Tested with:
- v1.9.7+hotfix.4, Wave G in Seattle
- v1.10.5, Comcast in the South Bay Area
# Label the three ports. The rest of this configuration treats eth1 as the
# upstream (WAN) port: it carries the firewall rulesets and the DHCPv6-PD
# request, while eth0 and eth2 are the inside networks that receive subnets.
set interfaces ethernet eth0 description LAN
set interfaces ethernet eth1 description WAN
set interfaces ethernet eth2 description WLAN
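Since IPv6 does not require NAT, devices behind the router are directly reachable from the Internet at large unless a firewall prevents it. The two rulesets below both default to drop: WAN_INBOUND covers traffic forwarded to those devices, and WAN_LOCAL covers traffic addressed to the router itself.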
# WAN_INBOUND is bound to eth1 in the "in" direction (last line of this block),
# so it filters IPv6 traffic arriving from upstream and forwarded to hosts
# behind the router. Anything no rule accepts is dropped.
# NOTE(review): dropped packets are not logged as written; add
# "set firewall ipv6-name WAN_INBOUND enable-default-log" if you want them logged.
set firewall ipv6-name WAN_INBOUND default-action drop
# Rule 10: allow return traffic for connections that were opened from the inside.
set firewall ipv6-name WAN_INBOUND rule 10 action accept
set firewall ipv6-name WAN_INBOUND rule 10 description "Accept Established/Related"
set firewall ipv6-name WAN_INBOUND rule 10 protocol all
set firewall ipv6-name WAN_INBOUND rule 10 state established enable
set firewall ipv6-name WAN_INBOUND rule 10 state related enable
# Rule 20: accepts every ICMPv6 message regardless of type or connection state,
# so inside hosts answer unsolicited pings from the Internet.
# NOTE(review): error messages such as Packet Too Big must get through for IPv6
# to work, but consider limiting this rule to the types RFC 4890 recommends
# forwarding, and placing a drop rule for invalid-state packets ahead of it.
set firewall ipv6-name WAN_INBOUND rule 20 action accept
set firewall ipv6-name WAN_INBOUND rule 20 description "Accept ICMP"
set firewall ipv6-name WAN_INBOUND rule 20 protocol icmpv6
# Attach the ruleset to the WAN port. Until this line is committed the ruleset
# exists but filters nothing.
set interfaces ethernet eth1 firewall in ipv6-name WAN_INBOUND
# WAN_LOCAL is bound to eth1 in the "local" direction (last line of this block),
# so it filters IPv6 traffic addressed to the router itself. Anything no rule
# accepts is dropped, which keeps the router's own services closed to the WAN.
set firewall ipv6-name WAN_LOCAL default-action drop
# Rule 10: allow replies to connections the router itself initiated.
set firewall ipv6-name WAN_LOCAL rule 10 action accept
set firewall ipv6-name WAN_LOCAL rule 10 description "Accept Established/Related"
set firewall ipv6-name WAN_LOCAL rule 10 protocol all
set firewall ipv6-name WAN_LOCAL rule 10 state established enable
set firewall ipv6-name WAN_LOCAL rule 10 state related enable
# Rule 20: accepts every ICMPv6 message sent to the router. Neighbour discovery
# and router advertisements travel over ICMPv6, so the WAN side cannot work with
# ICMPv6 blocked outright.
# NOTE(review): the rule is not limited by type, so the router also answers
# echo requests from the Internet; narrow it if that is not wanted.
set firewall ipv6-name WAN_LOCAL rule 20 action accept
set firewall ipv6-name WAN_LOCAL rule 20 description "Accept ICMP"
set firewall ipv6-name WAN_LOCAL rule 20 protocol icmpv6
# Rule 30: DHCPv6 replies (server port 547 -> client port 546). The router is the
# DHCPv6 client here; without this rule the prefix delegation reply is dropped.
# NOTE(review): the rule matches on ports only. DHCPv6 replies normally come
# from a link-local address, so the source could presumably be narrowed to
# fe80::/10 -- confirm against what your ISP actually sends.
set firewall ipv6-name WAN_LOCAL rule 30 action accept
set firewall ipv6-name WAN_LOCAL rule 30 description "Accept DHCP"
set firewall ipv6-name WAN_LOCAL rule 30 protocol udp
set firewall ipv6-name WAN_LOCAL rule 30 destination port 546
set firewall ipv6-name WAN_LOCAL rule 30 source port 547
# Attach the ruleset to the WAN port for traffic destined to the router.
set interfaces ethernet eth1 firewall local ipv6-name WAN_LOCAL
/* Resulting firewall subtree. Both rulesets drop by default and only take
   effect once they are referenced from an interface. */
firewall {
    /* Traffic forwarded from the WAN to hosts behind the router. */
    ipv6-name WAN_INBOUND {
        default-action drop
        /* Return traffic for connections opened from the inside. */
        rule 10 {
            action accept
            description "Accept Established/Related"
            protocol all
            state {
                established enable
                related enable
            }
        }
        /* Every ICMPv6 type is accepted, so inside hosts answer unsolicited
           pings. NOTE(review): consider limiting to the types RFC 4890
           recommends forwarding. */
        rule 20 {
            action accept
            description "Accept ICMP"
            protocol icmpv6
        }
    }
    /* Traffic addressed to the router itself. */
    ipv6-name WAN_LOCAL {
        default-action drop
        /* Replies to connections the router initiated. */
        rule 10 {
            action accept
            description "Accept Established/Related"
            protocol all
            state {
                established enable
                related enable
            }
        }
        /* ICMPv6 to the router: carries neighbour discovery and router
           advertisements; not limited by type here. */
        rule 20 {
            action accept
            description "Accept ICMP"
            protocol icmpv6
        }
        /* DHCPv6 replies, server port 547 to client port 546. Matched on
           ports only; no source address restriction. */
        rule 30 {
            action accept
            description "Accept DHCP"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
}
The WAN interface can get an IPv6 address via SLAAC (`ipv6 address autoconf`). This is not required, though. What matters is that hosts on the LAN(s) are able to get IPv6 addresses via SLAAC. To achieve that, Wave G delegates /60 prefixes via DHCP-PD, which is great because it allows you to deploy up to 16 different IPv6 subnets. The following configuration takes advantage of this by delegating a unique subnet to each of the LANs:
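# Request a delegated prefix on the WAN port (eth1) and hand one subnet of it to
# each inside interface. Hosts on those subnets get globally routable addresses,
# so the firewall rulesets bound to eth1 are what keep them from being reachable
# from outside.
# prefix-only: request only a prefix, not a DHCPv6 address for eth1 itself.
set interfaces ethernet eth1 dhcpv6-pd prefix-only
# Ask the ISP for a /60, which leaves room for 16 /64 subnets.
set interfaces ethernet eth1 dhcpv6-pd pd 0 prefix-length 60
# eth0 (LAN): subnet id 1, router address ::1 in that subnet, hosts autoconfigure
# via SLAAC. prefix-id and host-address sit directly under "interface eth0";
# only the address-assignment mode (slaac) belongs under "service".
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth0 prefix-id :1
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth0 host-address ::1
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth0 service slaac
# eth2 (WLAN): same layout with subnet id 2.
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth2 prefix-id :2
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth2 host-address ::1
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth2 service slaac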
/* Resulting interfaces subtree. Only eth1 carries firewall rulesets; no ruleset
   in this listing separates eth0 (LAN) from eth2 (WLAN). */
interfaces {
    ethernet eth0 {
        description LAN
    }
    ethernet eth1 {
        description WAN
        /* Prefix delegation: a /60 is requested on eth1 and split into one
           subnet per inside interface, each announced to hosts via SLAAC. */
        dhcpv6-pd {
            pd 0 {
                interface eth0 {
                    host-address ::1
                    prefix-id :1
                    service slaac
                }
                interface eth2 {
                    host-address ::1
                    prefix-id :2
                    service slaac
                }
                prefix-length 60
            }
            prefix-only
        }
        /* "in" filters traffic forwarded to inside hosts, "local" filters
           traffic addressed to the router. Without these bindings the IPv6
           rulesets filter nothing. */
        firewall {
            in {
                ipv6-name WAN_INBOUND
            }
            local {
                ipv6-name WAN_LOCAL
            }
        }
    }
    ethernet eth2 {
        description WLAN
    }
}
Did you see this regress recently on Wave G, too? Any guidance?