New Member
Posts: 12
Registered: ‎09-04-2017
Kudos: 7
Solutions: 1

IPv6 6rd setup configuration writeup

[ Edited ]

This post is a write-up of how to configure a 6rd ipv6 tunnel. I found very scattered information about the ER configuration for 6rd and I had to tinker a bit to get it to function properly. I write this post with the real IPs from my Norwegian ISP Altibox. My hope is that this writeup can serve as a useful example for other 6rd setups as well.

 

I'm running v1.9.7+hotfix.2 on an Edgerouter 5-port PoE.

 

The given ipv6 connection data for the tunnel from the ISP, sourced from https://www.altibox.no/privat/bredband/ipv6/, is:

 

IPv4 BR: 213.167.115.92
IPv4 Prefix: 0
IPv6 Prefix: 2a01:79c::
IPv6 Prefix length: 30
IPv6 DNS: 2a01:798:0:8012::4

The client's public ipv4 address is required to determine the full ipv6 prefix. This implies that the ipv6 addresses for the LAN network will change if the ipv4 IP address changes. As far as I know, the Edgerouter does not have any built-in support for handling changing DHCP ipv4 prefix addresses with 6rd. Because of this, it is often a good idea to get a fixed ipv4 IP which in turn gives you a fixed ipv6 network prefix.

 

For the remainder of this post, assume the public IPv4 address is 123.45.67.89


1. Determine the ipv6 LAN address range

 

The first item is to determine the so-called 6rd delegated prefix. This can be done by using ipv6calc:

 

$ ipv6calc --action 6rd_local_prefix --6rd_prefix 2a01:79c::/30 --6rd_relay_prefix 213.167.115.92/0 123.45.67.89
No input type specified, try autodetection...found type: ipv4addr
No output type specified, try autodetection...found type: ipv6addr
2a01:79d:ecb5:d64::/62

 

Manually, this is determined by concatenating the ipv6 prefix with the ipv4 address using the last 32-<IPv4 Prefix> bits from it. Our example of ipv4 123.45.67.89 is represented as 7b2d:4359 in hex. Since the ipv6 prefix does not add up to 32, some bit juggling is required to concatenate them:

 

2a01:79c::/30 + 7b2d:4359/32 = 2a01:79d:ecb5:d64::/62

 

If the IPv4 Prefix length is 8, the ipv6 address would use the lower 24 bits of the ipv4 address, yielding:

 

2a01:79c::/30 + 2d43:5900/24 = 2a01:79c:b50d:6400::/54


2. Configure the 6rd tunnel

 

The edgerouter requires setting up a new tunnel interface for the 6rd tunnel. This interface is configured using:

 

configure
edit interfaces tunnel tun0
set 6rd-prefix '2a01:79c::/30' # <-- Use the 6rd prefix
set address '2a01:79d:ecb5:d64::1/30' # <-- Use the router IP and the 6rd-prefix length
set description 'Altibox IPv6 6rd tunnel'
set encapsulation sit
set local-ip 123.45.67.89 # <-- Use public ipv4 address
set mtu 1472
set multicast disable
set ttl 255
top
commit

The MTU should be sufficiently less than the MTU for the ipv4 network. My ISP serves ipv4 with MTU of 1500 bytes, so 1480 or less should suffice for ipv6. According to https://tools.ietf.org/html/rfc7059, the ipv6 MTU is recommended to be set to 1472 if the ISP tunnels the ipv4 traffic over PPPoE.

 

The address setting on the tunnel interface is important to get right to get proper routing. Especially the /30 part must exactly match the 6rd prefix given by the ISP.

 

To add the route:

set interfaces tunnel tun0 6rd-default-gw '::213.167.115.92'   # <-- The IPv4 BR


3. Setup ipv6 and routing on the local LAN

 

The following config will set up ipv6 on the LAN. On this router (ER5 PoE), the LAN is connected to the internal switch0. To set up ipv6 on an ethernet port, "switch switch0" can be replaced with "ethernet eth1".

 

 

configure
edit interfaces switch switch0
set address '2a01:79d:ecb5:d64::1/64' # <-- Router IP-address
edit ipv6
set dup-addr-detect-transmits 1
edit router-advert
set cur-hop-limit 64
set link-mtu 1472
set managed-flag false
set max-interval 300
set other-config-flag false
# Setup for RDNSS from Altibox + 2x Google
set radvd-options "RDNSS 2a01:798:0:8012::4 2001:4860:4860::8888 2001:4860:4860::8844 {};"
set reachable-time 0
set retrans-timer 0
set send-advert true
edit prefix '2a01:79d:ecb5:d64::/64' # <-- 6rd delegated prefix
set autonomous-flag true
set on-link-flag true
set valid-lifetime 2592000
top
commit

Note that in the address field we set the IP-address for the router (hence the ::1/64 suffix). The prefix for the router-advertisement messages uses the 6rd delegated network prefix.

The 6rd delegated prefix calculation gives a /62 network for this example, while in the LAN config we set up a /64 network. From what I understand, this allows one to have 4 x /64 networks.

 


4. Configure firewall

 

At this point the ipv6 LAN network will be completely open, so let's close it up.

 

 

configure
edit firewall ipv6-name WAN6_IN
set default-action drop
set description "WAN6 to internal"
set rule 10 action accept
set rule 10 description "Allow established/related"
set rule 10 state established enable
set rule 10 state related enable
set rule 20 action drop
set rule 20 description "Drop invalid state"
set rule 20 state invalid enable
set rule 30 action accept
set rule 30 description "allow ICMPv6"
set rule 30 protocol icmpv6
top
edit firewall ipv6-name WAN6_LOCAL
set default-action drop
set description "WAN6 to router"
set rule 10 action accept
set rule 10 description "Allow established/related"
set rule 10 state established enable
set rule 10 state related enable
set rule 20 action drop
set rule 20 description "Drop invalid state"
set rule 20 state invalid enable
set rule 30 action accept
set rule 30 description "allow ICMPv6"
set rule 30 protocol icmpv6
set rule 40 action accept
set rule 40 description "allow DHCPv6 client/server"
set rule 40 destination port 546
set rule 40 protocol udp
set rule 40 source port 547
top
commit

 

To install these rules into the ipv6 interface, issue:

 

 

configure
set interfaces tunnel tun0 firewall in ipv6-name WAN6_IN
set interfaces tunnel tun0 firewall local ipv6-name WAN6_LOCAL
commit

 

This installs an ipv6 equivalent of the default ipv4 WAN_IN and WAN_LOCAL firewall rules, only allowing established in-bound traffic and ICMPv6. The latter is required for proper ipv6 operation. Out-bound traffic is unrestricted.
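A check for step 4, added here as an example and not part of the original post: it reads a configuration in the same `set ...` command form used in the write-up and reports any 6rd tunnel that has no IPv6 ruleset bound for `in` or `local`, or whose bound ruleset does not default to drop. The function name and the sample configurations are constructed for illustration.

```python
import shlex

def audit_6rd_firewall(config_text):
    """Return findings for 6rd tunnels without drop-by-default IPv6 rulesets."""
    tunnels, bound, default_action = set(), {}, {}
    for line in config_text.splitlines():
        tok = shlex.split(line, comments=True)  # strips quotes and '#' comments
        if tok[:3] == ["set", "interfaces", "tunnel"] and len(tok) >= 5:
            if tok[4] == "6rd-prefix":
                tunnels.add(tok[3])
            elif tok[4] == "firewall" and len(tok) == 8 and tok[6] == "ipv6-name":
                bound[(tok[3], tok[5])] = tok[7]  # (tunnel, in|local) -> ruleset
        elif (tok[:3] == ["set", "firewall", "ipv6-name"] and len(tok) == 6
              and tok[4] == "default-action"):
            default_action[tok[3]] = tok[5]
    findings = []
    for tun in sorted(tunnels):
        for direction in ("in", "local"):
            ruleset = bound.get((tun, direction))
            if ruleset is None:
                findings.append(f"{tun}: no ipv6-name ruleset bound for '{direction}'")
            elif default_action.get(ruleset) != "drop":
                findings.append(
                    f"{tun}: ruleset {ruleset} ({direction}) does not default to drop")
    return findings

# Constructed sample: the tunnel from step 2, before any firewall is configured.
BEFORE = """
set interfaces tunnel tun0 6rd-prefix '2a01:79c::/30'
set interfaces tunnel tun0 address '2a01:79d:ecb5:d64::1/30'
set interfaces tunnel tun0 encapsulation sit
"""
# Constructed sample: rulesets exist, but only WAN6_IN was bound to tun0
# (for example because one of the two bind commands was rejected).
PARTIAL = BEFORE + """
set firewall ipv6-name WAN6_IN default-action drop
set firewall ipv6-name WAN6_LOCAL default-action drop
set interfaces tunnel tun0 firewall in ipv6-name WAN6_IN
"""
# Constructed sample: both rulesets bound, as at the end of step 4.
AFTER = PARTIAL + "set interfaces tunnel tun0 firewall local ipv6-name WAN6_LOCAL\n"

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("partial", PARTIAL), ("after", AFTER)):
        print(label, audit_6rd_firewall(cfg) or "ok")
```
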

 

New Member
Posts: 25
Registered: ‎02-18-2015
Kudos: 5
Solutions: 1

Re: IPv6 6rd setup configuration writeup

Should be set interfaces on the last two commands (missing an s in interfaces). Otherwise great post, finally got ipv6 to work myself. The above works fine from the clients. But I still cannot ping6 ipv6.google.com on the router itself.
New Member
Posts: 12
Registered: ‎09-04-2017
Kudos: 7
Solutions: 1

Re: IPv6 6rd setup configuration writeup

[ Edited ]

Thanks. I've updated the writeup.

 

I have traced the missing ping6 response to be an error (or feature) in the ipv6 source address being used in the icmp6 message going through the tunnel. I have raised this behaviour in another thread: https://community.ubnt.com/t5/EdgeMAX/Use-correct-ipv6-source-address-when-tunelling/m-p/2053190

New Member
Posts: 12
Registered: ‎09-04-2017
Kudos: 7
Solutions: 1

Re: IPv6 6rd setup configuration writeup

With some qualified help on the freenode ##ubnt channel, I learned that I was missing the address setting on the tunnel interface:

 

configure
set interfaces tunnel tun0 address '2a01:79d:ecb5:d64::1/30'
commit

It is very important that the /30 matches the 6rd prefix from your ISP, but note that the address field contains the whole IP address for the ipv6 router address on the LAN.

 

I have updated the guide above as well. 

New Member
Posts: 25
Registered: ‎02-18-2015
Kudos: 5
Solutions: 1

Re: IPv6 6rd setup configuration writeup

Thank you. Finally having a fully working IPv6 setup. Also using Altibox by the way. Good guide.

New Member
Posts: 32
Registered: ‎05-13-2016
Kudos: 1

Re: IPv6 6rd setup configuration writeup

[ Edited ]

Hello, thanks a lot @sveinse and @paaland. I also have Altibox Norway and managed to set up a working tunnel and two local networks. Great success.

 

I have two questions; why does the tunnel use address with /30 prefix?

 

I'm using edgerouter lite 3-port version 1.9.1. I'm getting pretty bad performance over the ipv6 tunnel.

I have 300/300mbps, but I only manage to push ~85/85 over ipv6. The CPU goes through the roof. Anyone found a workaround / offload that works?

 

 

olof@cpe002:~$ show version 
Version:      v1.9.1
Build ID:     4939093
Build on:     12/14/16 07:05
Copyright:    2012-2016 Ubiquiti Networks, Inc.
HW model:     EdgeRouter Lite 3-Port
HW S/N:       802AA8F1D245
Uptime:       12:23:29 up 119 days, 18:28,  2 users,  load average: 2.28, 1.57, 0.77


olof@cpe002:~$ show ubnt offload
IP offload module   : loaded
IPv4
  forwarding: enabled
  vlan      : enabled
  pppoe     : enabled
  gre       : enabled
IPv6
  forwarding: enabled
  vlan      : enabled
  pppoe     : disabled
IPSec offload module: loaded
Traffic Analysis    :
  export    : disabled
  dpi       : disabled

 

New Member
Posts: 25
Registered: ‎02-18-2015
Kudos: 5
Solutions: 1

Re: IPv6 6rd setup configuration writeup

Altibox Norway says to use IPv6 Prefix length: 30. See top of post. Why I don't know. I too see poor ipv6 performance and high CPU load on the router with ipv6. I asked on this forum and it's apparently because the router does not have cpu offloading for ipv6 nor tunneling. So we are kind of doubly punished.
New Member
Posts: 1
Registered: ‎11-13-2017

Re: IPv6 6rd setup configuration writeup

Hi

I do not quite understand how to calculate the 6rd delegated prefix.

 

How do you calculate IPv4 BR: 213.167.115.92 and Public IP: 123.45.67.89 into = 2a01:79d:ecb5:d64::/62

 

Can you please elaborate. 

Tnx :-)

New Member
Posts: 12
Registered: ‎09-04-2017
Kudos: 7
Solutions: 1

Re: IPv6 6rd setup configuration writeup

[ Edited ]

The prefix is 30 bits. Since 30 does not "fill" the last hex number, we leave the last two bits as '0' or 'x' for now.

 2    a    0    1  :      7    9    c/30
0010 1010 0000 0001 0000 0111 1001 11xx

Then we convert the public IP into hex and then to binary

123.45.67.89 = 0x7B.0x2D.0x43.0x59
7    B    2    D    4    3    5    9
0111 1011 0010 1101 0100 0011 0101 1001

Then it's a matter of putting it all together. We first use the 30 bits from the prefix and then continue with the 32 bits of the IP address. It must all be converted to hex numbers, with 4 hex numbers per group.

|-----prefix------------------------||---------IP addr----------------------|
0010 1010 0000 0001 0000 0111 1001 1101 1110 1100 1011 0101 0000 1101 0110 01xx
2    a    0    1  :      7    9    d  : e    c    b    5  :      d    6    4 /62

Hope this clears up the arithmetic
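The bit arithmetic from the post above and from step 1 of the write-up, as an added Python example that is not part of the original thread: it builds the 6rd delegated prefix for any 6rd prefix, IPv4 prefix (mask) length and WAN address, lists the /64 networks inside it, and shows that a changed WAN IPv4 address renumbers the LAN. The function names are chosen for illustration; the inputs are the values used in the thread.

```python
import ipaddress

def sixrd_delegated_prefix(sixrd_prefix, ipv4_mask_len, wan_ipv4):
    """6rd prefix bits followed by the low (32 - mask) bits of the WAN IPv4."""
    net = ipaddress.IPv6Network(sixrd_prefix)
    if not 0 <= ipv4_mask_len <= 32:
        raise ValueError("IPv4 prefix (mask) length must be 0..32")
    v4_bits = 32 - ipv4_mask_len
    plen = net.prefixlen + v4_bits
    if plen > 64:
        raise ValueError(f"/{plen} leaves no room for a /64 LAN")
    v4 = int(ipaddress.IPv4Address(wan_ipv4))
    embedded = v4 & ((1 << v4_bits) - 1)   # drop the high bits shared by all clients
    # Place the embedded IPv4 bits directly after the 6rd prefix bits.
    value = int(net.network_address) | (embedded << (128 - plen))
    return ipaddress.IPv6Network((value, plen))

def lan_subnets(delegated):
    """All /64 networks available inside the delegated prefix."""
    return [str(n) for n in delegated.subnets(new_prefix=64)]

def prefix_changes(sixrd_prefix, ipv4_mask_len, old_ipv4, new_ipv4):
    """True if moving from old_ipv4 to new_ipv4 renumbers the IPv6 LAN."""
    old = sixrd_delegated_prefix(sixrd_prefix, ipv4_mask_len, old_ipv4)
    new = sixrd_delegated_prefix(sixrd_prefix, ipv4_mask_len, new_ipv4)
    return old != new

if __name__ == "__main__":
    # Values from the thread: Altibox 6rd prefix and the example WAN address.
    delegated = sixrd_delegated_prefix("2a01:79c::/30", 0, "123.45.67.89")
    print(delegated)                      # mask length 0: all 32 IPv4 bits used
    print(sixrd_delegated_prefix("2a01:79c::/30", 8, "123.45.67.89"))
    print(lan_subnets(delegated))         # the four /64 networks in the /62
    # 123.45.67.90 is a constructed "new lease" address for the comparison.
    print(prefix_changes("2a01:79c::/30", 0, "123.45.67.89", "123.45.67.90"))
```
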

 

New Member
Posts: 2
Registered: ‎11-18-2017

Re: IPv6 6rd setup configuration writeup

Excellent writeup - I got up and running with 6rd in minutes with your guide!

 

 

I just wondered why you allow DHCPv6 client/server on the WAN6_LOCAL ruleset?

New Member
Posts: 12
Registered: ‎09-04-2017
Kudos: 7
Solutions: 1

Re: IPv6 6rd setup configuration writeup

When you ask about it I have to admit I don't know. I vaguely remember there was a reason, but yes, I agree that it sounds wrong. Or perhaps it was a remnant from when I was experimenting with the setup to get it going the first time.

 

New Member
Posts: 2
Registered: ‎11-18-2017

Re: IPv6 6rd setup configuration writeup

My setup (also with Altibox) seems to work perfectly without it.
New Member
Posts: 2
Registered: ‎03-10-2018

Re: IPv6 6rd setup configuration writeup

Great post. Now I want ipv6 on eth1, eth2 and eth3; how do I do it?
The ER 6P doesn't have an internal switch.