LAN with ot-daemon only, source address binding necessary

[zougloub]

I have setup a mesh network made of Linux hosts running ot-daemon (deliberately not running a border router, to keep things simple).

I notice that in this configuration, when I ping ML-EID addresses from ot-cmd, it works:

> ping fdd6:bc3e:4571:7e67:1bcf:82a:7bcf:a17d
16 bytes from fdd6:bc3e:4571:7e67:1bcf:82a:7bcf:a17d: icmp_seq=2 hlim=64 time=13ms
1 packets transmitted, 1 packets received. Packet loss = 0.0%. Round-trip min/avg/max = 13/13.0/13 ms.
Done

However when the addresses are pinged from linux, it doesn't work, unless I force-bind the source IPs:

$ ping -6 fdd6:bc3e:4571:7e67:1bcf:82a:7bcf:a17d -c 1 -w 1
PING fdd6:bc3e:4571:7e67:1bcf:82a:7bcf:a17d(fdd6:bc3e:4571:7e67:1bcf:82a:7bcf:a17d) 56 data bytes
1 packets transmitted, 0 received, 100% packet loss, time 0ms

$ ping -6 -I fdd6:bc3e:4571:7e67:fd2b:9df7:7fc0:2f6a fdd6:bc3e:4571:7e67:1bcf:82a:7bcf:a17d -c 1
PING fdd6:bc3e:4571:7e67:1bcf:82a:7bcf:a17d(fdd6:bc3e:4571:7e67:1bcf:82a:7bcf:a17d) from fdd6:bc3e:4571:7e67:fd2b:9df7:7fc0:2f6a : 56 data bytes
1 packets transmitted, 1 received, 0% packet loss, time 0ms

In the same fashion there is a way to get bidirectional UDP traffic to work, but I was wondering if there was a possible or recommended way to avoid the contortions.

[wgtdkp]

The problem is that Mesh Local addresses (including ML-EID, ALOC and RLOC) of the Thread interface (i.e. wpan0) are set to deprecated which makes the kernel not to choose those as source address for your traffics initiated from linux host. If you take a look in ot-daemon logs, you can see the ULA (or GUA) of your Wi-Fi or Ethernet interface may be selected as the source address of your ping request.

./build/src/posix/ot-daemon[1845759]: 00:07:03.731 [I] MeshForwarder-: Sent IPv6 ICMP6 msg, len:104, chksum:a2c0, ecn:no, to:0x7800, sec:yes, prio:low
./build/src/posix/ot-daemon[1845759]: 00:07:03.731 [I] MeshForwarder-:     src:[2401:fa00:41:23:6cb8:ea62:706b:8cd6]
./build/src/posix/ot-daemon[1845759]: 00:07:03.731 [I] MeshForwarder-:     dst:[fdde:ad00:beef:0:47b9:8a1a:b7cf:b4af]

But since you are not running as a border router, there is no routes in the Thread netdata that can be used to direct the ping reply back to your linux host.

To solve this issue, you can rebuild ot-daemon with -DOT_BORDER_ROUTER=ON -DOT_NETDATA_PUBLISHER=ON and add a default route:

sudo ./build/src/posix/ot-ctl netdata publish route ::/0 s high

---

There is actually another issue that you can only ping with ML-EID - ALOC and RLOC doesn't work, even they are specified as the source address. This should be resolved by #8203

[HiFiPhile]

Hi @wgtdkp,

Thanks for your explanation, could you elaborate why Mesh Local addresses are set to deprecated ? And is there anyway to disable this behavior ?

We are building an IoT box who has Internet access but with isolated Thread network, so I disabled OT_BORDER_ROUTER to prevent Thread devices communicate with outside world.

[jwhui]

Many uses cases require Thread devices to communicate with Wi-Fi devices across the border router, which is different from the public Internet. One of the benefits of IP is to allow combining multiple networks (e.g. Wi-Fi and Thread) within the same home.

In general, a Thread Border Router will configure an off-mesh routable prefix, which means that setting the mesh-local address as deprecated should be fine.

Rather than completely disabling Thread Border Router support, would it work to setup firewall rules to block communication with the public Internet?

[HiFiPhile]

Wi-Fi devices across the border router, which is different from the public Internet.

You mean the case where border router has 2 network interfaces, one for local Thread devices, another for Internet access ?

would it work to setup firewall rules to block communication with the public Internet?

Once border router is enabled it will announce BR ULA prefix through the backbone network, I don't want any information leak into the backbone.

In addition in our case backbone network is not always the same, it switches between WiFi Client/AP, wired, 4G etc, which makes firewall rule update complicated.

For now I'm using this workaround :

sudo ip -6 addr change `sudo ot-ctl ipaddr mleid | head -n 1 | tr -dc ‘[:print:]‘` dev wpan0 preferred_lft forever