
Create IPv6 guide for Fritz!Box routers

Open AlexanderLieret opened this issue 3 years ago • 12 comments

By submitting this pull request, I confirm the following: please fill any appropriate checkboxes, e.g: [X]

  • [x] I have read and understood the contributors guide, as well as this entire template.
  • [x] I have made only one major change in my proposed changes.
  • [ ] I have commented my proposed changes within the code.
  • [x] I have tested my proposed changes, and have included unit tests where possible.
  • [x] I am willing to help maintain this change if there are issues with it later.
  • [x] I give this submission freely and claim no ownership.
  • [x] It is compatible with the EUPL 1.2 license
  • [ ] I have squashed any insignificant commits. (git rebase)

Please make sure you Sign Off all commits. Pi-hole enforces the DCO.


What does this PR aim to accomplish?: This PR adds a section to configure Pi-hole with Fritz!Box routers with IPv6 enabled.

AlexanderLieret avatar Jan 20 '22 12:01 AlexanderLieret

Deploy Preview for pihole-docs ready!

Name Link
Latest commit 26c5e8d916a39b53a8c00a4a44f6c2751b84707d
Latest deploy log https://app.netlify.com/sites/pihole-docs/deploys/63aec6514bdf0d0008871f5b
Deploy Preview https://deploy-preview-647--pihole-docs.netlify.app

netlify[bot] avatar Jan 20 '22 12:01 netlify[bot]

Thanks for your PR. I was always hoping someone would write an IPv6 guide for Fritz!Box. I have a few general remarks:

  1. Please add a little information on why something should be set the way you recommend it. (E.g. why it is recommended to disable IPv6 privacy extensions, why to change the ULA prefix...)
  2. Please add a section where/how users find out their IPv6 ULA on their Pi-hole device
  3. Please do not duplicate the screenshot. Only show the relevant part. It's a bit confusing if you show the same screenshot for two different sections
  4. Please try to shrink the image file - it's really large.

yubiuser avatar Jan 31 '22 19:01 yubiuser

Thanks for your changes. I think it is much nicer now.

yubiuser avatar Feb 02 '22 20:02 yubiuser

By the way: are you able to write the equivalent German guide?

yubiuser avatar Feb 02 '22 20:02 yubiuser

@AlexanderLieret

Any update on this? It's still in draft mode...

yubiuser avatar Mar 08 '22 19:03 yubiuser

@yubiuser I am working on the German version now. I need to find a good time slot to restart my Fritz!Box to change the language.

AlexanderLieret avatar Mar 10 '22 16:03 AlexanderLieret

@yubiuser I accepted your remarks. I reworked the IPv6 privacy extension section to include more details. Most importantly it is possible to use them but that requires some OS dependent configuration.

AlexanderLieret avatar Mar 28 '22 11:03 AlexanderLieret

I think the "Disable IPv6 privacy extensions for your Pi-hole" section should be removed completely.

First, modifying sysctl would not be enough - depending on the OS and the network tools it would use, changes to sysctl may not be applied fully or may even be outright ignored, instead being overruled by the network tools in use (all the usual suspects, e.g. systemd-networkd, NetworkManager, netplan, ConnMan,...).

Second, and more importantly, as Privacy Extension addresses are created in addition to other IPv6 addresses, disabling Privacy Extensions is not necessary at all. You'd just have to pick a suitable IPv6 address.

I'd therefore like to propose a slightly different ordering of paragraphs and start the guide with a look at the existing IPv6 addresses of Pi-hole's host: (I use the verbose command, and explicitly limit the output to IPv6 and to the interface associated with Pi-hole)

It is essential to pick a stable IPv6 address for Pi-hole. The following section will help you pick a suitable IPv6 address of your Pi-hole host machine. From a terminal on your Pi-hole host, running the following command should list all IPv6 addresses associated with the network interface that your Pi-hole is configured for: (Substitute eth0 as required. Use the 'Interface settings' from Pi-hole's Settings|DNS web interface to determine the interface name.)

~ $ ip -6 address show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd00:1ce:c01d:bee2:5886:3be8:1032:f39d/64 scope global temporary dynamic
       valid_lft 7176sec preferred_lft 3576sec
    inet6 fd00:1ce:c01d:bee2:face:b055:f1ee:f1ea/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 7176sec preferred_lft 3576sec
    inet6 2001:1a57:b007:fa11:a730:2552:35e7:c6e2/64 scope global temporary dynamic
       valid_lft 7176sec preferred_lft 3576sec
    inet6 2001:1a57:b007:fa11:abba:ba1d:face:bf39/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 7176sec preferred_lft 3576sec
    inet6 fe80::dead:c0de:500d:f00d/64 scope link
       valid_lft forever preferred_lft forever

When picking an IPv6 address from that list:

  • avoid GUA (range 2000::/3): your ISP controls your GUA IPv6 prefix, so it may change, either regularly or on router restarts.
    From the above example, don't use the third and fourth address, starting with 2001:
  • avoid Privacy Extension addresses (marked with temporary): the interface identifier portion of an IPv6 address is designed to change regularly, on some systems as often as every hour. From the above example, avoid the first and the third address.

In the example, this would limit the addresses to pick from to the two that are not struck through (the second and the last one in the listing above):

    inet6 fd00:1ce:c01d:bee2:face:b055:f1ee:f1ea/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 7176sec preferred_lft 3576sec
    inet6 fe80::dead:c0de:500d:f00d/64 scope link
       valid_lft forever preferred_lft forever

If in doubt, prefer ULA addresses (range fd00::/8) over link-local addresses (range fe80::/10).

If your FritzBox doesn't issue an IPv6 ULA prefix yet, refer to the following steps that will help you in configuring a ULA prefix.

If you decide against using ULA addresses, be aware that link-local addresses are only reachable on the same link. For a standard home network, that would mean all devices connected through the FritzBox directly. Additional network equipment like access points or L3 switches may split your network into multiple links. Still, for most home networks, configuring a link-local IPv6 of Pi-hole's host machine as DNS server in your FritzBox would probably be fine.

Your paragraphs on actual ULA configuration would then follow.

I especially like your note on ULA prefix generation. :) As this is standardised by RFC 4193, I really think that this should have been covered by FritzBox's manufacturer. As it currently isn't, linking two FB networks via VPN with ULA enabled on both sides is likely to produce the very address conflicts that ULAs were designed to avoid, since I doubt an average user would change that prefix or even use a proper random identifier for it. There are a few online tools around that would do so, e.g. https://www.unique-local-ipv6.com. I struggle whether it would be a good idea to include one of those.. But maybe it would - the exemplary link above also has a decent FAQ section on ULAs. What do you think?

Bucking-Horn avatar Mar 29 '22 08:03 Bucking-Horn
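
The selection rules from the comment above (skip GUA and temporary addresses, prefer ULA over link-local) and the RFC 4193 prefix generation it mentions, as an added Python example that is not part of this PR or of the Pi-hole docs. It parses the `ip -6 address show` listing quoted in the comment (embedded below as constructed sample input) and assumes that output format; `generate_ula_prefix` follows RFC 4193 section 3.2.2 with a caller-supplied EUI-64, which is a hypothetical value here.

```python
import hashlib
import ipaddress
import re
import time

# Constructed sample input: the `ip -6 address show dev eth0` listing quoted in the thread.
SAMPLE_IP_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd00:1ce:c01d:bee2:5886:3be8:1032:f39d/64 scope global temporary dynamic
       valid_lft 7176sec preferred_lft 3576sec
    inet6 fd00:1ce:c01d:bee2:face:b055:f1ee:f1ea/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 7176sec preferred_lft 3576sec
    inet6 2001:1a57:b007:fa11:a730:2552:35e7:c6e2/64 scope global temporary dynamic
       valid_lft 7176sec preferred_lft 3576sec
    inet6 2001:1a57:b007:fa11:abba:ba1d:face:bf39/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 7176sec preferred_lft 3576sec
    inet6 fe80::dead:c0de:500d:f00d/64 scope link
       valid_lft forever preferred_lft forever
"""

GUA = ipaddress.IPv6Network("2000::/3")          # ISP controls the prefix; may change
ULA = ipaddress.IPv6Network("fd00::/8")          # locally assigned; stable across restarts
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")  # stable, but only reachable on the same link

def classify(ip_output):
    """Yield (address, kind, is_temporary) for every inet6 line of `ip -6 address show`."""
    for line in ip_output.splitlines():
        m = re.match(r"\s*inet6\s+(\S+)/\d+\s+(.*)", line)
        if not m:
            continue
        addr, flags = ipaddress.IPv6Address(m.group(1)), m.group(2).split()
        kind = next((name for name, net in (("gua", GUA), ("ula", ULA), ("link-local", LINK_LOCAL))
                     if addr in net), "other")
        yield addr, kind, "temporary" in flags   # 'temporary' marks a privacy-extension address

def pick_stable_address(ip_output):
    """Skip GUA and temporary addresses, then prefer ULA over link-local; None if nothing fits."""
    stable = [(addr, kind) for addr, kind, temp in classify(ip_output) if not temp]
    for preferred in ("ula", "link-local"):
        for addr, kind in stable:
            if kind == preferred:
                return str(addr)
    return None

def generate_ula_prefix(eui64, now=None):
    """RFC 4193 section 3.2.2: fd || 40 low bits of SHA-1(64-bit NTP time || EUI-64), as a /48."""
    now = time.time() if now is None else now
    ntp_time = (int(now) + 2208988800) << 32 | int((now % 1) * 2**32)  # seconds since 1900, fraction
    global_id = hashlib.sha1(ntp_time.to_bytes(8, "big") + bytes(eui64)).digest()[-5:]
    return ipaddress.IPv6Network((b"\xfd" + global_id + bytes(10), 48))
```

Feed `pick_stable_address` the real output of `ip -6 address show dev <iface>` on the Pi-hole host to get the address to enter in the FritzBox; `generate_ula_prefix` gives a properly random /48 to replace the FritzBox default ULA prefix with.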

@AlexanderLieret We merged two upstream PRs into this one to fix the upstream issue of the broken netlify preview generation. You need to update your local branch before pushing new changes.

yubiuser avatar Mar 29 '22 19:03 yubiuser

@AlexanderLieret

Any update on the comments from Bucking-Horn

yubiuser avatar May 21 '22 19:05 yubiuser

@yubiuser Sorry for the long delay. I did not receive a notification for Bucking-Horn's comments.

I agree on most comments because of the repetitions. They are left overs from restructuring the guide.

AlexanderLieret avatar May 30 '22 10:05 AlexanderLieret

@AlexanderLieret

I agree on most comments because of the repetitions. They are left overs from restructuring the guide.

Are you going to continue to work on this guide? Did you forget to push changes?

I really would like to see this live :-)

yubiuser avatar Jun 27 '22 15:06 yubiuser

This pull request has conflicts, please resolve those before we can evaluate the pull request.

github-actions[bot] avatar Dec 19 '22 22:12 github-actions[bot]

Conflicts have been resolved.

github-actions[bot] avatar Dec 29 '22 17:12 github-actions[bot]

I consider this PR abandoned so I took the liberty of resolving the merge conflicts myself by rebasing on master. Furthermore, I simplified the instructions by just advising to set up ULA addresses and use them instead of trying to educate users to pick the right address.

While the latter isn't a bad idea, I don't think the text we had here was sufficient for this. Those who know how to understand 2000::/3 don't need to be educated; the others won't understand why some 2001:... address should be within 2000::/3.

DL6ER avatar Dec 29 '22 17:12 DL6ER

This pull request has conflicts, please resolve those before we can evaluate the pull request.

github-actions[bot] avatar Dec 30 '22 06:12 github-actions[bot]

Conflicts have been resolved.

github-actions[bot] avatar Dec 30 '22 06:12 github-actions[bot]