IPv6 on the EdgeRouter Lite

Summary

Below are the commands and my thoughts on setting up IPv6 on a Ubiquiti Networks EdgeRouter Lite (ERLite-3). Were one to follow this as a guide, the results should be functioning IPv6 on the WAN and LAN side.

Note: As of EdgeMax v1.9.0, most IPv6 functionality is not available via the GUI. But, there is a new wizard as of this release which may work for the most basic case.

EdgeMax software version: 1.9.0 (works for 1.7.0 and above)
LAN: eth0
WAN: eth1
ISP: WebPass.net

Detailed Steps

Firewall

First, it’s important that we set up the firewall, as the default policy is “accept” and your LAN clients will have globally routable IPs. That’s bad. Unlike IPv4, there will be no NAT’ing to hide them.

Compared to our IPv4 firewall rules, there is one important difference: we need to permit ICMPv6 and DHCP in order for DHCPv6-PD to function.

Create a policy for WAN->LAN Clients:

edit firewall ipv6-name WAN6_IN
set default-action drop
set rule 10 action accept
set rule 10 description "allow established"
set rule 10 protocol all
set rule 10 state established enable
set rule 10 state related enable
set rule 20 action drop
set rule 20 description "drop invalid packets"
set rule 20 protocol all
set rule 20 state invalid enable
set rule 30 action accept
set rule 30 description "allow ICMPv6"
set rule 30 protocol icmpv6
top

Now create a policy for WAN->Router (aka local):

edit firewall ipv6-name WAN6_LOCAL
set default-action drop
set rule 10 action accept
set rule 10 description "allow established"
set rule 10 protocol all
set rule 10 state established enable
set rule 10 state related enable
set rule 20 action drop
set rule 20 description "drop invalid packets"
set rule 20 protocol all
set rule 20 state invalid enable
set rule 30 action accept
set rule 30 description "allow ICMPv6"
set rule 30 protocol icmpv6
set rule 40 action accept
set rule 40 description "allow DHCPv6 client/server"
set rule 40 destination port 546
set rule 40 source port 547
set rule 40 protocol udp
top

Now attach the policies to your WAN interface:

set interfaces ethernet eth1 firewall in ipv6-name WAN6_IN
set interfaces ethernet eth1 firewall local ipv6-name WAN6_LOCAL

Again, it’s important to note that we had to explicitly allow ICMPv6 and DHCPv6; without the ICMPv6 rule, neighbor discovery and router advertisements are dropped, and without the DHCPv6 rule the router never receives its delegated prefix.
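As an added check that is not part of the original guide, the following Python script parses the two policies above (in the same edit/set/top form, trimmed to the rules that matter) and flags a policy whose default action is not drop or that lacks the established, ICMPv6 or DHCPv6 accept rules. The config string is constructed here and the checking logic is my own, not an EdgeOS tool.

```python
import shlex
from collections import defaultdict
# Constructed input: the guide's two WAN policies, without descriptions/invalid-drop rules.
WAN6_CONFIG = """
edit firewall ipv6-name WAN6_IN
set default-action drop
set rule 10 action accept
set rule 10 state established enable
set rule 30 action accept
set rule 30 protocol icmpv6
top
edit firewall ipv6-name WAN6_LOCAL
set default-action drop
set rule 10 action accept
set rule 10 state established enable
set rule 30 action accept
set rule 30 protocol icmpv6
set rule 40 action accept
set rule 40 destination port 546
set rule 40 source port 547
set rule 40 protocol udp
top
"""

def parse_policies(text):
    # Map policy name -> {"default-action": str, "rules": {num: {"path words": value}}}
    policies, current = {}, None
    for line in text.strip().splitlines():
        words = shlex.split(line)  # shlex so quoted descriptions parse as one value
        if words[0] == "edit":
            current = policies.setdefault(words[-1], {"default-action": None, "rules": defaultdict(dict)})
        elif words[:2] == ["set", "default-action"]:
            current["default-action"] = words[2]
        elif words[:2] == ["set", "rule"]:  # "set rule N <path...> <value>"; "top" lines fall through
            current["rules"][int(words[2])][" ".join(words[3:-1])] = words[-1]
    return policies

def accepts(policy, match):
    # True if some accept rule carries every path=value pair in match
    return any(r.get("action") == "accept" and all(r.get(k) == v for k, v in match.items())
               for r in policy["rules"].values())

def check_policy(policy, needs_dhcpv6):
    # Returns a list of findings; an empty list means the policy matches the guide's intent
    problems = []
    if policy["default-action"] != "drop":
        problems.append("default-action is not drop (LAN hosts are directly routable, there is no NAT)")
    if not accepts(policy, {"state established": "enable"}):
        problems.append("no accept rule for established traffic")
    if not accepts(policy, {"protocol": "icmpv6"}):
        problems.append("ICMPv6 is not permitted (neighbor discovery and RAs will be dropped)")
    if needs_dhcpv6 and not accepts(policy, {"protocol": "udp", "source port": "547", "destination port": "546"}):
        problems.append("DHCPv6 replies (udp 547 -> 546) are not permitted, so DHCPv6-PD will fail")
    return problems
```

Run it against the output of `show configuration commands | grep ipv6-name` (lightly massaged into edit/set/top blocks) to catch a policy that was attached to the interface before its rules were finished.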

DHCPv6 Prefix Delegation

Now we’ll request IPv6 addresses from our ISP.

You may need to manually discover the prefix length that your ISP provides. The two most common lengths appear to be /56 and /64 (WebPass uses the latter).

Note: We’ll be using SLAAC (Stateless Address Autoconfiguration) instead of stateful DHCP (which is how IPv4 DHCP works).

edit interfaces ethernet eth1
set dhcpv6-pd pd 0 prefix-length /64
set dhcpv6-pd pd 0 interface eth0 host-address ::1
set dhcpv6-pd pd 0 interface eth0 prefix-id :0
set dhcpv6-pd pd 0 interface eth0 service slaac
top

Both eth0 and eth1 are referenced above, so be sure to use the correct interface in each place. In short, we’re telling eth1 (WAN) to delegate a prefix to eth0 (LAN).

If you are also using eth2 for a second LAN port, you’ll need to use the prefix-id :1 for that interface.
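To make the prefix-id and host-address settings concrete, here is an added Python example (not from the guide or from EdgeOS) that derives the LAN /64 and router address from a delegated prefix. It assumes prefix-id is a hex index selecting the Nth /64 inside the delegation and that host-address is OR-ed into that /64; the 2001:db8::/32 prefixes are constructed documentation values. It also shows why a /64 delegation leaves no room for a second LAN with prefix-id :1.

```python
import ipaddress

def lan_prefix(delegated, prefix_id, host_address="::1"):
    """Derive the LAN /64 and router address for one 'dhcpv6-pd pd 0 interface'
    entry. Assumption (modelled on the guide, not EdgeOS source): prefix-id is a
    hex index selecting the Nth /64 inside the delegated prefix, and host-address
    is OR-ed into that /64 to form the router's own address."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen > 64:
        raise ValueError(f"{net} is longer than /64; SLAAC needs a full /64")
    index = int(prefix_id.lstrip(":"), 16)
    available = 1 << (64 - net.prefixlen)       # number of /64s in the delegation
    if index >= available:
        raise ValueError(f"prefix-id {prefix_id} needs /64 number {index + 1} "
                         f"but {net} only contains {available}")
    lan = ipaddress.IPv6Network((int(net.network_address) + (index << 64), 64))
    router = ipaddress.IPv6Address(int(lan.network_address)
                                   | int(ipaddress.IPv6Address(host_address)))
    return lan, router

def plan(delegated, interfaces):
    """Map interface name -> (lan /64, router address), or the error text when the
    delegation is too small, for a dict like {"eth0": ":0", "eth2": ":1"}."""
    result = {}
    for ifname, prefix_id in interfaces.items():
        try:
            result[ifname] = lan_prefix(delegated, prefix_id)
        except ValueError as err:
            result[ifname] = str(err)
    return result

if __name__ == "__main__":
    # Constructed documentation prefixes (RFC 3849), not real ISP assignments.
    for delegated in ("2001:db8:abcd:100::/56", "2001:db8:abcd:1234::/64"):
        print(delegated, plan(delegated, {"eth0": ":0", "eth2": ":1"}))
```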

If you are running an EdgeMax OS version released since February 2016 (v1.8.0), you can skip down to Committing the Changes. If not, keep reading.

Router Advertisement — pre v1.8.0

Note: This section should only be necessary if you’re running an EdgeMax version older than v1.8.0.

It will also work with newer versions but is unnecessary.

If you run commit at this point, you will receive an error like this,

sed: can’t read /etc/radvd.conf: No such file or directory
Unable to edit radvd system config file. Exit code 512

The EdgeMax software is trying to start the radvd daemon because we set up dhcpv6-pd, but it failed to find a configuration file. I consider this a bug and hope the authors resolve this in future versions, as it’s entirely opaque to the casual hacker. (Update: they have!)

The solution is adding a router-advert section to your LAN interface, like so:

set interfaces ethernet eth0 ipv6 router-advert prefix ::/64

In the background, the EdgeMax software will write a valid radvd.conf, which will resolve the problem mentioned above.

Committing the Changes

You’re done!

commit
save

Verification and Testing

If you exit the config CLI, you should be able to see IPv4 and IPv6 addresses on your LAN and WAN interfaces,

$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description
---------    ----------                        ---  -----------
eth0         192.168.1.1/24                    u/u  LAN0
             <redacted ipv6>::1/64
eth1         <redacted ipv4>/23                u/u  WAN0
             <redacted ipv6>/128

Test from your router and your LAN clients,

$ ping6 google.com
PING google.com(nuq05s02-in-x00.1e100.net) 56 data bytes
64 bytes from nuq05s02-in-x00.1e100.net: icmp_seq=1 ttl=56 time=5.85 ms
64 bytes from nuq05s02-in-x00.1e100.net: icmp_seq=2 ttl=56 time=5.48 ms
64 bytes from nuq05s02-in-x00.1e100.net: icmp_seq=3 ttl=56 time=5.37 ms

Don’t forget to save your config!

References

I found the EdgeMax forums to be a bit unhelpful for this case because comments would often lack sufficient detail or a complete solution. Information was of course scattered across threads, dates, versions, etc. But, there is an active community and plenty of configuration examples, so it’s definitely worth checking out. https://community.ubnt.com/t5/EdgeMAX/bd-p/EdgeMAX

A similar guide that I found helpful: https://techsmix.net/ubiquti-edgemax-lite/. Note however that it does not contain any firewall rules!

Updates

2016/Oct/31: EdgeMax v1.9.0 tested. Updated recommendation about router-advert.

2016/Jun/6: Fix applied to example firewall commands. Reported by Joe Hettiarachchy, thanks!

2016/Mar/1: EdgeMax v1.8.0 tested. No changes, just noted to work.