Setting up IPv6 using dhcpv6-pd/slaac with dnsmasq
For this to work it’s important that you understand some concepts in IPv6. I’ll briefly cover the most important ones in this post, but I strongly advise you to read up on them in detail. Also, I have absolutely no clue about networking. This setup is tested and working on Get (Telia), a service provider in Norway.
Some assumptions, because you need that on IPv6
- Your ISP delegates you a /56 using slaac or dhcpv6
- You run an EdgeRouter with EdgeOS 2.x or can figure out what you need to do otherwise
What we want to achieve
- Open the firewall to allow traffic
- Request a /56-prefix using dhcpv6-pd and configure a prefix delegation
- Set up dnsmasq to handle router advertisement and dhcpv6 alongside the regular dhcp for IPv4
And then covering some basics
There are multiple ways to delegate and obtain IPv6-prefixes. The most common way is that your ISP delegates a prefix to you using slaac or dhcpv6.
Stateless Address Autoconfiguration (slaac) is where your ISP announces a prefix using Router Advertisement (ra). Your client then uses this prefix to generate a prefix for your interface using Extended Unique Identifier (eui-64). The result is a global and unique prefix. But nothing more. If we wanted more information, like DNS-servers and such, we’d have to request the prefix using either dhcpv6-stateless or dhcpv6-stateful.
The main difference between slaac and dhcpv6-stateless is that in dhcpv6-stateless you request a prefix using slaac and additional information, like DNS-servers, using dhcpv6. If you request a prefix using dhcpv6-stateful, the entire process of assigning a prefix is handled by the dhcpv6-server, more or less exactly like DHCP on IPv4.
Don’t expose MySQL on the public Internet, you idiot
It’s worth mentioning that IPv6-addresses, by the nature of being global and unique, are all routed and available on the Internet. You don’t have NAT to cover your ass for sloppy firewall rules. This is a fairly restrictive configuration, where we allow traffic to be established from the client, but not the other way around.
Notice that we’re allowing traffic from source port 547 to destination port 546 on udp. This is because we need to talk with our upstream router to request a prefix using dhcpv6-pd.
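One way to check that a router actually ended up with the properties this section relies on (an added example, not the author's configuration or tooling): the script audits `show configuration commands` output for a ruleset bound in both directions on the WAN port, a default drop, no match-less accept rule, and the udp 547 to 546 exception. The sample config, the ruleset names `WANv6_IN`/`WANv6_LOCAL` and `eth0` as the WAN port are constructed assumptions.

```python
# Constructed `show configuration commands` excerpt, not the author's config.
# Assumptions: eth0 is the WAN port; the ruleset names are hypothetical.
SAMPLE = """\
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
set firewall ipv6-name WANv6_LOCAL rule 20 action accept
set firewall ipv6-name WANv6_LOCAL rule 20 protocol ipv6-icmp
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 30 source port 547
set firewall ipv6-name WANv6_LOCAL rule 30 destination port 546
set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL
"""
DHCPV6 = {"action accept", "protocol udp", "source port 547", "destination port 546"}

def audit(config, wan="eth0"):
    """Return findings for the IPv6 rulesets bound to the WAN interface."""
    cmds = [l.split()[1:] for l in config.splitlines() if l.startswith("set ")]
    bound = {c[4]: c[6] for c in cmds if len(c) == 7 and c[5] == "ipv6-name"
             and c[:4] == ["interfaces", "ethernet", wan, "firewall"]}
    findings = []
    for direction in ("in", "local"):  # in = forwarded to LAN, local = to the router
        name = bound.get(direction)
        if name is None:
            findings.append(f"{wan} {direction}: no ipv6-name ruleset bound")
            continue
        body = [c[3:] for c in cmds if c[:3] == ["firewall", "ipv6-name", name]]
        if ["default-action", "drop"] not in body:
            findings.append(f"{name}: default-action is not drop")
        rules = {}  # rule number -> set of option strings
        for b in body:
            if b[:1] == ["rule"] and len(b) > 3:
                rules.setdefault(b[1], set()).add(" ".join(b[2:]))
        for num, opts in sorted(rules.items()):
            match = [o for o in opts if not o.startswith(("action", "description", "log"))]
            if "action accept" in opts and not match:
                findings.append(f"{name} rule {num}: accepts everything")
        if direction == "local" and not any(DHCPV6 <= o for o in rules.values()):
            findings.append(f"{name}: udp 547 -> 546 not accepted, dhcpv6-pd will fail")
    return findings
if __name__ == "__main__":
    print(audit(SAMPLE) or "no findings")
```

An empty list means the ruleset matches what the post describes; the last finding is the "blocking it in the firewall" case that stops the prefix request.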
Requesting a /56-prefix and configuring a prefix delegation
Here we’re requesting a prefix on eth0 and a prefix delegation (pd 0) to eth1, with a prefix-id set to :1, which means that it will get the first /64-prefix in the requested /56-prefix on eth0. We also configure the interface to use ::1 as address. This address will also be used later for things like DNS.
Setting up dnsmasq for RA, DNS and DHCP
To enable some more advanced features we’re going to disable the internal dhcp-server (isc-dhcp-server) and instead use dnsmasq to handle all aspects of this, from router advertisement to DNS and DHCP. The perk here is that dnsmasq can act as an authoritative DNS-server and inject DNS-records for hosts on the local network. For clients that use DHCP to request IPv4 it will also be able to provide DNS lookups for their respective IPv6 addresses, since the network interface has the same MAC-address.
I recommend taking a look at dnsmasq(8) to see what the different options do. In short, we’re setting up dnsmasq to enable router advertisement on the interface we’re listening on and act as an authoritative dhcp-server for ipv4. It also advertises local DNS-servers over both IPv4 and IPv6.
If you’re using Get (Telia, Norway) you should be able to request two prefixes, one /128-prefix that I personally just set to autoconfigure on eth0 for IPv6 connectivity on the router. You don’t really need to use it, but I guess it can be handy somehow. Just haven’t figured it out yet. You can also request a /56-prefix, which should give you plenty of room to grow.
If you’re not able to request a prefix it probably means that they haven’t enabled it for you or that you’re blocking it in the firewall. IPv6-support needs to be enabled by support before you can request a prefix.
Links that have been helpful for me: