Member
Posts: 164
Registered: ‎08-19-2013
Kudos: 66
Solutions: 12

PBR for IPv6

Hi, found out that there are ipv6-modify firewall rules in 1.3, but interface-route6 or route6 are not available during routing table creation:

set protocols static table <num> route6

 

Now, if I want to forward traffic to specific destination via tun1 (tun0 is ::/0), each time I need to do two things:

  1. Set the static interface-route6 in ERL;
  2. Set prefixpolicy in windows (to choose correct source ip address).

I would prefer to create a table (one time) and only add prefixes in Windows.

 

So, any plans to support ipv6? Or is there any other way to do it?

Thank you.

 

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3125
Solutions: 945
Contributions: 16

Re: PBR for IPv6

Our underlying routing daemons don't support IPv6 PBR, but it's on the todo list.

EdgeMAX Router Software Development
New Member
Posts: 15
Registered: ‎05-25-2015
Kudos: 61

Re: PBR for IPv6

Any updates on PBR for IPv6 lately?

 

Is this something I can still do manually, though?

 

Thanks!

New Member
Posts: 15
Registered: ‎05-25-2015
Kudos: 61

Re: PBR for IPv6

Looks like there are patches for VyOS for this already: http://forum.vyos.net/showthread.php?tid=16489

 

Could be easy to implement?

New Member
Posts: 12
Registered: ‎02-17-2017
Kudos: 2
Solutions: 1

Re: PBR for IPv6

It's been a year and a half and EdgeOS still doesn't have this implemented?!?!?!

New Member
Posts: 34
Registered: ‎12-21-2016
Kudos: 8
Solutions: 1

Re: PBR for IPv6

It's 2018 and EdgeOS STILL doesn't have this implemented.
New Member
Posts: 1
Registered: ‎05-12-2017

Re: PBR for IPv6

This is a super serious issue for me.

New Member
Posts: 34
Registered: ‎12-21-2016
Kudos: 8
Solutions: 1

Re: PBR for IPv6

[ Edited ]

@joshboros

Agreed.

 

Based on how long ago this was implemented upstream, I'd say there's very low likelihood of ubnt ever doing anything.

 

Your best bet is just to use the workaround from the feature request... or get a router that supports IPv6.

New Member
Posts: 12
Registered: ‎02-17-2017
Kudos: 2
Solutions: 1

Re: PBR for IPv6

@jugs @joshboros Yeah, I gave up on waiting and just set up a runtime script to configure my IPv6 PBR. It seems to work -- except for the fact that my ISP seems to throttle Proto41 packets so I stopped using it.
Ubiquiti Employee
Posts: 4,989
Registered: ‎08-08-2016
Kudos: 5356
Solutions: 344

Re: PBR for IPv6


@jugs wrote:

@joshboros

Agreed.

 

Based on how long ago this was implemented upstream, I'd say there's very low likelihood of ubnt ever doing anything.

 


It's still not in a stable release in VyOS so how long ago it was implemented (but never rolled into a stable version) is pretty irrelevant. 

 

There is support for IPv6 modify rulesets, has anyone tried those? It appears the only thing that's lacking is multiple routing table route6 support. 

Veteran Member
Posts: 7,226
Registered: ‎03-24-2016
Kudos: 1860
Solutions: 822

Re: PBR for IPv6

I once started with firewall modify rules, still work in progress:


set firewall ipv6-modify MODWAN6 rule 10 action modify
set firewall ipv6-modify MODWAN6 rule 10 description restore_all_marks
set firewall ipv6-modify MODWAN6 rule 10 modify connmark restore-mark
set firewall ipv6-modify MODWAN6 rule 11 action accept
set firewall ipv6-modify MODWAN6 rule 11 description StatisticsOnly_8
set firewall ipv6-modify MODWAN6 rule 11 mark 8
set firewall ipv6-modify MODWAN6 rule 12 action accept
set firewall ipv6-modify MODWAN6 rule 12 description StatisticsOnly_18
set firewall ipv6-modify MODWAN6 rule 12 mark 18
set firewall ipv6-modify MODWAN6 rule 13 action accept
set firewall ipv6-modify MODWAN6 rule 13 description StatisticsOnly_46
set firewall ipv6-modify MODWAN6 rule 13 mark 46
set firewall ipv6-modify MODWAN6 rule 20 action modify
set firewall ipv6-modify MODWAN6 rule 20 description MSUPDATE
set firewall ipv6-modify MODWAN6 rule 20 modify mark 8
set firewall ipv6-modify MODWAN6 rule 20 source group ipv6-address-group MSUPDATE6

set firewall ipv6-modify MODLAN6 rule 8 action modify
set firewall ipv6-modify MODLAN6 rule 8 dscp 8
set firewall ipv6-modify MODLAN6 rule 8 modify mark 8

Idea behind these rules: set marks for incoming DSCP on LAN, restore them on WAN return traffic, so we can use these marks for download QoS. As MODWAN6 rule 11 stays at count zero, it doesn't seem to work, as it does for IPv4.

 


admin@ERX:~$ show firewall ipv6-modify
--------------------------------------------------------------------------------
IPv6 Modify Firewall "MODLAN6":

 Active on (switch0.333,IN)

rule  action   proto     packets  bytes
----  ------   -----     -------  -----
8     modify   all       64244    4109835
  condition - DSCP match 0x08 MARK xset 0x8/0xff

10000 accept   all       1741588  182199727

--------------------------------------------------------------------------------
IPv6 Modify Firewall "MODWAN6":

 Active on (switch0.178,IN)

rule  action   proto     packets  bytes
----  ------   -----     -------  -----
10    modify   all       2782674  3783905967
  condition - CONNMARK restore

11    accept   all       0        0
  condition - mark match 0x8/0xff

12    accept   all       0        0
  condition - mark match 0x12/0xff

13    accept   all       0        0
  condition - mark match 0x2e/0xff

20    modify   all       0        0
  condition - match-SRC--GROUP MSUPDATE6 MARK xset 0x8/0xff

10000 accept   all       2782674  3783905967

 



 

New Member
Posts: 34
Registered: ‎12-21-2016
Kudos: 8
Solutions: 1

Re: PBR for IPv6

[ Edited ]

@UBNT-cmb

 

I have tried to set up the PBR as per the docs, but the routing component doesn't exist for IPv6. I am having to use the hack suggested in the feature request to make it work. It would be nice if you guys could complete the functionality for it to work correctly.
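
The missing piece discussed in this thread is a per-table IPv6 route plus a rule that selects that table by firewall mark. The script below is an added example using plain iproute2, not code from this thread or from the feature request's workaround; it assumes an ipv6-modify ruleset has already set mark 8 (matched as 0x8/0xff in the output above) before the route lookup, and table 100, priority 1000 and tun1 are sample values.

```shell
#!/bin/sh
# Added example: fwmark-based IPv6 policy routing with plain iproute2.
# Dry run by default; run as root with APPLY=1 to change kernel state.
# Mark 8 and mask 0xff mirror the ipv6-modify output in the thread;
# table 100, priority 1000 and tun1 are assumed sample values.

# pbr6_cmds MARK TABLE DEV [PRIO]: validate, then print one command per line.
pbr6_cmds() {
    mark=$1 table=$2 dev=$3 prio=${4:-1000}
    for n in "$mark" "$table" "$prio"; do
        case $n in
            ''|0*|*[!0-9]*) echo "not a positive integer: '$n'" >&2; return 1 ;;
        esac
    done
    case $dev in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface name: '$dev'" >&2; return 1 ;;
    esac
    # The mark must fit the 0xff mask; tables 253-255 are default/main/local.
    [ "$mark" -le 255 ] || { echo "mark exceeds 0xff" >&2; return 1; }
    [ "$table" -le 252 ] || { echo "table is reserved" >&2; return 1; }
    # The rule must be consulted before the main table's rule (32766).
    [ "$prio" -lt 32766 ] || { echo "priority too high" >&2; return 1; }
    hex=$(printf '0x%x' "$mark")
    # Fail closed: if DEV goes down its route vanishes, and the unreachable
    # route stops marked traffic from falling through to the main table.
    echo "ip -6 route replace unreachable ::/0 metric 4096 table $table"
    echo "ip -6 route replace ::/0 dev $dev table $table"
    # ip rule has no "replace", so delete any old copy before adding.
    echo "ip -6 rule del fwmark $hex/0xff table $table priority $prio"
    echo "ip -6 rule add fwmark $hex/0xff table $table priority $prio"
}

# pbr6_apply MARK TABLE DEV [PRIO]: print the commands, or run them if APPLY=1.
pbr6_apply() {
    cmds=$(pbr6_cmds "$@") || return 1
    printf '%s\n' "$cmds" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" != 1 ]; then echo "+ $cmd"; continue; fi
        case $cmd in
            *" rule del "*) $cmd 2>/dev/null || true ;;  # no old rule: fine
            *) $cmd || exit 1 ;;
        esac
    done
}

# Example: sh pbr6.sh 8 100 tun1
if [ "$#" -ge 3 ]; then pbr6_apply "$@"; fi
```

Rules and routes added this way exist only in the running kernel, so they have to be re-applied after a reboot; `ip -6 rule show` and `ip -6 route show table 100` confirm what is installed.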
