Native IPv6 with DHCPv6-PD #3
Yeah, I figured this out earlier today. :-) Thanks for that link. Once I realized EdgeOS wasn't willing to configure dhcp6c on a VLAN, I just ran it manually like so:
That causes dhcp6c to print verbose debugging messages ( |
I just realized you can do this which may work (untested):
edit: that starts which is probably not what's wanted. |
I think that will fail if you also have dhcpv6-pd configured on that interface because it automatically does ia-na in that case. |
Actually, I take it back. That got a reply and I now have an IPv6 address on eth0.0:
|
I'm not sure I care about dhcpv6-pd. I may just manually configure dnsmasq to handle the RA's on my LAN. However, I've only got a /64 on eth0.0. Okay, more experimenting to do. I'll report back here. |
The IPv6 address in the DHCPv6 reply is bogus. Or at least, AT&T isn't advertising a route to it AFAICT. Drat. I probably won't play with this anymore for a while. I'll plug my RG in directly to the ONT once a month or so and once it gets a native IPv6 I'll try again. |
I'm likely going to have to get a capture between the ONT and the RG to get the DUID, that capture might tell me some other useful things as well. Will update after I've tried that. |
Has anyone been able to get native IPv6 going when bypassing with the eap proxy? |
In the original thread on dslreports someone posted that it requires spoofing the DUID-EN to match the RGs: I've had my RG in DMZPlus mode the last couple months because I was traveling and didn't want there to be any trouble with my connection while I was away. In the interim, AT&T has upgraded its firmware and moved it from 6rd to native IPv6. I'll be setting things back up with the proxy and once I have native IPv6 working I'll document the setup in the README here. |
I spent about 7-10 days now trying to get native IPv6 working, here's what I found/did:
My guess would be now that I simply have to wait for a week or two until my IPv6 lease on AT&T's side is up and I'll get a prefix delegated onto eth0.0 through dhcp6c (that I started manually). |
Got it working.
There's no way to get EdgeOS to write that correctly, so you have to set it up by hand. I was able to get EdgeOS to write a proper
That's the DUID for a Pace 5268AC and the
I sniffed the values via tcpdump, but confirmed they match the serial number from the RG web interface. Anyway, once I created
I'm using I also have an IPv6 firewall, but I won't document that here. It's too bad EdgeOS can't configure |
Funny, I got it working yesterday morning too. I had to wait almost two weeks for AT&T to expire my dhcp lease and I was suddenly getting an IPv6. I did basically the same thing as you did, although, I just generated myself the duid through pfSense and edited the duid on my edgerouter to match. Verified the same thing through tcpdump. Anyways, what I'm wondering is if you did any modification to any perl scripts for your dhcp6c come up and so that I always get I also had to set the next-hop/static IPv6 route to actually make IPv6 work |
For reference, I created a script that you put in /config/scripts/post-config.d/ and chmod +x here. It fixes the faulty weird endian error for dhcp6c_duid and automates everything else. https://gist.github.com/jrgutier/283cf1469273b0b3ddcfb781e97be895 |
I used the script and it generated a code that starts like this: È00D09E Should I go in and delete the È or is that what everyone else gets? |
The script didn't work for me as the calculation was totally screwed. Imho, your best bet is to use the calculator pfsense has integrated and pulling the config from there yourself. |
No access to a pfsense box- sent you a message.
… On Jul 26, 2018, at 12:35 PM, Florian Harr ***@***.***> wrote:
The script didn't work for me as the calculation was totally screwed. Imho, your best bet is to use the calculator pfsense has integrated and pulling the config from there yourself.
|
Yea I’m using 4.4.26 and 5.9.16 I just need help setting my Script above doesn’t work right. Hoping for some help from someone with pfsense to generate the proper duid for me. |
I just upgraded to an EdgeRouter-4 (I lost my ERL-3 to lightning recently) and was able to get native IPv6 working with:
I'm not sure the custom DUID is necessary. I think if you're willing to wait 2 weeks for any existing IPv6 lease to time out it will acquire a new lease correctly w/o a custom DUID. That said... I was using the RG for a while my ERL-3 was dead, so it's possible once the existing lease times out that this won't work correctly, but for now it's working. The VLAN 0 bug referenced at the start of this conversation is fixed in EdgeOS v1.10.5. |
Would it be okay to delete the generated DUID file in the dhcp6c folder that was generated from the script?
Thanks,
Jason
Sent from my iPhone
… On Jul 26, 2018, at 2:46 PM, Jay Soffian ***@***.***> wrote:
I just upgraded to an EdgeRouter-4 (I lost my ERL-3 to lightning recently). I had no trouble getting native IPv6 working and I didn't use a custom dhcp6c-eth0.0-pd.conf this time. The one generated by EdgeOS worked fine for me. Relevant config:
set interfaces ethernet eth3 vif 0 dhcpv6-pd duid '00:02:00:00:0d:e9:30:30:44:30:39:45:2d:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx'
set interfaces ethernet eth3 vif 0 dhcpv6-pd pd 1 interface eth1 host-address '::1'
set interfaces ethernet eth3 vif 0 dhcpv6-pd pd 1 interface eth1 no-dns
set interfaces ethernet eth3 vif 0 dhcpv6-pd pd 1 interface eth1 prefix-id ':1'
set interfaces ethernet eth3 vif 0 dhcpv6-pd pd 1 prefix-length 60
set interfaces ethernet eth3 vif 0 dhcpv6-pd prefix-only
set interfaces ethernet eth3 vif 0 dhcpv6-pd rapid-commit disable
I'm not sure the custom DUID is necessary. I think if you're willing to wait 2 weeks for any existing IPv6 lease to time out it will acquire a new lease correctly w/o a custom DUID. That said... I was using the RG for a while my ERL-3 was dead, so it's possible once the existing lease times out that this won't work correctly, but for now it's working.
Disabling rapid-commit and setting prefix-only both seem to be needed.
The VLAN 0 bug referenced at the start of this conversation is fixed in EdgeOS v1.10.5. The script posted above is not necessary. /var/lib/dhcpv6/dhcp6c_duid is written correctly just by setting the duid via the EdgeOS configuration, and with the bug fixed, there's no need to manually start dhcp6c.
|
I'm not sure IPv6 is worth the trouble on AT&T at this time. I notice when I request an IPv6 address via NA (I did have to manually edit When I disable NA (by setting the However, IPv6 connections are flaky. I'm seeing the symptoms described here: https://forums.att.com/t5/AT-T-Internet-Equipment/Partial-IPv6-access/td-p/5384167 So I'm probably just going to disable IPv6 till AT&T gets its act together. :-( |
When I had it working with the switch bypass it worked great for me. Especially streaming video like Netflix.
… On Jul 26, 2018, at 4:25 PM, Jay Soffian ***@***.***> wrote:
I'm not sure IPv6 is worth the trouble on AT&T at this time. I notice when I request an IP address via NA, I get the same IP on my router as the RG gets, but that address is not globally routable, so I can't reach any IPv6 sites from the router itself with NA enabled. For reference, I'm getting this IP assigned to the WAN interface via NA: 2001:506:73d4:67a::1.
When I disable NA (by setting the prefix-only option), I can reach the outside world as the router uses its IPv6 address assigned via PD to the LAN interface. I don't mind sharing that IPv6: 2600:1700:3d40:6300::1/64.
However, IPv6 connections are flaky. I'm seeing all the same symptoms described here:
https://forums.att.com/t5/AT-T-Internet-Equipment/Partial-IPv6-access/td-p/5384167
So I'm probably just going to disable IPv6 till AT&T gets its act together. :-(
|
@janthony6 the reason you're having trouble with the DUID (I think...) is that the ER-X is little-endian (mipsel) while the ER-Lite and ER4 are big-endian. The script from @jrgutier assumes little-endian so it only works correctly on an ER-X. Meanwhile, the EdgeOS script ( |
Fixed things by removing the script completely and then deleting the dhcp6c_duid file in var/lib/dhcp6c and then rebooting. Picked up my global ipv6 right away on eth2.0 and have it working on all my devices.
… On Jul 26, 2018, at 7:25 PM, Jay Soffian ***@***.***> wrote:
@janthony6 the reason you're having trouble with the DUID (I think...) is that the ER-X is little-endian (mipsel) while the ER-Lite and ER4 are big-endian. I don't know what @caffeineflo is running. The EdgeOS script (/opt/vyatta/sbin/dhcpv6-pd-duid.pl) which writes /var/lib/dhcpv6/dhcp6c_duid properly accounts for endianness. The script from @jrgutier assumes little-endian so it only works correctly on an ER-X.
|
You guys have done some great work on this! I'm using eap_proxy, and have updated to EdgeOS v1.10.5 as above. I ran:
(whilst replacing the duid + ethernet interface names with corresponding names from my side) And strangely enough now get my prefix delegation assigned to my LAN as expected, but my WAN does not get an address. Has anyone else experienced this?
|
@sethwonder yes that's what I describe in |
My apologies. With some more experimentation I have realized that the IPv6 connectivity for my LAN is working just fine; it's just the edgerouter itself that has no IPV6 connectivity on its WAN interface. I'm not too concerned about that given that the rest is working. For anyone interested, here is the configuration I ended up with:
Huge props again to @jaysoffian for eap_proxy in the first place. I just got my AT&T fiber yesterday and was really bummed about the crummy router situation! |
Can someone help me generate a duid for a BGW210-700? I assume that the OUI is different from that of the PACE routers? |
@abulgatz My BGW210-700 was |
Using your prefix here along with my S/N in hex and instructions from https://github.com/aus/pfatt I was able to get ipv6 working. Thanx for the info! |
@sethwonder the reason that your EdgeRouter itself has no IPv6 is because of your @lizan thanks for the info. Can you tell me how you got this information from tcpdump? And I guess my original AT&T duid expired, because IPv6 is working now without explicitly setting a duid. That doesn't mean I don't want to know how to fix/troubleshoot this in the future though, so I'd like to know your tcpdump setup. @jaysoffian or anyone else in the group, can you explain why you have Thanks! |
@abulgatz, per @jaysoffian:
So that might be your case, so I think you can just leave it as is. I did tcpdump to capture all traffic from AT&T Router i.e. |
I have the exact same issue that IPv6 isn't working on the EdgeRouter itself, yet, I have never had the prefix-only option set. My eth0 vif 0 config looks like this
|
So looking at a tcpdump of my eth0.0, the router is requesting prefix delegation and is receiving "dhcp6 advertise" messages back (which if I understand correctly are the first two steps of the handshake for dhcpv6), but then it just... stops for a while, then repeats. eth0.0 v6-pd config:
Using I've got IPv6 working through HE TunnelBroker, so it's not the worst thing in the world if I can't get this working, but it is frustrating. Any ideas? Running on ER4 v1.10.9 if that makes a difference. |
@Code-You-Fools I'll be honest, I'm not running IPv6 at the moment. I got it working on AT&T with both their tunnel, and then native, but every so often I'd have random connectivity/latency issues and I was never sure if it was related to IPv6 or not. So I ended up just disabling it. Other than the info in this thread I don't have any assistance to offer. |
@Code-You-Fools sounds like a firewall issue, do you have it enabled? I needed to add the following to mine for native ipv6 to work.
|
@cerealcable That worked perfectly, thank you!
If you have a BGW210-700, replace the duid prefix with |
The router doesn't have ipv6 access because the /128 given via DHCP from
AT&T Fiber for some reason comes from a block they have assigned from ARIN
but do not advertise. I have no idea why they do this, but that's the
problem.
…On Thu, Jun 27, 2019, 5:21 PM Michael ***@***.***> wrote:
@cerealcable <https://github.com/cerealcable> That worked perfectly,
thank you!
For anyone who wants to try getting native IPv6 working, the relevant
configuration I used was this (I have a PACE 5268AC):
    firewall {
        ipv6-name ipv6-wan-in {
            default-action drop
            description "WAN to LAN"
            rule 1 {
                action accept
                description "Allow established/related"
                state {
                    established enable
                    related enable
                }
            }
            rule 2 {
                action drop
                description "Drop invalid"
                state {
                    invalid enable
                }
            }
            rule 3 {
                action accept
                description "Allow ICMPv6"
                protocol icmpv6
            }
        }
        ipv6-name ipv6-wan-local {
            default-action drop
            description "WAN to router"
            rule 1 {
                action accept
                description "Allow established/related"
                state {
                    established enable
                    related enable
                }
            }
            rule 2 {
                action drop
                description "Drop invalid"
                state {
                    invalid enable
                }
            }
            rule 3 {
                action accept
                description "Allow ICMPv6"
                protocol icmpv6
            }
            rule 4 {
                action accept
                description "Allow DHCPv6"
                destination {
                    port dhcpv6-client
                }
                protocol tcp_udp
            }
        }
    }
    interfaces {
        ethernet eth0 {
            description WAN
            duplex auto
            firewall {
                in {
                    ipv6-name ipv6-wan-in
                    name wan-in
                }
                local {
                    ipv6-name ipv6-wan-local
                    name wan-local
                }
            }
            speed auto
            vif 0 {
                description "WAN VLAN 0"
                dhcp-options {
                    default-route update
                    default-route-distance 210
                    name-server update
                }
                dhcpv6-pd {
                    duid 00:02:00:00:0d:e9:30:30:44:30:39:45:2d:[S/N converted from ASCII to hex]
                    pd 1 {
                        interface eth1 {
                            host-address ::1
                            no-dns
                            prefix-id :1
                            service slaac
                        }
                        prefix-length 60
                    }
                    rapid-commit disable
                }
                firewall {
                    in {
                        ipv6-name ipv6-wan-in
                        name wan-in
                    }
                    local {
                        ipv6-name ipv6-wan-local
                        name wan-local
                    }
                }
            }
        }
        ethernet eth1 {
            address 192.168.1.1/24
            description LAN
            duplex auto
            speed auto
        }
        ethernet eth2 {
            description "AT&T Router"
            duplex auto
            speed auto
        }
    }
If you have a BGW210-700, replace the duid prefix with
00:02:00:00:0d:e9:30:30:31:45:34:36:2d:.
Only problem is that the router itself doesn't have IPv6 access for some
reason, but the LAN clients do, so it isn't a big deal.
|
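Added example, not code from this thread or from eap_proxy: it builds the DUID-EN string from the two prefixes quoted above plus a serial number, and shows why a helper that writes the dhcp6c_duid file with the wrong byte order produces a file that fails a length check. The serial number is constructed, the function names are hypothetical, and the file layout (a 16-bit length in host byte order followed by the DUID bytes) is an assumption consistent with the endianness discussion above.

```python
import struct

# Prefixes quoted in this thread: DUID type 2 (DUID-EN), enterprise number
# 0x00000de9, then the ASCII OUI and a hyphen.
PREFIX_5268AC = "00:02:00:00:0d:e9:30:30:44:30:39:45:2d"  # ASCII "00D09E-"
PREFIX_BGW210 = "00:02:00:00:0d:e9:30:30:31:45:34:36:2d"  # ASCII "001E46-"

_LEN_FMT = {"big": ">H", "little": "<H"}


def build_duid(prefix: str, serial: str) -> bytes:
    """Return prefix bytes followed by the serial number encoded as ASCII."""
    head = bytes.fromhex(prefix.replace(":", ""))
    if head[:2] != b"\x00\x02":
        raise ValueError("prefix is not a DUID-EN (type 2)")
    # Assumption: serial numbers are printable ASCII without spaces.
    if not serial or not serial.isascii() or not serial.isprintable() or " " in serial:
        raise ValueError("serial must be printable ASCII without spaces")
    return head + serial.encode("ascii")


def edgeos_duid(duid: bytes) -> str:
    """Colon-separated hex, the form used by 'dhcpv6-pd duid' in the config."""
    return ":".join(f"{b:02x}" for b in duid)


def duid_file(duid: bytes, byteorder: str) -> bytes:
    """Assumed dhcp6c_duid layout: uint16 length in host byte order, then DUID."""
    return struct.pack(_LEN_FMT[byteorder], len(duid)) + duid


def parse_duid_file(blob: bytes, byteorder: str) -> bytes:
    """Read a dhcp6c_duid blob as a host of the given byte order would."""
    if len(blob) < 2:
        raise ValueError("file too short to hold a length field")
    (length,) = struct.unpack(_LEN_FMT[byteorder], blob[:2])
    if length != len(blob) - 2:
        raise ValueError(
            f"length field says {length} bytes but {len(blob) - 2} follow; "
            "file was probably written for the other byte order"
        )
    return blob[2:]


if __name__ == "__main__":
    serial = "12345N678901"  # constructed sample, not a real serial number
    duid = build_duid(PREFIX_5268AC, serial)
    print("config value:", edgeos_duid(duid))
    little = duid_file(duid, "little")  # what a little-endian-only script writes
    try:
        parse_duid_file(little, "big")  # how a big-endian router reads it
    except ValueError as exc:
        print("big-endian read fails:", exc)
```
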
@cerealcable so is there any way to get the router IPv6 access? |
I assigned a /64 out of the PD block to my loopback, worked fine for enabling remote IPv6 access, however lots of services aren't able to specify a source interface and that causes some issues, so I'd say it's not completely possible, but you could get something working. |
Anyone got IPv6 working and can reproduce it? I've followed every comment through this thread and had no luck. |
IPv6 is working correctly for me. My configuration is similar to above. Relevant IPv6 portions:
Re: eth1 is LAN, eth3 is the ONT (WAN) port. I'm using dnsmasq for handling RA on the LAN port. The router does not have an IPv6 address on its WAN port, only on its LAN port. This works fine. The dhcpv6 client ends up with this config:
EdgeOS v1.10.10 on an ER-4. |
@Farjad The relevant parts of my current config:
[WAN_IF] and [LAN_IF] should be self-explanatory - just replace them with whatever interface is hooked up to the WAN or LAN respectively. In Of note is the fact that your router will not have IPv6 access. To test your config you will need a PC behind the EdgeRouter. If you're using any apt repositories, you'll want to run If you like, you could take notes from @jaysoffian's latest config and define rate-limits for ICMPv6 messages based on message types, if you're worried about malicious actors trying to flood you with ICMPv6 requests, but I personally just like completely blocking them using an address list. Obviously, this is not a complete, plug-and-play configuration. I have no idea what would happen if someone decided to use it as such, but I take no responsibility for the results. |
I don't find that to be the case:
|
So this is my config after following your instructions:
Still no dice though!
And:
|
So I created And it is definitely working now. Thanks @jaysoffian and @Code-You-Fools I should note, is there any way to automatically create this? Or is this expected to be created manually? |
So I restarted my router a few times and it ends up auto-deleting So I imagine there's some setting to automatically run it.. |
@Farjad You shouldn't manually create My related config from
After pushing this config, the following content is created automatically at
|
So everything I've tried in my |
@Farjad you don't need to create that file manually. It's created automatically per the comment at the top of the file. I only shared mine as an example of what it looks like. The relevant settings which create that file are the |
So I upgraded my firmware (might have been the reason), now my Thanks for all your help guys! |
A small update: I setup a fresh config using @jaysoffian's config but with only one change:
Without this option, I was not able to get ipv6 going. Note that previously, our BGW210 grabbed two /64's; one it held onto and one it passed to our network (I had the modem setup in passthrough mode). With this option, I was given the modem block and my clients on the LAN get IPs from it (which makes way more sense than what was happening before). |
Some remarkably smart people on this thread. Very enlightening conversation. I was able to get eap_proxy going on the bgw210-700 on the first shot with @jaysoffian's files and @Genghis1227's instructions. I got it going on the erpoe5, erx and edgerouter 4. However, instead of using the perfect bridge, I spent the next 4 days wondering why the RG had a red blinking led on the broadband (ONT) connection :) Shows how the human brain is trained to see green to indicate things are OK. Thank you folks for the great instructions and wizardry. Some fine engineering indeed! |
I recently changed from a PACE 5268AC to the ARRIS BGW210-700. I had already had my ER-4 set up with EAP-Proxy so only had to change the MAC and DUID to get it all working. Thank you to those on this thread for the DUID help. The old gen-duid.sh script from pfatt does not include the correct prefix for the BGW210-700, but using the prefix here worked! FYI, I also found that if you create a DHCP server on the ER-4 to serve addresses to the BGW210, it'll stop blinking and "be happy" with the world! |
I got this working on ER-Lite 3 with the help of this thread. Adding my findings here to help others:
Best of luck! |
I was playing around earlier trying to see if I could get DHCPv6-PD to work with the native ipv6 in my area and haven't had success yet, but wanted to share my progress.
The first problem I encountered was related to the fact that the ONT uses vlan 0 which EdgeMax doesn't like in some areas (e.g. https://community.ubnt.com/t5/EdgeMAX/Virtual-Interface-0-with-DHCP/m-p/1709119). DHCP for IPv4 seems to work with it using what you have here, but the config for the dhcp6c config wasn't being generated for me until I modified the perl module referenced in that article.
After that, I was sending DHCPv6 solicitations, but getting no response. I'm going to see if I can find the DUID that the ATT gateway is using and see if copying that into my router makes a difference.