{"id":2747,"date":"2020-02-02T13:29:33","date_gmt":"2020-02-02T05:29:33","guid":{"rendered":"https:\/\/blog.warbel.net\/?p=2747"},"modified":"2020-02-02T15:12:21","modified_gmt":"2020-02-02T07:12:21","slug":"vodafone-nbn-fttp-ipv6-prefix-delegation-on-a-ubiquiti-edgerouter-lite","status":"publish","type":"post","link":"https:\/\/blog.warbel.net\/index.php\/2020\/02\/02\/vodafone-nbn-fttp-ipv6-prefix-delegation-on-a-ubiquiti-edgerouter-lite\/","title":{"rendered":"Vodafone NBN (FTTP) IPv6 Prefix Delegation on a Ubiquiti EdgeRouter Lite"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Background<\/h2>\n\n\n\n<p>I&#8217;ve always been intimidated by IPv6, the addresses were long and confusing, and not fully understanding the technology made me nervous to integrate it into my systems. How did it work? Would enabling it expose everything in my LAN to the internet? Would I find myself under attack without realising it?<\/p>\n\n\n\n<p>Well, the good news is that smarter people have already thought about  the problems above (and more) and engineered an addressing system with built-in security and automatic configuration (SLAAC). So if you use a firewall on your router, IPv6 will give you the benefits of having externally accessible IP addresses on your LAN that can be routed, if you allow it.<\/p>\n\n\n\n<p>I found a lot of misinformation and confusion around IPv6 online. 
So if you&#8217;re looking for general information on IPv6 review the videos below, I also found the instructions here: <a href=\"https:\/\/medium.com\/@nurblieh\/ipv6-on-the-edgerouter-lite-c95e3cc8d49d\">https:\/\/medium.com\/@nurblieh\/ipv6-on-the-edgerouter-lite-c95e3cc8d49d<\/a> invaluable.<\/p>\n\n\n\n<figure class=\"wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"MicroNugget: What is IPv6 PreFix Delegation?\" width=\"584\" height=\"329\" src=\"https:\/\/www.youtube.com\/embed\/EVD61Fteb_s?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<figure class=\"wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Ubiquiti EdgeRouter - Dual Stack IPv4 and IPv6\" width=\"584\" height=\"329\" src=\"https:\/\/www.youtube.com\/embed\/AEt7LIxxKBU?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p>Finally, I was able to guess at the correct settings to use on Vodafone NBN to obtain IPv6 addresses. I called Vodafone&#8217;s support number &#8211; email, weirdly, wasn&#8217;t an option &#8211; unfortunately their support wasn&#8217;t great, and all I was able to find was that they do offer IPv6, but not technical advice. 
Thankfully their IPv6 technology implementation is standard to the point of being boring and I guessed at the right settings, eventually getting it right.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Configuration<\/h2>\n\n\n\n<p>To get IPv6 prefix delegation working on the EdgeRouter with Vodafone FTTP NBN, a few steps need to be taken:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Set up the firewalls WAN6_IN and WAN6_LOCAL on the EdgeRouter to allow IPv6 traffic and assign them to the internet interface.<\/li><li>Enable dhcpv6-pd on the internet Ethernet port and request a \/56 from Vodafone.<\/li><li>Delegate \/64 subnets to each interface on your network. If I understand it correctly, there should be 255 available networks to assign. <\/li><li>I personally disable DNS name servers being advertised to <\/li><\/ol>\n\n\n\n<p>Generally I use the config tree to do configuration; however, to save time, I&#8217;ve included below the relevant settings to enable IPv6, taken from the config file. If I&#8217;ve missed something please let me know in the comments.<\/p>\n\n\n\n<p>The settings below contain the firewall rules for an IPv6 connection. I&#8217;ve removed IP addresses, but left the configuration in to show how to poke holes in the firewall to allow services through directly to servers. 
As it has been mentioned elsewhere on the internet, allowing ICMPv6 through is critical for IPv6 to function correctly.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">firewall {\n     ...\n     ipv6-name WAN6_IN {\n         default-action drop\n         rule 10 {\n             action accept\n             description \"allow established\"\n             protocol all\n             state {\n                 established enable\n                 related enable\n             }\n         }\n         rule 20 {\n             action drop\n             description \"drop invalid packets\"\n             protocol all\n             state {\n                 invalid enable\n             }\n         }\n         rule 30 {\n             action accept\n             description \"allow ICMPv6\"\n             protocol icmpv6\n         }\n         rule 40 {\n             action accept\n             description \"allow traffic for www\"\n             destination {\n                 address xxx\n             }\n             protocol tcp\n         }\n         rule 41 {\n             action accept\n             description \"Allow SSH (v6) to Atlas\"\n             destination {\n                 address xxx\n                 port 22\n             }\n             protocol tcp\n         }\n         rule 42 {\n             action accept\n             description \"Allow Ipv6 to Plex\"\n             destination {\n                 address xxx\n                 port 32400\n             }\n             protocol tcp\n         }\n     }\n     ipv6-name WAN6_LOCAL {\n         default-action drop\n         rule 10 {\n             action accept\n             description \"allow established\"\n             protocol all\n             state {\n                 established enable\n                 related enable\n             }\n         }\n         rule 20 {\n             action drop\n             description \"drop invalid packets\"\n             protocol all\n             state {\n                 
invalid enable\n             }\n         }\n         rule 30 {\n             action accept\n             description \"allow ICMPv6\"\n             protocol icmpv6\n         }\n         rule 40 {\n             action accept\n             description \"allow DHCPv6 client\/server\"\n             destination {\n                 port 546\n             }\n             protocol udp\n             source {\n                 port 547\n             }\n         }\n     }\n\n<\/pre>\n\n\n\n<p>The section below contains the details on how to configure an interface for dhcpv6-pd. You may notice that I have multiple interfaces that I have advertised IPv6 to. It&#8217;s important to realise the function of the prefix-id and host-address fields. The prefix-id is, apparently, a two-digit hexadecimal number from 00 to FF representing 0-255. It indicates which \/64 subnet to assign to the interface. The host address is the address that the router will assign itself on that subnet. I&#8217;ve disabled DNS on my interfaces, as I would prefer my systems to use my internal DNS for all requests and my internal DNS servers are configured to resolve A and AAAA records. 
<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">interfaces {\n     ethernet eth0 {\n         address dhcp\n         description \"Internet (IPoE)\"\n         dhcpv6-pd {\n             pd 0 {\n                 interface eth1 {\n                     host-address ::1\n                     no-dns\n                     prefix-id :1\n                     service slaac\n                 }\n                 interface eth1.3 {\n                     host-address ::1\n                     no-dns\n                     prefix-id :2\n                     service slaac\n                 }\n                 interface eth1.4 {\n                     host-address ::1\n                     no-dns\n                     prefix-id :3\n                     service slaac\n                 }\n                 interface eth2 {\n                     host-address ::1\n                     no-dns\n                     prefix-id :4\n                     service slaac\n                 }\n                 prefix-length \/56\n             }\n             rapid-commit enable\n         }\n         duplex auto\n         firewall {\n             in {\n                 ipv6-name WAN6_IN\n                 name WAN_IN\n             }\n             local {\n                 ipv6-name WAN6_LOCAL\n                 name WAN_LOCAL\n             }\n         }\n         ip {\n         }\n         ipv6 {\n             address {\n                 autoconf\n             }\n             dup-addr-detect-transmits 1\n         }\n         mtu 1500\n         speed auto<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Further Notes<\/h2>\n\n\n\n<p>I found that implementing IPv6 wasn&#8217;t perfect. As I kept playing with the settings, my networked hosts would, using SLAAC, get another IPv6 address without removing the old one and instead just mark them as stale. The easy fix was to manually remove the addresses, but it was tedious. I also had to modify my web server&#8217;s configs to properly respond to IPv6 requests. 
I did that by adding [::]:443 to the virtual host directive eg: &lt;VirtualHost blog.warbel.net:443 [::]:443><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Tools<\/h2>\n\n\n\n<p><a href=\"https:\/\/www.vultr.com\/resources\/subnet-calculator-ipv6\/\">https:\/\/www.vultr.com\/resources\/subnet-calculator-ipv6\/<\/a> &#8211; The Vultr IPv6 subnet calculator is very handy. As is this calculator: <a href=\"http:\/\/www.gestioip.net\/cgi-bin\/subnet_calculator.cgi\">http:\/\/www.gestioip.net\/cgi-bin\/subnet_calculator.cgi<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.warbel.net\/wp-content\/uploads\/2020\/02\/ipv6.png\" alt=\"\" class=\"wp-image-2752\" width=\"862\" height=\"308\" srcset=\"https:\/\/blog.warbel.net\/wp-content\/uploads\/2020\/02\/ipv6.png 905w, https:\/\/blog.warbel.net\/wp-content\/uploads\/2020\/02\/ipv6-300x107.png 300w, https:\/\/blog.warbel.net\/wp-content\/uploads\/2020\/02\/ipv6-768x273.png 768w, https:\/\/blog.warbel.net\/wp-content\/uploads\/2020\/02\/ipv6-500x178.png 500w\" sizes=\"auto, (max-width: 862px) 100vw, 862px\" \/><figcaption>IPv6 up and running<\/figcaption><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>Background I&#8217;ve always been intimidated by IPv6, the addresses were long and confusing, and not fully understanding the technology made me nervous to integrate it into my systems. How did it work? 
Would enabling it expose everything in my LAN &hellip; <a href=\"https:\/\/blog.warbel.net\/index.php\/2020\/02\/02\/vodafone-nbn-fttp-ipv6-prefix-delegation-on-a-ubiquiti-edgerouter-lite\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[91,4],"tags":[15,97,92,96,93,95,94,33,8],"class_list":["post-2747","post","type-post","status-publish","format-standard","hentry","category-networking","category-security","tag-apache2","tag-dhcpv6-pd","tag-edgerouter","tag-fttp","tag-ipv6","tag-nbn","tag-prefix-delegation","tag-ubiquiti","tag-vodafone"],"_links":{"self":[{"href":"https:\/\/blog.warbel.net\/index.php\/wp-json\/wp\/v2\/posts\/2747","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.warbel.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.warbel.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.warbel.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.warbel.net\/index.php\/wp-json\/wp\/v2\/comments?post=2747"}],"version-history":[{"count":6,"href":"https:\/\/blog.warbel.net\/index.php\/wp-json\/wp\/v2\/posts\/2747\/revisions"}],"predecessor-version":[{"id":2755,"href":"https:\/\/blog.warbel.net\/index.php\/wp-json\/wp\/v2\/posts\/2747\/revisions\/2755"}],"wp:attachment":[{"href":"https:\/\/blog.warbel.net\/index.php\/wp-json\/wp\/v2\/media?parent=2747"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.warbel.net\/index.php\/wp-json\/wp\/v2\/categories?post=2747"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.warbel.net\/index.php\/wp-json\/wp\/v2\/tags?post=2747"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}