Difference between revisions of "TN3"
(2 intermediate revisions by the same user not shown) | |||
Line 3: | Line 3: | ||
The WAN interface on a Unifi Security Gateway (USG) supports static IPv6 address configuration and IPv6 prefix delegation. However it does not officially support the scenario of IPv6 stateless address autoconfiguration. This mode is deployed by some ISPs, notably NTT in Japan. |
The WAN interface on a Unifi Security Gateway (USG) supports static IPv6 address configuration and IPv6 prefix delegation. However it does not officially support the scenario of IPv6 stateless address autoconfiguration. This mode is deployed by some ISPs, notably NTT in Japan. |
||
− | This note describes the configuration of a USG to operate in this environment. |
+ | This note describes the configuration of a USG to operate in this environment. It assumes familarity with USG administration, including config.gateway.json files, and basic Linux knowledge. |
== Configure IPv6 stateless address autoconfiguration on eth0 == |
== Configure IPv6 stateless address autoconfiguration on eth0 == |
||
Line 25: | Line 25: | ||
== Configure private local IPv6 addresses for internal use == |
== Configure private local IPv6 addresses for internal use == |
||
− | # |
+ | # Select a random [https://tools.ietf.org/html/rfc4193 RFC 4193] IPv6 prefix of the form fdxx:xxxx:xxxx:/48. There are online tools to make this easy. |
− | # |
+ | # Use the configuration GUI to assign addresses and subnets to each internal interface. For example, fdxx:xxxx:xxxx:1::1/64 |
+ | |||
+ | == Configure NATv6 == |
||
+ | |||
+ | SSH to the USG, become root and create the file: |
||
+ | /config/scripts/post-config.d/nat6.sh |
||
+ | containing: |
||
+ | #!/bin/bash |
||
+ | # enable ipv6 NAT |
||
+ | /sbin/ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE |
||
+ | |||
+ | Make sure it is executable: |
||
+ | chmod 755 /config/scripts/post-config.d/nat6.sh |
Latest revision as of 21:56, 3 May 2020
IPv6 stateless address autoconfiguration of the WAN interface on a Unifi Security Gateway
The WAN interface on a Unifi Security Gateway (USG) supports static IPv6 address configuration and IPv6 prefix delegation. However it does not officially support the scenario of IPv6 stateless address autoconfiguration. This mode is deployed by some ISPs, notably NTT in Japan.
This note describes the configuration of a USG to operate in this environment. It assumes familarity with USG administration, including config.gateway.json files, and basic Linux knowledge.
Configure IPv6 stateless address autoconfiguration on eth0
This requires the creation or modification of a config.gateway.json file on the Unifi controller. On a Unifi Cloud Key controller, this file is located at:
/srv/unifi/data/sites/default/config.gateway.json
The config.gateway.json should include the following nodes:
{ "interfaces": { "ethernet": { "eth0": { "ipv6": { "address": "autoconf" } } } } }
Configure private local IPv6 addresses for internal use
- Select a random RFC 4193 IPv6 prefix of the form fdxx:xxxx:xxxx:/48. There are online tools to make this easy.
- Use the configuration GUI to assign addresses and subnets to each internal interface. For example, fdxx:xxxx:xxxx:1::1/64
Configure NATv6
SSH to the USG, become root and create the file:
/config/scripts/post-config.d/nat6.sh
containing:
#!/bin/bash # enable ipv6 NAT /sbin/ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Make sure it is executable:
chmod 755 /config/scripts/post-config.d/nat6.sh