| author | Robert Göhler <github@ghlr.de> | 2021-03-17 20:01:43 +0100 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-03-17 20:01:43 +0100 | 
| commit | b162fb8f272741c82684a08f10f364ea88cb244d (patch) | |
| tree | b279932b8ccf6975cddf8f6e668feb33a900bd47 /docs | |
| parent | a9484a223ad08390618049d504cc08dea39cac78 (diff) | |
| parent | ab402a16b50fe34457c18d34cfc52a5c2e556289 (diff) | |
Merge pull request #478 from ramaxlo/new-config-example
configexamples: Add PPPoE IPv6 basic setup
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/_static/images/pppoe-ipv6-pd-diagram.jpg | bin | 0 -> 19993 bytes |
| -rw-r--r-- | docs/configexamples/index.rst | 1 |
| -rw-r--r-- | docs/configexamples/pppoe-ipv6-basic.rst | 110 |
3 files changed, 111 insertions, 0 deletions
| diff --git a/docs/_static/images/pppoe-ipv6-pd-diagram.jpg b/docs/_static/images/pppoe-ipv6-pd-diagram.jpgBinary files differ new file mode 100644 index 00000000..430848c8 --- /dev/null +++ b/docs/_static/images/pppoe-ipv6-pd-diagram.jpg diff --git a/docs/configexamples/index.rst b/docs/configexamples/index.rst index b2f7bfde..709708ce 100644 --- a/docs/configexamples/index.rst +++ b/docs/configexamples/index.rst @@ -17,3 +17,4 @@ This chapter contains various configuration examples:     tunnelbroker-ipv6     ha     wan-load-balancing +   pppoe-ipv6-basic diff --git a/docs/configexamples/pppoe-ipv6-basic.rst b/docs/configexamples/pppoe-ipv6-basic.rst new file mode 100644 index 00000000..451d2b09 --- /dev/null +++ b/docs/configexamples/pppoe-ipv6-basic.rst 
@@ -0,0 +1,110 @@ +.. _examples-pppoe-ipv6-basic: + +####################################### +PPPoE IPv6 Basic Setup for Home Network +####################################### + +This document is to describe a basic setup using PPPoE with DHCPv6-PD + +SLAAC to construct a typical home network. The user can follow steps described +here to quickly setup a working network and use this as a starting point to +further configure or fine tune other settings. + +To achieve this, your ISP is required to support DHCPv6-PD. If you're not sure, +please contact your ISP for more information. + +Network Topology +================ + +.. image:: /_static/images/pppoe-ipv6-pd-diagram.jpg +   :width: 60% +   :align: center +   :alt: Network Topology Diagram + +Configurations +============== + +PPPoE Setup +----------- + +.. code-block:: none + +   set interfaces pppoe pppoe0 authentication password <YOUR PASSWORD> +   set interfaces pppoe pppoe0 authentication user <YOUR USERNAME> +   set interfaces pppoe pppoe0 service-name <YOUR SERVICENAME> +   set interfaces pppoe pppoe0 source-interface 'eth0' + +* Fill ``password`` and ``user`` with the credential provided by your ISP. +* ``service-name`` can be an arbitrary string. + +DHCPv6-PD Setup +--------------- + +During address configuration, in addition to assigning an address to the WAN +interface, ISP also provides a prefix to allow router to configure addresses of +LAN interface and other nodes connecting to LAN, which is called prefix +delegation (PD). + +.. code-block:: none + +   set interfaces pppoe pppoe0 ipv6 address autoconf +   set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth1 address '100' + +* Here we use prefix to configure the address of eth1 (LAN) to form ``<prefix>::64``, +  where ``64`` is hexadecimal of address 100. +* For home network users, most of time ISP only provides /64 prefix, hence +  there is no need to set SLA ID and prefix length. See :ref:`pppoe-interface` +  for more information. 
+ +Router Advertisement +-------------------- + +We need to enable router advertisement for LAN network so that PC can receive +the prefix and use SLAAC to configure address automatically. + +.. code-block:: none + +   set service router-advert interface eth1 link-mtu '1492' +   set service router-advert interface eth1 name-server <NAME SERVER> +   set service router-advert interface eth1 prefix ::/64 valid-lifetime '172800' + +* Set MTU in advertisement to 1492 because of PPPoE header overhead. +* Set DNS server address in advertisement so that clients can obtain it by using +  RDNSS option. Most operating systems (Windows, Linux, Mac) should +  already support it. +* Here we set the prefix to ``::/64`` to indicate advertising any /64 prefix +  the LAN interface is assigned. +* Since some ISPs disconnects continuous connection for every 2~3 days, we set +  ``valid-lifetime`` to 2 days to allow PC for phasing out old address. + +Basic Firewall +-------------- + +To have basic protection while keeping IPv6 network functional, we need to: + +* Allow all established and related traffic for router and LAN +* Allow all icmpv6 packets for router and LAN +* Allow DHCPv6 packets for router + +.. 
code-block:: none + +   set firewall ipv6-name WAN_IN default-action 'drop' +   set firewall ipv6-name WAN_IN rule 10 action 'accept' +   set firewall ipv6-name WAN_IN rule 10 state established 'enable' +   set firewall ipv6-name WAN_IN rule 10 state related 'enable' +   set firewall ipv6-name WAN_IN rule 20 action 'accept' +   set firewall ipv6-name WAN_IN rule 20 protocol 'icmpv6' +   set firewall ipv6-name WAN_LOCAL default-action 'drop' +   set firewall ipv6-name WAN_LOCAL rule 10 action 'accept' +   set firewall ipv6-name WAN_LOCAL rule 10 state established 'enable' +   set firewall ipv6-name WAN_LOCAL rule 10 state related 'enable' +   set firewall ipv6-name WAN_LOCAL rule 20 action 'accept' +   set firewall ipv6-name WAN_LOCAL rule 20 protocol 'icmpv6' +   set firewall ipv6-name WAN_LOCAL rule 30 action 'accept' +   set firewall ipv6-name WAN_LOCAL rule 30 destination port '546' +   set firewall ipv6-name WAN_LOCAL rule 30 protocol 'udp' +   set firewall ipv6-name WAN_LOCAL rule 30 source port '547' +   set interfaces pppoe pppoe0 firewall in ipv6-name 'WAN_IN' +   set interfaces pppoe pppoe0 firewall local ipv6-name 'WAN_LOCAL' + +Note to allow router to receive DHCPv6 response from ISP, we need to allow +packets with source port 547 (server) and destination port 546 (client). | 
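
Review bot: In the "Basic Firewall" section of docs/configexamples/pppoe-ipv6-basic.rst, WAN_IN rule 20 (`action 'accept'`, `protocol 'icmpv6'`) forwards every ICMPv6 type from the ISP side to LAN hosts, and with DHCPv6-PD + SLAAC those hosts hold globally routable addresses, so this rule is the only part of WAN_IN that admits unsolicited inbound traffic. The bullet "Allow all icmpv6 packets for router and LAN" states this as a requirement without saying why. Consider narrowing WAN_IN to the error messages that forwarding actually depends on (destination unreachable, packet too big, time exceeded, parameter problem; RFC 4890 gives the recommended set), or at least add a sentence explaining the trade-off so readers who copy the block know that LAN hosts will answer echo requests from the internet. WAN_LOCAL rule 20 has a stronger case for staying broad, because `ipv6 address autoconf` on pppoe0 needs router advertisements and neighbor discovery to reach the router, and that difference between the two rule sets is worth spelling out in the prose. The closing note on ports 547/546 is a good model for the level of explanation the ICMPv6 rules are missing.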
