dnsmasq dhcp: Clients accumulating invalid IPv6 addresses when upstream changes

Started by fab, April 05, 2026, 04:37:22 PM

Hello dear forum. I'm trying to migrate to the new dnsmasq DNS/DHCP server at the moment. But I have a strange problem, that if upstream [WAN] changes the delegated /56 prefix (when restarting the router for example), my WHOLE network accumulates these new addresses without invalidating the old defunct IPv6 addresses and the servers and workstations still try to use these invalid addresses, which of course ends with an error. And I can't test this without completely restarting my router. I still haven't found an option to trigger this dnsmasq functionality without restarting my router (sorry for being such a noob). It worked flawlessly with the old ISC dhcp server, and the old addresses were invalidated properly. I'm really frustrated, because I have no idea why this is happening. The only thing I can do if upstream [WLAN] disconnects (through a reboot of OpnSense), is restart all my servers and workstations, to get a good set of IPv6 addresses until [WLAN] goes down again.

And there's another problem (which many people seem to have according to Google). On some machines there are still "valid" IPv6 addresses which have a lifetime of 24h and I can't get rid of them.

I can't give much in the way of logs (there aren't many informative messages anyway), but I hope someone can help me anyway. But please be a little patient, I'm not dumb, but this kind of problem is completely new to me and IPv6 is really complicated. On one side I want the new functionality (if it worked) and on the other side my old setup with ISC dhcp worked as expected (I have 7 VLANs which worked flawlessly).

Thanks a lot,
fab

This sounds like stale RA lifetimes rather than dnsmasq itself; clients keep old prefixes until they expire. Have you checked if your RA settings properly deprecate old prefixes or tried lowering valid/preferred lifetimes?

Quote from: Othvez on Today at 04:29:55 PM
This sounds like stale RA lifetimes rather than dnsmasq itself; clients keep old prefixes until they expire. Have you checked if your RA settings properly deprecate old prefixes or tried lowering valid/preferred lifetimes?

Dnsmasq should deprecate old prefixes automatically if I use it for the RAs, when set up new, or? But it doesn't. All machines accumulate and try to use these prefixes until their lifetime is up (that was 84600 secs (unconfigured)). I set these down to 7200 seconds, but these have still to time out the full lifetime until they are not (erroneously) used anymore.

And if I restart my OpnSense Router with dnsmasq set up three times, I get a new set of three "valid" IPv6 addresses on each machine, although the prefixes are deprecated, which are all tried to be used despite being deprecated. I haven't tested but it's also possible that these deprecated addresses are renewed once the lifetime is up despite being deprecated. I'm not sure what's wrong with dnsmasq but it doesn't deprecate old prefixes, it seems. Not sure what settings are wrong.

In the meantime I've gone back to the old, original RA service in the router by completely rolling back my settings from backup. So now I'm using the original RA service with the old ISC DHCP server and the problems are gone for now. But I really want to use dnsmasq for its advantages in future (together with unbound), because it completely resolves also dynamic IPv6 addresses (DNS) for dhcp(v6), dns and RAs. But if it stays this way, there's no way for me to use dnsmasq.

I would be really thankful, if someone could point out which settings I have to apply to correctly deprecate old prefixes and what could be wrong.

Thank you,
fab
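
A way to check on a Linux client which accumulated addresses are still preferred and which are only deprecated, as an added example that is not part of the original thread: it parses `ip -6 addr show` output and compares each global address against the currently delegated prefix. The sample output, the `2001:db8:...` documentation prefixes and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show dev eth0` after two prefix changes.
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:bb00:10:a1b2:c3ff:fed4:e5f6/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 7100sec preferred_lft 3500sec
    inet6 2001:db8:aa00:10:a1b2:c3ff:fed4:e5f6/64 scope global deprecated dynamic mngtmpaddr noprefixroute
       valid_lft 5200sec preferred_lft 0sec
    inet6 2001:db8:9900:10:a1b2:c3ff:fed4:e5f6/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 80000sec preferred_lft 3000sec
    inet6 fe80::a1b2:c3ff:fed4:e5f6/64 scope link
       valid_lft forever preferred_lft forever
"""

ADDR_RE = re.compile(r"^\s+inet6 (\S+)/\d+ scope (\S+)")
LFT_RE = re.compile(r"valid_lft (\S+) preferred_lft (\S+)")


def _secs(token):
    """'3500sec' -> 3500, 'forever' -> None."""
    return None if token == "forever" else int(token.replace("sec", ""))


def classify(ip_output, delegated_prefix):
    """Return (address, state, valid_lft) for every global-scope address."""
    current = ipaddress.ip_network(delegated_prefix)
    rows, pending = [], None
    for line in ip_output.splitlines():
        addr_match = ADDR_RE.match(line)
        if addr_match:
            # Remember global addresses only; link-local ones are not delegated.
            pending = addr_match.group(1) if addr_match.group(2) == "global" else None
            continue
        lft_match = LFT_RE.search(line)
        if lft_match and pending:
            addr = ipaddress.ip_address(pending)
            valid, preferred = _secs(lft_match.group(1)), _secs(lft_match.group(2))
            if addr in current:
                state = "current"
            elif preferred == 0:
                state = "stale-deprecated"   # RA set preferred lifetime to 0
            else:
                state = "stale-preferred"    # old prefix was never deprecated
            rows.append((str(addr), state, valid))
            pending = None
    return rows


if __name__ == "__main__":
    for row in classify(SAMPLE, "2001:db8:bb00::/56"):
        print(*row)
```

On a real client, pass the output of `ip -6 addr show dev <interface>` and the prefix currently delegated by upstream; any `stale-preferred` row is an address from an old prefix that never received a preferred lifetime of 0.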