Attempting IP6 with auひかり using EdgeRouter

details.md

au HIKARI is DUID-LL and should be represented as "00:03:00:01:xx:xx:xx:xx:xx:xx"

So using MAC address aa:bb:cc:dd:ee:ff

My WAN is eth1

configure
set interfaces ethernet eth1 dhcpv6-pd duid "00:03:00:01:aa:bb:cc:dd:ee:ff"
commit
save
exit

But it isn't enough. Using tcpdump I see from the aterm-bl1000hw

09:15:53.430486 IP6 (flowlabel 0x92029, hlim 1, next-header UDP (17)
 payload length: 101) fe80::6ee4:daff:fe43:4831.546 > ff02::1:2.547:
  [udp sum ok] dhcp6 solicit
  (xid=ddacb3 (elapsed-time 65535)
  (option-request SIP-servers-domain SIP-servers-address
  DNS-server DNS-search-list SNTP-servers NTP-server AFTR-Name
  opt_67 opt_82 opt_83 opt_94 opt_95 opt_96)
  (client-ID hwaddr type 1 aabbccddeeff)
  (reconfigure-accept) (Client-FQDN) (IA_PD IAID:1 T1:0 T2:0))

As seen sent by EdgeRouter:

09:14:18.032015 IP6 (hlim 1, next-header UDP (17)
 payload length: 105) fe80::6ee4:daff:fe43:4831.546 > ff02::1:2.547:
   [udp sum ok] dhcp6 solicit
   (xid=1a1e2b
   (client-ID hwaddr type 1 aabbccddeeff)
   (IA_NA IAID:0 T1:0 T2:0) (rapid-commit)
   (elapsed-time 310)
   (option-request DNS-server DNS-search-list)
   (IA_PD IAID:0 T1:0 T2:0
   (IA_PD-prefix ::/48 pltime:4294967295 vltime:4294967295)))

Looking at differences, what stands out are:

IAID: 1 -> 0
IA_PD-prefix: none -> /48
No rapid-commit
option-request: opt_67 opt_82 opt_83 opt_94 opt_95 opt_96

Need to try to get closer to the aterm solicit.

I have no set any firewall rules, nor any internal ip6 work.

Hoping I will see a ip6 added to the nics.

Hmm if I set

set interfaces ethernet eth1 dhcpv6-pd prefix-only

I got a reply with /48, so I changed to

set interfaces ethernet eth1 dhcpv6-pd pd 0 prefix-length 48

and received

13:18:06.220197 IP6 (class 0xe0, hlim 30, next-header UDP (17) 
 payload length: 125) fe80::40ff:1011.547 > fe80::6ee4:daff:fe43:4831.546: 
  [udp sum ok] dhcp6 reply (xid=710b7f 
  (client-ID hwaddr type 1 aabbccddeeff) 
  (server-ID hwaddr/time type 1 time 342848843 sseeccrreett) 
  (IA_PD IAID:0 T1:76001 T2:121602 
  (IA_PD-prefix 240f:108:????::/48 pltime:152002 vltime:152002)) 
  (DNS-server 2001:268:fd07:4::1 2001:268:fd08:4::1))

Which I thought would be a successful reply. I'm not seeing it on my eth1 tho. Curious

yes

OK, more success:

From ubnt it does seem i need to add firewall rules, if its empty, it appears to drop.

set firewall ipv6-name WANv6_IN rule 30 action accept
set firewall ipv6-name WANv6_IN rule 30 description 'Allow IPv6 icmp'
set firewall ipv6-name WANv6_IN rule 30 log disable
set firewall ipv6-name WANv6_IN rule 30 protocol icmpv6

Then I attached one of my LAN eth3 to the WAN eth1, so that there is a pass-through effect:

set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth3 no-dns

Now I get:

eth3:
inet6 addr: 240f:108:6a25:0:feec:????:????:????/64 Scope:Global

which I can ping from http://www.ipv6now.com.au/pingme.php so that's a good start. No idea why it's on eth3.

Now I need to figure out how to dole it out on internal.

Added the following commands to my eth3 LAN

configure
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth3 host-address '::1'
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth3 prefix-id ':1'
set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth3 service slaac
commit
save
exit

Now on my mac on wifi:

inet6 240f:108:6a26:1:????:????:????:???? prefixlen 64 autoconf secured

and testing https://test-ipv6.com/

Your IPv4 address on the public Internet appears to be xx.xx.xx.xx
--
Your IPv6 address on the public Internet appears to be 240f:108:6a26:1:????:????:????:????

Your Internet Service Provider (ISP) appears to be KDDI KDDI CORPORATION

Since you have IPv6, we are including a tab that shows how well you can reach other IPv6 sites.

Your DNS server (possibly run by your ISP) appears to have IPv6 Internet access.

10/10

Oh yeah, this leaves ipv6 completely open on the Internet. You want to add the rest of the rules from

https://community.ui.com/questions/Can-someone-let-us-know-the-added-default-IPv6-firewall-rule-mentioned-in-the-new-Edge-OS-2-01/9683f591-6cd2-4677-83c9-e90d2b7c3fbe#answer/c9ff4c71-e5a5-48cd-a013-4bcf1054cfda