jaysoffian/eap_proxy

Native IPv6 with DHCPv6-PD

cpugeniusmv opened this issue · 53 comments

I was playing around earlier trying to see if I could get DHCPv6-PD to work with the native IPv6 in my area and haven't had success yet, but wanted to share my progress.

The first problem I encountered was related to the fact that the ONT uses VLAN 0, which EdgeMax doesn't like in some areas (e.g. https://community.ubnt.com/t5/EdgeMAX/Virtual-Interface-0-with-DHCP/m-p/1709119). DHCP for IPv4 seems to work with it using what you have here, but the dhcp6c config wasn't being generated for me until I modified the perl module referenced in that article.

After that, I was sending DHCPv6 solicitations, but getting no response. I'm going to see if I can find the DUID that the ATT gateway is using and see if copying that into my router makes a difference.

Yeah, I figured this out earlier today. :-) Thanks for that link. Once I realized EdgeOS wasn't willing to configure dhcp6c on a VLAN, I just ran it manually like so:

sudo dhcp6c -D -f -i eth0.0

That causes dhcp6c to print verbose debugging messages (-D), stay in the foreground (-f) and send only informational requests (-i). That's an easy way to send out requests on VLAN 0 and see if you're getting any response. At least in the Raleigh area, AT&T is still using 6rd and I get no reply.

I just realized you can do this which may work (untested):

set interfaces ethernet eth0 vif 0 address dhcpv6

edit: that starts /sbin/dhclient -6 -nw -cf /var/run/dhclient_v6_eth0.0.conf -pf /var/run/dhclient_v6_eth0.0.pid -lf /var/run/dhclient_v6_eth0.0.leases eth0.0

which is probably not what's wanted.

I think that will fail if you also have dhcpv6-pd configured on that interface because it automatically does ia-na in that case.

Actually, I take it back. That got a reply and I now have an IPv6 address on eth0.0:

eth0.0       75.60.xx.xx/22                    u/u  WAN VLAN 0
             2001:506:xxxx:xxx::1/64

I'm not sure I care about dhcpv6-pd. I may just manually configure dnsmasq to handle the RAs on my LAN. However, I've only got a /64 on eth0.0. Okay, more experimenting to do. I'll report back here.

The IPv6 address in the DHCPv6 reply is bogus. Or at least, AT&T isn't advertising a route to it AFAICT. Drat. I probably won't play with this anymore for a while. I'll plug my RG in directly to the ONT once a month or so and once it gets a native IPv6 I'll try again.

I'm likely going to have to get a capture between the ONT and the RG to get the DUID, that capture might tell me some other useful things as well. Will update after I've tried that.

Has anyone been able to get native IPv6 going when bypassing with the eap proxy?

In the original thread on dslreports someone posted that it requires spoofing the DUID-EN to match the RGs:

https://www.dslreports.com/forum/r29903721-AT-T-Residential-Gateway-Bypass-True-bridge-mode~start=810

I've had my RG in DMZPlus mode the last couple months because I was traveling and didn't want there to be any trouble with my connection while I was away. In the interim, AT&T has upgraded its firmware and moved it from 6rd to native IPv6. I'll be setting things back up with the proxy and once I have native IPv6 working I'll document the setup in the README here.

I spent about 7-10 days now trying to get native IPv6 working, here's what I found/did:

  • After a few days of trying to get an IPv6 with the wrong DUID and different options, I seem to have broken my config with AT&T to the point where even the Pace 5268AC in the original setup wouldn't get an IPv6 anymore
  • I changed the edgerouter's DUID later by changing /var/lib/dhcp6c_duid to match the dhcpv6 packets I sniffed from my Pace 5268AC
  • Manually started dhcp6c as EdgeOS wouldn't do that for me as it seems to not automatically start that for VLANs
  • I'm getting ICMPv6 neighbor advertisement on eth0.0 which seems to be the next router that I've set as route6 next-hop (fe80::ea4:2ff:fe89:3801 fe80::de7f:xxxx:xxxx:xxxx ICMPv6 Neighbor Advertisement fe80::ea4:2ff:fe89:3801 (rtr, sol, ovr) is at 0c:a4:02:89:39:4b)

My guess would be now that I simply have to wait for a week or two until my IPv6 lease on AT&T's side is up and I'll get a prefix delegated onto eth0.0 through dhcp6c (that I started manually).

Got it working. /var/run/dhcp6c-eth0.0-pd.conf is this:

interface eth0.0 {
	send ia-na 1;	# ask for a WAN address (IA_NA 1)
	send ia-pd 1;	# ask for a delegated prefix (IA_PD 1)
};

id-assoc na 1 {};	# no special handling for the IA_NA address
id-assoc pd 1 {
	prefix ::/60 21600 86400;	# hint: a /60 with 6h preferred / 24h valid lifetimes
	prefix-interface eth1 {
		sla-id 0;	# subnet 0 of the delegated /60 goes on eth1
		sla-len 4;	# 60 + 4 = a /64 on eth1
		ifid 1;		# host part ::1, so eth1 gets <prefix>::1/64
	};
};

There's no way to get EdgeOS to write that correctly, so you have to set it up by hand. I was able to get EdgeOS to write a proper /var/lib/dhcpv6/dhcp6c_duid via this option:

set interfaces ethernet eth0 vif 0 dhcpv6-pd duid '00:02:00:00:0d:e9:30:30:44:30:39:45:2d:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx'

That's the DUID for a Pace 5268AC and the xx are the ASCII values (in hex) of its serial number (prefaced by PEN 00:00:0d:e9 and the Pace OUI of 00D09E- which is represented by 30:30:44:30:39:45:2d). Here's a bit of Python you could use to convert your S/N into the correct representation using 12345A123456 as an example S/N:

>>> ':'.join('%02x' % ord(c) for c in '12345A123456')
'31:32:33:34:35:41:31:32:33:34:35:36'

I sniffed the values via tcpdump, but confirmed they match the serial number from the RG web interface.

Anyway, once I created dhcp6c-eth0.0-pd.conf and confirmed that EdgeOS had written a correct dhcp6c_duid I was able to renew dhcpv6-pd interface eth0.0 and that started dhcp6c correctly and my eth0.0 (WAN) and eth1 (LAN) had correct IPv6 IPs. I have a few other IPv6 related items in my config:

set system offload ipv6 forwarding enable
set system offload ipv6 vlan enable
set service dns forwarding options enable-ra
set service dns forwarding options 'dhcp-range=::1,constructor:eth1,ra-names,86400'

I'm using dnsmasq for my DHCP server, so I have it handling the IPv6 RA as well. I'm sure you could use radvd instead.

I also have an IPv6 firewall, but I won't document that here.

It's too bad EdgeOS can't configure dhcp6c correctly. When I have time, I'll add some scripts to this repo to help with the IPv6 setup.

Funny, I got it working yesterday morning too. I had to wait almost two weeks for AT&T to expire my dhcp lease and I was suddenly getting an IPv6.

I did basically the same thing as you did, although I just generated the DUID myself through pfSense and edited the DUID on my EdgeRouter to match. Verified the same thing through tcpdump.
Setting the DUID on the EdgeRouter as you suggested didn't work for me, as the generated DUID was always marked as corrupt: the first half byte was off (1900 instead of 0019).
pfSense did that right.

Anyways, what I'm wondering is if you did any modification to any perl scripts to get your dhcp6c to come up so that renew would work?

I always get "DHCPv6 client is not configured on interface eth0.0." as soon as it concerns a virtual interface.

I also had to set the next-hop/static IPv6 route to actually make IPv6 work

For reference, I created a script that you put in /config/scripts/post-config.d/ and chmod +x here. It fixes the weird endian error for dhcp6c_duid and automates everything else.

https://gist.github.com/jrgutier/283cf1469273b0b3ddcfb781e97be895

I used the script and it generated a code that starts like this:

È00D09E

Should I go in and delete the È or is that what everyone else gets?

The script didn't work for me as the calculation was totally screwed. Imho, your best bet is to use the calculator pfsense has integrated and pulling the config from there yourself.

Yea I’m using 4.4.26 and 5.9.16

I just need help setting my DUID because right now it’s locked to my att router.

Script above doesn’t work right. Hoping for some help from someone with pfsense to generate the proper duid for me.

I just upgraded to a EdgeRouter-4 (I lost my ERL-3 to lightning recently) and was able to get native IPv6 working with:

set interfaces ethernet eth3 vif 0 dhcpv6-pd duid '00:02:00:00:0d:e9:30:30:44:30:39:45:2d:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx'
set interfaces ethernet eth3 vif 0 dhcpv6-pd pd 1 interface eth1 host-address '::1'
set interfaces ethernet eth3 vif 0 dhcpv6-pd pd 1 interface eth1 no-dns
set interfaces ethernet eth3 vif 0 dhcpv6-pd pd 1 interface eth1 prefix-id ':1'
set interfaces ethernet eth3 vif 0 dhcpv6-pd pd 1 prefix-length 60
set interfaces ethernet eth3 vif 0 dhcpv6-pd prefix-only
set interfaces ethernet eth3 vif 0 dhcpv6-pd rapid-commit disable

I'm not sure the custom DUID is necessary. I think if you're willing to wait 2 weeks for any existing IPv6 lease to time out it will acquire a new lease correctly w/o a custom DUID. That said... I was using the RG while my ERL-3 was dead, so it's possible once the existing lease times out that this won't work correctly, but for now it's working.

The VLAN 0 bug referenced at the start of this conversation is fixed in EdgeOS v1.10.5.

I'm not sure IPv6 is worth the trouble on AT&T at this time. I notice when I request an IPv6 address via NA (I did have to manually edit /opt/vyatta/sbin/dhcpv6-pd-client.pl and set the na to 1 instead of 0 for that to work), I get the same IPv6 address on my router as the RG gets, but that address is not globally routable, so I can't reach any IPv6 sites from the router itself with an NA assigned WAN IPv6 address. For reference, I'm getting this IP assigned to the WAN interface via NA: 2001:506:73d4:67a::1.

When I disable NA (by setting the prefix-only option), I can reach the outside world as the router uses its LAN IPv6 address (assigned via PD). I don't mind sharing that IPv6: 2600:1700:3d40:6300::1/64.

However, IPv6 connections are flaky. I'm seeing the symptoms described here:

https://forums.att.com/t5/AT-T-Internet-Equipment/Partial-IPv6-access/td-p/5384167

So I'm probably just going to disable IPv6 till AT&T gets its act together. :-(

@janthony6 the reason you're having trouble with the DUID (I think...) is that the ER-X is little-endian (mipsel) while the ER-Lite and ER4 are big-endian. The script from @jrgutier assumes little-endian so it only works correctly on an ER-X.

Meanwhile, the EdgeOS script (/opt/vyatta/sbin/dhcpv6-pd-duid.pl) which writes /var/lib/dhcpv6/dhcp6c_duid assumes big-endian when setting the DUID. Oddly, it accounts for endianness correctly when reading the DUID (show dhcpv6-pd duid).

https://community.ubnt.com/t5/EdgeRouter/dhcpv6-pd-duid-pl-endian-bug-affects-ER-X-only-I-think/td-p/2435350
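The serial-number conversion in the Pace 5268AC comment earlier in this thread and the endianness discussion here both come down to the same byte layout, so here is one self-contained Python helper that builds a DUID-EN from an OUI and serial number, decodes one captured from the wire (flagging a byte-swapped type field), and encodes/decodes the dhcp6c_duid file with its length prefix in the host's byte order. This is an added example written for this page, not code from eap_proxy, EdgeOS or any commenter. The model-to-OUI table contains only the two prefixes posted in this thread, the serial number is the placeholder from the thread, the enterprise number 0x0de9 (3561) is simply what the captured DUIDs show, and the dhcp6c_duid file layout (a 16-bit length in host byte order followed by the raw DUID, as wide-dhcpv6 reads it with fread()) is my understanding rather than something the thread states.

```python
"""Build, parse and sanity-check the DUID-EN that AT&T's gateways present.

Added example for this thread; not part of eap_proxy or EdgeOS.
Wire layout of a DUID-EN (RFC 8415 section 11.3), all fields big-endian:
    2 bytes  DUID type        (2 = DUID-EN)
    4 bytes  IANA enterprise number
    n bytes  identifier assigned by that enterprise
The DUIDs captured in this thread use enterprise number 0x0de9 and an ASCII
identifier of the form "<OUI>-<serial>". The dhcp6c_duid file layout used
below (16-bit length in host byte order, then the DUID) is an assumption
about wide-dhcpv6, not something the thread states.
"""
import struct
import sys

DUID_TYPE_EN = 2
ATT_RG_PEN = 0x0DE9

# OUI prefixes reported in this thread. The serial number is yours to supply.
RG_OUI = {
    "pace-5268ac": "00D09E",
    "bgw210-700": "001E46",
}


def build_duid_en(oui: str, serial: str, pen: int = ATT_RG_PEN) -> bytes:
    """Raw DUID-EN bytes for an "<OUI>-<serial>" identifier."""
    serial = serial.strip().upper()
    if not serial.isalnum():
        raise ValueError("serial number must be alphanumeric")
    identifier = "%s-%s" % (oui.upper(), serial)
    return struct.pack(">HI", DUID_TYPE_EN, pen) + identifier.encode("ascii")


def to_colon_hex(raw: bytes) -> str:
    """The form EdgeOS's `dhcpv6-pd duid` option expects."""
    return ":".join("%02x" % b for b in raw)


def from_colon_hex(text: str) -> bytes:
    return bytes(int(octet, 16) for octet in text.strip().split(":"))


def parse_duid_en(raw: bytes):
    """Return (enterprise_number, identifier) or raise if raw is not a DUID-EN."""
    if len(raw) < 7:
        raise ValueError("DUID too short to be a DUID-EN")
    duid_type, pen = struct.unpack(">HI", raw[:6])
    if duid_type == 0x0200:
        # "02 00" instead of "00 02": the type was written in little-endian
        # order, the kind of byte swap this thread ran into on the ER-X.
        raise ValueError("DUID type field is byte-swapped; regenerate it big-endian")
    if duid_type != DUID_TYPE_EN:
        raise ValueError("DUID type %d is not DUID-EN" % duid_type)
    return pen, raw[6:]


def rg_duid(model: str, serial: str) -> str:
    """Colon-hex DUID for one of the gateway models named in this thread."""
    return to_colon_hex(build_duid_en(RG_OUI[model], serial))


def encode_dhcp6c_duid_file(raw: bytes, byteorder: str = sys.byteorder) -> bytes:
    """Bytes for /var/lib/dhcpv6/dhcp6c_duid: host-order length, then the DUID."""
    return len(raw).to_bytes(2, byteorder) + raw


def decode_dhcp6c_duid_file(data: bytes, byteorder: str = sys.byteorder) -> bytes:
    """Read a dhcp6c_duid blob, telling a wrong-endian length apart from a corrupt file."""
    if len(data) < 3:
        raise ValueError("dhcp6c_duid file too short")
    length = int.from_bytes(data[:2], byteorder)
    if length == len(data) - 2:
        return data[2:]
    other = "little" if byteorder == "big" else "big"
    if int.from_bytes(data[:2], other) == len(data) - 2:
        raise ValueError("length prefix is %s-endian but this host is %s-endian" % (other, byteorder))
    raise ValueError("length prefix %d does not match %d DUID bytes" % (length, len(data) - 2))


if __name__ == "__main__":
    duid = rg_duid("pace-5268ac", "12345A123456")  # placeholder serial from the thread
    print(duid)
    pen, ident = parse_duid_en(from_colon_hex(duid))
    print("PEN %d identifier %s" % (pen, ident.decode()))
    print(encode_dhcp6c_duid_file(from_colon_hex(duid)).hex())
```

On an ER-X (mipsel) the length prefix comes out little-endian and on an ER-Lite/ER-4 big-endian, which is exactly what decode_dhcp6c_duid_file distinguishes: a dhcp6c_duid generated on one architecture and copied to the other is reported as wrong-endian rather than as corrupt, and a DUID whose type bytes read 02 00 is rejected before it ever goes on the wire.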

You guys have done some great work on this! I'm using eap_proxy, and have updated to EdgeOS v1.10.5 as above.

I ran:

set interfaces ethernet eth3 vif 0 dhcpv6-pd duid '00:02:00:00:0d:e9:30:30:44:30:39:45:2d:[redacted]'
set interfaces ethernet eth3 vif 0 dhcpv6-pd pd 1 interface eth1 host-address '::1'
set interfaces ethernet eth3 vif 0 dhcpv6-pd pd 1 interface eth1 no-dns
set interfaces ethernet eth3 vif 0 dhcpv6-pd pd 1 interface eth1 prefix-id ':1'
set interfaces ethernet eth3 vif 0 dhcpv6-pd pd 1 prefix-length 60
set interfaces ethernet eth3 vif 0 dhcpv6-pd prefix-only
set interfaces ethernet eth3 vif 0 dhcpv6-pd rapid-commit disable

(whilst replacing the duid + ethernet interface names with corresponding names from my side)

And strangely enough now get my prefix delegation assigned to my LAN as expected, but my WAN does not get an address. Has anyone else experienced this?

eth0.0       45.29.192.101/22                  u/u  WAN VLAN 0
eth1         192.168.99.1/24                   u/u  AT&T router
eth2         192.168.1.1/24                    u/u  LAN
             2600:1700:7ec0:XXXX::1/64

@sethwonder yes that's what I describe in
#3 (comment)

My apologies. With some more experimentation I have realized that the IPv6 connectivity for my LAN is working just fine; it's just the edgerouter itself that has no IPV6 connectivity on its WAN interface. I'm not too concerned about that given that the rest is working.

For anyone interested, here is the configuration I ended up with:

set interfaces ethernet eth3 vif 0 dhcpv6-pd duid '00:02:00:00:0d:e9:30:30:44:30:39:45:2d:[redacted]'
set interfaces ethernet eth0 vif 0 dhcpv6-pd pd 1 interface eth2 host-address '::1'
set interfaces ethernet eth0 vif 0 dhcpv6-pd pd 1 interface eth2 no-dns
set interfaces ethernet eth0 vif 0 dhcpv6-pd pd 1 interface eth2 prefix-id ':1'
set interfaces ethernet eth0 vif 0 dhcpv6-pd pd 1 interface eth2 service slaac # not sure if this is needed but i didnt seem to get IPv6 to my LAN clients without it
set interfaces ethernet eth0 vif 0 dhcpv6-pd pd 1 prefix-length 60
set interfaces ethernet eth0 vif 0 dhcpv6-pd prefix-only
set interfaces ethernet eth0 vif 0 dhcpv6-pd rapid-commit disable

set system offload ipv6 forwarding enable
set system offload ipv6 vlan enable

Huge props again to @jaysoffian for eap_proxy in the first place. I just got my AT&T fiber yesterday and was really bummed about the crummy router situation!

Can someone help me generate a duid for a BGW210-700? I assume that the OUI is different from that of the PACE routers?

lizan commented

@abulgatz My BGW210-700 was 00:02:00:00:0d:e9:30:30:31:45:34:36:2d: + S/N (15 digit) in ASCII hex. You might capture that with tcpdump after enabling IPv6 on BGW210-700.

Using your prefix here along with my S/N in hex and instructions from https://github.com/aus/pfatt I was able to get IPv6 working. Thanks for the info!

@sethwonder the reason that your EdgeRouter itself has no IPv6 is because of your set interfaces ethernet eth0 vif 0 dhcpv6-pd prefix-only configuration option. Run delete interfaces ethernet eth0 vif 0 dhcpv6-pd prefix-only, commit and save and your EdgeRouter should now have IPv6 connectivity.

@lizan thanks for the info. Can you tell me how you got this information from tcpdump? And I guess my original AT&T duid expired, because IPv6 is working now without explicitly setting a duid. That doesn't mean I don't want to know how to fix/troubleshoot this in the future though, so I'd like to know your tcpdump setup.

@jaysoffian or anyone else in the group, can you explain why you have no-dns and rapid-commit disable set?

Thanks!

lizan commented

@abulgatz, per @jaysoffian:

I'm not sure the custom DUID is necessary. I think if you're willing to wait 2 weeks for any existing IPv6 lease to time out it will acquire a new lease correctly w/o a custom DUID.

So that might be your case, so I think you can just leave it as is. I did tcpdump to capture all traffic from AT&T Router i.e. tcpdump -s 0 -w file.pcap -i eth2.0 (eth2 is the interface to AT&T router) and analyzed the file with Wireshark.
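To go from the capture lizan describes to the duid value without opening Wireshark, the following Python walks DHCPv6 option TLVs and returns the Client Identifier in the colon-hex form EdgeOS wants. It is an added example written for this page, not lizan's code and not part of eap_proxy. It also unwraps an Ethernet frame with an optional 802.1Q tag, since the ONT side of the bypass is tagged VLAN 0, so raw frames from a tcpdump pcap can be fed in directly; IPv6 extension headers are not handled. The sample Solicit at the bottom is constructed inline (the placeholder serial 12345A123456 from earlier in the thread, made-up MAC addresses and transaction id) and is not a real capture.

```python
"""Pull the client DUID out of DHCPv6 traffic captured on the ONT VLAN.

Added example, not part of eap_proxy or this thread. Walks the DHCPv6
option TLVs (RFC 8415 section 21) to find OPTION_CLIENTID and strips the
Ethernet/802.1Q/IPv6/UDP encapsulation a tcpdump capture on eth0.0 has.
"""
import struct

OPTION_CLIENTID = 1
OPTION_ELAPSED_TIME = 8
OPTION_IA_PD = 25
MSG_NAMES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 7: "REPLY"}

ETH_P_8021Q = 0x8100
ETH_P_IPV6 = 0x86DD
IPPROTO_UDP = 17
DHCPV6_PORTS = {546, 547}


def parse_dhcpv6(payload: bytes):
    """Return (msg_type, transaction_id, {option_code: [body, ...]})."""
    if len(payload) < 4:
        raise ValueError("DHCPv6 message shorter than its fixed header")
    msg_type = payload[0]
    xid = int.from_bytes(payload[1:4], "big")
    options = {}
    pos = 4
    while pos < len(payload):
        if pos + 4 > len(payload):
            raise ValueError("truncated option header")
        code, length = struct.unpack(">HH", payload[pos:pos + 4])
        pos += 4
        if pos + length > len(payload):
            raise ValueError("option %d runs past end of message" % code)
        options.setdefault(code, []).append(payload[pos:pos + length])
        pos += length
    return msg_type, xid, options


def client_duid(payload: bytes) -> str:
    """Colon-hex client DUID, the form EdgeOS's `dhcpv6-pd duid` option takes."""
    _, _, options = parse_dhcpv6(payload)
    ids = options.get(OPTION_CLIENTID, [])
    if len(ids) != 1:
        raise ValueError("expected exactly one Client Identifier option, got %d" % len(ids))
    return ":".join("%02x" % b for b in ids[0])


def dhcpv6_payload(frame: bytes) -> bytes:
    """Strip Ethernet (plus an optional 802.1Q tag, as on VLAN 0), IPv6 and UDP."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    ethertype = struct.unpack(">H", frame[12:14])[0]
    offset = 14
    if ethertype == ETH_P_8021Q:
        ethertype = struct.unpack(">H", frame[16:18])[0]
        offset = 18
    if ethertype != ETH_P_IPV6:
        raise ValueError("not IPv6 (ethertype 0x%04x)" % ethertype)
    ip6 = frame[offset:offset + 40]
    if len(ip6) < 40 or ip6[0] >> 4 != 6:
        raise ValueError("malformed IPv6 header")
    payload_len, next_header = struct.unpack(">HB", ip6[4:7])
    if next_header != IPPROTO_UDP:
        raise ValueError("next header %d is not UDP (extension headers unsupported)" % next_header)
    udp = frame[offset + 40:offset + 40 + payload_len]
    sport, dport, ulen = struct.unpack(">HHH", udp[:6])
    if sport not in DHCPV6_PORTS and dport not in DHCPV6_PORTS:
        raise ValueError("UDP %d->%d is not DHCPv6" % (sport, dport))
    return udp[8:ulen]


def dhcpv6_option(code: int, body: bytes) -> bytes:
    return struct.pack(">HH", code, len(body)) + body


# Constructed sample (not a real capture): a Solicit carrying the Pace-style
# DUID-EN from this thread, an Elapsed Time option and an IA_PD request, in
# UDP 546->547 over IPv6 fe80::1 -> ff02::1:2, inside an 802.1Q tag with VID 0.
SAMPLE_DUID = bytes.fromhex("0002" "00000de9") + b"00D09E-12345A123456"
SAMPLE_SOLICIT = (
    bytes([1]) + bytes.fromhex("a1b2c3")
    + dhcpv6_option(OPTION_CLIENTID, SAMPLE_DUID)
    + dhcpv6_option(OPTION_ELAPSED_TIME, b"\x00\x00")
    + dhcpv6_option(OPTION_IA_PD, struct.pack(">III", 1, 0, 0))
)
_udp = struct.pack(">HHHH", 546, 547, 8 + len(SAMPLE_SOLICIT), 0) + SAMPLE_SOLICIT
_ip6 = (
    struct.pack(">IHBB", 6 << 28, len(_udp), IPPROTO_UDP, 1)
    + bytes.fromhex("fe80" + "00" * 13 + "01")
    + bytes.fromhex("ff02" + "00" * 10 + "00010002")
)
SAMPLE_FRAME = (
    bytes.fromhex("333300010002") + bytes.fromhex("020000000001")  # made-up MACs
    + struct.pack(">HH", ETH_P_8021Q, 0) + struct.pack(">H", ETH_P_IPV6)
    + _ip6 + _udp
)

if __name__ == "__main__":
    payload = dhcpv6_payload(SAMPLE_FRAME)
    msg_type, xid, _ = parse_dhcpv6(payload)
    print(MSG_NAMES.get(msg_type, msg_type), "xid=%06x" % xid)
    print(client_duid(payload))
```

Feed the raw bytes of each packet from the pcap (for example bytes(pkt) for each packet returned by scapy's rdpcap()) to dhcpv6_payload() and take client_duid() of a SOLICIT whose source MAC is the gateway's; only the RG's own messages carry the DUID you are copying, and the function refuses a message with zero or several Client Identifier options rather than guessing.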

@abulgatz:

@sethwonder the reason that your EdgeRouter itself has no IPv6 is because of your set interfaces ethernet eth0 vif 0 dhcpv6-pd prefix-only configuration option. Run delete interfaces ethernet eth0 vif 0 dhcpv6-pd prefix-only, commit and save and your EdgeRouter should now have IPv6 connectivity.

I have the exact same issue that IPv6 isn't working on the EdgeRouter itself, yet, I have never had the prefix-only option set.

My eth0 vif 0 config looks like this

 address dhcp
 description "WAN VLAN 0"
 dhcp-options {
     default-route update
     default-route-distance 210
     name-server update
 }
 dhcpv6-pd {
     pd 1 {
         interface switch0 {
             host-address ::1
             prefix-id :1
             service slaac
         }
         prefix-length /60
     }
     rapid-commit enable
 }
 ipv6 {
     address {
         autoconf
     }
     dup-addr-detect-transmits 1
 }
 mac dc:7f:a4:e0:72:a4

So looking at a tcpdump of my eth0.0, the router is requesting prefix delegation and is receiving "dhcp6 advertise" messages back (which if I understand correctly are the first two steps of the handshake for dhcpv6), but then it just... stops for a while, then repeats.

eth0.0 v6-pd config:

dhcpv6-pd {
    duid 00:02:00:00:0d:e9:30:30:44:30:39:45:2d:[S/N in hex]
    pd 1 {
        interface eth1 {
            host-address ::1
            no-dns
            prefix-id :1
            service slaac
        }
    prefix-length 60
    }
    rapid-commit disable
}

Using tcpdump -i eth0.0 ip6 I see a "dhcp6 solicit" followed immediately by a "dhcp6 advertise", followed by silence for a minute or two, then it repeats.

I've got IPv6 working through HE TunnelBroker, so it's not the worst thing in the world if I can't get this working, but it is frustrating. Any ideas? Running on ER4 v1.10.9 if that makes a difference.

@Code-You-Fools I'll be honest, I'm not running IPv6 at the moment. I got it working on AT&T with both their tunnel, and then native, but every so often I'd have random connectivity/latency issues and I was never sure if it was related to IPv6 or not. So I ended up just disabling it.

Other than the info in this thread I don't have any assistance to offer.

@Code-You-Fools sounds like a firewall issue, do you have it enabled? I needed to add the following to mine for native ipv6 to work.

        rule 30 {
            action accept
            description "Allow ICMPv6"
            log disable
            protocol icmpv6
        }
        rule 40 {
            action accept
            description "Allow DHCPv6"
            destination {
                port dhcpv6-client
            }
            protocol tcp_udp
        }

@cerealcable That worked perfectly, thank you!
For anyone who wants to try getting native IPv6 working, the relevant configuration I used was this (I have a PACE 5268AC):

firewall {
    ipv6-name ipv6-wan-in {
        default-action drop
        description "WAN to LAN"
        rule 1 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid"
            state {
                invalid enable
            }
        }
        rule 3 {
            action accept
            description "Allow ICMPv6"
            protocol icmpv6
        }
    }
    ipv6-name ipv6-wan-local {
        default-action drop
        description "WAN to router"
        rule 1 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid"
            state {
                invalid enable
            }
        }
        rule 3 {
            action accept
            description "Allow ICMPv6"
            protocol icmpv6
        }
        rule 4 {
            action accept
            description "Allow DHCPv6"
            destination {
                port dhcpv6-client
            }
            protocol tcp_udp
        }
    }
}
interfaces {
    ethernet eth0 {
        description WAN
        duplex auto
        firewall {
            in {
                ipv6-name ipv6-wan-in
                name wan-in
            }
            local {
                ipv6-name ipv6-wan-local
                name wan-local
            }
        }
        speed auto
        vif 0 {
            description "WAN VLAN 0"
            dhcp-options {
                default-route update
                default-route-distance 210
                name-server update
            }
            dhcpv6-pd {
                duid 00:02:00:00:0d:e9:30:30:44:30:39:45:2d:[S/N converted from ASCII to hex]
                pd 1 {
                    interface eth1 {
                        host-address ::1
                        no-dns
                        prefix-id :1
                        service slaac
                    }
                    prefix-length 60
                }
                rapid-commit disable
            }
            firewall {
                in {
                    ipv6-name ipv6-wan-in
                    name wan-in
                }
                local {
                    ipv6-name ipv6-wan-local
                    name wan-local
                }
            }
        }
    }
    ethernet eth1 {
        address 192.168.1.1/24
        description LAN
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description "AT&T Router"
        duplex auto
        speed auto
    }
}

If you have a BGW210-700, replace the duid prefix with 00:02:00:00:0d:e9:30:30:31:45:34:36:2d:.
Only problem is that the router itself doesn't have IPv6 access for some reason, but the LAN clients do, so it isn't a big deal.

@cerealcable so is there any way to get the router IPv6 access?

I assigned a /64 out of the PD block to my loopback, worked fine for enabling remote IPv6 access, however lots of services aren't able to specify a source interface and that causes some issues, so I'd say it's not completely possible, but you could get something working.

Anyone got IPv6 working and can reproduce it? I've followed every comment through this thread and had no luck.

IPv6 is working correctly for me. My configuration is similar to above. Relevant IPv6 portions:

set firewall ipv6-name WAN6_IN default-action drop
set firewall ipv6-name WAN6_IN description 'WAN to internal'
set firewall ipv6-name WAN6_IN enable-default-log
set firewall ipv6-name WAN6_IN rule 10 action accept
set firewall ipv6-name WAN6_IN rule 10 description 'Allow established/related'
set firewall ipv6-name WAN6_IN rule 10 state established enable
set firewall ipv6-name WAN6_IN rule 10 state related enable
set firewall ipv6-name WAN6_IN rule 20 action drop
set firewall ipv6-name WAN6_IN rule 20 description 'Drop invalid state'
set firewall ipv6-name WAN6_IN rule 20 log enable
set firewall ipv6-name WAN6_IN rule 20 state invalid enable
set firewall ipv6-name WAN6_IN rule 30 action accept
set firewall ipv6-name WAN6_IN rule 30 description 'Allow ICMPv6 destination-unreachable'
set firewall ipv6-name WAN6_IN rule 30 icmpv6 type destination-unreachable
set firewall ipv6-name WAN6_IN rule 30 protocol icmpv6
set firewall ipv6-name WAN6_IN rule 31 action accept
set firewall ipv6-name WAN6_IN rule 31 description 'Allow ICMPv6 packet-too-big'
set firewall ipv6-name WAN6_IN rule 31 icmpv6 type packet-too-big
set firewall ipv6-name WAN6_IN rule 31 protocol icmpv6
set firewall ipv6-name WAN6_IN rule 32 action accept
set firewall ipv6-name WAN6_IN rule 32 description 'Allow ICMPv6 time-exceeded'
set firewall ipv6-name WAN6_IN rule 32 icmpv6 type time-exceeded
set firewall ipv6-name WAN6_IN rule 32 protocol icmpv6
set firewall ipv6-name WAN6_IN rule 33 action accept
set firewall ipv6-name WAN6_IN rule 33 description 'Allow ICMPv6 parameter-problem'
set firewall ipv6-name WAN6_IN rule 33 icmpv6 type parameter-problem
set firewall ipv6-name WAN6_IN rule 33 protocol icmpv6
set firewall ipv6-name WAN6_IN rule 34 action accept
set firewall ipv6-name WAN6_IN rule 34 description 'Allow ICMPv6 echo-request'
set firewall ipv6-name WAN6_IN rule 34 icmpv6 type echo-request
set firewall ipv6-name WAN6_IN rule 34 limit burst 1
set firewall ipv6-name WAN6_IN rule 34 limit rate 600/minute
set firewall ipv6-name WAN6_IN rule 34 protocol icmpv6
set firewall ipv6-name WAN6_IN rule 35 action accept
set firewall ipv6-name WAN6_IN rule 35 description 'Allow ICMPv6 echo-reply'
set firewall ipv6-name WAN6_IN rule 35 icmpv6 type echo-reply
set firewall ipv6-name WAN6_IN rule 35 limit burst 1
set firewall ipv6-name WAN6_IN rule 35 limit rate 600/minute
set firewall ipv6-name WAN6_IN rule 35 protocol icmpv6
set firewall ipv6-name WAN6_LOCAL default-action drop
set firewall ipv6-name WAN6_LOCAL description 'WAN to router'
set firewall ipv6-name WAN6_LOCAL enable-default-log
set firewall ipv6-name WAN6_LOCAL rule 10 action accept
set firewall ipv6-name WAN6_LOCAL rule 10 description 'Allow established/related'
set firewall ipv6-name WAN6_LOCAL rule 10 state established enable
set firewall ipv6-name WAN6_LOCAL rule 10 state related enable
set firewall ipv6-name WAN6_LOCAL rule 20 action drop
set firewall ipv6-name WAN6_LOCAL rule 20 description 'Drop invalid state'
set firewall ipv6-name WAN6_LOCAL rule 20 state invalid enable
set firewall ipv6-name WAN6_LOCAL rule 30 action accept
set firewall ipv6-name WAN6_LOCAL rule 30 description 'Allow ICMPv6 destination-unreachable'
set firewall ipv6-name WAN6_LOCAL rule 30 icmpv6 type destination-unreachable
set firewall ipv6-name WAN6_LOCAL rule 30 protocol icmpv6
set firewall ipv6-name WAN6_LOCAL rule 31 action accept
set firewall ipv6-name WAN6_LOCAL rule 31 description 'Allow ICMPv6 packet-too-big'
set firewall ipv6-name WAN6_LOCAL rule 31 icmpv6 type packet-too-big
set firewall ipv6-name WAN6_LOCAL rule 31 protocol icmpv6
set firewall ipv6-name WAN6_LOCAL rule 32 action accept
set firewall ipv6-name WAN6_LOCAL rule 32 description 'Allow ICMPv6 time-exceeded'
set firewall ipv6-name WAN6_LOCAL rule 32 icmpv6 type time-exceeded
set firewall ipv6-name WAN6_LOCAL rule 32 protocol icmpv6
set firewall ipv6-name WAN6_LOCAL rule 33 action accept
set firewall ipv6-name WAN6_LOCAL rule 33 description 'Allow ICMPv6 parameter-problem'
set firewall ipv6-name WAN6_LOCAL rule 33 icmpv6 type parameter-problem
set firewall ipv6-name WAN6_LOCAL rule 33 protocol icmpv6
set firewall ipv6-name WAN6_LOCAL rule 34 action accept
set firewall ipv6-name WAN6_LOCAL rule 34 description 'Allow ICMPv6 echo-request'
set firewall ipv6-name WAN6_LOCAL rule 34 icmpv6 type echo-request
set firewall ipv6-name WAN6_LOCAL rule 34 limit burst 5
set firewall ipv6-name WAN6_LOCAL rule 34 limit rate 5/second
set firewall ipv6-name WAN6_LOCAL rule 34 protocol icmpv6
set firewall ipv6-name WAN6_LOCAL rule 35 action accept
set firewall ipv6-name WAN6_LOCAL rule 35 description 'Allow ICMPv6 echo-reply'
set firewall ipv6-name WAN6_LOCAL rule 35 icmpv6 type echo-reply
set firewall ipv6-name WAN6_LOCAL rule 35 limit burst 5
set firewall ipv6-name WAN6_LOCAL rule 35 limit rate 5/second
set firewall ipv6-name WAN6_LOCAL rule 35 protocol icmpv6
set firewall ipv6-name WAN6_LOCAL rule 36 action accept
set firewall ipv6-name WAN6_LOCAL rule 36 description 'Allow ICMPv6 Router Advertisement'
set firewall ipv6-name WAN6_LOCAL rule 36 icmpv6 type router-advertisement
set firewall ipv6-name WAN6_LOCAL rule 36 protocol icmpv6
set firewall ipv6-name WAN6_LOCAL rule 37 action accept
set firewall ipv6-name WAN6_LOCAL rule 37 description 'Allow ICMPv6 Neighbor Solicitation'
set firewall ipv6-name WAN6_LOCAL rule 37 icmpv6 type neighbor-solicitation
set firewall ipv6-name WAN6_LOCAL rule 37 protocol icmpv6
set firewall ipv6-name WAN6_LOCAL rule 38 action accept
set firewall ipv6-name WAN6_LOCAL rule 38 description 'Allow ICMPv6 Neighbor Advertisement'
set firewall ipv6-name WAN6_LOCAL rule 38 icmpv6 type neighbor-advertisement
set firewall ipv6-name WAN6_LOCAL rule 38 protocol icmpv6
set firewall ipv6-name WAN6_LOCAL rule 50 action accept
set firewall ipv6-name WAN6_LOCAL rule 50 description 'Allow DHCPv6'
set firewall ipv6-name WAN6_LOCAL rule 50 destination port 546
set firewall ipv6-name WAN6_LOCAL rule 50 protocol udp
set firewall ipv6-name WAN6_LOCAL rule 50 source port 547
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set interfaces ethernet eth3 vif 0 dhcpv6-pd duid 'SEE BELOW'
set interfaces ethernet eth3 vif 0 dhcpv6-pd pd 1 interface eth1 host-address '::1'
set interfaces ethernet eth3 vif 0 dhcpv6-pd pd 1 interface eth1 no-dns
set interfaces ethernet eth3 vif 0 dhcpv6-pd pd 1 interface eth1 prefix-id ':0'
set interfaces ethernet eth3 vif 0 dhcpv6-pd pd 1 prefix-length 60
set interfaces ethernet eth3 vif 0 dhcpv6-pd prefix-only
set interfaces ethernet eth3 vif 0 dhcpv6-pd rapid-commit disable
set interfaces ethernet eth3 vif 0 firewall in ipv6-name WAN6_IN
set interfaces ethernet eth3 vif 0 firewall local ipv6-name WAN6_LOCAL
set interfaces ethernet eth3 vif 0 ipv6 dup-addr-detect-transmits 1
set service dns forwarding options enable-ra
set service dns forwarding options 'dhcp-range=::1,constructor:eth1,ra-names,86400'
set system offload ipv6 forwarding enable
set system offload ipv6 vlan enable

Re: SEE BELOW, see #3 (comment) for how to get the DUID value.

eth1 is LAN, eth3 is the ONT (WAN) port. I'm using dnsmasq for handling RA on the LAN port. The router does not have an IPv6 address on its WAN port, only on its LAN port. This works fine. The dhcpv6 client ends up with this config:

$ cat  /var/run/dhcp6c-eth3.0-pd.conf
# This file was auto-generated by /opt/vyatta/sbin/dhcpv6-pd-client.pl
# configuration sub-system.  Do not edit it.

interface eth3.0 {
	request domain-name-servers, domain-name;
	send ia-pd 1;
	script "/opt/vyatta/sbin/ubnt-dhcp6c-script";
};

id-assoc pd 1 {
	prefix ::/60 infinity;
	prefix-interface eth1 {
		sla-id 0;
		sla-len 4;
		ifid 1;
	};
};

EdgeOS v1.10.10 on an ER-4.

@Farjad The relevant parts of my current config:

firewall {
    ipv6-name ipv6-wan-in {
        default-action drop
        description "WAN to LAN"
        rule 1 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid"
            state {
                invalid enable
            }
        }
        rule 3 {
            action accept
            description "Allow ICMPv6"
            protocol icmpv6
        }
    }
    ipv6-name ipv6-wan-local {
        default-action drop
        description "WAN to router"
        rule 1 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid"
            state {
                invalid enable
            }
        }
        rule 3 {
            action accept
            description "Allow DHCPv6"
            destination {
                port dhcpv6-client
            }
        }
        rule 4 {
            action accept
            description "Allow ICMPv6"
            protocol icmpv6
        }
    }
}
interfaces {
    ethernet [WAN_IF] {
        description WAN
        vif 0 {
            description "WAN VLAN 0"
            dhcpv6-pd {
                duid [YOUR_DUID]
                pd 1 {
                    interface [LAN_IF] {
                        host-address ::1
                        no-dns
                        prefix-id :1
                        service slaac
                    }
                    prefix-length 60
                }
            }
            firewall {
                in {
                    ipv6-name ipv6-wan-in
                }
                local {
                    ipv6-name ipv6-wan-local
                }
            }
        }
    }
}
service {
    nat {
        rule 1 {
            description "Masquerade for WAN"
            outbound-interface [WAN_IF].0
            protocol all
            type masquerade
        }
    }
}

[WAN_IF] and [LAN_IF] should be self-explanatory - just replace them with whatever interface is hooked up to the WAN or LAN respectively.
[YOUR_DUID] is calculated from the serial number on your AT&T router, and the steps are given here.

In ipv6-wan-local, rules 3 and 4 are non-negotiable. In ipv6-wan-in, rule 3 is optional - I didn't run into any problems without it, although YMMV.

Of note is the fact that your router will not have IPv6 access. To test your config you will need a PC behind the EdgeRouter. If you're using any apt repositories, you'll want to run sudo mkdir -p /opt/vyatta/etc/apt/apt.conf.d/ && echo 'Acquire::ForceIPv4 "true";' | sudo tee /opt/vyatta/etc/apt/apt.conf.d/99forceipv4 | sudo tee /etc/apt/apt.conf.d/99forceipv4.

If you like, you could take notes from @jaysoffian's latest config and define rate-limits for ICMPv6 messages based on message types, if you're worried about malicious actors trying to flood you with ICMPv6 requests, but I personally just like completely blocking them using an address list.

Obviously, this is not a complete, plug-and-play configuration. I have no idea what would happen if someone decided to use it as such, but I take no responsibility for the results.
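
The point above that the DHCPv6 and ICMPv6 rules in the local chain are non-negotiable is easy to lose once a ruleset is rebuilt per ICMPv6 type, so here is a small lint, added to this thread and not code from eap_proxy or EdgeOS, that parses the `show configuration` brace format used in these posts and reports what a WAN local chain is missing before its default drop: the DHCPv6 client port (UDP 546, or the EdgeOS port name dhcpv6-client) and the ICMPv6 types RFC 4890 says a router must accept (router advertisement, neighbor solicitation/advertisement, packet-too-big and the error messages). The sample ruleset and every function name are constructed for the example.

```python
"""Lint an EdgeOS IPv6 ruleset used as the WAN `local` chain for DHCPv6-PD.
Added example for this thread, not eap_proxy or EdgeOS code: it parses the
`show configuration` brace format posted above and checks that DHCPv6 and the
ICMPv6 types a router needs (RFC 4890 section 4.4) are accepted before the
default drop. SAMPLE_CONFIG is constructed, with gaps left in on purpose."""
import re

# EdgeOS `icmpv6 type` names the WAN local chain must accept for IPv6 to work.
REQUIRED_ICMPV6 = {
    "router-advertisement", "neighbor-solicitation", "neighbor-advertisement",
    "packet-too-big", "destination-unreachable", "time-exceeded", "parameter-problem",
}
DHCPV6_CLIENT_PORTS = {"546", "dhcpv6-client"}  # server :547 -> client :546


def parse_edgeos(text):
    """Brace config -> nested dicts; leaves are key -> value (True for bare flags)."""
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            node = stack.pop()
        elif line.endswith("{"):
            child = {}
            node[line[:-1].strip()] = child
            stack.append(node)
            node = child
        else:
            key, _, value = line.partition(" ")
            node[key] = value.strip().strip('"') if value else True
    if stack:
        raise ValueError("unbalanced braces in config")
    return root


def audit_wan_local(ruleset):
    """Findings for one `ipv6-name` block applied as `firewall local` on the WAN VLAN."""
    numbered = sorted(((int(k.split()[1]), r) for k, r in ruleset.items()
                       if re.fullmatch(r"rule \d+", k)), key=lambda t: t[0])
    accepted, dhcpv6_ok, blanket, shadowed = set(), False, False, False
    for _, rule in numbered:  # EdgeOS evaluates rules in numeric order, first match wins
        proto = rule.get("protocol")
        icmp_type = rule.get("icmpv6", {}).get("type")
        action = rule.get("action")
        if action == "drop" and proto == "icmpv6" and icmp_type is None and "state" not in rule:
            shadowed = True  # every later ICMPv6 accept is dead code
        if action != "accept":
            continue
        if proto == "icmpv6" and not shadowed:
            if icmp_type is None:
                blanket = True  # accepts every ICMPv6 type, as in the first config above
            else:
                accepted.add(icmp_type)
        if rule.get("destination", {}).get("port") in DHCPV6_CLIENT_PORTS and proto in (None, "udp"):
            dhcpv6_ok = True
    return {
        "default_drop": ruleset.get("default-action") == "drop",
        "dhcpv6_client_allowed": dhcpv6_ok,
        "accepts_all_icmpv6": blanket,
        "missing_icmpv6_types": [] if blanket else sorted(REQUIRED_ICMPV6 - accepted),
    }


# Constructed sample: DHCPv6 and neighbor solicitation are allowed, nothing else.
SAMPLE_CONFIG = """\
ipv6-name WAN6_LOCAL {
    default-action drop
    rule 37 {
        action accept
        icmpv6 {
            type neighbor-solicitation
        }
        protocol icmpv6
    }
    rule 50 {
        action accept
        destination {
            port 546
        }
        protocol udp
        source {
            port 547
        }
    }
}
"""


def audit_text(text, name="WAN6_LOCAL"):
    return audit_wan_local(parse_edgeos(text)["ipv6-name " + name])


if __name__ == "__main__":
    print(audit_text(SAMPLE_CONFIG))
```

Feed it the `ipv6-name` block from `show configuration` (the format posted in this thread). It models only the local chain's accept rules and a blanket ICMPv6 drop placed ahead of them, not the full first-match semantics of the in chain, so a clean report means the required rules exist, not that nothing else is wrong.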

Of note is the fact that your router will not have IPv6 access

I don't find that to be the case:

$ curl ifconfig.io; curl -4 ifconfig.io; show interfaces
2600:1700:3d40:6300::1
75.60.242.5
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description
---------    ----------                        ---  -----------
eth0         -                                 u/u  RG (inside)
eth1         192.168.1.1/24                    u/u  LAN
             2600:1700:3d40:6300::1/64
eth2         -                                 u/u  RG (outside)
eth3         -                                 u/u  ONT
eth3.0       75.60.242.5/22                    u/u  ONT VLAN 0
lo           127.0.0.1/8                       u/u
             ::1/128

@jaysoffian

So this is my config after following your instructions:

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-name WAN6_IN {
        default-action drop
        description "WAN to internal"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            log enable
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow ICMPv6 destination-unreachable"
            icmpv6 {
                type destination-unreachable
            }
            protocol icmpv6
        }
        rule 31 {
            action accept
            description "Allow ICMPv6 packet-too-big"
            icmpv6 {
                type packet-too-big
            }
            protocol icmpv6
        }
        rule 32 {
            action accept
            description "Allow ICMPv6 time-exceeded"
            icmpv6 {
                type time-exceeded
            }
            protocol icmpv6
        }
        rule 33 {
            action accept
            description "Allow ICMPv6 parameter-problem"
            icmpv6 {
                type parameter-problem
            }
            protocol icmpv6
        }
        rule 34 {
            action accept
            description "Allow ICMPv6 echo-request"
            icmpv6 {
                type echo-request
            }
            limit {
                burst 1
                rate 600/minute
            }
            protocol icmpv6
        }
        rule 35 {
            action accept
            description "Allow ICMPv6 echo-reply"
            icmpv6 {
                type echo-reply
            }
            limit {
                burst 1
                rate 600/minute
            }
            protocol icmpv6
        }
    }
    ipv6-name WAN6_LOCAL {
        default-action drop
        description "WAN to router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow ICMPv6 destination-unreachable"
            icmpv6 {
                type destination-unreachable
            }
            protocol icmpv6
        }
        rule 31 {
            action accept
            description "Allow ICMPv6 packet-too-big"
            icmpv6 {
                type packet-too-big
            }
            protocol icmpv6
        }
        rule 32 {
            action accept
            description "Allow ICMPv6 time-exceeded"
            icmpv6 {
                type time-exceeded
            }
            protocol icmpv6
        }
        rule 33 {
            action accept
            description "Allow ICMPv6 parameter-problem"
            icmpv6 {
                type parameter-problem
            }
            protocol icmpv6
        }
        rule 34 {
            action accept
            description "Allow ICMPv6 echo-request"
            icmpv6 {
                type echo-request
            }
            limit {
                burst 5
                rate 5/second
            }
            protocol icmpv6
        }
        rule 35 {
            action accept
            description "Allow ICMPv6 echo-reply"
            icmpv6 {
                type echo-reply
            }
            limit {
                burst 5
                rate 5/second
            }
            protocol icmpv6
        }
        rule 36 {
            action accept
            description "Allow ICMPv6 Router Advertisement"
            icmpv6 {
                type router-advertisement
            }
            protocol icmpv6
        }
        rule 37 {
            action accept
            description "Allow ICMPv6 Neighbor Solicitation"
            icmpv6 {
                type neighbor-solicitation
            }
            protocol icmpv6
        }
        rule 38 {
            action accept
            description "Allow ICMPv6 Neighbor Advertisement"
            icmpv6 {
                type neighbor-advertisement
            }
            protocol icmpv6
        }
        rule 50 {
            action accept
            description "Allow DHCPv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
        vif 0 {
            address dhcp
            description "WAN VLAN 0"
            dhcp-options {
                default-route update
                default-route-distance 210
                name-server update
            }
            dhcpv6-pd {
                duid xxxxx
                pd 1 {
                    interface eth1 {
                        host-address ::1
                        no-dns
                        prefix-id :0
                    }
                    prefix-length 60
                }
                prefix-only
                rapid-commit disable
            }
            firewall {
                in {
                    ipv6-name WAN6_IN
                    name WAN_IN
                }
                local {
                    ipv6-name WAN6_LOCAL
                    name WAN_LOCAL
                }
            }
            ipv6 {
                dup-addr-detect-transmits 1
            }
            mac xxxxxx
        }
    }
    ethernet eth1 {
        address 192.168.1.1/24
        description LAN
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "AT&T router"
        duplex auto
        speed auto
    }
    ethernet eth3 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth2
    lan-interface eth1
    wan-interface eth0.0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.106
                domain-name ubnt.local
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.1.106
                lease 86400
                start 192.168.2.38 {
                    stop 192.168.2.243
                }
            }
        }
        use-dnsmasq enable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
            name-server 192.168.1.106
            options enable-ra
            options dhcp-range=::1,constructor:eth1,ra-names,86400
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0.0
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    name-server 8.8.8.8
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipv4 {
            vlan enable
        }
        ipv6 {
            forwarding enable
            vlan enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}

Still no dice though!

Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description
---------    ----------                        ---  -----------
eth0         -                                 u/u  WAN
eth0.0       xxxxx/22                          u/u  WAN VLAN 0
eth1         192.168.1.1/24                    u/u  LAN
eth2         192.168.2.1/24                    u/u  AT&T router
eth3         -                                 u/D
lo           127.0.0.1/8                       u/u
             ::1/128

And:

$ /opt/vyatta/sbin/dhcpv6-pd-client.pl --ifname=eth0 --renew
DHCPv6 client is not configured on interface eth0.

So I created /var/run/dhcp6c-eth0.0-pd.conf

And it is definitely working now.

Thanks @jaysoffian and @Code-You-Fools

I should note, is there any way to automatically create this? Or is this expected to be created manually?

So I restarted my router a few times and it ends up auto-deleting /var/run/dhcp6c-eth0.0-pd.conf

So I imagine there's some setting to automatically run it..

lizan commented

@Farjad You shouldn't manually create /var/run/dhcp6c-eth0.0-pd.conf, the config should let your device (mine is USG) create it.

My related config from show interfaces ethernet [WAN_IF] vif 0:

 address dhcp
 description WAN
 dhcp-options {
     client-option "retry 60;"
     default-route-distance 1
     name-server no-update
 }
 dhcpv6-pd {
     duid [YOUR DUID]
     no-dns
     pd 0 {
         interface [LAN_IF] {
             prefix-id 2
         }
         prefix-length 60
     }
     prefix-only
     rapid-commit enable
 }
 firewall {
     in {
         ipv6-name WANv6_IN
         name WAN_IN
     }
     local {
         ipv6-name WANv6_LOCAL
         name WAN_LOCAL
     }
     out {
         ipv6-name WANv6_OUT
         name WAN_OUT
     }
 }
 mac [YOUR ATT GATEWAY MAC]

After pushing this config, the following content is created automatically at /var/run/dhcp6c-eth0.0-pd.conf:

# This file was auto-generated by /opt/vyatta/sbin/dhcpv6-pd-client.pl
# configuration sub-system.  Do not edit it.

interface eth0.0 {
        request domain-name-servers, domain-name;
        send rapid-commit;
        send ia-pd 0;
        script "/opt/vyatta/sbin/ubnt-dhcp6c-script";
};

id-assoc pd 0 {
        prefix ::/60 infinity;
        prefix-interface [LAN_IF] {
                sla-id 2;
                sla-len 4;
        };
};
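
Since the auto-generated dhcp6c config above is what actually goes on the wire, here is an added example, not code from eap_proxy, EdgeOS or dhcp6c, that builds the Solicit those lines produce (Client Identifier carrying the DUID, Rapid Commit, one IA_PD with a ::/60 hint), parses the IA_PD back out of a Reply, and splits the delegated /60 into LAN /64s the way `prefix-interface [LAN_IF] { sla-id 2; sla-len 4; }` (EdgeOS `prefix-id`) does. The DUID bytes, transaction id, lifetimes and the delegated prefix 2600:1700:3d40:6300::/60 are constructed placeholders, and all function names are mine.

```python
"""DHCPv6-PD on the wire and the prefix arithmetic behind prefix-id / sla-id.
Added example for this thread, not eap_proxy's, EdgeOS's or dhcp6c's code. It
builds the Solicit that `send ia-pd 0`, `send rapid-commit` and `prefix ::/60`
produce, parses the IA_PD option out of a Reply, and splits the delegated /60
into LAN /64s the way `prefix-interface ... sla-id 2; sla-len 4` does.
The DUID, transaction id and delegated prefix are constructed placeholders."""
import ipaddress
import struct

MSG_SOLICIT, MSG_REPLY = 1, 7            # RFC 8415 message types
OPT_CLIENTID, OPT_RAPID_COMMIT = 1, 14   # RFC 8415 option codes
OPT_IA_PD, OPT_IAPREFIX = 25, 26


def option(code, payload):
    return struct.pack("!HH", code, len(payload)) + payload


def iaprefix(prefix, preferred=0, valid=0):
    """IA_PD Prefix option: lifetimes, prefix length, 128-bit prefix.
    Zero lifetimes and a zero prefix make it the client's length hint."""
    net = ipaddress.IPv6Network(prefix)
    return option(OPT_IAPREFIX, struct.pack("!IIB", preferred, valid, net.prefixlen)
                  + net.network_address.packed)


def ia_pd(iaid, prefixes, t1=0, t2=0):
    body = struct.pack("!III", iaid, t1, t2)
    for p in prefixes:
        body += iaprefix(*p)
    return option(OPT_IA_PD, body)


def build_solicit(duid, iaid=0, hint_len=60, txid=b"\x12\x34\x56", rapid_commit=True):
    """Solicit: Client Identifier (the DUID), optional Rapid Commit, and one
    IA_PD carrying a ::/hint_len prefix hint, as `send ia-pd 0` produces."""
    msg = bytes([MSG_SOLICIT]) + txid + option(OPT_CLIENTID, duid)
    if rapid_commit:
        msg += option(OPT_RAPID_COMMIT, b"")
    return msg + ia_pd(iaid, [("::/%d" % hint_len,)])


def build_reply(duid, iaid, prefix, preferred, valid, txid=b"\x12\x34\x56"):
    """Constructed server Reply carrying one delegated prefix (sample input only)."""
    return (bytes([MSG_REPLY]) + txid + option(OPT_CLIENTID, duid)
            + ia_pd(iaid, [(prefix, preferred, valid)], t1=preferred // 2, t2=preferred * 4 // 5))


def options(data):
    """Yield (code, payload) over a DHCPv6 option block, rejecting truncated options."""
    off = 0
    while off + 4 <= len(data):
        code, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError("truncated DHCPv6 option %d" % code)
        yield code, data[off:off + length]
        off += length


def delegated_prefixes(msg):
    """[(iaid, IPv6Network, preferred, valid)] for every IA_PD prefix in a message."""
    found = []
    for code, body in options(msg[4:]):
        if code != OPT_IA_PD or len(body) < 12:
            continue
        iaid = struct.unpack_from("!I", body)[0]
        for sub, sbody in options(body[12:]):
            if sub == OPT_IAPREFIX and len(sbody) == 25:
                preferred, valid, plen = struct.unpack_from("!IIB", sbody)
                net = ipaddress.IPv6Network((sbody[9:], plen), strict=False)
                found.append((iaid, net, preferred, valid))
    return found


def sla_subnet(delegated, sla_id, sla_len=None):
    """dhcp6c prefix-interface: sla_id goes into the sla_len bits right after the
    delegated prefix. EdgeOS `prefix-id 2` on a /60 is sla-id 2 with sla-len 4."""
    net = ipaddress.IPv6Network(str(delegated))
    if sla_len is None:
        sla_len = 64 - net.prefixlen
    if not 0 <= sla_id < (1 << sla_len):
        raise ValueError("sla-id %d does not fit in %d bits" % (sla_id, sla_len))
    new_len = net.prefixlen + sla_len
    base = int(net.network_address) | (sla_id << (128 - new_len))
    return ipaddress.IPv6Network((base, new_len))


def lan_interface_address(delegated, sla_id, host="::1", sla_len=None):
    """Address the router puts on the LAN interface (`host-address ::1`)."""
    net = sla_subnet(delegated, sla_id, sla_len)
    addr = int(net.network_address) | int(ipaddress.IPv6Address(host))
    return ipaddress.IPv6Interface((addr, net.prefixlen))


if __name__ == "__main__":
    duid = bytes.fromhex("00030001001122334455")  # constructed DUID-LL, not a real AT&T value
    print("Solicit:", build_solicit(duid).hex())
    reply = build_reply(duid, 0, "2600:1700:3d40:6300::/60", 3600, 7200)
    for iaid, net, pref, valid in delegated_prefixes(reply):
        print("IA_PD %d: %s preferred=%d valid=%d" % (iaid, net, pref, valid))
        for sla in (0, 1, 2):
            print("  prefix-id %d -> %s" % (sla, lan_interface_address(net, sla)))
```

Running it shows prefix-id 0 yielding 2600:1700:3d40:6300::1/64 and prefix-id 2 yielding 2600:1700:3d40:6302::1/64 from the same /60, which is also why a sla-id that does not fit in sla-len bits is rejected rather than silently overlapping a neighbouring subnet. To check a real exchange, capture `udp port 546 or 547` on the VLAN 0 interface and hand the Reply's UDP payload to delegated_prefixes().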

Of everything I've tried in my /config/config.boot from suggestions in this thread, none of it automatically generates /var/run/dhcp6c-eth0.0-pd.conf... but as soon as I manually created it and renewed the IPv6 stuff, it worked.

@Farjad you don't need to create that file manually. It's created automatically per the comment at the top of the file. I only shared mine as an example of what it looks like. The relevant settings which create that file are the dhcpv6-pd lines in the config. Perhaps you should ask on the Ubiquiti forums as this is not related to eap_proxy.

So I upgraded my firmware (might have been the reason), now my /var/run/dhcp6c-eth0.0-pd.conf has the auto-generated comment.

Thanks for all your help guys!

A small update: I setup a fresh config using @jaysoffian's config but with only one change:

set interfaces ethernet eth0 vif 0 dhcpv6-pd pd 1 interface eth1 service slaac

Without this option, I was not able to get ipv6 going.

Note that previously, our BGW210 grabbed two /64's; one it held onto and one it passed to our network (I had the modem setup in passthrough mode). With this option, I was given the modem block and my clients on the LAN get IPs from it (which makes way more sense than what was happening before).

Some remarkably smart people on this thread. Very enlightening conversation. I was able to get eap_proxy going on the bgw210-700 on the first shot with @jaysoffian's files and @Genghis1227's instructions. I got it going on the erpoe5, erx and edgerouter 4. However, instead of using the perfect bridge, I spent the next 4 days wondering why the RG had a red blinking led on the broadband (ONT) connection :)

Shows how the human brain is trained to see green to indicate things are OK.

Thank you folks for the great instructions and wizardry. Some fine engineering indeed!

I recently changed from a PACE 5268AC to the ARRIS BGW210-700. I had already had my ER-4 set up with EAP-Proxy so only had to change the MAC and DUID to get it all working. Thank you to those on this thread for the DUID help. The old gen-duid.sh script from pfatt does not include the correct prefix for the BGW210-700, but using the prefix here worked!

FYI, I also found that if you create a DHCP server on the ER-4 to serve addresses to the BGW210, it'll stop blinking and "be happy" with the world!