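Configuring IPv6 on an EdgeRouter is genuinely confusing, and I believe many of you have run into trouble with it. By default, one would expect the router to obtain an IPv6 address once the PPPoE connection comes up, but this time it still has to be enabled with commands before an IPv6 address is assigned. When I tried configuring IPv6 earlier, I ended up doing something stupid and made a mess of things~ XD
For administration you need to be familiar with SSH commands, though the same commands can also be entered from the Web CLI; making sure everything works correctly is absolutely essential. On Windows, I recommend the PuTTY client.
1 Basic commands
After logging in, you can display the current configuration with: show configuration
To change the configuration, switch to configuration mode with: configure
When you finish configuring, apply the changes: commit
If applying the changes shows no errors, save them so they persist: save
To leave configure mode: exit
Reboot to complete the change: reboot
2 Preparation
Before you start, have your PPPoE username and password at hand. The steps below assume these defaults:
Applicable models: EdgeRouter series
IP: 192.168.1.1
WAN: eth0
Login username / password: UBNT / UBNT
3 Create the IPv6 firewall rules
Enter the following in the configure terminal: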
configure
edit firewall
set ipv6-name WANv6_IN default-action drop
set ipv6-name WANv6_IN description "IPv6 packets from the internet to LAN and WAN"
set ipv6-name WANv6_IN enable-default-log
set ipv6-name WANv6_IN rule 10 action accept
set ipv6-name WANv6_IN rule 10 description "Allow established and related packets"
set ipv6-name WANv6_IN rule 10 state established enable
set ipv6-name WANv6_IN rule 10 state related enable
set ipv6-name WANv6_IN rule 20 action drop
set ipv6-name WANv6_IN rule 20 description "Drop invalid packets"
set ipv6-name WANv6_IN rule 20 log enable
set ipv6-name WANv6_IN rule 20 state invalid enable
set ipv6-name WANv6_IN rule 30 action accept
set ipv6-name WANv6_IN rule 30 description "Allow ICMPv6 packets"
set ipv6-name WANv6_IN rule 30 log enable
set ipv6-name WANv6_IN rule 30 protocol icmpv6
set ipv6-name WANv6_LOCAL default-action drop
set ipv6-name WANv6_LOCAL description "IPv6 packets from internet to router"
set ipv6-name WANv6_LOCAL enable-default-log
set ipv6-name WANv6_LOCAL rule 10 action accept
set ipv6-name WANv6_LOCAL rule 10 description "Allow established and related packets"
set ipv6-name WANv6_LOCAL rule 10 state established enable
set ipv6-name WANv6_LOCAL rule 10 state related enable
set ipv6-name WANv6_LOCAL rule 20 action drop
set ipv6-name WANv6_LOCAL rule 20 description "Drop invalid packets"
set ipv6-name WANv6_LOCAL rule 20 log enable
set ipv6-name WANv6_LOCAL rule 20 state invalid enable
set ipv6-name WANv6_LOCAL rule 30 action accept
set ipv6-name WANv6_LOCAL rule 30 description "Allow ICMPv6 packets"
set ipv6-name WANv6_LOCAL rule 30 log enable
set ipv6-name WANv6_LOCAL rule 30 protocol icmpv6
set ipv6-name WANv6_LOCAL rule 40 action accept
set ipv6-name WANv6_LOCAL rule 40 description "Allow DHCPv6 client/server"
set ipv6-name WANv6_LOCAL rule 40 destination port 546
set ipv6-name WANv6_LOCAL rule 40 source port 547
set ipv6-name WANv6_LOCAL rule 40 protocol udp
set ipv6-receive-redirects disable
set ipv6-src-route disable
commit
save
exit
4 Create the IPv4 firewall rules
Again, enter the following in the configure terminal:
configure
edit firewall
set name WAN_IN default-action drop
set name WAN_IN description "WAN to internal"
set name WAN_IN rule 10 action accept
set name WAN_IN rule 10 description "Allow established/related"
set name WAN_IN rule 10 state established enable
set name WAN_IN rule 10 state related enable
set name WAN_IN rule 20 action drop
set name WAN_IN rule 20 description "Drop invalid state"
set name WAN_IN rule 20 state invalid enable
set name WAN_LOCAL default-action drop
set name WAN_LOCAL description "WAN to router"
set name WAN_LOCAL rule 10 action accept
set name WAN_LOCAL rule 10 description "Allow established/related"
set name WAN_LOCAL rule 10 state established enable
set name WAN_LOCAL rule 10 state related enable
set name WAN_LOCAL rule 20 action drop
set name WAN_LOCAL rule 20 description "Drop invalid state"
set name WAN_LOCAL rule 20 state invalid enable
commit
save
exit
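5 Adjust the MSS value
Because the default MSS value is 1412, lookups may sometimes fail to resolve properly and large packets may misbehave, so this value needs to be adjusted. This is very important.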
set firewall options mss-clamp mss 1452
Map the WAN port to PPPoE
Besides the IPv4 PPPoE settings, this also adds the matching IPv6 settings for the dial-out connection.
configure
edit interfaces ethernet eth0
set description "Internet (PPPoE)"
set duplex auto
set firewall in ipv6-name WANv6_IN
set firewall local ipv6-name WANv6_LOCAL
set pppoe 0 default-route auto
set pppoe 0 mtu 1492
set pppoe 0 name-server auto
set pppoe 0 user-id ********@hinet.net (PPPoE account; if you have applied for dynamic-to-static IP, enter @ip.hinet.net)
set pppoe 0 password **************** (PPPoE password)
set pppoe 0 dhcpv6-pd pd 0 interface switch0 prefix-id :0
set pppoe 0 dhcpv6-pd pd 0 interface switch0 service slaac
set pppoe 0 dhcpv6-pd pd 0 prefix-length /64
set pppoe 0 firewall in name WAN_IN
set pppoe 0 firewall local name WAN_LOCAL
set pppoe 0 firewall in ipv6-name WANv6_IN (IPv6 traffic arrives on pppoe 0, so the IPv6 rule sets must be bound here to take effect)
set pppoe 0 firewall local ipv6-name WANv6_LOCAL
set pppoe 0 ipv6 dup-addr-detect-transmits 1
set pppoe 0 ipv6 enable
commit
save
exit
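On a PPPoE link the IPv6 packets are received on the pppoe interface, so an IPv6 rule set only filters them when it is bound there. The following added example (not part of the original post) audits a configuration export for that binding; it assumes the `set ...` line format printed by `show configuration commands`, and the function name `audit_ipv6_wan` and the sample text are constructed for illustration.

```python
import shlex

# Constructed sample in `show configuration commands` format (not from a real router).
SAMPLE = """\
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_LOCAL default-action drop
set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL
set interfaces ethernet eth0 pppoe 0 firewall in name WAN_IN
set interfaces ethernet eth0 pppoe 0 firewall local name WAN_LOCAL
set interfaces ethernet eth0 pppoe 0 dhcpv6-pd pd 0 prefix-length /64
set interfaces ethernet eth0 pppoe 0 ipv6 enable
"""

def audit_ipv6_wan(config_text):
    """Return a list of findings for PPPoE interfaces that carry IPv6."""
    default_action = {}   # IPv6 rule set name -> default-action
    bound = {}            # (pppoe path, direction) -> IPv6 rule set name
    v6_ifaces = set()     # pppoe paths with IPv6 enabled or DHCPv6-PD configured
    for line in config_text.splitlines():
        tok = shlex.split(line)
        if tok[:1] != ["set"]:
            continue
        if tok[1:3] == ["firewall", "ipv6-name"] and tok[4:5] == ["default-action"]:
            default_action[tok[3]] = tok[5]
        if tok[1:2] == ["interfaces"] and "pppoe" in tok:
            i = tok.index("pppoe")
            path, rest = " ".join(tok[2:i + 2]), tok[i + 2:]
            if rest[:1] == ["dhcpv6-pd"] or rest[:2] == ["ipv6", "enable"]:
                v6_ifaces.add(path)
            if rest[:1] == ["firewall"] and rest[2:3] == ["ipv6-name"]:
                bound[(path, rest[1])] = rest[3]
    findings = []
    for path in sorted(v6_ifaces):
        for direction in ("in", "local"):
            ruleset = bound.get((path, direction))
            if ruleset is None:
                findings.append(f"{path}: no ipv6-name rule set bound for '{direction}'")
            elif default_action.get(ruleset) != "drop":
                findings.append(f"{path}: {ruleset} default-action is not drop")
    return findings

if __name__ == "__main__":
    for finding in audit_ipv6_wan(SAMPLE):
        print(finding)
```

The sample binds the IPv6 rule sets to eth0 only, so both directions on pppoe 0 are reported; an export with the rule sets bound to pppoe 0 and a drop default returns no findings.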
6 Create the NAT masquerade rule
This rule must be created; without it, packets cannot get out.
configure
edit service nat rule 5010
set description "Masquerade for WAN"
set outbound-interface pppoe0
set type masquerade
commit
save
exit
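7 DNS forwarder settings
I use the EdgeRouter as a DNS forwarder: each host on a LAN IP sends its DNS requests to the router, and those requests are forwarded to the DNS servers you specify.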
show dns forwarding nameservers
configure
set interfaces ethernet eth0 dhcp-options name-server no-update (block the built-in IPv4 DNS servers)
set interfaces ethernet eth0 dhcpv6-pd no-dns (block the built-in IPv6 DNS servers)
set service dns forwarding name-server 1.1.1.1
set service dns forwarding name-server 1.0.0.1
set service dns forwarding name-server 2606:4700:4700::1111
set service dns forwarding name-server 2606:4700:4700::1001
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 192.168.1.1 (sets the DNS server handed out by the DHCP server to 192.168.1.1, so LAN clients can have their IPv4 / IPv6 address lookups forwarded through it)
commit
save
exit
Run show dns forwarding nameservers once more to check the current status; you can see that the change has succeeded.
-----------------------------------------------
Nameservers configured for DNS forwarding
-----------------------------------------------
1.1.1.1 available via 'statically configured'
1.0.0.1 available via 'statically configured'
2606:4700:4700::1111 available via 'statically configured'
2606:4700:4700::1001 available via 'statically configured'
-----------------------------------------------
Nameservers NOT configured for DNS forwarding
-----------------------------------------------
168.95.192.1 available via 'ppp pppoe0'
168.95.1.1 available via 'ppp pppoe0'
2001:b000:168::1 available via 'system'
2001:b000:168::2 available via 'system'
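Although there are several other ways to get IPv6 working, this is the simplest forwarding method.
8 Allowing ICMPv6
To let ICMPv6 traffic in, ICMPv6 has to be allowed. The following uses Windows 10 as the example.
Step 1
Click Start → Run and enter wf.msc to open the Windows Defender Firewall with Advanced Security window
Step 2
Click Inbound Rules → New Rule
Step 3
For the rule type, select Custom
Step 4
Select All programs
Step 5
Under Protocol and Ports, select ICMPv6
Step 6
Under Scope, in the IP address part of the rule, select Any IP address
Step 7
For the action taken when a connection matches the rule, select Allow the connection
Step 8
This is the profile step, which decides where the rule applies. Choose according to your needs; if you are not sure, you can tick all of them
Step 9
Enter a name of your choosing, for example: ICMPv6, then click Finish and the rule takes effect~
9 Testing
Test your IPv6 status with the following two sites: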
https://test-ipv6.com/
https://ipv6-test.com/