Friday, July 02, 2021

Re: dhcpcd -U6 /var/db/dhcpcd/alc0.lease6 incorrectly returns "dhcpcd is not running"

> On Jul 2, 2021, at 8:22 AM, jslee <indigoid@oldcorollas.org> wrote:
>
> On Fri, 2 Jul 2021, at 10:29, Zack Newman wrote:
>> When I start dhcpcd during booting the "normal" way (i.e., rcctl enable
>> dhcpcd), I am able to successfully dump the lease information
>> associated with the alc0 interface (which is connected directly to my
>> bridge modem); however when I start the command inside of
>> /etc/hostname.alc0 during booting, I am unable to get lease information
>> after. When the computer boots up, I successfully acquire a DHCPv6
>> lease as well as have a /60 routed to me. My IPv6 connectivity runs
>> just fine too.
>
> Something that's not entirely clear to me here: why? if you are using
> prefix delegation, dhcpcd is interested in more of your interfaces than
> just your ISP-side... no?
>
> I also use dhcpcd to handle v6 prefix delegation on my gateway
> and just start it in the normal way, no !foo in /etc/hostname.em0, or
> in fact on any other interfaces. Yet it all works quite reliably every
> boot
>
> What am I missing here?
>
> John

Your assumption that "dhcpcd is interested in more of your interfaces than just your ISP-side" is incorrect. It is only configured for alc0:

beta# cat /etc/dhcpcd.conf
ipv6only
noipv6rs
nooption domain_name_servers
nooption domain_name
nooption host_name
nooption ntp_servers
nooption time_servers
leasetime -1
duid
persistent
option rapid_commit
require dhcp_server_identifier
slaac private
script ""
denyinterfaces lo0 em0 enc0 vlan0 vlan1 vlan2 vlan3 wg0 pflog0
allowinterfaces alc0
interface alc0
ipv6rs
iaid 0
ia_na 0
ia_pd 0/::/60

Even though my ISP dynamically assigns IPv4 and IPv6 addresses, for the 4+ years that I have been a customer it has never changed. If this becomes no longer true, then I will adjust my setup accordingly.

By having dhcpcd run via /etc/netstart, it becomes consistent with how dhclient works. This is not only an optics thing either. Since /etc/rc loads a temporary pf ruleset that allows the necessary DHCP and DHCPv6 traffic, I don't have to add such rules in /etc/pf.conf as my "pass out quick" rule is sufficient for DHCP and DHCPv6 renewal (since that is sent unicast to the appropriate DHCP and DHCPv6 servers and the statefulness of pf allows the response traffic). By not having to have something like "pass in quick on alc0 inet6 proto udp from fe80::/10 port 547 to fe80::/10 port 546 no state", I close a very small hole in my firewall allowing a rogue DHCPv6 server attempting to lease my interface IPs. After all, I don't have "pass in quick on alc0 inet proto udp from any port 67 to any port 68 no state" just to handle that one-time multicast DHCP traffic.

Another benefit of having the appropriate IPv6 addresses assigned earlier is for daemons that get started before packaging daemons. For example, /var/unbound/etc/unbound.conf has a few options based on IP (e.g., outgoing-interface). If dhcpcd gets started "normally", then alc0 will not have a globally-routable IPv6 address assigned to it by the time unbound starts, leading to an error if you have specified any interface options.
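An added example, not part of the original message: a small audit that scans pf rules for the kind of inbound DHCP/DHCPv6 client rule the reply describes avoiding. The sample ruleset is constructed, the function name is hypothetical, and the check assumes one rule per line with no macros, brace lists or anchors.

```python
import re

# Destination ports a DHCP/DHCPv6 client listens on (numeric and /etc/services names).
CLIENT_PORTS = {"68", "bootpc", "546", "dhcpv6-client"}

# Constructed sample ruleset for the demonstration (not the poster's pf.conf).
SAMPLE_PF_CONF = """\
block drop in log all
pass out quick
pass in quick on alc0 inet6 proto udp from fe80::/10 port 547 to fe80::/10 port 546 no state
pass in quick on alc0 inet proto udp from any port 67 to any port 68 no state
# pass in on alc0 inet6 proto udp to port 546
pass in on em0 inet proto tcp to port 22
"""

# First "port X" that follows the "to" keyword, i.e. the destination port.
DEST_PORT = re.compile(r"\bto\b.*?\bport\s+(\S+)")


def inbound_dhcp_client_rules(pf_conf):
    """Return (line_number, rule) for each 'pass in' UDP rule whose
    destination port is a DHCP or DHCPv6 client port."""
    findings = []
    for number, raw in enumerate(pf_conf.splitlines(), 1):
        rule = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        tokens = rule.split()
        if tokens[:2] != ["pass", "in"] or "udp" not in tokens:
            continue
        match = DEST_PORT.search(rule)
        if match and match.group(1) in CLIENT_PORTS:
            findings.append((number, rule))
    return findings


if __name__ == "__main__":
    for number, rule in inbound_dhcp_client_rules(SAMPLE_PF_CONF):
        print(f"line {number}: inbound DHCP client rule: {rule}")
```

A ruleset that relies only on "pass out quick" and pf state tracking for renewals, as the reply describes, produces no findings.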
