IPv6 with Zen CityFibre and an EdgeRouter
I finally took the plunge and decided it was time to enable IPv6 on my connection. I'm not really sure why Zen doesn't enable this by default for new connections - I guess they're scared of breaking something or causing more problems than it's worth. My hesitation towards activating IPv6 has mainly been due to a lack of understanding and confusion about why they didn't just make the address length longer. Address assignment is different, routing announcements are built in, it's all a bit weird.
Ignoring that though, it wasn't too tricky to get running. For some context, I have my LAN connected to LAN1, and the ONT (Optical Network Termination) connected to LAN3. The connection to the internet is PPPoE encapsulated over VLAN 911. My configuration for the WAN interface was roughly the following prior to enabling IPv6.
interfaces {
    ethernet eth2 {
        mtu 1508
        vif 911 {
            mtu 1508
            pppoe 0 {
                default-route auto
                name-server auto
                mtu 1500
                user-id ?????
                password ?????
            }
        }
    }
}
When Zen enable IPv6, they provide two prefixes. The first is known as the Neighbour Discovery (ND) prefix and generally won't be used if you have a router. The ND prefix is a /64. It's used for the direct connection itself, say if you connected your computer straight to the ONT with PPPoE and VLAN tagging set up. The second is the Delegation Prefix, which in the case of Zen is a /48. This is the routed block from which addresses can be assigned to your computers. It is handed to the router by the ISP using DHCPv6 Prefix Delegation (DHCPv6-PD), but internally hosts can be addressed with either SLAAC or DHCPv6.
In my case, I'm only using the Delegation Prefix and letting hosts configure themselves with SLAAC. If you don't know, SLAAC is Stateless Address Autoconfiguration - which is a really bad attempt at an acronym. The router sends Router Advertisements carrying the prefix, and each host builds its own address from that prefix plus an interface identifier, classically an EUI-64 derived from the machine's MAC address (the MAC split in half with ff:fe inserted in the middle and the universal/local bit flipped). Such an address is effectively static, and the MAC is recoverable from it, so a host can be tracked across networks unless privacy extensions (RFC 4941 temporary addresses) or stable-privacy interface identifiers (RFC 7217) are enabled on the host; modern operating systems commonly enable one or the other by default. I might switch to DHCPv6 eventually, but I'm leaving this as is for the time being.
My configuration for this changes the above to the following:
interfaces {
    ethernet eth2 {
        mtu 1508
        vif 911 {
            mtu 1508
            pppoe 0 {
                default-route auto
                name-server auto
                mtu 1500
                user-id ?????
                password ?????
                dhcpv6-pd {
                    pd 0 {
                        interface eth0 {
                            host-address ::1
                            prefix-id :0
                            service slaac
                        }
                        prefix-length /48
                    }
                }
                ipv6 {
                    dup-addr-detect-transmits 1
                    enable {}
                }
            }
        }
    }
}
This carves a /64 out of the delegated /48 (prefix-id :0 selects the first one) and sets the router's address on eth0 to that prefix with host part ::1, so the router ends up at the delegated prefix followed by a bunch of 0's and then 1 - for example abcd:1234:ef01::1 if the delegated prefix were abcd:1234:ef01::/48. The /64 is advertised on eth0 via Router Advertisements so that SLAAC can do its business on the hosts.
After this, it pretty much just works. On the EdgeRouter, not much can be configured IPv6-wise from the web interface. It all has to be done using the CLI - including your firewall rules for egress, ingress and local traffic. This matters more than it did with IPv4: there is no NAT hiding the LAN, every host gets a globally routable address, so until an ipv6-name ruleset is attached to the pppoe0 interface the whole LAN is directly reachable from the internet.
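As an added example, not from the original post, here is a minimal pair of IPv6 rulesets in the same configuration-tree format, attached to the PPPoE interface. They allow return traffic, ICMPv6 (which IPv6 cannot function without: neighbour discovery and path MTU discovery ride on it) and the DHCPv6 replies the prefix delegation depends on, and drop everything else inbound. The ruleset names WANv6_IN and WANv6_LOCAL are my own choice, not something the post defines.

```text
firewall {
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN to LAN over IPv6"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow ICMPv6"
            protocol ipv6-icmp
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN to router over IPv6"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow ICMPv6"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "Allow DHCPv6 replies from the ISP"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
}
interfaces {
    ethernet eth2 {
        vif 911 {
            pppoe 0 {
                firewall {
                    in {
                        ipv6-name WANv6_IN
                    }
                    local {
                        ipv6-name WANv6_LOCAL
                    }
                }
            }
        }
    }
}
```

After committing, check it from outside (a phone on mobile data, or an online IPv6 port scanner) against a LAN host's global address: TCP connections should time out, while ping will still answer because rule 30 lets all ICMPv6 through. If you want rule 30 tighter, RFC 4890 lists which ICMPv6 types have to pass (packet too big, time exceeded, parameter problem, destination unreachable and the neighbour discovery messages) and which can be dropped at the edge. To expose a single service, add an accept rule to WANv6_IN matching that host's address, bearing in mind that under SLAAC the address is only as stable as the host's interface identifier; DHCPv6 or a static address pins it.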
Incidentally, a fun trick I've been using over the past couple of years to replicate the functionality of "fail2ban", but for the whole network, is to count SYN packets (i.e. NEW state packets) coming into the router within a set period of time.
rule 49 {
    action drop
    description "block repeated ssh"
    destination {
        port 22
    }
    protocol tcp
    recent {
        count 2
        time 300
    }
    state {
        established disable
        invalid disable
        new enable
        related disable
    }
}
This only wants to be applied to new connections, and explicitly not to those which are already established, related or invalid - otherwise all the SSH traffic will end up getting blocked. Two caveats: the recent match counts per source address, so under IPv6 a client that has a whole /64 to itself can sidestep the limit simply by rotating addresses; and because EdgeOS keeps the IPv4 (name) and IPv6 (ipv6-name) rulesets separate, the rule has to be added to both if SSH is reachable over both.
Wanting to leave a comment?
Comments and feedback are welcome by email (aaron@nospam-aaronsplace.co.uk).