

EdgeRouter X (ER-X) で IPv6 IPoE + DS-Lite するまで


前回 の続き。

NGN 側から受け取る router advertisement (RA) をそのまま LAN 内に proxy することはできないので、EdgeRouter 自身が switch0 に設定した /64 prefix の RA を生成して LAN 内に流す。

switch switch0 {
     address 192.168.1.1/24
     description Local
     ipv6 {
         address {
             eui64 XXXXXXXXXXXXXXXXXX/64
         }
         dup-addr-detect-transmits 1
         router-advert {
             cur-hop-limit 64
             link-mtu 1500
             managed-flag false
             max-interval 600
             other-config-flag true
             prefix ::/64 {
                 autonomous-flag true
                 on-link-flag true
             }
             reachable-time 0
             retrans-timer 0
             send-advert true
         }
     }
     mtu 1500
     switch-port {
         interface eth1 {
         }
         interface eth2 {
         }
         interface eth3 {
         }
         interface eth4 {
         }
         vlan-aware disable
     }
}

commit すると、ER-X が生成した router advertisement が LAN 内に流れるようになる (以下の例では送信元が ER-X の LAN 側 link-local アドレス fe80::1ae8:29ff:fe5e:78f2 になっており、NGN 側のルータが出した RA ではない)。


% sudo tcpdump -v -n -i en0 icmp6
10:47:25.848045 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 64) fe80::1ae8:29ff:fe5e:78f2 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 64
    hop limit 64, Flags [other stateful], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s
      prefix info option (3), length 32 (4): XXXXXXXXXXXXXXXXXX::/64, Flags [onlink, auto], valid time 2592000s, pref. time 604800s
      mtu option (5), length 8 (1):  1500
      source link-address option (1), length 8 (1): 18:e8:29:5e:78:f2

LAN 内に router advertisement が流れたことで、LAN 内の端末に IPv6 アドレスが割り当てられた。しかし、これだけでは NGN 側のルータが LAN 内端末のアドレスに対する neighbor solicitation に応答を得られず (端末の MAC アドレスを解決できない) ため、LAN 内から外に出たパケットの戻りを端末に届けられない。このため、NGN 側から送られてくる neighbor solicitation を LAN 内に流し、LAN 内の端末にそれへ返答させる必要がある。

ER-X 上で tcpdump をすると、NGN 側から neighbor solicitation が送られてきていることを確認できる。

% sudo tcpdump -v -i eth0 icmp6
02:05:43.496620 IP6 (class 0xb8, hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::ff:fe02:XXXX > fe80::1ae8:29ff:fe5e:78ed: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1ae8:29ff:fe5e:78ed
      source link-address option (1), length 8 (1): 02:00:00:02:20:29

NGN 側と LAN 内は別のリンク (L2 セグメント) であるため、ER-X はデフォルトでは NGN から受け取った neighbor solicitation を LAN 内に流すことはない。Linux の NDP proxy 機能 (`ip -6 neigh add proxy <addr> dev eth0`) で流すように設定することもできるが、LAN 内端末それぞれのアドレスを個別に指定してやる必要があり面倒なので、ndppd を利用するのがよい。

ndppd を設定して起動させておけば、たとえば今回必要な eth0 と switch0 間の neighbor solicitation, neighbor advertisement の相互 proxy を行える。

次に、ndppd により、NGN 側 (eth0) から LAN 内 (switch0、つまり eth1〜4) 端末への neighbor solicitation を LAN 内に proxy し、LAN 内からの neighbor advertisement を NGN 側に proxy させる。なお、以下の設定では rule に ::/0 を指定しているため、eth0 に届く neighbor solicitation は target がどのアドレスであっても switch0 に転送される。実際に必要なのは LAN で使っている /64 だけなので、rule の prefix をその /64 に絞っておくほうが、無関係なアドレス宛の solicitation を LAN 内に流さずに済み、ER-X が代理応答する範囲も限定できる。

/config/user-data/ndppd/ndppd.conf
# NGN side. Neighbor solicitations that arrive on eth0 are relayed into the
# LAN (switch0); a neighbor advertisement coming back from a LAN host is
# relayed out eth0 again (see the explanation in the article text).
proxy eth0 {
   router no
   timeout 500
   autowire yes
   keepalive yes
   retries 3
   ttl 30000
   # ::/0 matches every target address, so any solicitation reaching eth0 is
   # forwarded to the LAN. NOTE(review): narrowing this to the /64 actually
   # configured on switch0 limits what the router will proxy on behalf of.
   rule ::/0 {
      iface switch0
   }
}

# LAN side. Solicitations from LAN hosts for addresses outside the LAN are
# handled here; "auto" presumably lets ndppd pick the egress interface from
# the routing table — confirm against the ndppd.conf man page for the
# version in use. "router yes" presumably sets the router flag on the
# advertisements sent toward the LAN; also to be confirmed.
proxy switch0 {
   router yes
   timeout 500
   autowire yes
   keepalive yes
   retries 3
   ttl 30000
   rule ::/0 {
      auto
   }
}

ndppd を ER-X で動かすまでは 前回 に書いた。

これで ndppd を起動して、ER-X 上で tcpdump してみると、

02:05:43.496620 IP6 (class 0xb8, hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::ff:fe02:XXXX > fe80::1ae8:29ff:fe5e:78ed: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1ae8:29ff:fe5e:78ed
      source link-address option (1), length 8 (1): 02:00:00:02:XX:XX
02:05:43.496845 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::1ae8:29ff:fe5e:78ed > fe80::ff:fe02:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::1ae8:29ff:fe5e:78ed, Flags [router, solicited]

NGN 側の neighbor solicitation に対して、advertisement で応えられていることがわかる。ただし、この例の target (fe80::1ae8:29ff:fe5e:78ed) は ER-X 自身の eth0 の link-local アドレスと思われるので、ここで応答しているのは ER-X のカーネルであり、ndppd の proxy 動作そのものを示す例ではない。ndppd が動いていることは、LAN 内端末のアドレスを target とする solicitation に対して eth0 側で advertisement が返ることで確認するのがよい。

LAN 内で tcpdump しても、NGN 側の neighbor solicitation が LAN 内に proxy されて受け取れていることがわかる。

これで LAN 内の端末が IPv6 アドレスを取得して、インターネットに出ていけるようになった。ND proxy によって LAN 内の端末は NGN 側から直接到達可能な global address を持つことになるので、外からの接続を防いでいるのは eth0 の in に適用した WANv6_IN (default-action drop、established/related のみ accept) だけになる。この firewall を緩める際は、LAN 内の端末が直接インターネットに晒されることを意識しておく必要がある。

最終的な設定

設定を見直す際の注意点をいくつか挙げておく。IPv4 用の WAN_IN / WAN_LOCAL は eth0 にしか適用していないが、IPv4 のデフォルトルートは v6tun0 (DS-Lite トンネル) に向いているため、トンネル経由で届く IPv4 パケットは LAN (192.168.1.0/24) にもルータ自身にも firewall を通らずに到達する。AFTR 側の NAT があるとはいえ、同じ WAN_IN / WAN_LOCAL を v6tun0 の in / local にも適用しておくのが無難である。また eth0 には IPv4 アドレスが設定されていないように見えるので、eth0 を outbound-interface とする masquerade (rule 5010) は実質的に機能していない可能性が高い (DS-Lite では AFTR が NAT を行うので、LAN のプライベートアドレスはそのままトンネルに入る)。GUI は http-port 80 と older-ciphers enable のままで、WAN からは WAN_LOCAL で遮断されるものの LAN 内からは平文 HTTP と古い cipher で到達できる。さらに ubnt ユーザの encrypted-password が $1$ で始まっており、これは MD5-crypt なので、可能であれば $6$ (SHA-512) 形式のパスワードハッシュに置き換えておきたい。

# show configuration commands
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN description 'WAN inbound traffic forwarded to LAN'
set firewall ipv6-name WANv6_IN enable-default-log
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 description 'Allow established/related sessions'
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable
set firewall ipv6-name WANv6_IN rule 20 action drop
set firewall ipv6-name WANv6_IN rule 20 description 'Drop invalid state'
set firewall ipv6-name WANv6_IN rule 20 state invalid enable
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL description 'WAN inbound traffic to the router'
set firewall ipv6-name WANv6_LOCAL enable-default-log
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 description 'Allow established/related sessions'
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
set firewall ipv6-name WANv6_LOCAL rule 20 action drop
set firewall ipv6-name WANv6_LOCAL rule 20 description 'Drop invalid state'
set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 description 'Allow IPv6 icmp'
set firewall ipv6-name WANv6_LOCAL rule 30 protocol ipv6-icmp
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 description 'allow dhcpv6'
set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 40 source port 547
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to internal'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop invalid state'
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid enable
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable
set interfaces ethernet eth0 address 'XXXXXXXXXXXXXXXXXX/64'
set interfaces ethernet eth0 description Internet
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set interfaces ethernet eth0 ipv6 address autoconf
set interfaces ethernet eth0 ipv6 dup-addr-detect-transmits 1
set interfaces ethernet eth0 mtu 1500
set interfaces ethernet eth0 speed auto
set interfaces ethernet eth1 description Local
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 speed auto
set interfaces ethernet eth2 description Local
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 speed auto
set interfaces ethernet eth3 description Local
set interfaces ethernet eth3 duplex auto
set interfaces ethernet eth3 speed auto
set interfaces ethernet eth4 description Local
set interfaces ethernet eth4 duplex auto
set interfaces ethernet eth4 speed auto
set interfaces ipv6-tunnel v6tun0 encapsulation ipip6
set interfaces ipv6-tunnel v6tun0 local-ip 'XXXXXXXXXXXXXXXXXX'
set interfaces ipv6-tunnel v6tun0 mtu 1500
set interfaces ipv6-tunnel v6tun0 multicast disable
set interfaces ipv6-tunnel v6tun0 remote-ip '2404:8e00::feed:100'
set interfaces ipv6-tunnel v6tun0 ttl 64
set interfaces loopback lo
set interfaces switch switch0 address 192.168.1.1/24
set interfaces switch switch0 description Local
set interfaces switch switch0 ipv6 address eui64 'XXXXXXXXXXXXXXXXXX/64'
set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1
set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64
set interfaces switch switch0 ipv6 router-advert link-mtu 1500
set interfaces switch switch0 ipv6 router-advert managed-flag false
set interfaces switch switch0 ipv6 router-advert max-interval 600
set interfaces switch switch0 ipv6 router-advert other-config-flag true
set interfaces switch switch0 ipv6 router-advert prefix '::/64' autonomous-flag true
set interfaces switch switch0 ipv6 router-advert prefix '::/64' on-link-flag true
set interfaces switch switch0 ipv6 router-advert prefix '::/64' valid-lifetime 2592000
set interfaces switch switch0 ipv6 router-advert reachable-time 0
set interfaces switch switch0 ipv6 router-advert retrans-timer 0
set interfaces switch switch0 ipv6 router-advert send-advert true
set interfaces switch switch0 mtu 1500
set interfaces switch switch0 switch-port interface eth1
set interfaces switch switch0 switch-port interface eth2
set interfaces switch switch0 switch-port interface eth3
set interfaces switch switch0 switch-port interface eth4
set interfaces switch switch0 switch-port vlan-aware disable
set protocols static interface-route 0.0.0.0/0 next-hop-interface v6tun0
set protocols static route6 '::/0' next-hop 'fe80::ff:fe02:XXXX' interface eth0
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server shared-network-name LAN authoritative enable
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 192.168.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 lease 86400
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 start 192.168.1.38 stop 192.168.1.243
set service dhcp-server static-arp disable
set service dhcp-server use-dnsmasq disable
set service dns forwarding cache-size 150
set service dns forwarding listen-on switch0
set service gui http-port 80
set service gui https-port 443
set service gui older-ciphers enable
set service nat rule 5010 description 'masquerade for WAN'
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 type masquerade
set service ssh port 22
set service ssh protocol-version v2
set system host-name ubnt
set system login user ubnt authentication encrypted-password '$1$XXXXXXXXXXXXXXXXXX'
set system login user ubnt level admin
set system name-server '2001:4860:4860::8888'
set system name-server '2001:4860:4860::8844'
set system ntp server ntp.jst.mfeed.ad.jp
set system syslog global facility all level notice
set system syslog global facility protocols level debug
set system time-zone UTC
# configure ; show
 firewall {
     all-ping enable
     broadcast-ping disable
     ipv6-name WANv6_IN {
         default-action drop
         description "WAN inbound traffic forwarded to LAN"
         enable-default-log
         rule 10 {
             action accept
             description "Allow established/related sessions"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
     }
     ipv6-name WANv6_LOCAL {
         default-action drop
         description "WAN inbound traffic to the router"
         enable-default-log
         rule 10 {
             action accept
             description "Allow established/related sessions"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
         rule 30 {
             action accept
             description "Allow IPv6 icmp"
             protocol ipv6-icmp
         }
         rule 40 {
             action accept
             description "allow dhcpv6"
             destination {
                 port 546
             }
             protocol udp
             source {
                 port 547
             }
         }
     }
     ipv6-receive-redirects disable
     ipv6-src-route disable
     ip-src-route disable
     log-martians enable
     name WAN_IN {
         default-action drop
         description "WAN to internal"
         rule 10 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
     }
     name WAN_LOCAL {
         default-action drop
         description "WAN to router"
         rule 10 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
     }
     receive-redirects disable
     send-redirects enable
     source-validation disable
     syn-cookies enable
 }
 interfaces {
     ethernet eth0 {
         address XXXXXXXXXXXXXXXXXX/64
         description Internet
         duplex auto
         firewall {
             in {
                 ipv6-name WANv6_IN
                 name WAN_IN
             }
             local {
                 ipv6-name WANv6_LOCAL
                 name WAN_LOCAL
             }
         }
         ipv6 {
             address {
                 autoconf
             }
             dup-addr-detect-transmits 1
         }
         mtu 1500
         speed auto
     }
     ethernet eth1 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth2 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth3 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth4 {
         description Local
         duplex auto
         speed auto
     }
     ipv6-tunnel v6tun0 {
         encapsulation ipip6
         local-ip XXXXXXXXXXXXXXXXXX
         mtu 1500
         multicast disable
         remote-ip 2404:8e00::feed:100
         ttl 64
     }
     loopback lo {
     }
     switch switch0 {
         address 192.168.1.1/24
         description Local
         ipv6 {
             address {
                 eui64 XXXXXXXXXXXXXXXXXX/64
             }
             dup-addr-detect-transmits 1
             router-advert {
                 cur-hop-limit 64
                 link-mtu 1500
                 managed-flag false
                 max-interval 600
                 other-config-flag true
                 prefix ::/64 {
                     autonomous-flag true
                     on-link-flag true
                 }
                 reachable-time 0
                 retrans-timer 0
                 send-advert true
             }
         }
         mtu 1500
         switch-port {
             interface eth1 {
             }
             interface eth2 {
             }
             interface eth3 {
             }
             interface eth4 {
             }
             vlan-aware disable
         }
     }
 }
 protocols {
     static {
         interface-route 0.0.0.0/0 {
             next-hop-interface v6tun0 {
             }
         }
         route6 ::/0 {
             next-hop fe80::ff:fe02:XXXX {
                 interface eth0
             }
         }
     }
 }
 service {
     dhcp-server {
         disabled false
         hostfile-update disable
         shared-network-name LAN {
             authoritative enable
             subnet 192.168.1.0/24 {
                 default-router 192.168.1.1
                 dns-server 192.168.1.1
                 lease 86400
                 start 192.168.1.38 {
                     stop 192.168.1.243
                 }
             }
         }
         static-arp disable
         use-dnsmasq disable
     }
     dns {
         forwarding {
             cache-size 150
             listen-on switch0
         }
     }
     gui {
         http-port 80
         https-port 443
         older-ciphers enable
     }
     nat {
         rule 5010 {
             description "masquerade for WAN"
             outbound-interface eth0
             type masquerade
         }
     }
     ssh {
         port 22
         protocol-version v2
     }
 }
 system {
     host-name ubnt
     login {
         user ubnt {
             authentication {
                 encrypted-password $1$XXXXXXXXXXXXXXXXXX.
             }
             level admin
         }
     }
     name-server 2001:4860:4860::8888
     name-server 2001:4860:4860::8844
     ntp {
         server ntp.jst.mfeed.ad.jp {
         }
     }
     syslog {
         global {
             facility all {
                 level notice
             }
             facility protocols {
                 level debug
             }
         }
     }
     time-zone UTC
 }