Aussie Broadband IPv6 with an EdgeRouter

EdgeRouters are my router of choice since they provide the perfect level of customisation and pro features whilst not being incredibly complicated or requiring extensive networking knowledge to operate. I’ve blogged about them before and continue to use them wherever possible. Aussie Broadband are also my ISP of choice in Australia and I’ve had nothing but great experiences with them.

Ever since I heard about their IPv6 beta I wanted to give it a try, and it wasn’t super hard to set up on the EdgeRouter, but beware: there isn’t a GUI for it at this stage.

Firewall

First we need to set up firewalls for your internal and external interfaces, as IPv6 rules are completely separate from your standard IPv4 rules.

WAN rules

Our first set of rules are for traffic inbound from the internet. IPv6 ICMP is critical for everything to function so don’t omit it!

set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN description 'WAN inbound traffic forwarded to LAN'
set firewall ipv6-name WANv6_IN enable-default-log
set firewall ipv6-name WANv6_IN rule 10 action drop
set firewall ipv6-name WANv6_IN rule 10 description 'Drop invalid state'
set firewall ipv6-name WANv6_IN rule 10 state invalid enable
set firewall ipv6-name WANv6_IN rule 20 action accept
set firewall ipv6-name WANv6_IN rule 20 description 'Allow established/related sessions'
set firewall ipv6-name WANv6_IN rule 20 state established enable
set firewall ipv6-name WANv6_IN rule 20 state related enable
set firewall ipv6-name WANv6_IN rule 30 action accept
set firewall ipv6-name WANv6_IN rule 30 description 'Allow IPv6 ICMP'
set firewall ipv6-name WANv6_IN rule 30 protocol ipv6-icmp

The second set of rules is for traffic inbound to the router itself. Again we need to allow IPv6 ICMP, along with IPv6 DHCP so that our router can pick up its prefix from Aussie properly.

set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL description 'WAN inbound traffic to the router'
set firewall ipv6-name WANv6_LOCAL enable-default-log
set firewall ipv6-name WANv6_LOCAL rule 10 action drop
set firewall ipv6-name WANv6_LOCAL rule 10 description 'Drop invalid state'
set firewall ipv6-name WANv6_LOCAL rule 10 state invalid enable
set firewall ipv6-name WANv6_LOCAL rule 20 action accept
set firewall ipv6-name WANv6_LOCAL rule 20 description 'Allow established/related sessions'
set firewall ipv6-name WANv6_LOCAL rule 20 state established enable
set firewall ipv6-name WANv6_LOCAL rule 20 state related enable
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 description 'Allow IPv6 ICMP'
set firewall ipv6-name WANv6_LOCAL rule 30 protocol ipv6-icmp
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 description 'Allow IPv6 DHCP'
set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 40 source port 547

Finally, a ruleset that allows all outbound traffic by default.

set firewall ipv6-name WANv6_OUT default-action accept
set firewall ipv6-name WANv6_OUT description 'LAN traffic to WAN'
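
To see how the router-facing ruleset above decides, here is an added example (not part of the original post and not EdgeOS code) that parses the WANv6_LOCAL commands and runs a simplified first-match evaluation over constructed packets. The function names, packet dictionaries and the state/protocol/port-only matching model are assumptions made for illustration.

```python
import shlex
# Constructed input: the WANv6_LOCAL commands from this page, descriptions omitted.
CONFIG = """
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL rule 10 action drop
set firewall ipv6-name WANv6_LOCAL rule 10 state invalid enable
set firewall ipv6-name WANv6_LOCAL rule 20 action accept
set firewall ipv6-name WANv6_LOCAL rule 20 state established enable
set firewall ipv6-name WANv6_LOCAL rule 20 state related enable
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 protocol ipv6-icmp
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 40 source port 547
"""

def parse(config):
    """Parse 'set firewall ipv6-name' lines into {name: {"default", "rules"}}."""
    rulesets = {}
    for tok in map(shlex.split, config.strip().splitlines()):
        rs = rulesets.setdefault(tok[3], {"default": None, "rules": {}})
        if tok[4] == "default-action":
            rs["default"] = tok[5]
        elif tok[4] == "rule":
            rule, key = rs["rules"].setdefault(int(tok[5]), {"states": set()}), tok[6:]
            if key[0] == "state" and key[2] == "enable":
                rule["states"].add(key[1])
            elif key[0] in ("action", "protocol"):
                rule[key[0]] = key[1]
            elif key[0] in ("source", "destination") and key[1] == "port":
                rule[key[0]] = int(key[2])
    return rulesets

def evaluate(ruleset, pkt):
    """First matching rule (lowest number) decides; otherwise the default-action."""
    for num, rule in sorted(ruleset["rules"].items()):
        if rule["states"] and pkt["state"] not in rule["states"]:
            continue
        if any(k in rule and pkt.get(k) != rule[k]
               for k in ("protocol", "source", "destination")):
            continue
        return rule["action"], num
    return ruleset["default"], None

LOCAL = parse(CONFIG)["WANv6_LOCAL"]
# Constructed packets: a DHCPv6 server reply and an unsolicited SSH attempt.
DHCP_REPLY = {"state": "new", "protocol": "udp", "source": 547, "destination": 546}
SSH_PROBE = {"state": "new", "protocol": "tcp", "source": 50000, "destination": 22}
```

`evaluate(LOCAL, DHCP_REPLY)` is accepted by rule 40 and `evaluate(LOCAL, SSH_PROBE)` falls through to the default drop. A packet in state invalid is dropped by rule 10 even when it is ICMPv6, because the lower-numbered rule is evaluated first.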

LAN rules

These LAN rules are optional but are a good fail-safe in case your WAN rules above break for some reason.

set firewall ipv6-name LANv6_IN default-action accept
set firewall ipv6-name LANv6_IN description 'LAN to WAN/LOCAL'
set firewall ipv6-name LANv6_IN rule 10 action drop
set firewall ipv6-name LANv6_IN rule 10 description 'Drop invalid'
set firewall ipv6-name LANv6_IN rule 10 log enable
set firewall ipv6-name LANv6_IN rule 10 state invalid enable
set firewall ipv6-name LANv6_IN rule 20 action accept
set firewall ipv6-name LANv6_IN rule 20 description 'Allow established/related'
set firewall ipv6-name LANv6_IN rule 20 log disable
set firewall ipv6-name LANv6_IN rule 20 state established enable
set firewall ipv6-name LANv6_IN rule 20 state related enable
set firewall ipv6-name LANv6_LOCAL default-action accept
set firewall ipv6-name LANv6_OUT default-action accept

Note: The rules above allow all traffic outbound and inbound to your router. If you want to restrict traffic to your router or block some outbound traffic you’ll need to modify these rules.

Assign rules

Now apply the rules we’ve just created. I’m assuming your internet interface is eth0 and your LAN is on eth1:

set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL
set interfaces ethernet eth0 firewall out ipv6-name WANv6_OUT
set interfaces ethernet eth1 firewall in ipv6-name LANv6_IN
set interfaces ethernet eth1 firewall local ipv6-name LANv6_LOCAL
set interfaces ethernet eth1 firewall out ipv6-name LANv6_OUT

DHCPv6 Setup

The EdgeRouter picks up its assigned IPv6 prefix via DHCPv6 prefix delegation, which is configured under dhcpv6-pd.

We then tell it to let devices in our LAN network pick up and assign their own addresses out of our prefix via stateless address autoconfiguration (SLAAC). SLAAC is fantastic and means that we don’t need to run an internal DHCP server or anything; IPv6 delegation just works.

set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 host-address '::1'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 no-dns
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 prefix-length 56
set interfaces ethernet eth0 dhcpv6-pd rapid-commit disable

If you have multiple internal interfaces you simply repeat the interface lines whilst setting a prefix-id on the interface, for example:

set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 host-address '::1'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 no-dns
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 host-address '::1'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 no-dns
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 prefix-id 2
set interfaces ethernet eth0 dhcpv6-pd pd 0 prefix-length 56
set interfaces ethernet eth0 dhcpv6-pd rapid-commit disable

In both these examples host-address is the IP that gets assigned to the EdgeRouter’s interface. We also set no-dns which instructs the EdgeRouter not to pass Aussie’s DNS server down to our devices.
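
As an added illustration (not from the original post), this sketch shows how a delegated /56, a prefix-id and a host-address combine into each LAN's /64 and the router's own address, and rejects two interfaces landing on the same /64. The delegated prefix 2001:db8:1200::/56 is constructed from the documentation range, the function names are hypothetical, treating prefix-id as a numeric subnet index inside the delegation is an assumption, and the value 0 for eth1 is chosen for illustration.

```python
import ipaddress

def lan_assignment(delegated, prefix_id, host_address="::1"):
    """Return (LAN /64, router interface address) for one internal interface."""
    pd = ipaddress.IPv6Network(delegated)
    subnet_bits = 64 - pd.prefixlen      # a /56 leaves 8 bits, i.e. 256 LAN /64s
    if subnet_bits < 0:
        raise ValueError("delegation is longer than /64; SLAAC needs a /64")
    if not 0 <= prefix_id < 2 ** subnet_bits:
        raise ValueError(f"prefix-id {prefix_id} does not fit in {subnet_bits} bits")
    lan = ipaddress.IPv6Network((int(pd.network_address) | (prefix_id << 64), 64))
    host = int(ipaddress.IPv6Address(host_address))
    if host >> 64:
        raise ValueError("host-address must fit in the low 64 bits")
    return lan, ipaddress.IPv6Interface((int(lan.network_address) | host, 64))

def plan(delegated, interfaces):
    """Map {interface: prefix_id} to router addresses; refuse a shared /64."""
    seen, out = {}, {}
    for ifname, prefix_id in interfaces.items():
        lan, addr = lan_assignment(delegated, prefix_id)
        if lan in seen:
            raise ValueError(f"{ifname} and {seen[lan]} both map to {lan}")
        seen[lan] = ifname
        out[ifname] = str(addr)
    return out

# Constructed delegation and interface map mirroring the two-LAN example above.
EXAMPLE = plan("2001:db8:1200::/56", {"eth1": 0, "eth2": 2})
```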

Troubleshooting

If the above doesn’t seem to work, try fully restarting your EdgeRouter. I’m sure there’s a better way to do this, like bringing the interfaces up and down, but this was the only way I managed to initially get things going.

I also had issues with rapid-commit being enabled, but your mileage may vary!