How to add IPv6 to VLANs on an Edgerouter

While many people still just use IPv4, IPv6 is great to have if your ISP provides it. In my case I have Spectrum Internet, and they have IPv6 fully rolled out in my area.

This guide assumes you already have a VLAN configured and that your clients can connect properly over IPv4. There are plenty of guides on how to get to this point; I am focusing strictly on getting every client a public IPv6 address.

Prerequisites

  • Ubiquiti Edgerouter
  • Managed Switch
  • Configured VLANs with 802.1Q routing (you can ping each VLAN subnet)
  • An ISP that delegates an IPv6 prefix larger than a single /64 (this guide requests a /56) – most do if you ask nicely 🙂
  • eth0 connecting to your ISP
  • eth1 connecting to your LAN
  • SSH access to your router

For this example, we are going to focus on my VLAN 20, which I have configured on eth1.20.

Part One: Firewall Rules

Since we don’t want to get portscanned, or run into the many other issues that come with not using a firewall, let’s set up a firewall for IPv6. Each rule carries a description, so check the descriptions if you are curious what a rule does.

Log into your router with your admin username

ssh bryantdl7@10.2.20.1

bryantdl7@20en001sus:~$ ssh bryantdl7@10.2.20.1
Welcome to EdgeOS

By logging in, accessing, or using the Ubiquiti product, you
acknowledge that you have read and understood the Ubiquiti
License Agreement (available in the Web UI at, by default,
http://192.168.1.1) and agree to be bound by its terms.

bryantdl7@10.2.20.1’s password:

bryantdl7@router:~$

Enter router configuration mode by typing this command

configure

bryantdl7@router:~$ configure
[edit]
bryantdl7@router#

Paste in your firewall rules

set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN description 'WAN inbound traffic forwarded to LAN'
set firewall ipv6-name WANv6_IN enable-default-log
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 description 'Allow established/related sessions'
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable
set firewall ipv6-name WANv6_IN rule 20 action drop
set firewall ipv6-name WANv6_IN rule 20 description 'Drop invalid state'
set firewall ipv6-name WANv6_IN rule 20 state invalid enable
set firewall ipv6-name WANv6_IN rule 30 action accept
set firewall ipv6-name WANv6_IN rule 30 description 'Allow IPv6 icmp'
set firewall ipv6-name WANv6_IN rule 30 protocol ipv6-icmp
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL description 'WAN inbound traffic to the router'
set firewall ipv6-name WANv6_LOCAL enable-default-log
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 description 'Allow established/related sessions'
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
set firewall ipv6-name WANv6_LOCAL rule 20 action drop
set firewall ipv6-name WANv6_LOCAL rule 20 description 'Drop invalid state'
set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 description 'Allow IPv6 icmp'
set firewall ipv6-name WANv6_LOCAL rule 30 protocol ipv6-icmp
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 description 'allow dhcpv6'
set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 40 source port 547
set firewall ipv6-receive-redirects enable
set firewall ipv6-src-route enable
set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL
set system offload ipv6 forwarding enable
set system offload ipv6 pppoe enable

If all these rules worked, you should get no response. No news is good news!
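An added example, not part of the original guide: a small Python check that reads the pasted set lines and reports the properties this firewall depends on, namely default-action drop on both rule sets, both rule sets bound to eth0, and the two global options ipv6-receive-redirects and ipv6-src-route. The rule set above sets both options to enable, which makes the router accept ICMPv6 redirects and packets carrying a routing header; a router is normally left with both disabled. The function name audit and the sample text are constructed for illustration.

```python
# Constructed excerpt of the rule set pasted above (the per-rule lines are omitted).
SAMPLE = """\
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-receive-redirects enable
set firewall ipv6-src-route enable
set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL
"""

# Global options that make the router accept ICMPv6 redirects / routing headers.
RISKY_GLOBALS = ("ipv6-receive-redirects", "ipv6-src-route")


def audit(config, wan="eth0"):
    """Return a list of findings for a block of EdgeOS 'set' commands."""
    defaults, bound, findings = {}, {}, []
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["set", "firewall", "ipv6-name"] and len(tok) == 6 \
                and tok[4] == "default-action":
            defaults[tok[3]] = tok[5]                 # rule set -> default action
        elif tok[:2] == ["set", "firewall"] and len(tok) == 4 \
                and tok[2] in RISKY_GLOBALS and tok[3] == "enable":
            findings.append(f"{tok[2]} is enabled")
        elif tok[:4] == ["set", "interfaces", "ethernet", wan] and len(tok) == 8 \
                and tok[4] == "firewall" and tok[6] == "ipv6-name":
            bound[tok[5]] = tok[7]                    # direction -> rule set
    for direction in ("in", "local"):
        name = bound.get(direction)
        if name is None:
            findings.append(f"no IPv6 rule set bound to {wan} {direction}")
        elif defaults.get(name) != "drop":
            findings.append(f"{name} on {wan} {direction}: default-action is "
                            f"{defaults.get(name, 'unset')}, expected drop")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
    # The same rule set with both globals disabled produces no findings.
    print(audit(SAMPLE.replace(" enable", " disable")))
```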

Temporarily apply our configuration changes

We use the following command to apply our changes. This doesn’t permanently save them, which allows us to reboot and start fresh. This command saves the changes to RAM only, and not the hard drive.

commit

Part two: Prepping our interfaces

Some stuff needs to be set statically, so let’s get that out of the way now.

I am assuming you are still within your terminal session from earlier, so let’s pick up where we left off:

Assign eth0 the first IPv6 address, ::1

set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth0 host-address '::1'

Set the prefix ID for the IPv6 subnet on the interface

Yes, we are indeed subnetting IPv6. To keep it simple our range is :00-:ff. You can definitely just paste the line I have here and not overthink it. If you know how to subnet IPv6 yourself, feel free to tweak it.

set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth0 prefix-id ':DC'

We have all of the static setup for the interface eth0 completed. Next we will complete the same steps for eth1, which is VLAN1.

Prepping eth1

set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 host-address '::1'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 prefix-id ':DD'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 service slaac

You’ll notice we did a third command this time, SLAAC. This is the cool mechanism which works great for providing IPv6 addresses to devices in most setups. You’ll see this command repeated for every LAN interface. It currently escapes my mind why we don’t do this on eth0, but there is some reason we just use DHCPv6 there. At the end of the day, it works?

Prepping eth1.20

Almost the exact same commands as above, just yet again we are tweaking that prefix ID.

set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.20 host-address '::1'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.20 prefix-id ':0f'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1.20 service slaac

At this point, all of the prepwork on the interfaces is done. Let’s hold off on applying everything until the rest is done, just to ensure stability.
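How the prefix IDs above turn into interface addresses, as an added Python example that is not part of the original guide: the prefix ID is appended to the delegated prefix to form a /64 and the host address is added on top, which is why ':0f' appears as ...530f::1/64 in the show interfaces output in part four. The delegated prefix 2001:db8:3e06:5300::/56 is a constructed documentation value, and the function names interface_address and plan are hypothetical.

```python
import ipaddress


def interface_address(delegated, prefix_id, host="::1"):
    """Combine delegated prefix + prefix ID + host address into one /64 address."""
    net = ipaddress.IPv6Network(delegated)
    bits = 64 - net.prefixlen              # subnet bits: 8 for a /56, 0 for a /64
    if bits < 0:
        raise ValueError(f"{delegated} is longer than /64")
    sid = int(prefix_id.lstrip(":"), 16)   # ':0f' -> 0x0f
    if sid >= 1 << bits:
        raise ValueError(f"prefix-id {prefix_id} does not fit in {bits} bits")
    host_int = int(ipaddress.IPv6Address(host))
    value = int(net.network_address) | (sid << 64) | host_int
    return ipaddress.IPv6Interface((value, 64))


def plan(delegated, prefix_ids):
    """Map each interface to its address and reject two interfaces on one /64."""
    owners, result = {}, {}
    for ifname, pid in prefix_ids.items():
        addr = interface_address(delegated, pid)
        if addr.network in owners:
            raise ValueError(f"{ifname} and {owners[addr.network]} share {addr.network}")
        owners[addr.network] = ifname
        result[ifname] = str(addr)
    return result


if __name__ == "__main__":
    # Constructed documentation prefix; the prefix IDs are the ones used in this guide.
    delegated = "2001:db8:3e06:5300::/56"
    ids = {"eth0": ":DC", "eth1": ":DD", "eth1.20": ":0f"}
    for ifname, addr in plan(delegated, ids).items():
        print(f"{ifname:8} {addr}")
```

A prefix ID of ':100' is rejected for a /56, and any non-zero prefix ID is rejected for a /64 delegation, which is why the prerequisites call for a prefix larger than a /64.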

Part three: Asking for our IPv6 addresses

With some ISPs you actually need to call them for this to work, but Spectrum is automatically configured to accept this request.

Asking our ISP for a /56 prefix for eth0

set interfaces ethernet eth0 dhcpv6-pd pd 0 prefix-length /56

Enabling DHCPv6 Rapid Commit for eth0

set interfaces ethernet eth0 dhcpv6-pd rapid-commit enable

Apply our configuration changes temporarily

commit

If all went well, you should have IPv6 on your subnet now.

Part four: Verifying IPv6 works

This wouldn’t be a good guide without me explaining how to test it, would it?

Exit the configuration utility

You simply type exit when in the [edit] prompt.

exit

You’ll receive a warning saying your configuration changes haven’t been permanently saved yet. We are expecting this, as I explained earlier.

Check your interfaces’ IP addresses

show interfaces

Assuming you didn’t type exit one too many times, you should get the following output:

I sanitized my addresses for obvious reasons, but you get the idea:

bryantdl7@graypenguin:~$ show interfaces           
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description                 
---------    ----------                        ---  -----------                 
eth0         69.69.69.170/19                 u/u  Spectrum                    
             6868:6868:ffc0:61:4d97:e9cb:83bf:378/128
eth1         10.0.0.1/22                       u/u  Physical Int(VLAN1)         
             6969:6969:3e06:53dd::1/64        
eth1.20      10.2.20.1/24                      u/u  Access                      
             6969:6969:3e06:530f::1/64        
eth1.30      10.2.30.1/30                      u/u  Voice                       
             6969:6969:3e06:531f::1/64        
eth1.50      10.2.50.1/24                      u/u  Guest                       
             6969:6969:3e06:532f::1/64        
eth2         192.168.2.1/24                    A/D  Local 2                     
lo           127.0.0.1/8                       u/u                

Testing Ping

Since we see IPv6 addresses, let’s try pinging an address on the Internet. We need the ping6 command to do this. We are going to ping Cloudflare’s IPv6 server:

ping6 2606:4700:4700::1111

This is the desired output:

PING 2606:4700:4700::1111(2606:4700:4700::1111) 56 data bytes
64 bytes from 2606:4700:4700::1111: icmp_seq=1 ttl=53 time=19.9 ms
64 bytes from 2606:4700:4700::1111: icmp_seq=2 ttl=53 time=20.3 ms
64 bytes from 2606:4700:4700::1111: icmp_seq=3 ttl=53 time=17.1 ms
64 bytes from 2606:4700:4700::1111: icmp_seq=4 ttl=53 time=17.6 ms
^C
--- 2606:4700:4700::1111 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 17.149/18.784/20.384/1.403 ms

bryantdl7@graypenguin:~$ 

By the way, hold the Control key and press the letter C to cancel the ping command. You can see that listed above as ^C.

Part five: Save your work

At this point everything is working properly, so we need to save our changes to the router’s hard drive.

Re-enter configuration mode

configure

Save your changes

save

You’ll see the following output:

bryantdl7@router# save
Saving configuration to '/config/config.boot'...
Done
[edit]

That’s it! All you have left to do is type the exit command twice to fully sign out of your router.

