Ubiquiti Edgerouter IPv6 (Zen Internet UK) plus Tayga NAT64 configuration

Nearly 23 years after starting a new job managing IPv6 development at Cisco Systems, I've finally ended up with an ISP here in the UK that actually supports IPv6. So I thought I'd better turn it on.

Zen Fibre still uses PPPoE, and they give you a static /64 via SLAAC and a static /48 that's allocated via DHCPv6-PD.  Although the prefixes are static, it appears that you have to use PD to make a prefix request, in order for routing for the whole /48 block to be enabled in your direction.  

The configuration I ended up with is as follows. I disable use of the ISP's DNS server as I've got my own local server with ad-blocking.

The firewall setup isn't shown, but blocks all incoming traffic, allows ICMPv6, established sessions and DHCPv6. 

A caveat about using the Edgerouter's PD implementation is that the "service slaac" clause auto-generates a basic radvd configuration for that interface. However, this then gets overwritten if you explicitly configure any ipv6 router advertisement options on the interface.  So you can't use both, it has to be one or the other on a per interface basis.

  ethernet eth2 {
        description WAN
        duplex auto
        mtu 1508
        speed auto
        vif 911 {
            description "Zen VLAN"
            mtu 1508
            pppoe 0 {
                default-route force
                dhcpv6-pd {
                    no-dns
                    pd 0 {
                        interface eth1 {
                            host-address ::1
                            no-dns
                            prefix-id ::1
                            service slaac
                        }
                        interface eth4 {
                            host-address ::1
                            prefix-id :4
                            service slaac
                        }
                        prefix-length /48
                    }
                    prefix-only
                }
                firewall {
                    in {
                        ipv6-name ipv6-fw
                        name WAN_IN
                    }
                    local {
                        ipv6-name ipv6-fw
                        name WAN_LOCAL
                    }
                }
                ipv6 {
                    address {
                        autoconf
                    }
                    enable {
                    }
                }
                mtu 1500
                name-server none
                password ****************
                user-id ****************
            }
        }
    }

I also have an IPv6-only internal interface, that uses Tayga to provide NAT64 for the access to the "legacy" internet.  As this needs some custom setup, it has to be explicitly configured for the reason mentioned above:

        vif 11 {
            address 2a02:****:****:11::1/64
            description Future
            ipv6 {
                dup-addr-detect-transmits 1
                router-advert {
                    cur-hop-limit 64
                    default-lifetime 1800
                    managed-flag false
                    max-interval 360
                    min-interval 60
                    name-server 2001:4860:4860::6464
                    other-config-flag false
                    prefix 2a02:****:****:11::/64 {
                        autonomous-flag true
                        on-link-flag true
                    }
                    reachable-time 0
                    retrans-timer 0
                    send-advert true
                }
            }

You can install Tayga on an Edgerouter using apt install, but since it's not compatible with current systemd, you don't get proper startup/shutdown support, and the installation doesn't complete successfully, despite leaving all the files present.  So I just start it by hand from rc.local. 

I'm using the well-known prefix and Google public DNS64 rather than having to run my own server.

# start Tayga because there's no systemd support for it

/usr/sbin/tayga --mktun

ip link set nat64 up
ip route add 64:ff9b::/96 dev nat64 
ip route add 192.168.64.0/24 dev nat64

/usr/sbin/tayga  # start daemon

exit 0

The contents of /etc/tayga.conf are:

tun-device nat64
ipv4-addr 192.168.64.5
ipv6-addr 2a02:****:****:11::2
prefix 64:ff9b::/96
dynamic-pool 192.168.64.0/24

See, it works:
  
admin@ubnt:~$ ping  64:ff9b::8.8.8.8
PING 64:ff9b::8.8.8.8(64:ff9b::808:808) 56 data bytes
64 bytes from 64:ff9b::808:808: icmp_seq=1 ttl=117 time=18.2 ms
64 bytes from 64:ff9b::808:808: icmp_seq=2 ttl=117 time=9.68 ms

Comments

Post a Comment

Popular posts from this blog

DECnet-VAX Phase V WAN connectivity with simh

Installing VMS and DECnet-Plus HP's VMS Hobbyist program used to make the VMS 7.3 distribution CD available as an ISO image file. While there is no longer an official hobbyist program, I would imagine that the CD image is findable if you look hard enough. Once in possession of an image of the VAXVMS073 CD, you can install it using your simh configuration of choice, which must have a Qbus or Unibus.  There are plenty of examples out there to help with VMS installation, but if starting from scratch, you boot from the CD; use standalone backup to expand saveset B onto your normal boot medium, then boot as normal and go through the installation dialogue.  During the installation you should choose to install DECnet-Plus (aka Phase V). Here's an example:  https://raymii.org/s/blog/OpenVMS_7.3_install_log_with_simh_vax_on_Ubuntu_16.04.html To make the system fully useful, you'll need a valid license loaded for at least VAX-VMS and DVNETEND (endnode) or DVNETRTG (router).  O...
Read more

Time Electronics 9814 IEEE-488 Interface testing

Image
I mentioned in an earlier post about this instrument that I might try to get IEEE-488 working with it. I'd naively assumed that one could simply search on eBay for "USB to IEEE-488 interface" and pick something up that would have an open source Linux driver for about £10.  I was slightly surprised to find that the new price for such an item was actually over £1000, which I suppose just demonstrates that IEEE-488 was never used outside of labs, and as such, why leave money on the table by making it cheap ? Anyway, it turned out that there's a very nice  Arduino project  that just needs a cable to be wired up, so I thought I'd have a go at that since I had a Mega in the cupboard. AliExpress obliged with a cheap cable that I could butcher, and I set to work with a set of pins and some crimping pliers After a bit of crimping, sorting out the wiring diagram from the AR488 manual, and full checking for connectivity, I had this mess The AR488 software needs some minor co...
Read more

Ubiquiti Edgerouter ER-X Flash issues (free space, hangs, firmware upgrades)

  The ER-X is a very cheap 5 port router, with a lot of enterprise-level software features. It's almost too cheap, because it doesn't really have enough Flash memory, and certainly with earlier samples, the Flash itself was rather unreliable. For a start, there isn't enough Flash space to store three images, so when you want to upgrade the firmware, you always need to delete any old backup version that's still installed to make enough free space ("delete system image" CLI command). The firmware upgrade process ("add system image") itself can be rather hit&miss on devices that suffer from unreliable Flash, requiring multiple attempts to succeed. The symptom I found is an apparent hang at the "Copying Image" stage, with a crash and reboot after a few minutes. There are many reports on the Internet of ER-X having random hangs with various software versions, in particular there's a symptom where IP forwarding seems to work normally, but...
Read more