EdgeRouter-X IPv4/IPv6 dual-stack setup (DS-Lite edition)
Even though the line is FLET'S Next (NGN) with IPoE (IIJmio fiber access/NF), i.e. an IPv6-native environment, my setup was the humiliating one in which only IPv4 over PPPoE was actually used, so I set out to make it dual-stack. The catch is that for the devices behind the ER-X to obtain IPv6 addresses they must be able to exchange RAs, so the ER-X has to pass IPv6 through untouched. That calls for a bridge interface and the related configuration.
Setup (as of 2018/1/6)
- FTTH type: NTT East FLET'S Hikari Next, without Hikari Denwa
- Provider: IIJmio fiber access/NF (built on transix); IPv4 is carried over DS-Lite
- An ER-X is used as the CPE, configured for DS-Lite, to give clients an IPv4 + IPv6 dual-stack environment
- A wireless router running in AP mode sits below it, so wireless is covered as well
- Diagrammed, it looks like this (the client side is rough and the ASCII art is hard to read, sorry)
                                                                 +-----------------------+
+--------+ 4,6  +-------+      +-----+      +-----------+        |IPoE(transix)          |
|client_A+------+       |      |     |      |           |   6    |                       | +-------------+
+--------+      |       |      |     |      |           +--------+-----------------------+-+IPv6 Internet|
    o           |CPE(B4)|  6   |     |      |           |        |                       | +-------------+
    o           |       +------+modem+------+ Flets_NGN |        |                       |
    o           | ER-X  |      |     |      |           |        |    +----+             | +-------------+
+--------+      |       |      |     |      |           +--------+----+AFTR+-------------+-+IPv4 Internet|
|client_Z+------+       |      |     |      |           | 4over6 |    +----+      4      | +-------------+
+--------+ 4,6  +-------+      +-----+      +-----------+        |                       |
                                                                 +-----------------------+
Configuration
config (as of 2018/1/6)
george@gw:~$ show configuration commands
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ipv6-name WAN_IN_IPv6 default-action drop
set firewall ipv6-name WAN_IN_IPv6 description 'IPv6 WAN to LAN'
set firewall ipv6-name WAN_IN_IPv6 enable-default-log
set firewall ipv6-name WAN_IN_IPv6 rule 10 action accept
set firewall ipv6-name WAN_IN_IPv6 rule 10 description 'Allow established/related'
set firewall ipv6-name WAN_IN_IPv6 rule 10 state established enable
set firewall ipv6-name WAN_IN_IPv6 rule 10 state related enable
set firewall ipv6-name WAN_IN_IPv6 rule 20 action accept
set firewall ipv6-name WAN_IN_IPv6 rule 20 description 'Allow IPv6 ICMP'
set firewall ipv6-name WAN_IN_IPv6 rule 20 protocol ipv6-icmp
set firewall ipv6-name WAN_IN_IPv6 rule 30 action drop
set firewall ipv6-name WAN_IN_IPv6 rule 30 description 'Drop invalid state'
set firewall ipv6-name WAN_IN_IPv6 rule 30 state invalid enable
set firewall ipv6-name WAN_LOCAL_IPv6 default-action drop
set firewall ipv6-name WAN_LOCAL_IPv6 description 'IPv6 WAN to router'
set firewall ipv6-name WAN_LOCAL_IPv6 enable-default-log
set firewall ipv6-name WAN_LOCAL_IPv6 rule 10 action accept
set firewall ipv6-name WAN_LOCAL_IPv6 rule 10 description 'Allow established/related'
set firewall ipv6-name WAN_LOCAL_IPv6 rule 10 state established enable
set firewall ipv6-name WAN_LOCAL_IPv6 rule 10 state related enable
set firewall ipv6-name WAN_LOCAL_IPv6 rule 20 action accept
set firewall ipv6-name WAN_LOCAL_IPv6 rule 20 description 'Allow IPv6 ICMP'
set firewall ipv6-name WAN_LOCAL_IPv6 rule 20 protocol ipv6-icmp
set firewall ipv6-name WAN_LOCAL_IPv6 rule 30 action accept
set firewall ipv6-name WAN_LOCAL_IPv6 rule 30 description 'Allow DS-Lite'
set firewall ipv6-name WAN_LOCAL_IPv6 rule 30 protocol ipip
set firewall ipv6-name WAN_LOCAL_IPv6 rule 40 action drop
set firewall ipv6-name WAN_LOCAL_IPv6 rule 40 description 'Drop invalid state'
set firewall ipv6-name WAN_LOCAL_IPv6 rule 40 state invalid enable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall name WAN_IN_DS-Lite default-action drop
set firewall name WAN_IN_DS-Lite description 'WAN(DS-Lite) to LAN'
set firewall name WAN_IN_DS-Lite enable-default-log
set firewall name WAN_IN_DS-Lite rule 10 action accept
set firewall name WAN_IN_DS-Lite rule 10 description 'Allow established/related'
set firewall name WAN_IN_DS-Lite rule 10 state established enable
set firewall name WAN_IN_DS-Lite rule 10 state related enable
set firewall name WAN_IN_DS-Lite rule 20 action drop
set firewall name WAN_IN_DS-Lite rule 20 description 'Drop invalid state'
set firewall name WAN_IN_DS-Lite rule 20 state invalid enable
set firewall name WAN_LOCAL_DS-Lite default-action drop
set firewall name WAN_LOCAL_DS-Lite description 'WAN(DS-Lite) to Router'
set firewall name WAN_LOCAL_DS-Lite enable-default-log
set firewall name WAN_LOCAL_DS-Lite rule 10 action accept
set firewall name WAN_LOCAL_DS-Lite rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL_DS-Lite rule 10 state established enable
set firewall name WAN_LOCAL_DS-Lite rule 10 state related enable
set firewall name WAN_LOCAL_DS-Lite rule 40 action drop
set firewall name WAN_LOCAL_DS-Lite rule 40 description 'Drop invalid state'
set firewall name WAN_LOCAL_DS-Lite rule 40 state invalid enable
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable
# needed for IPv6 Pass-through
set interfaces bridge br0 address 172.31.255.1/24
set interfaces bridge br0 aging 300
set interfaces bridge br0 bridged-conntrack disable
set interfaces bridge br0 description LAN_br
set interfaces bridge br0 hello-time 2
set interfaces bridge br0 ipv6 address autoconf
set interfaces bridge br0 ipv6 dup-addr-detect-transmits 1
set interfaces bridge br0 max-age 20
set interfaces bridge br0 priority 32768
set interfaces bridge br0 promiscuous disable
set interfaces bridge br0 stp false
# uplink port
set interfaces ethernet eth0 bridge-group bridge br0
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 firewall in ipv6-name WAN_IN_IPv6
set interfaces ethernet eth0 firewall local ipv6-name WAN_LOCAL_IPv6
set interfaces ethernet eth0 speed auto
# downlink ports
set interfaces ethernet eth1 bridge-group bridge br0
set interfaces ethernet eth1 description LAN-L2SW
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 speed auto
set interfaces ethernet eth2 bridge-group bridge br0
set interfaces ethernet eth2 description WLAN-router
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 speed auto
set interfaces ethernet eth3 bridge-group bridge br0
set interfaces ethernet eth3 description storage
set interfaces ethernet eth3 duplex auto
set interfaces ethernet eth3 speed auto
# management ports
set interfaces ethernet eth4 address 192.168.1.1/24
set interfaces ethernet eth4 description console
set interfaces ethernet eth4 duplex auto
set interfaces ethernet eth4 speed auto
# necessary for IPv4-in-IPv6 as part of DS-Lite
set interfaces ipv6-tunnel v6tun0 description DS-Lite
set interfaces ipv6-tunnel v6tun0 encapsulation ipip6
set interfaces ipv6-tunnel v6tun0 firewall in name WAN_IN_DS-Lite
set interfaces ipv6-tunnel v6tun0 firewall local name WAN_LOCAL_DS-Lite
set interfaces ipv6-tunnel v6tun0 local-ip '<br0 IPv6 address>'
set interfaces ipv6-tunnel v6tun0 mtu 1454
set interfaces ipv6-tunnel v6tun0 multicast disable
set interfaces ipv6-tunnel v6tun0 remote-ip '<AFTR IPv6 address>'
set interfaces ipv6-tunnel v6tun0 ttl 64
set interfaces loopback lo
# needs all the IPv4 outbound packets to be forwarded to the IPv6 tunnel
set protocols static interface-route 0.0.0.0/0 next-hop-interface v6tun0
# IPoE provider's resolvers
set system name-server '2404:1a8:7f01:b::3'
set system name-server '2404:1a8:7f01:a::3'
# FYI: NTP servers by IPoE provider
set system ntp server ntp1.jst.mfeed.ad.jp
set system ntp server ntp2.jst.mfeed.ad.jp
set system ntp server ntp3.jst.mfeed.ad.jp
Explanation
1. Bridge interface configuration
- A switch interface cannot pass IPv6 through, so a bridge interface is used instead.
- Give br0 a static IPv4 address and enable IPv6 autoconf on it.
- Attach the uplink and downlink interfaces to the bridge interface.
- Set the DNS servers (name-server) as well.
Open issues
ebtables configuration
Only IPv6 should be passed through (bridged); every other packet should be routed. In other words, a filter is needed that keeps non-IPv6 frames from being bridged. This can be done with ebtables, which is roughly the L2 counterpart of iptables.
root@gw# ebtables -t broute -A BROUTING -i eth0 -p ! ipv6 -j DROP
Incidentally, to check it:
root@gw# ebtables -t broute -L
...but is this even necessary? It probably is if PPPoE is to coexist. Another problem is that this setting is lost on reboot; I am still working out by trial and error how to have it loaded at boot.
/etc/networks/ip-up.d/
A file I placed there was not executed. Making the file executable and owned by root did not help either. Needs re-checking.
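One way to make the rule survive a reboot and to confirm it is active, as an added example that is not from the original post: a script for the EdgeOS /config/scripts/post-config.d/ directory (assumed here to be run at boot after the configuration has loaded; the file name and the eth0 WAN port are assumptions) that adds the BROUTING rule only when a field-by-field check of `ebtables -t broute -L` does not already find it.

```shell
#!/bin/sh
# Added example, not part of the original post: make the ebtables BROUTING rule
# survive a reboot and check it is in place, as an EdgeOS post-config script.
# Assumptions: saved as /config/scripts/post-config.d/60-ipv6-passthrough.sh and
# made executable (EdgeOS runs scripts in that directory after the boot
# configuration has been loaded); the WAN port is eth0, as in the config above.
# In the broute table "-j DROP" means "route this frame instead of bridging it",
# so non-IPv6 frames arriving on eth0 go to the routing path (and the DS-Lite
# tunnel) while IPv6 frames (RA, NDP, data) are bridged through to the LAN.

WAN_IF="${WAN_IF:-eth0}"

# Return 0 when LISTING (the text of `ebtables -t broute -L`) already holds a
# rule on $WAN_IF that routes non-IPv6 frames. Fields are matched separately so
# the check does not depend on the order in which ebtables prints the options.
broute_rule_present() {
    printf '%s\n' "$1" | grep -- "-i $WAN_IF" | grep -i -- "! ipv6" | grep -q -- "-j DROP"
}

# Add the rule only when it is missing, so running the script twice (boot plus
# a manual re-run) does not stack duplicate rules.
ensure_broute_rule() {
    listing=$(ebtables -t broute -L) || return 1
    if broute_rule_present "$listing"; then
        echo "broute rule on $WAN_IF already present"
    else
        ebtables -t broute -A BROUTING -i "$WAN_IF" -p ! IPv6 -j DROP || return 1
        echo "broute rule on $WAN_IF added"
    fi
    ebtables -t broute -L    # leave the active table in the boot log
}

# Constructed sample listings for an offline check of the matcher; a real box
# may print the options in a different order, which the matcher tolerates.
SAMPLE_LISTING='Bridge table: broute

Bridge chain: BROUTING, entries: 1, policy: ACCEPT
-p ! IPv6 -i eth0 -j DROP'
EMPTY_LISTING='Bridge table: broute

Bridge chain: BROUTING, entries: 0, policy: ACCEPT'

# Only touch the kernel when run as root on a box that has ebtables (true at
# boot on the ER-X); elsewhere the functions above can still be exercised.
if [ "$(id -u)" = 0 ] && command -v ebtables >/dev/null 2>&1; then
    ensure_broute_rule
fi
```

Note that the rule only affects frames entering on eth0; frames from the LAN ports are still bridged as before.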
IPv4 firewall configuration
Is this enough?