I’m having trouble getting IPv6 DHCP to work properly with my nftables setup. When I run dhclient with the IPv6 option, it keeps sending Rebind requests but never gets any response back from the server.
Here’s my current nftables configuration:
table inet security {
    chain incoming {
        type filter hook input priority filter; policy drop;
        ct state invalid drop comment "drop invalid connections"
        ct state established,related accept comment "allow established connections"
        ct helper "ftp" accept
        iifname "lo" accept comment "allow loopback traffic"
        iifname "lo" ip saddr != 127.0.0.0/8 drop
        iifname "lo" ip6 saddr != ::1 drop
        ip protocol icmp accept comment "allow ICMP traffic"
        meta l4proto ipv6-icmp accept comment "Allow IPv6 ICMP"
        jump incoming-services
        jump outgoing-services
    }
    chain forwarding {
        type filter hook forward priority filter; policy drop;
        ct state established,related,new accept
        iifname "br0" accept comment "bridge forwarding"
    }
    chain outgoing {
        type filter hook output priority filter; policy accept;
        oifname "lo" accept comment "loopback output"
        oifname "lo" ip daddr != 127.0.0.0/8 drop
        oifname "lo" ip6 daddr != ::1 drop
    }
    chain incoming-services {
        tcp dport 21 accept
        tcp dport 23 accept
    }
    chain outgoing-services {
        tcp dport 20 accept
    }
}
The dhclient output shows it’s trying to communicate but not receiving any advertise messages from the DHCP server. When I disable nftables completely, everything works fine with my router. What am I missing in my firewall rules to allow IPv6 DHCP traffic?
Interesting issue! I’ve hit similar problems with IPv6 DHCP and nftables.
Looking at your config, I think you’re not allowing the DHCP traffic itself. Your rules don’t seem to catch DHCPv6 packets - IPv6 DHCP uses UDP ports 546 (client) and 547 (server), but I don’t see any UDP rules in your config. You’ve got TCP ports like 21, 23, etc., but no UDP.
Try adding:
udp sport 546 udp dport 547 accept comment "dhcpv6 client"
udp sport 547 udp dport 546 accept comment "dhcpv6 server"
Also noticed you have that br0 rule in forwarding - are you running this on a bridge? DHCP can get tricky with bridges depending on your network setup.
What interface is dhclient trying to get an address on? Have you tried tcpdump or wireshark to see if packets are actually leaving your machine? That’d help figure out if it’s a firewall issue or something else.
One more thing - some routers are picky about DHCPv6 vs SLAAC. Does your router actually support DHCPv6 or is it expecting stateless autoconfiguration instead?
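For concreteness, here is what the poster's incoming-services chain looks like with the DHCPv6 rule placed in it. This is an added example, not a ruleset from anyone in the thread; the table and chain names come from the posted configuration, and the only new line is the accept for server-to-client DHCPv6 traffic. Because the input chain already jumps to incoming-services, a rule here is reached for packets that the earlier `ct state established,related accept` did not catch:

```nft
table inet security {
    chain incoming-services {
        tcp dport 21 accept
        tcp dport 23 accept
        # DHCPv6 server or relay -> client (Advertise, Reply, Reconfigure).
        # Needed despite the "ct state established,related accept" rule in the
        # input chain: the client's Solicit/Rebind went to ff02::1:2, and the
        # unicast reply from the server's own address does not match that
        # flow's reply tuple, so conntrack classifies it as "new".
        udp sport 547 udp dport 546 accept comment "dhcpv6 server -> client"
        # Optional tightening if your server/relay is known to answer from a
        # link-local address: prepend "ip6 saddr fe80::/10" to the rule above.
    }
}
```

Check the file with `nft -c -f <file>` before loading it. To confirm that the firewall, and not the network, is dropping the Advertise, run `tcpdump -ni <iface> 'udp port 546 or udp port 547'` during a dhclient run: tcpdump taps the interface before the input hook, so seeing the server's reply there while dhclient never gets it points at the ruleset. `nft monitor trace` together with a `meta nftrace set 1` rule at the top of the incoming chain shows exactly which rule the packet ends on.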
Your nftables configuration is lacking the necessary UDP rules, which is likely the cause of the DHCPv6 failure. DHCPv6 relies on UDP ports 546 for client requests and 547 for server responses, and your current setup only includes TCP rules. I encountered a similar challenge when I moved from iptables to nftables on my home network.
To resolve this issue, please add the following UDP rules to your incoming-services chain:
udp sport 547 udp dport 546 accept comment "dhcpv6 responses"
udp sport 546 udp dport 547 accept comment "dhcpv6 requests"
Furthermore, DHCPv6 requires access to link-local multicast addresses which isn’t addressed in your current rules. Ensure you allow traffic to the fe80::/10 range and the All_DHCP_Relay_Agents_and_Servers multicast group. Without these configurations, your DHCP client requests will not reach the server, and the server’s responses will fail to return. Given that disabling nftables resolves the issue, it points toward a problem with your current firewall rules rather than the network configuration.
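The claim that the server's responses "fail to return" is worth pinning down, since the poster does have a `ct state established,related accept` rule. The following is an added example, not code from the thread: a deliberately small model of conntrack's reply-tuple matching, run over a constructed Solicit/Advertise pair with made-up link-local addresses. It only models the reply direction and treats a flow as confirmed when the ruleset accepted its first packet; real conntrack does more, but this is the part that matters here. The rule predicates mirror the nftables rules proposed in the thread.

```python
"""Why a DHCPv6 Advertise is 'new' to conntrack even after the client sent a
Solicit. Added example with constructed addresses; simplified conntrack model."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

DHCPV6_CLIENT_PORT = 546
DHCPV6_SERVER_PORT = 547
ALL_DHCP_RELAY_AGENTS_AND_SERVERS = IPv6Address("ff02::1:2")
LINK_LOCAL = IPv6Network("fe80::/10")


@dataclass(frozen=True)
class Udp6Packet:
    saddr: IPv6Address
    sport: int
    daddr: IPv6Address
    dport: int

    def reply_tuple(self) -> Udp6Packet:
        """What conntrack expects the reply to look like: addresses and ports swapped."""
        return Udp6Packet(self.daddr, self.dport, self.saddr, self.sport)


class ConntrackTable:
    """Minimal model: remembers the reply tuple of every confirmed flow."""

    def __init__(self) -> None:
        self._expected_replies: set[Udp6Packet] = set()

    def state_of(self, pkt: Udp6Packet) -> str:
        return "established" if pkt in self._expected_replies else "new"

    def confirm(self, pkt: Udp6Packet) -> None:
        # Conntrack only confirms an entry for a packet the hooks accepted.
        self._expected_replies.add(pkt.reply_tuple())


# The rules discussed in the thread, as predicates over one packet.
def rule_ct_established(ct: ConntrackTable, pkt: Udp6Packet) -> bool:
    """ct state established,related accept  (the poster's existing rule)"""
    return ct.state_of(pkt) == "established"


def rule_server_to_client(pkt: Udp6Packet) -> bool:
    """udp sport 547 udp dport 546 accept"""
    return pkt.sport == DHCPV6_SERVER_PORT and pkt.dport == DHCPV6_CLIENT_PORT


def rule_multicast_daddr(pkt: Udp6Packet) -> bool:
    """ip6 daddr ff02::1:2 accept"""
    return pkt.daddr == ALL_DHCP_RELAY_AGENTS_AND_SERVERS


def simulate_exchange() -> dict[str, object]:
    client = IPv6Address("fe80::1")  # constructed client link-local address
    server = IPv6Address("fe80::2")  # constructed server link-local address
    ct = ConntrackTable()

    # 1. Client sends Solicit (or Rebind) to the All_DHCP_Relay_Agents_and_Servers
    #    group. The poster's output chain is policy accept, so it is confirmed and
    #    conntrack now expects a reply with src=ff02::1:2 sport 547.
    solicit = Udp6Packet(client, DHCPV6_CLIENT_PORT,
                         ALL_DHCP_RELAY_AGENTS_AND_SERVERS, DHCPV6_SERVER_PORT)
    ct.confirm(solicit)

    # 2. The server answers with a unicast Advertise from its own address.
    #    src is fe80::2, not ff02::1:2, so the reply tuple does not match.
    advertise = Udp6Packet(server, DHCPV6_SERVER_PORT, client, DHCPV6_CLIENT_PORT)

    return {
        "advertise_ct_state": ct.state_of(advertise),
        "accepted_by_established_rule": rule_ct_established(ct, advertise),
        "accepted_by_port_rule": rule_server_to_client(advertise),
        "multicast_rule_matches_advertise": rule_multicast_daddr(advertise),
        "multicast_rule_matches_solicit": rule_multicast_daddr(solicit),
        "advertise_is_link_local": advertise.saddr in LINK_LOCAL
        and advertise.daddr in LINK_LOCAL,
    }


if __name__ == "__main__":
    for key, value in simulate_exchange().items():
        print(f"{key}: {value}")
```

The model shows the mechanism behind the symptom: the Advertise is classified `new`, so only an explicit `udp sport 547 udp dport 546` rule in the input path lets it through. It also shows that an `ip6 daddr ff02::1:2` match fits the outbound Solicit (already allowed by the poster's output policy) rather than the inbound, unicast Advertise.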
DHCPv6 needs multicast support - your rules might be blocking it. DHCPv6 uses ff02::1:2 for Solicit messages. Add ip6 daddr ff02::1:2 accept to your incoming chain. Also check if IPv6 forwarding is enabled in sysctl - it can mess with DHCP even on the client side.