Ubiquiti Edgerouter IPv6 (Zen Internet UK) plus Tayga NAT64 configuration

Nearly 23 years after starting a new job managing IPv6 development at Cisco Systems, I've finally ended up with an ISP here in the UK that actually supports IPv6. So I thought I'd better turn it on.

Zen Fibre still uses PPPoE, and they give you a static /64 via SLAAC and a static /48 that's allocated via DHCPv6-PD.  Although the prefixes are static, it appears that you have to use PD to make a prefix request, in order for routing for the whole /48 block to be enabled in your direction.  

The configuration I ended up with is as follows. I disable use of the ISP's DNS server as I've got my own local server with ad-blocking.

The firewall setup isn't shown, but blocks all incoming traffic, allows ICMPv6, established sessions and DHCPv6. 

A caveat about using the Edgerouter's PD implementation is that the "service slaac" clause auto-generates a basic radvd configuration for that interface. However, this then gets overwritten if you explicitly configure any ipv6 router advertisement options on the interface.  So you can't use both, it has to be one or the other on a per interface basis.

  ethernet eth2 {
        description WAN
        duplex auto
        mtu 1508
        speed auto
        vif 911 {
            description "Zen VLAN"
            mtu 1508
            pppoe 0 {
                default-route force
                dhcpv6-pd {
                    no-dns
                    pd 0 {
                        interface eth1 {
                            host-address ::1
                            no-dns
                            prefix-id ::1
                            service slaac
                        }
                        interface eth4 {
                            host-address ::1
                            prefix-id :4
                            service slaac
                        }
                        prefix-length /48
                    }
                    prefix-only
                }
                firewall {
                    in {
                        ipv6-name ipv6-fw
                        name WAN_IN
                    }
                    local {
                        ipv6-name ipv6-fw
                        name WAN_LOCAL
                    }
                }
                ipv6 {
                    address {
                        autoconf
                    }
                    enable {
                    }
                }
                mtu 1500
                name-server none
                password ****************
                user-id ****************
            }
        }
    }

I also have an IPv6-only internal interface, that uses Tayga to provide NAT64 for the access to the "legacy" internet.  As this needs some custom setup, it has to be explicitly configured for the reason mentioned above:

        vif 11 {
            address 2a02:****:****:11::1/64
            description Future
            ipv6 {
                dup-addr-detect-transmits 1
                router-advert {
                    cur-hop-limit 64
                    default-lifetime 1800
                    managed-flag false
                    max-interval 360
                    min-interval 60
                    name-server 2001:4860:4860::6464
                    other-config-flag false
                    prefix 2a02:****:****:11::/64 {
                        autonomous-flag true
                        on-link-flag true
                    }
                    reachable-time 0
                    retrans-timer 0
                    send-advert true
                }
            }

You can install Tayga on an Edgerouter using apt install, but since it's not compatible with current systemd, you don't get proper startup/shutdown support, and the installation doesn't complete successfully, despite leaving all the files present.  So I just start it by hand from rc.local. 

I'm using the well-known prefix and Google public DNS64 rather than having to run my own server.

# start Tayga because there's no systemd support for it

/usr/sbin/tayga --mktun

ip link set nat64 up
ip route add 64:ff9b::/96 dev nat64 
ip route add 192.168.64.0/24 dev nat64

/usr/sbin/tayga  # start daemon

exit 0

The contents of /etc/tayga.conf are:

tun-device nat64
ipv4-addr 192.168.64.5
ipv6-addr 2a02:****:****:11::2
prefix 64:ff9b::/96
dynamic-pool 192.168.64.0/24

See, it works:
  
admin@ubnt:~$ ping  64:ff9b::8.8.8.8
PING 64:ff9b::8.8.8.8(64:ff9b::808:808) 56 data bytes
64 bytes from 64:ff9b::808:808: icmp_seq=1 ttl=117 time=18.2 ms
64 bytes from 64:ff9b::808:808: icmp_seq=2 ttl=117 time=9.68 ms

Comments

Post a Comment

Popular posts from this blog

DECnet-VAX Phase V WAN connectivity with simh

Installing VMS and DECnet-Plus HP's VMS Hobbyist program used to make the VMS 7.3 distribution CD available as an ISO image file. While there is no longer an official hobbyist program, I would imagine that the CD image is findable if you look hard enough. Once in possession of an image of the VAXVMS073 CD, you can install it using your simh configuration of choice, which must have a Qbus or Unibus.  There are plenty of examples out there to help with VMS installation, but if starting from scratch, you boot from the CD; use standalone backup to expand saveset B onto your normal boot medium, then boot as normal and go through the installation dialogue.  During the installation you should choose to install DECnet-Plus (aka Phase V). Here's an example:  https://raymii.org/s/blog/OpenVMS_7.3_install_log_with_simh_vax_on_Ubuntu_16.04.html To make the system fully useful, you'll need a valid license loaded for at least VAX-VMS and DVNETEND (endnode) or DVNETRTG (router).  Once aga
Read more

Time Electronics 9814 Programmable Voltage Calibrator

Image
I left school having just turned 17 after my 'A' levels in 1980, needing to fill a year before going to University, and ended up working at Time Electronics in Tonbridge.   The company made electronic calibration lab instruments, and I worked there for a year before University, and then in most vacations subsequently until I started my first post-graduation job at DEC in 1984. More reminiscences about this in a future post perhaps. The biggest project I was involved with was a new range of programmable instrumentation, with remote operation via IEEE-488/GPIB and local front panel controls. This range included voltage and current sources, a programmable resistance, multi-way switch, and screwdriver *(1).  Later on, a multi-function calibrator was produced, combining several functions in one unit. Since I retired from actual paid employment a few years ago, I've been slowly collecting working versions of things I worked on during my career.  For example, using simh, I can run
Read more

DECnet-VAX Phase V P.S.I. configuration in open_simh

The addition of HDLC framing support to the DUP11/DPV11 devices in open_simh extends the number of networking products can be used under VMS in the simulator. The most obvious product to demonstrate is VAX P.S.I., which provides X.25 connectivity.  This example uses P.S.I. in its simplest possible mode, with two systems connected back to back, one configured to act as a DCE (X.25 is asymmetric).  P.S.I. is shipped as part of DECnet-Plus, so if you chose not to install it originally, re-run "PRODUCT INSTALL" for DECnet-Plus, and answer yes to the question about installing P.S.I. The rest of your configuration will remain unchanged. A valid license for "P.S.I." is needed to get started.   If you're feeling confident, you can just run @sys$manager:psi$configure and go through the configurator, to produce your own startup scripts. To avoid needing to run the configurator, and just use the example scripts below, do the following while logged in as SYSTEM: $ set def
Read more