Continuing the trend of blog posts that exist to document things we don’t want to forget, I present Configuring dual stack IPv6 without DHCPv6-PD.
If you’re wondering wtf than yes, this is a slightly bespoke setup that you won’t find with residential ISPs. Recently we’ve moved (the cause of all technical progress it seems) and with that I switched from Internodes business NBN to a new business centric ISP to connect our new place.
Well it is year 2020 so it would be remiss of me not to continue to tradition of being a salty “But I can’t reach you on IPv6” type user and help push the internet to a better place where I can.
But really the thing I needed most was to be able to connect to ephemeral instances in AWS EC2 without stuffing around to setup dynamic DNS. I was wanted a lazy option to SSH into. Turns out static IPv6 addresses are free 🎉 while IPv4 elastic IPs are free only while the instance is running.
Going dual stack
The ISP is configured a bit differently to residential ISPs in Australia hence this blog. The IPv4 features are nothing unsurprising, a static IPv4 session with /29 framed route.
But the IPv6 prefix, while being the typical /56 is delivered via a static interface route which is normally is handled by a managed CPE router but in my case needs to be terminated on my ER-X.
Consider my IPv6 prefix of
2001:0DB8::/56 and my interface the expected
pppoe0 for this
pppoe0 interface I have some IPv6 configured and I get a remote peer
fe80::f381:9ee4:b2f2:89a0 to chat with. I can ping across the link but the internet can
surely not talk with me on a
How do we get our subnet actually routing over these private addresses?
Interface routing on Edgerouter-X
I learned a new trick here, and I admittedly still don’t fully understand PtMP wired networks but here is how it works.
Configure your subnet on the loopback interface.
set interfaces loopback lo address '2001:0DB8::/56'
Setup the IPv6 default route for
set protocols static interface-route6 '::/0' next-hop-interface pppoe0
That is actually the entire setup from a routing perspective. It may be among some of the longest time I’ve spent trying to understand two lines of config.
Wire up your LAN
Now the internet knows where your router is inbound and your router knows where to send outbound traffic. Next you’ll actually want to tell your LAN clients about it.
Use router advertisement to further sub-divide the network by interface. Here we’ll configure a /64 for each internal LAN segment.
Configure the router interface address.
set interfaces switch switch0 vif 500 address 2001:0DB8:500::1/64
Configure router-advertisements for LAN clients.
edit interfaces switch switch0 vif 500 ipv6 router-advert set cur-hop-limit 64 set link-mtu 0 set managed-flag false set max-interval 600 set name-server '2001:0DB8:500::1' set other-config-flag false set reachable-time 0 set retrans-timer 0 set send-advert true
Commit and save the config
Seeing it in action
With an interface assigned and routing configured you can see the full routing table in action after the config is reloaded.
[email protected]# run show ipv6 route IPv6 Routing Table Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1, E2 - OSPF external type 2, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, B - BGP Timers: Uptime IP Route Table for VRF "default" S ::/0 [1/0] via ::, pppoe0, 00:11:30 C ::1/128 via ::, lo, 02w4d15h C 2001:0DB8::/56 via ::, lo, 02w2d06h C 2001:0DB8:500::1/64 ::, switch0.500, 02w1d22h C fe80::/10 via ::, pppoe0, 02w2d14h C fe80::/64 via ::, ifb_pppoe0, 02w2d14h
And no where along this journey did you need to fight with DHCPv6-PD firewall issues, client arguments, or arcane version issues.
It was actually surprisingly easy in the end. Obviously you’ll still need to configure your own firewall policy for IPv6 which is pretty frustrating but a good zone-policy tool should make that a once off too.
Bonus points - IPv6 upgrades in AWS VPCs
One gotcha I encountered in this journey was relatively unexpected. While upgrading the existing legacy VPC I’d created years ago to support IPv6 EC2 instances I found the instance was able to get an IPv6 address but not actually reach remote hosts?
Was it security groups? Nope. Was it my own borked routing? Nope. This process continued for a little while before I remembered my old friend the IGW.
If you’re upgrading an old VPC to IPv6, don’t forget you’ll need to wire up a static
::/0 route to your IGW for IPv6 traffic to egress on!