Setting up IPv6-PD with dnsmasq on a Linux router

This follows on from my last post and is basically a distillation of this excellent post on Super User.

These steps should work with Starhub Fibre IPv6 or any other provider that does IPv6 prefix delegation (PD).

I found I *didn't* need to set up a few things the way he did, and there were a few additional steps with my firewall for things to work. It's still a little WIP (firewalld blocks IPv6 ping into my network and may have things secured already).

To /etc/sysctl.conf add the lines

# Obtain IPv6 address on wan interface by Stateless autoconfiguration (SLAAC)
net.ipv6.conf.enp1s0.accept_ra=2

With forwarding enabled the kernel ignores Router Advertisements on an interface (the default accept_ra=1 only accepts them on hosts that are not forwarding); accept_ra=2 makes enp1s0 accept them anyway, so the WAN side still gets its SLAAC address and default route. Load your changes with
sysctl -p

Install the WIDE DHCPv6 client. Of the packaged clients it is the simplest to configure for prefix delegation (IA_PD): one config file both requests the prefix and assigns it to a LAN interface.

sudo apt install wide-dhcpv6-client

You *don't* actually have to set up /etc/network/interfaces for IPv6: dhcp6c configures br0 itself from the delegated prefix, and the WAN interface gets its address from the RA/DHCPv6 exchange.

Replace /etc/wide-dhcpv6/dhcp6c.conf with:

profile default
{
  information-only;

  request domain-name-servers;
  request domain-name;

  script "/etc/wide-dhcpv6/dhcp6c-script";
};

interface enp1s0 {
    send rapid-commit;

    send ia-na 0;
    send ia-pd 0;
};

id-assoc na 0 {

};

id-assoc pd 0 {
    prefix ::/64 infinity;

    # Internal interface (LAN)
    prefix-interface br0 {
        sla-len 0;
        sla-id 0;
        ifid 1;
    };
};

There are a few changes here: I had to change sla-len to 0 since my ISP only delegates a /64, so there are no subnet bits left to carve up (sla-len and sla-id only matter with a shorter prefix such as a /56), and ifid 1 puts the router at <prefix>::1 on br0.

Set up dnsmasq by adding the following to /etc/dnsmasq.conf:

# Do router advertisements for all subnets where we're doing DHCPv6.
# Unless overridden by ra-stateless, ra-names, et al, the router
# advertisements will have the M and O bits set, so that the clients
# get addresses and configuration from DHCPv6, and the A bit reset, so the
# clients don't use SLAAC addresses.
enable-ra
# constructor:br0 builds the advertised prefix from whatever dhcp6c put on br0.
# ra-stateless: clients form their own address by SLAAC and only fetch DNS
# servers etc. over DHCPv6 (A and O bits set, M bit clear).
# ra-names: give SLAAC hosts DNS names by pairing them with their DHCPv4 lease;
# this only works for hosts using EUI-64 (MAC-derived) addresses, not
# privacy/temporary ones.
dhcp-range=::1,constructor:br0,ra-stateless,ra-names,12h

Restart all the things (the ifupdown unit is called networking):
sudo systemctl start wide-dhcpv6-client
sudo systemctl enable wide-dhcpv6-client
sudo systemctl restart networking
sudo systemctl restart dnsmasq

Nothing was forwarded until I added forwarding rules for firewalld:

firewall-cmd --direct --add-rule ipv6 filter FORWARD 0 -i br0 -o enp1s0 -j ACCEPT

firewall-cmd --direct --add-rule ipv6 filter FORWARD 0 -i enp1s0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Two caveats: direct rules added like this are runtime only and vanish on the next firewall-cmd --reload or reboot unless you repeat them with --permanent, and the second rule only admits replies to traffic the LAN started, which is why unsolicited inbound packets such as ping are still dropped. (-m state is the legacy spelling of -m conntrack --ctstate.)
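The whole procedure above, as an added example script that is not from the original post or from the wide-dhcpv6 or dnsmasq projects: it renders the same configuration from WAN/LAN variables, validates the dnsmasq config before restarting anything, makes the firewalld rules permanent (using -m conntrack instead of -m state) and additionally forwards the ICMPv6 error types that IPv6 needs for path-MTU discovery (RFC 4890). The interface names, the /etc/sysctl.d drop-in path, the /etc/dnsmasq.d snippet name and the assumption that /etc/dnsmasq.conf keeps Debian's conf-dir=/etc/dnsmasq.d line are mine. It changes nothing on the system unless run as root with the argument apply.

```shell
#!/bin/sh
# Added example, not from the original post or from wide-dhcpv6/dnsmasq.
# Assumptions: the interface names below, the /etc/sysctl.d drop-in path, the
# /etc/dnsmasq.d snippet name, and that /etc/dnsmasq.conf keeps Debian's
# conf-dir=/etc/dnsmasq.d line. Changes nothing unless run as "... apply".
set -eu

WAN="${WAN:-enp1s0}"   # upstream (ISP-facing) interface, assumed name
LAN="${LAN:-br0}"      # internal bridge that gets the delegated /64, assumed name

# A host with forwarding on ignores RAs unless accept_ra=2 on that interface.
render_sysctl() {
    printf 'net.ipv6.conf.all.forwarding=1\nnet.ipv6.conf.%s.accept_ra=2\n' "$WAN"
}

# dhcp6c: request one address (ia-na) and one delegated prefix (ia-pd) on the
# WAN side. With a delegated /64 there are no subnet bits, so sla-len/sla-id
# are 0 and the router takes <prefix>::1 on the LAN bridge (ifid 1).
render_dhcp6c_conf() {
    cat <<EOF
profile default {
  information-only;
  request domain-name-servers;
  request domain-name;
  script "/etc/wide-dhcpv6/dhcp6c-script";
};

interface $WAN {
  send rapid-commit;
  send ia-na 0;
  send ia-pd 0;
};

id-assoc na 0 {
};

id-assoc pd 0 {
  prefix ::/64 infinity;
  prefix-interface $LAN {
    sla-len 0;
    sla-id 0;
    ifid 1;
  };
};
EOF
}

# dnsmasq: stateless RAs built from whatever prefix dhcp6c put on the LAN.
render_dnsmasq_conf() {
    printf 'enable-ra\ndhcp-range=::1,constructor:%s,ra-stateless,ra-names,12h\n' "$LAN"
}

# ip6tables-style rule bodies for firewalld's direct FORWARD chain. Beyond the
# two rules in the post, ICMPv6 error messages must reach LAN hosts or
# path-MTU discovery breaks (RFC 4890); echo-request is left to local policy.
forward_rules() {
    cat <<EOF
-i $LAN -o $WAN -j ACCEPT
-i $WAN -o $LAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-i $WAN -o $LAN -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-i $WAN -o $LAN -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-i $WAN -o $LAN -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-i $WAN -o $LAN -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
EOF
}

apply() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    render_sysctl > /etc/sysctl.d/60-ipv6-router.conf
    sysctl --system > /dev/null
    apt-get install -y wide-dhcpv6-client
    render_dhcp6c_conf > /etc/wide-dhcpv6/dhcp6c.conf
    render_dnsmasq_conf > /etc/dnsmasq.d/ipv6-ra.conf
    dnsmasq --test                      # refuse to restart on a broken config
    forward_rules | while read -r rule; do
        # $rule is intentionally word-split into ip6tables arguments
        # shellcheck disable=SC2086
        firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 0 $rule
    done
    firewall-cmd --reload               # activates the permanent direct rules
    systemctl enable --now wide-dhcpv6-client
    systemctl restart dnsmasq
}

if [ "${1:-}" = apply ]; then
    apply
fi
```

Run it as WAN=enp1s0 LAN=br0 sh ipv6-pd-setup.sh apply; without the argument it only defines the functions, so you can source it and eyeball render_dhcp6c_conf or forward_rules first.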

To test:

Check that the internet-facing interface has a global (non-link-local) IPv6 address and a default route, and that br0 has an address from the delegated prefix.

Check that you can ping and open ipv6.google.com. An online IPv6 test site is also a useful way to troubleshoot.
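The checks above, as an added example script that is not part of the original post: it parses ip -6 addr and ip -6 route output to confirm a routable global address on the WAN interface, one on br0, and a default route out of the WAN side, and warns if accept_ra is not 2. The interface names are assumptions, and the SAMPLE_* variables are constructed output in the format ip prints (using the 2001:db8::/32 documentation prefix) so the parsing can be exercised off the router; run it with the argument live on the router itself.

```shell
#!/bin/sh
# Added example, not from the original post. Interface names are assumptions;
# SAMPLE_* are constructed "ip -6 addr" / "ip -6 route" output (2001:db8::/32
# is the documentation prefix) used to exercise the parsers offline.
set -eu

WAN="${WAN:-enp1s0}"
LAN="${LAN:-br0}"

# Global-scope, non-deprecated addresses from "ip -6 addr show dev <if>" on
# stdin. Link-local addresses are printed as "scope link", so they drop out.
global_addrs() {
    awk '/^ *inet6 / && / scope global/ && !/deprecated/ { sub("/.*", "", $2); print $2 }'
}

# fc00::/7 (unique local) is global scope but not routable on the internet.
is_ula() {
    case "$1" in fc*|fd*|FC*|FD*) return 0 ;; esac
    return 1
}

# Succeeds if "ip -6 route" output on stdin contains a default route via $1.
has_default_via() {
    awk -v dev="$1" '
        $1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev" && $(i+1) == dev) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Prints "<if> <addr>" for the first routable global address in $2, else fails.
check_if() {
    for a in $2; do
        is_ula "$a" || { echo "$1 $a"; return 0; }
    done
    echo "$1: no routable global IPv6 address" >&2
    return 1
}

# Live checks on the router: WAN address, LAN address, default route, accept_ra.
live_check() {
    ok=1
    check_if "$WAN" "$(ip -6 addr show dev "$WAN" | global_addrs)" || ok=0
    check_if "$LAN" "$(ip -6 addr show dev "$LAN" | global_addrs)" || ok=0
    ip -6 route | has_default_via "$WAN" || { echo "no default route via $WAN" >&2; ok=0; }
    [ "$(sysctl -n "net.ipv6.conf.$WAN.accept_ra")" = 2 ] || { echo "accept_ra on $WAN is not 2" >&2; ok=0; }
    [ "$ok" = 1 ]
}

# Constructed samples in the format ip prints.
SAMPLE_WAN='2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:abcd:ef01:2345:6789/64 scope global dynamic mngtmpaddr
       valid_lft 86127sec preferred_lft 14127sec
    inet6 fe80::1234:5678:9abc:def0/64 scope link
       valid_lft forever preferred_lft forever'
SAMPLE_LAN='3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:3::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fd00::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::2222:3333:4444:5555/64 scope link
       valid_lft forever preferred_lft forever'
SAMPLE_ROUTES='2001:db8:1:3::/64 dev br0 proto kernel metric 256 pref medium
2001:db8:1:2::/64 dev enp1s0 proto ra metric 1024 expires 86127sec pref medium
fe80::/64 dev br0 proto kernel metric 256 pref medium
fe80::/64 dev enp1s0 proto kernel metric 256 pref medium
default via fe80::1 dev enp1s0 proto ra metric 1024 expires 1527sec pref medium'

if [ "${1:-}" = live ]; then
    live_check
else
    # Offline run against the constructed samples.
    check_if "$WAN" "$(printf '%s\n' "$SAMPLE_WAN" | global_addrs)"
    check_if "$LAN" "$(printf '%s\n' "$SAMPLE_LAN" | global_addrs)"
    printf '%s\n' "$SAMPLE_ROUTES" | has_default_via "$WAN" && echo "default route via $WAN"
fi
```

The ULA filter matters because dhcp6c-script or a leftover fd00:: address can make br0 look configured when nothing routable arrived from the ISP; the live mode exits non-zero as soon as any of the four conditions fails, so it can sit in a cron job or a systemd timer.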

There are still a few bits to work out, but these steps work well enough to get things running.