er-x ipv6 nat 折腾记录

Therma***

之前根据论坛帖子成功配置了公网ipv6，后来想内网ipv6然后再nat，于是又折腾了一波

光猫桥接，eth0做wan口，pppoe拨号，eth1~eth4为switch0
1. 进入 interfaces/ethernet/eth0/pppoe/0  （路径需要自行添加，括号内是当前路径的配置）
      dhcpv6-pd/pd/0   ( prefix-length = /60 , 网络前缀依运营商而不同  )
      dhcpv6-pd/pd/0/interface/pppoe0  ( host-address = ::1 , prefix-id =  0 , service =  slaac  )
      ipv6/enable
      ipv6/address/autoconf
      ipv6/router-advert   (  link-mtu =  1280 ，其他不填保留默认 )
      ipv6/router-advert/prefix/"::/64"  (prefix下增加::/64，不需要双引号。 autonomous-flag =  true, on-link-flag = true ,  preferred-lifetime不填 , valid-lifetime =  86400  )

2. 进入 interfaces/switch/switch0    (加一个 address，可找工具生成，比如  fda6:c13b:d387:0::1/64 )

3. 进路由器ssh的root，新建脚本：

#!/bin/bash

ip6tables -t nat -A POSTROUTING -s 'fda6:c13b:d387:0::1/64' -o pppoe0 -j MASQUER
ip6tables -t raw -D OUTPUT -j NOTRACK
ip6tables -t raw -D PREROUTING -j NOTRACK

ip6tables -i pppoe0 -I INPUT -p tcp -j DROP
ip6tables -i pppoe0 -I INPUT -p udp -j DROP


脚本放哪都行，带上可执行权，配置到/etc/init.d/rc.local 里自启动

4. 最后，目前未配置dhcp，因为我只是让服务器和路由器接通ipv6，手动配置即可。其他设备保持ipv4更稳定
    ipv6 nat似乎硬件加速无效，跑不满千兆
    写的比较乱，凑合着看

Therma***

补充一个：进路由器ssh的root，把/etc/sysctl.conf里的 net.ipv6.conf.all.forwarding=1去掉注释，然后重启或者 sysctl -p 生效

fyi***

mark，二级路由下发不了。我打算换回光猫拨号了

fyi***

解决了，我之前设置的不是slaac，好像是hdcp-pd-sateless什么的

ER-X如何设置支持ipv6上网？
这是我的ipv6部分以及相应防火墙的设置，er-x sfp，应该和er-x差不多，eth0是wan口，eth1-eth4为lan口，switch0，供参考：

configure

#Configure the PPPoE for IPv6(eth0):

set interfaces ethernet eth0 pppoe 0 ipv6 enable

set interfaces ethernet eth0 pppoe 0 ipv6 address autoconf

set interfaces ethernet eth0 pppoe 0 ipv6 dup-addr-detect-transmits 1

set interfaces ethernet eth0 pppoe 0 dhcpv6-pd pd 0 prefix-length /60

set interfaces ethernet eth0 pppoe 0 dhcpv6-pd rapid-commit enable

set interfaces ethernet eth0 pppoe 0 dhcpv6-pd prefix-only



#Enable IPv6 SLAAC on the LAN(switch0):

set interfaces ethernet eth0 pppoe 0 dhcpv6-pd pd 0 interface switch0 host-address ::1

set interfaces ethernet eth0 pppoe 0 dhcpv6-pd pd 0 interface switch0 prefix-id :0

set interfaces ethernet eth0 pppoe 0 dhcpv6-pd pd 0 interface switch0 service slaac



#Enable IPv6 on switch0:

set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1

set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64

set interfaces switch switch0 ipv6 router-advert link-mtu 0

set interfaces switch switch0 ipv6 router-advert managed-flag false

set interfaces switch switch0 ipv6 router-advert max-interval 600

set interfaces switch switch0 ipv6 router-advert other-config-flag false

set interfaces switch switch0 ipv6 router-advert prefix '::/64' autonomous-flag true

set interfaces switch switch0 ipv6 router-advert prefix '::/64' on-link-flag true

set interfaces switch switch0 ipv6 router-advert prefix '::/64' valid-lifetime 2592000

set interfaces switch switch0 ipv6 router-advert reachable-time 0

set interfaces switch switch0 ipv6 router-advert retrans-timer 0

set interfaces switch switch0 ipv6 router-advert send-advert true



#create a policy for WAN->Router:

set firewall ipv6-name WANv6_LOCAL default-action drop

set firewall ipv6-name WANv6_LOCAL description 'Local network traffic'

set firewall ipv6-name WANv6_LOCAL enable-default-log

set firewall ipv6-name WANv6_LOCAL rule 10 action accept

set firewall ipv6-name WANv6_LOCAL rule 10 description 'Allow established/related sessions'

set firewall ipv6-name WANv6_LOCAL rule 10 state established enable

set firewall ipv6-name WANv6_LOCAL rule 10 state related enable

set firewall ipv6-name WANv6_LOCAL rule 20 action drop

set firewall ipv6-name WANv6_LOCAL rule 20 description 'Drop invalid state'

set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable

set firewall ipv6-name WANv6_LOCAL rule 30 action accept

set firewall ipv6-name WANv6_LOCAL rule 30 description 'Allow IPv6 icmp'

set firewall ipv6-name WANv6_LOCAL rule 30 protocol icmpv6

set firewall ipv6-name WANv6_LOCAL rule 40 action accept

set firewall ipv6-name WANv6_LOCAL rule 40 description 'allow dhcpv6'

set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546

set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp

set firewall ipv6-name WANv6_LOCAL rule 40 source port 547

#create a policy for WAN->LAN Clients:

set firewall ipv6-name WANv6_IN default-action drop

set firewall ipv6-name WANv6_IN description 'WAN inbound traffic to the router'

set firewall ipv6-name WANv6_IN enable-default-log

set firewall ipv6-name WANv6_IN rule 10 action accept

set firewall ipv6-name WANv6_IN rule 10 description 'Allow established/related sessions'

set firewall ipv6-name WANv6_IN rule 10 state established enable

set firewall ipv6-name WANv6_IN rule 10 state related enable

set firewall ipv6-name WANv6_IN rule 20 action drop

set firewall ipv6-name WANv6_IN rule 20 description 'Drop invalid state'

set firewall ipv6-name WANv6_IN rule 20 state invalid enable

set firewall ipv6-name WANv6_IN rule 30 action accept

set firewall ipv6-name WANv6_IN rule 30 description 'Allow IPv6 icmp'

set firewall ipv6-name WANv6_IN rule 30 protocol icmpv6

set firewall ipv6-name WANv6_IN rule 40 action accept

set firewall ipv6-name WANv6_IN rule 40 description 'allow dhcpv6'

set firewall ipv6-name WANv6_IN rule 40 destination port 546

set firewall ipv6-name WANv6_IN rule 40 protocol udp

set firewall ipv6-name WANv6_IN rule 40 source port 547

set firewall ipv6-receive-redirects disable

set firewall ipv6-src-route disable

set interfaces ethernet eth0 pppoe 0 firewall in ipv6-name WANv6_IN

set interfaces ethernet eth0 pppoe 0 firewall local ipv6-name WANv6_LOCAL



commit

save

exit