Manual:IPv6/DHCP Server: Difference between revisions

From MikroTik Wiki
Jump to navigation Jump to search
mNo edit summary
 
(8 intermediate revisions by one other user not shown)
Line 7: Line 7:
<b>Package:</b> <code>dhcp,ipv6</code>
<b>Package:</b> <code>dhcp,ipv6</code>
</p>
</p>
Starting from v5.9 DHCP-PD server is moved to /ipv6 sub menu
Single DUID is used for client and server identification, only IAID will vary between cients corresponding to their assigned interface.
Single DUID is used for client and server identification, only IAID will vary between cients corresponding to their assigned interface.


Line 17: Line 14:


Client bindings in server does not show MAC address anymore (as it was in v5.8), DUID (hex) and IAID are used instead. After upgrade MAC addresses will be converted to DUIDs automatically, but due to unknown DUID type and unknown IAID, they should be further updated by user;
Client bindings in server does not show MAC address anymore (as it was in v5.8), DUID (hex) and IAID are used instead. After upgrade MAC addresses will be converted to DUIDs automatically, but due to unknown DUID type and unknown IAID, they should be further updated by user;
 
{{ Note |RouterOS DHCPv6 server can only delegate IPv6 prefixes, not addresses. }}
==General==
==General==
<p id="shbox"><b>Sub-menu:</b> <code>/ipv6 dhcp-server</code></p>
<p id="shbox"><b>Sub-menu:</b> <code>/ipv6 dhcp-server</code></p>
Line 276: Line 273:
|desc=Set dynamic binding as static.
|desc=Set dynamic binding as static.
}}
}}
===Rate limiting===
It is possible to set a bandwidth to a specific IPv6 address by using DHCPv6 bindings. This can be done by setting a rate limit on the DHCPv6 binding itself, by doing this a dynamic simple queue rule will be added for the IPv6 address that corresponds to the DHCPv6 binding. By using the <code>rate-limit</code> parameter you can conveniently limit a user's bandwidth.
{{ Note | For any queues to work properly, the traffic must not be [[ Manual:IP/Fasttrack | FastTracked]], make sure your Firewall does not FastTrack traffic that you want to limit. }}
First, make the DHCPv6 binding static, otherwise it will not be possible to set a rate limit to a DHCPv6 binding:
<pre>
[admin@MikroTik] > /ipv6 dhcp-server binding print
Flags: X - disabled, D - dynamic
#  ADDRESS                      DUID                      SERVER                      STATUS
0 D fdb4:4de7:a3f8:418c::/66    0x6c3b6b7c413e            DHCPv6_Server              bound
[admin@MikroTik] > /ipv6 dhcp-server binding make-static 0
[admin@MikroTik] > /ipv6 dhcp-server binding print
Flags: X - disabled, D - dynamic
#  ADDRESS                      DUID                      SERVER                      STATUS
0  fdb4:4de7:a3f8:418c::/66    0x6c3b6b7c413e            DHCPv6_Server              bound 
</pre>
Then you need can set a rate to a DHCPv6 binding that will create a new dynamic simple queue entry:
<pre>
[admin@MikroTik] > /ipv6 dhcp-server binding set 0 rate-limit=10M/10
[admin@MikroTik] > /queue simple print   
Flags: X - disabled, I - invalid, D - dynamic
0  D name="dhcp<6c3b6b7c413e fdb4:4de7:a3f8:418c::/66>" target=fdb4:4de7:a3f8:418c::/66 parent=none packet-marks="" priority=8/8 queue=default-small/default-small limit-at=10M/10M max-limit=10M/10M burst-limit=0/0 burst-threshold=0/0
      burst-time=0s/0s bucket-size=0.1/0.1
</pre>
{{ Note | By default <code>allow-dual-stack-queue</code> is enabled, this will add a single dynamic simple queue entry for both DCHPv6 binding and DHCPv4 lease, without this option enabled separate dynamic simple queue entries will be added for IPv6 and IPv4. }}
If <code>allow-dual-stack-queue</code> is enabled, then a single dynamic simple queue entry will be created containing both IPv4 and IPv6 addresses:
<pre>
[admin@MikroTik] > /queue simple print
Flags: X - disabled, I - invalid, D - dynamic
0  D name="dhcp-ds<6C:3B:6B:7C:41:3E>" target=192.168.1.200/32,fdb4:4de7:a3f8:418c::/66 parent=none packet-marks="" priority=8/8 queue=default-small/default-small limit-at=10M/10M max-limit=10M/10M burst-limit=0/0 burst-threshold=0/0
      burst-time=0s/0s bucket-size=0.1/0.1
</pre>
====RADIUS Support====
Since RouterOS v6.43 it is possible to use RADIUS to assign a rate-limit per DHCPv6 binding, to do so you need to pass the <var>Mikrotik-Rate-Limit</var> attribute from your RADIUS Server for your DHCPv6 binding. To achieve this you first need to set your DHCPv6 Server to use RADIUS for assigning bindings. Below is an example how to set it up:
<pre>
/radius
add address=10.0.0.1 secret=VERYsecret123 service=dhcp
/ipv6 dhcp-server
set dhcp1 use-radius=yes
</pre>
After that you need to tell your RADIUS Server to pass the <var>Mikrotik-Rate-Limit</var> attribute. In case you are using FreeRADIUS with MySQL, then you need to add appropriate entries into '''radcheck''' and '''radreply''' tables for a MAC address, that is being used for your DHCPv6 Client. Below is an example for table entries:
<pre>
INSERT INTO `radcheck` (`username`, `attribute`, `op`, `value`) VALUES
('000c4200d464', 'Auth-Type', ':=', 'Accept'),
INSERT INTO `radreply` (`username`, `attribute`, `op`, `value`) VALUES
('000c4200d464', 'Delegated-IPv6-Prefix', '=', 'fdb4:4de7:a3f8:418c::/66'),
('000c4200d464', 'Mikrotik-Rate-Limit', '=', '10M');
</pre>
{{ Note | By default <var>allow-dual-stack-queue</var> is enabled and will add a single dynamic queue entry if the MAC address from the IPv4 lease (or DUID, if the DHCPv4 Client supports <code>Node-specific Client Identifiers</code> from RFC4361), but DUID from DHCPv6 Client is not always based on the MAC address from the interface on which the DHCPv6 Client is running on, DUID is generated on per-device basis. For this reason a single dynamic queue entry might not be created, separate dynamic queue entries might be created instead. }}


==Configuration Examples==
==Configuration Examples==

Latest revision as of 09:03, 15 September 2020

Applies to RouterOS: v5.9+


Summary

Standards: RFC 3315, RFC 3633
Package: dhcp,ipv6

Single DUID is used for client and server identification, only IAID will vary between cients corresponding to their assigned interface.

Client binding creates dynamic pool with timeout set to binding's expiration time (note that now dynamic pools can have a timeout), which will be updated every time binding gets renewed.

When client is bound to prefix, DHCP server adds routing information to know how to reach assigned prefix.

Client bindings in server does not show MAC address anymore (as it was in v5.8), DUID (hex) and IAID are used instead. After upgrade MAC addresses will be converted to DUIDs automatically, but due to unknown DUID type and unknown IAID, they should be further updated by user;

Note: RouterOS DHCPv6 server can only delegate IPv6 prefixes, not addresses.


General

Sub-menu: /ipv6 dhcp-server

This sub menu lists and allows to configure DHCP-PD servers.

Properties

Property Description
address-pool (enum | static-only; Default: static-only) IPv6 pool, from which to take IPv6 prefix for the clients.
authoritative (after-10sec-delay | after-2sec-delay | yes | no; Default: after-2sec-delay) Whether the DHCP server is the only one DHCP server for the network:
  • after-10sec-delay - to clients request for an address, dhcp server will wait 10 seconds and if there is another request from the client after this period of time, then dhcp server will offer the address to the client or will send DHCPNAK, if the requested address is not available from this server
  • after-2sec-delay - to clients request for an address, dhcp server will wait 2 seconds and if there is another request from the client after this period of time, then dhcp server will offer the address to the client or will send DHCPNAK, if the requested address is not available from this server
  • yes - to clients request for an address that is not available from this server, dhcp server will send negative acknowledgment (DHCPNAK)
  • no - dhcp server ignores clients requests for addresses that are not available from this server
binding-script (string; Default: ) Script that will be executed after binding is assigned or de-assigned. Internal "global" variables that can be used in the script:
  • bindingBound - set to "1" if bound, otherwise set to "0"
  • bindingServerName - dhcp server name
  • bindingDUID - DUID
  • bindingAddress - active address
  • bindingPrefix - active prefix
delay-threshold (time | none; Default: none) If secs field in DHCP packet is smaller than delay-threshold, then this packet is ignored. If set to none - there is no threshold (all DHCP packets are processed)
disabled (yes | no; Default: no) Whether DHCP-PD server participate in prefix assignment process.
interface (string; Default: ) Interface on which server will be running.
lease-time (time; Default: 3d) The time that a client may use the assigned address. The client will try to renew this address after a half of this time and will request a new address after time limit expires.
name (string; Default: ) Reference name


Read-only Properties

Property Description
dynamic (yes | no)
invalid (yes | no)

Bindings

Sub-menu: /ipv6 dhcp-server binding


DUID is used only for dynamic bindings, so if it changes then client will receive different prefix than previously.


Property Description
address (IPv6 prefix; Default: ) IPv6 prefix that will be assigned to the client
allow-dual-stack-queue (yes | no; Default: yes) Creates a single simple queue entry for both IPv4 and IPv6 addresses, uses the MAC address and DUID for identification. Requires IPv4 DHCP Server to have this option enabled as well to work properly.
comment (string; Default: ) Short description of an item.
disabled (yes | no; Default: no) Whether item is disabled
dhcp-option (string; Default: ) Add additional DHCP options from option list.
dhcp-option-set (string; Default: ) Add additional set of DHCP options.
life-time (time; Default: 3d) Time period after which binding expires/
duid (hex string; Default: ) DUID value. Should be specified only in hexadecimal format.
iaid (integer [0..4294967295]; Default: ) Identity Association Identifier, part of the Client ID.
prefix-pool (string; Default: ) Prefix pool that is being advertised to the DHCPv6 Client.
rate-limit (integer[/integer] [integer[/integer] [integer[/integer] [integer[/integer]]]]; Default: ) Adds a dynamic simple queue to limit IP's bandwidth to a specified rate. Requires the lease to be static. Format is: rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time]]]]. All rates should be numbers with optional 'k' (1,000s) or 'M' (1,000,000s). If tx-rate is not specified, rx-rate is as tx-rate too. Same goes for tx-burst-rate and tx-burst-threshold and tx-burst-time. If both rx-burst-threshold and tx-burst-threshold are not specified (but burst-rate is specified), rx-rate and tx-rate is used as burst thresholds. If both rx-burst-time and tx-burst-time are not specified, 1s is used as default.
server (string | all; Default: all) Name of the server. If set to all, then binding applies to all created DHCP-PD servers.


Read-only properties

Property Description
dynamic (yes | no) Whether item is dynamically created.
expires-after (time) Time period after which binding expires.
last-seen (time) Time period since client was last seen.
status (waiting | offered | bound) Three status vales are possible:
  • waiting - Shown for static bindings if it is not used. For dynamic bindings this status is shown if it was used previously, server will wait 10 minutes to allow old client to get this binding, otherwise binding will be cleared and prefix willbe offered to other clients.
  • offered - if solicit message was received, and server responded with advertise message, but request was not received. During this state client have 2 minutes to get this binding, otherwise it is freed or changed status to waiting for static bindings.
  • bound - currently bound.


For example, dynamically assigned /62 prefix

[admin@RB493G] /ipv6 dhcp-server binding> print detail 
Flags: X - disabled, D - dynamic 
 0 D address=2a02:610:7501:ff00::/62 duid="1605fcb400241d1781f7" iaid=0 
     server=local-dhcp life-time=3d status=bound expires-after=2d23h40m10s 
     last-seen=19m50s 

 1 D address=2a02:610:7501:ff04::/62 duid="0019d1393535" iaid=2 
     server=local-dhcp life-time=3d status=bound expires-after=2d23h43m47s 
     last-seen=16m13s 


Menu specific commands

Property Description
make-static () Set dynamic binding as static.

Rate limiting

It is possible to set a bandwidth to a specific IPv6 address by using DHCPv6 bindings. This can be done by setting a rate limit on the DHCPv6 binding itself, by doing this a dynamic simple queue rule will be added for the IPv6 address that corresponds to the DHCPv6 binding. By using the rate-limit parameter you can conveniently limit a user's bandwidth.

Note: For any queues to work properly, the traffic must not be FastTracked, make sure your Firewall does not FastTrack traffic that you want to limit.


First, make the DHCPv6 binding static, otherwise it will not be possible to set a rate limit to a DHCPv6 binding:

[admin@MikroTik] > /ipv6 dhcp-server binding print 
Flags: X - disabled, D - dynamic 
 #   ADDRESS                      DUID                      SERVER                      STATUS 
 0 D fdb4:4de7:a3f8:418c::/66     0x6c3b6b7c413e            DHCPv6_Server               bound

[admin@MikroTik] > /ipv6 dhcp-server binding make-static 0

[admin@MikroTik] > /ipv6 dhcp-server binding print
Flags: X - disabled, D - dynamic 
 #   ADDRESS                      DUID                      SERVER                      STATUS 
 0   fdb4:4de7:a3f8:418c::/66     0x6c3b6b7c413e            DHCPv6_Server               bound  

Then you need can set a rate to a DHCPv6 binding that will create a new dynamic simple queue entry:

[admin@MikroTik] > /ipv6 dhcp-server binding set 0 rate-limit=10M/10

[admin@MikroTik] > /queue simple print     
Flags: X - disabled, I - invalid, D - dynamic 
 0  D name="dhcp<6c3b6b7c413e fdb4:4de7:a3f8:418c::/66>" target=fdb4:4de7:a3f8:418c::/66 parent=none packet-marks="" priority=8/8 queue=default-small/default-small limit-at=10M/10M max-limit=10M/10M burst-limit=0/0 burst-threshold=0/0 
      burst-time=0s/0s bucket-size=0.1/0.1 

Note: By default allow-dual-stack-queue is enabled, this will add a single dynamic simple queue entry for both DCHPv6 binding and DHCPv4 lease, without this option enabled separate dynamic simple queue entries will be added for IPv6 and IPv4.


If allow-dual-stack-queue is enabled, then a single dynamic simple queue entry will be created containing both IPv4 and IPv6 addresses:

[admin@MikroTik] > /queue simple print 
Flags: X - disabled, I - invalid, D - dynamic 
 0  D name="dhcp-ds<6C:3B:6B:7C:41:3E>" target=192.168.1.200/32,fdb4:4de7:a3f8:418c::/66 parent=none packet-marks="" priority=8/8 queue=default-small/default-small limit-at=10M/10M max-limit=10M/10M burst-limit=0/0 burst-threshold=0/0 
      burst-time=0s/0s bucket-size=0.1/0.1 

RADIUS Support

Since RouterOS v6.43 it is possible to use RADIUS to assign a rate-limit per DHCPv6 binding, to do so you need to pass the Mikrotik-Rate-Limit attribute from your RADIUS Server for your DHCPv6 binding. To achieve this you first need to set your DHCPv6 Server to use RADIUS for assigning bindings. Below is an example how to set it up:

/radius
add address=10.0.0.1 secret=VERYsecret123 service=dhcp
/ipv6 dhcp-server
set dhcp1 use-radius=yes

After that you need to tell your RADIUS Server to pass the Mikrotik-Rate-Limit attribute. In case you are using FreeRADIUS with MySQL, then you need to add appropriate entries into radcheck and radreply tables for a MAC address, that is being used for your DHCPv6 Client. Below is an example for table entries:

INSERT INTO `radcheck` (`username`, `attribute`, `op`, `value`) VALUES
('000c4200d464', 'Auth-Type', ':=', 'Accept'),

INSERT INTO `radreply` (`username`, `attribute`, `op`, `value`) VALUES
('000c4200d464', 'Delegated-IPv6-Prefix', '=', 'fdb4:4de7:a3f8:418c::/66'),
('000c4200d464', 'Mikrotik-Rate-Limit', '=', '10M');

Note: By default allow-dual-stack-queue is enabled and will add a single dynamic queue entry if the MAC address from the IPv4 lease (or DUID, if the DHCPv4 Client supports Node-specific Client Identifiers from RFC4361), but DUID from DHCPv6 Client is not always based on the MAC address from the interface on which the DHCPv6 Client is running on, DUID is generated on per-device basis. For this reason a single dynamic queue entry might not be created, separate dynamic queue entries might be created instead.


Configuration Examples

Enabling IPv6 Prefix delegation

Lets consider that we already have running DHCP server.

To enable IPv6 prefix delegation, first we need to create address pool

/ipv6 pool add name=myPool prefix=2001:db8:7501::/60  prefix-length=62

Notice that prefix-length is 62 bits, it means that clients will receive /62 prefixes from the /60 pool.

Next step is to enable DHCP-PD.

/ipv6 dhcp-server add name=myServer address-pool=myPool interface=local


To test our server we will set up wide-dhcpv6 on ubuntu machine:

  • install wide-dhcpv6-client
  • edit "/etc/wide-dhcpv6/dhcp6c.conf" as above

Note: You can use also RouterOS as DHCP-PD client. Read more >>



interface eth2{
  send ia-pd 0;
};

id-assoc pd {
   prefix-interface eth3{
   sla-id 1;
   sla-len 2;
   };
};

  • Run DHCP-PD client
sudo dhcp6c -d -D -f eth2
  • Verify that prefix was added to eth3
mrz@bumba:/media/aaa$ ip -6 addr
..
2: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:db8:7501:1:200:ff:fe00:0/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::224:1dff:fe17:81f7/64 scope link 
       valid_lft forever preferred_lft forever
  • You can make binding to specific client static, so that it always receives the same prefix
[admin@RB493G] /ipv6 dhcp-server binding> print 
Flags: X - disabled, D - dynamic 
 #   ADDRESS                                        DU       IAID SER.. STATUS 
 0 D 2001:db8:7501:1::/62                      16          0 loc.. bound 
[admin@RB493G] /ipv6 dhcp-server binding> make-static 0

  • DHCP-PD also installs route to assigned prefix into IPv6 routing table
[admin@RB493G] /ipv6 route> print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable 
 #      DST-ADDRESS              GATEWAY                  DISTANCE
...
 2 ADS  2001:db8:7501:1::/62     fe80::224:1dff:fe17:8...        1


[ Top | Back to Content ]