This is finally the end of my series on setting up my EdgeRouter and all the fun I had with it. This part was the hardest part, but it was also quite the learning experience: getting IPv6 up an running on my router. It took a lot of work, muddling around with configs, and reading a lot of articles, but in the end I passed the IPV6 Test with a score of 100%, which is something that I never could have done before. So read more to see the (current) conclusion of this endeavor.
As I said early on, I was really disappointed that my old setup would not allow me to access IPv6. I knew that my version of DD-WRT did not have IPv6 stack support, but I also knew that I didn’t have access to IPv6, so it was a moot point. However, one day a couple of years ago, I decided to hook up my computer directly to my cable modem to see if Comcast was handing out IPv6 addresses in my area, bypassing my wireless router. Much to my surprise, it was, but of course I could not give up my Linksys router. Thus, I had to keep my current setup, now knowing that I was missing out on the future of the internet.
My purchase of the EdgeRouter was driven partially by that IPv6 support. After I got everything else up and running, the last thing to do was to get IPv6 running. This, however, was far from easy. The first thing I did was search the EdgeOS forum for information, and found several posts. This one was by far the most helpful, as it got me 90% of the way there. That last 10%, though, I had to figure out on my own.
One big piece was properly configuring dhcp6c.conf. The file provided in that forum post was close, but left out a couple of key configuration settings. I spent a lot of time reading this online man page for dhcp6.conf, figuring out that I was missing that darn prefix tag, and configuring the interfaces properly. Compared to that, the configuration of the interfaces themselves in EdgeOS was pretty easy.
It still didn’t work, though, which is when all of that Splunking came in very handy. DHCP on IPv6 is different from IPv4, and there are crazy new things in IPv6 such as “Neighbor Discovery” and “Router Advertisement”, which needed to run on the EdgeRouter configured via radvd.conf to announce to connected clients that an IPv6 address was available. I started reading RFCs like RFC 4861 (for Neighbor Discovery) and RFC 5175 (for Router Advertisements) which actually came in handy. Through trial and error, and changing firewall rules, I did finally get an IPv6 address and a /64 prefix on my EdgeRouter, but it still wasn’t getting to my attached client, namely the CentOS box I had on the wired LAN.
Finally, I came across this page on setting up SLAAC on RedHat Enterprise Linux, which CentOS is essentially based on. By setting IPV6_AUTOCONF=YES and making sure the right firewall rules were in place, I received a publicly routable IPv6 address and finally passed that test with flying colors.
About those firewall rules: just like the zone firewall rules set up in Part 4, zone rules for IPv6 need to be set up for every source and destination zone pair. I took the firewall rule names that I started with (like LAN-WAN) and simply added a –6 to the end to get LAN-WAN-6 as the naming convention for all of my rules. Thinking back on it now, it probably would be easier for Splunk field extraction to have used a –4 prefix for IPv4 rules to match the IPv6 rules, but it doesn’t make much difference in the end. As for the rules themselves, they are pretty much copies of the IPv4 rules, with ports updated for things like DHCPv6.
Although IPv6 is working for me, I am running using that /64 prefix, which means one subnet for all of my devices. Comcast will allegedly provide a /60 if you request one, which is something I have not been able to get working yet. Perhaps that will be the next thing I try.
As for my current config, my dhcp6.conf file looks like this:
[codesyntax lang=”javascript”]
# Default dhpc6c configuration: it assumes the address is autoconfigured using # router advertisements. # Comcast IPv6 PD interface eth2 { send rapid-commit; send ia-pd 1; send ia-na 1; request domain-name-servers; request domain-name; script "/etc/wide-dhcpv6/dhcp6c-script"; }; id-assoc pd 1 { prefix ::/64 infinity; prefix-interface eth0 { sla-id 0; sla-len 0; }; prefix-interface eth1 { sla-id 0; sla-len 0; }; }; id-assoc na 1 { };
[/codesyntax]
My full, updated interface configuration looks like this:
[codesyntax lang=”javascript”]
interfaces { ethernet eth0 { address 192.168.2.254/24 description "Wired LAN" duplex auto ipv6 { dup-addr-detect-transmits 1 router-advert { cur-hop-limit 64 link-mtu 0 managed-flag false max-interval 60 other-config-flag false prefix ::/64 { autonomous-flag true on-link-flag true valid-lifetime 86400 } reachable-time 0 retrans-timer 0 send-advert true } } speed auto } ethernet eth1 { address 192.168.1.254/24 description "Wireless LAN" duplex auto ipv6 { dup-addr-detect-transmits 1 router-advert { cur-hop-limit 64 link-mtu 0 managed-flag false max-interval 600 other-config-flag false prefix ::/64 { autonomous-flag true on-link-flag true valid-lifetime 86400 } reachable-time 0 retrans-timer 0 send-advert true } } speed auto } ethernet eth2 { address dhcp address dhcpv6 description WAN duplex auto firewall { in { } local { } } ipv6 { dup-addr-detect-transmits 1 } speed auto } loopback lo { } }
[/codesyntax]
For the wide-dhcpv6-client file in /etc/default, I simply set INTERFACES=”eth2” as that is my WAN interface that DHCPv6 needs to run on. The start-dhcpv6-client file in /config/scripts/post-config.d is the same as in the link:
[codesyntax lang=”javascript”]
#!/bin/bash echo 1 > /proc/sys/net/ipv6/conf/all/forwarding echo 2 > /proc/sys/net/ipv6/conf/eth0/accept_ra /etc/init.d/wide-dhcpv6-client start /etc/init.d/radvd restart
[/codesyntax]
And that’s all! My last post tomorrow will be a summary and full config file for those who want to see how it is running.