RA vs DHCP? Advertise DNS?

[takoateli]

I'm able to configure my Mikrotik router as per HE's suggested settings and all works well. But I have no control over which client receives which IPv6 address. There are times when I want to identify and/or bandwidth manage certain clients, so I'd like to know who has which IP address. If I turn off RA and switch to IPv6 DHCP can I accomplish this by handing out certain IPv6 IPs to certain DUIDs?

Also how do I advertise the IPv6 DNS server? In my Mikrotik I can set it up so I can have clients query the Mikrotik router for DNS, but I'd like to have the clients go directly to an IPv6 DNS server. How can I configure the Mikrotik router to give out that info?

And lastly, when I configure the Mikrotik's IPv6 DHCP client it doesn't seem to get a DHCP lease from HE. Is that normal?

Thanks!
Greg

[broquea]

You still need RA running with the correct flags set, for DHCPv6 to work. That will let you propagate out the DNS servers. HE doesn't operate DHCPv6 so you shouldn't be expecting a lease from their side, everything for the tunnel is statically configured. I do not know if DHCPv6 allows the hosts to configure privacy addresses, but that might still be an issue (assuming it was with RA autoconf, otherwise with a bit of conversion you could just match the last 64bits of an auto-conf address to the MAC in the IPv4 ARP, managed switch and mac-addr-table, etc etc).

[takoateli]

Thanks for the reply! This is new territory for me. I've got some googlin to do.


Greg

[kasperd]

But I have no control over which client receives which IPv6 address.

If you use SLAAC, then you have little control over how they are assigned. There are still some addresses left in the segment, which means you can use a few static addresses for individual hosts and let the rest have automatically assigned addresses.

There are times when I want to identify and/or bandwidth manage certain clients, so I'd like to know who has which IP address.

The router knows which MAC address each IPv6 address is used by. So if the router has proper support, it should be able to manage all of this by MAC address rather than by IP address.

If I turn off RA and switch to IPv6 DHCP can I accomplish this by handing out certain IPv6 IPs to certain DUIDs?

Also how do I advertise the IPv6 DNS server? In my Mikrotik I can set it up so I can have clients query the Mikrotik router for DNS, but I'd like to have the clients go directly to an IPv6 DNS server. How can I configure the Mikrotik router to give out that info?

There are a few different ways it can be configured.

• Static configuration without any RA or DHCPv6. This would require you to manually configure each host.
• RA and SLAAC with no DHCPv6. Addresses are assigned either by MAC address or randomly. It is decided by each host, which method to use. You have little control over it. IPv6 address of DNS servers can be included in RA options, but this option may not be supported by everything yet.
• RA, SLAAC and DHCPv6. You can use SLAAC to assign addresses and query a DHCPv6 server just for some additional static configuration information, such as list of DNS servers.
• RA and DHCPv6. SLAAC is only meant for /64 networks. If you make your prefix longer than /64, SLAAC is disabled. (I think there is also a way to disable SLAAC on /64 prefixes. But if you don't want SLAAC, there isn't any major drawback from using a longer prefix). With SLAAC disabled you can use DHCPv6 for assigning addresses.

I'm not sure if you can combine SLAAC and DHCPv6 assigned addresses on the same segment. There certainly are enough addresses in a /64 to allow for both, but I am not sure if there is a way to let each host know, which of the two it is supposed to use.

And lastly, when I configure the Mikrotik's IPv6 DHCP client it doesn't seem to get a DHCP lease from HE. Is that normal?

The tunnel link is supposed to be statically configured, so there is no need to use RA, SLAAC or DHCPv6 on that link. I don't know if HE is going to respond to router-solicitation or DHCPv6 requests, if you do send them over the tunnel. I have never needed to send any of those on any of my tunnels.

Only ::1 and ::2 are mentioned as having a specific purpose on the tunnel link. AFAIK the entire range from ::2 through ::ffff:ffff:ffff:ffff is treated identical by the tunnel server. But the ::2 is pinged to verify that there is actually a tunnel endpoint responding.