Configuring IPv6 on EdgeRouter Lite


Tested with:

  • v1.9.7+hotfix.4, Wave G in Seattle
  • v1.10.5, Comcast in the South Bay Area

set interfaces ethernet eth0 description WAN
set interfaces ethernet eth1 description LAN
set interfaces ethernet eth3 description "WLAN - Bear"
set interfaces ethernet eth4 description "WLAN - Alpha"

Firewall

Since IPv6 does not require NAT, connected devices are directly reachable from the Internet at large unless a firewall prevents it.

set firewall ipv6-name WAN6_INBOUND default-action drop
set firewall ipv6-name WAN6_INBOUND rule 10 action accept
set firewall ipv6-name WAN6_INBOUND rule 10 description "Accept Established/Related"
set firewall ipv6-name WAN6_INBOUND rule 10 protocol all
set firewall ipv6-name WAN6_INBOUND rule 10 state established enable
set firewall ipv6-name WAN6_INBOUND rule 10 state related enable
set firewall ipv6-name WAN6_INBOUND rule 20 action accept
set firewall ipv6-name WAN6_INBOUND rule 20 description "Accept ICMP"
set firewall ipv6-name WAN6_INBOUND rule 20 protocol icmpv6
set interfaces ethernet eth0 firewall in ipv6-name WAN6_INBOUND

set firewall ipv6-name WAN_LOCAL default-action drop
set firewall ipv6-name WAN_LOCAL rule 10 action accept
set firewall ipv6-name WAN_LOCAL rule 10 description "Accept Established/Related"
set firewall ipv6-name WAN_LOCAL rule 10 protocol all
set firewall ipv6-name WAN_LOCAL rule 10 state established enable
set firewall ipv6-name WAN_LOCAL rule 10 state related enable
set firewall ipv6-name WAN_LOCAL rule 20 action accept
set firewall ipv6-name WAN_LOCAL rule 20 description "Accept ICMP"
set firewall ipv6-name WAN_LOCAL rule 20 protocol icmpv6
set firewall ipv6-name WAN_LOCAL rule 30 action accept
set firewall ipv6-name WAN_LOCAL rule 30 description "Accept DHCP"
set firewall ipv6-name WAN_LOCAL rule 30 protocol udp
set firewall ipv6-name WAN_LOCAL rule 30 destination port 546
set firewall ipv6-name WAN_LOCAL rule 30 source port 547
set interfaces ethernet eth0 firewall local ipv6-name WAN_LOCAL

firewall {
    ipv6-name WAN6_INBOUND {
        default-action drop
        rule 10 {
            action accept
            description "Accept Established/Related"
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Accept ICMP"
            protocol icmpv6
        }
    }
    ipv6-name WAN_LOCAL {
        default-action drop
        rule 10 {
            action accept
            description "Accept Established/Related"
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Accept ICMP"
            protocol icmpv6
        }
        rule 30 {
            action accept
            description "Accept DHCP"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
}
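A quick offline check of the firewall commands above, as an added example that is not part of the original gist: it parses `set` lines and reports a WAN interface with no IPv6 ruleset bound to `in` or `local`, a bound ruleset whose default-action is not explicitly `drop`, and accept rules with no match criteria. The function name `audit` and the `SAMPLE` text (a constructed subset of the page's commands) are assumptions of the example.

```python
# Constructed sample: a subset of the "set" commands shown on this page.
SAMPLE = """\
set firewall ipv6-name WAN6_INBOUND default-action drop
set firewall ipv6-name WAN6_INBOUND rule 10 action accept
set firewall ipv6-name WAN6_INBOUND rule 10 state established enable
set firewall ipv6-name WAN6_INBOUND rule 10 state related enable
set firewall ipv6-name WAN6_INBOUND rule 20 action accept
set firewall ipv6-name WAN6_INBOUND rule 20 protocol icmpv6
set interfaces ethernet eth0 firewall in ipv6-name WAN6_INBOUND
set firewall ipv6-name WAN_LOCAL default-action drop
set firewall ipv6-name WAN_LOCAL rule 10 action accept
set firewall ipv6-name WAN_LOCAL rule 10 state established enable
set firewall ipv6-name WAN_LOCAL rule 10 state related enable
set interfaces ethernet eth0 firewall local ipv6-name WAN_LOCAL
"""


def audit(commands, wan="eth0"):
    """Return findings for the IPv6 rulesets bound to the WAN interface."""
    defaults, attached, rules = {}, {}, {}
    for line in commands.splitlines():
        t = line.split()
        if t[:3] == ["set", "firewall", "ipv6-name"] and len(t) >= 6:
            name = t[3]
            if t[4] == "default-action":
                defaults[name] = t[5]
            elif t[4] == "rule" and len(t) >= 8:
                rule = rules.setdefault((name, t[5]), {"action": None, "match": set()})
                if t[6] == "action":
                    rule["action"] = t[7]
                elif t[6] != "description" and t[6:8] != ["protocol", "all"]:
                    rule["match"].add(t[6])  # state, protocol, source, destination
        elif (t[:4] == ["set", "interfaces", "ethernet", wan] and len(t) == 8
              and t[4] == "firewall" and t[6] == "ipv6-name"):
            attached[t[5]] = t[7]  # direction ("in" / "local") -> ruleset name
    findings = []
    for direction in ("in", "local"):
        name = attached.get(direction)
        if name is None:
            findings.append(f"{wan} {direction}: no ipv6-name ruleset attached")
        elif defaults.get(name) != "drop":
            findings.append(f"{name}: default-action is not explicitly drop")
    for (name, num), rule in sorted(rules.items()):
        if name in attached.values() and rule["action"] == "accept" and not rule["match"]:
            findings.append(f"{name} rule {num}: accepts all traffic")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE) or "no findings")
```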

DHCP-PD

The WAN interface can get an IPv6 address via SLAAC (ipv6 address autoconf). This is not required, though. What matters is that hosts on the LAN(s) are able to get IPv6 addresses via SLAAC. To achieve that, Wave G delegates /60 prefixes via DHCP-PD, which is great because it allows you to deploy up to 16 different IPv6 subnets. The following configuration takes advantage of this by delegating a unique subnet to each of the LANs:

set interfaces ethernet eth0 dhcpv6-pd prefix-only
set interfaces ethernet eth0 dhcpv6-pd pd 0 prefix-length 60
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 prefix-id :1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 host-address ::1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 prefix-id :2
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 host-address ::2
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth3 prefix-id :3
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth3 host-address ::3
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth3 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth4 prefix-id :4
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth4 host-address ::4
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth4 service slaac

interfaces {
    ethernet eth0 {
        description WAN
        dhcpv6-pd {
            pd 0 {
                interface eth1 {
                    host-address ::1
                    prefix-id :1
                    service slaac
                }
                interface eth2 {
                    host-address ::2
                    prefix-id :2
                    service slaac
                }
                interface eth3 {
                    host-address ::3
                    prefix-id :3
                    service slaac
                }
                interface eth4 {
                    host-address ::4
                    prefix-id :4
                    service slaac
                }
                prefix-length 60
            }
            prefix-only
        }
        firewall {
            in {
                ipv6-name WAN6_INBOUND
            }
            local {
                ipv6-name WAN_LOCAL
            }
        }
    }
    ethernet eth1 {
        description LAN
    }
    ethernet eth2 {
        description WLAN
    }
    ethernet eth3 {
        description "WLAN - Bear"
    }
    ethernet eth4 {
        description "WLAN - Alpha"
    }
}
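How the prefix-id and host-address values above turn a delegated /60 into per-LAN /64 subnets and router addresses, as an added example that is not part of the original gist. It assumes prefix-id fills the bits between the delegated length and /64 and host-address supplies the low 64 bits; the delegated prefix `2001:db8:0:a0::/60` is a constructed documentation value, and `lan_address` and `plan` are names made up for the example.

```python
import ipaddress

# prefix-id / host-address pairs taken from the set commands on this page.
PAGE_ASSIGNMENTS = {
    "eth1": (":1", "::1"),
    "eth2": (":2", "::2"),
    "eth3": (":3", "::3"),
    "eth4": (":4", "::4"),
}


def lan_address(delegated, prefix_id, host_address):
    """Return (subnet, router address) for one LAN interface."""
    pd = ipaddress.IPv6Network(delegated)
    subnet_bits = 64 - pd.prefixlen          # 4 bits for a /60: ids 0x0..0xf
    if subnet_bits < 0:
        raise ValueError("delegated prefix is longer than /64")
    sid = int(prefix_id.lstrip(":"), 16)     # ":1" -> 0x1
    if sid >= 1 << subnet_bits:
        raise ValueError(f"prefix-id {prefix_id} does not fit in a /{pd.prefixlen}")
    iid = int(ipaddress.IPv6Address(host_address))
    if iid >> 64:
        raise ValueError("host-address must fit in the low 64 bits")
    base = int(pd.network_address) | (sid << 64)
    return ipaddress.IPv6Network((base, 64)), ipaddress.IPv6Address(base | iid)


def plan(delegated, assignments):
    """Map each interface to its subnet and address; reject a reused prefix-id."""
    seen, result = {}, {}
    for ifname, (prefix_id, host) in assignments.items():
        subnet, addr = lan_address(delegated, prefix_id, host)
        if subnet in seen:
            raise ValueError(f"{ifname} and {seen[subnet]} share {subnet}")
        seen[subnet] = ifname
        result[ifname] = (str(subnet), str(addr))
    return result


if __name__ == "__main__":
    # Constructed delegated prefix from the documentation range.
    for ifname, (subnet, addr) in plan("2001:db8:0:a0::/60", PAGE_ASSIGNMENTS).items():
        print(ifname, subnet, addr)
```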