What should I do with these settings? I have some (limited) IPv6 experience, but with a different ISP (I enabled the DHCP client and got a /56 prefix, that was all). I assume this is a static IPv6 assignment and SLAAC or DHCPv6 cannot be used to get a prefix and delegate it to the rest of my network. I tried these settings:
Now the router has an IPv6 address and is able to ping google.com (2a00:1450:4014:800::200e). What should I do next? How do I delegate the prefix to the internal machines in my network?
The address on the bridge is wrong; 2a00:XXX:XX00:11::/64 is only for the link between you and the ISP. Take another /64 from 2a00:XXX:XX11::/48 for your network. And add an unreachable route for the whole 2a00:XXX:XX11::/48, so packets for the rest you won’t use won’t bounce between you and the ISP.
Thank you for the really helpful reply. I changed the router settings to this:
# Disable default neighbour discovery.
/ipv6 nd set [ find default=yes ] disabled=yes
# Create address pool for my network.
/ipv6 pool add name=ipv6-local-pool prefix=2a00:XXX:XX11::/48 prefix-length=64
# Assign the address from my ISP to the WAN interface.
/ipv6 address add address=2a00:XXX:XX00:11::2 advertise=no interface=ether1-wan
# Get an address from the pool for `bridge` interface.
/ipv6 address add from-pool=ipv6-local-pool interface=bridge
# Set default route.
/ipv6 route add gateway=2a00:XXX:XX00:11::1
# Enable neighbour discovery for `bridge` interface.
/ipv6 nd add interface=bridge ra-interval=3m-10m
After this, all hosts in the network have an IPv6 address from the 2a00:XXXX:XX11::/64 pool and I can access the IPv6 network from my hosts. I also created a basic IPv6 firewall, as my router did not have any.
Now I am wondering how to “add an unreachable route for the whole 2a00:XXX:XX11::/48”. Can you show me an example of how to do this, please?
Are there any other settings I should look at? Thanks again!
The reason for this: if you look at the existing routes, there’s only the default one and then the connected route for the /64 used on the bridge (probably 2a00:XXX:XX11:0000::/64, or something else instead of 0000). So if a packet from the internet comes for e.g. 2a00:XXX:XX11:abcd::1, the ISP sends it to you (because it belongs in your /48), but your router would send it back (because the “best” route is the default one and it leads to the ISP). And this ping-pong would be repeated until the TTL expires. Or maybe not, the ISP can filter packets coming from you destined for your subnet. But in any case it’s better to prevent this from happening, and that’s what this route does. Any smaller subnet you actually use (and have a route to) will have higher priority than this route for the whole /48, so everything will work correctly.
If your config from the ISP is static, you don’t need any pool; you can simply choose a /64 subnet yourself and assign the address to the bridge manually.
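The longest-prefix-match reasoning in the answer above, as an added worked example (this is example code written for this page, not code from the thread, the poster, or MikroTik). The thread anonymises the real prefixes, so the example substitutes the documentation prefix 2001:db8:11::/48 for the customer /48 and 2001:db8:0:11::/64 for the ISP link; the interface names and the 64-hop limit are likewise assumptions. On RouterOS 6 the route itself is added with `/ipv6 route add dst-address=2a00:XXX:XX11::/48 type=unreachable` (assumed syntax; check the result with `/ipv6 route print`).

```python
"""Longest-prefix-match walkthrough for the unreachable /48 route.

Models the IPv6 routing table described in the answer above: a default
route to the ISP, the connected /64 on the ISP link, the connected /64 on
the bridge, and optionally the unreachable route for the whole /48.
Assumed (not from the thread): the documentation prefixes 2001:db8:11::/48
and 2001:db8:0:11::/64, the interface names, and a 64-hop limit.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv6Network
    action: str  # "gateway", "connected" or "unreachable"
    via: str = ""  # next hop or interface name, informational only


ISP_GATEWAY = "2001:db8:0:11::1"  # assumed stand-in for 2a00:XXX:XX00:11::1
LAN_PREFIX = ipaddress.ip_network("2001:db8:11::/64")  # first /64 of the /48
WHOLE_PREFIX = ipaddress.ip_network("2001:db8:11::/48")  # whole delegation


def routing_table(with_unreachable: bool) -> list[Route]:
    """Build the router's table, with or without the /48 unreachable route."""
    table = [
        Route(ipaddress.ip_network("::/0"), "gateway", ISP_GATEWAY),
        Route(ipaddress.ip_network("2001:db8:0:11::/64"), "connected", "ether1-wan"),
        Route(LAN_PREFIX, "connected", "bridge"),
    ]
    if with_unreachable:
        table.append(Route(WHOLE_PREFIX, "unreachable"))
    return table


def lookup(table: list[Route], dst: str) -> Route:
    """Longest-prefix match: the most specific route containing dst wins,
    which is why the /64 on the bridge still beats the /48 unreachable."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.dst]
    return max(candidates, key=lambda r: r.dst.prefixlen)


def hops_until_dropped(table: list[Route], dst: str, hop_limit: int = 64):
    """Simulate the ISP <-> router ping-pong for one packet.

    The ISP always forwards anything inside the /48 to the customer router;
    the router forwards according to `table`. Returns (forwarding steps,
    outcome), where outcome is the matched route's action or
    "hop limit expired" if the packet bounced until the limit ran out.
    """
    hops = 0
    while hops < hop_limit:
        hops += 1  # ISP -> router
        route = lookup(table, dst)
        if route.action != "gateway":
            return hops, route.action  # delivered on the bridge, or rejected
        if hops >= hop_limit:
            break
        hops += 1  # router -> ISP via the default route
    return hops, "hop limit expired"


if __name__ == "__main__":
    unused = "2001:db8:11:abcd::1"  # inside the /48 but not in any used /64
    for flag in (False, True):
        table = routing_table(flag)
        print(f"unreachable route present: {flag}")
        print("  LAN host  ->", lookup(table, "2001:db8:11::5").via or lookup(table, "2001:db8:11::5").action)
        print("  unused /64 ->", hops_until_dropped(table, unused))
        print("  internet   ->", lookup(table, "2a00:1450:4014:800::200e").action)
```

Running it shows the two behaviours side by side: without the /48 route a packet for an unused /64 bounces between ISP and router until the hop limit is exhausted, while with it the router rejects the packet on the first pass and addresses on the bridge /64 and on the internet are routed exactly as before.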