Adding IPv6 to the Edgerouter
My goal was to set up IPv6 on my Edgerouter with tunnelbroker.net because my ISP doesn’t support IPv6. There are a lot of nice instructions on the internet how to get a /64 network routed into one Edgerouter interface. But I found very little information on getting several /64 networks to different interfaces. All examples was based on router advertisement, but I just couldn’t get it working because I was so focused on breaking my /64 into smaller subnets. I finally figured out that the router advertisement protocol only hands out full /64 networks per interface. I realized that I needed a /56 or a /48 subnet from tunnelborker.net, luckily that was easy as one click 🙂
In this article there will be some configuration references to my previous article series on Edgerouter Security: http://www.cron.dk/edgerouter-security-part1/
The first job is to setup a tunnel to tunnelbroker.net.
set interfaces tunnel tun0 description "Tunnelbroker IPv6 Tunnel" set interfaces tunnel tun0 encapsulation sit set interfaces tunnel tun0 local-ip 0.0.0.0 set interfaces tunnel tun0 remote-ip www.xxx.yyy.zzz # They call it "Server IPv4 Address" set interfaces tunnel tun0 address aaaa:bbbb:cccc:dddd::2/64 #They call it "Client IPv6 Address"
Now we need a default route to direct all IPv6 traffic to the internet
set protocols static interface-route6 ::/0 next-hop-interface tun0
Now some firewall rules is added to protect our self from the outside and then we bind it to the tunnel interface. I do allow incoming ICMP to my clients from the outside because apparently IPv6 relies heavily on it.
set firewall ipv6-name IP6_WAN_IN default-action drop set firewall ipv6-name IP6_WAN_IN description WAN_IN set firewall ipv6-name IP6_WAN_IN rule 10 action accept set firewall ipv6-name IP6_WAN_IN rule 10 state established enable set firewall ipv6-name IP6_WAN_IN rule 10 state related enable set firewall ipv6-name IP6_WAN_LOCAL default-action drop set firewall ipv6-name IP6_WAN_LOCAL description 'WAN_IN internet to edgerouter' set firewall ipv6-name IP6_WAN_LOCAL rule 10 action accept set firewall ipv6-name IP6_WAN_LOCAL rule 10 state established enable set firewall ipv6-name IP6_WAN_LOCAL rule 10 state related enable set firewall ipv6-name IP6_WAN_LOCAL rule 20 action accept set firewall ipv6-name IP6_WAN_LOCAL rule 20 protocol icmp set interfaces tunnel tun0 firewall in ipv6-name IP6_WAN_IN set interfaces tunnel tun0 firewall local ipv6-name IP6_WAN_LOCAL
Now I can set up each of my 3 interfaces (eth2=lan, eth3 vlan30=wifi trusted, eth3 vlan40=wifi guest) with an IPv6 address and enable router advertisement (an easy alternative to DHCP). The aaaa:bbbb:cccc here is replaced with “Routed /48” prefix that you got from enabling /48 at tunnelbroker.net.
set interfaces ethernet eth2 address 'aaaa:bbbb:cccc:10::1/64' set interfaces ethernet eth2 ipv6 router-advert prefix 'aaaa:bbbb:cccc:10::/64' set interfaces ethernet eth3 vif 30 address 'aaaa:bbbb:cccc:30::1/64' set interfaces ethernet eth3 vif 30 ipv6 router-advert prefix 'aaaa:bbbc:cccc:30::/64' set interfaces ethernet eth3 vif 40 address 'aaaa:bbbb:cccc:40::1/64' set interfaces ethernet eth3 vif 40 ipv6 router-advert prefix 'aaaa:bbbb:cccc:40::/64'
Now I am able to ping6 from my internal network to the internet!