
Configuration

These examples might be outdated by now – it's been years since they were last updated here. They should work fine though.

Routers

EdgeOS/Vyatta/VyOS example

In this example:
- tun0 = Your IPv6 WAN interface
- ethX = Your IPv6 LAN interfaces
- IPv6 WAN range = 2001:db8:85a3::/48
- IPv6 WAN IP = 2001:db8:85a3::1/48
- IPv6 LAN1 IP = 2001:db8:85a3:1::1/64
- IPv6 LAN1 RA = 2001:db8:85a3:1::/64

Remember that with IPv6, it is by design that you have multiple IPv6 addresses per interface. For example, you will always have your link-local address, even when you have valid unicast addresses.

The following examples are based on EdgeOS.

Security first! Firewall time. All three rulesets below default to drop and then accept only reply traffic (established/related), ICMPv6 (IPv6 does not work without it: router advertisements, neighbour discovery and path MTU discovery all run over ICMPv6) and a few explicitly listed services:

set firewall ipv6-name IPv6-LAN1 default-action drop
set firewall ipv6-name IPv6-LAN1 description 'From WAN to LAN (open ports here, remember dst ip)'
set firewall ipv6-name IPv6-LAN1 rule 10 action accept
set firewall ipv6-name IPv6-LAN1 rule 10 state established enable
set firewall ipv6-name IPv6-LAN1 rule 10 state related enable
set firewall ipv6-name IPv6-LAN1 rule 20 action accept
set firewall ipv6-name IPv6-LAN1 rule 20 description 'Accept ICMPv6'
set firewall ipv6-name IPv6-LAN1 rule 20 protocol icmpv6

set firewall ipv6-name IPv6-WAN-IN default-action drop
set firewall ipv6-name IPv6-WAN-IN rule 10 action accept
set firewall ipv6-name IPv6-WAN-IN rule 10 description 'Accept Established/Related'
set firewall ipv6-name IPv6-WAN-IN rule 10 protocol all
set firewall ipv6-name IPv6-WAN-IN rule 10 state established enable
set firewall ipv6-name IPv6-WAN-IN rule 10 state related enable

set firewall ipv6-name IPv6-LOCAL default-action drop
set firewall ipv6-name IPv6-LOCAL description 'When your router is the destination'
set firewall ipv6-name IPv6-LOCAL rule 10 action accept
set firewall ipv6-name IPv6-LOCAL rule 10 description 'Accept Established/Related'
set firewall ipv6-name IPv6-LOCAL rule 10 protocol all
set firewall ipv6-name IPv6-LOCAL rule 10 state established enable
set firewall ipv6-name IPv6-LOCAL rule 10 state related enable
set firewall ipv6-name IPv6-LOCAL rule 20 action accept
set firewall ipv6-name IPv6-LOCAL rule 20 description 'Accept ICMP'
set firewall ipv6-name IPv6-LOCAL rule 20 protocol icmpv6
set firewall ipv6-name IPv6-LOCAL rule 30 action accept
set firewall ipv6-name IPv6-LOCAL rule 30 description 'Accept DHCP'
set firewall ipv6-name IPv6-LOCAL rule 30 destination port 546
set firewall ipv6-name IPv6-LOCAL rule 30 protocol udp
set firewall ipv6-name IPv6-LOCAL rule 30 source port 547
set firewall ipv6-name IPv6-LOCAL rule 40 action accept
set firewall ipv6-name IPv6-LOCAL rule 40 description 'Accept DNS from own subnet'
set firewall ipv6-name IPv6-LOCAL rule 40 destination port 53
set firewall ipv6-name IPv6-LOCAL rule 40 protocol udp
set firewall ipv6-name IPv6-LOCAL rule 40 source address '2001:db8:85a3::/48'
set firewall ipv6-name IPv6-LOCAL rule 50 action accept
set firewall ipv6-name IPv6-LOCAL rule 50 description 'Management from own subnet'
set firewall ipv6-name IPv6-LOCAL rule 50 destination port 22,80,443
set firewall ipv6-name IPv6-LOCAL rule 50 protocol tcp
set firewall ipv6-name IPv6-LOCAL rule 50 source address '2001:db8:85a3::/48'

set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable

WAN setup:

set interfaces tunnel tun0 address '2001:db8:85a3::1/48'
set interfaces tunnel tun0 firewall in ipv6-name IPv6-WAN-IN
set interfaces tunnel tun0 firewall local ipv6-name IPv6-LOCAL
set protocols static interface-route6 '2000::/3' next-hop-interface tun0
ping ipv6.google.com # Check that IPv6 works end to end through the tunnel before continuing

LAN1 setup. Note that eth3 reuses IPv6-LOCAL, the same ruleset that protects the router on tun0, so rules 40 and 50 (DNS and management from 2001:db8:85a3::/48) are also matched on the WAN side by packets carrying a spoofed source in that prefix; if your upstream does not drop such packets, give tun0 its own, stricter local ruleset:

set interfaces ethernet eth3 address '2001:db8:85a3:1::1/64'
set interfaces ethernet eth3 firewall local ipv6-name IPv6-LOCAL
set interfaces ethernet eth3 firewall out ipv6-name IPv6-LAN1
set interfaces ethernet eth3 ipv6 dup-addr-detect-transmits 1 # Duplicate Address Detection (DAD)
set interfaces ethernet eth3 ipv6 router-advert send-advert true # Enable sending RAs
set interfaces ethernet eth3 ipv6 router-advert managed-flag false # Inform that there is no DHCPv6
set interfaces ethernet eth3 ipv6 router-advert other-config-flag false # Indicate that DHCPv6 is not needed due to RDNSS
set interfaces ethernet eth3 ipv6 router-advert prefix '2001:db8:85a3:1::/64' autonomous-flag true # Enables stateless autoconfiguration
set interfaces ethernet eth3 ipv6 router-advert prefix '2001:db8:85a3:1::/64' on-link-flag true # Tells all clients that everyone in that /64 is on the same link.
set interfaces ethernet eth3 ipv6 router-advert prefix '2001:db8:85a3:1::/64' valid-lifetime 2592000 # For how long our range is valid
set interfaces ethernet eth3 ipv6 router-advert radvd-options 'RDNSS 2001:db8:85a3:1::1 {};' # Provide DNS via RA
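The rulesets above are only as good as the properties they are supposed to have: a drop default, a rule for return traffic, ICMPv6 allowed, and no management port reachable from a WAN-facing local chain without a source restriction. The following is an added example, not code from the page or from the EdgeOS/VyOS projects: a small Python audit that parses "set firewall ipv6-name ..." and "set interfaces ... firewall ... ipv6-name ..." lines and reports violations. The embedded SAMPLE_CONFIG is constructed from the page's IPv6-LOCAL chain plus a deliberately weak chain (WEAK-LOCAL) bound to eth0 so that every check has something to find; the set of WAN interfaces is an input you supply.

```python
"""Static audit of EdgeOS/VyOS 'set firewall ipv6-name' rulesets.

Added example, not part of the original page: parses 'set ...' lines into
rulesets and interface bindings, then checks the properties the
configuration above depends on.  SAMPLE_CONFIG is constructed: the page's
IPv6-LOCAL chain plus a deliberately weak chain (WEAK-LOCAL) that exposes
SSH from any source on a WAN interface.
"""
import shlex
from collections import defaultdict

SAMPLE_CONFIG = """
set firewall ipv6-name IPv6-LOCAL default-action drop
set firewall ipv6-name IPv6-LOCAL rule 10 action accept
set firewall ipv6-name IPv6-LOCAL rule 10 state established enable
set firewall ipv6-name IPv6-LOCAL rule 10 state related enable
set firewall ipv6-name IPv6-LOCAL rule 20 action accept
set firewall ipv6-name IPv6-LOCAL rule 20 protocol icmpv6
set firewall ipv6-name IPv6-LOCAL rule 50 action accept
set firewall ipv6-name IPv6-LOCAL rule 50 description 'Management from own subnet'
set firewall ipv6-name IPv6-LOCAL rule 50 destination port 22,80,443
set firewall ipv6-name IPv6-LOCAL rule 50 protocol tcp
set firewall ipv6-name IPv6-LOCAL rule 50 source address '2001:db8:85a3::/48'
set firewall ipv6-name WEAK-LOCAL default-action accept
set firewall ipv6-name WEAK-LOCAL rule 10 action accept
set firewall ipv6-name WEAK-LOCAL rule 10 destination port 22
set firewall ipv6-name WEAK-LOCAL rule 10 protocol tcp
set interfaces tunnel tun0 firewall local ipv6-name IPv6-LOCAL
set interfaces ethernet eth0 firewall local ipv6-name WEAK-LOCAL
set interfaces ethernet eth3 firewall local ipv6-name IPv6-LOCAL
"""

MGMT_PORTS = {"22", "80", "443"}
ICMPV6_NAMES = {"icmpv6", "ipv6-icmp"}   # both spellings occur in EdgeOS/VyOS configs


def parse(config_text):
    """Return (rulesets, bindings).

    rulesets: name -> {"default-action": str or None, "rules": {num: {key: value}}}
    bindings: list of (interface, direction, ruleset name) from 'firewall <dir> ipv6-name'
    """
    rulesets = {}
    bindings = []
    for line in config_text.splitlines():
        tok = shlex.split(line)          # honours quoted values such as 'Management ...'
        if len(tok) < 5 or tok[0] != "set":
            continue
        if tok[1:3] == ["firewall", "ipv6-name"]:
            rs = rulesets.setdefault(tok[3], {"default-action": None, "rules": defaultdict(dict)})
            if tok[4] == "rule" and len(tok) >= 8:
                # everything between the rule number and the last token is the key
                rs["rules"][int(tok[5])][" ".join(tok[6:-1])] = tok[-1]
            elif tok[4] == "default-action" and len(tok) == 6:
                rs["default-action"] = tok[5]
        elif tok[1] == "interfaces" and "firewall" in tok:
            i = tok.index("firewall")
            if tok[i + 2:i + 3] == ["ipv6-name"]:
                bindings.append((tok[3], tok[i + 1], tok[i + 3]))
    return rulesets, bindings


def audit(rulesets, bindings, wan_ifaces):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for name, rs in rulesets.items():
        rules = rs["rules"].values()
        if rs["default-action"] != "drop":
            findings.append(f"{name}: default-action is {rs['default-action']}, expected drop")
        if not any(r.get("action") == "accept" and r.get("state established") == "enable" for r in rules):
            findings.append(f"{name}: no accept rule for established/related traffic")
        if not any(r.get("action") == "accept" and r.get("protocol") in ICMPV6_NAMES for r in rules):
            findings.append(f"{name}: ICMPv6 is not accepted; neighbour discovery and PMTUD need it")
    for iface, direction, name in bindings:
        if name not in rulesets:
            findings.append(f"{iface} {direction}: references undefined ruleset {name}")
            continue
        if direction != "local" or iface not in wan_ifaces:
            continue
        # Router-destined traffic on a WAN interface: management ports need a source restriction.
        for num, r in sorted(rulesets[name]["rules"].items()):
            exposed = set(r.get("destination port", "").split(",")) & MGMT_PORTS
            if r.get("action") == "accept" and exposed and "source address" not in r:
                findings.append(f"{iface} local via {name} rule {num}: management port(s) "
                                f"{','.join(sorted(exposed))} accepted from any source")
    return findings


def run():
    """Audit SAMPLE_CONFIG with tun0 and eth0 treated as WAN-facing."""
    rulesets, bindings = parse(SAMPLE_CONFIG)
    return audit(rulesets, bindings, wan_ifaces={"tun0", "eth0"})


if __name__ == "__main__":
    for finding in run():
        print("FINDING:", finding)
```

On the sample the audit reports nothing for IPv6-LOCAL and four findings for WEAK-LOCAL (accept default, no state rule, no ICMPv6, and SSH open from any source on eth0). To run it against a real router, feed the output of "show configuration commands" into parse() instead of SAMPLE_CONFIG. The source-address check only verifies that a restriction exists; it cannot tell whether the upstream filters spoofed sources, which is what the restriction relies on when the chain is bound to the WAN side.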

Minimal EdgeOS/VyOS example

ISP: Kviknet (DK)

A minimal EdgeRouter/VyOS (or Vyatta) setup with a basic firewall for safety.

  • WAN (eth0) requests a /48 from Kviknet via DHCPv6-PD; the IA-NA patch below (na 1) makes it also request a /128 WAN address, which is needed to route the /48
  • LAN (eth3) gets a /64 out of the /48 and announces it with SLAAC for compatibility (and privacy addresses)

set firewall ipv6-name WAN-IN-IPv6 default-action drop
set firewall ipv6-name WAN-IN-IPv6 rule 10 action accept
set firewall ipv6-name WAN-IN-IPv6 rule 10 description 'Accept Established/Related'
set firewall ipv6-name WAN-IN-IPv6 rule 10 protocol all
set firewall ipv6-name WAN-IN-IPv6 rule 10 state established enable
set firewall ipv6-name WAN-IN-IPv6 rule 10 state related enable
set firewall ipv6-name WAN-IN-IPv6 rule 20 action accept
set firewall ipv6-name WAN-IN-IPv6 rule 20 description 'Accept ICMP'
set firewall ipv6-name WAN-IN-IPv6 rule 20 protocol icmpv6

set firewall ipv6-name WAN-LOCAL-IPv6 default-action drop
set firewall ipv6-name WAN-LOCAL-IPv6 rule 10 action accept
set firewall ipv6-name WAN-LOCAL-IPv6 rule 10 description 'Accept Established/Related'
set firewall ipv6-name WAN-LOCAL-IPv6 rule 10 protocol all
set firewall ipv6-name WAN-LOCAL-IPv6 rule 10 state established enable
set firewall ipv6-name WAN-LOCAL-IPv6 rule 10 state related enable
set firewall ipv6-name WAN-LOCAL-IPv6 rule 20 action accept
set firewall ipv6-name WAN-LOCAL-IPv6 rule 20 description 'Accept IPv6 ICMP'
set firewall ipv6-name WAN-LOCAL-IPv6 rule 20 protocol ipv6-icmp
set firewall ipv6-name WAN-LOCAL-IPv6 rule 30 action accept
set firewall ipv6-name WAN-LOCAL-IPv6 rule 30 description 'Accept DHCP'
set firewall ipv6-name WAN-LOCAL-IPv6 rule 30 destination port 546
set firewall ipv6-name WAN-LOCAL-IPv6 rule 30 protocol udp
set firewall ipv6-name WAN-LOCAL-IPv6 rule 30 source port 547

set interfaces ethernet eth0 firewall in ipv6-name WAN-IN-IPv6
set interfaces ethernet eth0 firewall local ipv6-name WAN-LOCAL-IPv6

# EdgeOS:
sudo sed -i 's/na 0/na 1/g' /opt/vyatta/sbin/dhcpv6-pd-client.pl # Kviknet fix: request an IA-NA address next to the PD; redo this after every firmware upgrade, which replaces the file
set interfaces ethernet eth0 dhcpv6-pd pd 1 prefix-length 48
set interfaces ethernet eth0 dhcpv6-pd pd 1 interface eth3 service slaac

# VyOS 1.3 (exact example is untested):
sudo sed -i 's/na 0/na 1/g' /usr/share/vyos/templates/dhcp-client/ipv6.tmpl # Kviknet fix for VyOS 1.3.2; the template may be called ipv6.j2 on 1.4 (reboot required)
set interfaces ethernet eth0 address 'dhcpv6'
set interfaces ethernet eth0 dhcpv6-options pd 1 length '48'
set interfaces ethernet eth0 dhcpv6-options pd 1 interface eth3 address '1' # Not on the original page: hands one /64 of the delegation to eth3; check the exact syntax with '?' on your VyOS version
set service router-advert interface eth3 prefix 2001:db8:85a3:1::/64 # Replace with the /64 eth3 actually received; VyOS also accepts ::/64 here to advertise whatever prefix the interface currently holds, which others use with PD but which was not widely tested here

For more details, see the article on IPv6 on your own router (Kviknet).


OpenBSD NAT64

OpenBSD's pf has NAT64 built in (the af-to option) and Unbound ships a DNS64 module, so adding both to an existing setup is straightforward: DNS64 synthesises AAAA records for IPv4-only names inside 64:ff9b::/96, and pf translates packets sent to that prefix into IPv4.

pf.conf

int_if = "em1"
pass in quick on $int_if inet6 from any to 64:ff9b::/96 af-to inet from (egress:0) keep state
# egress is pf's interface group for interfaces holding a default route (usually the WAN); (egress:0) uses its first IPv4 address as the translated source
# af-to inet performs the NAT64 translation; the state entry translates replies back to IPv6

unbound.conf

server:
    module-config: "dns64 validator iterator"
    dns64-prefix: 64:ff9b::/96

Both options belong in the server: section, and the module order matters: dns64 has to come first so that it synthesises from answers the validator has already checked. The synthesised AAAA records carry no DNSSEC signatures, so a client that validates DNSSEC itself cannot verify them (RFC 6147, section 5.5); either let Unbound validate on the client's behalf, as this module order does, or do not rely on DNS64 for such clients.
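The address mapping that the pf af-to rule and the Unbound dns64 module both rely on is RFC 6052's IPv4-embedded IPv6 address format. The following is an added example, not code from the page, from OpenBSD or from Unbound: it implements the general RFC 6052 algorithm for all six allowed prefix lengths rather than only the /96 used above, enforces the rule that the well-known prefix 64:ff9b::/96 must not carry non-global IPv4 addresses, and shows both directions (DNS64 synthesis and the NAT64 extraction pf performs). The A records it synthesises from are constructed sample data; 192.0.2.33 (documentation space) stands in for a public address.

```python
"""RFC 6052 IPv4-embedded IPv6 addresses: the mapping pf's af-to and Unbound's
dns64 module rely on.  Added example, not part of the page, OpenBSD or Unbound;
the A records fed to dns64_synthesize() are constructed sample data."""
import ipaddress

WKP = ipaddress.IPv6Network("64:ff9b::/96")      # NAT64 well-known prefix
RFC6052_LENGTHS = (32, 40, 48, 56, 64, 96)

# RFC 6052 section 3.1: the well-known prefix must not embed non-global IPv4
# space.  Deliberately short list for the demonstration (RFC 1918 and a few
# other special-purpose blocks); extend it for production use.
NON_GLOBAL_V4 = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]


def _v4_bit_positions(prefixlen):
    """Bit offsets (0 = most significant) of the 32 embedded IPv4 bits.

    They start right after the prefix and skip bits 64-71, the reserved
    'u' octet; this one rule covers all six prefix lengths."""
    pos, out = prefixlen, []
    for _ in range(32):
        if pos == 64:
            pos = 72
        out.append(pos)
        pos += 1
    return out


def embed(v4, prefix):
    """Synthesize the IPv6 address for IPv4 address v4 under prefix."""
    v4 = ipaddress.IPv4Address(v4)
    prefix = ipaddress.IPv6Network(prefix)
    if prefix.prefixlen not in RFC6052_LENGTHS:
        raise ValueError(f"/{prefix.prefixlen} is not a valid RFC 6052 prefix length")
    if prefix == WKP and any(v4 in net for net in NON_GLOBAL_V4):
        raise ValueError(f"{v4} is non-global and must not be embedded in 64:ff9b::/96")
    bits, v4int = int(prefix.network_address), int(v4)
    for i, pos in enumerate(_v4_bit_positions(prefix.prefixlen)):
        if (v4int >> (31 - i)) & 1:
            bits |= 1 << (127 - pos)
    return ipaddress.IPv6Address(bits)


def extract(v6, prefix):
    """Inverse of embed(): the IPv4 destination pf forwards to after af-to,
    or None when v6 is outside prefix (the pf rule above would not match)."""
    v6 = ipaddress.IPv6Address(v6)
    prefix = ipaddress.IPv6Network(prefix)
    if v6 not in prefix:
        return None
    bits, v4int = int(v6), 0
    for pos in _v4_bit_positions(prefix.prefixlen):
        v4int = (v4int << 1) | ((bits >> (127 - pos)) & 1)
    return ipaddress.IPv4Address(v4int)


def dns64_synthesize(a_records, prefix=WKP):
    """What the dns64 module does for a name with A but no AAAA records:
    return the synthesized AAAA addresses as strings, silently skipping
    IPv4 addresses that may not be embedded under the chosen prefix."""
    out = []
    for a in a_records:
        try:
            out.append(str(embed(a, prefix)))
        except ValueError:
            continue
    return out


if __name__ == "__main__":
    # Constructed sample: one public-looking and one RFC 1918 A record.
    for aaaa in dns64_synthesize(["192.0.2.33", "10.1.2.3"]):
        print(aaaa, "->", extract(aaaa, WKP))
```

With the well-known prefix, 192.0.2.33 becomes 64:ff9b::c000:221 and the RFC 1918 address is dropped; extract() recovers 192.0.2.33 from the synthesised address exactly as the pf rule does before forwarding. A site-local prefix such as 2001:db8::/96 has no non-global restriction, which is why operators who need to reach RFC 1918 space through NAT64 use a network-specific prefix instead of 64:ff9b::/96.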

Notes

Debug

The following command captures DHCPv6 (UDP 546/547) and all ICMPv6 (router advertisements, neighbour discovery, error messages) on the WAN interface, which covers most IPv6 bring-up problems:

sudo tcpdump -i eth0 -n -vv '(udp port 546 or 547) or icmp6'