En espérant que cela pourra être utile à certains, j'ai enfin réussi à faire fonctionner l'IPv6 sur les machines derrière un pfSense connecté directement à un ER4.
L'architecture est la suivante (cf image) :
- Port Eth1 de ER4 branché en direct sur ONT Orange,
- Port Eth0 de l'ER4 branché direct sur PFsense WAN
- PC branché sur LAN Pfsense
Le fichier de config.boot (en PJ, le fichier complet):
firewall {
...
ipv6-name WANv6_IN {
default-action drop
description "WANv6 inbound traffic forwarded to LAN"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
rule 30 {
action accept
description "Allow ICMPv6"
protocol icmpv6
}
}
ipv6-name WANv6_LOCAL {
default-action drop
description "WANv6 inbound traffic to the router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
rule 30 {
action accept
description "Allow ICMPv6"
protocol icmpv6
}
rule 40 {
action accept
description "Allow DHCPv6 Client/server"
destination {
port 546
}
protocol udp
source {
port 547
}
}
rule 50 {
action accept
description "Allow DHCPv6 Relaying"
destination {
port 547
}
protocol udp
source {
port 547
}
}
}
ipv6-name WANv6_OUT {
default-action accept
description "WANv6 outbound traffic"
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name WAN_IN {
default-action drop
description "packets from Internet to LAN"
enable-default-log
rule 10 {
action accept
description "Allow established sessions"
log disable
protocol all
state {
established enable
invalid disable
new disable
related disable
}
}
rule 20 {
action drop
description "Drop invalid state"
log disable
protocol all
state {
established disable
invalid enable
new disable
related disable
}
}
}
....
}
interfaces {
ethernet eth0 {
address dhcp
description LAN0_Internal_Network
duplex auto
speed auto
vif 10 {
address 10.10.0.1/24
address dhcpv6
description "Vlan Pfsense"
ip {
enable-proxy-arp
}
ipv6 {
dup-addr-detect-transmits 1
router-advert {
cur-hop-limit 64
link-mtu 0
managed-flag false
max-interval 600
other-config-flag false
prefix ::/64 {
autonomous-flag true
on-link-flag true
valid-lifetime 2592000
}
reachable-time 0
retrans-timer 0
send-advert true
}
}
mtu 1500
}
}
ethernet eth1 {
address dhcp
description LAN1_Internet_ONT
dhcp-options {
default-route update
default-route-distance 210
name-server update
}
duplex auto
speed auto
vif 832 {
address dhcp
description "Internet Orange DHCP"
dhcp-options {
client-option "send vendor-class-identifier "sagem";"
client-option "send user-class "\053FSVDSL_livebox.Internet.softathome.Livebox4";"
client-option "request subnet-mask, routers, domain-name-servers, domain-name, broadcast-address, dhcp-lease-time, dhcp-renewal-time, dhcp-rebinding-time, domain-search, rfc3118-auth, SIP,V-I;"
client-option "send dhcp-client-identifier xx:xx:xx:xx:xx:xx:xx;"
client-option "send rfc3118-auth 00:00:00:00:00:00:00:00:00:00:00:1a:09:00:00:05:58:01:03:41:01:0d:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx;"
default-route update
default-route-distance 210
global-option "option rfc3118-auth code 90 = string;"
global-option "option SIP code 120 =string;"
global-option "option V-I code 125 =string;"
name-server update
}
dhcpv6-pd {
pd 0 {
interface eth0.10 {
host-address ::1
prefix-id ::1
}
interface eth2.832 {
host-address ::1
prefix-id ::3
}
prefix-length 56
}
prefix-only
rapid-commit enable
}
egress-qos "0:0 1:0 2:0 3:0 4:0 5:0 6:6 7:0"
firewall {
in {
ipv6-name WANv6_IN
name WAN_IN
}
local {
ipv6-name WANv6_LOCAL
name WAN_LOCAL
}
out {
ipv6-name WANv6_OUT
name WAN_OUT
}
}
ipv6 {
address {
autoconf
}
dup-addr-detect-transmits 1
}
}
vif 840 {
address 10.10.2.254/32
description "VLAN TV Canal 1 - Zap"
egress-qos "0:5 1:5 2:5 3:5 4:5 5:5 6:5 7:5"
}
}
ethernet eth2 {
address 10.10.1.1/24
description LAN2_Livebox
duplex auto
speed auto
vif 832 {
address 10.10.1.254/24
description Voip
}
}
}
protocols {
igmp-proxy {
disable-quickleave
interface eth0 {
alt-subnet 0.0.0.0/0
role downstream
threshold 1
}
interface eth1 {
role disabled
threshold 1
}
interface eth1.832 {
role disabled
threshold 1
}
interface eth1.840 {
alt-subnet 0.0.0.0/0
role upstream
threshold 1
}
interface eth2 {
role disabled
threshold 1
}
}
static {
route 10.20.0.0/16 {
next-hop 10.10.0.2 {
}
}
route6 ::/0 {
next-hop fe80::ba0:bab {
distance 1
interface eth1.832
}
}
route6 2a01:xx:xx:d202::/64 {
next-hop fe80::250:56ff:fe97:c099 {
interface eth0.10
}
}
}
}
service {
Les points importants :
- Rajouter distance 1 à la route par défaut (route6 ::/0) => cela m'a déjà fait le bon gag de remplacer la route par défaut IPv6 Internet par celle de la dernière route statique créée.
- Rajouter dans protocols static la route vers votre réseau LAN derrière pfSense en indiquant comme next-hop l'adresse link-local (fe80::…) de l'interface WAN du pfSense.
Si le gag de la route par défaut ::/0 vous arrive, c'est très certainement que votre route statique vers votre LAN derrière pfSense a une priorité supérieure à celle de la route Internet par défaut. Exemple :
root@Routeur:~# show ipv6 route
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type 2, B - BGP
Timers: Uptime
IP Route Table for VRF "default"
S ::/0 [1/0] via fe80::250:56ff:fe97:c099, eth0.10, 02:05:38 ======>non non non, la route Internet par défaut n'est pas mon lan
C ::1/128 via ::, lo, 02:06:15
C 2a01:xx:xx:d2::/64 via ::, eth1.832, 01:54:26
C 2a01:xx:xx:d201::/64 via ::, eth0.10, 01:54:26
S 2a01:xx:xx:d202::/64 [1/0] via fe80::250:56ff:fe97:c099, eth0.10, 01:40:04
C fe80::/64 via ::, eth1.832, 02:05:47
root@Routeur:~# ip -6 route
2a01:xx:xx:d2::/64 dev eth1.832 proto kernel metric 256 pref medium
2a01:xx:xx:d201::2 dev eth0.10 proto kernel metric 256 expires 86035sec pref medium
2a01:xx:xx:d201::/64 dev eth0.10 proto kernel metric 256 pref medium
2a01:xx:xx:d202::/64 via fe80::250:56ff:fe97:c099 dev eth0.10 proto zebra metric 1024 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev eth0.10 proto kernel metric 256 pref medium
fe80::/64 dev eth1.840 proto kernel metric 256 pref medium
fe80::/64 dev eth1.832 proto kernel metric 256 pref medium
default via fe80::250:56ff:fe97:c099 dev eth0.10 proto ra metric 1024 expires 1435sec hoplimit 64 pref medium
default via fe80::ba0:bab dev eth1.832 proto zebra metric 1024 pref low ============> Aïe, priorité inférieure à celle du dessus...
**Identifier la route qui vous pose problème et taper la commande :**
ip -6 route delete default via fe80::250:56ff:fe97:c099 dev eth0.10
root@Routeur:~# show ipv6 route
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type 2, B - BGP
Timers: Uptime
IP Route Table for VRF "default"
S ::/0 [1/0] via fe80::ba0:bab, eth1.832, 02:05:38
C ::1/128 via ::, lo, 02:06:15
C 2a01:xx:xx:d2::/64 via ::, eth1.832, 01:54:26
C 2a01:xx:xx:d201::/64 via ::, eth0.10, 01:54:26
S 2a01:xx:xx:d202::/64 [1/0] via fe80::250:56ff:fe97:c099, eth0.10, 01:40:04
C fe80::/64 via ::, eth1.832, 02:05:47
Le fichier dhclient6.service à mettre dans /etc/systemd/system avec un chmod 755 et à personnaliser avec vos interfaces :
#/etc/systemd/system/dhclient6.service
# Runs a dedicated dhclient instance in IPv6 mode (-6) asking for prefix
# delegation (-P) on the Orange WAN VLAN, with the configuration file that
# generate_dhcpv6_configfile.sh writes just before each start.
[Unit]
Description=dhclient for sending IPv6 DUID
After=network.target auditd.service vyatta-router.service netplug.service
[Service]
Type=forking
# Regenerates /etc/dhcp3/dhclient6_eth1_832.conf from the running EdgeOS config.
ExecStartPre=/config/scripts/generate_dhcpv6_configfile.sh
# NOTE(review): "-F" without a chain name flushes every chain of the mangle
# table, not only the CLASSIFY rule inserted next; any other mangle rules on
# the router are lost at each (re)start, i.e. at least every RestartSec.
ExecStartPre=/sbin/ip6tables -t mangle -F
# Tags outgoing DHCPv6 client->server packets with priority class 0:6, which
# the "6:6" entry of egress-qos on eth1.832 in config.boot presumably maps to
# the 802.1p priority Orange expects for DHCP -- confirm.
ExecStartPre=/sbin/ip6tables -t mangle -I POSTROUTING -p udp --dport dhcpv6-server -j CLASSIFY --set-class 0:6
# -nw: do not wait for a lease before returning; -cf/-pf/-lf keep this
# instance's config, pid and lease files apart from the IPv4 dhclient.
ExecStart=/sbin/dhclient -6 -P -nw -cf /etc/dhcp3/dhclient6_eth1_832.conf -pf /var/run/dhclient6_eth1_832.pid -lf /var/run/dhclient6_eth1_832.leases eth1.832
NonBlocking=yes
Restart=always
RestartSec=60
[Install]
WantedBy=multi-user.target
Le fichier dhclient-ipv6 à mettre dans /etc/dhcp3/dhclient-exit-hooks.d/ et à personnaliser avec vos interfaces
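#!/bin/bash
# dhclient-ipv6: dhclient exit hook (installed in
# /etc/dhcp3/dhclient-exit-hooks.d/) that turns the DHCPv6 prefix delegated
# on the external interface into one /64 per internal interface, rewrites
# /etc/radvd.conf and keeps the IPv6 default route on the external interface.
# It is sourced by dhclient-script rather than executed: do not add
# "set -e"/"set -u" here, they would change the behaviour of the caller.
# Logs: journalctl -t dhclient6
# Prerequisites:
#   - "autoconf" must be configured so that only the prefix is obtained here
#     (the original note names $INT_IFACE; the accompanying config.boot sets
#     it on the external VLAN eth1.832) -- confirm which one applies;
#   - Orange may take up to ~20 minutes to hand out default route + prefix;
#   - make this file executable.
leasefile='/var/run/dhclient6_eth1_832.leases'
EXT_IFACE='eth1.832' # exactly one external interface
# Internal interfaces, e.g. INT_IFACE=('eth0' 'eth0.10'). Every entry needs a
# matching two-hex-digit prefix id in INT_PREFIX, e.g. INT_PREFIX=('01' '02').
INT_IFACE=('eth0.10' 'eth2.832')
INT_PREFIX=('01')
# NOTE(review): INT_PREFIX has one entry for two interfaces, so the second
# interface gets an empty prefix id, i.e. the first /64 of the delegated
# prefix (config.boot assigns eth2.832 prefix-id ::3 -- confirm).
if [ "${#INT_IFACE[@]}" -ne "${#INT_PREFIX[@]}" ]; then
  echo "INT_IFACE has ${#INT_IFACE[@]} entries but INT_PREFIX has ${#INT_PREFIX[@]} --> check the prefix ids" | systemd-cat -p warning -t dhclient6
fi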
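ipv6_ifsetup(){
  # Apply the delegated prefix: for every internal interface replace its
  # global addresses/routes with <prefix><id>::1/64 plus the on-link /64
  # route, then drop the stale global addresses/routes of the external
  # interface. radvd is stopped while addresses change and restarted after.
  # Reads $current_pdnet (set by the top-level code of this hook), $INT_IFACE,
  # $INT_PREFIX and $EXT_IFACE. Returns 1 when no prefix is known.
  local idx iface iprefix iface_prefix iface_ip addr rt
  local -a ifip ifrt extifip extifrt
  if [ -z "$current_pdnet" ]; then
    echo "No delegated prefix known (current_pdnet is empty) --> skip interface setup" | systemd-cat -p warning -t dhclient6
    return 1
  fi
  systemctl stop radvd >/dev/null 2>&1
  for idx in "${!INT_IFACE[@]}"; do
    iface=${INT_IFACE[$idx]}
    iprefix=${INT_PREFIX[$idx]}
    if [ -z "$iprefix" ]; then
      # An empty id yields the first /64 of the delegation, which may collide
      # with the /64 the external interface auto-configures from the ISP.
      echo "No INT_PREFIX entry for $iface --> using the first /64 of the delegated prefix" | systemd-cat -p warning -t dhclient6
    fi
    # <first three hextets>:<high byte of the fourth hextet><prefix id>::/64,
    # e.g. 2a01:xx:xx:d200 + id 01 -> 2a01:xx:xx:d201::/64
    iface_prefix=$(echo "$current_pdnet" | cut -d: -f1-3)
    iface_prefix+=:$(echo "$current_pdnet" | awk -F':' '{print "000"$4}' | rev | cut -c3-4 | rev)
    iface_prefix+=$iprefix
    iface_prefix+="::/64"
    # Remove the interface's current global addresses (word-splitting the
    # command output is intended: addresses contain no whitespace).
    ifip=($(ip -6 a s dev "$iface" scope global | awk '/inet6/ {print $2}'))
    for addr in "${ifip[@]}"; do
      ip -6 a d "$addr" dev "$iface"
      echo "Delete ipv6 address : $addr on interface $iface" | systemd-cat -p info -t dhclient6
    done
    # Remove its routes except the default route and the link-local /64.
    # The original deleted "$iface_ip" here (the last address removed above),
    # so routes of previous prefixes were never removed.
    ifrt=($(ip -6 r s dev "$iface" | grep -v -e "default via" -e "fe80::/64" | awk '{print $1}'))
    for rt in "${ifrt[@]}"; do
      ip -6 r d "$rt" dev "$iface"
      echo "Delete ipv6 route : $rt on interface $iface" | systemd-cat -p info -t dhclient6
    done
    # Router address in the new /64: ::1
    iface_ip=${iface_prefix%::/64}::1/64
    echo "Create ipv6 address : $iface_ip on interface $iface" | systemd-cat -p info -t dhclient6
    ip -6 a a "$iface_ip" dev "$iface" scope global
    if [ -z "$(ip -6 r s "$iface_prefix" dev "$iface")" ]; then
      echo "Check ipv6 route failed : create route $iface_prefix on interface $iface" | systemd-cat -p info -t dhclient6
      ip -6 r a "$iface_prefix" dev "$iface" proto kernel
    fi
  done
  # External interface clean-up. The original addressed "$IFACE" (the last
  # internal interface) here, so it never removed anything. With autoconf on
  # the external VLAN the WAN address should come back with the next router
  # advertisement -- confirm before relying on this on a live link.
  extifip=($(ip -6 a s dev "$EXT_IFACE" scope global | awk '/inet6/ {print $2}'))
  for addr in "${extifip[@]}"; do
    ip -6 a d "$addr" dev "$EXT_IFACE"
    echo "Delete ipv6 address : $addr on interface $EXT_IFACE" | systemd-cat -p info -t dhclient6
  done
  extifrt=($(ip -6 r s dev "$EXT_IFACE" | grep -v -e "default via" -e "fe80::/64" | awk '{print $1}'))
  for rt in "${extifrt[@]}"; do
    ip -6 r d "$rt" dev "$EXT_IFACE"
    echo "Delete ipv6 route : $rt on interface $EXT_IFACE" | systemd-cat -p info -t dhclient6
  done
  systemctl restart radvd >/dev/null 2>&1
}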
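ipv6_radvd_reconf(){
  # Rewrite /etc/radvd.conf from scratch with one "interface" stanza per
  # internal interface, advertising the /64 derived from the delegated
  # prefix ($current_pdnet, set by the top-level code of this hook). The
  # parameters largely mirror the router-advert settings of config.boot.
  # Returns 1 (and leaves the existing file alone) when no prefix is known.
  local idx iface iprefix iface_prefix
  if [ -z "$current_pdnet" ]; then
    echo "No delegated prefix known (current_pdnet is empty) --> keep current /etc/radvd.conf" | systemd-cat -p warning -t dhclient6
    return 1
  fi
  {
    echo "# Generated automatically by dhclient6-script exit-hook on $(date)"
    for idx in "${!INT_IFACE[@]}"; do
      iface=${INT_IFACE[$idx]}
      iprefix=${INT_PREFIX[$idx]}
      # <first three hextets>:<high byte of the fourth hextet><prefix id>::/64
      iface_prefix=$(echo "$current_pdnet" | cut -d: -f1-3)
      iface_prefix+=:$(echo "$current_pdnet" | awk -F':' '{print "000"$4}' | rev | cut -c3-4 | rev)
      iface_prefix+=$iprefix
      iface_prefix+="::/64"
      cat <<EOF
interface $iface {
  IgnoreIfMissing on;
  AdvCurHopLimit 64;
  AdvLinkMTU 0;
  AdvSendAdvert on;
  MaxRtrAdvInterval 600;
  AdvDefaultPreference medium;
  AdvOtherConfigFlag off;
  AdvReachableTime 0;
  AdvDefaultLifetime 1800;
  MinRtrAdvInterval 198;
  AdvRetransTimer 0;
  AdvManagedFlag off;
  prefix $iface_prefix {
    AdvPreferredLifetime 604800;
    AdvOnLink on;
    AdvValidLifetime 2592000;
    AdvAutonomous on;
  };
};

EOF
    done
  } > /etc/radvd.conf
}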
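ipv6_checkdefaultroute() {
  # Keep the IPv6 default route on $EXT_IFACE via the ISP's link-local
  # gateway: add it when missing, re-point it when it leaves through another
  # interface. Managed with ip(8) on purpose, not with "set protocols static"
  # (as the original comment says).
  local -r gateway='fe80::ba0:bab'
  local default_iface
  # Only default routes through $gateway count. The original grep matched
  # any route via that gateway and could return several lines.
  default_iface=$(ip -6 route | awk -v gw="$gateway" '$1 == "default" && $3 == gw { print $5; exit }')
  echo "Current default ipv6 route interface :" "$default_iface" | systemd-cat -p info -t dhclient6
  if [ "$default_iface" != "$EXT_IFACE" ]; then
    if [ -z "$default_iface" ]; then
      ip -6 route add default via "$gateway" proto kernel dev "$EXT_IFACE"
      echo "Default ipv6 route is missing --> Add a new one" | systemd-cat -p warning -t dhclient6
    else
      ip -6 route change default via "$gateway" proto kernel dev "$EXT_IFACE"
      echo "Default ipv6 route incorrectly set to $default_iface --> Remapping to $EXT_IFACE" | systemd-cat -p warning -t dhclient6
    fi
  fi
}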
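# Entry point of the hook. $reason and $new_ip6_prefix are provided by
# dhclient-script (BOUND6, REBIND6, REBOOT, PREINIT6, ...).
echo "Starting dhclient-ipv6 for $reason at $(date)" | systemd-cat -p info -t dhclient6
# The lease file accumulates one "iaprefix <prefix>/<len> {" line per lease
# obtained; dhclient appends, so the last match is the current delegation.
# The original kept every match and joined them into a single value.
current_pd=''
if [ -r "$leasefile" ]; then
  current_pd=$(grep prefix "$leasefile" | awk '{print $2}' | tail -n 1)
fi
# Delegated prefix without its "::/<len>" suffix, e.g. 2a01:xx:xx:d200
# (the original stripped a fixed five characters, i.e. assumed "::/NN").
current_pdnet=${current_pd%::/*}
# First three hextets plus the high byte of the fourth: the part shared by
# every /64 carved out of the /56. Kept for compatibility; unused below.
current_basenet=$(echo "$current_pdnet" | cut -d: -f1-3):$(echo "$current_pdnet" | awk -F':' '{print "000"$4}' | rev | cut -c3-4 | rev)
ipv6_checkdefaultroute
case "$reason" in
  BOUND6|REBIND6)
    if [ -n "$new_ip6_prefix" ]; then
      echo "Received prefix : " "$new_ip6_prefix" | systemd-cat -p info -t dhclient6
      ipv6_radvd_reconf
      ipv6_ifsetup
    fi
    ;;
  REBOOT|PREINIT6)
    if [ -n "$current_pd" ]; then
      echo "IPv6 lease seems OK. Current prefix is $current_pd -> Start ipv6 config" | systemd-cat -p info -t dhclient6
      ipv6_ifsetup
    fi
    ;;
esac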
Le fichier generate_dhcpv6_configfile.sh à mettre dans /config/scripts et à personnaliser avec vos interfaces :
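#!/bin/bash
# Place in /config/scripts/generate_dhcpv6_configfile.sh
#
# Builds the dhclient -6 configuration for the Orange France WAN VLAN from
# the DHCPv4 client-options already present in the EdgeOS configuration
# (interfaces ethernet $interface vif $vif dhcp-options client-option).
# Run as ExecStartPre of dhclient6.service: a non-zero exit keeps the
# service from starting with a broken configuration file.
target_file="/etc/dhcp3/dhclient6_eth1_832.conf"
interface="eth1"
vif="832"

# Print the value of the first client-option line matching $1, without its
# trailing ';' (the lines look like: client-option "send <name> <value>;").
# Reads $interface and $vif.
client_option_value() {
  /bin/cli-shell-api showCfg interfaces ethernet "$interface" vif "$vif" dhcp-options client-option \
    | grep -- "$1" | awk '{ print $4 }' | awk -F ';' '{ print $1 }'
}

auth_string=$(client_option_value "send rfc3118-auth")
# NOTE(review): extracted but not used below -- the dhcp6.client-id is a
# literal. Confirm whether it should be derived from this value.
mac_livebox=$(client_option_value "dhcp-client-identifier")

# Without the auth string dhclient would get a "send dhcp6.auth ;" line and
# fail to parse its config; fail here instead, where the cause is visible.
if [ -z "$auth_string" ]; then
  printf '%s: no "send rfc3118-auth" client-option found on %s.%s, not writing %s\n' \
    "${0##*/}" "$interface" "$vif" "$target_file" >&2
  exit 1
fi

# The file carries the subscriber's DHCP authentication secret: create it
# root-only instead of with the default umask. The original built the text
# with literal \n/\t and an unquoted "echo -e", which also put a stray
# leading space on every line; a plain here-document avoids both.
umask 077
cat > "$target_file" <<EOF
# $target_file
option dhcp6.auth code 11 = string;
option dhcp6.vendorclass code 16 = string;
option dhcp6.userclass code 15 = string;
option dhcp6.vendor-specific-info code 17 = string;

#External interface (VLAN must be 832 for Orange)
interface "$interface.$vif" {
	#Orange France specific options
	send dhcp6.vendor-specific-info 00:00:00:00:05:58:00:06:00:0e:49:50:56:36:5f:52:45:51:55:45:53:54:45:44;
	send dhcp6.vendorclass 00:00:04:0e:00:05:73:61:67:65:6d;
	send dhcp6.userclass 00:2b:46:53:56:44:53:4c:5f:6c:69:76:65:62:6f:78:2e:49:6e:74:65:72:6e:65:74:2e:73:6f:66:74:61:74:68:6f:6d:65:2e:6c:69:76:65:62:6f:78:34;
	send dhcp6.vendor-opts 00:00:05:58:00:06:00:0e:49:50:56:36:5f:52:45:51:55:45:53:54:45:44;

	#Authentication for Orange France DHCP server (same value as for DHCPv4)
	send dhcp6.auth $auth_string;

	send dhcp6.client-id 00:03:00:01:fc:ec:da:43:03:9b;

	request dhcp6.name-servers, dhcp6.vendorclass, dhcp6.userclass, dhcp6.auth;
}
EOF
# Also covers a pre-existing file, whose mode umask does not change.
chmod 600 "$target_file"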