Thanks to all the helpful posts, I've managed to get everything working with my current provider, XS4ALL.nl. However, there is one thing I just can't get my head around.
IPv6 works like a charm on the LAN. However, when I enable dhcpv6-pd for vtun0, it only works for my OpenVPN connection and no longer for machines on the LAN.
$ show configuration
/* Complete router configuration as pasted in the post, re-flowed one node per
   line; every token is unchanged. The syntax is Vyatta-style (the ubnt NTP pool
   names further down suggest Ubiquiti EdgeOS). Review notes are marked
   NOTE(review). */
firewall {
    all-ping enable
    broadcast-ping disable
    /* IPv6 forwarded from the WAN towards internal hosts: only
       established/related traffic passes, everything else is dropped and
       logged (enable-default-log). Bound to pppoe0 "in" further down. */
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN inbound traffic forwarded to LAN"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* IPv6 addressed to the router itself; bound to pppoe0 "local". */
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN inbound traffic to the router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        /* Accepts every ICMPv6 type sent to the router. IPv6 needs part of
           ICMPv6 to work (neighbour discovery, packet-too-big).
           NOTE(review): the rule has no type match and no rate limit. */
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        /* DHCPv6 replies from server port 547 to client port 546; the
           dhcpv6-pd client on pppoe0 depends on this rule. */
        rule 40 {
            action accept
            description "allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* IPv4 counterpart of WANv6_IN. NOTE(review): unlike the IPv6 rule sets
       it has no enable-default-log, so packets hitting the default drop are
       not logged. */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* IPv4 addressed to the router. Also without enable-default-log. */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        /* The only new inbound connection this rule set accepts from the WAN:
           OpenVPN on UDP 1194, with per-rule logging. */
        rule 50 {
            action accept
            description OpenVPN
            destination {
                port 1194
            }
            log enable
            protocol udp
        }
    }
    options {
    }
    receive-redirects disable
    send-redirects enable
    /* NOTE(review): reverse-path source validation is switched off. With two
       upstream paths (eth0.4 for IPTV and pppoe0) strict mode may drop
       legitimate traffic; "loose" is presumably the value to evaluate. */
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        duplex auto
        mtu 1532
        speed auto
        vif 4 {
            address dhcp
            description "XS4ALL Routed IPTV"
            dhcp-options {
                client-option "send vendor-class-identifier "IPTV_RG";"
                client-option "request subnet-mask, routers, rfc3442-classless-static-routes;"
                default-route no-update
                default-route-distance 210
                name-server update
            }
            mtu 1500
        }
        vif 6 {
            description "Internet (PPPoE)"
            mtu 1508
            pppoe 0 {
                default-route auto
                /* Prefix delegation: a /48 is requested; eth1 is assigned
                   prefix-id :1 and eth2 prefix-id :2, both advertised via
                   SLAAC. vtun0 is listed with no host-address, prefix-id or
                   service in this revision. */
                dhcpv6-pd {
                    pd 0 {
                        interface eth1 {
                            host-address ::1
                            prefix-id :1
                            service slaac
                        }
                        interface eth2 {
                            host-address ::1
                            prefix-id :2
                            service slaac
                        }
                        interface vtun0 {
                        }
                        prefix-length 48
                    }
                    prefix-only
                    rapid-commit enable
                }
                /* Rule sets are attached to pppoe0 only ("in" and "local").
                   NOTE(review): no firewall node appears on eth1, eth2 or
                   vtun0 anywhere in this listing, so traffic between VPN
                   clients, the LANs and the router is not filtered by any of
                   the rule sets above. Once VPN clients hold globally routable
                   IPv6 addresses, WANv6_IN on pppoe0 is the only filter
                   between them and the Internet. */
                firewall {
                    in {
                        ipv6-name WANv6_IN
                        name WAN_IN
                    }
                    local {
                        ipv6-name WANv6_LOCAL
                        name WAN_LOCAL
                    }
                }
                ipv6 {
                    address {
                        autoconf
                    }
                    dup-addr-detect-transmits 1
                    enable {
                    }
                }
                mtu 1500
                name-server auto
                /* NOTE(review): the PPPoE password is masked but the user-id
                   below is not; account identifiers are normally redacted
                   together with the secret before a config is posted. */
                password ****************
                user-id fb7490@xs4all.nl
            }
        }
    }
    ethernet eth1 {
        address 192.168.168.1/24
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 192.168.178.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    ethernet eth3 {
        duplex auto
        speed auto
    }
    ethernet eth4 {
        duplex auto
        speed auto
    }
    ethernet eth5 {
        duplex auto
        speed auto
    }
    ethernet eth6 {
        duplex auto
        speed auto
    }
    ethernet eth7 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
    /* OpenVPN server on UDP 1194 (opened by WAN_LOCAL rule 50), certificate
       based (tls node below), AES-256 with SHA-256. */
    openvpn vtun0 {
        description "OpenVPN server"
        encryption aes256
        hash sha256
        ipv6 {
            address {
                autoconf
            }
            dup-addr-detect-transmits 1
        }
        mode server
        openvpn-option "--port 1194"
        openvpn-option --tls-server
        /* NOTE(review): compression inside the tunnel is enabled. Compressing
           before encrypting can leak information about the plaintext through
           packet sizes (the VORACLE class of attack), and OpenVPN has since
           deprecated compression; consider removing it on server and clients. */
        openvpn-option "--comp-lzo yes"
        openvpn-option --persist-key
        openvpn-option --persist-tun
        openvpn-option "--keepalive 10 120"
        /* The daemon drops to an unprivileged user and group after start-up. */
        openvpn-option "--user nobody"
        openvpn-option "--group nogroup"
        /* Pushes an IPv6 default route, so all client IPv6 traffic goes
           through the tunnel. */
        openvpn-option "--push route-ipv6 ::/0"
        openvpn-option --tun-ipv6
        server {
            name-server 192.168.188.1
            push-route 192.168.168.0/24
            push-route 192.168.178.0/24
            subnet 192.168.188.0/24
        }
        /* NOTE(review): the key file name suggests the private key is stored
           without a passphrase, presumably so the daemon can start unattended;
           confirm the file is readable by root only. No tls-auth or tls-crypt
           option is visible in this listing, so the exposed UDP port answers
           TLS handshakes from any source. */
        tls {
            ca-cert-file /config/auth/cacert.pem
            cert-file /config/auth/host.pem
            dh-file /config/auth/dh2048.pem
            key-file /config/auth/host-decrypted.key
        }
    }
}
protocols {
    igmp-proxy {
        interface eth0.4 {
            alt-subnet 10.16.12.0/16
            alt-subnet 213.75.0.0/16
            role upstream
            threshold 1
        }
        interface eth1 {
            role downstream
            threshold 1
        }
    }
    static {
        route 213.75.112.0/21 {
            next-hop 10.194.232.1 {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        global-parameters "option vendor-class-identifier code 60 = string;"
        global-parameters "option broadcast-address code 28 = ip-address;"
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 192.168.168.0/24 {
                default-router 192.168.168.1
                dns-server 192.168.168.1
                lease 86400
                start 192.168.168.38 {
                    stop 192.168.168.243
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.178.0/24 {
                default-router 192.168.178.1
                dns-server 192.168.178.1
                lease 86400
                start 192.168.178.38 {
                    stop 192.168.178.243
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
            listen-on vtun0
        }
    }
    /* Web UI on 80/443. NOTE(review): older-ciphers enable lets the HTTPS
       listener negotiate legacy cipher suites; disable it unless an old
       browser really requires it. The WAN "local" rule sets have no rule for
       these ports, so from the WAN they fall to the default drop. */
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description IPTV
            destination {
                address 10.16.0.0/16
            }
            log disable
            outbound-interface eth0.4
            protocol all
            type masquerade
        }
        rule 5001 {
            description IPTV
            destination {
                address 213.75.112.0/21
            }
            log disable
            outbound-interface eth0.4
            protocol all
            type masquerade
        }
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface pppoe0
            type masquerade
        }
    }
    /* SSH on port 22, protocol 2 only. Neither WAN_LOCAL nor WANv6_LOCAL has a
       rule for port 22, so from the WAN it falls to the default drop. */
    ssh {
        port 22
        protocol-version v2
    }
    /* NOTE(review): UPnP lets any host on eth1 or eth2 request inbound port
       mappings on pppoe0 without authentication; keep it only if a LAN device
       needs it. */
    upnp {
        listen-on eth1 {
            outbound-interface pppoe0
        }
        listen-on eth2 {
            outbound-interface pppoe0
        }
    }
}
system {
    config-management {
        commit-revisions 64
    }
    domain-name xxxxx.nl
    host-name hq
    /* Single admin account; the password hash and the SSH public key were
       masked by the poster. */
    login {
        user xxxxxx {
            authentication {
                encrypted-password ****************
                public-keys user@domain.com {
                    key ****************
                    type ssh-rsa
                }
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            pppoe enable
            vlan enable
        }
        ipv6 {
            forwarding enable
            vlan enable
        }
    }
    /* NOTE(review): both repositories point at Debian wheezy, which is past
       end of life upstream, so packages installed from them no longer receive
       security fixes. Packages added this way sit outside the router
       firmware's own update path (presumably; confirm with the vendor's
       guidance). */
    package {
        repository wheezy {
            components "main contrib non-free"
            distribution wheezy
            password ****************
            url http://mirror.leaseweb.com/debian
            username ""
        }
        repository wheezy-security {
            components main
            distribution wheezy/updates
            password ****************
            url http://security.debian.org
            username ""
        }
    }
    /* NOTE(review): the paste has one more closing brace here than the nesting
       needs (possibly a block was removed before posting); it is reproduced
       as posted. The nodes that follow are indented as members of "system". */
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Amsterdam
    traffic-analysis {
        dpi enable
        export enable
    }
}
Here's the part that breaks IPv6 for the LAN and makes it work for OpenVPN:
# compare 2 [edit interfaces ethernet eth0 vif 6 pppoe 0 dhcpv6-pd pd 0 interface vtun0] -host-address ::1 -prefix-id :100 -service slaac [edit interfaces openvpn vtun0] -openvpn-option "--server-ipv6 2001:984:674d:100::1/64" [edit]
Any help is appreciated.