Qiita Teams that are logged in
You are not logged in to any team

Log in to Qiita Team
Community
OrganizationAdvent CalendarQiitadon (β)
Service
Qiita JobsQiita ZineQiita Blog
12
Help us understand the problem. What is going on with this article?
@haccht

Edgerouter Lite-3でDS-Lite

はじめに

IIJmioひかりでIPoEオプションを契約し、Edgerouter-Lite3でDS-Lite接続してみた。
今回はあわせてひかり電話も契約し、DHCPv6-PDを使ってLAN内の端末にもIPv6アドレスを割り振れるよう設定する。

構成

          +-----------------+   +--------------------------+
          |     pr-500ki    |   |     EdgeRouter-Lite3     |
          |                 |   |                          |
          |  +----+  +----+ |   |  +----+  +----+  +----+  |
          |  |WAN |  |LAN1| |   |  |eth0|  |eth1|  |eth2|  |
          +--+-+--+--+--+-+-+   +--+-+--+--+--+-+--+----+--+
               |        |            |        |
INTERNET +-----+        +------------+        +-------------+ LAN

光コラボレーション事業者であるところのIIJから貸与されたホームゲートウェイ(ひかり電話ルータ)はpr-500kiだった。PPPoE(IPv4)はEdgerouter-Lite3に任せるため、事前にpr-500kiのPPPoEは停止しPPPoEブリッジを有効にしておく。

Edgerouter-Lite3はeth0をWANポートに、eth1とeth2をLANポートとする。
eth1とeth2をブリッジさせることも可能なようだが、性能が大きく低下するため今回は個別のセグメントにしている。Edgerouter-Xならハードウェアブリッジが可能なので、そこまで性能低下しないはず。

今回はひかり電話契約ありのため、pr-500kiにはIPv6アドレスとして/60のprefixが割り当てられている。LAN内の端末にはこのprefixをさらに/64に分割し、DHCPv6で割り振る。

その他、あわせて以下を設定した。

  • 192.168.1.1-192.168.1.63/24の範囲をサーバーセグメントとし、インターネット接続にはPPPoEを用いる
  • 192.168.1.64-192.168.1.199/24の範囲をLANセグメントとし、インターネット接続にはDS-Liteを用いる
  • 192.168.1.200-192.168.1.210/24の範囲をL2TP接続用にプールする
  • PPPoEとDS-LiteはPolicy Based Routingにより振り分ける
  • GoogleDomainで自ドメインを運用してDDNSを設定する

コンフィグ

EdgerouterのOS(EdgeMAX)はVyOSをフォークしたものであり、コンフィグもVyOSとほぼ同じ。

DS-Lite接続のためにはIPv6サービスプロバイダのtransixとIPIPトンネル(ipv6-tunnel)を作成する必要があるが、このときremote-ipだけでなくlocal-ipをIPv6グローバルアドレスで指定しなくてはならない。そのため、まずはeth0インタフェースにset interfaces ethernet ipv6 address autoconfを設定し、IPv6グローバルアドレスが割り振られたのを確認してからipv6-tunnel設定をすればよい。

{}内は各自の設定に合わせて置き換えること。

set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable

set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN description 'WANv6 to LAN'
set firewall ipv6-name WANv6_IN enable-default-log
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 description 'Allow established/related'
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable
set firewall ipv6-name WANv6_IN rule 20 action accept
set firewall ipv6-name WANv6_IN rule 20 description 'Allow IPv6 ICMP'
set firewall ipv6-name WANv6_IN rule 20 protocol ipv6-icmp
set firewall ipv6-name WANv6_IN rule 30 action drop
set firewall ipv6-name WANv6_IN rule 30 description 'Drop invalid state'
set firewall ipv6-name WANv6_IN rule 30 state invalid enable

set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL description 'WANv6 to Router'
set firewall ipv6-name WANv6_LOCAL enable-default-log
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 description 'Allow established/related'
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
set firewall ipv6-name WANv6_LOCAL rule 20 action accept
set firewall ipv6-name WANv6_LOCAL rule 20 description 'Allow IPv6 ICMP'
set firewall ipv6-name WANv6_LOCAL rule 20 protocol ipv6-icmp
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 description 'Allow DHCPv6'
set firewall ipv6-name WANv6_LOCAL rule 30 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 30 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 30 source port 547
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 description 'Allow DSLite'
set firewall ipv6-name WANv6_LOCAL rule 40 protocol ipip
set firewall ipv6-name WANv6_LOCAL rule 50 action drop
set firewall ipv6-name WANv6_LOCAL rule 50 description 'Drop invalid state'
set firewall ipv6-name WANv6_LOCAL rule 50 state invalid enable

set firewall name DSLite_IN default-action drop
set firewall name DSLite_IN description 'WAN(DSLite) to LAN'
set firewall name DSLite_IN rule 10 action accept
set firewall name DSLite_IN rule 10 description 'Allow established/related'
set firewall name DSLite_IN rule 10 state established enable
set firewall name DSLite_IN rule 10 state related enable
set firewall name DSLite_IN rule 20 action drop
set firewall name DSLite_IN rule 20 description 'Drop invalid state'
set firewall name DSLite_IN rule 20 state invalid enable

set firewall name DSLite_LOCAL default-action drop
set firewall name DSLite_LOCAL description 'WAN(DSLite) to Router'
set firewall name DSLite_LOCAL rule 10 action accept
set firewall name DSLite_LOCAL rule 10 description 'Allow established/related'
set firewall name DSLite_LOCAL rule 10 state established enable
set firewall name DSLite_LOCAL rule 10 state related enable
set firewall name DSLite_LOCAL rule 20 action drop
set firewall name DSLite_LOCAL rule 20 description 'Drop invalid state'
set firewall name DSLite_LOCAL rule 20 state invalid enable

set firewall name PPPoE_IN default-action drop
set firewall name PPPoE_IN description 'WAN(PPPoE) to LAN'
set firewall name PPPoE_IN rule 10 action accept
set firewall name PPPoE_IN rule 10 description 'Allow established/related'
set firewall name PPPoE_IN rule 10 state established enable
set firewall name PPPoE_IN rule 10 state related enable
set firewall name PPPoE_IN rule 20 action drop
set firewall name PPPoE_IN rule 20 description 'Drop invalid state'
set firewall name PPPoE_IN rule 20 state invalid enable

set firewall name PPPoE_LOCAL default-action drop
set firewall name PPPoE_LOCAL description 'WAN(PPPoE) to Router'
set firewall name PPPoE_LOCAL rule 10 action accept
set firewall name PPPoE_LOCAL rule 10 description 'Allow established/related'
set firewall name PPPoE_LOCAL rule 10 state established enable
set firewall name PPPoE_LOCAL rule 10 state related enable
set firewall name PPPoE_LOCAL rule 20 action accept
set firewall name PPPoE_LOCAL rule 20 description 'Allow ping'
set firewall name PPPoE_LOCAL rule 20 destination group address-group ADDRv4_pppoe0
set firewall name PPPoE_LOCAL rule 20 log disable
set firewall name PPPoE_LOCAL rule 20 protocol icmp
set firewall name PPPoE_LOCAL rule 30 action accept
set firewall name PPPoE_LOCAL rule 30 description 'Allow IKE, L2TP, NAT-T'
set firewall name PPPoE_LOCAL rule 30 destination port 500,1701,4500
set firewall name PPPoE_LOCAL rule 30 protocol udp
set firewall name PPPoE_LOCAL rule 40 action accept
set firewall name PPPoE_LOCAL rule 40 description 'Allow ESP'
set firewall name PPPoE_LOCAL rule 40 protocol esp
set firewall name PPPoE_LOCAL rule 50 action drop
set firewall name PPPoE_LOCAL rule 50 description 'Drop invalid state'
set firewall name PPPoE_LOCAL rule 50 state invalid enable

set firewall modify LAN_PBR rule 10 action modify
set firewall modify LAN_PBR rule 10 description 'LAN to WAN(PPPoE)'
set firewall modify LAN_PBR rule 10 destination address '!192.168.0.0/16'
set firewall modify LAN_PBR rule 10 modify table 1
set firewall modify LAN_PBR rule 10 source address 192.168.1.1-192.168.1.63
set firewall modify LAN_PBR rule 20 action modify
set firewall modify LAN_PBR rule 20 description 'LAN to WAN(DSLite)'
set firewall modify LAN_PBR rule 20 destination address '!192.168.0.0/16'
set firewall modify LAN_PBR rule 20 modify table 2
set firewall modify LAN_PBR rule 20 source address 192.168.1.64-192.168.1.255

set firewall options mss-clamp interface-type pppoe
set firewall options mss-clamp mss 1414

set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 speed auto
set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL

set interfaces ethernet eth0 ipv6 address autoconf
set interfaces ethernet eth0 ipv6 dup-addr-detect-transmits 1

set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 host-address '::1'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 prefix-id ':1'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 host-address '::1'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 prefix-id ':2'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 prefix-length /60
set interfaces ethernet eth0 dhcpv6-pd rapid-commit enable

set interfaces ethernet eth0 pppoe 0 description IIJMio
set interfaces ethernet eth0 pppoe 0 default-route auto
set interfaces ethernet eth0 pppoe 0 mtu 1454
set interfaces ethernet eth0 pppoe 0 firewall in name PPPoE_IN
set interfaces ethernet eth0 pppoe 0 firewall local name PPPoE_LOCAL
set interfaces ethernet eth0 pppoe 0 name-server auto
set interfaces ethernet eth0 pppoe 0 password {PPPOE_PASSWORD}
set interfaces ethernet eth0 pppoe 0 user-id {PPPOE_ACCOUNT}@iij.ad.jp

set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 description LAN1
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 speed auto
set interfaces ethernet eth1 firewall in modify LAN_PBR

set interfaces ethernet eth2 address 192.168.2.1/24
set interfaces ethernet eth2 description LAN2
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 speed auto

set interfaces ipv6-tunnel v6tun0 description DSLite
set interfaces ipv6-tunnel v6tun0 encapsulation ipip6
set interfaces ipv6-tunnel v6tun0 firewall in name DSLite_IN
set interfaces ipv6-tunnel v6tun0 firewall local name DSLite_LOCAL
set interfaces ipv6-tunnel v6tun0 local-ip {GLOBAL_IPV6_ADDR_ETH0}
set interfaces ipv6-tunnel v6tun0 mtu 1454
set interfaces ipv6-tunnel v6tun0 multicast disable
set interfaces ipv6-tunnel v6tun0 remote-ip '2404:8e00::feed:101'
set interfaces ipv6-tunnel v6tun0 ttl 64

set protocols static interface-route 0.0.0.0/0 next-hop-interface pppoe0
set protocols static interface-route 0.0.0.0/0 next-hop-interface v6tun0 distance 100
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface pppoe0
set protocols static table 2 interface-route 0.0.0.0/0 next-hop-interface v6tun0

set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server use-dnsmasq disable
set service dhcp-server static-arp disable
set service dhcp-server shared-network-name LAN1 authoritative enable
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 dns-server 192.168.1.1
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 lease 86400
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 domain-name lan
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 start 192.168.1.64 stop 192.168.1.199
set service dhcp-server shared-network-name LAN2 authoritative enable
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 default-router 192.168.2.1
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 dns-server 192.168.2.1
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 lease 86400
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 domain-name lan
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 start 192.168.2.64 stop 192.168.2.199

set service dns dynamic interface pppoe0 service custom-GoogleDomains host-name {DDNS_HOSTNAME}
set service dns dynamic interface pppoe0 service custom-GoogleDomains login nouser
set service dns dynamic interface pppoe0 service custom-GoogleDomains password {DDNS_TOKEN}
set service dns dynamic interface pppoe0 service custom-GoogleDomains protocol dyndns2
set service dns dynamic interface pppoe0 service custom-GoogleDomains server domains.google.com
set service dns dynamic interface pppoe0 web dyndns

set service dns forwarding cache-size 5000
set service dns forwarding options listen-address=192.168.1.1
set service dns forwarding listen-on eth1
set service dns forwarding listen-on eth2
set service dns forwarding listen-on lo

set service gui http-port 80
set service gui https-port 443
set service gui older-ciphers enable

set service nat rule 5010 description 'masquerade for WAN(PPPoE)'
set service nat rule 5010 outbound-interface pppoe0
set service nat rule 5010 type masquerade

set service ssh disable-password-authentication
set service ssh port 22
set service ssh protocol-version v2

set system login user {USERNAME} authentication encrypted-password '{PASSWORD}'
set system login user {USERNAME} authentication public-keys {USERNAME}@host key {PUBLIC_KEY}
set system login user {USERNAME} authentication public-keys {USERNAME}@host type ssh-rsa
set system login user {USERNAME} level admin

set system name-server 127.0.0.1

set system ntp server 0.ubnt.pool.ntp.org
set system ntp server 1.ubnt.pool.ntp.org
set system ntp server 2.ubnt.pool.ntp.org
set system ntp server 3.ubnt.pool.ntp.org
set system time-zone Asia/Tokyo

set system syslog global facility all level notice
set system syslog global facility protocols level debug
set system syslog host 192.168.1.10 facility all level info

set system offload hwnat disable
set system offload ipv4 forwarding enable
set system offload ipv4 pppoe enable
set system offload ipv6 forwarding enable
set system traffic-analysis dpi enable
set system traffic-analysis export enable

set vpn ipsec ipsec-interfaces interface pppoe0
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal enable

set vpn l2tp remote-access authentication local-users username {L2TP_USERNAME} password {L2TP_PASSWORD}
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access client-ip-pool start 192.168.1.200
set vpn l2tp remote-access client-ip-pool stop 192.168.1.210
set vpn l2tp remote-access dns-servers server-1 192.168.1.1
set vpn l2tp remote-access dns-servers server-2 8.8.8.8
set vpn l2tp remote-access idle 1800
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret {PRE_SHARED_SECRET}
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn l2tp remote-access mtu 1280
set vpn l2tp remote-access outside-address 0.0.0.0
12
Help us understand the problem. What is going on with this article?
Why not register and get more from Qiita?
  1. We will deliver articles that match you
    By following users and tags, you can catch up information on technical fields that you are interested in as a whole
  2. you can read useful information later efficiently
    By "stocking" the articles you like, you can search right away
haccht

Comments

No comments
Sign up for free and join this conversation.
Sign Up
If you already have a Qiita account Login
12
Help us understand the problem. What is going on with this article?