Configuring PPPoE Dual-Stack on the EdgeRouter

I have a supervectoring connection with my provider, which delivers the internet service to me over VLAN 7. For that reason, I show the PPPoE dual-stack configuration on the EdgeRouter (IPv6) here.

We start by configuring the firewall rulesets for IPv4. They are very rudimentary, and you are invited to extend them to suit your needs. For example, rules for L2TP remote access could be added here.

set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to internal'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 40 action drop
set firewall name WAN_IN rule 40 description 'Drop invalid state'
set firewall name WAN_IN rule 40 state invalid enable
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 100 action drop
set firewall name WAN_LOCAL rule 100 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 100 log disable
set firewall name WAN_LOCAL rule 100 protocol all
set firewall name WAN_LOCAL rule 100 state established disable
set firewall name WAN_LOCAL rule 100 state invalid enable
set firewall name WAN_LOCAL rule 100 state new disable
set firewall name WAN_LOCAL rule 100 state related disable

Next we configure the firewall rulesets for IPv6. Besides ICMPv6, we also accept DHCPv6 at this point. In my case this is necessary because my provider hands out the IPv6 prefixes via DHCPv6.

set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN description 'WAN inbound traffic forwarded to LAN'
set firewall ipv6-name WANv6_IN enable-default-log
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 description 'Allow established/related sessions'
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable
set firewall ipv6-name WANv6_IN rule 20 action drop
set firewall ipv6-name WANv6_IN rule 20 description 'Drop invalid state'
set firewall ipv6-name WANv6_IN rule 20 state invalid enable
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL description 'WAN inbound traffic to the router'
set firewall ipv6-name WANv6_LOCAL enable-default-log
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 description 'Allow established/related sessions'
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
set firewall ipv6-name WANv6_LOCAL rule 20 action drop
set firewall ipv6-name WANv6_LOCAL rule 20 description 'Drop invalid state'
set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 description 'Allow IPv6 ICMP'
set firewall ipv6-name WANv6_LOCAL rule 30 protocol ipv6-icmp
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 description 'allow dhcpv6'
set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 40 source port 547

Next we set up the PPPoE connection. On the provider side we use VLAN 7 for this. Alternatively, this can be configured on the modem. Each provider may use a different VLAN here, or no VLAN at all, so it is best to ask your provider. Since we receive our IPv6 address via DHCPv6, we configure that as well, which is also why we allowed it in the firewall.

set interfaces ethernet eth0 vif 7 description 'eth0.7 - Internet VLAN'
set interfaces ethernet eth0 vif 7 pppoe 0 default-route auto
set interfaces ethernet eth0 vif 7 pppoe 0 dhcpv6-pd pd 0 interface eth0 host-address '::dead:beef'
set interfaces ethernet eth0 vif 7 pppoe 0 dhcpv6-pd pd 0 interface eth0 no-dns
set interfaces ethernet eth0 vif 7 pppoe 0 dhcpv6-pd pd 0 interface eth0 prefix-id 42
set interfaces ethernet eth0 vif 7 pppoe 0 dhcpv6-pd pd 0 interface eth0 service slaac
set interfaces ethernet eth0 vif 7 pppoe 0 dhcpv6-pd pd 0 interface eth1 host-address '::1'
set interfaces ethernet eth0 vif 7 pppoe 0 dhcpv6-pd pd 0 interface eth1 prefix-id ':10'
set interfaces ethernet eth0 vif 7 pppoe 0 dhcpv6-pd pd 0 interface eth1 service slaac
set interfaces ethernet eth0 vif 7 pppoe 0 dhcpv6-pd pd 0 prefix-length 56
set interfaces ethernet eth0 vif 7 pppoe 0 dhcpv6-pd prefix-only
set interfaces ethernet eth0 vif 7 pppoe 0 dhcpv6-pd rapid-commit enable
set interfaces ethernet eth0 vif 7 pppoe 0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 vif 7 pppoe 0 firewall in name WAN_IN
set interfaces ethernet eth0 vif 7 pppoe 0 firewall local ipv6-name WANv6_LOCAL
set interfaces ethernet eth0 vif 7 pppoe 0 firewall local name WAN_LOCAL
set interfaces ethernet eth0 vif 7 pppoe 0 idle-timeout 0
set interfaces ethernet eth0 vif 7 pppoe 0 ipv6 address autoconf
set interfaces ethernet eth0 vif 7 pppoe 0 ipv6 dup-addr-detect-transmits 1
set interfaces ethernet eth0 vif 7 pppoe 0 ipv6 enable
set interfaces ethernet eth0 vif 7 pppoe 0 mtu 1492
set interfaces ethernet eth0 vif 7 pppoe 0 name-server auto
set interfaces ethernet eth0 vif 7 pppoe 0 password <your password>
set interfaces ethernet eth0 vif 7 pppoe 0 user-id '<yourID>'
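
The firewall bindings above can be checked mechanically. The following Python sketch is an added example, not part of the original post: it reads `set` commands in the format used on this page (for instance the output of `show configuration commands`) and reports a missing ruleset binding, a default action other than drop, and a missing DHCPv6 rule. The names `audit` and `SAMPLE` are hypothetical, and the sample input is constructed.

```python
from collections import defaultdict
# Constructed sample in this page's format; "firewall in ipv6-name" is left out on purpose.
SAMPLE = """\
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 40 source port 547
set firewall name WAN_IN default-action drop
set firewall name WAN_LOCAL default-action drop
set interfaces ethernet eth0 vif 7 pppoe 0 dhcpv6-pd rapid-commit enable
set interfaces ethernet eth0 vif 7 pppoe 0 firewall in name WAN_IN
set interfaces ethernet eth0 vif 7 pppoe 0 firewall local ipv6-name WANv6_LOCAL
set interfaces ethernet eth0 vif 7 pppoe 0 firewall local name WAN_LOCAL
"""

def audit(config):  # hypothetical helper: returns a list of findings
    default, bound, uses_pd = {}, {}, False
    rules = defaultdict(dict)  # (family, ruleset, rule number) -> {setting: value}
    for line in config.splitlines():
        w = line.replace("'", "").split()
        if w[:2] == ["set", "firewall"] and len(w) >= 6 and w[2] in ("name", "ipv6-name"):
            if w[4] == "default-action":
                default[(w[2], w[3])] = w[5]
            elif w[4] == "rule" and len(w) >= 8:
                rules[(w[2], w[3], w[5])][" ".join(w[6:-1])] = w[-1]
        elif "pppoe" in w and "firewall" in w[:-3]:
            i = w.index("firewall")  # ... firewall <in|local> <name|ipv6-name> <ruleset>
            bound[(w[i + 1], w[i + 2])] = w[i + 3]
        elif "pppoe" in w and "dhcpv6-pd" in w:
            uses_pd = True
    findings = []
    for direction in ("in", "local"):
        for fam in ("name", "ipv6-name"):
            ruleset = bound.get((direction, fam))
            if ruleset is None:  # traffic in that direction is not filtered
                findings.append(f"no {fam} ruleset bound for direction '{direction}'")
            elif default.get((fam, ruleset)) != "drop":
                findings.append(f"{ruleset}: default-action is not drop")
    v6_local = bound.get(("local", "ipv6-name"))
    dhcp_ok = any(k[:2] == ("ipv6-name", v6_local) and r.get("action") == "accept"
                  and r.get("protocol") == "udp" and r.get("source port") == "547"
                  and r.get("destination port") == "546" for k, r in rules.items())
    if uses_pd and not dhcp_ok:  # DHCPv6 replies to the router would hit the default action
        findings.append("dhcpv6-pd is configured but no rule accepts udp 547 -> 546")
    return findings

print(audit(SAMPLE))
```

With the complete configuration from this page as input, the list of findings is empty.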

Finally, we complete the interface configuration of our LAN interfaces, having already announced them in the DHCPv6 configuration.

set interfaces ethernet eth1 ipv6 dup-addr-detect-transmits 1
set interfaces ethernet eth2 ipv6 dup-addr-detect-transmits 1

Now that we have completed the PPPoE dual-stack configuration on the EdgeRouter (IPv6), we can continue, if needed, with the IPTV configuration in the following post.
