VyOS - Hiper IPv6

Categories: firewall

I recently decided to play around with VyOS and got completely into it when I figured out that it could run containers using podman (read more about it in one of my other blog posts). I have now replaced my pfSense firewall with VyOS, and now it's time to set up IPv6 on it.

Interfaces

As shown below, eth0 is my LAN interface and eth1.101 is my WAN interface (remember, Hiper uses VLAN 101).

kho@fw3:~$ show interfaces ethernet 
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             10.10.10.1/24                     u/u  LAN
eth1             -                                 u/u  
eth1.101         185.50.xxx.xxx/22                 u/u  Hiper WAN
eth2             -                                 u/D  
eth3             -                                 u/D  
eth4             -                                 u/D  
eth5             -                                 u/D  
eth6             -                                 u/D  
eth7             -                                 u/D  

 

Create Firewall Rules

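IPv6 relies on ICMPv6 (neighbor discovery, router advertisements, path MTU discovery), so we need to create a few firewall rules that let it through. WAN-IN-IPv6 will filter traffic forwarded from the WAN towards the LAN, and WAN-LOCAL-IPv6 will filter traffic addressed to the firewall itself.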

configure

edit firewall ipv6-name WAN-IN-IPv6
set default-action drop
set rule 10 action accept
set rule 10 description "allow established"
set rule 10 protocol all
set rule 10 state established enable
set rule 10 state related enable
set rule 20 action drop
set rule 20 description "drop invalid packets"
set rule 20 protocol all
set rule 20 state invalid enable
set rule 30 action accept
set rule 30 description "allow ICMPv6"
set rule 30 protocol icmpv6

top
edit firewall ipv6-name WAN-LOCAL-IPv6
set default-action drop
set rule 10 action accept
set rule 10 description "allow established"
set rule 10 protocol all
set rule 10 state established enable
set rule 10 state related enable
set rule 20 action drop
set rule 20 description "drop invalid packets"
set rule 20 protocol all
set rule 20 state invalid enable
set rule 30 action accept
set rule 30 description "allow ICMPv6"
set rule 30 protocol icmpv6
set rule 40 action accept
set rule 40 description "allow DHCPv6 client/server"
set rule 40 destination port 546
set rule 40 source port 547
set rule 40 protocol udp

top
commit

 

Configure WAN Interface

configure

set interfaces ethernet eth1 vif 101 address dhcpv6
set interfaces ethernet eth1 vif 101 dhcpv6-options rapid-commit 
set interfaces ethernet eth1 vif 101 dhcpv6-options pd 0 interface eth0 sla-id 1
set interfaces ethernet eth1 vif 101 dhcpv6-options pd 0 interface eth0 address 1
set interfaces ethernet eth1 vif 101 dhcpv6-options pd 0 length 48
set interfaces ethernet eth1 vif 101 ipv6 address autoconf 
set service router-advert interface eth0 default-lifetime 300
set service router-advert interface eth0 default-preference high
set service router-advert interface eth0 hop-limit 64
set service router-advert interface eth0 interval max 30
set service router-advert interface eth0 link-mtu 1500
set service router-advert interface eth0 managed-flag 
set service router-advert interface eth0 other-config-flag 
set service router-advert interface eth0 prefix ::/64 preferred-lifetime 300
set service router-advert interface eth0 prefix ::/64 valid-lifetime 900
set service router-advert interface eth0 reachable-time 900000
set service router-advert interface eth0 retrans-timer 0

set interfaces ethernet eth1 vif 101 firewall in ipv6-name WAN-IN-IPv6 
set interfaces ethernet eth1 vif 101 firewall local ipv6-name WAN-LOCAL-IPv6 

commit
save
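
With a delegated prefix the LAN hosts get globally routable addresses, so the two rulesets only protect anything once both are attached to the WAN interface. The following is an added example, not part of the original post: it audits a "show configuration commands" export for missing attachments and non-drop defaults. The audit helper and the sample text are constructed for illustration and assume the VyOS syntax used on this page.

```python
import shlex

# Constructed sample in `show configuration commands` form: this page's setup
# with the `firewall local` attachment deliberately left out.
SAMPLE = """\
set firewall ipv6-name WAN-IN-IPv6 default-action drop
set firewall ipv6-name WAN-IN-IPv6 rule 10 action accept
set firewall ipv6-name WAN-IN-IPv6 rule 10 description "allow established"
set firewall ipv6-name WAN-IN-IPv6 rule 10 state established enable
set firewall ipv6-name WAN-LOCAL-IPv6 default-action drop
set firewall ipv6-name WAN-LOCAL-IPv6 rule 30 action accept
set firewall ipv6-name WAN-LOCAL-IPv6 rule 30 protocol icmpv6
set interfaces ethernet eth1 vif 101 address dhcpv6
set interfaces ethernet eth1 vif 101 firewall in ipv6-name WAN-IN-IPv6
"""

def audit(config):
    """Return findings about IPv6 rulesets and their attachment (hypothetical helper)."""
    defaults, attached, v6_ifaces = {}, {}, set()
    for line in config.splitlines():
        t = shlex.split(line)
        if t[:3] == ["set", "firewall", "ipv6-name"] and len(t) > 3:
            defaults.setdefault(t[3], None)           # ruleset exists
            if t[4:5] == ["default-action"] and len(t) > 5:
                defaults[t[3]] = t[5]
        elif t[:2] == ["set", "interfaces"] and t[-2:] == ["address", "dhcpv6"]:
            v6_ifaces.add(" ".join(t[2:-2]))          # interface gets IPv6 from the ISP
        elif t[:2] == ["set", "interfaces"] and t[-4:-3] == ["firewall"] and t[-2:-1] == ["ipv6-name"]:
            # e.g. "... firewall in ipv6-name WAN-IN-IPv6" -> {"in": "WAN-IN-IPv6"}
            attached.setdefault(" ".join(t[2:-4]), {})[t[-3]] = t[-1]
    findings = []
    for name, action in defaults.items():
        if action != "drop":
            findings.append(f"{name}: default-action is not explicitly drop")
    for iface in sorted(v6_ifaces):
        for direction in ("in", "local"):
            name = attached.get(iface, {}).get(direction)
            if name is None:
                findings.append(f"{iface}: no ipv6-name ruleset on '{direction}'")
            elif name not in defaults:
                findings.append(f"{iface}: '{direction}' references undefined {name}")
    used = {n for d in attached.values() for n in d.values()}
    findings += [f"{n}: defined but not attached" for n in defaults if n not in used]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

On the sample it reports the missing local attachment and the unused WAN-LOCAL-IPv6 ruleset; with both attachments from this page in place it reports nothing.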

 

We now have IPv6:

kho@fw3:~$ show interfaces ethernet 
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             10.10.10.1/24                     u/u  LAN
                 2a05:f6c7:xxxx:x::1/64                 
eth1             -                                 u/u  
eth1.101         185.50.xxx.xxx/22                 u/u  Hiper WAN
                 2a05:f6c7:x:xxxx::/128                 
eth2             -                                 u/D  
eth3             -                                 u/D  
eth4             -                                 u/D  
eth5             -                                 u/D  
eth6             -                                 u/D  
eth7             -                                 u/D