Disable container SLAAC IPv6

I have an AdGuard Home v0.107.53 container that is pointing to an Unbound instance.
It is running on a Mikrotik RB5009UPr.

AdGuard uses a static IPv6 local address and Unbound has an ACL to allow AdGuard’s queries.
However, the AdGuard container also gets a SLAAC IPv6 from the network. So it ends up with 3 IPv6 addresses, like this:


[RB5009] > interface/veth/print 
 0  R ;;; AdGuard Home container virtual interface
      name="veth1_adguard" address=192.168.8.5/24,fd01:192:168:8::5/64 gateway=192.168.8.1
      gateway6=fd01:192:168:8::1



# ip add show eth0
    inet 192.168.8.5/24 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fd01:192:168:8:ecb2:17ff:fe94:cbd7/64 scope global dynamic flags 100   ## unnecessary
       valid_lft 2591960sec preferred_lft 604760sec
    inet6 fd01:192:168:8::5/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::ecb2:17ff:fe94:cbd7/64 scope link 
       valid_lft forever preferred_lft forever

Whenever the container is rebooted, it gets a different IPv6 from RA.
This causes some queries from AdGuard to Unbound to fail due to the static ACL.

I would like to disable this IPv6 addressing based on router advertisements on this container, and keep only the static one, but could not find such a configuration.

Any suggestions?

IIRC it’s based on Debian and uses systemd-networkd, in which case you want to read up on [IPv6AcceptRA] Section Options.

I’ve downloaded the AdGuard Home container from the Docker registry and I’m using the “latest” tag, which uses the Alpine distribution. It doesn’t have systemd.

In that case refer to the corresponding doc from Alpine…

I’ve disabled the container IPv6 “autoconf” and RA acceptance, but it still configures the SLAAC address.

# sysctl net.ipv6.conf.all.accept_ra
net.ipv6.conf.all.accept_ra = 0
# sysctl net.ipv6.conf.all.autoconf
net.ipv6.conf.all.autoconf = 0



# ip add show eth0
    inet 192.168.8.5/24 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fd01:192:168:8:ecb2:17ff:fe94:cbd7/64 scope global dynamic flags 100 
       valid_lft 2591680sec preferred_lft 604480sec
    inet6 fd01:192:168:8::5/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::ecb2:17ff:fe94:cbd7/64 scope link 
       valid_lft forever preferred_lft forever

So far, I’ve found that when Unbound receives queries, it is receiving on its static IPv6 (fd01:192:168:8::7), but is answering from its SLAAC address. I think this is what is causing the queries to fail.
[Image: unbound_wrong_address.png]
Currently, RouterOS neighbor discovery is set to “all” interfaces. I thought about changing it to specific interfaces, but the AdGuard and Unbound containers are part of the same VLAN that other clients use, so that doesn’t seem to help.

Any thoughts on this matter?

Perhaps the daemon / routine responsible for configuration of network interfaces overrides these kernel parameters. Have you followed https://wiki.alpinelinux.org/wiki/Configure_Networking?
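
Added example, not part of any post in this thread: a small POSIX sh audit for the situation described above. It lists the global IPv6 addresses that `ip` marks as `dynamic` and prints the `accept_ra` and `autoconf` values the kernel holds for the interface itself, which are separate keys from the `conf.all` ones queried earlier. The function names, the optional root-directory argument and the embedded sample (copied from the `ip` output in the thread) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a container interface for
# RA-derived addresses and the per-interface settings that allow them.

# Read `ip -6 addr show <iface>` output on stdin and print every
# global-scope address flagged "dynamic" (configured from an RA).
slaac_addrs() {
    awk '$1 == "inet6" && /scope global/ && /dynamic/ { print $2 }'
}

# Print the per-interface accept_ra and autoconf values.
# $1 = interface name, $2 = sysctl root (assumed default: /proc/sys;
# overridable so the function can be exercised offline).
ra_settings() {
    iface=$1
    root=${2:-/proc/sys}
    for key in accept_ra autoconf; do
        f="$root/net/ipv6/conf/$iface/$key"
        if [ -r "$f" ]; then
            printf '%s.%s=%s\n' "$iface" "$key" "$(cat "$f")"
        else
            printf '%s.%s=unreadable\n' "$iface" "$key"
        fi
    done
}

# Constructed sample, taken from the `ip add show eth0` output in the thread.
SAMPLE='    inet 192.168.8.5/24 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fd01:192:168:8:ecb2:17ff:fe94:cbd7/64 scope global dynamic flags 100
       valid_lft 2591680sec preferred_lft 604480sec
    inet6 fd01:192:168:8::5/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::ecb2:17ff:fe94:cbd7/64 scope link
       valid_lft forever preferred_lft forever'

# Offline demonstration on the sample; inside the container, run
#   ip -6 addr show eth0 | slaac_addrs
#   ra_settings eth0
printf '%s\n' "$SAMPLE" | slaac_addrs
```
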