[Snap] IPv6 configuration for PPPoE on an EdgeRouter

Forums › 2degrees (including Slingshot, Orcon, Flip, Stuff Fibre, MyRepublic, 2talk and Vocus) › [Snap] IPv6 configuration for PPPoE on an EdgeRouter

FuelRozNZ

6 posts

Wannabe Geek

#166362 10-Mar-2015 23:33

Does anyone have a working configuration for UFB and IPv6 with an EdgeRouter. Currently I have the following configuration but I don't get any prefixes delegated to my internal interfaces

# show interfaces ethernet eth0

description "Internet (PPPoE)"

duplex auto

speed auto

vif 10 {

pppoe 0 {

default-route auto

dhcpv6-pd {

no-dns

pd 0 {

interface eth2 {

prefix-id :0

service slaac

}

prefix-length /48

}

rapid-commit enable

}

ipv6 {

dup-addr-detect-transmits 1

enable {

}

mtu 1492

name-server none

password ***

user-id ***@snap.net.nz

}

PeterReader

6019 posts

Uber Geek

Trusted

Geekzone

Lifetime subscriber

#1255054 10-Mar-2015 23:33

Hello... Our robot found some keywords in your post, so here is an automated reply with some important things to note regarding broadband speeds.

If you are posting regarding DSL speeds please check that

- you have reset your modem and router

- your PC (or other PCs in your LAN) is not downloading large files when you are testing

- you are not being throttled by your ISP due to going over the monthly cap

- your tests are always done on an ethernet connection to the router - do not use wireless for testing

- you read this topic and follow the instructions there.

Make sure you provide information for other users to help you. If you have not already done it, please EDIT your post and add this now:

- Your ISP and plan

- Type of connection (ADSL, ADSL2, VDSL)

- Your modem DSL stats (do not worry about posting Speedtest, we need sync rate, attenuation and noise margin)

- Your general location (or street)

- If you are rural or urban

- If you know your connection is to an exchange, cabinet or conklin

- If your connection is to a ULL or wholesale service

- If you have done an isolation test as per the link above

Most of the problems with speed are likely to be related to internal wiring issues. Read this discussion to find out more about this. Your ISP is not intentionally slowing you down today (unless you are on a managed plan). Also if this is the school holidays it's likely you will notice slower than usual speed due to more users online.

A master splitter is required for VDSL2 and in most cases will improve speeds on DSL connections. Regular disconnections can be a monitored alarm or a set top box trying to connect. If there's an alarm connected to your line even if you don't have an alarm contract it may still try to connect so it's worth checking.

I recommend you read these two blog posts:

- Is your premises phone wiring impacting your broadband performance? (very technical)

- Are you receiving a substandard ULL ADSL2+ connection from your ISP?

I am the Geekzone Robot and I am here to help. I am from the Internet. I do not interact. Do not expect other replies from me.

hio77

12999 posts

Uber Geek

ID Verified

Trusted

Lizard Networks

#1255070 11-Mar-2015 00:07

Aredwood Would likely have this.

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

FuelRozNZ

6 posts

Wannabe Geek

#1256628 11-Mar-2015 21:25

So I ended up finding out that the problem was that I did not have firewall rules allowing the DHCPv6 reply back from Snap!

Aredwood

3885 posts

Uber Geek

#1256738 12-Mar-2015 01:15

hio77: Aredwood Would likely have this.

Actually I don't. It has been on the to do list for awhile. As I have seen threads on the UBNT forums. From people who have gotten IPv6 prefix delegation working on Comcast cable using an Edge Router.

Now I have no excuse not to get it working. Although the main reason I haven't done so yet Is that I don't know what Firewall rules I would need to protect my internal network. With all computers and devices been given Public IP addresses.

fe31nz

1231 posts

Uber Geek

#1256752 12-Mar-2015 05:06

I have IPv6 via a tunnel to tunnelbroker.net from my ERLite rather than using the Snap IPv6, as they have still not made the prefixes static. I am using zone firewall mode. The basic firewalling for IPv6 on an EdgeRouter is like this for the incoming direction:

set firewall ipv6-name RB-Outside-Inner-v6 default-action drop
set firewall ipv6-name RB-Outside-Inner-v6 enable-default-log
set firewall ipv6-name RB-Outside-Inner-v6 rule 100 action accept
set firewall ipv6-name RB-Outside-Inner-v6 rule 100 log disable
set firewall ipv6-name RB-Outside-Inner-v6 rule 100 state established enable
set firewall ipv6-name RB-Outside-Inner-v6 rule 100 state related enable
set firewall ipv6-name RB-Outside-Inner-v6 rule 200 action drop
set firewall ipv6-name RB-Outside-Inner-v6 rule 200 state invalid enable
set firewall ipv6-name RB-Outside-Inner-v6 rule 300 action accept
set firewall ipv6-name RB-Outside-Inner-v6 rule 300 protocol icmpv6

set zone-policy zone Z-Inner from Z-Outside firewall ipv6-name RB-Outside-Inner-v6

That is, block all incoming traffic except in response to an outgoing connection, except for icmpv6. You may want to be more restrictive on the icmpv6 packets you accept, but you do need to allow the ones for MTU path discovery. Logging is done for dropped packets.

After that, I have added the rules I need to allow in traffic to server software with open ports.

The outgoing direction is this:

set firewall group port-group Microsoft-sharing-ports port netbios-ns
set firewall group port-group Microsoft-sharing-ports port netbios-dgm
set firewall group port-group Microsoft-sharing-ports port netbios-ssn
set firewall group port-group Microsoft-sharing-ports port microsoft-ds

set firewall ipv6-name RB-Inner-Outside-v6 default-action drop
set firewall ipv6-name RB-Inner-Outside-v6 rule 100 action accept
set firewall ipv6-name RB-Inner-Outside-v6 rule 100 log disable
set firewall ipv6-name RB-Inner-Outside-v6 rule 100 state established enable
set firewall ipv6-name RB-Inner-Outside-v6 rule 100 state related enable
set firewall ipv6-name RB-Inner-Outside-v6 rule 200 action drop
set firewall ipv6-name RB-Inner-Outside-v6 rule 200 log enable
set firewall ipv6-name RB-Inner-Outside-v6 rule 200 state invalid enable
set firewall ipv6-name RB-Inner-Outside-v6 rule 300 action drop
set firewall ipv6-name RB-Inner-Outside-v6 rule 300 log enable
set firewall ipv6-name RB-Inner-Outside-v6 rule 300 protocol tcp_udp
set firewall ipv6-name RB-Inner-Outside-v6 rule 300 source group port-group Microsoft-sharing-ports
set firewall ipv6-name RB-Inner-Outside-v6 rule 9000 action accept
set firewall ipv6-name RB-Inner-Outside-v6 rule 9000 log disable
set firewall ipv6-name RB-Inner-Outside-v6 rule 9000 protocol all

set zone-policy zone Z-Outside from Z-Inner firewall ipv6-name RB-Inner-Outside-v6

That allows all outgoing traffic except the explicitly blocked ports Windows uses for SMB file sharing, and logs dropped packets.

You can add other rules in either direction for any other problematic traffic that you always want dropped - I also prefer to have explicit rules for blocking traffic to and from non-routable addresses, but I am still working on what exactly is and is not considered non-routable with IPv6.

Zagbot

12 posts

Geek

ID Verified

Trusted

Subscriber

#1257604 13-Mar-2015 08:12

Hi

Are you able to share your Edgerouter config with ipv6 and firewall?
I would like to enable it on mine as well :-)

Thanks.

FuelRozNZ

6 posts

Wannabe Geek

#1259347 14-Mar-2015 15:07

The external interface is in the initial post. http://michael.stapelberg.de/Artikel/fiber7_ubnt_erlite/ has the instructions for what is required to get DHCPv6-PD going. and my firewall rules (the basic ones at least) are generated by this ruby script but you need to allow IPv6 UDP packet back in from Snap! Easiest way is to allow link-local packets (since the only two people on that link are you and Snap!). Hope that helps some.