Configuring dual stack IPv6 without DHCPv6-PD


Ahoy!

Continuing the trend of blog posts that exist to document things we don’t want to forget, I present Configuring dual stack IPv6 without DHCPv6-PD.

If you’re wondering wtf, then yes, this is a slightly bespoke setup that you won’t find with residential ISPs. Recently we moved (the cause of all technical progress, it seems), and with that I switched from Internode’s business NBN to a new business-centric ISP to connect our new place.

Ulterior motives

Why IPv6?

Well, it is the year 2020, so it would be remiss of me not to continue the tradition of being a salty “But I can’t reach you on IPv6” type user and help push the internet to a better place where I can.

But really the thing I needed most was to be able to connect to ephemeral instances in AWS EC2 without stuffing around to set up dynamic DNS. I wanted a lazy option to SSH into. Turns out static IPv6 addresses are free 🎉 while IPv4 elastic IPs are free only while the instance is running.

Going dual stack

The ISP is configured a bit differently to residential ISPs in Australia, hence this blog. The IPv4 features are nothing surprising: a static IPv4 session with a /29 framed route.

But the IPv6 prefix, while being the typical /56, is delivered via a static interface route, which is normally handled by a managed CPE router but in my case needs to be terminated on my ER-X.

Consider my IPv6 prefix of 2001:0DB8::/56 and my interface the expected pppoe0 for this exercise.

On the pppoe0 interface I have some IPv6 configured and I get a remote peer fe80::f381:9ee4:b2f2:89a0 to chat with. I can ping across the link, but the internet surely cannot talk to me on an fe80:: address.

How do we get our subnet actually routing over these link-local addresses?

Interface routing on Edgerouter-X

I learned a new trick here, and I admittedly still don’t fully understand PtMP wired networks but here is how it works.

  1. Configure your subnet on the loopback interface.

     set interfaces loopback lo address '2001:0DB8::/56'
    
  2. Set up the IPv6 default route for pppoe0.

     set protocols static interface-route6 '::/0' next-hop-interface pppoe0
    

That is actually the entire setup from a routing perspective. It may be among the longest stretches of time I’ve spent trying to understand two lines of config.

Wire up your LAN

Now the internet knows where your router is inbound and your router knows where to send outbound traffic. Next you’ll actually want to tell your LAN clients about it.

Use router advertisements to further subdivide the network by interface. Here we’ll configure a /64 for each internal LAN segment.

  1. Configure the router interface address.

     set interfaces switch switch0 vif 500 address 2001:0DB8:500::1/64
    
  2. Configure router-advertisements for LAN clients.

     edit interfaces switch switch0 vif 500 ipv6 router-advert
     set cur-hop-limit 64
     set link-mtu 0
     set managed-flag false
     set max-interval 600
     set name-server '2001:0DB8:500::1'
     set other-config-flag false
     set reachable-time 0
     set retrans-timer 0
     set send-advert true
    
  3. Commit and save the config.

     commit
     save
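
The subdivision step above can be checked before anything is committed. The following is an added example, not part of the original post: it carves /64s out of the /56 and validates router addresses against it. The vif-to-subnet plan and the function names are hypothetical. Taken literally, the sample address 2001:0DB8:500::1/64 does not fall inside 2001:0DB8::/56, and the check reports that.

```python
import ipaddress

# Prefix from the post; the VLAN-to-subnet plan below is a constructed example.
DELEGATED = ipaddress.ip_network("2001:0DB8::/56")
PLAN = {500: 0x05, 600: 0x06}   # hypothetical: vif id -> index of its /64


def lan_subnet(delegated, index):
    """Return the index-th /64 inside the delegated prefix."""
    count = 2 ** (64 - delegated.prefixlen)      # 256 for a /56
    if not 0 <= index < count:
        raise ValueError(f"index {index} not in 0..{count - 1}")
    base = int(delegated.network_address) + (index << 64)
    return ipaddress.IPv6Network((base, 64))


def check_interface(delegated, cidr):
    """Classify a router interface address against the delegated prefix."""
    iface = ipaddress.ip_interface(cidr)
    if iface.network.prefixlen != 64:
        return "not-a-/64"                # SLAAC on the LAN expects a /64
    if not iface.network.subnet_of(delegated):
        return "outside-delegation"       # the ISP will not route this back
    return "ok"


def edgeos_commands(delegated, plan, switch="switch0"):
    """Emit address and RA name-server lines in the post's command style."""
    cmds = []
    for vif, index in sorted(plan.items()):
        net = lan_subnet(delegated, index)
        router = f"{net[1]}/{net.prefixlen}"     # ::1 of each /64
        assert check_interface(delegated, router) == "ok"
        path = f"set interfaces switch {switch} vif {vif}"
        cmds.append(f"{path} address {router}")
        cmds.append(f"{path} ipv6 router-advert name-server {net[1]}")
    return cmds


if __name__ == "__main__":
    print(check_interface(DELEGATED, "2001:0DB8:500::1/64"))
    print("\n".join(edgeos_commands(DELEGATED, PLAN)))
```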
    

Seeing it in action

With an interface assigned and routing configured you can see the full routing table in action after the config is reloaded.

swilson@edgerouter-x# run show ipv6 route
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
    IA - OSPF inter area, E1 - OSPF external type 1,
    E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
    N2 - OSPF NSSA external type 2, B - BGP
Timers: Uptime

IP Route Table for VRF "default"
S      ::/0 [1/0] via ::, pppoe0, 00:11:30
C      ::1/128 via ::, lo, 02w4d15h
C      2001:0DB8::/56 via ::, lo, 02w2d06h
C      2001:0DB8:500::1/64 ::, switch0.500, 02w1d22h
C      fe80::/10 via ::, pppoe0, 02w2d14h
C      fe80::/64 via ::, ifb_pppoe0, 02w2d14h

And nowhere along this journey did you need to fight with DHCPv6-PD firewall issues, client arguments, or arcane version issues.

It was actually surprisingly easy in the end. Obviously you’ll still need to configure your own firewall policy for IPv6, because every LAN host now has a globally routable address with no NAT in front of it. That is pretty frustrating, but a good zone-policy tool should make it a once-off too.

Bonus points - IPv6 upgrades in AWS VPCs

One gotcha I encountered in this journey was relatively unexpected. While upgrading the existing legacy VPC I’d created years ago to support IPv6 EC2 instances, I found the instance was able to get an IPv6 address but not actually reach remote hosts.

Was it security groups? Nope. Was it my own borked routing? Nope. This process continued for a little while before I remembered my old friend the IGW.

If you’re upgrading an old VPC to IPv6, don’t forget you’ll need to wire up a static ::/0 route to your IGW for IPv6 traffic to egress on!
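
To spot the missing route across many route tables, the following added example (not from the original post) classifies each table by its IPv6 default route. It reads a constructed sample shaped like an EC2 DescribeRouteTables response, and every id in it is a placeholder. It goes slightly beyond the post by also recognising an egress-only internet gateway, which gives outbound-only IPv6, whereas a ::/0 route to an IGW leaves inbound filtering to security groups and NACLs.

```python
# Constructed sample in the shape of an EC2 DescribeRouteTables response;
# every id below is a made-up placeholder.
SAMPLE = {"RouteTables": [
    {"RouteTableId": "rtb-legacy", "Routes": [
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example",
         "State": "active"},
        {"DestinationIpv6CidrBlock": "2001:db8:1234:1a00::/56",
         "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-fixed", "Routes": [
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example",
         "State": "active"},
        {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-example",
         "State": "active"}]},
    {"RouteTableId": "rtb-private", "Routes": [
        {"DestinationIpv6CidrBlock": "::/0",
         "EgressOnlyInternetGatewayId": "eigw-example", "State": "active"}]},
    {"RouteTableId": "rtb-stale", "Routes": [
        {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-deleted",
         "State": "blackhole"}]},
]}


def ipv6_default_route(route_table):
    """Classify one RouteTables[] entry by its ::/0 route."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationIpv6CidrBlock") != "::/0":
            continue
        if route.get("State") != "active":
            return "blackhole"       # target was deleted or detached
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw"             # two-way: inbound is down to SGs/NACLs
        if route.get("EgressOnlyInternetGatewayId"):
            return "egress-only"     # outbound-initiated traffic only
        return "other-target"
    return "missing"                 # the gotcha described in the post


def audit(response):
    """Map each route table id to its IPv6 default-route status."""
    return {rt["RouteTableId"]: ipv6_default_route(rt)
            for rt in response.get("RouteTables", [])}


if __name__ == "__main__":
    for table_id, status in audit(SAMPLE).items():
        print(f"{table_id}: {status}")
```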
