vyos/vyos-documentation
1
0
Fork 0
mirror of https://github.com/vyos/vyos-documentation.git synced 2025-10-26 08:41:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #478 from ramaxlo/new-config-example

Browse Source 
configexamples: Add PPPoE IPv6 basic setup
This commit is contained in:
Robert Göhler 2021-03-17 20:01:43 +01:00 committed by GitHub
commit b162fb8f27
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 111 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
docs/_static/images/pppoe-ipv6-pd-diagram.jpg vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

1
docs/configexamples/index.rst
View File

@ -17,3 +17,4 @@ This chapter contains various configuration examples:
tunnelbroker-ipv6 tunnelbroker-ipv6
ha ha
wan-load-balancing wan-load-balancing
pppoe-ipv6-basic

110
docs/configexamples/pppoe-ipv6-basic.rst Normal file
View File

@ -0,0 +1,110 @@
.. _examples-pppoe-ipv6-basic:
#######################################
PPPoE IPv6 Basic Setup for Home Network
#######################################
This document is to describe a basic setup using PPPoE with DHCPv6-PD +
SLAAC to construct a typical home network. The user can follow steps described
here to quickly setup a working network and use this as a starting point to
further configure or fine tune other settings.
To achieve this, your ISP is required to support DHCPv6-PD. If you're not sure,
please contact your ISP for more information.
Network Topology
================
.. image:: /_static/images/pppoe-ipv6-pd-diagram.jpg
:width: 60%
:align: center
:alt: Network Topology Diagram
Configurations
==============
PPPoE Setup
-----------
.. code-block:: none
set interfaces pppoe pppoe0 authentication password <YOUR PASSWORD>
set interfaces pppoe pppoe0 authentication user <YOUR USERNAME>
set interfaces pppoe pppoe0 service-name <YOUR SERVICENAME>
set interfaces pppoe pppoe0 source-interface 'eth0'
* Fill ``password`` and ``user`` with the credential provided by your ISP.
* ``service-name`` can be an arbitrary string.
DHCPv6-PD Setup
---------------
During address configuration, in addition to assigning an address to the WAN
interface, ISP also provides a prefix to allow router to configure addresses of
LAN interface and other nodes connecting to LAN, which is called prefix
delegation (PD).
.. code-block:: none
set interfaces pppoe pppoe0 ipv6 address autoconf
set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth1 address '100'
* Here we use prefix to configure the address of eth1 (LAN) to form ``<prefix>::64``,
where ``64`` is hexadecimal of address 100.
* For home network users, most of time ISP only provides /64 prefix, hence
there is no need to set SLA ID and prefix length. See :ref:`pppoe-interface`
for more information.
Router Advertisement
--------------------
We need to enable router advertisement for LAN network so that PC can receive
the prefix and use SLAAC to configure address automatically.
.. code-block:: none
set service router-advert interface eth1 link-mtu '1492'
set service router-advert interface eth1 name-server <NAME SERVER>
set service router-advert interface eth1 prefix ::/64 valid-lifetime '172800'
* Set MTU in advertisement to 1492 because of PPPoE header overhead.
* Set DNS server address in advertisement so that clients can obtain it by using
RDNSS option. Most operating systems (Windows, Linux, Mac) should
already support it.
* Here we set the prefix to ``::/64`` to indicate advertising any /64 prefix
the LAN interface is assigned.
* Since some ISPs disconnects continuous connection for every 2~3 days, we set
``valid-lifetime`` to 2 days to allow PC for phasing out old address.
Basic Firewall
--------------
To have basic protection while keeping IPv6 network functional, we need to:
* Allow all established and related traffic for router and LAN
* Allow all icmpv6 packets for router and LAN
* Allow DHCPv6 packets for router
.. code-block:: none
set firewall ipv6-name WAN_IN default-action 'drop'
set firewall ipv6-name WAN_IN rule 10 action 'accept'
set firewall ipv6-name WAN_IN rule 10 state established 'enable'
set firewall ipv6-name WAN_IN rule 10 state related 'enable'
set firewall ipv6-name WAN_IN rule 20 action 'accept'
set firewall ipv6-name WAN_IN rule 20 protocol 'icmpv6'
set firewall ipv6-name WAN_LOCAL default-action 'drop'
set firewall ipv6-name WAN_LOCAL rule 10 action 'accept'
set firewall ipv6-name WAN_LOCAL rule 10 state established 'enable'
set firewall ipv6-name WAN_LOCAL rule 10 state related 'enable'
set firewall ipv6-name WAN_LOCAL rule 20 action 'accept'
set firewall ipv6-name WAN_LOCAL rule 20 protocol 'icmpv6'
set firewall ipv6-name WAN_LOCAL rule 30 action 'accept'
set firewall ipv6-name WAN_LOCAL rule 30 destination port '546'
set firewall ipv6-name WAN_LOCAL rule 30 protocol 'udp'
set firewall ipv6-name WAN_LOCAL rule 30 source port '547'
set interfaces pppoe pppoe0 firewall in ipv6-name 'WAN_IN'
set interfaces pppoe pppoe0 firewall local ipv6-name 'WAN_LOCAL'
Note to allow router to receive DHCPv6 response from ISP, we need to allow
packets with source port 547 (server) and destination port 546 (client).