Edgerouter, IPv6

Adding IPv6 to the Edgerouter

My goal was to set up IPv6 on my Edgerouter with tunnelbroker.net because my ISP doesn’t support IPv6. There are a lot of nice instructions on the internet on how to get a /64 network routed into one Edgerouter interface, but I found very little information on getting several /64 networks to different interfaces. All examples were based on router advertisement, but I just couldn’t get it working because I was so focused on breaking my /64 into smaller subnets. I finally figured out that router advertisement only hands out full /64 networks per interface. I realized that I needed a /56 or a /48 subnet from tunnelbroker.net; luckily that was as easy as one click 🙂

This article makes some configuration references to my previous article series on Edgerouter security: http://www.cron.dk/edgerouter-security-part1/

The first job is to set up a tunnel to tunnelbroker.net.

set interfaces tunnel tun0 description "Tunnelbroker IPv6 Tunnel"
set interfaces tunnel tun0 encapsulation sit
set interfaces tunnel tun0 local-ip 0.0.0.0
set interfaces tunnel tun0 remote-ip www.xxx.yyy.zzz   # They call it "Server IPv4 Address"
set interfaces tunnel tun0 address aaaa:bbbb:cccc:dddd::2/64   # They call it "Client IPv6 Address"

Now we need a default route to direct all IPv6 traffic to the internet.

set protocols static interface-route6 ::/0 next-hop-interface tun0

Now some firewall rules are added to protect ourselves from the outside, and then they are bound to the tunnel interface. I do allow incoming ICMP from the outside because IPv6 relies heavily on it (ICMPv6 carries neighbour discovery and path MTU discovery, so dropping it breaks connectivity). Note that rule 20 below sits in IP6_WAN_LOCAL, so it admits ICMP to the router itself; IP6_WAN_IN only admits established and related traffic to the LAN clients.

set firewall ipv6-name IP6_WAN_IN default-action drop
set firewall ipv6-name IP6_WAN_IN description WAN_IN
set firewall ipv6-name IP6_WAN_IN rule 10 action accept
set firewall ipv6-name IP6_WAN_IN rule 10 state established enable
set firewall ipv6-name IP6_WAN_IN rule 10 state related enable
set firewall ipv6-name IP6_WAN_LOCAL default-action drop
set firewall ipv6-name IP6_WAN_LOCAL description 'WAN_IN internet to edgerouter'
set firewall ipv6-name IP6_WAN_LOCAL rule 10 action accept
set firewall ipv6-name IP6_WAN_LOCAL rule 10 state established enable
set firewall ipv6-name IP6_WAN_LOCAL rule 10 state related enable
set firewall ipv6-name IP6_WAN_LOCAL rule 20 action accept
set firewall ipv6-name IP6_WAN_LOCAL rule 20 protocol icmp
set interfaces tunnel tun0 firewall in ipv6-name IP6_WAN_IN
set interfaces tunnel tun0 firewall local ipv6-name IP6_WAN_LOCAL

Now I can set up each of my 3 interfaces (eth2 = lan, eth3 vlan30 = wifi trusted, eth3 vlan40 = wifi guest) with an IPv6 address and enable router advertisement (an easy alternative to DHCP). The aaaa:bbbb:cccc here is replaced with the “Routed /48” prefix that you get from enabling a /48 at tunnelbroker.net.

set interfaces ethernet eth2 address 'aaaa:bbbb:cccc:10::1/64'
set interfaces ethernet eth2 ipv6 router-advert prefix 'aaaa:bbbb:cccc:10::/64'
set interfaces ethernet eth3 vif 30 address 'aaaa:bbbb:cccc:30::1/64'
set interfaces ethernet eth3 vif 30 ipv6 router-advert prefix 'aaaa:bbbb:cccc:30::/64'
set interfaces ethernet eth3 vif 40 address 'aaaa:bbbb:cccc:40::1/64'
set interfaces ethernet eth3 vif 40 ipv6 router-advert prefix 'aaaa:bbbb:cccc:40::/64'
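Because each interface needs its own /64 carved out of the routed /48, and a router-advert prefix that does not match the interface address silently breaks SLAAC on that VLAN, here is a small added helper (my own example, not part of the original post or of EdgeOS) that derives the /64s and the matching set commands from the routed prefix, and audits existing set lines for mismatches. It assumes the quoted-value command form used above; the prefix and interface names are the page's placeholders.

```python
import ipaddress
import re

# The two EdgeOS set commands used above (assumes the quoted-value form shown on this page).
_ADDR = re.compile(r"^set interfaces ethernet (.+?) address '([^']+)'$")
_RA = re.compile(r"^set interfaces ethernet (.+?) ipv6 router-advert prefix '([^']+)'$")

def subnet_for(routed, subnet_id):
    """Carve the /64 with 16-bit subnet id subnet_id (e.g. 0x30) out of a routed /48."""
    routed = ipaddress.IPv6Network(routed)
    if routed.prefixlen > 48:
        raise ValueError("need a routed /48: a single /64 cannot be split for SLAAC")
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits")
    return ipaddress.IPv6Network((int(routed.network_address) | (subnet_id << 64), 64))

def edgeos_lines(routed, interfaces):
    """Emit address + router-advert commands for [(interface path, subnet id), ...]."""
    lines = []
    for path, sid in interfaces:
        net = subnet_for(routed, sid)
        lines.append(f"set interfaces ethernet {path} address '{net.network_address + 1}/64'")
        lines.append(f"set interfaces ethernet {path} ipv6 router-advert prefix '{net}'")
    return lines

def audit(routed, lines):
    """List problems in existing set commands: every interface needs a /64 inside the
    routed prefix, and its router-advert prefix must be exactly that /64."""
    routed = ipaddress.IPv6Network(routed)
    addrs, ras = {}, {}
    for line in lines:
        if m := _ADDR.match(line.strip()):
            addrs[m.group(1)] = ipaddress.IPv6Interface(m.group(2))
        elif m := _RA.match(line.strip()):
            ras[m.group(1)] = ipaddress.IPv6Network(m.group(2))
    problems = []
    for path, iface in addrs.items():
        net = iface.network
        if net.prefixlen != 64:
            problems.append(f"{path}: address is a /{net.prefixlen}, SLAAC needs a /64")
        if not net.subnet_of(routed):
            problems.append(f"{path}: {net} is outside the routed {routed}")
        ra = ras.get(path)
        if ra is None:
            problems.append(f"{path}: no router-advert prefix configured")
        elif ra != net:
            problems.append(f"{path}: router-advert prefix {ra} does not match {net}")
    return problems
```

Run `audit("aaaa:bbbb:cccc::/48", lines)` over the set commands copied from the router to get an empty list when every interface's address, prefix and routed /48 agree.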

Now I am able to ping6 from my internal network to the internet!
