IPv6 configuration with prefix delegation and SLAAC

@zentec That is a good hint.

@the_jackal777 you are being handed a /48 prefix: 2a02:168:68f9::/48

17:15:11.313875 IP6 (server-ID hwaddr/time type 1 time 708449505 a209da24f4bf) (Client-FQDN) (IA_NA IAID:1 T1:0 T2:0 (IA_ADDR 2a02:168:2000:14::68c pltime:0 vltime:0)) (IA_PD IAID:1 T1:0 T2:0 (IA_PD-prefix 2a02:168:68f9::/48 pltime:0 vltime:0)))) (interface-ID 73362e373930686f6e5f...))

What do show interfaces and ip a show?

The strange thing is that eth0 (WAN) does not receive an IPv6 address.

Interface    IP Address          MAC                VRF        MTU  S/L    Description
-----------  ------------------  -----------------  -------  -----  -----  -------------
eth0         xxx.xxx.137.66/24   xx:xx:xx:xx:xx:08  default   1500  u/u    Init7
eth1         xxx.xxx.0.1/24      xx:xx:xx:xx:xx:09  default   1500  u/u    LAN
eth2         xxx.xxx.74.1/27     xx:xx:xx:xx:xx:93  default   1500  u/D    MGMT
lo           xxx.xxx.0.1/8       xx:xx:xx:xx:xx:00  default  65536  u/u
             ::1/128
wg01         xxx.xxx.10.1/24     n/a                default   1420  u/u    wireguard

inet6 fe80::527c:6fff:fe7a:fc08/64 scope link

I just went through setting up IPv6 yesterday, and there were 2 things that were catching me out. Maybe they will help you too?

  1. My ISP does not send router advertisements - they only support DHCPv6 for both the IP address assigned to your router’s WAN, and also for the prefix delegation to your LAN. Note the WAN interface IPv6 address is different to the prefix delegated for LAN.
  2. My VyOS firewall was blocking the DHCPv6 traffic - I had a zone-based firewall configured for IPv4, but no rules configured for IPv6 - this didn’t prevent the zones I was using for IPv4 from blocking the traffic (zones were default drop). I could see the dropped traffic using the operational command show log firewall ipv6

To address the above - I used the config below. Maybe something in this will help you too?

Interface config:
The first line requests an address for the WAN interface via DHCPv6, the later lines request a prefix delegation for the LAN interfaces. SLA-ID of 32 is unimportant - I’m using that value to get my IPv6 prefixes to match my IPv4 subnets to help me identify addresses.

set interfaces ethernet <WAN> address 'dhcpv6'
set interfaces ethernet <WAN> description 'WAN'
set interfaces ethernet <WAN> dhcpv6-options pd 0 interface <LAN> address '1'
set interfaces ethernet <WAN> dhcpv6-options pd 0 interface <LAN> sla-id '32'
set interfaces ethernet <WAN> dhcpv6-options pd 0 length '48'

Router Advertisement:
Advertise the prefixes delegated by my ISP to my LAN.

set service router-advert interface <LAN> dnssl '<MY DOMAIN>'
set service router-advert interface <LAN> prefix ::/64

Firewall Rules:

GLOBAL - allow reply traffic.

WAN - Allow DHCPv6 replies from my ISP. Also allow ICMPv6 as it is more heavily relied upon in IPv6.

LAN - allow ICMPv6 from WAN.

set firewall global-options state-policy established action 'accept'
set firewall global-options state-policy invalid action 'drop'
set firewall global-options state-policy related action 'accept'

set firewall ipv6 name LAN-LOCAL-v6 default-action 'reject'
set firewall ipv6 name LAN-LOCAL-v6 default-log
set firewall ipv6 name LAN-LOCAL-v6 rule 1 action 'accept'
set firewall ipv6 name LAN-LOCAL-v6 rule 1 protocol 'ipv6-icmp'
set firewall ipv6 name LAN-WAN-v6 default-action 'accept'
set firewall ipv6 name LOCAL-LAN-v6 default-action 'accept'
set firewall ipv6 name LOCAL-WAN-v6 default-action 'accept'
set firewall ipv6 name WAN-LAN-v6 default-action 'drop'
set firewall ipv6 name WAN-LAN-v6 default-log
set firewall ipv6 name WAN-LAN-v6 rule 1 action 'accept'
set firewall ipv6 name WAN-LAN-v6 rule 1 protocol 'ipv6-icmp'
set firewall ipv6 name WAN-LOCAL-v6 default-action 'drop'
set firewall ipv6 name WAN-LOCAL-v6 default-log
set firewall ipv6 name WAN-LOCAL-v6 rule 1 action 'accept'
set firewall ipv6 name WAN-LOCAL-v6 rule 1 protocol 'ipv6-icmp'
set firewall ipv6 name WAN-LOCAL-v6 rule 2 action 'accept'
set firewall ipv6 name WAN-LOCAL-v6 rule 2 description 'Allow DHCPv6 response from ISP'
set firewall ipv6 name WAN-LOCAL-v6 rule 2 destination port '546'
set firewall ipv6 name WAN-LOCAL-v6 rule 2 protocol 'udp'
set firewall ipv6 name WAN-LOCAL-v6 rule 2 source port '547'
set firewall zone LAN from LOCAL firewall ipv6-name 'LOCAL-LAN-v6'
set firewall zone LAN from WAN firewall ipv6-name 'WAN-LAN-v6'
set firewall zone LOCAL from LAN firewall ipv6-name 'LAN-LOCAL-v6'
set firewall zone LOCAL from WAN firewall ipv6-name 'WAN-LOCAL-v6'
set firewall zone WAN from LAN firewall ipv6-name 'LAN-WAN-v6'
set firewall zone WAN from LOCAL firewall ipv6-name 'LOCAL-WAN-v6'

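As an added illustration (my own script, not something posted in this thread or shipped with VyOS), here is a small Python program that works out which /64 the `dhcpv6-options pd 0 interface <LAN> sla-id '32'` and `address '1'` lines above carve out of a delegated prefix, using the /48 from the tcpdump output earlier in the thread as constructed input. It also generalises to other delegation lengths (a /56 instead of a /48) and rejects an sla-id that does not fit; the function names and the sample prefix are assumptions of the example.

```python
import ipaddress

# Constructed example input: the /48 the ISP delegates in the tcpdump output
# quoted earlier in the thread.
DELEGATED_PREFIX = "2a02:168:68f9::/48"


def sla_subnet(delegated, sla_id, address_suffix=1, subnet_len=64):
    """Return (subnet, interface_address) for one LAN behind a delegated prefix.

    This mirrors what the 'sla-id' and 'address' values of a dhcpv6-options pd
    entry mean: the SLA-ID fills the bits between the delegated prefix length
    and the /64 boundary, and 'address' becomes the host part of the router's
    own address on that LAN.
    """
    pd = ipaddress.IPv6Network(delegated, strict=True)
    sla_bits = subnet_len - pd.prefixlen
    if sla_bits < 0:
        raise ValueError(f"{delegated} is longer than /{subnet_len}; nothing to subnet")
    if not 0 <= sla_id < (1 << sla_bits):
        raise ValueError(
            f"sla-id {sla_id} does not fit in {sla_bits} bits "
            f"(a /{pd.prefixlen} delegation allows sla-id 0..{(1 << sla_bits) - 1})"
        )
    host_bits = 128 - subnet_len
    if not 0 < address_suffix < (1 << host_bits):
        raise ValueError("address must be non-zero and fit in the host bits")
    base = int(pd.network_address) + (sla_id << host_bits)
    subnet = ipaddress.IPv6Network((base, subnet_len))
    address = ipaddress.IPv6Interface((base + address_suffix, subnet_len))
    return subnet, address


def max_sla_id(delegated, subnet_len=64):
    """Largest sla-id a delegation of this length can carry (0 for a bare /64)."""
    pd = ipaddress.IPv6Network(delegated, strict=True)
    return (1 << (subnet_len - pd.prefixlen)) - 1


if __name__ == "__main__":
    subnet, address = sla_subnet(DELEGATED_PREFIX, sla_id=32, address_suffix=1)
    print(f"LAN prefix (what router-advert 'prefix ::/64' ends up advertising): {subnet}")
    print(f"Router address on LAN:                                               {address}")
    print(f"Usable sla-id range for {DELEGATED_PREFIX}: 0..{max_sla_id(DELEGATED_PREFIX)}")
```

With the /48 from the thread and sla-id 32 (0x20), the LAN gets 2a02:168:68f9:20::/64 and the router takes 2a02:168:68f9:20::1 on it. If an ISP only delegates a /56, the same sla-id still works but the range shrinks to 0..255, which is the first thing to check when a prefix delegation silently produces no LAN address.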

Many thanks for your hint. That was the final piece missing. I did not set up any IPv6 firewall rules as I thought that at least the address allocation to the WAN interface should work. I have now added the IPv6 firewall and now both interfaces receive an IPv6 address.

