Ubiquiti Edgerouter – Enabling the LAN with a routed /48 IPv6 prefix

In the last post we established an IPv6 tunnel end-point between our Ubiquiti Edgerouter and Hurricane Electric's free tunnel broker service. Now that connectivity has been established, we need to enable the LAN to support IPv6.

I took the option of enabling the additional /48 routed prefix. This allows the existing /64 to be used as a point-to-point link between Hurricane Electric and the Edgerouter, with the /48 being used for whatever I’d like on the local area network.

On my LAN side, ethernet port 1, I allocated one /64 prefix from my /48:

ethernet eth1 {
    address 10.11.12.254/24
    address 2001:470:X:1::1/64
}

Next was to configure the router advertisement protocol to correctly give the additional information required for autoconfiguration to work on the LAN:

 ipv6 {
     router-advert {
         link-mtu 1480
         prefix 2001:470:X:1::/64 {
         }
         send-advert true
     }
 }

Even though our LAN MTU is much higher at 1500, I modified it to 1480 to match what is configured on the tunnel.
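To confirm that what hosts actually receive matches the router-advert block above, the following added example (not part of the original post) parses an ICMPv6 Router Advertisement and reports any difference in the MTU option or the advertised prefix. The documentation prefix 2001:db8:0:1::/64 is an assumption standing in for the redacted 2001:470:X:1::/64, and the sample packets are constructed in the script.

```python
import ipaddress
import struct
# Assumption: 2001:db8:0:1::/64 stands in for the page's redacted 2001:470:X:1::/64.
EXPECTED_PREFIX = ipaddress.IPv6Network("2001:db8:0:1::/64")
EXPECTED_MTU = 1480  # link-mtu from the router-advert block

def build_ra(prefix, mtu, flags=0xC0):
    """Constructed sample RA (checksum left at zero); 0xC0 = on-link + autonomous."""
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
    mtu_opt = struct.pack("!BBHI", 5, 1, 0, mtu)
    pfx_opt = struct.pack("!BBBBIII", 3, 4, net.prefixlen, flags, 2592000, 604800, 0)
    return header + mtu_opt + pfx_opt + net.network_address.packed

def parse_ra(icmp):
    """Parse an ICMPv6 Router Advertisement (RFC 4861), starting at the type byte."""
    if len(icmp) < 16 or icmp[0] != 134:
        raise ValueError("not a Router Advertisement")
    ra = {"mtu": None, "prefixes": []}
    off = 16  # options follow the fixed 16-byte RA header
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp):
            raise ValueError("malformed option")
        body = icmp[off:off + opt_len]
        if opt_type == 5 and opt_len == 8:  # MTU option
            ra["mtu"] = struct.unpack_from("!I", body, 4)[0]
        elif opt_type == 3 and opt_len == 32:  # Prefix Information option
            net = ipaddress.IPv6Network((body[16:32], body[2]), strict=False)
            ra["prefixes"].append((net, bool(body[3] & 0x40)))  # 0x40 = A flag
        off += opt_len
    return ra

def audit_ra(icmp):
    """Return a list of findings; empty means the RA matches the configuration."""
    ra, findings = parse_ra(icmp), []
    if ra["mtu"] != EXPECTED_MTU:
        findings.append(f"MTU option is {ra['mtu']}, expected {EXPECTED_MTU}")
    for net, autonomous in ra["prefixes"]:
        if net != EXPECTED_PREFIX:
            findings.append(f"unexpected prefix {net}")
        elif not autonomous:
            findings.append("A flag clear, hosts will not autoconfigure")
    if all(net != EXPECTED_PREFIX for net, _ in ra["prefixes"]):
        findings.append(f"{EXPECTED_PREFIX} not advertised")
    return findings

if __name__ == "__main__":
    print(audit_ra(build_ra("2001:db8:bad::/64", 1500)))  # constructed mismatch
```

An empty list means the advertisement carries the configured /64 with the autonomous flag set and the 1480 MTU.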

I opened a command prompt on my Windows PC after committing those changes, and typed ipconfig /renew then ipconfig to see if my device had been allocated an IPv6 address:

Temporary IPv6 Address. . . . . . : 2001:470:X:1:b46e:eef2:55fc:b622

Perfect! My device is now correctly picking up IPv6 addressing. Can we ping an IPv6 website?

Pinging bbc.co.uk [2a04:4e42::81] with 32 bytes of data:
Reply from 2a04:4e42::81: time=21ms
Reply from 2a04:4e42::81: time=20ms
Reply from 2a04:4e42::81: time=21ms
Reply from 2a04:4e42::81: time=22ms

From the results of the ping above, it looks to be working perfectly fine.

We’ll need to secure the prefix now, since every address is now publicly accessible with no NAT to hide behind! The next post will demonstrate how that will be configured.

Hurricane Electric's IPv6 Tunnel Broker Service

According to their website, Hurricane Electric offer an IPv6 tunnel broker service.

An IPv6 tunnel broker service allows you to access IPv6 services over a normal IPv4 connection, with Hurricane Electric providing you the IPv6 part completely free.

The technical working behind the service is that the IPv6 traffic will be encapsulated inside the IPv4 traffic between Hurricane Electric and the internet router that it is set up on.

The internet provider I use (TalkTalk Retail) does not support IPv6 on their network, so instead of waiting for TalkTalk to enable it, perhaps Hurricane Electric's tunnel broker service is an option instead.

We begin by visiting the Hurricane Electric Tunnel Broker website at https://tunnelbroker.net/ and clicking Register, filling out the details required and verifying our e-mail address via the link sent to it.

After clicking we should be automatically logged in to the service. Let’s begin the setup process by clicking Create Regular Tunnel.

The first question on the page asks for the IPv4 endpoint address of the tunnel. This will more than likely be our home IP address, which is handily displayed directly below the text box. We can type that same IPv4 address into the box, and the page will then respond with whether it can be used as a potential end point or not.

The second question gives us a list of tunnel end-points to select. In my opinion, select the tunnel server closest geographically.

The final page gives a Tunnel Details confirmation, along with an assigned /64 prefix. If you’d like up to 65536 more networks, you can also ask for a /48 prefix!

One of the tabs below the header gives Example Configurations, including an example for the Ubiquiti Edgerouter 3 Lite I’ll be using to configure this service:

configure
edit interfaces tunnel tun0
set encapsulation sit
set local-ip 85.x.x.x
set remote-ip 216.66.88.98
set address 2001:470:x:3c6::2/64
set description "HE.NET IPv6 Tunnel"
exit
set protocols static interface-route6 ::/0 next-hop-interface tun0
commit

I made a couple of modifications to the above: I changed my local-ip from 85.x.x.x to 0.0.0.0, as my IP address is not statically assigned by TalkTalk but is dynamic. Looking in the Advanced tab on the Tunnel Details page, there do appear to be some options for automatic updating if your IP address changes, which can be looked into later.

Once committed, I tried pinging from my Edgerouter (important, as the LAN is not yet enabled for IPv6) to the opposite end of the tunnel, which looks to have worked. The Ubiquiti Edgerouter is now IPv6 enabled!

me@home:~$ ping6 2001:470:X:3c6::1
PING 2001:470:1f1c:3c6::1(2001:470:X:3c6::1) 56 data bytes
64 bytes from 2001:470:X:3c6::1: icmp_seq=1 ttl=64 time=18.7 ms
64 bytes from 2001:470:X:3c6::1: icmp_seq=2 ttl=64 time=18.7 ms
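The encapsulation described earlier in this post, shown as an added example (not from the original post or from Hurricane Electric): it checks that an IPv4 packet is protocol 41 from the configured remote-ip and returns the inner IPv6 addresses. The 20-byte outer header it reports is the difference between a 1500-byte MTU and the tunnel's 1480. All sample addresses other than 216.66.88.98 are constructed from documentation ranges.

```python
import ipaddress
import struct

TUNNEL_SERVER = ipaddress.ip_address("216.66.88.98")  # remote-ip from the example config

def build_6in4(outer_src, outer_dst, inner_src, inner_dst):
    """Constructed sample: an empty IPv6 packet inside an IPv4 header (checksum zero)."""
    inner = struct.pack("!IHBB", 6 << 28, 0, 59, 64)  # version 6, no payload, hop limit 64
    inner += ipaddress.ip_address(inner_src).packed + ipaddress.ip_address(inner_dst).packed
    outer = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(inner), 0, 0, 64, 41, 0)
    outer += ipaddress.ip_address(outer_src).packed + ipaddress.ip_address(outer_dst).packed
    return outer + inner

def decap_6in4(pkt):
    """Check an IPv4 packet is 6in4 from the tunnel server; return the inner addresses."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4 or (pkt[0] & 0x0F) < 5:
        raise ValueError("not a valid IPv4 packet")
    header_len = (pkt[0] & 0x0F) * 4
    if pkt[9] != 41:  # IPv4 protocol 41 = encapsulated IPv6
        raise ValueError(f"protocol {pkt[9]} is not 6in4")
    outer_src = ipaddress.ip_address(pkt[12:16])
    if outer_src != TUNNEL_SERVER:
        raise ValueError(f"protocol 41 from {outer_src}, not the configured remote-ip")
    inner = pkt[header_len:]
    if len(inner) < 40 or (inner[0] >> 4) != 6:
        raise ValueError("payload is not an IPv6 packet")
    return {
        "overhead": header_len,  # bytes the outer header takes from every packet
        "inner_src": ipaddress.ip_address(inner[8:24]),
        "inner_dst": ipaddress.ip_address(inner[24:40]),
    }

if __name__ == "__main__":
    # Constructed addresses: 192.0.2.10 as the router's WAN side, 2001:db8::/32 inside.
    pkt = build_6in4("216.66.88.98", "192.0.2.10", "2001:db8::1", "2001:db8:0:1::10")
    print(decap_6in4(pkt))
```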

Next up we need to enable our LAN to work using IPv6.

Load Balancing and Redundancy on the Ubiquiti Edgerouter

The Ubiquiti Edgerouter offers the capability to load balance traffic among different WAN interfaces. This can improve redundancy and overall throughput on your home or small business connection.

To get started you’ll need two WAN connections, ideally similar in capability; you can configure weighting to prefer one connection over the other. If you’re looking to simply have an automatic backup connection, you can also configure one of the load balanced connections to only become active as a fail-over.

In this example I am using an Edgerouter 3 Lite, running version v1.10.8 and two VDSL/FTTC connections.

Set up your individual WANs on each interface as you normally would, including the PPPoE interfaces under each physical interface:

ethernet eth0 {
    description "VDSL 1"
    duplex auto
    mtu 1500
    pppoe 0 {
        default-route auto
        mtu 1492
        name-server auto
        password xxxx
        user-id username@connectionone
    }
    speed auto
}

ethernet eth2 {
    description "VDSL 2"
    duplex auto
    mtu 1500
    pppoe 1 {
        default-route auto
        mtu 1492
        name-server auto
        password xxxx
        user-id username@connectiontwo
    }
    speed auto
}

Next, configure static routing for each. I do not get static IP addresses for each of my services, so I need to use a static interface-route:

protocols {
    static {
        interface-route 0.0.0.0/0 {
            next-hop-interface pppoe0 {
            }
            next-hop-interface pppoe1 {
                distance 200
            }
        }
    }
}

Remember to also create your NAT rules for both interfaces, pppoe0 and pppoe1.

If successful, you should now have two pppoe interfaces up and running:

x@edgerouter:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address       S/L  Description
---------    ----------       ---  -----------
eth0         -                u/u  VDSL
eth2         -                u/u  VDSL2
lo           127.0.0.1/8      u/u
             ::1/128
pppoe0       x.x.x.1          u/u
pppoe1       x.x.x.2          u/u

The next step is to create the load balancing group:

set load-balance group LB1 interface pppoe0 route-test initial-delay 60
set load-balance group LB1 interface pppoe0 route-test interval 10
set load-balance group LB1 interface pppoe0 route-test type ping target 8.8.4.4
set load-balance group LB1 interface pppoe1 route-test initial-delay 60
set load-balance group LB1 interface pppoe1 route-test interval 10
set load-balance group LB1 interface pppoe1 route-test type ping target 8.8.8.8
set load-balance group LB1 lb-local enable
set load-balance group LB1 lb-local-metric-change disable
set load-balance group LB1 sticky

The commands above create the group and add both of our PPPoE interfaces to the group.

It also creates test methods to ensure that both connections are online by occasionally pinging 8.8.8.8 and 8.8.4.4. If the destinations can’t be reached, the load balance member will be removed from the group.

Next up we create our firewall rules to determine which traffic gets load balanced:

set firewall group network-group lan-subnets network 192.168.0.0/16
set firewall group network-group lan-subnets network 172.16.0.0/12
set firewall group network-group lan-subnets network 10.0.0.0/8

set firewall modify LBRules rule 10 action modify
set firewall modify LBRules rule 10 destination group network-group lan-subnets
set firewall modify LBRules rule 10 modify table main

set firewall modify LBRules rule 20 action modify
set firewall modify LBRules rule 20 destination group address-group ADDRv4_eth0
set firewall modify LBRules rule 20 modify table main

set firewall modify LBRules rule 30 action modify
set firewall modify LBRules rule 30 destination group address-group ADDRv4_eth1
set firewall modify LBRules rule 30 modify table main

set firewall modify LBRules rule 110 action modify
set firewall modify LBRules rule 110 modify lb-group LB1

The first set of 3 rules defines the LAN subnets that we don’t need to balance across our WAN load balancers. These are all internal traffic so there is no need for it to be sent to our load balancing group.

Rule 10 and Rule 20 prevent the WAN IPs being load balanced. Rule 110 is the final rule: it processes everything else and sends that traffic to the load balancers.

Now that we have our load balancer set up, we need to apply it to incoming traffic on our LAN interface:

set interfaces ethernet eth1 firewall in modify LBRules

Commit your changes and that is it! You can verify the load balancer is working by running show load-balance status:

x@edgerouter:~$ show load-balance status
Group LB1
    interface   : pppoe0
    carrier     : up
    status      : active
    gateway     : pppoe0
    route table : 201
    weight      : 50%
    flows
        WAN Out   : 1141
        WAN In    : 3
        Local Out : 2

    interface   : pppoe1
    carrier     : up
    status      : active
    gateway     : pppoe1
    route table : 202
    weight      : 50%
    flows
        WAN Out   : 1123
        WAN In    : 0
        Local Out : 3
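Since a member that fails its route-test is removed from the group, it is worth checking this output automatically. The following added example (not part of the original post) parses show load-balance status text and lists any member that is not up and active. The first sample is an abridged copy of the output above; the second is constructed, and its "inactive" status value is an assumption about what a failed member reports.

```python
# Abridged from the output shown above.
SAMPLE_OK = """\
Group LB1
    interface   : pppoe0
    carrier     : up
    status      : active
    weight      : 50%
    flows
        WAN Out   : 1141
    interface   : pppoe1
    carrier     : up
    status      : active
    weight      : 50%
    flows
        WAN Out   : 1123
"""
# Constructed variant: only the last "active" (pppoe1's status) becomes "inactive".
SAMPLE_DEGRADED = "inactive".join(SAMPLE_OK.rsplit("active", 1))

def parse_lb_status(text):
    """Parse the status text into {group: {interface: {field: value}}}."""
    groups, group, member = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Group "):
            group, member = groups.setdefault(line.split()[1], {}), None
        elif group is not None and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            if key == "interface":
                member = group.setdefault(value, {})  # start of a new member
            elif member is not None:
                member[key] = value
    return groups

def degraded_members(text):
    """Return (group, interface, carrier, status) for members not up and active."""
    return [
        (gname, iface, f.get("carrier"), f.get("status"))
        for gname, members in parse_lb_status(text).items()
        for iface, f in members.items()
        if f.get("carrier") != "up" or f.get("status") != "active"
    ]

if __name__ == "__main__":
    print(degraded_members(SAMPLE_OK), degraded_members(SAMPLE_DEGRADED))
```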