While many people still just use IPv4, IPv6 is great to have if your ISP provides it. In my case I have Spectrum Internet, and they have IPv6 fully rolled out in my area.
This guide will be assuming you already have a VLAN configured, and that you have clients able to connect properly at an IPv4 level. There are plenty of guides on how to get yourself to this point; here I am focusing strictly on getting every client a public IPv6 address.
Prerequisites
- Ubiquiti Edgerouter
- Managed Switch
- Configured VLANs with 802.1Q routing (you can ping each VLAN subnet)
- An ISP delegating you an IPv6 prefix larger than a single /64 (this guide requests a /56) – most do if you ask nicely
- eth0 connecting to your ISP
- eth1 connecting to your LAN
- SSH access to your router
For this example, we are going to focus on my VLAN 20, which I have configured to eth1.20
Part One: Firewall Rules
Since we don’t want to get portscanned, or some of the many other issues with not using a firewall, let’s set up a firewall for IPv6. I have comments on each rule, so see the comments if you are curious what each rule does.
Log into your router with your admin username
ssh bryantdl7@10.2.20.1
bryantdl7@20en001sus:~$ ssh bryantdl7@10.2.20.1
Welcome to EdgeOS
By logging in, accessing, or using the Ubiquiti product, you
acknowledge that you have read and understood the Ubiquiti
License Agreement (available in the Web UI at, by default,
http://192.168.1.1) and agree to be bound by its terms.
bryantdl7@10.2.20.1’s password:
bryantdl7@router:~$
Enter router configuration Mode by typing this command
configure
bryantdl7@router:~$ configure
[edit]
bryantdl7@router#
Paste in your firewall rules
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN description 'WAN inbound traffic forwarded to LAN'
set firewall ipv6-name WANv6_IN enable-default-log
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 description 'Allow established/related sessions'
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable
set firewall ipv6-name WANv6_IN rule 20 action drop
set firewall ipv6-name WANv6_IN rule 20 description 'Drop invalid state'
set firewall ipv6-name WANv6_IN rule 20 state invalid enable
set firewall ipv6-name WANv6_IN rule 30 action accept
set firewall ipv6-name WANv6_IN rule 30 description 'Allow IPv6 icmp'
set firewall ipv6-name WANv6_IN rule 30 protocol ipv6-icmp
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL description 'WAN inbound traffic to the router'
set firewall ipv6-name WANv6_LOCAL enable-default-log
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 description 'Allow established/related sessions'
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
set firewall ipv6-name WANv6_LOCAL rule 20 action drop
set firewall ipv6-name WANv6_LOCAL rule 20 description 'Drop invalid state'
set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 description 'Allow IPv6 icmp'
set firewall ipv6-name WANv6_LOCAL rule 30 protocol ipv6-icmp
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 description 'allow dhcpv6'
set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 40 source port 547
set firewall ipv6-receive-redirects enable
set firewall ipv6-src-route enable
set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL
set system offload ipv6 forwarding enable
set system offload ipv6 pppoe enable
If all these rules worked, you should get no response. No news is good news!
Temporarily apply our configuration changes
We use the following command to apply our changes. This doesn’t permanently save them, which allows us to reboot and start fresh. This command saves the changes to RAM only, and not the hard drive.
commit
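As an added check before (or after) you commit, here is a small Python linter of my own, not part of this guide or of EdgeOS, that parses pasted set lines and tests the IPv6 policy: default-action drop, ICMPv6 accepted, the DHCPv6 hole pinned to udp 547->546, and the two global options. Run against the WANv6_LOCAL rules above (descriptions omitted in the constructed sample) it reports only that ipv6-src-route and ipv6-receive-redirects are enabled, which a factory-default EdgeOS config sets to disable.

```python
import shlex
# Constructed sample: the guide's WANv6_LOCAL rules (descriptions omitted) plus
# the two global IPv6 options, as pasted into EdgeOS configure mode.
SAMPLE_CONFIG = """
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 protocol ipv6-icmp
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 40 source port 547
set firewall ipv6-receive-redirects enable
set firewall ipv6-src-route enable
"""

def parse_set_lines(text):
    """Build a nested dict from 'set <path...> <key> <value>' lines (last token = value)."""
    tree = {}
    for parts in (shlex.split(line) for line in text.splitlines()):
        if len(parts) < 3 or parts[0] != "set":
            continue
        node = tree
        for key in parts[1:-2]:
            node = node.setdefault(key, {})
        node[parts[-2]] = parts[-1]
    return tree

def lint_ipv6_firewall(tree, ruleset):
    """Return a list of findings for one ipv6-name ruleset and the global IPv6 options."""
    findings, fw = [], tree.get("firewall", {})
    rs = fw.get("ipv6-name", {}).get(ruleset, {})
    rules = rs.get("rule", {})
    if rs.get("default-action") != "drop":
        findings.append(f"{ruleset}: default-action is not drop")
    # ICMPv6 carries Neighbor Discovery and Path MTU Discovery; IPv6 breaks without it.
    if not any(r.get("action") == "accept" and r.get("protocol") == "ipv6-icmp"
               for r in rules.values()):
        findings.append(f"{ruleset}: no rule accepts ipv6-icmp")
    # The DHCPv6 client hole should stay pinned to udp, server port 547 -> client port 546.
    for num, r in rules.items():
        if r.get("destination", {}).get("port") == "546" and (
                r.get("protocol") != "udp" or r.get("source", {}).get("port") != "547"):
            findings.append(f"{ruleset} rule {num}: dhcpv6 rule is wider than udp 547->546")
    # Source-routed packets (RH0, deprecated by RFC 5095) and ICMPv6 redirects accepted from
    # the WAN let outsiders steer the router's forwarding; EdgeOS defaults both to disable.
    for opt in ("ipv6-src-route", "ipv6-receive-redirects"):
        if fw.get(opt) == "enable":
            findings.append(f"{opt} is enabled; consider 'set firewall {opt} disable'")
    return findings
```

Pipe your own pasted rules into parse_set_lines (for example from a file) and call lint_ipv6_firewall for WANv6_IN and WANv6_LOCAL; an empty list means the checks passed.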
Part two: Prepping our interfaces
Some stuff needs to be set statically, so let's get that out of the way now.
I am assuming you are still within your terminal session from earlier, so let’s pick up where we left off:
Assign eth0 the first IPv6 address, ::1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth0 host-address '::1'
Set the prefix ID for the IPv6 subnet on the interface
Yes, we are indeed subnetting IPv6. To keep it simple our range is :00-:ff. You can definitely just paste the line I have here and not overthink it. If you know how to subnet IPv6 yourself, feel free to tweak it.
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth0 prefix-id ':DC'
We have all of the static setup for the interface eth0 completed. Next we will complete the same steps for eth1, which is VLAN1.
Prepping eth1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 host-address '::1'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 prefix-id ':DD'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 service slaac
You’ll notice we did a third command this time, SLAAC. This is the cool mechanism which works great for providing IPv6 addresses to devices in most setups. You’ll see this command repeated for every LAN interface. It currently escapes my mind why we don’t do this on eth0, but there is some reason we just use DHCPv6 there. At the end of the day, it works?
Prepping eth1.20
Almost the exact same commands as above, just yet again we are tweaking that prefix ID.
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.20 host-address '::1'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.20 prefix-id ':0f'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.20 service slaac
At this point, all of the prepwork on the interfaces is done. Let’s hold off on applying everything until the rest is done, just to ensure stability.
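To see how the prefix-id turns a delegated /56 into a per-interface /64, here is an added Python example of my own (not from the guide or from EdgeOS) that reproduces the math for eth1 (:DD) and eth1.20 (:0f). The /56 is constructed to line up with the sanitized addresses shown in Part four, and the range check is the :00-:ff limit mentioned above: eight free bits between /56 and /64.

```python
import ipaddress

# Constructed: a /56 delegation consistent with the sanitized show-interfaces output
# in this guide, where eth1 (prefix-id :DD) comes up as 6969:6969:3e06:53dd::1/64.
DELEGATED_PREFIX = "6969:6969:3e06:5300::/56"

# The prefix-id and host-address each LAN interface is given in the guide.
INTERFACES = {
    "eth1": {"prefix-id": ":DD", "host-address": "::1"},
    "eth1.20": {"prefix-id": ":0f", "host-address": "::1"},
}

def subnet_from_prefix_id(delegated, prefix_id, host_address="::1", sub_len=64):
    """Carve one /64 out of the delegated prefix; return (network, router interface address).

    The prefix-id fills the bits between the delegated length and the /64 boundary,
    so a /56 delegation leaves 8 bits: ids :00 through :ff, 256 subnets.
    """
    pd = ipaddress.IPv6Network(delegated, strict=True)
    free_bits = sub_len - pd.prefixlen
    if free_bits <= 0:
        raise ValueError(f"{delegated} cannot be split into /{sub_len} subnets")
    sid = int(prefix_id.lstrip(":"), 16)
    if not 0 <= sid < (1 << free_bits):
        raise ValueError(f"prefix-id {prefix_id} does not fit in {free_bits} free bits")
    host = int(ipaddress.IPv6Address(host_address))
    if host >= (1 << (128 - sub_len)):
        raise ValueError(f"host-address {host_address} overflows the /{sub_len} interface id")
    # Shift the id into the subnet field, which sits directly above the /64 boundary.
    net_int = int(pd.network_address) | (sid << (128 - sub_len))
    return (ipaddress.IPv6Network((net_int, sub_len)),
            ipaddress.IPv6Interface((net_int | host, sub_len)))

def prefix_id_fits(delegated, prefix_id, sub_len=64):
    """True when prefix_id is a valid subnet id for this delegation."""
    try:
        subnet_from_prefix_id(delegated, prefix_id, sub_len=sub_len)
        return True
    except ValueError:
        return False

def plan_addresses(delegated, interfaces):
    """Map each interface name to the router address its prefix-id selects."""
    return {name: str(subnet_from_prefix_id(delegated, c["prefix-id"], c["host-address"])[1])
            for name, c in interfaces.items()}

if __name__ == "__main__":
    for name, addr in plan_addresses(DELEGATED_PREFIX, INTERFACES).items():
        print(f"{name:8} {addr}")
```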
Part three: Asking for our IPv6 addresses
With some ISPs you actually need to call up for this to work, but Spectrum is automatically configured to accept this request.
Asking our ISP for a /56 prefix for eth0
set interfaces ethernet eth0 dhcpv6-pd pd 0 prefix-length /56
Enabling DHCPv6 Rapid Commit for eth0
set interfaces ethernet eth0 dhcpv6-pd rapid-commit enable
Apply our configuration changes temporarily
commit
If all went well, you should have IPv6 on your subnet now.
Part four: Verifying IPv6 works
This wouldn’t be a good guide without me explaining how to test it, would it?
Exit the configuration utility
You simply type exit when in the [edit] prompt.
exit
You’ll receive a warning saying your configuration changes haven’t been permanently saved yet; we are expecting this, as explained earlier.
Check your interfaces' IP addresses
show interfaces
Assuming you didn’t type exit one too many times, you should get the following output:
I sanitized my addresses for obvious reasons, but you get the idea:
bryantdl7@graypenguin:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 69.69.69.170/19 u/u Spectrum
6868:6868:ffc0:61:4d97:e9cb:83bf:378/128
eth1 10.0.0.1/22 u/u Physical Int(VLAN1)
6969:6969:3e06:53dd::1/64
eth1.20 10.2.20.1/24 u/u Access
6969:6969:3e06:530f::1/64
eth1.30 10.2.30.1/30 u/u Voice
6969:6969:3e06:531f::1/64
eth1.50 10.2.50.1/24 u/u Guest
6969:6969:3e06:532f::1/64
eth2 192.168.2.1/24 A/D Local 2
lo 127.0.0.1/8 u/u
Testing Ping
Since we see IPv6 addresses, let's try pinging some of them. We need the ping6 command to do this. We are going to ping Cloudflare's IPv6 resolver:
ping6 2606:4700:4700::1111
This is the desired output:
PING 2606:4700:4700::1111(2606:4700:4700::1111) 56 data bytes
64 bytes from 2606:4700:4700::1111: icmp_seq=1 ttl=53 time=19.9 ms
64 bytes from 2606:4700:4700::1111: icmp_seq=2 ttl=53 time=20.3 ms
64 bytes from 2606:4700:4700::1111: icmp_seq=3 ttl=53 time=17.1 ms
64 bytes from 2606:4700:4700::1111: icmp_seq=4 ttl=53 time=17.6 ms
^C
--- 2606:4700:4700::1111 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 17.149/18.784/20.384/1.403 ms
bryantdl7@graypenguin:~$
By the way, hold the control key plus the letter C to cancel the ping command; you can see that above listed as ^C.
Part five: Save your work
At this point everything is working properly, so we need to save our changes to the router’s hard drive.
Re-enter configuration mode
configure
Save your changes
save
You’ll see the following output:
bryantdl7@router# save
Saving configuration to '/config/config.boot'...
Done
[edit]
That’s it! All you have left to do is type the exit command twice to fully sign out of your router.