6
13

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

More than 3 years have passed since last update.

EdgeRouter X (ER-X) で IPv6 IPoE + DS-Lite するまで

Posted at

前回 の続き。

NGN 側からの router advertisement を LAN 内に proxy することができないので、EdgeRouter で router advertisement を作って LAN 内に流す。

switch switch0 {
     address 192.168.1.1/24
     description Local
     ipv6 {
         address {
             eui64 XXXXXXXXXXXXXXXXXX/64
         }
         dup-addr-detect-transmits 1
         router-advert {
             cur-hop-limit 64
             link-mtu 1500
             managed-flag false
             max-interval 600
             other-config-flag true
             prefix ::/64 {
                 autonomous-flag true
                 on-link-flag true
             }
             reachable-time 0
             retrans-timer 0
             send-advert true
         }
     }
     mtu 1500
     switch-port {
         interface eth1 {
         }
         interface eth2 {
         }
         interface eth3 {
         }
         interface eth4 {
         }
         vlan-aware disable
     }
}

commit すると、LAN 内に NGN からの router advertisement が流れてくる。


% sudo tcpdump -v -n -i en0 icmp6
10:47:25.848045 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 64) fe80::1ae8:29ff:fe5e:78f2 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 64
	hop limit 64, Flags [other stateful], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s
	  prefix info option (3), length 32 (4): XXXXXXXXXXXXXXXXXX::/64, Flags [onlink, auto], valid time 2592000s, pref. time 604800s
	  mtu option (5), length 8 (1):  1500
	  source link-address option (1), length 8 (1): 18:e8:29:5e:78:f2

LAN 内に router advertisement が流れたことで、LAN 内の端末に IPv6 が割り当てられた。しかし、これだけでは NGN 側が LAN 内端末の MAC アドレスを認識していないため、LAN 内から外に出ていくことができない。このため、NGN 側から送られてくる neighbor solicitation を LAN 内に流してやり、LAN 内からそれに返答させる必要がある。

ER-X 上で tcpdump をすると、NGN 側から neighbor solicitation が送られてきていることを確認できる。

% sudo tcpdump -v -i eth0 icmp6
02:05:43.496620 IP6 (class 0xb8, hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::ff:fe02:XXXX > fe80::1ae8:29ff:fe5e:78ed: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1ae8:29ff:fe5e:78ed
	  source link-address option (1), length 8 (1): 02:00:00:02:20:29

NGN 側と LAN 内は別のネットワークであるため、ER-X は デフォルトでは NGN から ER-X に送られてきた neighbor solicitation を LAN 内に流すことはない。LAN 内に流すように、 ip コマンドを使って設定することもできるが、LAN 内端末それぞれの IP アドレスを指定してやる必要があり、面倒なので、ndppd を利用するのがよい。

ndppd を設定して起動させておけば、たとえば今回必要な eth0 と switch0 間の neighbor solicitation, neighbor advertisement の相互 proxy を行える。

次に、ndppd により、NGN 側 (eth0) から LAN 内 (switch0、つまり eth1〜4) 端末への neighbor solicitation を、LAN 内に Proxy し LAN 内からの neighbor advertisement を NGN 側に Proxy させる。

/config/user-data/ndppd/ndppd.conf
proxy eth0 {
   router no
   timeout 500
   autowire yes
   keepalive yes
   retries 3
   ttl 30000
   rule ::/0 {
      iface switch0
   }
}

proxy switch0 {
   router yes
   timeout 500
   autowire yes
   keepalive yes
   retries 3
   ttl 30000
   rule ::/0 {
      auto
   }
}

ndppd を ER-X で動かすまでは 前回 に書いた。

これで ndppd を起動して、ER-X 上で tcpdump してみると、

02:05:43.496620 IP6 (class 0xb8, hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::ff:fe02:XXXX > fe80::1ae8:29ff:fe5e:78ed: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1ae8:29ff:fe5e:78ed
	  source link-address option (1), length 8 (1): 02:00:00:02:XX:XX
02:05:43.496845 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::1ae8:29ff:fe5e:78ed > fe80::ff:fe02:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::1ae8:29ff:fe5e:78ed, Flags [router, solicited]

NGN 側の neighbor solicitation に対して、advertisement で応えられていることがわかる。

LAN 内で tcpdump しても、NGN 側の neighbor solicitation が LAN 内に proxy されて受け取れていることがわかる。

これで LAN 内で IPv6 アドレスを取得して、インターネットにでていけるようになった。

最終的な設定

# show configuration commands
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN description 'WAN inbound traffic forwarded to LAN'
set firewall ipv6-name WANv6_IN enable-default-log
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 description 'Allow established/related sessions'
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable
set firewall ipv6-name WANv6_IN rule 20 action drop
set firewall ipv6-name WANv6_IN rule 20 description 'Drop invalid state'
set firewall ipv6-name WANv6_IN rule 20 state invalid enable
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL description 'WAN inbound traffic to the router'
set firewall ipv6-name WANv6_LOCAL enable-default-log
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 description 'Allow established/related sessions'
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
set firewall ipv6-name WANv6_LOCAL rule 20 action drop
set firewall ipv6-name WANv6_LOCAL rule 20 description 'Drop invalid state'
set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 description 'Allow IPv6 icmp'
set firewall ipv6-name WANv6_LOCAL rule 30 protocol ipv6-icmp
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 description 'allow dhcpv6'
set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 40 source port 547
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to internal'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop invalid state'
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid enable
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable
set interfaces ethernet eth0 address 'XXXXXXXXXXXXXXXXXX/64'
set interfaces ethernet eth0 description Internet
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set interfaces ethernet eth0 ipv6 address autoconf
set interfaces ethernet eth0 ipv6 dup-addr-detect-transmits 1
set interfaces ethernet eth0 mtu 1500
set interfaces ethernet eth0 speed auto
set interfaces ethernet eth1 description Local
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 speed auto
set interfaces ethernet eth2 description Local
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 speed auto
set interfaces ethernet eth3 description Local
set interfaces ethernet eth3 duplex auto
set interfaces ethernet eth3 speed auto
set interfaces ethernet eth4 description Local
set interfaces ethernet eth4 duplex auto
set interfaces ethernet eth4 speed auto
set interfaces ipv6-tunnel v6tun0 encapsulation ipip6
set interfaces ipv6-tunnel v6tun0 local-ip 'XXXXXXXXXXXXXXXXXX'
set interfaces ipv6-tunnel v6tun0 mtu 1500
set interfaces ipv6-tunnel v6tun0 multicast disable
set interfaces ipv6-tunnel v6tun0 remote-ip '2404:8e00::feed:100'
set interfaces ipv6-tunnel v6tun0 ttl 64
set interfaces loopback lo
set interfaces switch switch0 address 192.168.1.1/24
set interfaces switch switch0 description Local
set interfaces switch switch0 ipv6 address eui64 'XXXXXXXXXXXXXXXXXX/64'
set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1
set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64
set interfaces switch switch0 ipv6 router-advert link-mtu 1500
set interfaces switch switch0 ipv6 router-advert managed-flag false
set interfaces switch switch0 ipv6 router-advert max-interval 600
set interfaces switch switch0 ipv6 router-advert other-config-flag true
set interfaces switch switch0 ipv6 router-advert prefix '::/64' autonomous-flag true
set interfaces switch switch0 ipv6 router-advert prefix '::/64' on-link-flag true
set interfaces switch switch0 ipv6 router-advert prefix '::/64' valid-lifetime 2592000
set interfaces switch switch0 ipv6 router-advert reachable-time 0
set interfaces switch switch0 ipv6 router-advert retrans-timer 0
set interfaces switch switch0 ipv6 router-advert send-advert true
set interfaces switch switch0 mtu 1500
set interfaces switch switch0 switch-port interface eth1
set interfaces switch switch0 switch-port interface eth2
set interfaces switch switch0 switch-port interface eth3
set interfaces switch switch0 switch-port interface eth4
set interfaces switch switch0 switch-port vlan-aware disable
set protocols static interface-route 0.0.0.0/0 next-hop-interface v6tun0
set protocols static route6 '::/0' next-hop 'fe80::ff:fe02:XXXX' interface eth0
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server shared-network-name LAN authoritative enable
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 192.168.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 lease 86400
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 start 192.168.1.38 stop 192.168.1.243
set service dhcp-server static-arp disable
set service dhcp-server use-dnsmasq disable
set service dns forwarding cache-size 150
set service dns forwarding listen-on switch0
set service gui http-port 80
set service gui https-port 443
set service gui older-ciphers enable
set service nat rule 5010 description 'masquerade for WAN'
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 type masquerade
set service ssh port 22
set service ssh protocol-version v2
set system host-name ubnt
set system login user ubnt authentication encrypted-password '$1$XXXXXXXXXXXXXXXXXX'
set system login user ubnt level admin
set system name-server '2001:4860:4860::8888'
set system name-server '2001:4860:4860::8844'
set system ntp server ntp.jst.mfeed.ad.jp
set system syslog global facility all level notice
set system syslog global facility protocols level debug
set system time-zone UTC
# configure ; show
 firewall {
     all-ping enable
     broadcast-ping disable
     ipv6-name WANv6_IN {
         default-action drop
         description "WAN inbound traffic forwarded to LAN"
         enable-default-log
         rule 10 {
             action accept
             description "Allow established/related sessions"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
     }
     ipv6-name WANv6_LOCAL {
         default-action drop
         description "WAN inbound traffic to the router"
         enable-default-log
         rule 10 {
             action accept
             description "Allow established/related sessions"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
         rule 30 {
             action accept
             description "Allow IPv6 icmp"
             protocol ipv6-icmp
         }
         rule 40 {
             action accept
             description "allow dhcpv6"
             destination {
                 port 546
             }
             protocol udp
             source {
                 port 547
             }
         }
     }
     ipv6-receive-redirects disable
     ipv6-src-route disable
     ip-src-route disable
     log-martians enable
     name WAN_IN {
         default-action drop
         description "WAN to internal"
         rule 10 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
     }
     name WAN_LOCAL {
         default-action drop
         description "WAN to router"
         rule 10 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
     }
     receive-redirects disable
     send-redirects enable
     source-validation disable
     syn-cookies enable
 }
 interfaces {
     ethernet eth0 {
         address XXXXXXXXXXXXXXXXXX/64
         description Internet
         duplex auto
         firewall {
             in {
                 ipv6-name WANv6_IN
                 name WAN_IN
             }
             local {
                 ipv6-name WANv6_LOCAL
                 name WAN_LOCAL
             }
         }
         ipv6 {
             address {
                 autoconf
             }
             dup-addr-detect-transmits 1
         }
         mtu 1500
         speed auto
     }
     ethernet eth1 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth2 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth3 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth4 {
         description Local
         duplex auto
         speed auto
     }
     ipv6-tunnel v6tun0 {
         encapsulation ipip6
         local-ip XXXXXXXXXXXXXXXXXX
         mtu 1500
         multicast disable
         remote-ip 2404:8e00::feed:100
         ttl 64
     }
     loopback lo {
     }
     switch switch0 {
         address 192.168.1.1/24
         description Local
         ipv6 {
             address {
                 eui64 XXXXXXXXXXXXXXXXXX/64
             }
             dup-addr-detect-transmits 1
             router-advert {
                 cur-hop-limit 64
                 link-mtu 1500
                 managed-flag false
                 max-interval 600
                 other-config-flag true
                 prefix ::/64 {
                     autonomous-flag true
                     on-link-flag true
                 }
                 reachable-time 0
                 retrans-timer 0
                 send-advert true
             }
         }
         mtu 1500
         switch-port {
             interface eth1 {
             }
             interface eth2 {
             }
             interface eth3 {
             }
             interface eth4 {
             }
             vlan-aware disable
         }
     }
 }
 protocols {
     static {
         interface-route 0.0.0.0/0 {
             next-hop-interface v6tun0 {
             }
         }
         route6 ::/0 {
             next-hop fe80::ff:fe02:XXXX {
                 interface eth0
             }
         }
     }
 }
 service {
     dhcp-server {
         disabled false
         hostfile-update disable
         shared-network-name LAN {
             authoritative enable
             subnet 192.168.1.0/24 {
                 default-router 192.168.1.1
                 dns-server 192.168.1.1
                 lease 86400
                 start 192.168.1.38 {
                     stop 192.168.1.243
                 }
             }
         }
         static-arp disable
         use-dnsmasq disable
     }
     dns {
         forwarding {
             cache-size 150
             listen-on switch0
         }
     }
     gui {
         http-port 80
         https-port 443
         older-ciphers enable
     }
     nat {
         rule 5010 {
             description "masquerade for WAN"
             outbound-interface eth0
             type masquerade
         }
     }
     ssh {
         port 22
         protocol-version v2
     }
 }
 system {
     host-name ubnt
     login {
         user ubnt {
             authentication {
                 encrypted-password $1$XXXXXXXXXXXXXXXXXX.
             }
             level admin
         }
     }
     name-server 2001:4860:4860::8888
     name-server 2001:4860:4860::8844
     ntp {
         server ntp.jst.mfeed.ad.jp {
         }
     }
     syslog {
         global {
             facility all {
                 level notice
             }
             facility protocols {
                 level debug
             }
         }
     }
     time-zone UTC
 }
6
13
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
6
13

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?