Hi!
I’m a casual user of a RB2011UiAS-2HnD (firmware 3.10) running v6.40.4 (stable). Yesterday I decided to dip my toes into IPv6 since my ISP has started to provide it.
First of all, I’m running a very simple home LAN here. Nothing fancy. A few nodes hooked up with wire and some over wifi. I’ve managed to get IPv6 to work for both computers connected by wire and mobile units over the wifi. I am however struggling a bit with some of the concepts and I hope you guys could help me out a bit with some questions.
Here’s my current setup (which I’ve done following various guides I found googling):
DHCP Client:
/ipv6 dhcp-client print
Flags: D - dynamic, X - disabled, I - invalid
# INTERFACE STATUS REQUEST PREFIX
0 ether1-gateway bound prefix 2001:9b1:xxxx:xx00::/56, 12h31m18s
From what I understand this means I’ve successfully managed to snatch a /56 prefix from my ISP.
Pools:
/ipv6 pool print
Flags: D - dynamic
# NAME PREFIX PREFIX-LENGTH EXPIRES-AFTER
0 D poolv6 2001:xxxx:xxxx:xx00::/56 64 12h22m4s
1 ula-pool fd00::/64 64
From what I’ve gathered reading RFC7368 (although not very carefully), it is recommended for a home network to use two addresses for each node, a GUA and a ULA, the latter being needed as GUAs are expected to change frequently. Is this the correct way of setting up a ULA pool though? Googling around has me a bit confused, as people seem to generate the prefix used for the ULAs based on some algorithm. Why is that necessary?
Anyway, on to addresses:
/ipv6 address print
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local
# ADDRESS FROM-POOL INTERFACE ADVERTISE
0 DL fe80::20c:42ff:fed8:2f/64 bridge-local no
1 DL fe80::20c:42ff:fed8:2e/64 ether1-gateway no
2 G 2001:xxxx:xxxx:xx00:192:168:88:1/64 poolv6 bridge-local yes
3 G fd00::1/64 ula-pool bridge-local yes
I’ve only manually set up 2 and 3. I assume the other two are link-local addresses that show up automatically for some reason? I’m not entirely sure why I’ve set up things like this, especially why I’ve used the IPv4 address of my router as the last bit in 3. I got it off YouTube. Could I have used something like e.g. 2001:xxxx:xxxx:xx01:1:1:1:1/64 instead? Could I have used anything aside from /64? Also, I assume this part of the configuration has to do with SLAAC? Will 3 mean that each node on my LAN will get a ULA that is pretty much static?
Another thing I haven’t quite figured out is what the IPv6 address of my router is. Can it be derived from the above somehow? Anyway, with the above setup I’m able to browse the internet and my IP shows as being IPv6 on the various “what’s my IP” services on the web.
Now, from what I understand the configuration above means that all my nodes are directly addressable from the global internet, and that one should set up a firewall for this very reason. My version of didn’t come with a default one, so I googled around a bit and found this one, which suggests the following rules:
/ipv6 firewall address-list add address=fd12:672e:6f65:8899::/64 list=allowed
/ipv6 firewall filter
add action=accept chain=input comment="allow established and related" connection-state=established,related
add chain=input action=accept protocol=icmpv6 comment="accept ICMPv6"
add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/16 comment="accept DHCPv6-Client prefix delegation."
add action=drop chain=input in-interface=sit1 log=yes log-prefix=dropLL_from_public src-address=fe80::/16
add action=accept chain=input comment="allow allowed addresses" src-address-list=allowed
add action=drop chain=input
/ipv6 firewall address-list
add address=fe80::/16 list=allowed
add address=xxxx::/48 list=allowed
add address=ff02::/16 comment=multicast list=allowed
/ipv6 firewall filter
add action=accept chain=forward comment=established,related connection-state=established,related
add action=drop chain=forward comment=invalid connection-state=invalid log=yes log-prefix=ipv6,invalid
add action=accept chain=forward comment=icmpv6 in-interface=!sit1 protocol=icmpv6
add action=accept chain=forward comment="local network" in-interface=!sit1 src-address-list=allowed
add action=drop chain=forward log-prefix=IPV6
Most of that makes sense, but I do not understand these two commands:
/ipv6 firewall address-list add address=fd12:672e:6f65:8899::/64 list=allowed
/ipv6 firewall address-list add address=xxxx::/48 list=allowed
Why the address fd12:672e:6f65:8899::/64? What should I replace the xxxx with? I did manage to work around not figuring this out by adding ::/0 to allowed (which I guess partly defeats the purpose, but bear with me). I do however fail the ICMP test over at https://ipv6-test.com/. From what it looks like above, ICMP should go through fine?
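The "algorithm" people use for the ULA prefix is the one in RFC 4193 section 3.2.2: the 40-bit Global ID after fd is taken from SHA-1 over an NTP timestamp and an EUI-64, so that two independently built networks (later joined by a VPN, for instance) are very unlikely to pick the same prefix, which a hand-picked fd00::/64 cannot guarantee. As an added example (not from the original post), here is that generation in Python, plus carving a /64 for one LAN out of the /48; the MAC address is derived from the router's link-local address shown above, and the timestamp is a constructed fixed value so the result is reproducible.

```python
import hashlib
import ipaddress
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def mac_to_eui64(mac: str) -> bytes:
    """48-bit MAC -> modified EUI-64: insert ff:fe, flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def ntp_timestamp(unix_seconds: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900 plus 32-bit fraction."""
    whole = int(unix_seconds)
    seconds = (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    fraction = int((unix_seconds - whole) * (1 << 32)) & 0xFFFFFFFF
    return seconds.to_bytes(4, "big") + fraction.to_bytes(4, "big")


def generate_ula_prefix(mac: str, unix_seconds=None) -> ipaddress.IPv6Network:
    """RFC 4193 3.2.2: fd + low 40 bits of SHA-1(NTP time || EUI-64) -> a /48."""
    if unix_seconds is None:
        unix_seconds = time.time()
    digest = hashlib.sha1(ntp_timestamp(unix_seconds) + mac_to_eui64(mac)).digest()
    global_id = digest[-5:]  # least significant 40 bits of the digest
    # fc00::/7 with the L bit set gives the fd00::/8 block; 10 zero bytes pad to 128 bits.
    return ipaddress.IPv6Network((b"\xfd" + global_id + bytes(10), 48))


def subnet_for_lan(prefix: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Pick one 16-bit Subnet ID inside the /48, giving the /64 to advertise on a LAN."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 ULA prefix and a 16-bit subnet id")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


if __name__ == "__main__":
    # MAC recovered from fe80::20c:42ff:fed8:2f (bridge-local); timestamp is constructed.
    ula = generate_ula_prefix("00:0c:42:d8:00:2f", unix_seconds=1509580800.0)
    print("ULA /48:", ula)
    print("LAN /64:", subnet_for_lan(ula, 1))
```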