the same for every device in my network. The DHCP setup seems to work so far. Every device but my RaspberryPi gets their internal IPv4 address from Pi-hole.
I have a Fritz!Box 6591 Cable running the newest OS (07.13). Under "Home Network -> Network -> Network Settings" I disabled the DHCP server for IPv4 I've got these settings for IPv6:

image
image1613×409 73.7 KB

I wasn't sure how much I should hide, but now I've added the first 4 characters of every IPv6 address.

Thank you for your explanation about the scopes. But I think the scope link address is kind of visible in the internet:
When I create a port sharing for my PC the Fritz!Box tells me the IPv6 address for this sharing in the internet. This IP address starts with 2a02 and ends with the scope link address except fe80.

4

Okay, your DHCP settings look correct.

No, for sure not.

This is possible but then the device needs to have this address as well (starting in 2a02 !). If this is not the case (it doesn't appear to be the case in your details above), then the Fritzbox has to do some internal routing. So whenever it receives something on 2a02::a:b:c:d it re-routes this internally and sends it to fe80::a:b:c:d where your device can actually be reached. While this is technically possible, it would not be a very elegant solution.
Are you sure the address shown by the Fritzbox is mentioned nowhere on the device itself?

5

I found the address on a Windows partition on my device which I don't use that often:

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : lan
   IPv6 Address. . . . . . . . . . . : 2a02:x:x:x:x:x:x:x
   Temporary IPv6 Address. . . . . . : 2a02:x:x:x:x:x:x:x
   Link-local IPv6 Address . . . . . : fe80::x:x:x:x%14
   IPv4 Address. . . . . . . . . . . : 192.168.2.20
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::x:x:x:x%14
                                       192.168.2.1

(It's the "IPv6 Address", not the temporary one)
I thought that both systems would have the same IPv6 addresses like they have the same IPv4 address.

Okay, so this mystery is seems to be solved, thank you.

This means that my RaspberryPi not having a global scope IPv6 has to do with my static IP setup in that /etc/dhcpcd.conf?

6

As far as I know (I don't know Windows very well, but I read what others write), Windows adds the "temporary IPv6 address" just in addition (it generates it by itself):

The address you are looking for, which is (permanently) reachable from the web is the other one

Linux (so also your Pi-hole) typically doesn't do the temporary address stuff unless explicitly enabled for a few reasons we have only recently discussion somewhere else on this forum. TL;DR: Many consider the effect of this additional privacy very minor to even not existing at all.

The address you are seeing on your Pi-hole

is the one you are looking for on this box. It tells you that this address isn't valid forever because it really isn't. At some point, the address expires. You may get the same address again, it depends on your ISP and if you always get the same prefix.

The only difference here is that Windows doesn't tell you about the fast that this address isn't valid forever, neither does it tell you for how long the current address can be counted on.

Hmm, I'm not sure about this, but the last time I checked this is a long time ago. My configuration in /etc/dhcpcd.conf basically looks the same (+/- the CIDR)

 static ip_address=192.168.4.4
 static routers=192.168.4.1
 static domain_name_servers=192.168.4.1

but my IPv6 connectivity is working fine:

$ ip -6 a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000

    inet6 2003:x:x:x:x:x:x:x/64 scope global noprefixroute dynamic 
       valid_lft 604798sec preferred_lft 86398sec # <---- this address is currently in use

    inet6 2003:y:y:y:y:y:y:y/64 scope global deprecated noprefixroute dynamic 
       valid_lft 511879sec preferred_lft 0sec # <---- this address has expired (I got a new prefix from my ISP)

    inet6 fe80::a:a:a:a/64 scope link 
       valid_lft forever preferred_lft forever # <---- this is the link-local address
7

Thank you. Yes. I have nothing to add to this.

8

Thank you both for your replies.

I've found that conversation and get why privacy extension doesn't help at all.

I finally solved the problem with my RaspberryPi not having a global scope IPv6 even though I don't really know why. I've only set my static ip setup as a fallback if there is no DHCP server available.

One final question as I'm new around here: Can I mark multiple replies as a solution? I think all your replies helped me to figure it out.

9

No, the idea is to mark a post as solution so users with a identical/similar problem can find the solution very quickly. If the solution is to run a specific single command, this can be helpful, however, as you already said, in this discussion the journey was the reward. Anyone with a similar question will have to go through everything to fully understand it.

2 Likes
10

All right, thank you.
So in this case I don't mark any post as the solution and simply let the discussion be closed after 3 weeks?

11

I'd say you can mark anything (even my last answer explaining why there is no single answer :wink: ) as "answer". This will show the topic as solved which may be more encouraging users to look at this again in the future.

12

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.