Using Thread with a FortiGate firewall

Hey community!

Might be a bit of an edge case here, but I’m posting this in case someone experiences the same issues.

TL;DR
Do not use a publicly routable IPv6 prefix for handing out addresses through SLAAC.
Use a prefix in the fc00::/7 (ULA) range.

I’ve recently bought a Nuki smart lock and wanted to add it to Home Assistant using Thread.

I had IPv6 set up correctly on my IoT network within my FortiGate firewall, enabling both SLAAC and DHCPv6 for giving out addresses and DNS config. Through my ISP I’m given a publicly routable IPv6 /56 prefix, and in the true spirit of IPv6 I set a /64 prefix from within this range for my IoT network.

This seemed to work fine. When I connected my iPhone to the IoT network it clearly gave me three IPv6 addresses: one link-local address, one from SLAAC, and one from DHCPv6, the last two being within the /64 prefix I had set. All good, right? IPv6 for days!

When I tried to pair the Nuki via Thread, things turned out not to be so fun. For reference, I’m using a Home Assistant ZBT-1 dongle with the Thread firmware and the OTBR add-on. It constantly gave me error messages like this when pairing the device:

00:19:56.629 [N] MeshForwarder-: Failed to send IPv6 UDP msg, len:426, chksum:8e38, ecn:no, to:0xb802, sec:yes, error:NoAck, prio:low, radio:all
00:19:56.629 [N] MeshForwarder-:     src:[2a02:22a0:bbba:8523:c1ef:d29c:79dd:7241]:51128
00:19:56.629 [N] MeshForwarder-:     dst:[fd98:7c42:b847:1:b551:66a9:9f76:5ea1]:5540

The src address here is my phone with the publicly routable IP it has been assigned, and the dst address is the Nuki device with the IP the border router assigned it within its ULA.

After a lot of troubleshooting and pulling my hair out I was like “scrap the IPv6 config and start over”. This time I added a second IPv6 /64 in the fc00::/7 (ULA) range to the FortiGate’s interface and added this prefix to SLAAC instead of the publicly routable prefix.

This seemed to fix all the issues and the Nuki paired like a charm!!

The exact cause of this issue is still unknown to me. I believe it has something to do with the IPv6 Router Advertisements not propagating when using the publicly routable prefix. Checking the FortiGate’s logs I didn’t see any RA broadcasts coming by.

So yeah, if you find yourself in a similar situation, I hope this helps!
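For readers who want to reproduce the working setup, here is what the post's fix looks like as a FortiOS CLI fragment. This is an added example, not the author's own config export: the interface name "iot", the documentation prefix 2001:db8:abcd:1::/64 standing in for the ISP-delegated /64, and the ULA fd5b:2e1a:9c70:1::/64 are all placeholders (generate your own random fdxx:: prefix per RFC 4193 and make sure it differs from the Thread border router's mesh-local ULA, fd98:7c42:b847::/64 in the log above). The option names are the ones FortiOS uses for IPv6 interface settings as I know them; check them against your firmware version before pasting. The lines starting with # are annotations to strip before pasting.

```text
config system interface
    edit "iot"
        config ipv6
            set ip6-mode static
            # The public /64 stays on the interface as the primary address
            # but is deliberately NOT listed for SLAAC below.
            set ip6-address 2001:db8:abcd:1::1/64
            # Second /64 from the ULA range on the same interface
            # (placeholder prefix, replace with your own fdxx:: prefix).
            config ip6-extra-addr
                edit fd5b:2e1a:9c70:1::1/64
                next
            end
            # Send Router Advertisements; M and O flags keep DHCPv6
            # in play for addresses and DNS, as in the original setup.
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-other-flag enable
            # Only the ULA prefix is advertised with the A (autonomous)
            # flag, so SLAAC hands out ULA addresses, not public ones.
            config ip6-prefix-list
                edit fd5b:2e1a:9c70:1::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                next
            end
        end
    next
end
```

To verify the change rather than trust it, capture ICMPv6 on the IoT interface from the FortiGate's built-in sniffer (diagnose sniffer packet iot 'icmp6' 4) or run rdisc6 from a Linux host on that VLAN: each Router Advertisement (ICMPv6 type 134) should carry exactly one prefix information option, the ULA, with the autonomous flag set, and a client on the VLAN should then show a link-local address, a ULA from SLAAC and whatever DHCPv6 hands out, but no address from the public /64.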