I've seen a dozen different articles, each using a different configuration. I tried many of them, but they seemed to be incomplete and simply did not work. Maybe things have changed, or maybe ATT's support for IPv6 differs by region? Not sure, but as of Jan 2021, ATT Fiber in the SF Bay area is supported, and the commands below were able to get full IPv6 support for all machines connected to my ER-4.
Setup notes here so you can customize ports as needed:
ETH0 is WAN (to ONT - technically eth0.0, the VLAN 0 sub-interface)
ETH1 is going to ATT_RG (for eap proxy auth)
ETH2 is going to LAN - ER4 IP is 192.168.86.1 and it's a /24
# IPv6_WAN_IN: IPv6 ruleset for traffic that arrives on the WAN and is forwarded
# towards the LAN (it is bound with `firewall in ipv6-name` on eth0 and eth0 vif 0).
# LAN hosts get global addresses and there is no IPv6 NAT in this listing, so this
# ruleset is the only filter between the Internet and those hosts.
# Anything not matched by a rule below is dropped, and the drop is logged.
set firewall ipv6-name IPv6_WAN_IN default-action drop
set firewall ipv6-name IPv6_WAN_IN description 'WAN inbound traffic forwarded to LAN'
set firewall ipv6-name IPv6_WAN_IN enable-default-log
# Rule 10: return traffic for connections that were opened from the LAN side.
set firewall ipv6-name IPv6_WAN_IN rule 10 action accept
set firewall ipv6-name IPv6_WAN_IN rule 10 description 'Allow established/related sessions'
set firewall ipv6-name IPv6_WAN_IN rule 10 state established enable
set firewall ipv6-name IPv6_WAN_IN rule 10 state related enable
# Rule 20: drop (and log) packets that connection tracking classifies as invalid.
set firewall ipv6-name IPv6_WAN_IN rule 20 action drop
set firewall ipv6-name IPv6_WAN_IN rule 20 description 'Drop invalid state'
set firewall ipv6-name IPv6_WAN_IN rule 20 log enable
set firewall ipv6-name IPv6_WAN_IN rule 20 state invalid enable
# Rules 30-33: ICMPv6 error messages. packet-too-big in particular must get through,
# because IPv6 routers do not fragment and path-MTU discovery depends on it.
set firewall ipv6-name IPv6_WAN_IN rule 30 action accept
set firewall ipv6-name IPv6_WAN_IN rule 30 description 'Allow ICMPv6'
set firewall ipv6-name IPv6_WAN_IN rule 30 icmpv6 type destination-unreachable
set firewall ipv6-name IPv6_WAN_IN rule 30 protocol icmpv6
set firewall ipv6-name IPv6_WAN_IN rule 31 action accept
set firewall ipv6-name IPv6_WAN_IN rule 31 description 'Allow ICMPv6 packet-too-big'
set firewall ipv6-name IPv6_WAN_IN rule 31 icmpv6 type packet-too-big
set firewall ipv6-name IPv6_WAN_IN rule 31 protocol icmpv6
set firewall ipv6-name IPv6_WAN_IN rule 32 action accept
set firewall ipv6-name IPv6_WAN_IN rule 32 description 'Allow ICMPv6 time-exceeded'
set firewall ipv6-name IPv6_WAN_IN rule 32 icmpv6 type time-exceeded
set firewall ipv6-name IPv6_WAN_IN rule 32 protocol icmpv6
set firewall ipv6-name IPv6_WAN_IN rule 33 action accept
set firewall ipv6-name IPv6_WAN_IN rule 33 description 'Allow ICMPv6 parameter-problem'
set firewall ipv6-name IPv6_WAN_IN rule 33 icmpv6 type parameter-problem
set firewall ipv6-name IPv6_WAN_IN rule 33 protocol icmpv6
# Rule 34: unsolicited echo-request from the Internet to LAN hosts, rate-limited to
# 600/minute with a burst of 1. This is a deliberate choice: it makes LAN hosts
# answer pings from outside. Omit this rule if the LAN should not be pingable.
set firewall ipv6-name IPv6_WAN_IN rule 34 action accept
set firewall ipv6-name IPv6_WAN_IN rule 34 description 'Allow ICMPv6 echo-request'
set firewall ipv6-name IPv6_WAN_IN rule 34 icmpv6 type echo-request
set firewall ipv6-name IPv6_WAN_IN rule 34 limit burst 1
set firewall ipv6-name IPv6_WAN_IN rule 34 limit rate 600/minute
set firewall ipv6-name IPv6_WAN_IN rule 34 protocol icmpv6
# Rule 35: echo-reply with the same rate limit.
# NOTE(review): replies to pings sent from the LAN should normally already match
# rule 10, so this rule mostly admits unsolicited replies - confirm it is needed.
set firewall ipv6-name IPv6_WAN_IN rule 35 action accept
set firewall ipv6-name IPv6_WAN_IN rule 35 description 'Allow ICMPv6 echo-reply'
set firewall ipv6-name IPv6_WAN_IN rule 35 icmpv6 type echo-reply
set firewall ipv6-name IPv6_WAN_IN rule 35 limit burst 1
set firewall ipv6-name IPv6_WAN_IN rule 35 limit rate 600/minute
set firewall ipv6-name IPv6_WAN_IN rule 35 protocol icmpv6
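# IPv6_WAN_LOCAL: IPv6 ruleset for traffic from the WAN that is addressed to the
# router itself (bound with `firewall local ipv6-name` on eth0 vif 0).
# Anything not matched by a rule below is dropped, and the drop is logged.
set firewall ipv6-name IPv6_WAN_LOCAL default-action drop
set firewall ipv6-name IPv6_WAN_LOCAL description 'WAN inbound traffic to router'
set firewall ipv6-name IPv6_WAN_LOCAL enable-default-log
# Rule 10: return traffic for connections the router opened itself.
set firewall ipv6-name IPv6_WAN_LOCAL rule 10 action accept
set firewall ipv6-name IPv6_WAN_LOCAL rule 10 description 'Allow established/related sessions'
set firewall ipv6-name IPv6_WAN_LOCAL rule 10 log disable
set firewall ipv6-name IPv6_WAN_LOCAL rule 10 state established enable
set firewall ipv6-name IPv6_WAN_LOCAL rule 10 state invalid disable
set firewall ipv6-name IPv6_WAN_LOCAL rule 10 state new disable
set firewall ipv6-name IPv6_WAN_LOCAL rule 10 state related enable
# Rule 20: drop packets that connection tracking classifies as invalid.
set firewall ipv6-name IPv6_WAN_LOCAL rule 20 action drop
set firewall ipv6-name IPv6_WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall ipv6-name IPv6_WAN_LOCAL rule 20 log disable
set firewall ipv6-name IPv6_WAN_LOCAL rule 20 state established disable
set firewall ipv6-name IPv6_WAN_LOCAL rule 20 state invalid enable
set firewall ipv6-name IPv6_WAN_LOCAL rule 20 state new disable
set firewall ipv6-name IPv6_WAN_LOCAL rule 20 state related disable
# Rules 30-33: ICMPv6 error messages (packet-too-big is required for path-MTU
# discovery). Rule 30 spells the protocol `ipv6-icmp` while the other rules use
# `icmpv6`; it is kept as the author wrote it.
set firewall ipv6-name IPv6_WAN_LOCAL rule 30 action accept
set firewall ipv6-name IPv6_WAN_LOCAL rule 30 description 'Allow IPv6 ICMP'
set firewall ipv6-name IPv6_WAN_LOCAL rule 30 icmpv6 type destination-unreachable
set firewall ipv6-name IPv6_WAN_LOCAL rule 30 protocol ipv6-icmp
set firewall ipv6-name IPv6_WAN_LOCAL rule 31 action accept
set firewall ipv6-name IPv6_WAN_LOCAL rule 31 description 'Allow ICMPv6 packet-too-big'
set firewall ipv6-name IPv6_WAN_LOCAL rule 31 icmpv6 type packet-too-big
set firewall ipv6-name IPv6_WAN_LOCAL rule 31 protocol icmpv6
set firewall ipv6-name IPv6_WAN_LOCAL rule 32 action accept
set firewall ipv6-name IPv6_WAN_LOCAL rule 32 description 'Allow ICMPv6 time-exceeded'
set firewall ipv6-name IPv6_WAN_LOCAL rule 32 icmpv6 type time-exceeded
set firewall ipv6-name IPv6_WAN_LOCAL rule 32 protocol icmpv6
set firewall ipv6-name IPv6_WAN_LOCAL rule 33 action accept
set firewall ipv6-name IPv6_WAN_LOCAL rule 33 description 'Allow ICMPv6 parameter-problem'
set firewall ipv6-name IPv6_WAN_LOCAL rule 33 icmpv6 type parameter-problem
set firewall ipv6-name IPv6_WAN_LOCAL rule 33 protocol icmpv6
# Rules 34-35: ping to/from the router's WAN address, limited to 5/second, burst 5.
set firewall ipv6-name IPv6_WAN_LOCAL rule 34 action accept
set firewall ipv6-name IPv6_WAN_LOCAL rule 34 description 'Allow ICMPv6 echo-request'
set firewall ipv6-name IPv6_WAN_LOCAL rule 34 icmpv6 type echo-request
set firewall ipv6-name IPv6_WAN_LOCAL rule 34 limit burst 5
set firewall ipv6-name IPv6_WAN_LOCAL rule 34 limit rate 5/second
set firewall ipv6-name IPv6_WAN_LOCAL rule 34 protocol icmpv6
set firewall ipv6-name IPv6_WAN_LOCAL rule 35 action accept
set firewall ipv6-name IPv6_WAN_LOCAL rule 35 description 'Allow ICMPv6 echo-reply'
set firewall ipv6-name IPv6_WAN_LOCAL rule 35 icmpv6 type echo-reply
set firewall ipv6-name IPv6_WAN_LOCAL rule 35 limit burst 5
set firewall ipv6-name IPv6_WAN_LOCAL rule 35 limit rate 5/second
set firewall ipv6-name IPv6_WAN_LOCAL rule 35 protocol icmpv6
# Rules 36-38: router advertisement and neighbour discovery on the WAN link. With
# default-action drop these have to be accepted explicitly.
# NOTE(review): router advertisements are always sent from a link-local source
# (RFC 4861), so rule 36 could additionally carry `source address fe80::/10`.
set firewall ipv6-name IPv6_WAN_LOCAL rule 36 action accept
set firewall ipv6-name IPv6_WAN_LOCAL rule 36 description 'Allow ICMPv6 Router Advertisement'
set firewall ipv6-name IPv6_WAN_LOCAL rule 36 icmpv6 type router-advertisement
set firewall ipv6-name IPv6_WAN_LOCAL rule 36 protocol icmpv6
set firewall ipv6-name IPv6_WAN_LOCAL rule 37 action accept
set firewall ipv6-name IPv6_WAN_LOCAL rule 37 description 'Allow ICMPv6 Neighbor Solicitation'
set firewall ipv6-name IPv6_WAN_LOCAL rule 37 icmpv6 type neighbor-solicitation
set firewall ipv6-name IPv6_WAN_LOCAL rule 37 protocol icmpv6
set firewall ipv6-name IPv6_WAN_LOCAL rule 38 action accept
set firewall ipv6-name IPv6_WAN_LOCAL rule 38 description 'Allow ICMPv6 Neighbor Advertisement'
set firewall ipv6-name IPv6_WAN_LOCAL rule 38 icmpv6 type neighbor-advertisement
set firewall ipv6-name IPv6_WAN_LOCAL rule 38 protocol icmpv6
# Rule 50: DHCPv6 replies, UDP from the server port (547) to the client port (546).
# The original listing also had rule 40 (tcp_udp to dhcpv6-client from any source
# port) and rule 60 (an exact copy of rule 50). Rule 40 is left out because it
# opened TCP and UDP port 546 on the router to every source, which made the
# tighter match below pointless; DHCPv6 runs over UDP only. Rule 60 is left out
# as a duplicate. If either rule was committed earlier, remove it with
# `delete firewall ipv6-name IPv6_WAN_LOCAL rule 40` (and likewise rule 60).
set firewall ipv6-name IPv6_WAN_LOCAL rule 50 action accept
set firewall ipv6-name IPv6_WAN_LOCAL rule 50 description 'Allow DHCPv6'
set firewall ipv6-name IPv6_WAN_LOCAL rule 50 destination port 546
set firewall ipv6-name IPv6_WAN_LOCAL rule 50 log disable
set firewall ipv6-name IPv6_WAN_LOCAL rule 50 protocol udp
set firewall ipv6-name IPv6_WAN_LOCAL rule 50 source port 547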
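# Global firewall options: ignore ICMP/ICMPv6 redirects and source-routed packets,
# and log packets that carry impossible ("martian") source addresses.
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
# WAN_IN: IPv4 ruleset for traffic that arrives on the WAN and is forwarded to the
# LAN. Default is drop with logging; only return traffic is accepted.
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to internal'
set firewall name WAN_IN enable-default-log
# Rule 10: drop and log packets that connection tracking classifies as invalid.
set firewall name WAN_IN rule 10 action drop
set firewall name WAN_IN rule 10 description 'Drop invalid state'
set firewall name WAN_IN rule 10 log enable
set firewall name WAN_IN rule 10 protocol all
set firewall name WAN_IN rule 10 state invalid enable
# Rule 20: return traffic for connections opened from the LAN. Logging is turned
# off here (the original had `log enable`): this rule matches nearly all inbound
# traffic, so logging it buries the drop entries that matter in the same log.
set firewall name WAN_IN rule 20 action accept
set firewall name WAN_IN rule 20 description 'Allow established/related'
set firewall name WAN_IN rule 20 log disable
set firewall name WAN_IN rule 20 protocol all
set firewall name WAN_IN rule 20 state established enable
set firewall name WAN_IN rule 20 state related enable
set firewall receive-redirects disable
# NOTE(review): the router will still send ICMP redirects; set this to `disable`
# if nothing on the LAN relies on them.
set firewall send-redirects enable
# NOTE(review): reverse-path filtering is off, so packets with spoofed source
# addresses are not rejected at the interface. `strict` or `loose` are the
# alternatives - test before changing it on this multi-interface setup.
set firewall source-validation disable
set firewall syn-cookies enable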
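# eth0: physical WAN port towards the ONT. The service actually runs on the
# VLAN 0 sub-interface (eth0 vif 0, shown elsewhere as eth0.0).
set interfaces ethernet eth0 description WAN
# NOTE(review): this prefix-delegation stanza sits on untagged eth0, names no LAN
# interface, and uses rapid-commit enable while vif 0 below uses disable. It looks
# like a leftover from an earlier attempt - confirm whether it is needed.
set interfaces ethernet eth0 dhcpv6-pd pd 60 prefix-length /64
set interfaces ethernet eth0 dhcpv6-pd rapid-commit enable
set interfaces ethernet eth0 duplex auto
# Untagged eth0 only gets the forwarding ("in") rulesets; no "local" ruleset is
# bound here, unlike on vif 0.
set interfaces ethernet eth0 firewall in ipv6-name IPv6_WAN_IN
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 speed auto
set interfaces ethernet eth0 vif 0 description 'WAN VLAN 0'
set interfaces ethernet eth0 vif 0 dhcp-options default-route update
set interfaces ethernet eth0 vif 0 dhcp-options default-route-distance 210
set interfaces ethernet eth0 vif 0 dhcp-options name-server update
# DUID: derived from the BGW210 residential gateway's serial number, converted to
# hex. Replace the xx bytes with your own value. The annotation that followed the
# command in the original post has been moved into this comment, because the
# trailing `<--- ...` text is not part of the command and breaks a copy-paste.
# The DUID identifies your gateway, so keep it masked when sharing a config.
# NOTE(review): the leading bytes 2d:6e:20 are the ASCII characters "-n " - that
# looks like an `echo -n` flag that was hex-encoded by accident; verify the value
# against the DUID your gateway actually presents.
set interfaces ethernet eth0 vif 0 dhcpv6-pd duid '2d:6e:20:30:30:31:45:34:36:2d:52:39:31:56:48:39:46:50:31:xx:xx:xx:xx:xx'
# Request a /60 and hand the first /64 of it (prefix-id :0) to eth2, where hosts
# autoconfigure with SLAAC and the router takes host address ::1.
set interfaces ethernet eth0 vif 0 dhcpv6-pd pd 1 interface eth2 host-address '::1'
set interfaces ethernet eth0 vif 0 dhcpv6-pd pd 1 interface eth2 no-dns
set interfaces ethernet eth0 vif 0 dhcpv6-pd pd 1 interface eth2 prefix-id ':0'
set interfaces ethernet eth0 vif 0 dhcpv6-pd pd 1 interface eth2 service slaac
set interfaces ethernet eth0 vif 0 dhcpv6-pd pd 1 prefix-length 60
set interfaces ethernet eth0 vif 0 dhcpv6-pd prefix-only
set interfaces ethernet eth0 vif 0 dhcpv6-pd rapid-commit disable
set interfaces ethernet eth0 vif 0 firewall in ipv6-name IPv6_WAN_IN
set interfaces ethernet eth0 vif 0 firewall in name WAN_IN
set interfaces ethernet eth0 vif 0 firewall local ipv6-name IPv6_WAN_LOCAL
# NOTE(review): the IPv4 ruleset WAN_LOCAL is bound here but is not defined
# anywhere in this listing. It has to exist on the router already (for example
# from the setup wizard) with a default-action of drop; otherwise IPv4 traffic
# addressed to the router itself is not covered by these commands. Check with
# `show firewall name WAN_LOCAL` before committing.
set interfaces ethernet eth0 vif 0 firewall local name WAN_LOCAL
set interfaces ethernet eth0 vif 0 ipv6 dup-addr-detect-transmits 1
# eth1: link to the AT&T residential gateway, used for the EAP proxy
# authentication. No address and no firewall ruleset are configured on it here.
set interfaces ethernet eth1 description 'AT&T Router'
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 speed auto
# eth2: LAN. IPv4 is static; the IPv6 prefix comes from the delegation above and
# is announced to hosts through router advertisements (SLAAC, no managed/other
# flags, i.e. no DHCPv6 on the LAN).
set interfaces ethernet eth2 address 192.168.86.1/24
set interfaces ethernet eth2 description LAN
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 ipv6 dup-addr-detect-transmits 1
set interfaces ethernet eth2 ipv6 router-advert cur-hop-limit 64
set interfaces ethernet eth2 ipv6 router-advert link-mtu 0
set interfaces ethernet eth2 ipv6 router-advert managed-flag false
set interfaces ethernet eth2 ipv6 router-advert max-interval 0600
set interfaces ethernet eth2 ipv6 router-advert other-config-flag false
set interfaces ethernet eth2 ipv6 router-advert prefix '::/64' autonomous-flag true
set interfaces ethernet eth2 ipv6 router-advert prefix '::/64' on-link-flag true
set interfaces ethernet eth2 ipv6 router-advert prefix '::/64' valid-lifetime 259200
set interfaces ethernet eth2 ipv6 router-advert reachable-time 0
set interfaces ethernet eth2 ipv6 router-advert retrans-timer 0
set interfaces ethernet eth2 ipv6 router-advert send-advert true
set interfaces ethernet eth2 speed auto
set interfaces loopback lo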
# Port forwarding: no forwarding rules are defined in this listing. With
# auto-firewall enabled, any rule added later is expected to open the matching
# WAN firewall hole automatically - review WAN_IN after adding one.
set port-forward auto-firewall enable
set port-forward hairpin-nat enable
set port-forward lan-interface eth2
# IPv4 DHCP for the LAN, served by dnsmasq.
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server shared-network-name DHCP subnet 192.168.86.0/24 default-router 192.168.86.1
# YOUR_DNS_HERE is a placeholder: replace it with a resolver address before commit.
set service dhcp-server shared-network-name DHCP subnet 192.168.86.0/24 dns-server YOUR_DNS_HERE
set service dhcp-server shared-network-name DHCP subnet 192.168.86.0/24 lease 6000
set service dhcp-server shared-network-name DHCP subnet 192.168.86.0/24 start 192.168.86.100 stop 192.168.86.200
set service dhcp-server static-arp disable
set service dhcp-server use-dnsmasq enable
# DNS forwarder: listens on the LAN interface only, so it is not offered on the WAN.
set service dns forwarding cache-size 2500
set service dns forwarding listen-on eth2
set service dns forwarding name-server 8.8.8.8
set service dns forwarding name-server 8.8.4.4
set service dns forwarding name-server '2001:4860:4860::8888'
set service dns forwarding name-server '2001:4860:4860::8844'
# NOTE(review): 192.168.86.1 is the router's own LAN address (it is the DHCP
# default-router above), so this entry looks like the forwarder pointing at
# itself - confirm it is intended.
set service dns forwarding name-server 192.168.86.1
# NOTE(review): these options make dnsmasq send router advertisements on eth2;
# presumably that overlaps with the `router-advert` settings on eth2 - verify that
# only one source of advertisements is active.
set service dns forwarding options 'dhcp-range=::1,constructor:eth2,ra-names,86400'
set service dns forwarding options enable-ra
# Source NAT for outbound traffic leaving through eth0.0. This masquerade rule
# is the only NAT in the listing; IPv6 is routed with the delegated prefix, so for
# IPv6 the firewall rulesets are what separates LAN hosts from the Internet.
set service nat rule 5001 description NAT
set service nat rule 5001 log disable
set service nat rule 5001 outbound-interface eth0.0
set service nat rule 5001 protocol all
set service nat rule 5001 type masquerade
# Resolvers used by the router itself, and NTP servers.
set system name-server '2001:4860:4860::8844'
set system name-server 192.168.86.1
set system ntp server 1.ubnt.pool.ntp.org
set system ntp server 2.ubnt.pool.ntp.org
# Hardware offload for IPsec and for IPv4/IPv6 forwarding, including VLAN-tagged
# traffic (the WAN runs on VLAN 0).
set system offload ipsec enable
set system offload ipv4 forwarding enable
set system offload ipv4 vlan enable
set system offload ipv6 forwarding enable
set system offload ipv6 vlan enable
# `commit` activates the changes, `save` makes them survive a reboot. When working
# over a remote session, `commit-confirm` in place of `commit` rolls the change
# back automatically if a firewall mistake cuts the session off.
commit
save
HTH
I'm curious if you tried the config I had submitted in a PR here: #36
I could try to diff the two to see what is missing/different aside from subnet/naming differences, but at this point, I mostly want to get the config recommendations merged upstream by Jay. :)