
Edgerouter Lite-3でDS-Lite

このたびEdgerouter Lite-3を安く購入することができたので、IIJmioひかりでIPoEを契約してDS-Liteしてみた。

EdgerouterのファームウェアはEdgeOSと言ってVyosからフォークしたもので、いくつか独自仕様の部分もあるけれどIPv6まわりのまとまった資料もなかったので整理がてら投稿してみる。

ちなみにEdgeOSはつい先日v1.9.1がリリースされたばかりで、このリリースでIPv6でのIPIPトンネルが作れるようになったようだ。ちょうどいいタイミングだった。

2018/02/20 追記: v1.10.0がリリースされたので設定を見直し、現在のコンフィグにあわせて記事も修正した

構成

ERL-3のeth0をWANに、eth1とeth2をLANに設定。
eth1とeth2をブリッジさせることも可能なようだけど、性能が大きく低下するため今回は個別のセグメントにした。ER-xならハードウェアスイッチングが可能なようなので、必要ならそちらで。

光コラボレーション事業者であるところのIIJから貸与されたひかり電話ルータはpr-500ki。pr-500kiのLANポートとERL-3のeth0を接続しておく。
またpr-500kiのpppoeは停止して、pppoeブリッジが有効になっていることを確認しておくこと。

今回はひかり電話契約ありなので、HGWからのRAをもとにeth0のIPv6アドレスはautoconfする。
またDHCPv6-PDによりHGWには/60のprefixが割り当てられている。これを/64のprefixに分割してLAN内のIPv6アドレスに利用する。
ちなみにIPIPトンネルでDS-Liteを設定するためには、eth0のIPv6グローバルアドレスを知っていなければならない。
そのため、一旦eth0にipv6 address autoconfを設定してIPv6アドレスが割り付けられたことを確認してからDS-Lite設定を行うこと。

以下ではあわせて下記の設定を行っている。

  • 192.168.1.1-192.168.1.63/24の範囲をサーバーセグメントとしてインターネット接続にはPPPoEを用いる
  • 192.168.1.64-192.168.1.199/24の範囲をLANセグメントとしてインターネット接続にはDS-Liteを用いる
  • 192.168.1.200-192.168.1.210/24の範囲をL2TP接続用にプールする
  • PPPoEとDS-LiteはPolicy Based Routingにより振り分ける
  • port-forwardにより特定サービスをインターネット側へ公開する(GaraponTVなど)
  • GoogleDomainで自ドメインを運用してDDNSを設定する

コンフィグ

コンフィグはVyosとほぼ同じ。
pppoeのハードウェアoffloadは設定するとむしろ遅くなるという話もあるので、お好みで。

# EdgeOS (VyOS-derived) configuration for an EdgeRouter Lite-3:
#   eth0   = WAN towards the HGW: IPv4 via DHCP, IPv6 via SLAAC, DHCPv6-PD (/60)
#   eth1   = LAN1 192.168.1.0/24, eth2 = LAN2 192.168.2.0/24
#   pppoe0 = IPv4 PPPoE session carried on eth0
#   v6tun0 = DS-Lite tunnel (IPv4 encapsulated in IPv6, "ipip6")
# Values in <angle brackets> are placeholders and must be replaced before use.
# '#' lines are reader comments only.

# Global firewall hardening: no broadcast ping, no source routing (v4/v6),
# no ICMPv6 redirects accepted, martian (bogus-source) packets are logged.
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable

# IPv6 from the WAN towards LAN hosts (LAN hosts get global addresses via
# SLAAC below, so this chain is their only inbound filter). Default drop,
# and drops are logged (enable-default-log) -- useful for detection.
# Rule 20 accepts every ICMPv6 type; ND/PMTUD need some of them, but the set
# could be narrowed (RFC 4890 lists which types are required end-to-end).
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN description 'WANv6 to LAN'
set firewall ipv6-name WANv6_IN enable-default-log
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 description 'Allow established/related'
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable
set firewall ipv6-name WANv6_IN rule 20 action accept
set firewall ipv6-name WANv6_IN rule 20 description 'Allow IPv6 ICMP'
set firewall ipv6-name WANv6_IN rule 20 protocol ipv6-icmp
set firewall ipv6-name WANv6_IN rule 30 action drop
set firewall ipv6-name WANv6_IN rule 30 description 'Drop invalid state'
set firewall ipv6-name WANv6_IN rule 30 state invalid enable

# IPv6 from the WAN towards the router itself.
# Rule 30: DHCPv6 replies (server port 547 -> client port 546), needed by the
#          dhcpv6-pd client configured on eth0 below.
# Rule 40: the DS-Lite return path -- IPv4-in-IPv6 (protocol ipip) is accepted
#          from ANY IPv6 source. The tunnel only talks to the remote-ip set on
#          v6tun0 below, so a 'source address' restriction to that AFTR address
#          would tighten this rule; confirm the AFTR always answers from the
#          address the tunnel is pointed at before adding it.
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL description 'WANv6 to Router'
set firewall ipv6-name WANv6_LOCAL enable-default-log
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 description 'Allow established/related'
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
set firewall ipv6-name WANv6_LOCAL rule 20 action accept
set firewall ipv6-name WANv6_LOCAL rule 20 description 'Allow IPv6 ICMP'
set firewall ipv6-name WANv6_LOCAL rule 20 protocol ipv6-icmp
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 description 'Allow DHCPv6'
set firewall ipv6-name WANv6_LOCAL rule 30 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 30 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 30 source port 547
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 description 'Allow DSLite'
set firewall ipv6-name WANv6_LOCAL rule 40 protocol ipip
set firewall ipv6-name WANv6_LOCAL rule 50 action drop
set firewall ipv6-name WANv6_LOCAL rule 50 description 'Drop invalid state'
set firewall ipv6-name WANv6_LOCAL rule 50 state invalid enable

# IPv4 arriving through the DS-Lite tunnel: only replies to LAN-initiated
# traffic, nothing new is accepted. Unlike the WANv6 chains, the DSLite_* and
# PPPoE_* chains do not set enable-default-log, so their default drops are
# silent; add it if you want the same visibility on the IPv4 side.
set firewall name DSLite_IN default-action drop
set firewall name DSLite_IN description 'WAN(DSLite) to LAN'
set firewall name DSLite_IN rule 10 action accept
set firewall name DSLite_IN rule 10 description 'Allow established/related'
set firewall name DSLite_IN rule 10 state established enable
set firewall name DSLite_IN rule 10 state related enable
set firewall name DSLite_IN rule 20 action drop
set firewall name DSLite_IN rule 20 description 'Drop invalid state'
set firewall name DSLite_IN rule 20 state invalid enable

# IPv4 through the DS-Lite tunnel to the router itself: replies only, so no
# router service (ssh, gui, dns) is reachable over this path.
set firewall name DSLite_LOCAL default-action drop
set firewall name DSLite_LOCAL description 'WAN(DSLite) to Router'
set firewall name DSLite_LOCAL rule 10 action accept
set firewall name DSLite_LOCAL rule 10 description 'Allow established/related'
set firewall name DSLite_LOCAL rule 10 state established enable
set firewall name DSLite_LOCAL rule 10 state related enable
set firewall name DSLite_LOCAL rule 20 action drop
set firewall name DSLite_LOCAL rule 20 description 'Drop invalid state'
set firewall name DSLite_LOCAL rule 20 state invalid enable

# IPv4 from the PPPoE side towards LAN hosts: replies only. The port-forward
# section below has auto-firewall enabled, which is what admits the published
# GaraponTV ports in addition to these rules.
set firewall name PPPoE_IN default-action drop
set firewall name PPPoE_IN description 'WAN(PPPoE) to LAN'
set firewall name PPPoE_IN rule 10 action accept
set firewall name PPPoE_IN rule 10 description 'Allow established/related'
set firewall name PPPoE_IN rule 10 state established enable
set firewall name PPPoE_IN rule 10 state related enable
set firewall name PPPoE_IN rule 20 action drop
set firewall name PPPoE_IN rule 20 description 'Drop invalid state'
set firewall name PPPoE_IN rule 20 state invalid enable

# IPv4 from the PPPoE side to the router itself. This is the Internet-exposed
# surface of the router:
#   rule 20: ICMP to the pppoe0 address only (ADDRv4_pppoe0 is the auto group)
#   rule 30: IKE (500), L2TP (1701) and NAT-T (4500) from anywhere, for the
#            L2TP/IPsec remote-access service at the bottom of this config.
#            UDP 1701 is accepted unconditionally here; if the firmware offers
#            'ipsec match-ipsec' on firewall rules, limiting 1701 to
#            IPsec-decapsulated packets keeps plain L2TP off the Internet.
#   rule 40: ESP
set firewall name PPPoE_LOCAL default-action drop
set firewall name PPPoE_LOCAL description 'WAN(PPPoE) to Router'
set firewall name PPPoE_LOCAL rule 10 action accept
set firewall name PPPoE_LOCAL rule 10 description 'Allow established/related'
set firewall name PPPoE_LOCAL rule 10 state established enable
set firewall name PPPoE_LOCAL rule 10 state related enable
set firewall name PPPoE_LOCAL rule 20 action accept
set firewall name PPPoE_LOCAL rule 20 description 'Allow ping'
set firewall name PPPoE_LOCAL rule 20 destination group address-group ADDRv4_pppoe0
set firewall name PPPoE_LOCAL rule 20 log disable
set firewall name PPPoE_LOCAL rule 20 protocol icmp
set firewall name PPPoE_LOCAL rule 30 action accept
set firewall name PPPoE_LOCAL rule 30 description 'Allow IKE, L2TP, NAT-T'
set firewall name PPPoE_LOCAL rule 30 destination port 500,1701,4500
set firewall name PPPoE_LOCAL rule 30 protocol udp
set firewall name PPPoE_LOCAL rule 40 action accept
set firewall name PPPoE_LOCAL rule 40 description 'Allow ESP'
set firewall name PPPoE_LOCAL rule 40 protocol esp
set firewall name PPPoE_LOCAL rule 50 action drop
set firewall name PPPoE_LOCAL rule 50 description 'Drop invalid state'
set firewall name PPPoE_LOCAL rule 50 state invalid enable

# Policy-based routing for LAN1 (attached to eth1 'in' below).
# Traffic to 192.168.0.0/16 is excluded so LAN-to-LAN stays in the main table.
#   rule 10: 192.168.1.1-63   -> table 1 (default route via pppoe0)
#   rule 20: 192.168.1.64-255 -> table 2 (default route via v6tun0 / DS-Lite)
# Rule 20's range also covers the L2TP pool (.200-.210), but since the chain
# is only attached to eth1, L2TP clients arriving on their own interface are
# presumably not matched and use the main table -- verify if that matters.
# eth2 has no modify chain, so LAN2 always uses the main table (pppoe0).
set firewall modify LAN_PBR rule 10 action modify
set firewall modify LAN_PBR rule 10 description 'LAN to WAN(PPPoE)'
set firewall modify LAN_PBR rule 10 destination address '!192.168.0.0/16'
set firewall modify LAN_PBR rule 10 modify table 1
set firewall modify LAN_PBR rule 10 source address 192.168.1.1-192.168.1.63
set firewall modify LAN_PBR rule 20 action modify
set firewall modify LAN_PBR rule 20 description 'LAN to WAN(DSLite)'
set firewall modify LAN_PBR rule 20 destination address '!192.168.0.0/16'
set firewall modify LAN_PBR rule 20 modify table 2
set firewall modify LAN_PBR rule 20 source address 192.168.1.64-192.168.1.255

# TCP MSS clamp for PPPoE: 1414 = pppoe0 MTU 1454 - 40 bytes of IP+TCP header.
# v6tun0 also has MTU 1454 but is not covered by this clamp (interface-type is
# pppoe only); if large transfers over DS-Lite stall, check PMTUD on that path.
set firewall options mss-clamp interface-type pppoe
set firewall options mss-clamp mss 1414

# eth0 (WAN side, HGW LAN port). IPv4 address comes from the HGW via DHCP.
# Only IPv6 chains are attached here -- there is no IPv4 'in'/'local' filter
# on eth0, so router services are reachable from anything else on the HGW
# segment via the DHCP address. Fine if the HGW is the only neighbour; confirm.
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 speed auto
set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL

# eth0 takes its global IPv6 address from the HGW's RA (SLAAC). That address
# is the one that must be copied into v6tun0 local-ip below.
set interfaces ethernet eth0 ipv6 address autoconf
set interfaces ethernet eth0 ipv6 dup-addr-detect-transmits 1

# DHCPv6-PD: request a /60 and carve /64s for eth1 (prefix-id :1) and eth2
# (prefix-id :2); the router takes ::1 in each and advertises them via SLAAC.
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 host-address '::1'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 prefix-id ':1'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 host-address '::1'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 prefix-id ':2'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 prefix-length /60
set interfaces ethernet eth0 dhcpv6-pd rapid-commit enable

# PPPoE session (IPv4 only; no IPv6 is configured on it). Credentials are
# stored in the configuration -- protect config backups accordingly.
set interfaces ethernet eth0 pppoe 0 description IIJMio
set interfaces ethernet eth0 pppoe 0 default-route auto
set interfaces ethernet eth0 pppoe 0 mtu 1454
set interfaces ethernet eth0 pppoe 0 firewall in name PPPoE_IN
set interfaces ethernet eth0 pppoe 0 firewall local name PPPoE_LOCAL
set interfaces ethernet eth0 pppoe 0 name-server auto
set interfaces ethernet eth0 pppoe 0 password <password>
set interfaces ethernet eth0 pppoe 0 user-id <username>@iij.ad.jp

# LAN1: PBR chain attached on ingress.
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 description LAN1
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 speed auto
set interfaces ethernet eth1 firewall in modify LAN_PBR

# LAN2: no PBR, no firewall -> main routing table.
set interfaces ethernet eth2 address 192.168.2.1/24
set interfaces ethernet eth2 description LAN2
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 speed auto

# DS-Lite tunnel. local-ip must be eth0's SLAAC global address; if the
# prefix the HGW advertises ever changes, this value has to be updated by hand.
# No IPv4 NAT is configured for this interface (only pppoe0 is masqueraded
# below) -- in the DS-Lite model the provider's AFTR performs the NAT.
set interfaces ipv6-tunnel v6tun0 description DSLite
set interfaces ipv6-tunnel v6tun0 encapsulation ipip6
set interfaces ipv6-tunnel v6tun0 firewall in name DSLite_IN
set interfaces ipv6-tunnel v6tun0 firewall local name DSLite_LOCAL
set interfaces ipv6-tunnel v6tun0 local-ip <eth0 global ipv6>
set interfaces ipv6-tunnel v6tun0 mtu 1454
set interfaces ipv6-tunnel v6tun0 multicast disable
set interfaces ipv6-tunnel v6tun0 remote-ip '2404:8e00::feed:101'
set interfaces ipv6-tunnel v6tun0 ttl 64

# Published services on the PPPoE address (auto-firewall opens the matching
# holes in PPPoE_IN). 192.168.1.20 lies in LAN_PBR rule 10's range, so its
# replies leave via pppoe0, matching wan-interface pppoe0.
# Both forwards target HTTP/HTTPS ports but are set to tcp_udp, which also
# exposes UDP 50080/51932 to the host; unless GaraponTV needs UDP there,
# 'protocol tcp' is the narrower choice.
set port-forward auto-firewall enable
set port-forward hairpin-nat enable
set port-forward lan-interface eth1
set port-forward rule 10 description 'GaraponTV Access'
set port-forward rule 10 forward-to address 192.168.1.20
set port-forward rule 10 forward-to port 80
set port-forward rule 10 original-port 50080
set port-forward rule 10 protocol tcp_udp
set port-forward rule 20 description 'GaraponTV Stream'
set port-forward rule 20 forward-to address 192.168.1.20
set port-forward rule 20 forward-to port 443
set port-forward rule 20 original-port 51932
set port-forward rule 20 protocol tcp_udp
set port-forward wan-interface pppoe0

# Routing: main table prefers pppoe0, with v6tun0 as a distance-100 fallback.
# Table 1 (PBR rule 10) -> pppoe0, table 2 (PBR rule 20) -> v6tun0.
set protocols static interface-route 0.0.0.0/0 next-hop-interface pppoe0
set protocols static interface-route 0.0.0.0/0 next-hop-interface v6tun0 distance 100
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface pppoe0
set protocols static table 2 interface-route 0.0.0.0/0 next-hop-interface v6tun0

# DHCPv4 on both LANs; pools .64-.199 (LAN1's pool thus lands in the DS-Lite
# PBR range), router as DNS.
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server use-dnsmasq disable
set service dhcp-server static-arp disable
set service dhcp-server shared-network-name LAN1 authoritative enable
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 dns-server 192.168.1.1
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 lease 86400
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 domain-name lan
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 start 192.168.1.64 stop 192.168.1.199
set service dhcp-server shared-network-name LAN2 authoritative enable
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 default-router 192.168.2.1
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 dns-server 192.168.2.1
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 lease 86400
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 domain-name lan
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 start 192.168.2.64 stop 192.168.2.199

# Dynamic DNS for the pppoe0 address using the dyndns2 protocol. <token> is
# a credential; confirm the generated ddclient update goes over TLS, otherwise
# it is sent as plain HTTP basic auth on every address change.
set service dns dynamic interface pppoe0 service custom-GoogleDomains host-name <hostname>
set service dns dynamic interface pppoe0 service custom-GoogleDomains login nouser
set service dns dynamic interface pppoe0 service custom-GoogleDomains password <token>
set service dns dynamic interface pppoe0 service custom-GoogleDomains protocol dyndns2
set service dns dynamic interface pppoe0 service custom-GoogleDomains server domains.google.com
set service dns dynamic interface pppoe0 web dyndns

# DNS forwarder listens on the LAN interfaces and lo only (not on eth0,
# pppoe0 or v6tun0), so it is not an open resolver towards the WAN.
set service dns forwarding cache-size 5000
set service dns forwarding options listen-address=192.168.1.1
set service dns forwarding listen-on eth1
set service dns forwarding listen-on eth2
set service dns forwarding listen-on lo

# Management GUI. older-ciphers enable weakens the TLS cipher set for the sake
# of legacy browsers; drop it unless such a client is actually needed. The GUI
# is blocked from the PPPoE and DS-Lite paths by the *_LOCAL chains but, as
# noted at eth0, not by any IPv4 filter on the HGW-facing interface.
set service gui http-port 80
set service gui https-port 443
set service gui older-ciphers enable

# Outbound NAT only for the PPPoE path.
set service nat rule 5010 description 'masquerade for WAN(PPPoE)'
set service nat rule 5010 outbound-interface pppoe0
set service nat rule 5010 type masquerade

# SSH: key authentication only (see the public-keys entry below), protocol 2.
set service ssh disable-password-authentication
set service ssh port 22
set service ssh protocol-version v2

# Admin account: hashed password plus an ssh-rsa public key.
set system login user <username> authentication encrypted-password '<encrypted>'
set system login user <username> authentication public-keys <username>@host key <key>
set system login user <username> authentication public-keys <username>@host type ssh-rsa
set system login user <username> level admin

# The router resolves through its own forwarder (which listens on lo).
set system name-server 127.0.0.1
set system static-host-mapping host-name erlite3.lan inet 192.168.1.1
set system static-host-mapping host-name readynas.lan inet 192.168.1.10
set system static-host-mapping host-name garapontv.lan inet 192.168.1.20

set system ntp server 0.ubnt.pool.ntp.org
set system ntp server 1.ubnt.pool.ntp.org
set system ntp server 2.ubnt.pool.ntp.org
set system ntp server 3.ubnt.pool.ntp.org
set system time-zone Asia/Tokyo

# Logging: local at notice (protocols at debug), and everything at info or
# above shipped to 192.168.1.10 (readynas.lan above). The logged firewall
# drops from the WANv6 chains land there too, which is where to look when
# reviewing inbound IPv6 activity. Plain syslog to a LAN host -- keep that
# segment trusted.
set system syslog global facility all level notice
set system syslog global facility protocols level debug
set system syslog host 192.168.1.10 facility all level info

# Hardware offload off (the PPPoE offload is reported to be slower); DPI and
# traffic export disabled.
set system offload hwnat disable
set system offload ipv4 forwarding disable
set system traffic-analysis dpi disable
set system traffic-analysis export disable

# IPsec bound to pppoe0 only; NAT-T enabled for clients behind NAT.
set vpn ipsec ipsec-interfaces interface pppoe0
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal enable

# L2TP/IPsec remote access: a single pre-shared secret plus a local
# username/password; both are stored in this configuration in the clear,
# so the secret should be long and random and config exports protected.
# Client pool .200-.210 sits inside LAN1's /24. Clients get the router as
# primary DNS and 8.8.8.8 as secondary, so some client queries may bypass
# the local forwarder. outside-address 0.0.0.0 listens on whatever address
# pppoe0 currently has.
set vpn l2tp remote-access authentication local-users username <username> password <password>
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access client-ip-pool start 192.168.1.200
set vpn l2tp remote-access client-ip-pool stop 192.168.1.210
set vpn l2tp remote-access dns-servers server-1 192.168.1.1
set vpn l2tp remote-access dns-servers server-2 8.8.8.8
set vpn l2tp remote-access idle 1800
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <psk>
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn l2tp remote-access mtu 1280
set vpn l2tp remote-access outside-address 0.0.0.0