La Fibre
Replace the Livebox with a router => Discussion started by: galerien on 05 May 2023 at 17:46:53
-
Hoping this may be useful to some, I have finally managed to get IPv6 working on the machines behind a pfSense connected directly to an ER4.
The architecture is as follows (see image):
- Eth1 port of the ER4 connected directly to the Orange ONT,
- Eth0 port of the ER4 connected directly to the pfSense WAN
- PC connected to the pfSense LAN
The config.boot file (the complete file is attached):
firewall {
    ...
    ipv6-name WANv6_IN {
        default-action drop
        description "WANv6 inbound traffic forwarded to LAN"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow ICMPv6"
            protocol icmpv6
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WANv6 inbound traffic to the router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow ICMPv6"
            protocol icmpv6
        }
        rule 40 {
            action accept
            description "Allow DHCPv6 Client/server"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
        rule 50 {
            action accept
            description "Allow DHCPv6 Relaying"
            destination {
                port 547
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-name WANv6_OUT {
        default-action accept
        description "WANv6 outbound traffic"
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "packets from Internet to LAN"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established sessions"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related disable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    ...
}
interfaces {
    ethernet eth0 {
        address dhcp
        description LAN0_Internal_Network
        duplex auto
        speed auto
        vif 10 {
            address 10.10.0.1/24
            address dhcpv6
            description "Vlan Pfsense"
            ip {
                enable-proxy-arp
            }
            ipv6 {
                dup-addr-detect-transmits 1
                router-advert {
                    cur-hop-limit 64
                    link-mtu 0
                    managed-flag false
                    max-interval 600
                    other-config-flag false
                    prefix ::/64 {
                        autonomous-flag true
                        on-link-flag true
                        valid-lifetime 2592000
                    }
                    reachable-time 0
                    retrans-timer 0
                    send-advert true
                }
            }
            mtu 1500
        }
    }
    ethernet eth1 {
        address dhcp
        description LAN1_Internet_ONT
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server update
        }
        duplex auto
        speed auto
        vif 832 {
            address dhcp
            description "Internet Orange DHCP"
            dhcp-options {
                client-option "send vendor-class-identifier "sagem";"
                client-option "send user-class "\053FSVDSL_livebox.Internet.softathome.Livebox4";"
                client-option "request subnet-mask, routers, domain-name-servers, domain-name, broadcast-address, dhcp-lease-time, dhcp-renewal-time, dhcp-rebinding-time, domain-search, rfc3118-auth, SIP,V-I;"
                client-option "send dhcp-client-identifier xx:xx:xx:xx:xx:xx:xx;"
                client-option "send rfc3118-auth 00:00:00:00:00:00:00:00:00:00:00:1a:09:00:00:05:58:01:03:41:01:0d:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx;"
                default-route update
                default-route-distance 210
                global-option "option rfc3118-auth code 90 = string;"
                global-option "option SIP code 120 =string;"
                global-option "option V-I code 125 =string;"
                name-server update
            }
            dhcpv6-pd {
                pd 0 {
                    interface eth0.10 {
                        host-address ::1
                        prefix-id ::1
                    }
                    interface eth2.832 {
                        host-address ::1
                        prefix-id ::3
                    }
                    prefix-length 56
                }
                prefix-only
                rapid-commit enable
            }
            egress-qos "0:0 1:0 2:0 3:0 4:0 5:0 6:6 7:0"
            firewall {
                in {
                    ipv6-name WANv6_IN
                    name WAN_IN
                }
                local {
                    ipv6-name WANv6_LOCAL
                    name WAN_LOCAL
                }
                out {
                    ipv6-name WANv6_OUT
                    name WAN_OUT
                }
            }
            ipv6 {
                address {
                    autoconf
                }
                dup-addr-detect-transmits 1
            }
        }
        vif 840 {
            address 10.10.2.254/32
            description "VLAN TV Canal 1 - Zap"
            egress-qos "0:5 1:5 2:5 3:5 4:5 5:5 6:5 7:5"
        }
    }
    ethernet eth2 {
        address 10.10.1.1/24
        description LAN2_Livebox
        duplex auto
        speed auto
        vif 832 {
            address 10.10.1.254/24
            description Voip
        }
    }
}
protocols {
    igmp-proxy {
        disable-quickleave
        interface eth0 {
            alt-subnet 0.0.0.0/0
            role downstream
            threshold 1
        }
        interface eth1 {
            role disabled
            threshold 1
        }
        interface eth1.832 {
            role disabled
            threshold 1
        }
        interface eth1.840 {
            alt-subnet 0.0.0.0/0
            role upstream
            threshold 1
        }
        interface eth2 {
            role disabled
            threshold 1
        }
    }
    static {
        route 10.20.0.0/16 {
            next-hop 10.10.0.2 {
            }
        }
        route6 ::/0 {
            next-hop fe80::ba0:bab {
                distance 1
                interface eth1.832
            }
        }
        route6 2a01:xx:xx:d202::/64 {
            next-hop fe80::250:56ff:fe97:c099 {
                interface eth0.10
            }
        }
    }
}
service {
The important points:
- Add distance 1 to the default route (route6 ::/0) => It already played the nice trick on me of replacing the IPv6 Internet default route with that of the last static route created. :-\
- Add, under protocols static, the route to your LAN network behind pfSense, giving the fe80::xx:xx address of the pfSense WAN interface
If the ::/0 default route trick happens to you, it is most likely because your static route to your LAN behind pfSense has a higher priority than the default Internet route. Example:
root@Routeur:~# show ipv6 route
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type 2, B - BGP
Timers: Uptime
IP Route Table for VRF "default"
S ::/0 [1/0] via fe80::250:56ff:fe97:c099, eth0.10, 02:05:38 ======> no no no, the default Internet route is not my LAN
C ::1/128 via ::, lo, 02:06:15
C 2a01:xx:xx:d2::/64 via ::, eth1.832, 01:54:26
C 2a01:xx:xx:d201::/64 via ::, eth0.10, 01:54:26
S 2a01:xx:xx:d202::/64 [1/0] via fe80::250:56ff:fe97:c099, eth0.10, 01:40:04
C fe80::/64 via ::, eth1.832, 02:05:47
root@Routeur:~# ip -6 route
2a01:xx:xx:d2::/64 dev eth1.832 proto kernel metric 256 pref medium
2a01:xx:xx:d201::2 dev eth0.10 proto kernel metric 256 expires 86035sec pref medium
2a01:xx:xx:d201::/64 dev eth0.10 proto kernel metric 256 pref medium
2a01:xx:xx:d202::/64 via fe80::250:56ff:fe97:c099 dev eth0.10 proto zebra metric 1024 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev eth0.10 proto kernel metric 256 pref medium
fe80::/64 dev eth1.840 proto kernel metric 256 pref medium
fe80::/64 dev eth1.832 proto kernel metric 256 pref medium
default via fe80::250:56ff:fe97:c099 dev eth0.10 proto ra metric 1024 expires 1435sec hoplimit 64 pref medium
default via fe80::ba0:bab dev eth1.832 proto zebra metric 1024 pref low ============> Ouch, lower priority than the one above....
Identify the route causing you the problem and type the command:
ip -6 route delete default via fe80::250:56ff:fe97:c099 dev eth0.10
root@Routeur:~# show ipv6 route
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type 2, B - BGP
Timers: Uptime
IP Route Table for VRF "default"
S ::/0 [1/0] via fe80::ba0:bab, eth1.832, 02:05:38
C ::1/128 via ::, lo, 02:06:15
C 2a01:xx:xx:d2::/64 via ::, eth1.832, 01:54:26
C 2a01:xx:xx:d201::/64 via ::, eth0.10, 01:54:26
S 2a01:xx:xx:d202::/64 [1/0] via fe80::250:56ff:fe97:c099, eth0.10, 01:40:04
C fe80::/64 via ::, eth1.832, 02:05:47
The dhclient6.service file, to be placed in /etc/systemd/system with chmod 755 and customized with your interfaces
#/etc/systemd/system/dhclient6.service
[Unit]
Description=dhclient for sending IPv6 DUID
After=network.target auditd.service vyatta-router.service netplug.service
[Service]
Type=forking
ExecStartPre=/config/scripts/generate_dhcpv6_configfile.sh
ExecStartPre=/sbin/ip6tables -t mangle -F
ExecStartPre=/sbin/ip6tables -t mangle -I POSTROUTING -p udp --dport dhcpv6-server -j CLASSIFY --set-class 0:6
ExecStart=/sbin/dhclient -6 -P -nw -cf /etc/dhcp3/dhclient6_eth1_832.conf -pf /var/run/dhclient6_eth1_832.pid -lf /var/run/dhclient6_eth1_832.leases eth1.832
NonBlocking=yes
Restart=always
RestartSec=60
[Install]
WantedBy=multi-user.target
The dhclient-ipv6 file, to be placed in /etc/dhcp3/dhclient-exit-hooks.d/ and customized with your interfaces
#!/bin/bash
# Exit hook for dhclient -6 (sourced by dhclient-script): place it in
# /etc/dhcp3/dhclient-exit-hooks.d/dhclient-ipv6 and make this file executable
leasefile='/var/run/dhclient6_eth1_832.leases'
EXT_IFACE='eth1.832'              # only one interface allowed
INT_IFACE=('eth0.10' 'eth2.832')  # several interfaces allowed, e.g. INT_IFACE=('eth0' 'eth0.10')
INT_PREFIX=('01' '03')            # one prefix id per interface (the prefix-id values of config.boot), e.g. INT_PREFIX=('01' '02')
# Logs can be read with journalctl -t dhclient6
# autoconf must be configured on $INT_IFACE to receive the prefix only
# It can take up to 20 minutes to receive the default route + prefix from Orange

log_info() { echo "$*" | systemd-cat -p info -t dhclient6; }
log_warn() { echo "$*" | systemd-cat -p warning -t dhclient6; }

# /64 for one internal interface: first three hextets of the delegated prefix,
# the high byte of the fourth hextet, then the prefix id,
# e.g. 2a01:xx:xx:d200::/56 with id 01 -> 2a01:xx:xx:d201::/64
pd_subnet() {
    echo "${current_basenet}${1}::/64"
}

ipv6_ifsetup() {
    # Remove the old addresses/routes on the internal and external interfaces,
    # then recreate the internal addresses/routes
    systemctl stop radvd >/dev/null 2>&1
    for idx in "${!INT_IFACE[@]}"; do
        IFACE=${INT_IFACE[$idx]}
        iface_prefix=$(pd_subnet "${INT_PREFIX[$idx]}")
        # Remove the internal addresses
        ifip=($(ip -6 a s dev "$IFACE" scope global | grep inet6 | awk '{print $2}'))
        for iface_ip in "${ifip[@]}"; do
            ip -6 a d "$iface_ip" dev "$IFACE"
            log_info "Delete ipv6 address : $iface_ip on interface $IFACE"
        done
        # Remove the internal routes (keep the default route and the link-local /64)
        ifrt=($(ip -6 r s dev "$IFACE" | grep -v -e "default via" -e "fe80::/64" | awk '{print $1}'))
        for iface_rt in "${ifrt[@]}"; do
            ip -6 r d "$iface_rt" dev "$IFACE"
            log_info "Delete ipv6 route : $iface_rt on interface $IFACE"
        done
        # Router address ::1 on the new /64 (host-address ::1 in config.boot)
        iface_ip="${iface_prefix%/64}1/64"
        log_info "Create ipv6 address : $iface_ip on interface $IFACE"
        ip -6 a a "$iface_ip" dev "$IFACE" scope global
        if [ -z "$(ip -6 r s "$iface_prefix" dev "$IFACE")" ]; then
            log_info "Check ipv6 route failed : create route $iface_prefix on interface $IFACE"
            ip -6 r a "$iface_prefix" dev "$IFACE" proto kernel
        fi
    done
    # Same clean-up on the external interface
    extifip=($(ip -6 a s dev "$EXT_IFACE" scope global | grep inet6 | awk '{print $2}'))
    for ext_ip in "${extifip[@]}"; do
        ip -6 a d "$ext_ip" dev "$EXT_IFACE"
        log_info "Delete ipv6 address : $ext_ip on interface $EXT_IFACE"
    done
    extifrt=($(ip -6 r s dev "$EXT_IFACE" | grep -v -e "default via" -e "fe80::/64" | awk '{print $1}'))
    for ext_rt in "${extifrt[@]}"; do
        ip -6 r d "$ext_rt" dev "$EXT_IFACE"
        log_info "Delete ipv6 route : $ext_rt on interface $EXT_IFACE"
    done
    systemctl restart radvd >/dev/null 2>&1
}

ipv6_radvd_reconf() {
    # Rewrite /etc/radvd.conf from scratch, one block per internal interface
    : > /etc/radvd.conf
    for idx in "${!INT_IFACE[@]}"; do
        IFACE=${INT_IFACE[$idx]}
        iface_prefix=$(pd_subnet "${INT_PREFIX[$idx]}")
        cat >> /etc/radvd.conf <<EOF
# Generated automatically by dhclient6-script exit-hook on $(date)
interface $IFACE {
    IgnoreIfMissing on;
    AdvCurHopLimit 64;
    AdvLinkMTU 0;
    AdvSendAdvert on;
    MaxRtrAdvInterval 600;
    AdvDefaultPreference medium;
    AdvOtherConfigFlag off;
    AdvReachableTime 0;
    AdvDefaultLifetime 1800;
    MinRtrAdvInterval 198;
    AdvRetransTimer 0;
    AdvManagedFlag off;
    prefix $iface_prefix {
        AdvPreferredLifetime 604800;
        AdvOnLink on;
        AdvValidLifetime 2592000;
        AdvAutonomous on;
    };
};

EOF
    done
}

ipv6_checkdefaultroute() {
    # Check the default route and add or fix it (do not create it via "set protocols")
    default_iface=$(ip -6 route | grep '^default via fe80::ba0:bab ' | awk '{print $5}')
    log_info "Current default ipv6 route interface : $default_iface"
    if [ "$default_iface" != "$EXT_IFACE" ]; then
        if [ -z "$default_iface" ]; then
            ip -6 route add default via fe80::ba0:bab proto kernel dev "$EXT_IFACE"
            log_warn "Default ipv6 route is missing --> Add a new one"
        else
            ip -6 route change default via fe80::ba0:bab proto kernel dev "$EXT_IFACE"
            log_warn "Default ipv6 route incorrectly set to $default_iface --> Remapping to $EXT_IFACE"
        fi
    fi
}

log_info "Starting dhclient-ipv6 for $reason at $(date)"
# Last iaprefix recorded in the lease file, e.g. 2a01:xx:xx:d200::/56
current_pd=$(awk '/prefix/ {p=$2} END {print p}' "$leasefile")
current_pdnet=${current_pd%%::/*}   # 2a01:xx:xx:d200
current_basenet=$(echo "$current_pdnet" | cut -d: -f1-3):$(echo "$current_pdnet" | awk -F':' '{print "000"$4}' | rev | cut -c3-4 | rev)   # 2a01:xx:xx:d2
ipv6_checkdefaultroute
case "$reason" in
    BOUND6|REBIND6)
        if [ -n "$new_ip6_prefix" ]; then
            log_info "Received prefix : $new_ip6_prefix"
            ipv6_radvd_reconf
            ipv6_ifsetup
        fi
        ;;
    REBOOT|PREINIT6)
        if [ -n "$current_pd" ]; then
            log_info "IPv6 lease seems OK. Current prefix is $current_pd -> Start ipv6 config"
            ipv6_ifsetup
        fi
        ;;
esac
The generate_dhcpv6_configfile.sh file, to be placed in /config/scripts and customized with your interfaces:
#!/bin/bash
# Place in /config/scripts/generate_dhcpv6_configfile.sh
# Builds the dhclient -6 configuration for the Orange VLAN; the rfc3118-auth
# string is read back from the DHCPv4 client-options already in config.boot.
target_file="/etc/dhcp3/dhclient6_eth1_832.conf"
interface="eth1"
vif="832"
client_options=$(/bin/cli-shell-api showCfg interfaces ethernet "$interface" vif "$vif" dhcp-options client-option)
# 'send rfc3118-auth 00:...:xx;' -> keep the hex string without the trailing ';'
auth_string=$(echo "$client_options" | grep "send rfc3118-auth" | awk '{ print $4 }' | awk -F ";" '{print $1}')
# 'send dhcp-client-identifier xx:...;' -> read for reference, not used in the file below
mac_livebox=$(echo "$client_options" | grep "dhcp-client-identifier" | awk '{ print $4 }' | awk -F ";" '{print $1}')

cat > "$target_file" <<EOF
# $target_file
option dhcp6.auth code 11 = string;
option dhcp6.vendorclass code 16 = string;
option dhcp6.userclass code 15 = string;
option dhcp6.vendor-specific-info code 17 = string;

#External interface (VLAN must be 832 for Orange)
interface "eth1.832" {
    #Orange France specific options
    send dhcp6.vendor-specific-info 00:00:00:00:05:58:00:06:00:0e:49:50:56:36:5f:52:45:51:55:45:53:54:45:44;
    send dhcp6.vendorclass 00:00:04:0e:00:05:73:61:67:65:6d;
    send dhcp6.userclass 00:2b:46:53:56:44:53:4c:5f:6c:69:76:65:62:6f:78:2e:49:6e:74:65:72:6e:65:74:2e:73:6f:66:74:61:74:68:6f:6d:65:2e:6c:69:76:65:62:6f:78:34;
    send dhcp6.vendor-opts 00:00:05:58:00:06:00:0e:49:50:56:36:5f:52:45:51:55:45:53:54:45:44;

    #Authentication for Orange France DHCP server (same value as for DHCPv4)
    send dhcp6.auth $auth_string;

    #DUID-LL (type 3, hardware type 1 = Ethernet) followed by the MAC: customize it
    send dhcp6.client-id 00:03:00:01:fc:ec:da:43:03:9b;

    request dhcp6.name-servers, dhcp6.vendorclass, dhcp6.userclass, dhcp6.auth;
}
EOF
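The default-route pitfall described in the post above, as an added example that is not part of the original thread: it parses `ip -6 route` output (a constructed sample mirroring the dump in the post, with a documentation prefix), ranks the default routes the way the dump shows the kernel choosing (lowest metric first, then RFC 4191 preference high > medium > low; neighbour reachability is ignored here), and reports when the winner does not leave via the Orange VLAN. Interface and gateway names are the post's; the selection logic generalizes the exit hook's grep for a single gateway.

```python
import re

# Constructed sample of "ip -6 route" while the RA-learned default via the
# pfSense VLAN (eth0.10) was beating the intended one via eth1.832.
SAMPLE_ROUTES = """\
2001:db8:1:d2::/64 dev eth1.832 proto kernel metric 256 pref medium
2001:db8:1:d201::/64 dev eth0.10 proto kernel metric 256 pref medium
2001:db8:1:d202::/64 via fe80::250:56ff:fe97:c099 dev eth0.10 proto zebra metric 1024 pref medium
fe80::/64 dev eth1.832 proto kernel metric 256 pref medium
default via fe80::250:56ff:fe97:c099 dev eth0.10 proto ra metric 1024 expires 1435sec hoplimit 64 pref medium
default via fe80::ba0:bab dev eth1.832 proto zebra metric 1024 pref low
"""

PREF_RANK = {"high": 0, "medium": 1, "low": 2}
ROUTE_RE = re.compile(
    r"^default via (?P<via>\S+) dev (?P<dev>\S+) proto (?P<proto>\S+)"
    r".*?metric (?P<metric>\d+).*?pref (?P<pref>\w+)", re.M)

def default_routes(text):
    """All IPv6 default routes, best first: lowest metric, then the
    RFC 4191 preference (high > medium > low), as in the dump."""
    routes = [m.groupdict() for m in ROUTE_RE.finditer(text)]
    for r in routes:
        r["metric"] = int(r["metric"])
    return sorted(routes, key=lambda r: (r["metric"], PREF_RANK.get(r["pref"], 3)))

def check_default(text, ext_iface):
    """Return (ok, winner): ok is False when the selected default route
    does not leave through the WAN VLAN, e.g. an RA installed one via eth0.10."""
    routes = default_routes(text)
    if not routes:
        return False, None
    return routes[0]["dev"] == ext_iface, routes[0]

def fix_command(route):
    """The deletion the post recommends, built from the parsed route."""
    return f"ip -6 route delete default via {route['via']} dev {route['dev']}"
```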
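The prefix derivation the exit hook above performs with cut/awk/rev, as an added example that is not the post's code: it reads the delegated prefix from a constructed dhclient6 leases file (documentation prefix 2001:db8::/32, not a real Orange delegation), derives each internal interface's /64 from the prefix-id values used in config.boot (eth0.10 -> 01, eth2.832 -> 03), rejects an id that does not fit in the delegation (which the hook does not check), and renders the radvd prefix block. Interface names are the post's.

```python
import ipaddress
import re

# Constructed sample of a dhclient -6 leases file; the hook greps the iaprefix line.
SAMPLE_LEASES = """\
lease6 {
  interface "eth1.832";
  ia-pd 00:00:00:01 {
    iaprefix 2001:db8:1:d200::/56 {
      preferred-life 604800;
      max-life 2592000;
    }
  }
}
"""

# Same (interface, prefix-id) pairs as the dhcpv6-pd stanza in config.boot.
INT_IFACES = {"eth0.10": 0x01, "eth2.832": 0x03}

def delegated_prefix(leases_text):
    """Most recent iaprefix in the leases file, as an IPv6Network."""
    found = re.findall(r"^\s*iaprefix\s+(\S+)\s*\{", leases_text, re.M)
    if not found:
        raise ValueError("no iaprefix in leases file")
    return ipaddress.IPv6Network(found[-1], strict=True)

def subnet_for(pd, prefix_id):
    """The /64 whose subnet id inside the delegated prefix is prefix_id.
    2001:db8:1:d200::/56 with id 0x01 gives 2001:db8:1:d201::/64, the same
    result as the hook's cut/awk/rev pipeline for that input."""
    free_bits = 64 - pd.prefixlen
    if free_bits < 0 or prefix_id >= (1 << free_bits):
        raise ValueError(f"prefix-id {prefix_id:#x} does not fit in {pd}")
    return ipaddress.IPv6Network((int(pd.network_address) | (prefix_id << 64), 64))

def router_address(subnet):
    """host-address ::1 on the subnet, the address the hook assigns."""
    return ipaddress.IPv6Interface((int(subnet.network_address) | 1, 64))

def radvd_stanza(iface, subnet):
    """The radvd.conf block the hook writes for one internal interface."""
    return (f"interface {iface} {{\n    AdvSendAdvert on;\n"
            f"    prefix {subnet} {{\n        AdvOnLink on;\n"
            f"        AdvAutonomous on;\n    }};\n}};\n")

def plan(leases_text, ifaces=INT_IFACES):
    """Map each internal interface to (its /64, its router address)."""
    pd = delegated_prefix(leases_text)
    return {ifc: (subnet_for(pd, pid), router_address(subnet_for(pd, pid)))
            for ifc, pid in ifaces.items()}
```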
-
I do roughly the same thing between an ER4 and a VyOS VM, but I use OSPFv3 to distribute the routes, which avoids using static routes. A bit overkill for a single route, but educational ;)
-
hello
can you tell us which firmware version your ER4 is on?
thanks
-
Who? @galerien?
Without a doubt a 2.X version, since there is no systemd on 1.10.11 (the one I personally use).