Fixing IPv6 Router Advertisements on the UDM Pro

I recently bought a UniFi Dream Machine Pro to replace the Cisco router used for my home internet (and inter-VLAN routing) function. I’ve really enjoyed using the UniFi wireless and switching gear, so I thought I’d try their router/firewall as well. On the whole the device is pretty cool, but they’ve clearly rushed it into production given the range of bugs found already (and seen in the community). In my case, the one causing me grief was their IPv6 support. It seems they’re using a BusyBox operating system with DNSMasq performing the IPv6 router advertisements and DHCPv6 functions. The configuration more or less forces you to use DHCPv6, which is completely unnecessary for an autoconfigured IPv6 network (which was more or less a key point of IPv6).

The problem encountered was that I was not receiving IPv6 router advertisements from the router, and therefore the clients were not autoconfiguring an IPv6 address. If I enabled DHCPv6, I could then see router advertisements being sent, but with incorrect flags set in the packet.

After a bit of research, I was able to determine that they were using DNSMasq for this function, and that the UniFi application was managing the configuration files for DNSMasq – and incorrectly I might add.

Whilst my ISP supports prefix delegation and I have a static /56 prefix, the prefix delegation function was also misbehaving in the UDM Pro.

I was able to correct the functionality from the UDM Pro with a couple of scripts, and a package created by BoostChicken. The high level steps involved:

  1. I assigned static IPv6 addresses to each LAN interface, and disabled Router Advertisements (they weren’t working anyway), and disabled DHCPv6.
  2. I created a custom DNSMasq configuration file configured to provide stateless router advertisements for the prefixes assigned to my LAN interfaces (/mnt/data/on_boot.d/customipv6.conf).
  3. I created a shell script to copy that DNSMasq configuration file from the persistent storage on the device to the DNSMasq config directory and then restart DNSMasq (/mnt/data/on_boot.d/customipv6.sh).
  4. I used the BoostChicken on boot script package. This was needed to ensure the UDM Pro would execute a script for me on each boot (as it wipes out most other changes you’d make to the OS).

Here’s my /mnt/data/on_boot.d/customipv6.conf file (I’ve replaced my addresses with fake ones for the purpose of the blog). I also assigned the IPv6 DNS servers to internal DNS servers of mine – could have used Google’s or the ISP’s DNS instead.

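# One dhcp-range per LAN prefix. ra-stateless sends RAs with the O and A bits set:
# clients form SLAAC addresses and use DHCPv6 only for other settings such as DNS.
dhcp-range=240Y:ABCD:XXXX:a900::,ra-stateless
dhcp-range=240Y:ABCD:XXXX:a901::,ra-stateless
dhcp-range=240Y:ABCD:XXXX:a902::,ra-stateless
# IPv6 DNS servers handed to clients through stateless DHCPv6
dhcp-option=option6:dns-server,[240Y:ABCD:XXXX:a900::3],[240Y:ABCD:XXXX:a900::4]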

Here’s my /mnt/data/on_boot.d/customipv6.sh script.

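#!/bin/sh

# Copy the custom config from persistent storage into the dnsmasq config directory
cp /mnt/data/on_boot.d/customipv6.conf /run/dnsmasq.conf.d/

# Stop the running dnsmasq (-K stop, -q quiet, -x match by executable) so it restarts and reads the new file
start-stop-daemon -K -q -x /usr/sbin/dnsmasq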

The installation procedure for the package is defined on the package owner’s GitHub page, but here is a copy of what I used (it may change in future versions of the package however). These commands were executed through SSH into the UDM Pro.

unifi-os shell

curl -L https://raw.githubusercontent.com/boostchicken/udm-utilities/master/on-boot-script/packages/udm-boot_1.0.5_all.deb -o udm-boot_1.0.5_all.deb
dpkg -i udm-boot_1.0.5_all.deb
exit

Once the package was installed, I copied my .conf and .sh files to the /mnt/data/on_boot.d directory on the UDM Pro, and rebooted. Sure enough, I was now receiving the correct stateless router advertisements on all LAN interfaces, my clients then autoconfigured, and everything is working.
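To check what a router advertisement actually carries, the following added example (not part of the original post or of the UDM software) parses the ICMPv6 RA header and Prefix Information option per RFC 4861 and names the addressing mode implied by the M, O and A flags. The sample packets and the 2001:db8:a900::/64 documentation prefix are constructed for illustration; `parse_ra`, `classify` and `build_sample` are hypothetical helper names.

```python
import ipaddress
import struct

def parse_ra(icmp6: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (RFC 4861), starting at the ICMPv6 header."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not a Router Advertisement")
    flags = icmp6[5]
    ra = {"managed": bool(flags & 0x80),  # M: addresses come from DHCPv6
          "other": bool(flags & 0x40),    # O: other config (e.g. DNS) from DHCPv6
          "router_lifetime": struct.unpack("!H", icmp6[6:8])[0],
          "prefixes": []}
    pos = 16
    while pos + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[pos], icmp6[pos + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmp6):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:  # Prefix Information option
            plen, pflags = icmp6[pos + 2], icmp6[pos + 3]
            prefix = ipaddress.IPv6Address(icmp6[pos + 16:pos + 32])
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}",
                                   "on_link": bool(pflags & 0x80),      # L flag
                                   "autonomous": bool(pflags & 0x40)})  # A flag
        pos += opt_len
    return ra

def classify(ra: dict) -> str:
    """Name the addressing mode a client will infer from the M, O and A flags."""
    slaac = any(p["autonomous"] for p in ra["prefixes"])
    if ra["managed"]:
        return "stateful DHCPv6 + SLAAC" if slaac else "stateful DHCPv6"
    if slaac:
        return "SLAAC + stateless DHCPv6" if ra["other"] else "SLAAC only"
    return "no address autoconfiguration"

def build_sample(flags: int, pflags: int) -> bytes:
    """Constructed RA for 2001:db8:a900::/64 (documentation prefix), checksum left at 0."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, 64, pflags, 86400, 14400, 0)
    return hdr + pio + ipaddress.IPv6Address("2001:db8:a900::").packed

if __name__ == "__main__":
    for name, pkt in [("ra-stateless (O+A)", build_sample(0x40, 0xC0)),
                      ("M+O, A clear", build_sample(0xC0, 0x80))]:
        print(name, "->", classify(parse_ra(pkt)))
```

The input to `parse_ra` is the ICMPv6 payload of a captured RA, without the IPv6 header.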

I’ll need to keep an eye on this as I do firmware updates on the UDM Pro. Hopefully they’ll offer a stateless (and working) router advertisement configuration in a later release.

~ Mike

22 thoughts on “Fixing IPv6 Router Advertisements on the UDM Pro”

  1. This is a fantastic find. Have been annoyed with the broken ipv6 support on the UDM pro since I “upgraded” from the USG.

  2. Thanks for pointing me in the right direction. I needed a slightly different set-up than you: I run my own DHCPv6 on the Management LAN and was getting confused that the UDM Pro would not advertise the router even though the RA tick was set. This config does it for me:

    enable-ra
    ra-param=br0,high,0
    domain=
    dhcp-range=set:,,ra-only

    Clients get DHCPv6 offer from my DHCP server and RA from UDM Pro. Not sure if the “domain” entry does anything, but seems to do no harm either.

    1. I’m currently having this issue on a UDM SE. I also have an external DHCPv6 server and I tried your configuration example but I’m only getting autoconf IPv6 addresses. Here’s what I have in my customipv6.conf file:

      enable-ra
      ra-param=*,high,0
      domain=my.domain
      dhcp-range=2001:470:xxxx::,ra-only
      dhcp-range=2001:470:xxxx:10::,ra-only
      dhcp-range=2001:470:xxxx:20::,ra-only
      dhcp-range=2001:470:xxxx:40::,ra-only

      I’ve also tried ra-names,slaac instead of ra-only but that didn’t make a difference.

      1. Howdy, drop the ra-only from the subnets. enable-ra by itself should set the appropriate bits in the RA so that the client then looks for a DHCPv6 server for the additional config (e.g. DNS).

      2. After help from Simon Kelley I’d got everything working correctly with the UDM SE and my external DNS and DHCP/DHCPv6 servers.

        This is my /mnt/data/on_boot.d/customipv6.conf file:

        #!/bin/sh
        cp /mnt/data/on_boot.d/customipv6.conf /run/dnsmasq.conf.d/
        cp /mnt/data/on_boot.d/resolv.conf /etc/
        start-stop-daemon -K -q -x /usr/sbin/dnsmasq

        Since this requires disabling DNS in dnsmasq /etc/resolv.conf has to be replaced with a new file pointing to the external DNS servers.

        This is my /mnt/data/on_boot.d/customipv6.conf file:

        # Disable DNS, required to avoid having dnsmasq return
        # the router IP as a DNS server
        port=0
        # Enable RAs
        enable-ra
        # Enable RA on all interfaces with high priority
        ra-param=*,high,0
        # Set the domain
        domain=mydomain
        # Configure each VLAN for RAs but turn off the DHCPv6
        # server and make sure the M and O flags are set and the
        # A flag is reset. If SLAAC IPv6 addresses are desired
        # append ",slaac"
        dhcp-range=2001:470:xxxx::,static
        dhcp-range=2001:470:xxxx:10::,static
        dhcp-range=2001:470:xxxx:20::,static
        dhcp-range=2001:470:xxxx:40::,static

  3. Thank you! I was able to configure and fix IPv6 on my UDM-Base. My ISP assigns me a Static IPv6 LAN and RA was NOT working with the stock UniFi settings, only DHCP. Following your guide I just plopped my static IPv6 LAN into the config example you provided and everything works with stateless now. Thanks!!

    1. It still works with the current versions of the platform. I’ve been continuing to upgrade the OS without any issues. If you’re having issues, check if there’s a later version of the on boot component.

  4. Hi Mike,

    I want to use this and I already installed boostchicken.
    That was the easy part 😉

    I’m stuck with the /mnt/data/on_boot.d/customipv6.conf part.
    How do I make the IPv6 dhcp ranges?

    dhcp-range=240Y:ABCD:XXXX:a900::,ra-stateless
    dhcp-range=240Y:ABCD:XXXX:a901::,ra-stateless
    dhcp-range=240Y:ABCD:XXXX:a902::,ra-stateless
    dhcp-option=option6:dns-server,[240Y:ABCD:XXXX:a900::3],[240Y:ABCD:XXXX:a900::4]

  5. Thank you so much for sharing, I was going out of ideas why on earth the RA is not functioning. Great stuff!

  6. Thanks for Mike / Eric using the external DHCPv6 server and using the exact config (with a different address) as Eric pasted above. The UDM is now sending RA and DHCPv6 works! But for some reason, none of my devices can route any IPv6 traffic. traceroute/ping6 all fail and I’m having a heck of a time trying to figure out what I missed.
