Member
Posts: 164
Registered: ‎10-12-2015
Kudos: 71
Solutions: 6
Accepted Solution

IPv6 on USG?

How can I configure my USG to pass through IPv6 from a Comcast cable connection to my clients? I didn't see any options to configure v6 in the UI, and unlike the old router my clients are now only getting IPv4 addresses when they connect to the network.


All Replies
Established Member
Posts: 2,505
Registered: ‎05-30-2014
Kudos: 984
Solutions: 12

Re: IPv6 on USG?

IPv6 is not yet supported
I can not teach you anything. I can only make you think. Please don't forget to mark posts as solutions, and to give kudos when something solves your issue.
Member
Posts: 164
Registered: ‎10-12-2015
Kudos: 71
Solutions: 6

Re: IPv6 on USG?

No way to make it work? Happy to use the CLI to configure...
Ubiquiti Employee
Posts: 4,927
Registered: ‎08-08-2016
Kudos: 5208
Solutions: 343

Re: IPv6 on USG?

You should be able to manually configure it via config.gateway.json, same way you would via CLI on EdgeRouter. That should work, though admittedly I haven't had a chance to try it yet. 

 

Missing IPv6 UI is one of my highest-priority items to address. 

Established Member
Posts: 1,364
Registered: ‎10-15-2015
Kudos: 440
Solutions: 65

Re: IPv6 on USG?

Even if you can make it work through config hacking, UAPs don't support it yet.

Ubiquiti Employee
Posts: 4,927
Registered: ‎08-08-2016
Kudos: 5208
Solutions: 343

Re: IPv6 on USG?

UAPs don't need to support it, they bridge IPv6 through just fine. I've been using IPv6 through UAPs since the very first ones were released, several years back. You won't be able to manage UAPs using IPv6, but that's no big deal. 

Member
Posts: 164
Registered: ‎10-12-2015
Kudos: 71
Solutions: 6

Re: IPv6 on USG?

Exactly... Been running UAPs passing through IPv6 to clients for over a year with a 3rd party router. Has been working flawlessly.

Just made the switch over to the USG last week; hoping to restore that functionality.

@UBNT-cmb glad to hear it RE roadmap. If you have any details on how to Config, please share.. But in any case I'll give it a go next week and report back.

Is it true that a poorly formatted Config.gateway.json file can cause a boot loop? Any way to recover if I screw it up?

New Member
Posts: 42
Registered: ‎11-22-2015
Kudos: 174
Solutions: 4

Re: IPv6 on USG?


appleguru wrote:
Is it true that a poorly formatted Config.gateway.json file can cause a boot loop? Any way to recover if I screw it up?


Yes it is true. I have done this trying to set static DNS entries and enable SNMP. Basically have a port ready on the same VLAN as whatever you use to manage the Unifi Controller directly (I have a special VLAN for management for added security and this is where the UniFi controller sits as well as management for USW, etc), and set your IP static, so that you can talk to the controller via Layer 2. Now that you can talk to the controller, you can remove the custom config.gateway.json, and the USG will stop trying to apply a "bad" file to itself.

Member
Posts: 164
Registered: ‎10-12-2015
Kudos: 71
Solutions: 6

Re: IPv6 on USG?

Ah. I missed the fact that this file lives on the controller (cloud key in my case) and is pushed to the USG.

That makes me much less scared of screwing it up ;-)

Will do some googling and give Config a shot next week. If anyone has any tips, tricks, walkthroughs, etc before then, I'm all ears!
Established Member
Posts: 1,364
Registered: ‎10-15-2015
Kudos: 440
Solutions: 65

Re: IPv6 on USG?

Make sure you count your curly braces lol
Member
Posts: 164
Registered: ‎10-12-2015
Kudos: 71
Solutions: 6

Re: IPv6 on USG?

Ok, taking my first stab at this now... so far seems to be working, but I'm not sure yet what should go into my .json file.

 

I did a diff of before and after the changes:

 

{
        "interfaces": {
                "ethernet": {
                        "eth0": {
                                "address": [
                                        "dhcp"
                                ],
                                "dhcp-options": {
                                        "client-option": [
                                                "retry 60;"
                                        ],
                                        "default-route": "update",
                                        "default-route-distance": "210",
                                        "name-server": "update"
                                },
                                "duplex": "auto",
                                "firewall": {
                                        "in": {
                                                "name": "WAN_IN"
                                        },
                                        "local": {
                                                "name": "WAN_LOCAL"
                                        }
                                },
                                "speed": "auto"
                        },
                        "eth1": {
                                "address": [
                                        "10.0.0.1/24"
                                ],
                                "duplex": "auto",
                                "firewall": {
                                        "in": {
                                                "name": "LAN_IN"
                                        },
                                        "local": {
                                                "name": "LAN_LOCAL"
                                        },
                                        "out": {
                                                "name": "LAN_OUT"
                                        }
                                },
                                "ipv6": {
                                        "dup-addr-detect-transmits": "1",
                                        "router-advert": {
                                                "cur-hop-limit": "64",
                                                "link-mtu": "0",
                                                "managed-flag": "false",
                                                "max-interval": "600",
                                                "other-config-flag": "false",
                                                "prefix": {
                                                        "::/64": {
                                                                "autonomous-flag": "true",
                                                                "on-link-flag": "true",
                                                                "valid-lifetime": "2592000"
                                                        }
                                                },
                                                "reachable-time": "0",
                                                "retrans-timer": "0",
                                                "send-advert": "true"
                                        }
                                },
                                "speed": "auto"
                        },
                        "eth2": {
                                "disable": "''",
                                "duplex": "auto",
                                "speed": "auto"
                        }
                },
                "loopback": {
                        "lo": "''"
                }
        }
}

specifically, the

 

"ipv6": {
                                        "dup-addr-detect-transmits": "1",
                                        "router-advert": {
                                                "cur-hop-limit": "64",
                                                "link-mtu": "0",
                                                "managed-flag": "false",
                                                "max-interval": "600",
                                                "other-config-flag": "false",
                                                "prefix": {
                                                        "::/64": {
                                                                "autonomous-flag": "true",
                                                                "on-link-flag": "true",
                                                                "valid-lifetime": "2592000"
                                                        }
                                                },
                                                "reachable-time": "0",
                                                "retrans-timer": "0",
                                                "send-advert": "true"
                                        }
                                },

Was added. What should my config.gateway.json file that will go on my controller look like?

Member
Posts: 164
Registered: ‎10-12-2015
Kudos: 71
Solutions: 6

Re: IPv6 on USG?

The other important piece is PD:

 

                                "dhcpv6-pd": {
                                        "pd": {
                                                "0": {
                                                        "interface": {
                                                                "eth1": "''"
                                                        },
                                                        "prefix-length": "64"
                                                }
                                        },
                                        "rapid-commit": "enable"
                                },

Again though, what does such a .json file look like?

Member
Posts: 164
Registered: ‎10-12-2015
Kudos: 71
Solutions: 6

Re: IPv6 on USG?

Ok, as best I can tell it should look like this... this is JUST the new config info needed:

 

{
        "interfaces": {
                "ethernet": {
                        "eth0": {
                                "dhcpv6-pd": {
                                        "pd": {
                                                "0": {
                                                        "interface": {
                                                                "eth1": "''"
                                                        },
                                                        "prefix-length": "64"
                                                }
                                        },
                                        "rapid-commit": "enable"
                                }
                        },
                        "eth1": {
                                "ipv6": {
                                        "dup-addr-detect-transmits": "1",
                                        "router-advert": {
                                                "cur-hop-limit": "64",
                                                "link-mtu": "0",
                                                "managed-flag": "true",
                                                "max-interval": "600",
                                                "other-config-flag": "false",
                                                "prefix": {
                                                        "::/64": {
                                                                "autonomous-flag": "true",
                                                                "on-link-flag": "true",
                                                                "valid-lifetime": "2592000"
                                                        }
                                                },
                                                "reachable-time": "0",
                                                "retrans-timer": "0",
                                                "send-advert": "true"
                                        }
                                }
                        }
                }
        }
}
Member
Posts: 164
Registered: ‎10-12-2015
Kudos: 71
Solutions: 6

Re: IPv6 on USG?

[ Edited ]

Ok, success! For reference, I am running the current latest production USG FW, 4.3.16.4879270:

 

appleguru@USG:~$ show version
Version: v4.3.16
Build ID: 4879270
Build on: 05/20/16 14:51
Copyright: 2012-2015 Ubiquiti Networks, Inc.
HW model: UniFi-Gateway-3
HW S/N: XXXXXXXX
Uptime: 13:40:42 up 4 min, 1 user, load average: 0.37, 0.46, 0.22

 

Originally, I followed this guide: https://community.ubnt.com/t5/EdgeMAX/My-config-for-a-working-IPv6-64-prefix-delegation-on-Comcast/t...

 

HOWEVER, this used a non-standard way of configuring things that required editing system files. While this worked, my goal was to get everything working using only standard EdgeOS configuration / a config.gateway.json file.

 

To that end, this tutorial was MUCH more helpful: https://community.ubnt.com/t5/EdgeMAX/Comcast-Residential-IPv6-with-EdgeOS-1-6-0-on-EdgeRouter-Lite/...

 

In the end, my configuration was very simple. I have a USG with my comcast cable modem plugged into the WAN port (eth0) and my LAN plugged into the LAN port (eth1). The basic idea is to let the USG pull IPV6 addresses from my cable modem via eth0 and advertise those addresses to my local clients over eth1. To achieve this, I ran the following commands:

 

 

 

set interfaces ethernet eth0 dhcpv6-pd pd 0
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1
set interfaces ethernet eth0 dhcpv6-pd pd 0 prefix-length 64
set interfaces ethernet eth1 ipv6 router-advert prefix ::/64
set interfaces ethernet eth1 ipv6 router-advert managed-flag true
set interfaces ethernet eth1 ipv6 router-advert send-advert true

If you're new to EdgeOS (the OS running on the USG) like I am, here's a more detailed look at how to run those commands, including committing and saving them. First, I SSHed into my USG. Then I ran "configure" and issued these commands:

 

 

appleguru@USG:~$ configure
[edit]
appleguru@USG# set interfaces ethernet eth0 dhcpv6-pd pd 0
[edit]
appleguru@USG# set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1
[edit]
appleguru@USG# set interfaces ethernet eth0 dhcpv6-pd pd 0 prefix-length 64
[edit]
appleguru@USG# set interfaces ethernet eth1 ipv6 router-advert prefix ::/64
[edit]
appleguru@USG# set interfaces ethernet eth1 ipv6 router-advert managed-flag true 
[edit]
appleguru@USG# set interfaces ethernet eth1 ipv6 router-advert send-advert true
[edit]
appleguru@USG# commit
[ interfaces ethernet eth1 ipv6 router-advert ]
Re-generating radvd config file for interface eth1...
Re-starting radvd...
Stopping radvd: radvd.
Starting radvd: radvd.

[ interfaces ethernet eth0 dhcpv6-pd ]
Starting new daemon...

[edit]
appleguru@USG# save
Saving configuration to '/config/config.boot'...
Done
[edit]
appleguru@USG# exit
exit

Before I did any of this, I exported my config:

 

 

 

mca-ctrl -t dump-cfg > config.gateway.json

I did the same thing after making my changes, and then pulled the files off using SFTP and diffed them (I used FileMerge on my Mac). I then edited the config.gateway.json file (using a good text editor which lets me collapse JSON sections; I used textWrangler on my mac) so that it only contained the changed parts, and saved that to /srv/unifi/data/sites/default/config.gateway.json on my Cloud Key:

 

{
        "interfaces": {
                "ethernet": {
                        "eth0": {
                                "dhcpv6-pd": {
                                        "pd": {
                                                "0": {
                                                        "interface": {
                                                                "eth1": "''"
                                                        },
                                                        "prefix-length": "64"
                                                }
                                        },
                                        "rapid-commit": "enable"
                                }
                        },
                        "eth1": {
                                "ipv6": {
                                        "dup-addr-detect-transmits": "1",
                                        "router-advert": {
                                                "cur-hop-limit": "64",
                                                "link-mtu": "0",
                                                "managed-flag": "true",
                                                "max-interval": "600",
                                                "other-config-flag": "false",
                                                "prefix": {
                                                        "::/64": {
                                                                "autonomous-flag": "true",
                                                                "on-link-flag": "true",
                                                                "valid-lifetime": "2592000"
                                                        }
                                                },
                                                "reachable-time": "0",
                                                "retrans-timer": "0",
                                                "send-advert": "true"
                                        }
                                }
                        }
                }
        }
}

 

I then verified that I could make changes via my controller to the USG (I added a firewall rule). That worked fine, and left my IPv6 changes intact. Rebooting the USG also seemed to be fine/not cause any problems.

 

So, if anyone else wants IPv6 support, in theory all you should have to do is copy the config.gateway.json file to your unifi controller and you should be all set!

 

One thing I did notice: occasionally, after a reboot, my clients would no longer pull IPv6 addresses/could no longer connect over IPv6, even though the USG could just fine (as verified via ping6). I found that disabling and re-enabling send-advert would cause radvd to restart and would 100% of the time fix my problems/re-enable IPv6 connectivity for my clients:

 

set interfaces ethernet eth1 ipv6 router-advert send-advert false
commit
set interfaces ethernet eth1 ipv6 router-advert send-advert true
commit

 

Member
Posts: 164
Registered: ‎10-12-2015
Kudos: 71
Solutions: 6

Re: IPv6 on USG?

Now, does anyone know what firewall rules (if any) are in place for my IPv6 clients with this configuration? I assume the standard "outbound only" applies and these aren't all wide open with no firewall on the internet... but since I haven't configured anything yet, maybe they are?

 

If that is the case, what is a good set of rules to block inbound connections/allow normal functionality, and how do I configure my USG with them?

 

Thanks!

Established Member
Posts: 1,364
Registered: ‎10-15-2015
Kudos: 440
Solutions: 65

Re: IPv6 on USG?

Might need to add them to your .json file, I don't think you can set IPv6 rules in the UniFi UI since v6 isn't officially supported yet.
Member
Posts: 164
Registered: ‎10-12-2015
Kudos: 71
Solutions: 6

Re: IPv6 on USG?

Yes, a quick test shows that on v6 my clients are now wide open 8-)

 

So, let's see if we can't get some basic rules in, and I will add to my .json file.

Member
Posts: 164
Registered: ‎10-12-2015
Kudos: 71
Solutions: 6

Re: IPv6 on USG?

[ Edited ]

Ok, I think I got it now. This reddit thread was very helpful for firewall rules: https://www.reddit.com/r/Ubiquiti/comments/3cdzw1/erl_ipv6_firewall/

 

That link had a few typos, which I corrected. Ultimately, I ran:

set firewall ipv6-name wan_in-6 default-action drop
set firewall ipv6-name wan_in-6 description wan_in
set firewall ipv6-name wan_in-6 enable-default-log
set firewall ipv6-name wan_in-6 rule 1 action accept
set firewall ipv6-name wan_in-6 rule 1 state established enable
set firewall ipv6-name wan_in-6 rule 1 state related enable
set firewall ipv6-name wan_in-6 rule 1 description "Allow Enabled/Related state"
set firewall ipv6-name wan_in-6 rule 2 action drop
set firewall ipv6-name wan_in-6 rule 2 log enable
set firewall ipv6-name wan_in-6 rule 2 state invalid enable
set firewall ipv6-name wan_in-6 rule 2 description "Drop Invalid state"
set firewall ipv6-name wan_in-6 rule 5 action accept
set firewall ipv6-name wan_in-6 rule 5 log enable
set firewall ipv6-name wan_in-6 rule 5 protocol icmpv6
set firewall ipv6-name wan_in-6 rule 5 description "Allow ICMPv6"
set firewall ipv6-name wan_local-6 default-action drop
set firewall ipv6-name wan_local-6 description wan_local
set firewall ipv6-name wan_local-6 enable-default-log
set firewall ipv6-name wan_local-6 rule 1 action accept
set firewall ipv6-name wan_local-6 rule 1 state established enable
set firewall ipv6-name wan_local-6 rule 1 state related enable
set firewall ipv6-name wan_local-6 rule 1 description "Allow Enabled/Related state"
set firewall ipv6-name wan_local-6 rule 2 action drop
set firewall ipv6-name wan_local-6 rule 2 log enable
set firewall ipv6-name wan_local-6 rule 2 state invalid enable
set firewall ipv6-name wan_local-6 rule 2 description "Drop Invalid state"
set firewall ipv6-name wan_local-6 rule 5 action accept
set firewall ipv6-name wan_local-6 rule 5 log enable
set firewall ipv6-name wan_local-6 rule 5 protocol icmpv6
set firewall ipv6-name wan_local-6 rule 5 description "Allow ICMPv6"
set firewall ipv6-name wan_local-6 rule 6 description "DHCPv6"
set firewall ipv6-name wan_local-6 rule 6 action accept
set firewall ipv6-name wan_local-6 rule 6 destination port 546
set firewall ipv6-name wan_local-6 rule 6 protocol udp
set firewall ipv6-name wan_local-6 rule 6 source port 547
set interfaces ethernet eth0 firewall in ipv6-name wan_in-6
set interfaces ethernet eth0 firewall local ipv6-name wan_local-6

Which yields this delta config.gateway.json file:

{
        "firewall": {
                "ipv6-name": {
                        "wan_in-6": {
                                "default-action": "drop",
                                "description": "wan_in",
                                "enable-default-log": "''",
                                "rule": {
                                        "1": {
                                                "action": "accept",
                                                "description": "Allow Enabled/Related state",
                                                "state": {
                                                        "established": "enable",
                                                        "related": "enable"
                                                }
                                        },
                                        "2": {
                                                "action": "drop",
                                                "description": "Drop Invalid state",
                                                "log": "enable",
                                                "state": {
                                                        "invalid": "enable"
                                                }
                                        },
                                        "5": {
                                                "action": "accept",
                                                "description": "Allow ICMPv6",
                                                "log": "enable",
                                                "protocol": "icmpv6"
                                        }
                                }
                        },
                        "wan_local-6": {
                                "default-action": "drop",
                                "description": "wan_local",
                                "enable-default-log": "''",
                                "rule": {
                                        "1": {
                                                "action": "accept",
                                                "description": "Allow Enabled/Related state",
                                                "state": {
                                                        "established": "enable",
                                                        "related": "enable"
                                                }
                                        },
                                        "2": {
                                                "action": "drop",
                                                "description": "Drop Invalid state",
                                                "log": "enable",
                                                "state": {
                                                        "invalid": "enable"
                                                }
                                        },
                                        "5": {
                                                "action": "accept",
                                                "description": "Allow ICMPv6",
                                                "log": "enable",
                                                "protocol": "icmpv6"
                                        },
                                        "6": {
                                                "action": "accept",
                                                "description": "DHCPv6",
                                                "destination": {
                                                        "port": "546"
                                                },
                                                "protocol": "udp",
                                                "source": {
                                                        "port": "547"
                                                }
                                        }
                                }
                        }
                }
        },
        "interfaces": {
                "ethernet": {
                        "eth0": {
                                "dhcpv6-pd": {
                                        "pd": {
                                                "0": {
                                                        "interface": {
                                                                "eth1": "''"
                                                        },
                                                        "prefix-length": "64"
                                                }
                                        },
                                        "rapid-commit": "enable"
                                },
                                "firewall": {
                                        "in": {
                                                "ipv6-name": "wan_in-6"
                                        },
                                        "local": {
                                                "ipv6-name": "wan_local-6"
                                        }
                                }
                        },
                        "eth1": {
                                "ipv6": {
                                        "dup-addr-detect-transmits": "1",
                                        "router-advert": {
                                                "cur-hop-limit": "64",
                                                "link-mtu": "0",
                                                "managed-flag": "true",
                                                "max-interval": "600",
                                                "other-config-flag": "false",
                                                "prefix": {
                                                        "::/64": {
                                                                "autonomous-flag": "true",
                                                                "on-link-flag": "true",
                                                                "valid-lifetime": "2592000"
                                                        }
                                                },
                                                "reachable-time": "0",
                                                "retrans-timer": "0",
                                                "send-advert": "true"
                                        }
                                }
                        }
                }
        }
}
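
An added example, not part of the original posts and not Ubiquiti code: a pre-flight check for a hand-edited config.gateway.json that catches the two problems this thread ran into, a malformed file and a WAN interface that requests a delegated prefix (dhcpv6-pd) with no drop-by-default ipv6-name ruleset bound to it. The function names are hypothetical and the two sample documents are constructed, condensed from the delta files posted above.

```python
import json


def _no_dupes(pairs):
    """object_pairs_hook: json.loads keeps only the last duplicate key, so reject them."""
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise ValueError(f"duplicate key {key!r}")
        seen[key] = value
    return seen


def load_config(text):
    """Parse the config text; raise ValueError with a location on bad syntax."""
    try:
        return json.loads(text, object_pairs_hook=_no_dupes)
    except json.JSONDecodeError as exc:
        raise ValueError(
            f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"
        ) from None


def audit_ipv6_firewall(cfg):
    """Return findings for every ethernet interface that has a dhcpv6-pd section."""
    findings = []
    rulesets = cfg.get("firewall", {}).get("ipv6-name", {})
    for name, iface in cfg.get("interfaces", {}).get("ethernet", {}).items():
        if not isinstance(iface, dict) or "dhcpv6-pd" not in iface:
            continue  # not an interface that pulls a delegated prefix
        for direction in ("in", "local"):
            bound = iface.get("firewall", {}).get(direction, {}).get("ipv6-name")
            if bound is None:
                findings.append(f"{name}: no ipv6-name ruleset bound to '{direction}'")
                continue
            ruleset = rulesets.get(bound)
            if ruleset is None:
                findings.append(f"{name}: '{direction}' references undefined ruleset {bound}")
            elif ruleset.get("default-action") != "drop":
                findings.append(f"{name}: ruleset {bound} default-action is not drop")
    return findings


def check(text):
    """Syntax check first, then the firewall audit; returns a list of findings."""
    try:
        cfg = load_config(text)
    except ValueError as exc:
        return [str(exc)]
    return audit_ipv6_firewall(cfg)


# Constructed sample: prefix delegation and router adverts only, no IPv6 firewall.
PD_ONLY = '''
{"interfaces": {"ethernet": {
  "eth0": {"dhcpv6-pd": {"pd": {"0": {"interface": {"eth1": "''"}, "prefix-length": "64"}},
                         "rapid-commit": "enable"}},
  "eth1": {"ipv6": {"router-advert": {"prefix": {"::/64": {"autonomous-flag": "true"}},
                                      "send-advert": "true"}}}
}}}
'''

# Constructed sample: same WAN interface with the thread's two rulesets bound (rules omitted).
WITH_FIREWALL = '''
{"firewall": {"ipv6-name": {
  "wan_in-6": {"default-action": "drop"},
  "wan_local-6": {"default-action": "drop"}}},
 "interfaces": {"ethernet": {"eth0": {
  "dhcpv6-pd": {"pd": {"0": {"interface": {"eth1": "''"}, "prefix-length": "64"}}},
  "firewall": {"in": {"ipv6-name": "wan_in-6"},
               "local": {"ipv6-name": "wan_local-6"}}}}}}
'''

if __name__ == "__main__":
    for label, text in (("pd-only", PD_ONLY), ("with-firewall", WITH_FIREWALL),
                        ("truncated", PD_ONLY.rstrip()[:-1])):
        print(label, check(text) or "ok")
```

A delta file only shows what it overrides, so the audit is most meaningful when run against the full output of `mca-ctrl -t dump-cfg` taken after provisioning.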
Member
Posts: 164
Registered: ‎10-12-2015
Kudos: 71
Solutions: 6

Re: IPv6 on USG?

[ Edited ]

Ok, so, all together now for anyone else interested in replicating this... If you have a USG + CK... to enable IPv6 on your USG, inclusive of some standard IPv6 firewall rules, copy the attached config.gateway.json file into your /srv/unifi/data/sites/default folder on your cloud key. (Unzip it first!)

 

(if you have multiple sites configured or are using your own hardware for your unifi controller, copy it to the correct path for your setup)

Attachment
Member
Posts: 164
Registered: ‎10-12-2015
Kudos: 71
Solutions: 6

Re: IPv6 on USG?

[ Edited ]

Can anyone with some more experience validate my .json file?

 

I noticed that this guide: https://help.ubnt.com/hc/en-us/articles/215458888-UniFi-How-to-further-customize-USG-configuration-w...

 

says: It is important to note here that the custom json file is a "replace" instead of a "merge" of the sections of configuration. You must keep that in mind so you include ALL the items, and not only the new ones you wish to add.

 

My setup shows the opposite; that it does appear to be a merge and not a "replace". If it was a replace, I'd expect nothing to work, but everything seems to be working great!
