jwelzel
Participant

R82: IPv6 with Prefix-Delegation Problem

Good morning,
I've been trying to get IPv6 running with prefix delegation in my testlab for a few days now. I have configured my router (AVM Fritz!Box) so that it distributes a prefix via DHCPv6 (assign prefix (IA_PD) and IPv6 address (IA_NA)).

Bildschirmfoto_20250604_093035.png

 

On the Checkpoint 3600 (R82 JHT19) I have activated IPv6 and configured the options as I consider them necessary for prefix delegation.

Bildschirmfoto_20250604_092626.png
Unfortunately, no IPv6 address arrives on the interfaces and I cannot find any DHCPv6 packets in a tcpdump either.

cp-gw01> show dhcp6 prefix-delegation all 
Client status:  Enabled
Prefix-Delegation Method:  rdisc6
Requesting Interface (Prefix Delegation Client):  eth2 
Assigned Interfaces:  eth1.10 eth1.40 eth1.41 
cp-gw01> show interface eth2 
state on
mac-addr 00:1c:7f:ac:27:85
type ethernet
link-state link up
mtu 1500
auto-negotiation on
speed 1000M
ipv6-autoconfig on
monitor-mode off
duplex full
link-speed 1000M/full
comments 
ipv4-address 192.168.100.10/24
ipv6-address Not Configured
ipv6-local-link-address fe80::21c:7fff:feac:2785/64

Statistics: 
TX bytes:3350605214 packets:12686033 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:28712154137 packets:22235203 errors:0 dropped:79454 overruns:0 frame:0

SD-WAN: Not Configured
cp-gw01> show interface eth1.10
state on
mac-addr 00:1c:7f:ac:27:84
type vlan
link-state not available
mtu 1500
auto-negotiation on (eth1)
speed 1000M (eth1)
ipv6-autoconfig off
monitor-mode Not configured
duplex full (eth1)
link-speed 1000M/full (eth1)
comments LAN
ipv4-address 192.168.110.1/24
ipv6-address Not Configured
ipv6-local-link-address fe80::21c:7fff:feac:2784/64

Statistics: 
TX bytes:78404221271 packets:59483126 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:3844836673 packets:15803471 errors:0 dropped:0 overruns:0 frame:0

SD-WAN: Not Configured
cp-gw01> show interface eth1.11
state on
mac-addr 00:1c:7f:ac:27:84
type vlan
link-state not available
mtu 1500
auto-negotiation on (eth1)
speed 1000M (eth1)
ipv6-autoconfig on
monitor-mode Not configured
duplex full (eth1)
link-speed 1000M/full (eth1)
comments Smarthome
ipv4-address 192.168.111.1/24
ipv6-address Not Configured
ipv6-local-link-address fe80::21c:7fff:feac:2784/64

Statistics: 
TX bytes:278265289 packets:413338 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:100991079 packets:1068426 errors:0 dropped:0 overruns:0 frame:0

SD-WAN: Not Configured

Have I forgotten anything else?

0 Kudos
23 Replies
the_rock
Legend

Let me see if I can test this in my R82 lab.

Andy

the_rock
Legend

@jwelzel Sorry about the delay, was just watching the MOST EPIC Roland Garros final...that was so worth it, goooo Alcaraz, hehe 🙂

Anyway, will test it in a bit and update you.

Andy

0 Kudos
the_rock
Legend

Sorry mate, not having much luck either, will try more tomorrow.

Andy

0 Kudos
the_rock
Legend

Question...do you have the DHCPv6 server enabled? When I try to enable it, it throws the attached error, which makes no logical sense to me, since the subnet is there and enabled.

Andy

0 Kudos
jwelzel
Participant

No, DHCPv6 Server is disabled. I only need DHCPv6 Client and behind the checkpoint SLAAC and IPv6-RA.

the_rock
Legend

Got it. Let me keep checking and will update you.

Andy

0 Kudos
the_rock
Legend

Sorry mate, just taking a break for studying for the CCTE exam, let me check this now.

Andy

0 Kudos
the_rock
Legend

I'm trying to remember now exactly the steps I followed, but this looks right to me...thoughts?

Andy

R82> save config
R82> show interface eth1
state on
mac-addr 50:01:00:01:00:01
type ethernet
link-state link up
mtu 1500
auto-negotiation on
speed 1000M
ipv6-autoconfig off
monitor-mode off
duplex full
link-speed 1000M/full
comments internal
ipv4-address 192.168.10.253/24
ipv6-address ::ffff:c0a8:afd/96
ipv6-local-link-address fe80::5201:ff:fe01:1/64

Statistics:
TX bytes:452 packets:6 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:6548123962 packets:22517887 errors:66946 dropped:87806 overruns:0 frame:0

SD-WAN: Not Configured
R82>

0 Kudos
jwelzel
Participant

Did you set the IPv6 suffix on this interface manually? This is your internal Interface?

0 Kudos
the_rock
Legend

I did, yes.

0 Kudos
jwelzel
Participant

Ok, what's your exact configuration, and is prefix delegation via DHCPv6 working?

0 Kudos
the_rock
Legend

Will send you that little later on when I take break from CCTE studying 🙂

Andy

0 Kudos
the_rock
Legend

There you go.

Andy

0 Kudos
oa_munich
Contributor

Prefix delegation won't work if the higher router sends IA_NA, only IA_PD seems to be supported.
Not sure you can influence this on your Fritzbox, but it helps to set:
Minimum RA interval = 200
Maximum RA interval = 600
Lifetime = 7200
The router needs to advertise a prefix larger than /64, e.g. /62, /60, /56 etc.

Your parent interface needs to have NO IPv6 address (no autoconfig, nor anything else).
Your child interface needs to have "obtain via prefix delegation".
Policy needs to permit protocols required on child and upstream interfaces / zones.

dhclient would write log to /var/log/messages which you can access via syslog / expert mode.

See some comments I shared previously on this subject.

(1)
the_rock
Legend

Thanks for sharing that @oa_munich 

0 Kudos
jwelzel
Participant

Ok, thanks for your hints. I did set the router now on IA_PD only. A /57 prefix should be advertised by the router.

This is all I can see with tcpdump on external Checkpoint IF

[Expert@cp-gw01:0]# tcpdump -i eth2 -n -vv '(udp port 546 or 547) or icmp6'
tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
12:10:46.517509 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 128) fe80::3a10:d5ff:fe5d:9fee > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 128
        hop limit 255, Flags [other stateful], pref medium, router lifetime 1800s, reachable time 0ms, retrans time 0ms
          prefix info option (3), length 32 (4): 2003:f6:2703:3c00::/64, Flags [onlink, auto], valid time 7200s, pref. time 1213s
            0x0000:  40c0 0000 1c20 0000 04bd 0000 0000 2003
            0x0010:  00f6 2703 3c00 0000 0000 0000 0000
          rdnss option (25), length 40 (5):  lifetime 1200s, addr: fd00::3a10:d5ff:fe5d:9fee addr: 2003:f6:2703:3c00:3a10:d5ff:fe5d:9fee
            0x0000:  0000 0000 04b0 fd00 0000 0000 0000 3a10
            0x0010:  d5ff fe5d 9fee 2003 00f6 2703 3c00 3a10
            0x0020:  d5ff fe5d 9fee
          mtu option (5), length 8 (1):  1492
            0x0000:  0000 0000 05d4
          route info option (24), length 8 (1):  ::/0, pref=medium, lifetime=1800s
            0x0000:  0000 0000 0708
          route info option (24), length 16 (2):  2003:f6:2703:3c00::/56, pref=medium, lifetime=1800s
            0x0000:  3800 0000 0708 2003 00f6 2703 3c00
          source link-address option (1), length 8 (1): 38:10:d5:5d:9f:ee
            0x0000:  3810 d55d 9fee
12:15:59.577622 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 128) fe80::3a10:d5ff:fe5d:9fee > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 128
        hop limit 255, Flags [other stateful], pref medium, router lifetime 1800s, reachable time 0ms, retrans time 0ms
          prefix info option (3), length 32 (4): 2003:f6:2703:3c00::/64, Flags [onlink, auto], valid time 7200s, pref. time 1800s
            0x0000:  40c0 0000 1c20 0000 0708 0000 0000 2003
            0x0010:  00f6 2703 3c00 0000 0000 0000 0000
          rdnss option (25), length 40 (5):  lifetime 1200s, addr: fd00::3a10:d5ff:fe5d:9fee addr: 2003:f6:2703:3c00:3a10:d5ff:fe5d:9fee
            0x0000:  0000 0000 04b0 fd00 0000 0000 0000 3a10
            0x0010:  d5ff fe5d 9fee 2003 00f6 2703 3c00 3a10
            0x0020:  d5ff fe5d 9fee
          mtu option (5), length 8 (1):  1492
            0x0000:  0000 0000 05d4
          route info option (24), length 8 (1):  ::/0, pref=medium, lifetime=1800s
            0x0000:  0000 0000 0708
          route info option (24), length 16 (2):  2003:f6:2703:3c00::/56, pref=medium, lifetime=1800s
            0x0000:  3800 0000 0708 2003 00f6 2703 3c00
          source link-address option (1), length 8 (1): 38:10:d5:5d:9f:ee
            0x0000:  3810 d55d 9fee
12:16:00.580629 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 128) fe80::3a10:d5ff:fe5d:9fee > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 128
        hop limit 255, Flags [other stateful], pref medium, router lifetime 1800s, reachable time 0ms, retrans time 0ms
          prefix info option (3), length 32 (4): 2003:f6:2703:3c00::/64, Flags [onlink, auto], valid time 7200s, pref. time 1799s
            0x0000:  40c0 0000 1c20 0000 0707 0000 0000 2003
            0x0010:  00f6 2703 3c00 0000 0000 0000 0000
          rdnss option (25), length 40 (5):  lifetime 1200s, addr: fd00::3a10:d5ff:fe5d:9fee addr: 2003:f6:2703:3c00:3a10:d5ff:fe5d:9fee
            0x0000:  0000 0000 04b0 fd00 0000 0000 0000 3a10
            0x0010:  d5ff fe5d 9fee 2003 00f6 2703 3c00 3a10
            0x0020:  d5ff fe5d 9fee
          mtu option (5), length 8 (1):  1492
            0x0000:  0000 0000 05d4
          route info option (24), length 8 (1):  ::/0, pref=medium, lifetime=1800s
            0x0000:  0000 0000 0708
          route info option (24), length 16 (2):  2003:f6:2703:3c00::/56, pref=medium, lifetime=1800s
            0x0000:  3800 0000 0708 2003 00f6 2703 3c00
          source link-address option (1), length 8 (1): 38:10:d5:5d:9f:ee
            0x0000:  3810 d55d 9fee

 

Should these suffix pools be filled?

 

Bildschirmfoto_20250611_115724.png

oa_munich
Contributor

Once received, your DHCPv6 Server Subnet Configuration will get populated automatically (so will the IPv6 address on the child interface), see screenshot (DHCPv6 in this context does not mean you will be sending the M-flag). Sending O or M flags is configured under IPv6 Router Discovery (second screenshot). 

I can spot a minor difference of your dump compared to mine: my router is sending both A and O flags, yours is sending just A flag. If you are distributing RDNS, you should be sending O-flag too (third screenshot).

0 Kudos
jwelzel
Participant

It's a bit better now. It looks like the checkpoint now requests a prefix, but only a /62 which is not big enough. 

[Expert@cp-gw01:0]# tcpdump -i eth2 -n -vv '(udp port 546 or 547) or icmp6'  
tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes  
14:08:51.911998 IP6 (flowlabel 0x7e204, hlim 1, next-header UDP (17) payload length: 103) fe80::21c:7fff:feac:2785.dhcpv6-client > ff02::1:2.dhcpv6-server: [udp sum ok] dhcp6 renew (xid=858679 (client-ID hwaddr/time type 1 time 802185531 001c7fac2785) (server-ID hwaddr type 1 3810d55d9fee) (option-request DNS-server DNS-search-list) (elapsed-time 0) (IA_PD IAID:2141988741 T1:3600 T2:5400 (IA_PD-prefix 2003:f6:2703:3cfc::/62 pltime:7200 vltime:7500)))  
14:08:51.926183 IP6 (hlim 64, next-header UDP (17) payload length: 150) fe80::3a10:d5ff:fe5d:9fee.dhcpv6-server > fe80::21c:7fff:feac:2785.dhcpv6-client: [udp sum ok] dhcp6 reply (xid=858679 (client-ID hwaddr/time type 1 time 802185531  
001c7fac2785) (server-ID hwaddr type 1 3810d55d9fee) (preference 0) (DNS-server fd00::3a10:d5ff:fe5d:9fee 2003:f6:2703:3c00:3a10:d5ff:fe5d:9fee) (opt_86) (IA_PD IAID:2141988741 T1:1800 T2:2880 (IA_PD-prefix 2003:f6:2703:3cfc::/62 pltime  
:3600 vltime:7200)))  
14:08:56.933653 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::3a10:d5ff:fe5d:9fee > fe80::21c:7fff:feac:2785: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::21c:7fff:feac:2785 source link-address option (1), length 8 (1): 38:10:d5:5d:9f:ee 0x0000:  3810 d55d 9fee  
14:08:56.934382 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::21c:7fff:feac:2785 > fe80::3a10:d5ff:fe5d:9fee: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::21c:7fff:feac:2785, Flags [router, solicited]  
14:09:01.968893 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::21c:7fff:feac:2785 > fe80::3a10:d5ff:fe5d:9fee: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::3a10:d5ff:fe5d:9fee source link-address option (1), length 8 (1): 00:1c:7f:ac:27:85 0x0000:  001c 7fac 2785  
14:09:01.969296 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::3a10:d5ff:fe5d:9fee > fe80::21c:7fff:feac:2785: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::3a10:d5ff:fe5d:9fee, Flags [router, solicited]  
14:09:02.789416 IP6 (flowlabel 0x7e204, hlim 1, next-header UDP (17) payload length: 103) fe80::21c:7fff:feac:2785.dhcpv6-client > ff02::1:2.dhcpv6-server: [udp sum ok] dhcp6 renew (xid=858679 (client-ID hwaddr/time type 1 time 80218553 1 001c7fac2785) (server-ID hwaddr type 1 3810d55d9fee) (option-request DNS-server DNS-search-list) (elapsed-time 1087) (IA_PD IAID:2141988741 T1:3600 T2:5400 (IA_PD-prefix 2003:f6:2703:3cfc::/62 pltime:7200 vltime:7500)))  
14:09:02.802479 IP6 (hlim 64, next-header UDP (17) payload length: 150) fe80::3a10:d5ff:fe5d:9fee.dhcpv6-server > fe80::21c:7fff:feac:2785.dhcpv6-client: [udp sum ok] dhcp6 reply (xid=858679 (client-ID hwaddr/time type 1 time 802185531  
001c7fac2785) (server-ID hwaddr type 1 3810d55d9fee) (preference 0) (DNS-server fd00::3a10:d5ff:fe5d:9fee 2003:f6:2703:3c00:3a10:d5ff:fe5d:9fee) (opt_86) (IA_PD IAID:2141988741 T1:1800 T2:2880 (IA_PD-prefix 2003:f6:2703:3cfc::/62 pltime  
:3600 vltime:7200)))  
14:09:18.834517 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 128) fe80::3a10:d5ff:fe5d:9fee > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 128 hop limit 255, Flags [other stateful], pref high, router lifetime 1800s, reachable time 0ms, retrans time 0ms prefix info option (3), length 32 (4): 2003:f6:2703:3c00::/64, Flags [onlink, auto], valid time 7200s, pref. time 1307s  
           0x0000:  40c0 0000 1c20 0000 051b 0000 0000 2003  
           0x0010:  00f6 2703 3c00 0000 0000 0000 0000  
         rdnss option (25), length 40 (5):  lifetime 1200s, addr: fd00::3a10:d5ff:fe5d:9fee addr: 2003:f6:2703:3c00:3a10:d5ff:fe5d:9fee  
           0x0000:  0000 0000 04b0 fd00 0000 0000 0000 3a10  
           0x0010:  d5ff fe5d 9fee 2003 00f6 2703 3c00 3a10  
           0x0020:  d5ff fe5d 9fee  
         mtu option (5), length 8 (1):  1492  
           0x0000:  0000 0000 05d4  
         route info option (24), length 8 (1):  ::/0, pref=high, lifetime=1800s  
           0x0000:  0008 0000 0708  
         route info option (24), length 16 (2):  2003:f6:2703:3c00::/56, pref=high, lifetime=1800s  
           0x0000:  3808 0000 0708 2003 00f6 2703 3c00  
         source link-address option (1), length 8 (1): 38:10:d5:5d:9f:ee  
           0x0000:  3810 d55d 9fee

 

Unfortunately the checkpoint is trying to set the same IPv6 address on multiple interfaces which is not working.

Jun 11 17:29:40 2025 cp-gw01 clish[17067]: cmd by admin: Processing : set interface eth1.41 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 101c31e701aadca33f4f2038158eb11f)  
Jun 11 17:29:40 2025 cp-gw01 xpand[13847]: Adding New IPv6 Address 2003:f6:2703:3cfc:21c:7fff:feac:2784/64  
Jun 11 17:29:40 2025 cp-gw01 clish[17067]: cmd by admin: Processing : set interface eth1.10 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 95b8aec691a142954807745dd73fc3eb)  
Jun 11 17:33:04 2025 cp-gw01 clish[18701]: cmd by admin: Processing : set interface eth1.41 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 101c31e701aadca33f4f2038158eb11f)  
Jun 11 17:33:04 2025 cp-gw01 clish[18701]: cmd by admin: Processing : set interface eth1.11 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 86a7e069a29533b8bf1052dd94fee833)  
Jun 11 17:33:32 2025 cp-gw01 clish[18895]: cmd by admin: Processing : set interface eth1.44 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: d710ac6fd4ff2fab7cdc633d6d85f703)  
Jun 11 17:33:36 2025 cp-gw01 clish[19015]: cmd by admin: Processing : set interface eth1.50 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 2239cc77bf59bb3ddb2136e246240565)  
Jun 11 17:33:40 2025 cp-gw01 clish[19146]: cmd by admin: Processing : set interface eth1.50 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 2239cc77bf59bb3ddb2136e246240565)  
Jun 11 17:33:45 2025 cp-gw01 clish[19282]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)  
Jun 11 18:33:44 2025 cp-gw01 dhclient[13861]: PRC: Prefix 2003:f6:2703:3cfc::/62 depreferred.  
Jun 11 19:33:46 2025 cp-gw01 dhclient[13861]: PRC: Prefix 2003:f6:2703:3cfc::/62 expired.  
Jun 11 19:33:48 2025 cp-gw01 clish[2893]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)  
Jun 11 20:03:58 2025 cp-gw01 clish[12372]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)  
Jun 11 20:33:59 2025 cp-gw01 clish[21955]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)  
Jun 11 21:04:09 2025 cp-gw01 clish[32767]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)  
Jun 11 21:34:18 2025 cp-gw01 clish[9737]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)  
Jun 11 22:04:30 2025 cp-gw01 clish[19374]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)  
Jun 11 22:34:39 2025 cp-gw01 clish[28798]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)  
Jun 11 23:04:49 2025 cp-gw01 clish[5797]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)  
Jun 11 23:34:59 2025 cp-gw01 clish[15335]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)  
Jun 12 00:05:10 2025 cp-gw01 clish[31582]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)  
Jun 12 00:35:20 2025 cp-gw01 clish[12750]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)  
Jun 12 01:05:30 2025 cp-gw01 clish[22391]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)  
Jun 12 01:35:41 2025 cp-gw01 clish[31811]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)  
Jun 12 02:05:51 2025 cp-gw01 clish[8822]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)  
Jun 12 02:36:01 2025 cp-gw01 clish[18489]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)  
Jun 12 03:06:10 2025 cp-gw01 clish[31820]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)  
Jun 12 03:36:19 2025 cp-gw01 clish[10091]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)  
Jun 12 04:06:18 2025 cp-gw01 clish[19711]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)  
Jun 12 04:36:30 2025 cp-gw01 clish[29141]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)  
Jun 12 05:06:40 2025 cp-gw01 clish[6147]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)  
Jun 12 05:36:49 2025 cp-gw01 clish[15687]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)  
Jun 12 06:06:50 2025 cp-gw01 clish[30463]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)  
Jun 12 06:36:50 2025 cp-gw01 clish[8648]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)  
Jun 12 07:07:00 2025 cp-gw01 clish[18271]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)  
Jun 12 07:37:11 2025 cp-gw01 clish[27811]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)  
Jun 12 08:07:12 2025 cp-gw01 clish[4815]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)  
Jun 12 08:37:23 2025 cp-gw01 clish[14289]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)  
Jun 12 09:07:31 2025 cp-gw01 clish[29578]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)  
Jun 12 09:37:41 2025 cp-gw01 clish[26024]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)  
Jun 12 13:41:59 2025 cp-gw01 clish[17163]: cmd by admin: Processing : set interface eth1.11 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 86a7e069a29533b8bf1052dd94fee833)  
Jun 12 14:09:03 2025 cp-gw01 clish[26075]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 7a3fb31de57c40851222c593697c4c19)
Jun 11 17:29:40 2025 cp-gw01 clish[17067]: cmd by admin: Processing : set interface eth1.41 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 101c31e701aadca33f4f2038158eb11f)
Jun 11 17:29:40 2025 cp-gw01 xpand[13847]: Adding New IPv6 Address 2003:f6:2703:3cfc:21c:7fff:feac:2784/64
Jun 11 17:29:40 2025 cp-gw01 xpand[13847]: eth1.41: New instance = 0, old instance = 0, target instance = -1
Jun 11 17:29:40 2025 cp-gw01 xpand[13847]: netis_netif_selective_link_reconf: NS validation succeeded, interface: eth1.41 vsid: 0
Jun 11 17:29:40 2025 cp-gw01 HCP_stateAgent[14978]: auditLogClient init succeed
Jun 11 17:29:40 2025 cp-gw01 xpand[13847]: log info: objectName: Interfaces,administrator: admin, operation: Add Object, facility: Web-UI, message: Created new IPv6 prefix 200300f627033cfc021c7ffffeac2784 with mask 64 for the interface 
eth1.41 
Jun 11 17:29:40 2025 cp-gw01 xpand[13847]: admin localhost t +interface:eth1.41:ip6addr:200300f627033cfc021c7ffffeac2784 t 
Jun 11 17:29:40 2025 cp-gw01 xpand[13847]: admin localhost t +interface:eth1.41:ip6addr:200300f627033cfc021c7ffffeac2784:mask 64 
Jun 11 17:29:40 2025 cp-gw01 xpand[13847]: Configuration changed from localhost by user admin
Jun 11 17:29:40 2025 cp-gw01 HCP_stateAgent[14978]: auditLogClient::sendLog>Send log successfully
Jun 11 17:29:40 2025 cp-gw01 clish[17067]: cmd by admin: Processing : set interface eth1.41 state on (cmd md5: c232d551a3734a3a22a4805b2da79b79)
Jun 11 17:29:40 2025 cp-gw01 xpand[13847]: Configuration changed from localhost by user admin
Jun 11 17:29:40 2025 cp-gw01 clish[17067]: cmd by admin: Processing : set interface eth1.10 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64 (cmd md5: 95b8aec691a142954807745dd73fc3eb)
Jun 11 17:29:40 2025 cp-gw01 xpand[13847]: instance name is [default]
Jun 11 17:29:40 2025 cp-gw01 xpand[13847]: admin localhost t -volatile:clish:admin:17067  
Jun 11 17:29:40 2025 cp-gw01 clish[17067]: User admin finished running clish -f due to an error from CLI shell

 

Is it possible to define somewhere what size the requested prefix should have? And how the individual nets are distributed to the interfaces?

Regards, Jochen

0 Kudos
oa_munich
Contributor

/62 contains 4 /64 prefixes, are you trying to hand out more?

With prefixes smaller than /64 SLAAC won't work in many cases.

R82 uses DHCP Client 4.2.5. The "right" way would be adding the --prefix-len-hint parameter to the command line
/sbin/dhclient6 -6 -P -d -lf /var/lib/dhclient/dhclient6_pd.lease [parent interface]

but I do not know where the dhclient6 is started from, and whether the parameters can be changed. I'd love to find out, though. There are many parameters, which one could need to change, like -N to request IA_NA with IA_PD to avoid the problem with HTTPS inspection I reported a while ago.

0 Kudos
jwelzel
Participant

Yes, a /62 is enough for 4 child interfaces. But unfortunately the checkpoint tries to assign the same IPv6-Address to every child interface, which isn't working. It would be great if there would be an option to assign a "subnetid" or something like this to every child interface. 


@oa_munich wrote:
Your parent interface needs to have NO ipv6 address (no autoconfig, not anything else).

How can IPv6 routing work with this option, when the parent/outbound interface has no IPv6 address? So there is no IPv6 default route and IPv6 routing is not working.


@oa_munich wrote:

R82 uses DHCP Client 4.2.5. The "right" way would be adding the --prefix-len-hint parameter to the command line
/sbin/dhclient6 -6 -P -d -lf /var/lib/dhclient/dhclient6_pd.lease [parent interface]

but I do not know where the dhclient6 is started from, and whether the parameters can be changed. I'd love to find out, though. There are many parameters, which one could need to change, like -N to request IA_NA with IA_PD to avoid the problem with HTTPS inspection I reported a while ago.


With a short grep I didn't find any dhclient configuration in the configuration directories.

0 Kudos
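The address collision in the log quoted above follows from all VLANs on eth1 sharing one MAC (hence one EUI-64 interface ID) while every `set interface` call uses the first /64 of the delegated /62. The Python sketch below is an added example, not part of the thread and not Check Point code: it flags an address pushed to several interfaces in clish log lines (sample lines constructed in the thread's format) and computes a collision-free plan with one /64 per child interface. The function names and the in-order subnet assignment are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Sample lines constructed in the format of the clish/dhclient entries in the thread.
SAMPLE_LOG = """\
Jun 11 17:29:40 2025 cp-gw01 clish[17067]: cmd by admin: Processing : set interface eth1.41 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64
Jun 11 17:29:40 2025 cp-gw01 clish[17067]: cmd by admin: Processing : set interface eth1.10 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64
Jun 11 17:33:04 2025 cp-gw01 clish[18701]: cmd by admin: Processing : set interface eth1.11 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64
Jun 11 17:33:45 2025 cp-gw01 clish[19282]: cmd by admin: Processing : set interface eth1.30 ipv6-address 2003:f6:2703:3cfc:21c:7fff:feac:2784 mask-length 64
Jun 11 18:33:44 2025 cp-gw01 dhclient[13861]: PRC: Prefix 2003:f6:2703:3cfc::/62 depreferred.
"""

SET_RE = re.compile(r"set interface (\S+) ipv6-address (\S+) mask-length (\d+)")


def duplicate_assignments(log_text):
    """Map 'address/len' -> sorted interfaces, for addresses set on 2+ interfaces."""
    seen = defaultdict(set)
    for iface, addr, plen in SET_RE.findall(log_text):
        # Normalise through ipaddress so differently written forms compare equal.
        key = ipaddress.IPv6Interface(f"{addr}/{plen}")
        seen[key].add(iface)
    return {str(k): sorted(v) for k, v in seen.items() if len(v) > 1}


def eui64_interface_id(mac):
    """Modified EUI-64 interface ID (as an int) derived from a 48-bit MAC."""
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    octets[0] ^= 0x02  # flip the universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return int.from_bytes(iid, "big")


def plan_child_addresses(delegated, mac, interfaces):
    """Give each interface its own /64 out of the delegated prefix, in order."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError(f"{delegated} is longer than /64 and cannot be split")
    subnets = net.subnets(new_prefix=64)
    iid = eui64_interface_id(mac)
    plan = {}
    for iface in interfaces:
        try:
            subnet = next(subnets)
        except StopIteration:
            raise ValueError(f"{delegated} has no /64 left for {iface}") from None
        addr = ipaddress.IPv6Address(int(subnet.network_address) | iid)
        plan[iface] = f"{addr}/64"
    return plan


if __name__ == "__main__":
    for addr, ifaces in duplicate_assignments(SAMPLE_LOG).items():
        print(f"{addr} set on {len(ifaces)} interfaces: {', '.join(ifaces)}")
    plan = plan_child_addresses(
        "2003:f6:2703:3cfc::/62",   # delegated prefix seen in the thread's capture
        "00:1c:7f:ac:27:84",        # MAC shared by the eth1 VLAN interfaces
        ["eth1.10", "eth1.11", "eth1.30", "eth1.41"],
    )
    for iface, addr in plan.items():
        print(f"{iface}: {addr}")
```

A /62 yields exactly four /64 networks, so a fifth child interface makes `plan_child_addresses` raise instead of reusing a subnet.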
oa_munich
Contributor

Link-local addresses are used as gateway IPs in IPv6, not public addresses. It is not a requirement to have a public ipv6 address on your parent connection.

Not having one on the parent interface does raise a strange downside. When HTTPS inspection is used, a probe performs its connection initiating from the parent interface - which has only a link-local address. Here's a lengthier thread on this. The consensus was to NAT66 the link-local ipv6 address of the gateway by the parent router. I do not consider this a valid solution myself, but it works as a workaround.

There is a /etc/dhclient6.conf file.

0 Kudos
jwelzel
Participant


@oa_munich wrote:

Link-local addresses are used as gateway IPs in IPv6, not public addresses. It is not a requirement to have a public ipv6 address on your parent connection.

Yes, but how can I set them in the Checkpoint IPv6 static default route? I can only set an address or an interface.

The config file I have to check, when I'm at home.

0 Kudos
oa_munich
Contributor

Your clients will have the default route to your gateway already. Am I understanding correctly that your Fritzbox is not advertising ::/0 route and the gateway does not have it as its default gateway? Can you share the screenshot of your Routing Monitor?
If this isn't happening, you can set the default gateway manually and point it to the link local address of the router.
