I recently decided to give Altibox and their 6rd implementation another go — searching the interwebs I stumbled upon a Norwegian forum post that read (translation by me):

Altibox offers native dual-stack IPv6 if your home central is in bridge mode. You get a /56 prefix through DHCPv6-PD (prefix delegation) and can split it into multiple /64 networks. (…) — sveinse

WHAT!? Really? They offer native dual-stack IPv6 with DHCPv6-PD? Let’s test it! 🥳

EdgeRouter configuration changes

I have the Altibox fiber plugged directly into my EdgeRouter 4.

There isn’t a lot of IPv6 stuff in the GUI, so you’ll have to work with the CLI or the config tree.

Interfaces

EdgeRouter DHCPv6-PD configuration

The first thing I did was configure DHCPv6-PD on my Altibox WAN interface. Under dhcpv6-pd I added a PD number of 1; here I set the prefix length to /56.

EdgeRouter DHCPv6-PD interface configuration

Next I added the eth1 interface, my LAN, and set host-address to ::1, prefix-id to :1, and service to slaac.

This tells the EdgeRouter to hand out IPv6 addresses on the eth1 interface, using the SLAAC service and a prefix ID of :1. The router itself gets the address ::1.

Also remember to bind your IPv6 firewall rulesets, WANv6_IN and WANv6_LOCAL, to the WAN interface.

interfaces {
    ethernet eth3 {
        duplex auto
        mac xx:xx:xx:xx:xx:xx
        speed auto
        vif 102 {
            address dhcp
            dhcpv6-pd {
                pd 1 {
                    interface eth1 {
                        host-address ::1
                        prefix-id :1
                        service slaac
                    }
                    prefix-length /56
                }
                rapid-commit enable
            }
            firewall {
                in {
                    ipv6-name WANv6_IN
                    name WAN_IN
                }
                local {
                    ipv6-name WANv6_LOCAL
                    name WAN_LOCAL
                }
            }
        }
    }
}
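
How prefix-id and host-address combine with the delegated prefix to form the LAN /64 and the router's own address, as an added Python example (not part of the original post). The prefix 2001:db8:ab00::/56 is a constructed documentation value standing in for the ISP delegation, eth2 is a hypothetical second network, and the function names are chosen here.

```python
import ipaddress


def lan_prefix(delegated, prefix_id, host_address):
    """Return (LAN /64, router address) for one dhcpv6-pd interface entry."""
    pd = ipaddress.IPv6Network(delegated)
    id_bits = 64 - pd.prefixlen              # subnet bits left below the delegation
    if id_bits < 0:
        raise ValueError(f"{pd} is longer than /64, no room for a SLAAC subnet")
    pid = int(prefix_id.lstrip(":"), 16)     # EdgeOS writes the id as ":1"
    if pid >= 1 << id_bits:
        raise ValueError(f"prefix-id {prefix_id} does not fit in {id_bits} bits")
    host = int(ipaddress.IPv6Address(host_address))
    if host >= 1 << 64:
        raise ValueError(f"host-address {host_address} is wider than 64 bits")
    base = int(pd.network_address) | (pid << 64)
    return ipaddress.IPv6Network((base, 64)), ipaddress.IPv6Address(base | host)


def plan(delegated, interfaces):
    """Map interface -> (subnet, router address), rejecting reused prefix-ids."""
    result, seen = {}, {}
    for name, (prefix_id, host_address) in interfaces.items():
        subnet, router = lan_prefix(delegated, prefix_id, host_address)
        if subnet in seen:
            raise ValueError(f"{name} and {seen[subnet]} share {subnet}")
        seen[subnet] = name
        result[name] = (subnet, router)
    return result


if __name__ == "__main__":
    # Constructed input: eth1 uses the values from the post, eth2 is hypothetical.
    for name, (subnet, router) in plan(
        "2001:db8:ab00::/56", {"eth1": (":1", "::1"), "eth2": (":2", "::1")}
    ).items():
        print(name, subnet, router)
```

With a /56 delegation there are 8 bits of prefix-id, so ids :0 through :ff are valid and anything larger is rejected.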

Firewall

It’s important to keep in mind that dual-stack is exactly that; dual stack. You need a complete set of firewall rules for both IPv4 and IPv6. I made sure to have WANv6_IN (from WAN to inside) and WANv6_LOCAL (from WAN to router).

Some of these rules already existed on the EdgeRouter, but I did add a rule to allow ICMPv6 to devices inside the network. This is required for IPv6 to function properly.

You won’t find these rules in the GUI either, so you’ll need to use the CLI or config tree.

For maximum security you could allow only the ICMPv6 types that are needed, but I haven’t looked into that (yet).

firewall {
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN inbound traffic forwarded to LAN"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN inbound traffic to the router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
}

Success

After committing and saving the configuration changes, I navigated back to the EdgeRouter dashboard and found that my WAN and LAN interfaces now had IPv6 addresses! Success!

I did play a bit with different DHCPv6-PD settings and found that sometimes it just didn’t work. Not sure why.

After removing the entire DHCPv6-PD configuration and trying again, it worked. This happened on multiple occasions.

It could be that a reboot would have solved it, or that it just needed some time. But I was too impatient to wait for that 😛

What about router advertisement?

SLAAC requires Router Advertisement (RA) to work, but I hadn’t configured it… So why did it work?

A post on the Ubiquiti forum answered that:

When using SLAAC a Router Advertisement (RA) is definitely needed. But, with the EdgeRouter implementation an RA is created with the service slaac command within the WAN interface DHCPv6-PD context, so strictly speaking the RA configuration under the LAN interfaces is not needed. (…) — smf22

It goes on to talk about a file, /etc/radvd.conf:

hebron@ubnt:~$ cat /etc/radvd.conf
interface eth1 {
#   This section was automatically generated by the Vyatta
#   configuration sub-system.  Do not edit it.
#
#   service type [slaac]
#
    IgnoreIfMissing on;
    AdvSendAdvert on;
    AdvManagedFlag off;
    AdvOtherConfigFlag off;
    prefix ::/64 {
          AdvOnLink on;
          AdvAutonomous on;
    };
};

Aha! So the EdgeRouter has automatically configured router advertisement, with a /64 prefix on my eth1 interface. That’s why it’s working.

Closing remarks

I have only enabled IPv6 addresses on my LAN network, as this network doesn’t have any firewall restrictions to other networks. To enable it on DMZ, guest, IoT, etc., all firewall rules must be copied into the IPv6 firewall. This is important!
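
A check for the dual-stack rule from the Firewall section and the paragraph above, as an added Python example (not part of the original post): it reads a config in the brace format shown on this page and reports interface firewall bindings that have an IPv4 ruleset but no ipv6-name, plus IPv6 rulesets whose default-action is not drop. The sample config is constructed, and the function names are chosen here.

```python
# Constructed sample in the page's config format, with two deliberate gaps.
SAMPLE = """
firewall {
    ipv6-name WANv6_IN {
        default-action accept
    }
}
interfaces {
    ethernet eth3 {
        firewall {
            in {
                ipv6-name WANv6_IN
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
    }
}
"""

def flatten(text):
    """Turn the brace-style config into (path, key, value) leaf tuples."""
    path, leaves = [], []
    for line in map(str.strip, text.splitlines()):
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            path.pop()
        elif line:
            key, _, value = line.partition(" ")
            leaves.append((tuple(path), key, value))
    return leaves

def audit(text):
    """Report IPv4-only firewall bindings and IPv6 rulesets not defaulting to drop."""
    bindings, findings = {}, []
    for path, key, value in flatten(text):
        if path[:1] == ("interfaces",) and "firewall" in path:
            bindings.setdefault(path, {})[key] = value
        elif path[:1] == ("firewall",) and path[-1].startswith("ipv6-name "):
            if key == "default-action" and value != "drop":
                findings.append(f"{path[-1]}: default-action is {value}, not drop")
    for path, bound in bindings.items():
        if "name" in bound and "ipv6-name" not in bound:
            findings.append(f"{' '.join(path[1:])}: {bound['name']} has no ipv6-name")
    return findings

print("\n".join(audit(SAMPLE)))
```

The path walk is depth-independent, so bindings nested under a vif block, as in the WAN configuration earlier on this page, are checked the same way.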

ipv6-test.com results

Last commit 2024-04-05, with message: Tag cleanup.