1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
|
:lastproofread: 2021-06-29
.. _examples-pppoe-ipv6-basic:
#######################################
PPPoE IPv6 Basic Setup for Home Network
#######################################
This document is to describe a basic setup using PPPoE with DHCPv6-PD +
SLAAC to construct a typical home network. The user can follow the steps
described here to quickly setup a working network and use this as a starting
point to further configure or fine-tune other settings.
To achieve this, your ISP is required to support DHCPv6-PD. If you're not sure,
please contact your ISP for more information.
Network Topology
================
.. image:: /_static/images/pppoe-ipv6-pd-diagram.jpg
:width: 60%
:align: center
:alt: Network Topology Diagram
Configurations
==============
PPPoE Setup
-----------
.. code-block:: none
set interfaces pppoe pppoe0 authentication password <YOUR PASSWORD>
set interfaces pppoe pppoe0 authentication user <YOUR USERNAME>
set interfaces pppoe pppoe0 service-name <YOUR SERVICENAME>
set interfaces pppoe pppoe0 source-interface 'eth0'
* Fill ``password`` and ``user`` with the credential provided by your ISP.
* ``service-name`` can be an arbitrary string.
DHCPv6-PD Setup
---------------
During address configuration, in addition to assigning an address to the WAN
interface, ISP also provides a prefix to allow the router to configure addresses
of LAN interface and other nodes connecting to LAN, which is called prefix
delegation (PD).
.. code-block:: none
set interfaces pppoe pppoe0 ipv6 address autoconf
set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth1 address '100'
* Here we use the prefix to configure the address of eth1 (LAN) to form
``<prefix>::64``, where ``64`` is hexadecimal of address 100.
* For home network users, most of time ISP only provides /64 prefix, hence
there is no need to set SLA ID and prefix length. See :ref:`pppoe-interface`
for more information.
Router Advertisement
--------------------
We need to enable router advertisement for LAN network so that PC can receive
the prefix and use SLAAC to configure the address automatically.
.. code-block:: none
set service router-advert interface eth1 link-mtu '1492'
set service router-advert interface eth1 name-server <NAME SERVER>
set service router-advert interface eth1 prefix ::/64 valid-lifetime '172800'
* Set MTU in advertisement to 1492 because of PPPoE header overhead.
* Set DNS server address in the advertisement so that clients can obtain it by
using RDNSS option. Most operating systems (Windows, Linux, Mac) should
already support it.
* Here we set the prefix to ``::/64`` to indicate advertising any /64 prefix
the LAN interface is assigned.
* Since some ISPs disconnects continuous connection for every 2~3 days, we set
``valid-lifetime`` to 2 days to allow PC for phasing out old address.
Basic Firewall
--------------
To have basic protection while keeping IPv6 network functional, we need to:
* Allow all established and related traffic for router and LAN
* Allow all icmpv6 packets for router and LAN
* Allow DHCPv6 packets for router
.. code-block:: none
set firewall ipv6 name WAN_IN default-action 'drop'
set firewall ipv6 name WAN_IN rule 10 action 'accept'
set firewall ipv6 name WAN_IN rule 10 state established 'enable'
set firewall ipv6 name WAN_IN rule 10 state related 'enable'
set firewall ipv6 name WAN_IN rule 20 action 'accept'
set firewall ipv6 name WAN_IN rule 20 protocol 'icmpv6'
set firewall ipv6 name WAN_LOCAL default-action 'drop'
set firewall ipv6 name WAN_LOCAL rule 10 action 'accept'
set firewall ipv6 name WAN_LOCAL rule 10 state established 'enable'
set firewall ipv6 name WAN_LOCAL rule 10 state related 'enable'
set firewall ipv6 name WAN_LOCAL rule 20 action 'accept'
set firewall ipv6 name WAN_LOCAL rule 20 protocol 'icmpv6'
set firewall ipv6 name WAN_LOCAL rule 30 action 'accept'
set firewall ipv6 name WAN_LOCAL rule 30 destination port '546'
set firewall ipv6 name WAN_LOCAL rule 30 protocol 'udp'
set firewall ipv6 name WAN_LOCAL rule 30 source port '547'
set firewall ipv6 forward filter rule 10 action jump
set firewall ipv6 forward filter rule 10 jump-target 'WAN_IN'
set firewall ipv6 forward filter rule 10 inbound-interface name 'pppoe0'
set firewall ipv6 input filter rule 10 action jump
set firewall ipv6 input filter rule 10 jump-target 'WAN_LOCAL'
set firewall ipv6 input filter rule 10 inbound-interface name 'pppoe0'
Note to allow the router to receive DHCPv6 response from ISP. We need to allow
packets with source port 547 (server) and destination port 546 (client).
|
