Unable to get IPv6 to work despite following guides [Solved]

General questions
1

I’ve been following all the guides, forum threads and Reddit posts I can find to get IPv6 with Prefix Delegation working.

My ISP provides a /56 prefix using DHCPv6-PD, like lots of other ISPs. I know that it has been enabled by the ISP since they told me so and also because a neighbor in the same house has it working (same ISP).

The Qotom mini PC I’m running VyOS on turned out to have a UUID I’ve seen used by other manufacturers so I generated a random one and manually set the DUID I calculated from that UUID to avoid conflicts, just in case. :slightly_smiling_face:

Am I missing something obvious here? Am I mistakenly blocking some important traffic?

Santized configuration:

firewall {
    flowtable FT-OFFLOAD {
        interface "eth2"
        interface "eth1"
    }
    group {
        interface-group LAN {
            interface "eth1"
        }
        interface-group MANAGEMENT {
            include "LAN"
            interface "eth8"
        }
        interface-group WAN {
            interface "eth2"
        }
        network-group NET-LAN-v4 {
            network "192.168.10.0/24"
            network "192.168.1.0/24"
        }
        network-group WAN-IP {
            network "xx.xx.xx.xx/32"
        }
    }
    ipv6 {
        forward {
            filter {
                rule 5 {
                    action "offload"
                    offload-target "FT-OFFLOAD"
                    state "established"
                    state "related"
                }
                rule 10 {
                    action "jump"
                    jump-target "CONN_FILTER"
                }
                rule 100 {
                    action "jump"
                    inbound-interface {
                        group "WAN"
                    }
                    jump-target "OUTSIDE-IN"
                }
            }
        }
        input {
            filter {
                default-action "drop"
                rule 10 {
                    action "jump"
                    jump-target "CONN_FILTER"
                }
                rule 20 {
                    action "jump"
                    destination {
                        port "22"
                    }
                    jump-target "VyOS_MANAGEMENT"
                    protocol "tcp"
                }
                rule 30 {
                    action "accept"
                    protocol "ipv6-icmp"
                    state "new"
                }
                rule 40 {
                    action "jump"
                    inbound-interface {
                        group "WAN"
                    }
                    jump-target "WAN-LOCAL"
                }
            }
        }
        name CONN_FILTER {
            default-action "return"
            rule 10 {
                action "accept"
                state "established"
                state "related"
            }
            rule 20 {
                action "drop"
                state "invalid"
            }
        }
        name OUTSIDE-IN {
            default-action "drop"
            rule 10 {
                action "accept"
                protocol "ipv6-icmp"
            }
        }
        name VyOS_MANAGEMENT {
            default-action "return"
            rule 15 {
                action "accept"
                inbound-interface {
                    group "LAN"
                }
            }
            rule 20 {
                action "drop"
                inbound-interface {
                    group "WAN"
                }
                state "new"
            }
        }
        name WAN-LOCAL {
            rule 30 {
                action "accept"
                destination {
                    port "546"
                }
                protocol "udp"
                source {
                    port "547"
                }
            }
        }
    }
}
interfaces {
    ethernet eth0 {
        description "SFP+ 1"
    }
    ethernet eth1 {
        address "192.168.1.1/24"
        description "LAN (SFP+ 2)"
    }
    ethernet eth2 {
        address "dhcp"
        description "WAN (SFP+ 3)"
        dhcpv6-options {
            duid "..."
            no-release
            pd 0 {
                interface eth1 {
                    address "1"
                    sla-id "0"
                }
                length "56"
            }
        }
        ipv6 {
            address {
                autoconf
            }
        }
    }
    ethernet eth3 {
        description "SFP+ 4"
    }
    ethernet eth4 {
        description "LAN (RJ45 4)"
    }
    ethernet eth5 {
        description "RJ45 2"
    }
    ethernet eth6 {
        description "RJ45 3"
    }
    ethernet eth7 {
        description "RJ45 1"
    }
    ethernet eth8 {
        description "Management (RJ45 5)"
    }
    loopback lo {
    }
}

service {
    router-advert {
        interface eth1 {
            default-preference "high"
            prefix ::/64 {
            }
        }
    }
}
2

You need to turn on dhcpv6 on eth2

set interfaces ethernet eth2 address dhcpv6

My configuration for reference

firewall {
  ...
        name WAN-to-LOCALv6 {
            default-action drop
            rule 10 {
                action accept
                description "Allow ICMPv6"
                protocol ipv6-icmp
            }
            rule 20 {
                action accept
                description "Allow DHCPv6"
                destination {
                    port dhcpv6-client
                }
                protocol udp
                source {
                    port dhcpv6-server
                }
            }
        }
}
interfaces {
    ethernet eth2 {
        address dhcp
        address dhcpv6
        dhcpv6-options {
            pd 0 {
                interface eth0 {
                    address 1
                    sla-id 1
                }
                interface eth0.2 {
                    address 1
                    sla-id 2
                }
                interface eth0.3 {
                    address 1
                    sla-id 3
                }
                length 60
            }
        }
    }
}
service {
    router-advert {
        interface eth0 {
            prefix ::/64 {
            }
        }
        interface eth0.2 {
            prefix ::/64 {
            }
        }
        interface eth0.3 {
            prefix ::/64 {
            }
        }
    }
}
1 Like
3

Thank you.

I was under the impression that it would get what it needs from the RA + autoconf (i.e. SLAAC?)? Most guides I’ve seen don’t set address dhcpv6 on the WAN interface.

I tried it though, and it still doesn’t work. :thinking:

I did however also modify my “Allow DHCPv6” rule to specify the ports like you do, as it’s much easier to read. :slight_smile:

4

I would start by removing the input filter, just to be sure you are not blocking anything. After that a config like below should do the trick:

set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 address 'dhcpv6'
set interfaces ethernet eth0 description 'transit: ziggo'
set interfaces ethernet eth0 dhcpv6-options duid '...'
set interfaces ethernet eth0 dhcpv6-options no-release
set interfaces ethernet eth0 dhcpv6-options pd 0 interface eth1 address '1'
set interfaces ethernet eth0 dhcpv6-options pd 0 interface eth1 sla-id '0'
set interfaces ethernet eth0 dhcpv6-options pd 0 length '56'
set interfaces ethernet eth0 dhcpv6-options rapid-commit
set interfaces ethernet eth0 hw-id '00:0d:b9:51:4f:fc'
set interfaces ethernet eth0 ipv6 address autoconf
set interfaces ethernet eth1 address '192.168.10.1/24'
set interfaces ethernet eth1 address 'fe80::1/64'
set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth1 hw-id '00:0d:b9:51:4f:fd'

It works for me! ™

5

After running tcpdump for 7 minutes on the WAN interface (eth2), I did catch an Router Advertisment from the ISP with a prefix and also a Neighbor Solicitation. It had a prefix length of /64 though. Is that correct? I’m supposed to get a /56. :thinking: Is that because I only have a single prefix delegation configured in VyOS? I would’ve assumed I would get an RA with a /56 prefix and then be able to delegate /64s from that. I suppose I could try adding another prefix delegation on a different interface and see if I get a new /64 on that too.

My VyOS router didn’t do anything with that though, so I assumed it might be blocked by the firewall. That pointed me to input filter rule 30 that only allowed state “new”. Once I removed the state requirement, I received a GUA IPv6 /64 on my LAN interface (eth1). Success! :grinning:

I don’t have a GUA on my WAN interface (eth2), but I my understanding is that a GUA on the WAN isn’t necessary because it can just use the Link Local address. Correct? I can ping IPv6 hosts on the internet from it just fine. EDIT: Yes.

I might want a GUA on my WAN interface in the future though as I’m considering moving the Wireguard VPN I use to reach my internal network to the VyOS box instead for increased performance. How would I get a GUA for it? Just add a prefix delegation for the WAN interface too, similarly to pd 0 assigned to eth1? EDIT: Yes.

The lifetime of the prefix is also set to 300. Would it help if I requested a longer lifetime that isn’t infinity?

Also, since I seemingly don’t need DHCPv6 for the WAN (eth2), I assume that I can remove the firewall that allows that (rule 30 in WAN-LOCAL)?

6

Also, what’s the proper way to give IPv6 clients the IPv6 address of the router’s DNS server over RDNSS? Should I set it to listen to the GUA address and configure the allow-from to the /64 prefix (or entire /56 prefix if I confirm I indeed have that)?

VyOS complains about entering the /64 prefix as the allow-from value, so I guess I’m also wondering how it wants it formatted? EDIT: Answer: Add :: to the end of the prefix.

7

AFAIK you need DHCPv6 on the WAN interface to receive a prefix delegation. You cannot receive a PD using router advertisements.

8

You mean the part below? No, I’m pretty sure you don’t need that for DHCPv6-PD to work. Most guides don’t tell you to add that and it made no difference in my case from what I can tell. In fact, it’s working right now and I don’t have that set. :slight_smile: The configuration I have right now is basically the same as in my first post, but with state “new” removed from rule 30 on the input filter chain.

set interfaces ethernet eth0 address 'dhcpv6'

If you mean the firewall rule, that’s certainly possible. I would have to check with tcpdump. Was that what you meant? :slight_smile:

9

Actually, it seems like I could potentially just use the GUA address of the LAN interface. :thinking: I can ping that address from my VPS. I suppose that sort of makes sense since my ISP can reach that address through their switch via the link-local address of my WAN interface, but it’s definitely not what you’re used to with modern day IPv4 (i.e. with NAT). :smile:

Wouldn’t that make the firewall rules pretty confusing though? :thinking: What would I set as the inbound interface?

EDIT: Nevermind. The wg0 interface is assigned a routable IPv6 address so that’s very logical. Even before that, I confirmed that firewall rules for accessing services listening on the “LAN” interface also make perfect sense. :slightly_smiling_face:

10

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.