Hello,
Je voulais vous transmettre ma configuration suite à l'achat d'un ERPoe-5 avec internet et ipv6 sans livebox.
Je n'ai pas testé la télé ni le SIP que je n'utilise pas, mais j'ai laissé les paramètres dans ma configuration si jamais un jour je voulais les utiliser. Normalement, cela devrait être fonctionnel sans livebox. La TV devrait fonctionner sur ETH0 avec le décodeur normalement.
L'ONT est sur ETH1
ETH2, ETH3 et ETH4 sont en mode switch (sur switch0) avec sur ETH2 un Raspberry Pi, sur ETH3 un NAS et sur ETH4 une borne Wi-Fi.
Le fichier vyatta-interfaces.pl est patché avec l'option 90 et j'ai installé le dhclient3 modifié de zoc ainsi que les packages dibbler (client et server) pour l'ipv6 de Je@nb.
Fichier de config:
/* EdgeOS config.boot as posted; xx / xxxxx values are redacted by the author. */
/* Review notes are added as comments only; no node below is changed. */
firewall {
all-ping enable
broadcast-ping disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
/* WAN_IN: established/related pass (rule 1), invalid is dropped (rule 2), everything else hits default-action drop and is logged. */
/* port-forward auto-firewall adds the accept entries for the two NAS forwards to this set. */
name WAN_IN {
default-action drop
description "packets from Internet to LAN"
enable-default-log
rule 1 {
action accept
description "allow established sessions"
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
rule 2 {
action drop
description "drop invalid state"
log disable
protocol all
state {
established disable
invalid enable
new disable
related disable
}
}
}
/* WAN_LOCAL has no enable-default-log (unlike WAN_IN): unsolicited packets to the router itself are dropped silently. */
name WAN_LOCAL {
default-action drop
description "packets from Internet to the router"
rule 1 {
action accept
description "allow established session to the router"
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
rule 2 {
action drop
description "drop invalid state"
log disable
protocol all
state {
established disable
invalid enable
new disable
related disable
}
}
}
receive-redirects disable
/* The router emits ICMP redirects, on the WAN VLAN as well as the LAN. */
send-redirects enable
/* Reverse-path filtering is off: packets with a spoofed source are not dropped on ingress, log-martians only logs them. */
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address 192.168.0.1/24
description LAN1
duplex auto
speed auto
}
ethernet eth1 {
description Internet_ONT
duplex auto
speed auto
vif 832 {
address dhcp
description "Internet Orange DHCP"
/* The client-option values are the subscriber line credentials (client identifier, rfc3118-auth): fill in from your own line and keep this file private. */
dhcp-options {
client-option "send vendor-class-identifier "sagem";"
client-option "send dhcp-client-identifier 1:40:xx:xx:xx:xx:xx;"
client-option "send user-class "+FSVDSL_livebox.Internet.softathome.Livebox3";"
client-option "send rfc3118-auth 00:00:00:00:00:00:00:00:00:00:00:66:xx:xx:xx:xx:xx:xx:xx:xx;"
client-option "request dhcp-lease-time, dhcp-renewal-time, dhcp-rebinding-time, domain-search, rfc3118-auth, SIP;"
default-route update
default-route-distance 210
name-server update
}
egress-qos "0:0 1:1 2:2 3:3 4:4 5:5 6:6 7:7"
/* Only this VLAN carries WAN_IN / WAN_LOCAL; vif 838 and vif 840 below have no firewall bound, so traffic arriving on them is unfiltered (838 is only masqueraded by nat rule 5011). */
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
}
vif 838 {
address dhcp
description "TV - VOD"
dhcp-options {
client-option "send vendor-class-identifier "sagem";"
client-option "send dhcp-client-identifier 1:40:xx:xx:xx:xx:xx;"
client-option "send user-class "\047FSVDSL_livebox.MLTV.softathome.Livebox3";"
client-option "request subnet-mask, rfc3442-classless-static-routes;"
default-route update
default-route-distance 210
name-server update
}
egress-qos "0:4 1:4 2:4 3:4 4:4 5:4 6:4 7:4"
}
vif 840 {
address 192.168.255.254/24
description "VLAN TV Canal 1 - Zap"
egress-qos "0:5 1:5 2:5 3:5 4:5 5:5 6:5 7:5"
}
}
ethernet eth2 {
duplex auto
poe {
output off
}
speed auto
}
ethernet eth3 {
duplex auto
poe {
output off
}
speed auto
}
ethernet eth4 {
duplex auto
poe {
output off
}
speed auto
}
loopback lo {
}
/* switch0 bundles eth2-eth4 and holds the LAN address; vif 832 is the Voip segment served by the Livebox dhcp-server network below. */
switch switch0 {
address 10.0.1.1/24
description LAN
mtu 1500
switch-port {
interface eth2 {
}
interface eth3 {
}
interface eth4 {
}
vlan-aware disable
}
vif 832 {
address 192.168.2.254/24
description Voip
mtu 1500
}
}
}
/* Both rules expose the NAS at 10.0.1.150 on the Internet VLAN; rule 2 publishes its SSH service. original-port values are redacted by the author. */
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface switch0
rule 1 {
description "Diskstation admin"
forward-to {
address 10.0.1.150
port 5001
}
original-port xxxxx
protocol tcp_udp
}
rule 2 {
description "Diskstation ssh"
forward-to {
address 10.0.1.150
port 22
}
original-port xx
protocol tcp_udp
}
wan-interface eth1.832
}
protocols {
igmp-proxy {
disable-quickleave
interface eth0 {
alt-subnet 0.0.0.0/0
role downstream
threshold 1
}
interface eth1.840 {
alt-subnet 0.0.0.0/0
role upstream
threshold 1
}
interface eth2 {
role disabled
threshold 1
}
}
}
service {
/* global-parameters declare option codes 90 (rfc3118-auth) and 120 (SIP) so the Livebox network can hand the Orange values to devices on the Voip VLAN (switch0.832, 192.168.2.0/24). */
dhcp-server {
disabled false
global-parameters "option rfc3118-auth code 90 = string;"
global-parameters "option SIP code 120 = string;"
hostfile-update disable
shared-network-name DHCP-SWITCH0 {
authoritative disable
subnet 10.0.1.0/24 {
default-router 10.0.1.1
dns-server 10.0.1.1
dns-server 8.8.8.8
dns-server 8.8.4.4
lease 86400
start 10.0.1.100 {
stop 10.0.1.254
}
static-mapping DiskStation {
ip-address 10.0.1.150
mac-address 00:11:32:02:c9:59
}
}
}
shared-network-name LOCAL_NETWORK {
authoritative enable
subnet 192.168.0.0/24 {
default-router 192.168.0.1
dns-server 192.168.0.1
lease 86400
start 192.168.0.100 {
stop 192.168.0.200
}
}
}
/* The subnet-parameters here carry the line authentication string in hex (option 90): treat it like a password. */
shared-network-name Livebox {
authoritative enable
subnet 192.168.2.0/24 {
default-router 192.168.2.254
dns-server 80.10.246.136
dns-server 81.253.149.6
lease 86400
start 192.168.2.21 {
stop 192.168.2.200
}
static-mapping Livebox {
ip-address 192.168.2.1
mac-address 40:C7:29:40:19:F8
}
subnet-parameters "option rfc3118-auth 00:00:00:00:00:00:00:00:00:00:00:64:68:63:70:6c:69:76:65:62:6f:78:66:72:32:35:30;"
subnet-parameters "option SIP 0:6:73:62:63:74:33:67:3:50:55:54:6:61:63:63:65:73:73:11:6f:72:61:6e:67:65:2d:6d:75:6c:74:69:6d:65:64:69:61:3:6e:65:74:0;"
}
}
use-dnsmasq disable
}
/* NOTE(review): listen-on eth2 names a switch0 member port that has no address of its own, while switch0 clients are handed dns-server 10.0.1.1; confirm whether this should read listen-on switch0. */
dns {
forwarding {
cache-size 1000
listen-on eth2
listen-on eth0
name-server 8.8.8.8
name-server 8.8.4.4
}
}
/* Web UI is served on plain HTTP (80) as well as HTTPS; older-ciphers enable re-allows legacy TLS cipher suites on 443. */
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 5010 {
description "Masquerading outgoing connections"
log disable
outbound-interface eth1.832
protocol all
type masquerade
}
rule 5011 {
description "Masquerading TV"
log disable
outbound-interface eth1.838
protocol all
type masquerade
}
}
/* allow-root permits direct root login over SSH. WAN_LOCAL drops new sessions from the Internet VLAN, so this is reachable from the LAN side only; a non-root admin account is the safer choice. */
ssh {
allow-root
port 22
protocol-version v2
}
/* Two UPnP services (upnp and upnp2) front the same WAN VLAN; in upnp2, secure-mode disable lets a LAN client request mappings for hosts other than itself. */
upnp {
listen-on switch0 {
outbound-interface eth1.832
}
}
upnp2 {
listen-on eth0
listen-on switch0
nat-pmp enable
secure-mode disable
wan eth1.832
}
}
system {
config-management {
commit-revisions 5
}
conntrack {
expect-table-size 4096
hash-size 4096
table-size 32768
tcp {
half-open-connections 512
loose disable
max-retrans 3
}
}
domain-name ubiquiti
host-name ubiquiti
login {
}
name-server 8.8.8.8
name-server 8.8.4.4
name-server 2001:4860:4860::8888
name-server 2001:4860:4860::8844
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
offload {
hwnat disable
ipsec enable
ipv4 {
forwarding enable
pppoe enable
vlan enable
}
ipv6 {
forwarding enable
}
}
/* apt sources over plain http for Debian wheezy; apt still verifies the release signature, but wheezy itself is end-of-life. */
package {
repository wheezy {
components "main contrib non-free"
distribution wheezy
password ""
url http://http.us.debian.org/debian
username ""
}
repository wheezy-security {
components main
distribution wheezy/updates
password ""
url http://security.debian.org
username ""
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level warning
}
}
}
time-zone Europe/Paris
traffic-analysis {
dpi disable
export disable
}
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.1.4939093.161214.0705 */
Pour l'IPv6, ça a été un peu plus compliqué. J'ai modifié le fichier radvd.sh pour y ajouter mes propres préfixes.
Bizarrement, la variable PREFIX1 ne me renvoie pas le préfixe IPv6 en entier, ce qui faisait que je me retrouvais avec des IPv6 invalides :
Mon prefixe ipv6 2a01:xxxx:4ce::/56
Le script ci-dessous me renvoyait le préfixe : 2a01:xxxx:4
Pourtant dibbler me retournait bien le préfixe complet !
dibbler-client run
Du coup, je me retrouvais avec des préfixes 2a01:xxxx:410 et 2a01:xxxx:4a0 qui ne redirigeaient sur rien.
C'est pour ça que dans le script vous verrez des "ce" après chaque ${PREFIX1:0:taille}
Autre bizarrerie, tous mes appareils fonctionnaient bien en IPv6 sauf les téléphones sous Android, où je me retrouvais avec de grosses latences (mais aucun problème de débit). Les téléphones Android n'arrivaient pas à pinguer le serveur DNS local (2a01:xxxx:4ce:a0::1) alors que les autres appareils y arrivaient sans souci.
Pour remédier à ça, j'ai ajouté les serveurs DNS IPv6 de Google dans la section RDNSS et le tour était joué.
# On Android, in a terminal app: list the configured DNS servers and their priorities
getprop | grep net.dns
Les sections LAN2 pourraient être enlevées chez moi vu que je n'ai rien sur le switch0.832 qui sert à la VoIP.
Je me roderai un peu plus sur les réglages afin de configurer plus finement les sous-réseaux IPv6, mais pour le moment, ça fait le boulot, et les IPs sont accessibles depuis l'extérieur (sauf pour mon NAS quand l'IPv6 est configurée manuellement...)
radvd.sh
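#!/bin/bash
# dibbler-client hook ("script" in /etc/dibbler/client.conf). dibbler calls it
# with the delegated prefix in PREFIX1; the script then:
#   1. renders /etc/radvd.conf for the two LAN segments,
#   2. renders /etc/dibbler/server.conf (DNS + prefix sub-delegation),
#   3. rotates the previous teardown helper and writes fresh
#      /etc/ip6conf.sh (setup) and /etc/ip6deconf-new.sh (teardown),
#   4. runs the setup and restarts radvd and dibbler-server.
# Runs as root, rewrites files under /etc and appends service output to
# /var/log/radvd.log. The ip(8) calls are not idempotent: re-adding an
# existing route or address only prints an error and execution continues.
LAN0=switch0       # main LAN: SLAAC (AdvManagedFlag off, AdvAutonomous on)
LAN2=switch0.832   # Voip VLAN: DHCPv6-managed (AdvManagedFlag on, AdvAutonomous off)
WAN=eth1.832       # Internet VLAN toward the ONT

# Without PREFIX1 every ${PREFIX1:0:taille} below expands to nothing and the
# generated files would install routes and addresses for a bare "ce:a0::".
if [ -z "${PREFIX1:-}" ]; then
    echo "$0: PREFIX1 is not set (expected from dibbler-client)" >&2
    exit 1
fi

# Author's workaround (see the post): the last 4 characters of PREFIX1 are cut
# off and a literal "ce" is re-appended in front of each subnet id, e.g.
# PREFIX1=2a01:xxxx:4ce:: -> ${PREFIX1:0:taille}=2a01:xxxx:4 -> 2a01:xxxx:4ce:a0::/64
# NOTE(review): this hard-wires the "ce" nibbles of one particular delegation;
# re-check it if the delegated prefix ever changes.
taille=${#PREFIX1}
taille=$((taille-4))

# radvd: LAN0 advertises a SLAAC prefix; LAN2 advertises on-link only and sends
# hosts to DHCPv6 (dibbler-server below). Google's resolvers come first in
# RDNSS because, per the post, Android phones could not reach the local
# resolver ...ce:a0::1 over IPv6.
cat > /etc/radvd.conf << EOF
interface ${LAN0}
{
AdvSendAdvert on;
AdvManagedFlag off;
AdvOtherConfigFlag on;
prefix ${PREFIX1:0:taille}ce:a0::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvPreferredLifetime 86400;
AdvValidLifetime 86400;
};
RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 ${PREFIX1:0:taille}ce:a0::1
{
AdvRDNSSLifetime 1200;
};
};
interface ${LAN2}
{
AdvSendAdvert on;
AdvManagedFlag on;
AdvOtherConfigFlag on;
prefix ${PREFIX1:0:taille}ce:10::/64
{
AdvOnLink on;
AdvAutonomous off;
AdvPreferredLifetime 86400;
AdvValidLifetime 86400;
};
RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 ${PREFIX1:0:taille}ce:10::1
{
AdvRDNSSLifetime 1200;
};
};
EOF

# dibbler-server: hands out DNS and sub-delegates /60s out of each segment's
# /58 pool. The "option 11 duid" value is the same rfc3118-auth string the
# IPv4 dhcp-server gives the Livebox subnet: keep this file private. The LAN2
# pool (ce:c0::/58) is distinct from its on-link prefix (ce:10::/64); the /60
# routed via the LAN2 peer in ip6conf.sh below comes out of that pool.
cat > /etc/dibbler/server.conf << EOF
log-level 7
log-mode full
iface "${LAN0}" {
T1 43200
T2 69120
option dns-server 2001:4860:4860::8888
prefered-lifetime 86400
valid-lifetime 86400
# option 11 duid 00:00:00:00:00:00:00:00:00:00:00:64:68:63:70:6c:69:76:65:62:6f:78:66:72:32:35:30
pd-class {
pd-pool ${PREFIX1:0:taille}ce:a0::/58
pd-length 60
}
}
iface "${LAN2}" {
T1 43200
T2 69120
option dns-server 2001:4860:4860::8888
prefered-lifetime 86400
valid-lifetime 86400
option 11 duid 00:00:00:00:00:00:00:00:00:00:00:64:68:63:70:6c:69:76:65:62:6f:78:66:72:32:35:30
option dns-server ${PREFIX1:0:taille}ce:c0::1
pd-class {
pd-pool ${PREFIX1:0:taille}ce:c0::/58
pd-length 60
}
}
EOF

# Keep the teardown helper of the previous run so the addressing installed
# last time is removed before the new one is applied. On the very first run
# there is nothing to rotate yet.
if [ -f /etc/ip6deconf-new.sh ]; then
    mv /etc/ip6deconf-new.sh /etc/ip6deconf-old.sh
fi

# Setup helper. fe80::ba0:bab is the upstream gateway link-local on the WAN
# VLAN; fe80::xxxx:... (redacted by the author) is presumably the LAN2 device
# that receives the ce:c0::/60 sub-delegation. The old teardown is only run
# when it exists (first run).
cat > /etc/ip6conf.sh << EOF
#!/bin/sh
[ -x /etc/ip6deconf-old.sh ] && /etc/ip6deconf-old.sh
ip -6 route add fe80::ba0:bab dev ${WAN}
ip -6 route add default via fe80::ba0:bab dev ${WAN}
ip -6 route add ${PREFIX1:0:taille}ce:a0::/64 dev ${LAN0}
ip -6 addr add ${PREFIX1:0:taille}ce:a0::1/64 dev ${LAN0}
ip -6 route add ${PREFIX1:0:taille}ce:10::/64 dev ${LAN2}
ip -6 route add fe80::xxxx:xxxx:xxxx:xxxx dev ${LAN2}
ip -6 route add ${PREFIX1:0:taille}ce:c0::/60 via fe80::xxxx:xxxx:xxxx:xxxx dev ${LAN2}
ip -6 addr add ${PREFIX1:0:taille}ce:10::1/64 dev ${LAN2}
service radvd restart >> /var/log/radvd.log
EOF

# Teardown helper: must mirror the setup above line for line. The LAN0 lines
# remove ce:a0::/64 and ce:a0::1/64, i.e. exactly what the setup adds on
# LAN0 (deleting ce:10::* on LAN0 would hit nothing and leave the ce:a0
# route and address behind on every re-run).
# NOTE(review): the first flush targets "...10::" without the "ce:" segment
# used everywhere else; left as posted, confirm the intended prefix.
cat > /etc/ip6deconf-new.sh << EOF
#!/bin/sh
ip -6 route flush ${PREFIX1:0:taille}10::
ip -6 route flush default
ip -6 route del fe80::ba0:bab dev ${WAN}
ip -6 route del default via fe80::ba0:bab dev ${WAN}
ip -6 route del ${PREFIX1:0:taille}ce:a0::/64 dev ${LAN0}
ip -6 addr del ${PREFIX1:0:taille}ce:a0::1/64 dev ${LAN0}
ip -6 route del ${PREFIX1:0:taille}ce:10::/64 dev ${LAN2}
ip -6 route del fe80::xxxx:xxxx:xxxx:xxxx dev ${LAN2}
ip -6 route del ${PREFIX1:0:taille}ce:c0::/60 via fe80::xxxx:xxxx:xxxx:xxxx dev ${LAN2}
ip -6 addr del ${PREFIX1:0:taille}ce:10::1/64 dev ${LAN2}
EOF

chmod +x /etc/ip6conf.sh
chmod +x /etc/ip6deconf-new.sh
/etc/ip6conf.sh
# dibbler-server has no reload; stop/start picks up the regenerated server.conf.
dibbler-server stop >> /var/log/radvd.log
dibbler-server start >> /var/log/radvd.log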
Aucune modification sur ce fichier, c'est le même que b416
dibbler/client.conf
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# 8 (Debug) is most verbose. 7 (Info) is usually the best option
log-level 7
# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless
# dibbler does not apply the delegated prefix to any interface itself;
# the hook script below does that with ip(8) and radvd.
downlink-prefix-ifaces "none"
# Hook run after a reply; it receives the delegated prefix as PREFIX1.
script "/etc/dibbler/radvd.sh"
# Internet VLAN toward the ONT (same VLAN as the IPv4 DHCP client).
iface "eth1.832" {
# Request prefix delegation only (no IA_NA address on the WAN VLAN).
pd
# Option 16 (vendor class, "sagem") and option 15 (user class,
# FSVDSL_livebox...) mirror the IPv4 dhcp-options sent on eth1.832.
option 16 hex 00:00:04:0e:00:05:73:61:67:65:6d
option 15 hex 00:2b:46:53:56:44:53:4c:5f:6c:69:76:65:62:6f:78:2e:49:6e:74:65:72:6e:65:74:2e:73:6f:66:74:61:74:68:6f:6d:65:2e:6c:69:76:65:62:6f:78:33
# Option 11 (authentication) carries the subscriber's line credential; the
# xxxxxxxx bytes are redacted by the author, keep the real value private.
# The line appears twice as posted; this looks like a paste duplicate and
# one copy should be enough -- TODO confirm.
option 11 hex 00:00:00:00:00:00:00:00:00:00:00:66:xxxxxxxx #id fti
option 11 hex 00:00:00:00:00:00:00:00:00:00:00:66:xxxxxxxx #id fti
}
Merci encore à tous pour toutes ces précieuses informations !