The VyOS in question is running 1.5-rolling and has the following interfaces set up:
eth0: MGMT (only IPv4)
eth1: WAN
eth2: DMZ
eth3: LAN
The ISP uses SLAAC with a /64 on-link and also provides a /56 as DHCPv6-PD (so you can set up a /64 on DMZ, LAN etc. of your VyOS). In the example below I will request one /64 per downlink interface (DMZ and LAN) from the ISP.
The SLAAC (well, RA) from the ISP uses the O-flag, so DNS servers are learnt through DHCPv6.
I assume these commands should fix this (please let me know if I missed something along the way)?
Set the IPv6 address on WAN using SLAAC:
set interfaces ethernet eth1 ipv6 address autoconf
Fetch one /64 for DMZ and one /64 for LAN through DHCPv6-PD:
set interfaces ethernet eth1 dhcpv6-options rapid-commit
set interfaces ethernet eth1 dhcpv6-options no-release
set interfaces ethernet eth1 dhcpv6-options pd 2 length 64
set interfaces ethernet eth1 dhcpv6-options pd 2 interface eth2
set interfaces ethernet eth1 dhcpv6-options pd 3 length 64
set interfaces ethernet eth1 dhcpv6-options pd 3 interface eth3
Configure the DMZ and LAN interfaces so they get ::1 as their IPv6 address:
set interfaces ethernet eth1 dhcpv6-options pd 2 interface eth2 address 1
set interfaces ethernet eth1 dhcpv6-options pd 3 interface eth3 address 1
Set up SLAAC (aka RA) on the DMZ and LAN interfaces, or how do I make router-advert advertise the PD it learnt through the WAN interface?
set service router-advert interface eth2 prefix ::/64
set service router-advert interface eth2 prefix ::/64 preferred-lifetime 3600
set service router-advert interface eth2 prefix ::/64 valid-lifetime 86400
set service router-advert interface eth2 default-lifetime 3600
set service router-advert interface eth2 default-preference high
set service router-advert interface eth2 interval max 60
set service router-advert interface eth2 interval min 3
set service router-advert interface eth3 prefix ::/64
set service router-advert interface eth3 prefix ::/64 preferred-lifetime 3600
set service router-advert interface eth3 prefix ::/64 valid-lifetime 86400
set service router-advert interface eth3 default-lifetime 3600
set service router-advert interface eth3 default-preference high
set service router-advert interface eth3 interval max 60
set service router-advert interface eth3 interval min 3
Also make the SLAAC (aka RA) on the DMZ and LAN interfaces give out which DNS servers are to be used. The example below is a static list of DNS servers, but how do I send out the DNS servers learnt through SLAAC on the WAN interface (the ISP sends the O-flag)?
set service router-advert interface eth2 name-server 2001:4860:4860::8844
set service router-advert interface eth2 name-server 2001:4860:4860::8888
set service router-advert interface eth2 other-config-flag
set service router-advert interface eth3 name-server 2001:4860:4860::8844
set service router-advert interface eth3 name-server 2001:4860:4860::8888
set service router-advert interface eth3 other-config-flag
If the above is OK (did I miss something?), then there is some stuff I haven't been able to resolve:
Q1.
According to the manual, using SLAAC (autoconf) on an interface will disable IPv6 traffic forwarding through that interface!?
If so, how do I re-enable it?
Note: This method automatically disables IPv6 traffic forwarding on the interface in question.
Q2.
How will VyOS deal with default route that should point to the WAN?
Is that fixed automatically when “autoconf” is being used?
Q3.
Also provide the DNS information for legacy devices on DMZ and LAN (which will use DHCPv6 to find out which DNS servers to use, since we send out the O-flag):
Well, how do I do that, since I don't know the subnets I'm getting through PD ahead of the configuration (so I can't configure the local DHCPv6 server manually)?
Or will “set service router-advert interface eth2 name-server” automatically use DHCPv6 to share this information (I'm guessing no)?
Q4.
And since the PD delivered by the ISP to be used by DMZ and LAN can differ between reboots of the VyOS (or reboots of the ISP's DHCPv6 server), I want to set up custom link-local addresses so LAN can always reach servers in DMZ:
Well, how do I do that?
I found in the documentation that one can disable the link-local address (“set interfaces ethernet ipv6 address no-default-link-local”), but how do I set it to a custom value?
For example, this is how I would do it on an HPE Comware device:
ipv6 address FE80::F101:1 link-local
Q5.
In VyOS, how would I limit the number of learned IPv6 neighbors and MAC addresses per interface?
For example, the below is what I would use on an HPE Comware device:
ipv6 neighbors max-learning-num 20
port-security max-mac-count 20
port-security port-mode autolearn
port-security ntk-mode ntk-withmulticasts
port-security intrusion-mode blockmac
port-security mac-address dynamic
port-security mac-address aging-type inactivity
mac-address max-mac-count 20
mac-address information enable added
Q6.
Did I miss something, or how does one set up a fully static IPv6 address on a VyOS box (if needed/wanted)?
vyos@vyos# set interfaces ethernet eth1 ipv6 address
Possible completions:
  autoconf                 Enable acquisition of IPv6 address using stateless autoconfig (SLAAC)
+ eui64                    Prefix for IPv6 address with MAC-based EUI-64
  no-default-link-local    Remove the default link-local address from the interface
Q7.
A follow-up to the example above (way up in this post): what extra config is needed if I want the VyOS to fetch DHCPv6-PD from the ISP and then hand out PD on its own downlink?
Let's say I had another physical firewall box connected to the VyOS on DMZ, like so:
ISP ↔ VyOS ↔ DMZ-FW ↔ DMZ-host
In the above example, the DMZ-FW would request a /64 DHCPv6-PD from the VyOS box and then use that on its downlink interface towards DMZ-host.
Q8.
There is this “deprecate-prefix” one can use for router-advert; how good/bad is it to use in the wild?
deprecate-prefix: Upon shutdown, this option will deprecate the prefix by announcing it in the shutdown RA
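An added example for the forwarding question in Q1 (this is not from the original post and does not use VyOS configuration commands). VyOS runs on a Debian kernel, so after committing the config you can verify what the kernel actually ended up with. The Linux semantics assumed here: accept_ra=1 honours Router Advertisements only while forwarding=0, and accept_ra=2 honours them even with forwarding=1, so a router that takes its WAN address via SLAAC needs forwarding=1 and accept_ra=2 on that interface. The script reads the per-interface sysctl nodes directly; the fake sysctl tree built by make_fake_tree is constructed sample data so the check can be run offline.

```shell
#!/bin/sh
# Added example, not from the original post: audit the Linux IPv6 sysctls that
# decide whether an interface both accepts Router Advertisements (SLAAC) and
# forwards IPv6 traffic. Kernel semantics assumed: accept_ra=1 honours RAs
# only while forwarding=0; accept_ra=2 honours them even with forwarding=1.
# A router that gets its WAN address via SLAAC therefore needs forwarding=1
# AND accept_ra=2 on that interface; forwarding=0 would make it a host.
# SYSCTL_ROOT defaults to the live tree; point it at a constructed fake tree
# (see make_fake_tree) to run this offline.

SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys/net/ipv6/conf}"

# read_sysctl <iface> <key>: the node's value, or "missing" if it does not exist
read_sysctl() {
    cat "$SYSCTL_ROOT/$1/$2" 2>/dev/null || echo missing
}

# check_iface <iface>: prints ok | no-forwarding | ra-ignored | missing | unknown
check_iface() {
    fwd=$(read_sysctl "$1" forwarding)
    ra=$(read_sysctl "$1" accept_ra)
    case "$fwd:$ra" in
        missing:*|*:missing) echo missing ;;        # no such interface or key
        1:2)                 echo ok ;;             # routing and still doing SLAAC
        0:*)                 echo no-forwarding ;;  # behaving as a host, not a router
        1:0|1:1)             echo ra-ignored ;;     # forwarding on, but RAs are dropped
        *)                   echo unknown ;;
    esac
}

# make_fake_tree <dir>: constructed sample tree for offline use:
# eth1 is configured correctly, eth2 is not forwarding, eth3 forwards but drops RAs
make_fake_tree() {
    for spec in eth1:1:2 eth2:0:1 eth3:1:1; do
        iface=${spec%%:*}; rest=${spec#*:}
        mkdir -p "$1/$iface"
        echo "${rest%%:*}" > "$1/$iface/forwarding"
        echo "${rest#*:}"  > "$1/$iface/accept_ra"
    done
}

# Usage: ./ra_check.sh eth1 eth2 eth3   (audits the live tree)
#        ./ra_check.sh --demo           (audits the constructed fake tree)
if [ "${1:-}" = "--demo" ]; then
    SYSCTL_ROOT=$(mktemp -d)
    make_fake_tree "$SYSCTL_ROOT"
    shift; set -- eth1 eth2 eth3
fi
for iface in "$@"; do
    printf '%s: %s\n' "$iface" "$(check_iface "$iface")"
done
```

On a real box run it with the interface names from the post (eth1 for WAN); a result of no-forwarding on eth1 is the symptom the manual note describes, and ra-ignored is what you get if forwarding is turned back on without also raising accept_ra to 2.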