Ubiquiti Edgerouter X IPv6 6RD configuration

My ISP has IPv6 6RD support, but I had some trouble finding the right configuration for my Edgerouter X. After some search work and trial and error I came up with a working solution, which I'm glad to share.

Select 'IPv4 to IPv6 Transitional' and continue to the following sections:
'Provider prefix IPv6': Enter the IPv6 prefix of your ISP.
'Customer IPv4': Enter your WAN IPv4 address using 32 bits.
'IPv6 Customer Prefix': This will be calculated using the 'ISP -> Customer' button below the input fields. Make sure you use a '/64'!
  • Next we create the tunnel interface. The best way to do this is by logging in to your Edgerouter X using SSH.
    Be aware that text between /* and */ is a comment; do not copy/paste it!
  • We start configuring the router with the 'configure' command. Keep in mind to enter these settings on separate lines one by one! Do not copy/paste the entire section at once, this will end up in a failed setup.

Tunnel Setup:

set interfaces tunnel tun0 address '2a02:58:ac:b600::/56' /* Use your own calculated 'IPv6 Customer Prefix' from the first step */
set interfaces tunnel tun0 description 'IPv6 6RD Tunnel'
set interfaces tunnel tun0 encapsulation sit
set interfaces tunnel tun0 local-ip xxx.xxx.xxx.xxx /* Use your IPv4 WAN address */
set interfaces tunnel tun0 multicast disable
set interfaces tunnel tun0 remote-ip xxx.xxx.xxx.xxx /* Use the remote IPv4 tunnel address of your ISP */
set interfaces tunnel tun0 ttl 255
set protocols static interface-route6 '::/0' next-hop-interface tun0

commit

save
  • To confirm that the tunnel is correctly set up you can use the following command: 'ping6 ipv6.google.com'. If you get IPv6 replies you can continue with the setup.
  • When configuring the local network we use a /64 network segment instead of the /56 I calculated. In my case eth0 is the WAN port and eth1 to eth4 are combined under the switch0 interface. Depending on your configuration or the wizard you followed during setup of the Edgerouter you might have to replace 'switch switch0' by 'ethernet ethX', where ethX is your LAN port.

Ethernet Setup:

set interfaces switch switch0 address '2a02:58:ac:b600::/64' /* Use your own calculated 'IPv6 Customer Prefix' from the first step and replace the /56 by a /64 */
set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1
set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64
set interfaces switch switch0 ipv6 router-advert link-mtu 1480
set interfaces switch switch0 ipv6 router-advert managed-flag false
set interfaces switch switch0 ipv6 router-advert max-interval 300
set interfaces switch switch0 ipv6 router-advert other-config-flag false
set interfaces switch switch0 ipv6 router-advert prefix '2a02:58:ac:b600::/64' autonomous-flag true /* Use your own calculated 'IPv6 Customer Prefix' from the first step and replace the /56 by a /64 */
set interfaces switch switch0 ipv6 router-advert prefix '2a02:58:ac:b600::/64' on-link-flag true /* Use your own calculated 'IPv6 Customer Prefix' from the first step and replace the /56 by a /64 */
set interfaces switch switch0 ipv6 router-advert prefix '2a02:58:ac:b600::/64' valid-lifetime 2592000 /* Use your own calculated 'IPv6 Customer Prefix' from the first step and replace the /56 by a /64 */
set interfaces switch switch0 ipv6 router-advert radvd-options 'RDNSS 2a02:58:2:1:53::1 2a02:58:2:1:53::2 {};'
set interfaces switch switch0 ipv6 router-advert reachable-time 0
set interfaces switch switch0 ipv6 router-advert retrans-timer 0
set interfaces switch switch0 ipv6 router-advert send-advert true

commit

save
  • The last step is to configure the firewall to allow IPv6 traffic. In this example I allow ICMPv6, but you can configure that to your own preference of course.

Firewall Setup:

set firewall ipv6-name Internet-To-LAN default-action drop
set firewall ipv6-name Internet-To-LAN description 'Internet to LAN'
set firewall ipv6-name Internet-To-LAN rule 1 action accept
set firewall ipv6-name Internet-To-LAN rule 1 description 'Allow Incoming IPv6 established or related connections'
set firewall ipv6-name Internet-To-LAN rule 1 state established enable
set firewall ipv6-name Internet-To-LAN rule 1 state related enable
set firewall ipv6-name Internet-To-LAN rule 2 action drop
set firewall ipv6-name Internet-To-LAN rule 2 state invalid enable
set firewall ipv6-name Internet-To-LAN rule 3 action accept
set firewall ipv6-name Internet-To-LAN rule 3 description "Allow ICMPv6 packets"
set firewall ipv6-name Internet-To-LAN rule 3 protocol icmpv6

set firewall ipv6-name LAN-To-Internet default-action accept
set firewall ipv6-name LAN-To-Internet description 'LAN to Internet'
set firewall ipv6-name LAN-To-Internet rule 1 action accept
set firewall ipv6-name LAN-To-Internet rule 1 state established enable
set firewall ipv6-name LAN-To-Internet rule 1 state related enable
set firewall ipv6-name LAN-To-Internet rule 2 action drop
set firewall ipv6-name LAN-To-Internet rule 2 state invalid enable
set firewall ipv6-name LAN-To-Internet rule 3 action accept
set firewall ipv6-name LAN-To-Internet rule 3 description "Allow ICMPv6 packets"
set firewall ipv6-name LAN-To-Internet rule 3 protocol icmpv6

set interfaces switch switch0 firewall in ipv6-name LAN-To-Internet

set interfaces tunnel tun0 firewall in ipv6-name Internet-To-LAN

commit

save
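
A check of which directions the rulesets above are bound to, as an added example that is not part of the original post. It assumes the EdgeOS semantics in which 'in' filters traffic forwarded through the router and 'local' filters traffic addressed to the router itself, so a WAN-side interface without a 'local' ruleset leaves the router's own IPv6 addresses unfiltered; the sample text and the function names are constructed here.

```python
import re

# Constructed sample: bindings and default actions from the Firewall Setup
# section, with one inline /* ... */ comment of the kind the page uses.
SAMPLE = """\
set firewall ipv6-name Internet-To-LAN default-action drop
set firewall ipv6-name LAN-To-Internet default-action accept
set interfaces switch switch0 firewall in ipv6-name LAN-To-Internet
set interfaces tunnel tun0 firewall in ipv6-name Internet-To-LAN /* WAN side */
"""

COMMENT = re.compile(r"/\*.*?\*/")
DEFAULT = re.compile(r"^set firewall ipv6-name (\S+) default-action (\S+)$")
BINDING = re.compile(
    r"^set interfaces \S+ (\S+) firewall (in|out|local) ipv6-name (\S+)$")

def clean(text):
    """Drop /* ... */ comments and blank lines, one command per entry."""
    lines = (COMMENT.sub("", line).strip() for line in text.splitlines())
    return [line for line in lines if line]

def audit(text, wan_if="tun0"):
    """Return findings for the IPv6 rulesets bound to the WAN-side interface."""
    defaults, bound = {}, {}
    for line in clean(text):
        if m := DEFAULT.match(line):
            defaults[m.group(1)] = m.group(2).strip("'\"")
        elif m := BINDING.match(line):
            bound.setdefault(m.group(1), {})[m.group(2)] = m.group(3).strip("'\"")
    findings = []
    wan = bound.get(wan_if, {})
    for direction in ("in", "local"):
        name = wan.get(direction)
        if name is None:
            findings.append(f"{wan_if}: no '{direction}' ipv6-name ruleset bound")
        elif name not in defaults:
            findings.append(f"{wan_if} {direction}: ruleset {name} has no default-action")
        elif defaults[name] != "drop":
            findings.append(f"{wan_if} {direction}: {name} default-action is {defaults[name]}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```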

 

Final note: When your IPv4 WAN address changes, your IPv6 6RD tunnel will no longer function correctly. To fix this you need to re-calculate your 'IPv6 Customer Prefix' and alter your settings accordingly. Any questions? Feel free to comment, good luck!
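
The re-calculation described in the final note, as an added example that is not part of the original post: it derives the 6RD delegated prefix from the provider prefix and the WAN IPv4 address following RFC 5969, and lists the 'set' lines from this page whose values depend on that address. The function names are constructed here, and the inputs are documentation ranges rather than a real ISP's values.

```python
import ipaddress

def sixrd_delegated_prefix(provider_prefix, wan_ipv4, ipv4_mask_len=0):
    """6RD delegated prefix (RFC 5969): provider prefix + embedded IPv4 bits.

    ipv4_mask_len is how many leading IPv4 bits the ISP leaves out; 0 embeds
    all 32 bits, matching the 'using 32 bits' step on this page.
    """
    if not 0 <= ipv4_mask_len <= 32:
        raise ValueError("ipv4_mask_len must be between 0 and 32")
    net = ipaddress.IPv6Network(provider_prefix)
    v4_bits = 32 - ipv4_mask_len
    length = net.prefixlen + v4_bits
    if length > 64:
        raise ValueError(f"/{length} leaves no room for a /64 LAN subnet")
    suffix = int(ipaddress.IPv4Address(wan_ipv4)) & ((1 << v4_bits) - 1)
    base = int(net.network_address) | (suffix << (128 - length))
    return ipaddress.IPv6Network((base, length))

def lan_subnet(delegated):
    """First /64 inside the delegated prefix, used for the LAN interface."""
    return ipaddress.IPv6Network((int(delegated.network_address), 64))

def address_dependent_commands(provider_prefix, wan_ipv4, ipv4_mask_len=0):
    """The page's 'set' lines whose values change with the WAN IPv4 address."""
    delegated = sixrd_delegated_prefix(provider_prefix, wan_ipv4, ipv4_mask_len)
    lan = lan_subnet(delegated)
    ra = f"set interfaces switch switch0 ipv6 router-advert prefix '{lan}'"
    return [
        f"set interfaces tunnel tun0 address '{delegated}'",
        f"set interfaces tunnel tun0 local-ip {wan_ipv4}",
        f"set interfaces switch switch0 address '{lan}'",
        f"{ra} autonomous-flag true",
        f"{ra} on-link-flag true",
        f"{ra} valid-lifetime 2592000",
    ]

if __name__ == "__main__":
    # Constructed inputs: documentation ranges, not a real ISP's values.
    for line in address_dependent_commands("2001:db8::/32", "198.51.100.37", 8):
        print(line)
```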