I recently switched Internet providers. The new provider gave me a /48 address prefix, which is different from my previous operators: they mostly used DHCP to allocate an IPv6 address to you directly. Although the whole point of v6 is that addresses are "infinite", being assigned one directly saves a lot of configuration trouble.
This new setup caught me off guard.
The good news is that there is an official tutorial. The bad news is that the official tutorial does not work.
This was a bit of a headache: after configuration there was no network connection, and even when I manually added a static route on the router pointing at the exit, traffic still could not be routed out. I am using a MikroTik router running RouterOS v7.
Following the official tutorial, the first step is to add the DHCP client. This step is very simple. What differs from usual is that you must not check "address"; if it is checked, the DHCP client stays in the searching state forever, because nobody will reply to you with an IP address. Request only the address prefix, and it binds successfully.
Then manually give your bridge and WAN port an IP address. You only need to write ::/64, and the router will generate the corresponding address automatically. The prefix lengths given by operators differ, but at home we usually only need a /64. When adding the address, check the "Advertise" option, so that your computer, mobile phone and other devices can find the router and add it as their gateway.
The last step is to enable IPv6 in the IPv6 settings, and to accept forwarding and accept router advertisements.
Finally, restart the router. Done!
So here's the problem… After restarting, I still had no IPv6 connectivity.
Since the error returned by ping6 was that there was no route, I decided to add one. I first added a global static route to ether1, which is my WAN port. Now there was a route, but the pings timed out; obviously, nobody was answering. Sometimes, of course, it returned that the target was unreachable.
After carefully comparing with the configuration of the v6 version, I discovered that I was missing the firewall configuration. I found the default firewall configuration online and imported it, but it still did not work.
After several days of searching online for answers, I finally solved the puzzle:
It turns out that ether1 needs to be added under ND, that is, IPv6 neighbor discovery. By default only the bridge is listed there, so only the devices on the internal network can be discovered. After adding ether1 to neighbor discovery and restarting the router, sure enough, many upstream router addresses quickly showed up in the neighbor list, the router also added a dynamic gateway, and testing showed that there was Internet access.
Next, I summarize my configuration in CLI form as follows:
```
# Request only a delegated prefix on the WAN port and store it in pool "v6"
ipv6 dhcp-client add interface=ether1 request=prefix pool-name=v6 pool-prefix-length=64 prefix-hint=::/48
# Give the bridge and the WAN port a /64 from the pool
ipv6 address add address=::/64 from-pool=v6 interface=bridge eui-64=yes advertise=yes
ipv6 address add address=::/64 from-pool=v6 interface=ether1 eui-64=yes advertise=yes

# Default IPv6 firewall configuration
ipv6 firewall {
  address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
  address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
  address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
  address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
  address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
  address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
  address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
  address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
  address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
  address-list add list=bad_ipv6 address=::224.0.0.0/100 comment="defconf: other"
  address-list add list=bad_ipv6 address=::127.0.0.0/104 comment="defconf: other"
  address-list add list=bad_ipv6 address=::/104 comment="defconf: other"
  address-list add list=bad_ipv6 address=::255.0.0.0/104 comment="defconf: other"
  filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
  filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
  filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
  filter add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
  filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
  filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
  filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
  filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
  filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
  filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
  filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
  filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
  filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
  filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
  filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
  filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
  filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
  filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
  filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
  filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
  filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
  filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
}

# Add the WAN port to neighbor discovery (by default only the bridge is listed)
ipv6 nd add interface=ether1 ra-interval=20s-60s ra-lifetime=none
ipv6 nd set [ find interface=bridge ] dns=2606:4700:4700::1111,2001:4860:4860::8888 interface=bridge managed-address-configuration=yes ra-interval=20s-1m other-configuration=yes
```
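To see what `pool-prefix-length=64`, `address=::/64 from-pool=v6` and `eui-64=yes` add up to, the following added example (not part of the original article and not RouterOS code) carves /64 subnets out of a delegated /48 and derives the EUI-64 addresses the bridge and ether1 would end up with. The delegated prefix and MAC addresses are constructed sample values, the function names are hypothetical, and it assumes the pool hands out /64s in ascending order.

```python
import ipaddress
from itertools import islice

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291, Appendix A): insert ff:fe, flip the U/L bit."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def pool_capacity(delegated: str, pool_prefix_length: int) -> int:
    """How many subnets of pool_prefix_length fit in the delegated prefix."""
    net = ipaddress.IPv6Network(delegated)
    if pool_prefix_length < net.prefixlen:
        raise ValueError("pool prefix length is shorter than the delegation")
    return 1 << (pool_prefix_length - net.prefixlen)

def carve_subnets(delegated: str, pool_prefix_length: int, count: int):
    """First `count` subnets of the pool, in ascending order (assumed order)."""
    net = ipaddress.IPv6Network(delegated)
    return list(islice(net.subnets(new_prefix=pool_prefix_length), count))

def interface_address(subnet, mac: str):
    """Address that a ::/64 taken from the pool with eui-64=yes resolves to."""
    if subnet.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 subnet")
    host = eui64_interface_id(mac)
    addr = ipaddress.IPv6Address(int(subnet.network_address) | host)
    return ipaddress.IPv6Interface(f"{addr}/64")

# Constructed sample values: documentation prefix and made-up MAC addresses.
DELEGATED = "2001:db8:1234::/48"
MACS = {"bridge": "52:54:00:12:34:56", "ether1": "52:54:00:ab:cd:ef"}

def plan():
    """Map each interface to the address it would get from the pool."""
    subnets = carve_subnets(DELEGATED, 64, len(MACS))
    return {name: interface_address(net, mac)
            for (name, mac), net in zip(MACS.items(), subnets)}

if __name__ == "__main__":
    print(pool_capacity(DELEGATED, 64), "x /64 available")
    for name, iface in plan().items():
        print(f"{name}: {iface}")
```

Because the interface ID is derived from the MAC address, it stays the same when the provider delegates a different prefix; only the upper 64 bits change.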
Original article written by LogStudio: R0uter's Blog » If your ISP assign u IPv6 only a prefix but no address
When reproducing, please keep the source and description link: https://www.logcg.com/archives/3864.html
Hello blogger, I have a question: because I enabled RA on the bypass gateway, the default gateway for all other devices is the bypass. Do I still need to enable NDP in this case?
In my experience... it is still needed, because your bypass must also be able to find the real route. But if static routing is done, you probably don't need ND anymore; just enable it on the bypass.