Tuesday, July 10, 2018

EdgeRouter IPv6 config

Hi All,

Hope someone can help me with an EdgeRouter and configuring IPv6. At the moment I have configured the ISP-facing interface with the IPv6 address provided by them. From the router itself I can ping the Google DNS servers and the ISP DNS servers, so that part works. But LAN clients with an IPv6 address can only ping the router's LAN gateway address and cannot reach anything on the internet.

I cannot figure out why the router does not forward IPv6 traffic from the clients to the internet. Since the router itself can ping just fine, I assume it is some config I am not seeing. (One thing worth checking in the listing below: the same prefix, x:x:4039::/48, is configured on both eth0 (::13/48) and eth7 (::12/48), so the router treats that whole /48 as on-link on two interfaces at once; the LAN normally needs its own /64 out of a delegated/routed prefix, with the ISP link on a separate prefix.)

EdgeRouter Pro v1.10.5

Below is the config of the router (public addresses redacted as x). Eth7 is the IPv6 ISP uplink. Note that in the listing the LAN IPv6 address x:x:4039::13/48 is on eth0 ("company LAN"), while eth1 is the VOIP interface (20.20.20.1/16), so "LAN" here means eth0. Unrelated to the IPv6 problem, the listing also shows SNMP with the community "public" listening on 0.0.0.0:161, the GUI reachable on plain HTTP port 80 with older-ciphers enabled, and source-validation disabled; those are worth hardening separately.

Any help is appreciated!

ubnt@company-FWL01:~$ show configuration firewall { all-ping enable broadcast-ping disable ipv6-name WAN6_IN { default-action drop enable-default-log rule 10 { action accept description "allow established" protocol all state { established enable related enable } } rule 20 { action drop description "drop invalid packets" protocol all state { invalid enable } } rule 30 { action accept description "allow ICMPv6" protocol icmpv6 } } ipv6-name WAN6_LOCAL { default-action drop enable-default-log rule 10 { action accept description "allow established" protocol all state { established enable related enable } } rule 20 { action drop description "drop invalid packets" protocol all state { invalid enable } } rule 30 { action accept description "allow ICMpv6" protocol icmpv6 } } ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable modify WAN_POLICY { rule 10 { action modify modify { lb-group WAN_FAILOVER } } } name Alarm { default-action accept description "Alarm System" enable-default-log rule 10 { action drop description "company GPHQ" destination { address 192.168.0.0/23 } log disable protocol all source { address 192.168.250.0/24 } state { established enable invalid enable new enable related enable } } rule 20 { action drop description "company AMS01" destination { address 10.0.0.0/8 } log disable protocol all source { address 192.168.250.0/24 } state { established enable invalid enable new enable related enable } } rule 30 { action drop description "company VPN" destination { address x.x.0.0/12 } log disable protocol all source { address 192.168.250.0/24 } state { established enable invalid enable new enable related enable } } rule 40 { action accept description "vlan 500" destination { address 0.0.0.0/0 group { } } log disable protocol all source { address 192.168.250.0/24 } state { established enable invalid disable new enable related enable } } } name VOIP { default-action accept description "" rule 10 { action accept 
description "LDAP query" destination { } log disable protocol tcp_udp source { address 192.168.0.0/16 port 389 } } rule 20 { action accept description test log disable protocol tcp_udp source { address 192.168.0.0/16 port 464 } } rule 30 { action accept description testtest log disable protocol tcp_udp source { address 192.168.0.0/16 port 1025-5000 } } rule 40 { action drop log disable protocol all source { address 192.168.0.0/16 } } } name WAN_IN { default-action drop description "Default drop all from the interweb" rule 1 { action accept description "Allow Established" log disable protocol all state { established enable invalid disable new disable related enable } } rule 2 { action drop description "Drop invalid" log disable protocol all state { established disable invalid enable new disable related disable } } } name WAN_IN_UNET { default-action drop description "Default drop all from the interweb" rule 1 { action accept description "Allow Established" log disable protocol all state { established enable invalid disable new disable related enable } } rule 2 { action drop description "Drop invalid" log disable protocol all state { established disable invalid enable new disable related disable } } } name WAN_TO_GW { default-action drop description "Internet to Gateway" rule 1 { action accept description "Accept established" log disable protocol all state { established enable invalid disable new disable related enable } } rule 2 { action drop description "Drop invalid" log disable protocol all state { established disable invalid enable new disable related disable } } } name WAN_TO_GW_UNET { default-action drop description "Internet to Gateway" rule 1 { action accept description "Accept established" log disable protocol all state { established enable invalid disable new disable related enable } } rule 2 { action drop description "Drop invalid" log disable protocol all state { established disable invalid enable new disable related disable } } } name test { 
default-action drop description test } receive-redirects disable send-redirects enable source-validation disable syn-cookies enable } interfaces { ethernet eth0 { address 192.168.1.254/20 address x:x:4039::13/48 description "company LAN" duplex auto speed auto } ethernet eth1 { address 20.20.20.1/16 description VOIP duplex auto firewall { in { name VOIP } out { name VOIP } } speed auto vif 2 { description "Mitel IN" } } ethernet eth2 { description "Mitel out" duplex auto speed auto vif 2 { address 192.168.20.254/24 description "Mitel OUT" } } ethernet eth3 { duplex auto speed auto } ethernet eth4 { duplex auto speed auto } ethernet eth5 { address 192.168.250.1/24 bandwidth { maximum 500m } description Alarm duplex auto firewall { in { name Alarm } out { name Alarm } } speed auto } ethernet eth6 { address dhcp address dhcpv6 description Ziggo duplex auto firewall { in { name WAN_IN } local { name WAN_TO_GW } } speed auto } ethernet eth7 { address x.x.x.138/29 address x:x:4039::12/48 description Unet duplex auto firewall { in { ipv6-name WAN6_IN name WAN_IN_UNET } local { ipv6-name WAN6_LOCAL name WAN_TO_GW_UNET } } speed auto } loopback lo { } } load-balance { group WAN_FAILOVER { interface eth6 { failover-only } interface eth7 { } lb-local enable lb-local-metric-change disable } } port-forward { auto-firewall enable hairpin-nat disable lan-interface eth0 rule 1 { description fs.company.net forward-to { address 192.168.1.11 port 443 } original-port 443 protocol tcp } rule 2 { description "Alarm system" forward-to { address 192.168.250.2 port 8000 } original-port 8000 protocol tcp_udp } rule 3 { description "Alarm system" forward-to { address 192.168.250.2 port 554 } original-port 554 protocol tcp_udp } wan-interface eth7 } protocols { static { interface-route x.x.198.136/29 { next-hop-interface eth7 { } } interface-route 192.168.20.0/24 { next-hop-interface eth2.2 { description VOIP_OUT } } interface-route 192.168.20.2/32 { next-hop-interface eth1.2 { description 
"Mitel Centrale" } } route 0.0.0.0/0 { next-hop x.x.198.137 { description "GW Unet" distance 10 } } route 10.0.0.0/16 { next-hop 192.168.1.16 { description "Backend LAN" } } route 10.1.0.0/16 { next-hop 192.168.1.16 { description "Management LAN" } } route 10.8.0.0/16 { next-hop 192.168.1.16 { description "OpenVPN range" } } route x.x.0.0/12 { next-hop 192.168.1.16 { description "VPN range" } } route6 ::/0 { next-hop x:x:4039::1 { description "GW UNET" distance 10 } } } } service { dhcp-server { disabled false hostfile-update disable shared-network-name DhcpVoip { authoritative disable subnet 20.20.20.0/24 { default-router 20.20.20.1 dns-server 8.8.8.8 dns-server 8.8.4.4 lease 86400 start 20.20.20.10 { stop 20.20.20.254 } } } use-dnsmasq disable } gui { http-port 80 https-port 443 older-ciphers enable } nat { rule 1 { description fs.company.net destination { port 443 } inbound-interface eth7 inside-address { address 192.168.1.11 port 443 } log disable protocol tcp source { port 443 } type destination } rule 5000 { description "MASQ WAN" log disable outbound-interface eth6 protocol all type masquerade } rule 5001 { description "MASQ WAN" log disable outbound-interface eth7 protocol all type masquerade } } snmp { community public { authorization ro } listen-address 0.0.0.0 { port 161 } } ssh { port 22 protocol-version v2 } unms { disable } } system { host-name company-FWL01 login { user ubnt { authentication { encrypted-password **************** plaintext-password **************** } full-name "" level admin } } name-server 192.168.1.11 name-server 192.168.1.12 ntp { server 0.ubnt.pool.ntp.org { } server 1.ubnt.pool.ntp.org { } server 2.ubnt.pool.ntp.org { } server 3.ubnt.pool.ntp.org { } } syslog { global { facility all { level notice } facility protocols { level debug } } host 10.0.1.39 { facility all { level notice } } } time-zone Europe/Amsterdam traffic-analysis { dpi disable export disable } } traffic-control { advanced-queue { root { queue 1023 { attach-to 
global bandwidth 1000mbit description UBNT-BQ } } } } ubnt@company-FWL01:~$ 

