@dmtucker
Last active August 9, 2024 09:13
Configuring IPv6 on EdgeRouter Lite

Tested with:

  • v1.9.7+hotfix.4, Wave G in Seattle
  • v1.10.5, Comcast in the South Bay Area

set interfaces ethernet eth0 description LAN
set interfaces ethernet eth1 description WAN
set interfaces ethernet eth2 description WLAN

Firewall

Since IPv6 does not require NAT, connected devices are directly accessible to the Internet at large unless a firewall prevents it.

set firewall ipv6-name WAN_INBOUND default-action drop
set firewall ipv6-name WAN_INBOUND rule 10 action accept
set firewall ipv6-name WAN_INBOUND rule 10 description "Accept Established/Related"
set firewall ipv6-name WAN_INBOUND rule 10 protocol all
set firewall ipv6-name WAN_INBOUND rule 10 state established enable
set firewall ipv6-name WAN_INBOUND rule 10 state related enable
set firewall ipv6-name WAN_INBOUND rule 20 action accept
set firewall ipv6-name WAN_INBOUND rule 20 description "Accept ICMP"
set firewall ipv6-name WAN_INBOUND rule 20 protocol icmpv6
set interfaces ethernet eth1 firewall in ipv6-name WAN_INBOUND

set firewall ipv6-name WAN_LOCAL default-action drop
set firewall ipv6-name WAN_LOCAL rule 10 action accept
set firewall ipv6-name WAN_LOCAL rule 10 description "Accept Established/Related"
set firewall ipv6-name WAN_LOCAL rule 10 protocol all
set firewall ipv6-name WAN_LOCAL rule 10 state established enable
set firewall ipv6-name WAN_LOCAL rule 10 state related enable
set firewall ipv6-name WAN_LOCAL rule 20 action accept
set firewall ipv6-name WAN_LOCAL rule 20 description "Accept ICMP"
set firewall ipv6-name WAN_LOCAL rule 20 protocol icmpv6
set firewall ipv6-name WAN_LOCAL rule 30 action accept
set firewall ipv6-name WAN_LOCAL rule 30 description "Accept DHCP"
set firewall ipv6-name WAN_LOCAL rule 30 protocol udp
set firewall ipv6-name WAN_LOCAL rule 30 destination port 546
set firewall ipv6-name WAN_LOCAL rule 30 source port 547
set interfaces ethernet eth1 firewall local ipv6-name WAN_LOCAL

firewall {
    ipv6-name WAN_INBOUND {
        default-action drop
        rule 10 {
            action accept
            description "Accept Established/Related"
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Accept ICMP"
            protocol icmpv6
        }
    }
    ipv6-name WAN_LOCAL {
        default-action drop
        rule 10 {
            action accept
            description "Accept Established/Related"
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Accept ICMP"
            protocol icmpv6
        }
        rule 30 {
            action accept
            description "Accept DHCP"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
}
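As an added example (not part of the gist), the following Python parses `set firewall ipv6-name` lines in the form used above and checks the two WAN rulesets for the intent of this section: default-action drop, ICMPv6 accepted on both, and the DHCPv6 server-to-client rule (udp 547 to 546) present on WAN_LOCAL, where the router itself is the DHCP-PD client, but absent from WAN_INBOUND, where it would be forwarded to LAN hosts. The ruleset names, rule keys and sample lines are the gist's; the parser and checks are assumptions of this example.

```python
# Added example (not from the gist): SAMPLE is a constructed copy of the gist's WAN
# rulesets without the description and "state related" lines.
SAMPLE = """
set firewall ipv6-name WAN_INBOUND default-action drop
set firewall ipv6-name WAN_INBOUND rule 10 action accept
set firewall ipv6-name WAN_INBOUND rule 10 state established enable
set firewall ipv6-name WAN_INBOUND rule 20 action accept
set firewall ipv6-name WAN_INBOUND rule 20 protocol icmpv6
set firewall ipv6-name WAN_LOCAL default-action drop
set firewall ipv6-name WAN_LOCAL rule 10 action accept
set firewall ipv6-name WAN_LOCAL rule 10 state established enable
set firewall ipv6-name WAN_LOCAL rule 20 action accept
set firewall ipv6-name WAN_LOCAL rule 20 protocol icmpv6
set firewall ipv6-name WAN_LOCAL rule 30 action accept
set firewall ipv6-name WAN_LOCAL rule 30 protocol udp
set firewall ipv6-name WAN_LOCAL rule 30 destination port 546
set firewall ipv6-name WAN_LOCAL rule 30 source port 547
"""

def parse_rulesets(text):
    """Map ruleset name -> {"default": action, "rules": {number: {key: value}}}."""
    rulesets = {n: {"default": None, "rules": {}} for n in ("WAN_INBOUND", "WAN_LOCAL")}
    for words in (line.split() for line in text.splitlines()):
        if words[:3] != ["set", "firewall", "ipv6-name"]:
            continue
        rs = rulesets.setdefault(words[3], {"default": None, "rules": {}})
        if words[4] == "default-action":
            rs["default"] = words[5]
        elif words[4] == "rule":  # e.g. key "destination port" -> value "546"
            rs["rules"].setdefault(int(words[5]), {})[" ".join(words[6:-1])] = words[-1]
    return rulesets

def has_accept(rs, match):
    return any(r.get("action") == "accept" and all(r.get(k) == v for k, v in match.items())
               for r in rs["rules"].values())

def audit(rulesets):
    findings = []
    for name in ("WAN_INBOUND", "WAN_LOCAL"):
        rs = rulesets[name]
        if rs["default"] != "drop":
            findings.append(f"{name}: default-action must be drop")
        if not has_accept(rs, {"protocol": "icmpv6"}):
            findings.append(f"{name}: ICMPv6 not accepted (breaks ND and PMTUD)")
    # DHCPv6 replies (udp 547 -> 546) are for the router itself (local); never forward them (in).
    if not has_accept(rulesets["WAN_LOCAL"], {"protocol": "udp", "destination port": "546"}):
        findings.append("WAN_LOCAL: DHCPv6 replies dropped, so DHCP-PD cannot complete")
    if has_accept(rulesets["WAN_INBOUND"], {"protocol": "udp", "destination port": "546"}):
        findings.append("WAN_INBOUND: DHCPv6 forwarded to LAN; hosts may learn stray prefixes")
    return findings
```

Running `audit(parse_rulesets(SAMPLE))` on the gist's policy returns an empty list; feeding it the output of `show configuration commands | grep ipv6-name` from a router gives the same check against a live configuration.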

DHCP-PD

The WAN interface can get an IPv6 address via SLAAC (ipv6 address autoconf), but this is not required. What matters is that hosts on the LAN(s) are able to get IPv6 addresses via SLAAC. To achieve that, Wave G delegates /60 prefixes via DHCP-PD, which is great because it allows you to deploy up to 16 different IPv6 subnets. The following configuration takes advantage of this by delegating a unique subnet to each of the LANs:

set interfaces ethernet eth1 dhcpv6-pd prefix-only
set interfaces ethernet eth1 dhcpv6-pd pd 0 prefix-length 60
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth0 service prefix-id :1
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth0 service host-address ::1
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth0 service slaac
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth2 service prefix-id :2
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth2 service host-address ::1
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth2 service slaac

interfaces {
    ethernet eth0 {
        description LAN
    }
    ethernet eth1 {
        description WAN
        dhcpv6-pd {
            pd 0 {
                interface eth0 {
                    host-address ::1
                    prefix-id :1
                    service slaac
                }
                interface eth2 {
                    host-address ::1
                    prefix-id :2
                    service slaac
                }
                prefix-length 60
            }
            prefix-only
        }
        firewall {
            in {
                ipv6-name WAN_INBOUND
            }
            local {
                ipv6-name WAN_LOCAL
            }
        }
    }
    ethernet eth2 {
        description WLAN
    }
}
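As an added example (not from the gist), this Python works out which /64 each LAN receives from a delegated /60 under the configuration above, and the address the router takes on it. It assumes that prefix-id selects the /64 by its hex index within the delegated block and that host-address supplies the router's interface identifier; the delegated prefix 2001:db8:abcd:1230::/60 is a constructed documentation-range value, while the interface names, prefix-ids and host-address are the gist's.

```python
# Added example (not from the gist). Assumes prefix-id is the hex index of the /64
# inside the delegated block and host-address is the router's interface identifier.
import ipaddress

DELEGATED = ipaddress.IPv6Network("2001:db8:abcd:1230::/60")  # constructed sample delegation
LANS = {"eth0": ":1", "eth2": ":2"}  # interface -> prefix-id, as in the gist
HOST_ADDRESS = "::1"                 # host-address, as in the gist

def subnet_count(delegated, length=64):
    """How many /64s a delegation yields: 2^(64 - delegated prefix length)."""
    return 2 ** (length - delegated.prefixlen)

def lan_prefix(delegated, prefix_id, length=64):
    """Carve the /64 selected by prefix-id (e.g. ':1') out of the delegated block."""
    index = int(prefix_id.lstrip(":"), 16)
    if not 0 <= index < subnet_count(delegated, length):
        raise ValueError(f"prefix-id {prefix_id} does not fit in a /{delegated.prefixlen}")
    base = int(delegated.network_address) + (index << (128 - length))
    return ipaddress.IPv6Network((base, length))

def router_address(prefix, host_address):
    """Combine the LAN /64 with the host-address suffix, giving the gateway's address."""
    suffix = int(ipaddress.IPv6Address(host_address))
    return ipaddress.IPv6Interface((int(prefix.network_address) | suffix, prefix.prefixlen))

def plan(delegated=DELEGATED, lans=LANS, host_address=HOST_ADDRESS):
    """Map each LAN interface to the address the router will advertise from."""
    return {ifname: router_address(lan_prefix(delegated, pid), host_address)
            for ifname, pid in lans.items()}

if __name__ == "__main__":
    print(f"{DELEGATED} yields {subnet_count(DELEGATED)} /64 subnets")
    for ifname, addr in plan().items():
        print(f"{ifname}: {addr.network} (router {addr})")
```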
@modest

modest commented Mar 29, 2017

Did you see this regress recently on Wave G, too? Any guidance?

@jeffwilcox

Also interested... moved a while back from an Edge Router X to a USG Pro, haven't gotten my static IPv6 block with Wave G working in ages...

@dmtucker
Author

dmtucker commented Sep 30, 2017

Did you see this regress recently on Wave G, too? Any guidance?

@modest I had been having issues for a while, but I was able to fix my deployment by doing 2 things:

  • Disable ipv6 address autoconf on LAN interfaces.
  • Block DHCP from the WAN to the LAN.
    • When DHCP is allowed from the WAN to the LAN, hosts are able to see prefixes meant for the gateway. A symptom of this is having many IPv6 addresses from multiple subnets on a single interface within the LAN. For example, I was seeing 13 addresses (a link-local, 6 temporary, and 6 mngtmpaddr)! Addresses on those extra subnets are not routable (because the gateway is not aware of them). After fixing this, I only see 3 (a link-local, a temporary, and a mngtmpaddr).

@dmtucker
Author

dmtucker commented Nov 9, 2017

https://www.reddit.com/r/Ubiquiti/comments/466de2/ipv6_on_erl/d02xphw/

Setting "router-advert" and "prefix ::/64" tells EdgeOS that you want to use a manually configured router advertisement. Setting "service slaac" in the PD config tells the router you want it to take care of that for you. One tends to mess up the other when they are both set.

This provides some background: https://medium.com/@nurblieh/ipv6-on-the-edgerouter-lite-c95e3cc8d49d#0ee7

@bcomnes

bcomnes commented May 26, 2018

Looks like maybe set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth0 service prefix-id :1 has changed to set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth0 prefix-id :1, etc.

@bcomnes

bcomnes commented May 26, 2018

Thanks this worked! Curious how you got this to work:

Block DHCP from the WAN to the LAN.

@dmtucker
Author

@bcomnes, IIRC, I previously included the "Accept DHCP" rule on WAN_INBOUND. So, I just had to remove that.
