UBNT ER-X IPv6整路由器配置(深圳电信,路由器使用1.10.11老版本)

深圳福田地区城中村,所谓的“电信融合宽带”,分配的前缀长度为 /56。光猫已经配置好桥接模式。

这是整个路由器的配置,多个功能的配置一并分享,已验证可用,在 http://test-ipv6.com/ 这类测试站点都是满分通过的。

部分账号相关内容已用“X”代替

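# EdgeRouter X (EdgeOS 1.10.11) full configuration: PPPoE WAN, DHCPv6-PD (/56),
# IPv4 + IPv6 firewall, port-forward, L2TP/IPsec remote access, DDNS, NTP, syslog.
# Account-specific values are replaced by 'x' / block placeholders. Never paste
# real PPPoE, VPN or admin credentials into a shared listing.
set firewall all-ping enable
set firewall broadcast-ping disable
# Some of the firewall content below is personal preference or reserved for
# later use; it is not strictly necessary and parts of it are redundant.

# WANv6_IN: IPv6 from the Internet forwarded into the LAN. Default drop; only
# replies to sessions the LAN opened (plus ICMPv6) get through.
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN description 'WAN inbound traffic forwarded to LAN'
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 description 'Allow established/related sessions'
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable
# Rule 15 is optional. ICMPv6 carries Path-MTU and neighbor-discovery signalling,
# so filtering it tends to break connectivity rather than add protection.
set firewall ipv6-name WANv6_IN rule 15 action accept
set firewall ipv6-name WANv6_IN rule 15 description 'Allow icmpv6'
set firewall ipv6-name WANv6_IN rule 15 protocol icmpv6
set firewall ipv6-name WANv6_IN rule 20 action drop
set firewall ipv6-name WANv6_IN rule 20 description 'Drop invalid state'
set firewall ipv6-name WANv6_IN rule 20 state invalid enable

# WANv6_LOCAL: IPv6 from the Internet addressed to the router itself. Default
# drop, so SSH/GUI are not reachable over IPv6 from the WAN.
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL description 'WAN inbound traffic to the router'
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 description 'Allow established/related sessions'
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
# Rule 20: DHCPv6 server (udp/547) -> client (udp/546) replies, needed for the
# prefix delegation on pppoe0 to complete.
set firewall ipv6-name WANv6_LOCAL rule 20 action accept
set firewall ipv6-name WANv6_LOCAL rule 20 description 'allow dhcpv6'
set firewall ipv6-name WANv6_LOCAL rule 20 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 20 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 20 source port 547
# Rules 23/25: accept the fragment and hop-by-hop/destination-options
# extension headers when addressed to the router.
set firewall ipv6-name WANv6_LOCAL rule 23 action accept
set firewall ipv6-name WANv6_LOCAL rule 23 description 'Allow IPv6-frag'
set firewall ipv6-name WANv6_LOCAL rule 23 protocol ipv6-frag
# ICMPv6 open (rules 25-30).
set firewall ipv6-name WANv6_LOCAL rule 25 action accept
set firewall ipv6-name WANv6_LOCAL rule 25 description 'Allow IPv6 opts'
set firewall ipv6-name WANv6_LOCAL rule 25 protocol ipv6-opts
set firewall ipv6-name WANv6_LOCAL rule 28 action accept
set firewall ipv6-name WANv6_LOCAL rule 28 description 'Allow ICMPv6'
set firewall ipv6-name WANv6_LOCAL rule 28 protocol icmpv6
# Rule 30 is a harmless duplicate: 'icmpv6' and 'ipv6-icmp' name the same
# protocol, so rule 28 already accepts everything rule 30 would.
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 description 'Allow IPv6 icmp'
set firewall ipv6-name WANv6_LOCAL rule 30 protocol ipv6-icmp
set firewall ipv6-name WANv6_LOCAL rule 40 action drop
set firewall ipv6-name WANv6_LOCAL rule 40 description 'drop invalid state'
# The bare 'destination' line below carries no value; presumably an empty node
# left behind by the GUI. It adds no match criteria -- verify with 'show firewall'.
set firewall ipv6-name WANv6_LOCAL rule 40 destination
set firewall ipv6-name WANv6_LOCAL rule 40 state invalid enable

# Global hardening: ignore ICMP(v6) redirects and source-routed packets, log
# packets with impossible source addresses.
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable

# WAN_IN: IPv4 from the Internet forwarded into the LAN. Default drop; the
# port-forward block further down (auto-firewall enable) injects its own accept
# rules for the NAS, so they do not appear here.
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to internal'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop invalid state'
set firewall name WAN_IN rule 20 state invalid enable

# WAN_LOCAL: IPv4 from the Internet to the router itself. Rules 10-40 expose
# exactly what the L2TP/IPsec remote-access VPN needs (IKE udp/500, ESP,
# NAT-T udp/4500, L2TP udp/1701 only inside IPsec); everything else to the
# router -- SSH, GUI, DNS -- is dropped by the default action.
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
# For the L2TP VPN.
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description ike
set firewall name WAN_LOCAL rule 10 destination port 500
set firewall name WAN_LOCAL rule 10 log disable
set firewall name WAN_LOCAL rule 10 protocol udp
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 description esp
set firewall name WAN_LOCAL rule 20 log disable
set firewall name WAN_LOCAL rule 20 protocol esp
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description nat-t
set firewall name WAN_LOCAL rule 30 destination port 4500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp
# match-ipsec keeps plain (unencrypted) L2TP from reaching the daemon.
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description l2tp
set firewall name WAN_LOCAL rule 40 destination port 1701
set firewall name WAN_LOCAL rule 40 ipsec match-ipsec
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol udp
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description 'Allow established/related'
set firewall name WAN_LOCAL rule 50 state established enable
set firewall name WAN_LOCAL rule 50 state related enable
set firewall name WAN_LOCAL rule 60 action drop
set firewall name WAN_LOCAL rule 60 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 60 state invalid enable

# WAN_OUT: LAN -> Internet IPv4 traffic leaving pppoe0. Rules are evaluated in
# ascending number order and the first match wins, so the per-device block
# rules must come BEFORE the catch-all accept. In the original listing the
# catch-all was rule 10 and the block rules 20/30/40 could never match, because
# rule 10 already accepted every new/established/related packet. The catch-all
# is therefore renumbered to 50. If rule 10 already exists on the device, remove
# it first with: delete firewall name WAN_OUT rule 10
# Note that WAN_OUT is an IPv4 ruleset only (attached via 'firewall out name');
# the TV keeps IPv6 reachability unless a matching ipv6-name out ruleset is added.
set firewall name WAN_OUT default-action drop
set firewall name WAN_OUT description pppoe0/out
# The author uses a DTMB set-top box, so the ad-laden Xiaomi TV is blocked from
# the Internet by its wired MAC, its Wi-Fi MAC and its IPv4 address. MAC
# matching only works for hosts directly on switch0.
set firewall name WAN_OUT rule 20 action drop
set firewall name WAN_OUT rule 20 description 'Block TV by ETH  MAC'
set firewall name WAN_OUT rule 20 log disable
set firewall name WAN_OUT rule 20 protocol all
set firewall name WAN_OUT rule 20 source mac-address 'xx:xx:xx:xx:xx:xx'
set firewall name WAN_OUT rule 30 action drop
set firewall name WAN_OUT rule 30 description 'Block TV by WiFi MAC'
set firewall name WAN_OUT rule 30 log disable
set firewall name WAN_OUT rule 30 protocol all
set firewall name WAN_OUT rule 30 source mac-address 'xx:xx:xx:xx:xx:xx'
set firewall name WAN_OUT rule 40 action drop
set firewall name WAN_OUT rule 40 description 'Block TV by IPv4'
set firewall name WAN_OUT rule 40 log disable
set firewall name WAN_OUT rule 40 protocol all
set firewall name WAN_OUT rule 40 source address 172.16.100.3
# Catch-all accept (was rule 10), now evaluated after the block rules.
set firewall name WAN_OUT rule 50 action accept
set firewall name WAN_OUT rule 50 description 'accept default '
set firewall name WAN_OUT rule 50 log disable
set firewall name WAN_OUT rule 50 protocol all
set firewall name WAN_OUT rule 50 state established enable
set firewall name WAN_OUT rule 50 state invalid disable
set firewall name WAN_OUT rule 50 state new enable
set firewall name WAN_OUT rule 50 state related enable

# PPPoE MTU is 1492, so TCP MSS is clamped to avoid PMTU black holes.
set firewall options mss-clamp mss 1412
set firewall options mss-clamp6 mss 1412
set firewall receive-redirects disable
set firewall send-redirects enable
# source-validation disable = no reverse-path filtering. 'loose' or 'strict'
# would drop LAN packets with spoofed source addresses; left as the author had it.
set firewall source-validation disable
set firewall syn-cookies enable

# WAN: eth0 carries the PPPoE session; pppoe0 is the logical Internet interface
# that the firewall rulesets above are attached to.
set interfaces ethernet eth0 description 'Internet (PPPoE)'
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 pppoe 0 default-route auto
# DHCPv6-PD: request the /56, hand prefix-id 0 to switch0. 'dhcpv6-stateless'
# because this ISP delegates a prefix but assigns no address (see dhcp6c.log
# in the post: "NA-0: no addresses").
set interfaces ethernet eth0 pppoe 0 dhcpv6-pd pd 0 interface switch0 prefix-id 0
set interfaces ethernet eth0 pppoe 0 dhcpv6-pd pd 0 interface switch0 service dhcpv6-stateless
set interfaces ethernet eth0 pppoe 0 dhcpv6-pd pd 0 prefix-length /56
# rapid-commit is disabled on purpose: this ISP's DHCPv6 server does not offer
# it and enabling it only adds an error line to the log.
set interfaces ethernet eth0 pppoe 0 dhcpv6-pd rapid-commit disable
set interfaces ethernet eth0 pppoe 0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 pppoe 0 firewall in name WAN_IN
set interfaces ethernet eth0 pppoe 0 firewall local ipv6-name WANv6_LOCAL
set interfaces ethernet eth0 pppoe 0 firewall local name WAN_LOCAL
set interfaces ethernet eth0 pppoe 0 firewall out name WAN_OUT
set interfaces ethernet eth0 pppoe 0 ipv6 address autoconf
set interfaces ethernet eth0 pppoe 0 ipv6 dup-addr-detect-transmits 1
set interfaces ethernet eth0 pppoe 0 ipv6 enable
set interfaces ethernet eth0 pppoe 0 mtu 1492
set interfaces ethernet eth0 pppoe 0 name-server auto
# PPPoE credentials (placeholders).
set interfaces ethernet eth0 pppoe 0 password xxxxxxxxxxxxx
set interfaces ethernet eth0 pppoe 0 user-id xxxxxxxxxxxxxxx@163.gd
set interfaces ethernet eth0 speed auto
# LAN ports. eth3/eth4 are administratively disabled but still members of switch0.
set interfaces ethernet eth1 description Local
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 speed auto
set interfaces ethernet eth2 description Local
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 speed auto
set interfaces ethernet eth3 description Local
set interfaces ethernet eth3 disable
set interfaces ethernet eth3 duplex auto
set interfaces ethernet eth3 speed auto
set interfaces ethernet eth4 description Local
set interfaces ethernet eth4 disable
set interfaces ethernet eth4 duplex auto
set interfaces ethernet eth4 speed auto
set interfaces loopback lo

# LAN: switch0 = 172.16.0.0/16 with the router at 172.16.100.1.
set interfaces switch switch0 address 172.16.100.1/16
set interfaces switch switch0 description Local
set interfaces switch switch0 ipv6 address autoconf
set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1
# Router advertisements: hand out IPv6 addresses to LAN hosts via SLAAC
# (managed-flag false) and point them at stateless DHCPv6 for other
# information (other-config-flag true).
set interfaces switch switch0 ipv6 router-advert cur-hop-limit ■■
set interfaces switch switch0 ipv6 router-advert link-mtu 0
set interfaces switch switch0 ipv6 router-advert managed-flag false
set interfaces switch switch0 ipv6 router-advert max-interval 600
# Our own IPv6 DNS resolvers for LAN hosts (RDNSS).
set interfaces switch switch0 ipv6 router-advert name-server '2400:3200::1'
set interfaces switch switch0 ipv6 router-advert name-server '240c::6666'
set interfaces switch switch0 ipv6 router-advert other-config-flag true
# NOTE(review): the prefix value is redacted here. If it is a literal ISP
# prefix, it goes stale whenever the delegated /56 changes; EdgeOS accepts
# 'prefix ::/64' to derive it from the PD automatically -- confirm on the device.
set interfaces switch switch0 ipv6 router-advert prefix ■■■■■■■ autonomous-flag true
set interfaces switch switch0 ipv6 router-advert prefix ■■■■■■■ on-link-flag true
# Shorter lifetimes so LAN hosts drop old addresses sooner after a prefix change.
set interfaces switch switch0 ipv6 router-advert prefix ■■■■■■■ preferred-lifetime 3600
set interfaces switch switch0 ipv6 router-advert prefix ■■■■■■■ valid-lifetime 4800
set interfaces switch switch0 ipv6 router-advert reachable-time 0
set interfaces switch switch0 ipv6 router-advert retrans-timer 0
set interfaces switch switch0 ipv6 router-advert send-advert true
set interfaces switch switch0 mtu 1500
set interfaces switch switch0 switch-port interface eth1
set interfaces switch switch0 switch-port interface eth2
set interfaces switch switch0 switch-port interface eth3
set interfaces switch switch0 switch-port interface eth4
set interfaces switch switch0 switch-port vlan-aware disable

# Port forwarding to the NAS for BitTorrent/PT. auto-firewall adds the matching
# WAN_IN accept rules; hairpin-nat lets LAN hosts reach the NAS via the public
# address. The 41410-52419 range exposes roughly 11,000 ports to the Internet;
# a BT client normally needs one listening port, so narrowing the range
# shrinks the NAS's attack surface.
set port-forward auto-firewall enable
set port-forward hairpin-nat enable
set port-forward lan-interface switch0
set port-forward rule 1 description 'NAS Transmission'
set port-forward rule 1 forward-to address 172.16.100.2
set port-forward rule 1 forward-to port 41410-52419
set port-forward rule 1 original-port 41410-52419
set port-forward rule 1 protocol tcp_udp
set port-forward wan-interface pppoe0

# IPv6 default route via pppoe0. Many "IPv6 configured but no connectivity"
# cases are just this line missing.
set protocols static interface-route6 '::/0' next-hop-interface pppoe0

# IPv4 DHCP: pool 172.16.100.50-70 (21 leases). The NAS (.2), the TV (.3)
# and the VPN pool (.101-.110) sit outside the pool.
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server shared-network-name LAN-172 authoritative disable
set service dhcp-server shared-network-name LAN-172 subnet 172.16.0.0/16 default-router 172.16.100.1
set service dhcp-server shared-network-name LAN-172 subnet 172.16.0.0/16 dns-server 223.5.5.5
set service dhcp-server shared-network-name LAN-172 subnet 172.16.0.0/16 dns-server 8.8.8.8
set service dhcp-server shared-network-name LAN-172 subnet 172.16.0.0/16 lease ■■■■■
set service dhcp-server shared-network-name LAN-172 subnet 172.16.0.0/16 start 172.16.100.50 stop 172.16.100.70
set service dhcp-server static-arp disable
set service dhcp-server use-dnsmasq disable

# Dynamic DNS (Oray / 花生壳). 'ssl=no' sends the DDNS login and password to
# ddns.oray.com in clear text on every update; check whether the provider
# accepts 'ssl=yes' before leaving this as is.
set service dns dynamic interface pppoe0 service custom-Oray host-name xxxxxxx.eicp.■■■
set service dns dynamic interface pppoe0 service custom-Oray login xxxxxxxxxx
set service dns dynamic interface pppoe0 service custom-Oray options script=/ph/update,ssl=no
set service dns dynamic interface pppoe0 service custom-Oray password xxxxxxxxxx
set service dns dynamic interface pppoe0 service custom-Oray protocol dyndns2
set service dns dynamic interface pppoe0 service custom-Oray server ddns.oray.com
# DNS forwarder listens on the LAN side only.
set service dns forwarding cache-size 8192
set service dns forwarding listen-on switch0

# Web GUI. Reachable from the LAN only (WAN_LOCAL / WANv6_LOCAL default-drop).
# older-ciphers re-enables weak TLS cipher suites for legacy browsers; turn it
# off unless such a client actually needs it.
set service gui http-port 80
set service gui https-port 443
set service gui older-ciphers enable
set service nat rule 5010 description 'masquerade for WAN'
set service nat rule 5010 outbound-interface pppoe0
set service nat rule 5010 type masquerade
# SSH, LAN-side only for the same reason as the GUI.
set service ssh port 22
set service ssh protocol-version v2
set service unms disable
# UPnP lets ANY LAN device open inbound NAT mappings on its own -- including
# the TV the WAN_OUT rules try to contain. Keep it only if a LAN application
# really depends on it.
set service upnp listen-on switch0 outbound-interface pppoe0

set system host-name a-Router
set system ipv6 neighbor base-reachable-time 30
set system ipv6 neighbor stale-time 60
set system ipv6 neighbor table-size 8192
# Admin account; the hash is a placeholder.
set system login user admin authentication encrypted-password 'xxxxxxxxxxxxxxxxxx.'
set system login user admin level admin
# Aliyun NTP, much more stable from this location.
set system ntp server time5.aliyun.com
# Hardware NAT offload on (ER-X), IPsec offload off.
set system offload hwnat enable
set system offload ipsec disable
set system syslog global facility all level notice
set system syslog global facility protocols level debug
# The NAS runs a syslog server. This is plain UDP syslog: unauthenticated and
# unencrypted, acceptable on the trusted LAN only.
set system syslog host 172.16.100.2 facility all level err
# Weekly automatic reboot: '0 4 * * 4' = 04:00 every Thursday. The trailing
# space inside the quoted path is carried over from the author's running
# config; presumably harmless, but worth trimming.
set system task-scheduler task reboottask crontab-spec '0 4 * * 4'
set system task-scheduler task reboottask executable path '/sbin/reboot '
set system time-zone Asia/Shanghai

# L2TP/IPsec remote-access VPN so the NAS can be reached from outside.
# NOTE(review): ipsec-interfaces is eth0 (the physical port) rather than
# pppoe0; it works for the author, confirm it on your own setup.
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec ipsec-interfaces interface eth0
# One local user plus one pre-shared secret shared by every client. Both are
# reachable from the whole Internet through WAN_LOCAL rules 10-40, so use long
# random values for each and rotate them if a client device is lost.
set vpn l2tp remote-access authentication local-users username vpn password xxxxxxxxx
set vpn l2tp remote-access authentication mode local
# VPN clients get LAN addresses, i.e. they are on-net with the NAS.
set vpn l2tp remote-access client-ip-pool start 172.16.100.101
set vpn l2tp remote-access client-ip-pool stop 172.16.100.110
set vpn l2tp remote-access dns-servers server-1 172.16.100.1
set vpn l2tp remote-access dns-servers server-2 223.5.5.5
set vpn l2tp remote-access idle 1800
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret xxxxxxxx
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn l2tp remote-access ipsec-settings lifetime 3600
# 0.0.0.0 = listen on whatever the current WAN address is (PPPoE is dynamic).
set vpn l2tp remote-access outside-address 0.0.0.0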

有些人会问,有些配置和别人的不一样,比如我这里没有设enable:
set interfaces ethernet eth0 pppoe 0 dhcpv6-pd rapid-commit disable
我这里的电信,DHCPv6-PD并没有提供rapid-commit 的功能,enable的话只会在log里多一行错误。

有些人的配置里会有这一行:

set interfaces ethernet eth0 pppoe 0 dhcpv6-pd pd 0 interface switch0 host-address ■■■■■■

实际上,它只是在接口上额外增加一个接口标识(后缀)为 ::1 的 IPv6 地址,没什么别的用处,不用它也能正常上网。

下面贴一些测试验证的信息,如果自己配置得不同,可以参考:

IPv6路由表,注意第一条是手工设置的静态路由。
----------------
show ipv6 route (total 10)- limit 500
----------------
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type 2, B - BGP
Timers: Uptime

IP Route Table for VRF "default"
S      ::/0 [1/0] via ::, pppoe0, 21:24:29
C      ::1/128 via ::, lo, 21:26:04
C      ■■■■■■■■■■■■■■■■■■■■■■ via ::, switch0, 21:24:34
C      fe80::/10 via ::, pppoe0, 21:25:30
C      ■■■■■■■■■ via ::, eth2, 21:26:04

DHCPv6 的PD正常,server没有分配地址,所以配置要用stateless
如果用了rapid-commit,这里会多一行错误
admin@a-Router:/var/log$ cat dhcp6c.log
Jun/14/2020 11:50:47: update_ia: status code for PD-0: success
Jun/14/2020 11:50:47: update_ia: status code for NA-0: no addresses

路由器能够正常获得IPv4和IPv6的DNS地址(只是我不用)
admin@a-Router:/etc$ cat resolv.conf
nameserver 202.96.134.33 # nameserver added by pppoe0
nameserver 202.96.128.86 # nameserver added by pppoe0
nameserver 240e:1f:1::1 # written by /opt/vyatta/share/perl5/Vyatta/DhcpPd.pm

从路由器ping6 www.qq.com
admin@aHua-Router:/$ ping6 www.qq.com
PING www.qq.com(240e:ff:f101:10::14d) 56 data bytes
■■ bytes from 240e:ff:f101:10::14d: icmp_seq=1 ttl=56 time=7.62 ms
■■ bytes from 240e:ff:f101:10::14d: icmp_seq=2 ttl=56 time=7.22 ms
■■ bytes from 240e:ff:f101:10::14d: icmp_seq=3 ttl=56 time=8.53 ms
■■ bytes from 240e:ff:f101:10::14d: icmp_seq=4 ttl=56 time=7.43 ms
■■ bytes from 240e:ff:f101:10::14d: icmp_seq=5 ttl=56 time=7.15 ms
■■ bytes from 240e:ff:f101:10::14d: icmp_seq=6 ttl=56 time=7.02 ms
■■ bytes from 240e:ff:f101:10::14d: icmp_seq=7 ttl=56 time=7.35 ms
■■ bytes from 240e:ff:f101:10::14d: icmp_seq=8 ttl=56 time=7.17 ms
■■ bytes from 240e:ff:f101:10::14d: icmp_seq=9 ttl=56 time=7.09 ms
^C
--- www.qq.com ping statistics ---
9 packets transmitted, 9 received, 0% packet loss, time 8010ms
rtt min/avg/max/mdev = 7.024/7.401/8.537/0.449 ms

从电脑ping6 www.qq.com
simon@Simon-MBP ~ % ping6 www.qq.com
PING6(56=40+8+8 bytes) 240e:xx:xxxx:xx00:xxxx:xxxx:xxxx:c659 --> 240e:ff:f101:10::14d
16 bytes from 240e:ff:f101:10::14d, icmp_seq=0 hlim=55 time=12.533 ms
16 bytes from 240e:ff:f101:10::14d, icmp_seq=1 hlim=55 time=12.345 ms
16 bytes from 240e:ff:f101:10::14d, icmp_seq=2 hlim=55 time=12.424 ms
16 bytes from 240e:ff:f101:10::14d, icmp_seq=3 hlim=55 time=12.270 ms
16 bytes from 240e:ff:f101:10::14d, icmp_seq=4 hlim=55 time=12.267 ms
16 bytes from 240e:ff:f101:10::14d, icmp_seq=5 hlim=55 time=12.793 ms
^C
--- public-v6.sparta.mig.tencent-cloud.■■■ ping6 statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 12.267/12.439/12.793/0.183 ms

从外网美帝ping inet6 到路由器,通的。
rviews@route-server.ip.att.■■■> ping inet6 240e:xx:xx:xx00:xxxx:xxxx:xxxx:c2ff
PING6(56=40+8+8 bytes) 2001:1890:111d:1::28 --> 240e:xx:xx:xx00:xxxx:xxxx:xxxx:c2ff
16 bytes from 240e:xx:xx:xx00:xxxx:xxxx:xxxx:c2ff , icmp_seq=0 hlim=49 time=285.839 ms
16 bytes from 240e:xx:xx:xx00:xxxx:xxxx:xxxx:c2ff , icmp_seq=1 hlim=49 time=284.388 ms
16 bytes from 240e:xx:xx:xx00:xxxx:xxxx:xxxx:c2ff icmp_seq=2 hlim=49 time=284.896 ms
16 bytes from 240e:xx:xx:xx00:xxxx:xxxx:xxxx:c2ff , icmp_seq=3 hlim=49 time=284.702 ms
16 bytes from 240e:xx:xx:xx00:xxxx:xxxx:xxxx:c2ff icmp_seq=4 hlim=49 time=284.784 ms
^C
--- 240e:xx:xx:xx00:xxxx:xxxx:xxxx:c2ff ping6 statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 284.388/284.922/285.839/0.489 ms

从外网美帝ping inet6 到电脑,也是通的。
rviews@route-server.ip.att.■■■> ping inet6 240e:xx:xxxx:xx00:xxxx:xxxx:xxxx:c659
PING6(56=40+8+8 bytes) 2001:1890:111d:1::28 --> 240e:fa:cfbe:bc00:eccd:2bdd:681c:c659
16 bytes from 240e:xx:xxxx:xx00:xxxx:xxxx:xxxx:c659, icmp_seq=0 hlim=50 time=301.210 ms
16 bytes from 240e:xx:xxxx:xx00:xxxx:xxxx:xxxx:c659, icmp_seq=1 hlim=50 time=300.390 ms
16 bytes from 240e:xx:xxxx:xx00:xxxx:xxxx:xxxx:c659, icmp_seq=2 hlim=50 time=371.505 ms
^C
--- 240e:xx:xxxx:xx00:xxxx:xxxx:xxxx:c659 ping6 statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 300.390/324.368/371.505/33.332 ms

如果有人问怎么连route-server.ip.att.■■■这个服务器,百度吧。此文本将被隐藏


感谢分享
#ICMPv6打开
rule 25 protocol ipv6-opts 这个是什么协议

rule 28 protocol icmpv6
rule 30 protocol ipv6-icmp
icmpv6 和 ipv6-icmp 是同一个协议,是不是有点重复了

移动宽带一般3天后会重新分配一个新的IPv6前缀,此时基于旧前缀分配的IPv6地址已无法使用,却仍保留在各客户端的网络接口上,导致客户端继续优先使用旧地址作为源地址。必须重启或禁用接口后才能去掉这些旧地址,这个问题如何解决?