Tested with:
- v1.9.7+hotfix.4, Wave G in Seattle
- v1.10.5, Comcast in the South Bay Area
# Label each port by role. The firewall and DHCPv6-PD commands on this page treat eth0 as the WAN side.
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth1 description LAN
set interfaces ethernet eth3 description "WLAN - Bear"
set interfaces ethernet eth4 description "WLAN - Alpha"
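Since IPv6 does not require NAT, connected devices are directly reachable from the Internet at large unless a firewall prevents it. The two rule sets below therefore drop unsolicited inbound IPv6 traffic by default: WAN6_INBOUND covers traffic forwarded to hosts behind the router, and WAN_LOCAL covers traffic addressed to the router itself.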
# WAN6_INBOUND: IPv6 rule set for packets that enter on the WAN port and are forwarded to hosts behind the router.
# Anything no rule accepts is dropped.
set firewall ipv6-name WAN6_INBOUND default-action drop
# Rule 10: accept packets that belong to connections already tracked as established or related.
set firewall ipv6-name WAN6_INBOUND rule 10 action accept
set firewall ipv6-name WAN6_INBOUND rule 10 description "Accept Established/Related"
set firewall ipv6-name WAN6_INBOUND rule 10 protocol all
set firewall ipv6-name WAN6_INBOUND rule 10 state established enable
set firewall ipv6-name WAN6_INBOUND rule 10 state related enable
# Rule 20: accept every ICMPv6 type. IPv6 depends on ICMPv6 error messages (e.g. Packet Too Big),
# but with no type restriction unsolicited echo requests from the Internet also reach the LAN hosts.
# NOTE(review): consider limiting this rule to the message types you need (see RFC 4890) - confirm for your network.
set firewall ipv6-name WAN6_INBOUND rule 20 action accept
set firewall ipv6-name WAN6_INBOUND rule 20 description "Accept ICMP"
set firewall ipv6-name WAN6_INBOUND rule 20 protocol icmpv6
# Attach the rule set to eth0 in the "in" direction (traffic arriving on eth0 and routed onward).
set interfaces ethernet eth0 firewall in ipv6-name WAN6_INBOUND
# WAN_LOCAL: IPv6 rule set for packets that arrive on the WAN port addressed to the router itself.
# Anything no rule accepts is dropped, so no router service is reachable over IPv6 from the WAN side
# unless a rule here allows it.
# NOTE(review): unlike WAN6_INBOUND the name carries no "6"; an IPv4 rule set with the same name would be
# a separate object (name vs. ipv6-name) - consider a distinct name to avoid confusion.
set firewall ipv6-name WAN_LOCAL default-action drop
# Rule 10: accept packets that belong to connections already tracked as established or related.
set firewall ipv6-name WAN_LOCAL rule 10 action accept
set firewall ipv6-name WAN_LOCAL rule 10 description "Accept Established/Related"
set firewall ipv6-name WAN_LOCAL rule 10 protocol all
set firewall ipv6-name WAN_LOCAL rule 10 state established enable
set firewall ipv6-name WAN_LOCAL rule 10 state related enable
# Rule 20: accept every ICMPv6 type sent to the router (no type restriction is configured).
set firewall ipv6-name WAN_LOCAL rule 20 action accept
set firewall ipv6-name WAN_LOCAL rule 20 description "Accept ICMP"
set firewall ipv6-name WAN_LOCAL rule 20 protocol icmpv6
# Rule 30: accept UDP from source port 547 to destination port 546, i.e. DHCPv6 server-to-client replies.
# The router's DHCPv6-PD client on eth0 needs these to receive its delegated prefix.
# NOTE(review): the rule matches any source address; DHCPv6 replies normally come from a link-local
# address, so the source could presumably be narrowed to fe80::/10 - verify with your ISP before tightening.
set firewall ipv6-name WAN_LOCAL rule 30 action accept
set firewall ipv6-name WAN_LOCAL rule 30 description "Accept DHCP"
set firewall ipv6-name WAN_LOCAL rule 30 protocol udp
set firewall ipv6-name WAN_LOCAL rule 30 destination port 546
set firewall ipv6-name WAN_LOCAL rule 30 source port 547
# Attach the rule set to eth0 in the "local" direction (traffic destined to the router itself).
set interfaces ethernet eth0 firewall local ipv6-name WAN_LOCAL
/* Configuration-tree form of the two IPv6 rule sets created by the set commands above. */
firewall {
/* Traffic entering on the WAN port and forwarded to hosts behind the router; default is drop. */
ipv6-name WAN6_INBOUND {
default-action drop
/* Return traffic for connections already tracked as established or related. */
rule 10 {
action accept
description "Accept Established/Related"
protocol all
state {
established enable
related enable
}
}
/* All ICMPv6 types are accepted; no type filter is set. */
rule 20 {
action accept
description "Accept ICMP"
protocol icmpv6
}
}
/* Traffic entering on the WAN port and addressed to the router itself; default is drop. */
ipv6-name WAN_LOCAL {
default-action drop
/* Return traffic for connections already tracked as established or related. */
rule 10 {
action accept
description "Accept Established/Related"
protocol all
state {
established enable
related enable
}
}
/* All ICMPv6 types are accepted; no type filter is set. */
rule 20 {
action accept
description "Accept ICMP"
protocol icmpv6
}
/* DHCPv6 server-to-client replies: UDP source port 547, destination port 546. No source address is matched. */
rule 30 {
action accept
description "Accept DHCP"
destination {
port 546
}
protocol udp
source {
port 547
}
}
}
}
The WAN interface can get an IPv6 address via SLAAC (`ipv6 address autoconf`). This is not required, though. What matters is that hosts on the LAN(s) are able to get IPv6 addresses via SLAAC. To achieve that, Wave G delegates /60 prefixes via DHCP-PD, which is great because it allows you to deploy up to 16 different IPv6 subnets. The following configuration takes advantage of this by delegating a unique subnet to each of the LANs:
# DHCPv6 prefix delegation on the WAN port: ask the ISP for a prefix and hand one subnet to each internal port.
# prefix-only: request a delegated prefix only, not an address for eth0 itself.
set interfaces ethernet eth0 dhcpv6-pd prefix-only
# Request a /60, which splits into 16 /64 subnets.
set interfaces ethernet eth0 dhcpv6-pd pd 0 prefix-length 60
# For each internal port: prefix-id picks the subnet within the delegated prefix, host-address is the
# router's own address in that subnet, and "service slaac" lets hosts autoconfigure (SLAAC).
# NOTE(review): hosts on all four ports receive globally routable addresses. The only IPv6 rule sets shown on
# this page are attached to eth0, so nothing shown here filters IPv6 traffic routed between eth1-eth4 -
# add rule sets on those ports if the WLAN and LAN segments should be isolated from each other.
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 prefix-id :1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 host-address ::1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 service slaac
# NOTE(review): eth2 gets a subnet although no description is set for it earlier on this page - confirm it is in use.
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 prefix-id :2
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 host-address ::2
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth3 prefix-id :3
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth3 host-address ::3
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth3 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth4 prefix-id :4
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth4 host-address ::4
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth4 service slaac
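/* Interface section in configuration-tree form. Node names follow the set commands on this page:
   eth0 is the WAN port (prefix delegation client, both IPv6 rule sets attached) and eth1 is the LAN.
   A tree cannot hold two "ethernet eth0" nodes, and prefix :1 is delegated to eth1, not back to eth0. */
interfaces {
    ethernet eth0 {
        description WAN
        dhcpv6-pd {
            pd 0 {
                /* LAN: subnet :1 of the delegated /60 */
                interface eth1 {
                    host-address ::1
                    prefix-id :1
                    service slaac
                }
                /* NOTE(review): the set commands use host-address ::2 for eth2 and also delegate
                   subnets :3 and :4 to eth3 and eth4, which this listing omits - confirm which is current. */
                interface eth2 {
                    host-address ::1
                    prefix-id :2
                    service slaac
                }
                prefix-length 60
            }
            prefix-only
        }
        firewall {
            /* Forwarded traffic arriving on the WAN port */
            in {
                ipv6-name WAN6_INBOUND
            }
            /* Traffic addressed to the router itself */
            local {
                ipv6-name WAN_LOCAL
            }
        }
    }
    ethernet eth1 {
        description LAN
    }
    ethernet eth2 {
        /* NOTE(review): the set commands label eth3 and eth4 as the WLAN ports and set no description on eth2. */
        description WLAN
    }
}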