Author Topic: Replacing the Livebox with DHCP+DHCPv6-PD (linux/openbsd)  (Read 164761 times)

Labure
« Reply #468 on: 16 April 2017 at 12:37:19 »
My ifup -v vlan838 is done:

root@gateway:~# ifup -v vlan838
Configuring interface vlan838=vlan838 (inet)
run-parts --exit-on-error --verbose /etc/network/if-pre-up.d
run-parts: executing /etc/network/if-pre-up.d/bridge
run-parts: executing /etc/network/if-pre-up.d/vlan
Set name-type for VLAN subsystem. Should be visible in /proc/net/vlan/config
Added VLAN with VID == 838 to IF -:eth2:-
dhclient -4 -cf /etc/dhcp/838.conf -v -pf /run/dhclient.vlan838.pid -lf /var/lib/dhcp/dhclient.vlan838.leases -sf /sbin/dhclient-script vlan838
Internet Systems Consortium DHCP Client 4.3.1
Copyright 2004-2014 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Entering  (PREINIT)
Exiting  (PREINIT)
Listening on LPF/vlan838/00:23:7d:c4:7b:f2
Sending on   LPF/vlan838/00:23:7d:c4:7b:f2
Sending on   Socket/fallback
DHCPREQUEST on vlan838 to 255.255.255.255 port 67
DHCPACK from 10.226.35.254
Entering  (REBOOT)
Exiting  (REBOOT)
bound to 10.226.35.125 -- renewal in 43230 seconds.
/bin/ip link set dev vlan838 type vlan egress 0:4 1:4 2:4 3:4 4:4 5:4 6:6 7:4
run-parts --exit-on-error --verbose /etc/network/if-up.d
run-parts: executing /etc/network/if-up.d/bind9
run-parts: executing /etc/network/if-up.d/ip
run-parts: executing /etc/network/if-up.d/mountnfs
run-parts: executing /etc/network/if-up.d/openssh-server
run-parts: executing /etc/network/if-up.d/openvpn
run-parts: executing /etc/network/if-up.d/upstart

I don't see any error.
« Last edit: 16 April 2017 at 13:18:54 by Labure »

Labure
« Reply #469 on: 16 April 2017 at 13:21:33 »
Zoc, can you give me the ifup -v of your vlan838 so I can compare?

zoc
« Reply #470 on: 16 April 2017 at 14:03:50 »
I'm on an ERL (which is basically a Debian, but with an overlay on top)... So no, I can't...

Labure
« Reply #471 on: 16 April 2017 at 14:07:28 »
I saw that pci uses ISC dhclient 4.3.5; mine is isc-dhclient-4.3.1. Could there be a link?

zoc
« Reply #472 on: 16 April 2017 at 14:09:05 »
I'm using a 4.1 version...

Labure
« Reply #473 on: 16 April 2017 at 14:11:33 »
Looking closely at my ifup log, I see no mention of the rfc3442-classless-routes script. I find that odd?

zoc
« Reply #474 on: 16 April 2017 at 14:12:53 »
I don't know whether anything is supposed to show up. As a first step, I think it would be good to check that the routes are actually in the DHCP reply, with Wireshark for example...

Labure
« Reply #475 on: 16 April 2017 at 14:14:40 »
Worst case, can I add them manually with a script?

zoc
« Reply #476 on: 16 April 2017 at 14:16:52 »
Yes, that's what we did before the ERL supported the classless-routes script... With the ones I gave above, it should work.

Labure
« Reply #477 on: 16 April 2017 at 15:11:09 »
I added the routes manually, but still no Dailymotion, error D02. My ip route gives this:

On the other hand, VOD and replay work.

root@gateway:~# ip route
default via 90.113.24.1 dev vlan832
10.8.0.0/24 via 10.8.0.4 dev tun0
10.8.0.4 dev tun0  proto kernel  scope link  src 10.8.0.3
10.226.35.0/24 dev vlan838  proto kernel  scope link  src 10.226.35.125
80.10.117.120/31 via 10.226.35.254 dev vlan838
80.10.204.0/22 via 10.226.35.254 dev vlan838
81.253.206.0/24 via 10.226.35.254 dev vlan838
81.253.210.0/23 via 10.226.35.254 dev vlan838
81.253.214.0/23 via 10.226.35.254 dev vlan838
88.164.71.0/24 dev eth0  proto kernel  scope link  src 88.164.71.X
90.113.24.0/21 dev vlan832  proto kernel  scope link  src 90.113.24.X
172.19.20.0/23 via 10.226.35.254 dev vlan838
172.20.224.167 via 10.226.35.254 dev vlan838
172.23.12.0/22 via 10.226.35.254 dev vlan838
192.168.4.0/24 dev vlan840  proto kernel  scope link  src 192.168.4.254
192.168.10.0/24 via 10.8.0.4 dev tun0
192.168.90.0/24 via 10.8.0.4 dev tun0
192.168.100.0/24 dev eth1  proto kernel  scope link  src 192.168.100.254
192.168.101.0/24 dev vlan22  proto kernel  scope link  src 192.168.101.254
192.168.110.0/24 via 10.8.0.4 dev tun0
192.168.120.0/24 via 10.8.0.4 dev tun0
192.168.130.0/24 via 10.8.0.4 dev tun0
192.168.140.0/24 via 10.8.0.4 dev tun0
192.168.150.0/24 via 10.8.0.4 dev tun0
192.168.151.0/24 via 10.8.0.4 dev tun0
192.168.152.0/24 via 10.8.0.4 dev tun0
192.168.153.0/24 via 10.8.0.4 dev tun0
192.168.160.0/24 via 10.8.0.4 dev tun0
192.168.200.0/24 via 10.8.0.4 dev tun0
192.168.210.0/24 via 10.8.0.4 dev tun0
193.253.67.88/29 via 10.226.35.254 dev vlan838
193.253.153.227 via 10.226.35.254 dev vlan838
193.253.153.228 via 10.226.35.254 dev vlan838

I left everything raw; did I forget one?
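To follow zoc's suggestion of checking what the DHCP reply actually carries, here is an added example (my code, not posted in the thread) that decodes DHCPv4 option 121 as laid out in RFC 3442 and diffs it against an ip route listing. The option bytes and the route lines are constructed samples built from addresses in the table above; the function names are my own.

```python
"""Decode DHCPv4 option 121 (RFC 3442 classless static routes) and compare it
with an `ip route` listing, to spot routes the server sent but the client
never installed. The option bytes and route lines are constructed samples."""
import ipaddress


def parse_classless_routes(data: bytes):
    """Return [(destination/len, router), ...] from an option 121 payload.

    RFC 3442 packs each route as one byte of prefix length, then only the
    significant destination octets (ceil(len/8)), then the 4-byte router.
    """
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        i += 1
        if plen > 32:
            raise ValueError(f"bad prefix length {plen} at offset {i - 1}")
        nsig = (plen + 7) // 8
        if i + nsig + 4 > len(data):
            raise ValueError("truncated route entry")
        dest = bytes(data[i:i + nsig]) + b"\x00" * (4 - nsig)
        router = ipaddress.IPv4Address(bytes(data[i + nsig:i + nsig + 4]))
        i += nsig + 4
        dotted = ".".join(str(b) for b in dest)
        net = ipaddress.IPv4Network(f"{dotted}/{plen}", strict=False)
        routes.append((str(net), str(router)))
    return routes


def parse_ip_route(text: str):
    """Collect (destination/len, router) from lines such as
    '80.10.204.0/22 via 10.226.35.254 dev vlan838'; a bare host is a /32."""
    found = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 3 and f[1] == "via":
            dest = "0.0.0.0/0" if f[0] == "default" else f[0]
            found.add((str(ipaddress.IPv4Network(dest, strict=False)), f[2]))
    return found


def missing_routes(option121: bytes, ip_route_text: str):
    """Routes present in the DHCP option but absent from the kernel table."""
    installed = parse_ip_route(ip_route_text)
    return [r for r in parse_classless_routes(option121) if r not in installed]


# Constructed sample: four destinations from the table posted above, encoded
# the way a DHCP server on VLAN 838 would send them, router 10.226.35.254.
SAMPLE_OPTION_121 = bytes([
    31, 80, 10, 117, 120, 10, 226, 35, 254,   # 80.10.117.120/31
    22, 80, 10, 204, 10, 226, 35, 254,        # 80.10.204.0/22 (3 significant octets)
    32, 172, 20, 224, 167, 10, 226, 35, 254,  # 172.20.224.167/32
    29, 193, 253, 67, 88, 10, 226, 35, 254,   # 193.253.67.88/29
])

# Constructed `ip route` excerpt in which the last of those routes is missing.
SAMPLE_IP_ROUTE = """\
default via 90.113.24.1 dev vlan832
10.226.35.0/24 dev vlan838  proto kernel  scope link  src 10.226.35.125
80.10.117.120/31 via 10.226.35.254 dev vlan838
80.10.204.0/22 via 10.226.35.254 dev vlan838
172.20.224.167 via 10.226.35.254 dev vlan838
"""

if __name__ == "__main__":
    for dest, router in missing_routes(SAMPLE_OPTION_121, SAMPLE_IP_ROUTE):
        print(f"pushed by DHCP but not installed: {dest} via {router}")
```

Feed it the real option bytes from a Wireshark capture of the DHCPACK and the output of ip route on the gateway to get the list of routes still to add.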

mystogan
« Reply #478 on: 04 May 2017 at 00:06:14 »
I just noticed that I no longer have Internet access when going through the Livebox; access via the Debian router is OK.
Every attempt to reach the Internet gives the livebox/captivePortal.html page.

Yet the Livebox still provides TV and telephone.
In the Livebox menus everything is OK.
Plugging the Livebox directly into the Internet gets Internet back.

Strange.

My IP and IPv6 prefix changed during the night from Monday to Tuesday; as a result, no Internet/TV/telephone on Tuesday morning (although normally it should have changed by itself).
I had to restart everything to get it working again.
A colleague on Orange fibre in my town also had his IP changed, so it looks geographic.

I took the opportunity to reset the Livebox; that seems to have fixed its problem.

ohmer
« Reply #479 on: 09 May 2017 at 01:45:48 »
Hello,

I'm sharing my recipe after quite a bit of struggling.
Hoping it can be useful to other Orange fibre subscribers.

My goal was to simplify the configuration of a Linux box, based on what has been shared here (thanks).
More precisely, I wanted to replace a Livebox Pro V4 with a NUC with a second Ethernet interface over USB.
The distribution I chose is Ubuntu. At first a 16.04 to stay on LTS, but the ifupdown package was missing a feature, so I had to upgrade it to 16.04.
My recipe only provides IPv4 + IPv6 access (no TV or ToIP).
It uses ufw, isc-dhcp, dnsmasq and dnscrypt.

/etc/udev/rules.d/70-persistent-net.rules
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="<MAC_ADDR_LB>", NAME="wan"
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="<MAC_ADDR_LAN>", NAME="lan"
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="<MAC_ADDR_WLAN>", NAME="wifi"

/etc/network/interfaces.d/lan
allow-auto lan

iface lan inet static
        address 192.168.0.1
        netmask 255.255.255.0

/etc/network/interfaces.d/wan
allow-auto wan

iface wan inet manual
      hwaddress <MAC_ADDR_LB>

/etc/network/interfaces.d/wan.832
allow-auto wan.832

iface wan.832 inet dhcp
      vlan-id 832
      vlan-raw-device wan

iface wan.832 inet6 dhcp
      vlan-id 832
      vlan-raw-device wan
      accept_ra 2
      request_prefix 1

The ifupdown package of release 16.04 does not support invoking the DHCPv6 client in prefix delegation mode (-P option).
This was added in a later version: https://anonscm.debian.org/git/collab-maint/ifupdown.git/commit/?id=9af9a607274bec491ca165f9b8af6af26bbdf585.
17.04 has a more recent version of the package that includes this feature.

/etc/dhcp/dhclient.conf
option rfc3118-authentication code 90 = string;

option dhcp6.auth code 11 = string;
option dhcp6.userclass code 15 = string;
option dhcp6.vendorclass code 16 = string;

interface "wan.832" {
    send vendor-class-identifier "sagem";
    send dhcp-client-identifier <MAC_ADDR_LB>;
    send user-class "+FSVDSL_livebox.Internet.softathome.Livebox3";
    send rfc3118-authentication 00:00:00:00:00:00:00:00:00:00:00:66:74:69:2f:<ORANGE_ID>;

    request subnet-mask,
            routers,
            domain-name,
            broadcast-address,
            dhcp-lease-time,
            dhcp-renewal-time,
            dhcp-rebinding-time,
            rfc3118-authentication;

    send dhcp6.client-id 00:03:00:01:7c:26:64:64:cc:c8;
    send dhcp6.vendorclass 00:00:04:0e:00:05:73:61:67:65:6d;
    send dhcp6.userclass 00:2b:46:53:56:44:53:4c:5f:6c:69:76:65:62:6f:78:2e:49:6e:74:65:72:6e:65:74:2e:73:6f:66:74:61:74:68:6f:6d:65:2e:6c:69:76:65:62:6f:78:33;
    send dhcp6.auth 00:00:00:00:00:00:00:00:00:00:00:66:74:69:2f:<ORANGE_ID>;

    request dhcp6.auth, dhcp6.name-servers, dhcp6.sip-servers-names;
}

/etc/dhcp/dhclient-exit-hooks.d/ipv6
# Note: dhclient-script writes /etc/resolv.conf before it sources the exit
# hooks, so this override only takes effect from dhclient-enter-hooks.d.
make_resolv_conf() { : ; }

# Turn the delegated prefix (Orange hands out a /56, e.g. 2001:db8:0:100::/56)
# into the address of its first /64 on the lan side: 2001:db8:0:100::1/64.
# This relies on the prefix being written with a trailing "::".
lan_addr () {
    local prefix=$1
    echo "${prefix%%/*}1/$((8 + ${prefix##*/}))"
}

ip_addr_add () {
    local prefix=$1
    local valid_lft=$2
    local preferred_lft=$3

    # "replace" rather than "add": on RENEW6/REBIND6 the same prefix comes
    # back with fresh lifetimes, and "add" would then fail with "File exists".
    ip -6 addr replace "$(lan_addr "${prefix}")" dev lan \
       scope global valid_lft "${valid_lft}" preferred_lft "${preferred_lft}"
    return $?
}

ip_addr_del () {
    local prefix=$1

    ip -6 addr del "$(lan_addr "${prefix}")" dev lan
    return $?
}

ip_addr_flush () {
    ip -6 addr flush dev lan scope global
    return $?
}

if [ "$interface" = "wan.832" ]
then
    case $reason in
        PREINIT6)
            ip_addr_flush
            ;;
        BOUND6)
            # ISC dhclient exports the IA_PD binding as new_ip6_prefix,
            # new_max_life and new_preferred_life on BOUND6 as well.
            if [ -z "${new_ip6_prefix}" ]; then
                exit 2
            fi

            ip_addr_add "${new_ip6_prefix}" "${new_max_life}" "${new_preferred_life}"
            exit_status=$((exit_status|$?))
            ;;
        REBIND6|RENEW6)
            if [ -z "${new_ip6_prefix}" ]; then
                exit 2
            fi

            # Compare the prefixes: the hook call for an IA_PD binding carries
            # no ip6_address, so comparing addresses never detected a change.
            if [ -n "${old_ip6_prefix}" ] && [ "${new_ip6_prefix}" != "${old_ip6_prefix}" ]; then
                ip_addr_del "${old_ip6_prefix}"
            fi

            ip_addr_add "${new_ip6_prefix}" "${new_max_life}" "${new_preferred_life}"
            exit_status=$((exit_status|$?))
            ;;
        EXPIRE6|RELEASE6|STOP6)
            ;;
    esac
fi

/etc/dnsmasq.conf
log-queries
log-dhcp

server=127.0.0.1#54

domain-needed
bogus-priv
filterwin2k
localise-queries
local=/local/
domain=local
expand-hosts
no-negcache
no-resolv
no-poll

enable-ra
dhcp-range=tag:lan, ::100, ::1ff, constructor:lan, ra-names, 64, 12h

dhcp-authoritative
dhcp-leasefile=/tmp/dhcp.leases
dhcp-range=192.168.0.100,192.168.0.200,12h
dhcp-option=1,255.255.255.0
dhcp-option=3,192.168.0.1
dhcp-option=6,192.168.0.1
read-ethers


/etc/dnscrypt-proxy/dnscrypt-proxy.conf
# A more comprehensive example config can be found in
# /usr/share/doc/dnscrypt-proxy/examples/dnscrypt-proxy.conf

ResolverName random
Daemonize no

# LocalAddress only applies to users of the init script. systemd users must
# change the dnscrypt-proxy.socket file.
# LocalAddress 127.0.2.1:53

/lib/systemd/system/dnscrypt-proxy.socket
[Unit]
Description=dnscrypt-proxy listening socket
Documentation=man:dnscrypt-proxy(8)
Wants=dnscrypt-proxy-resolvconf.service

[Socket]
ListenStream=127.0.0.1:54
ListenDatagram=127.0.0.1:54

[Install]
WantedBy=sockets.target

/etc/ufw/before.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#
# nat Table rules
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

-A PREROUTING -i wan.832 -p tcp --dport 3122  -j DNAT --to-destination 192.168.0.10:22
-A POSTROUTING -s 192.168.0.0/24 -o wan.832 -j MASQUERADE
COMMIT

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines


# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

/etc/ufw/before6.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw6-before-input
#   ufw6-before-output
#   ufw6-before-forward
#
*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

-A POSTROUTING -o wan.832 -p udp --dport 547 -j DSCP --set-dscp-class CS6
COMMIT

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw6-before-input - [0:0]
:ufw6-before-output - [0:0]
:ufw6-before-forward - [0:0]
# End required lines


# allow all on loopback
-A ufw6-before-input -i lo -j ACCEPT
-A ufw6-before-output -o lo -j ACCEPT

# drop packets with RH0 headers
-A ufw6-before-input -m rt --rt-type 0 -j DROP
-A ufw6-before-forward -m rt --rt-type 0 -j DROP
-A ufw6-before-output -m rt --rt-type 0 -j DROP

# quickly process packets for which we already have a connection
-A ufw6-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw6-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw6-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny
-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP

# ok icmp codes for INPUT (rfc4890, 4.4.1 and 4.4.2)
-A ufw6-before-input -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
# codes 0 and 1
-A ufw6-before-input -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
# codes 0-2
-A ufw6-before-input -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
# IND solicitation
-A ufw6-before-input -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
# IND advertisement
-A ufw6-before-input -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
# MLD query
-A ufw6-before-input -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
# MLD report
-A ufw6-before-input -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
# MLD done
-A ufw6-before-input -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
# MLD report v2
-A ufw6-before-input -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
# SEND certificate path solicitation
-A ufw6-before-input -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
# SEND certificate path advertisement
-A ufw6-before-input -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
# MR advertisement
-A ufw6-before-input -p icmpv6 --icmpv6-type 151 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
# MR solicitation
-A ufw6-before-input -p icmpv6 --icmpv6-type 152 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
# MR termination
-A ufw6-before-input -p icmpv6 --icmpv6-type 153 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT

# ok icmp codes for OUTPUT (rfc4890, 4.4.1 and 4.4.2)
-A ufw6-before-output -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
# codes 0 and 1
-A ufw6-before-output -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
# codes 0-2
-A ufw6-before-output -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
# IND solicitation
-A ufw6-before-output -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
# IND advertisement
-A ufw6-before-output -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
# MLD query
-A ufw6-before-output -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
# MLD report
-A ufw6-before-output -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
# MLD done
-A ufw6-before-output -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
# MLD report v2
-A ufw6-before-output -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
# SEND certificate path solicitation
-A ufw6-before-output -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
# SEND certificate path advertisement
-A ufw6-before-output -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
# MR advertisement
-A ufw6-before-output -p icmpv6 --icmpv6-type 151 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
# MR solicitation
-A ufw6-before-output -p icmpv6 --icmpv6-type 152 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
# MR termination
-A ufw6-before-output -p icmpv6 --icmpv6-type 153 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT

# ok icmp codes for FORWARD (rfc4890, 4.3.1)
-A ufw6-before-forward -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
# codes 0 and 1
-A ufw6-before-forward -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
# codes 0-2
-A ufw6-before-forward -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
# ok icmp codes for FORWARD (rfc4890, 4.3.2)
# Home Agent Address Discovery Request
-A ufw6-before-input -p icmpv6 --icmpv6-type 144 -j ACCEPT
# Home Agent Address Discovery Reply
-A ufw6-before-input -p icmpv6 --icmpv6-type 145 -j ACCEPT
# Mobile Prefix Solicitation
-A ufw6-before-input -p icmpv6 --icmpv6-type 146 -j ACCEPT
# Mobile Prefix Advertisement
-A ufw6-before-input -p icmpv6 --icmpv6-type 147 -j ACCEPT

# allow dhcp client to work
-A ufw6-before-input -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT

# allow MULTICAST mDNS for service discovery
-A ufw6-before-input -p udp -d ff02::fb --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery
-A ufw6-before-input -p udp -d ff02::f --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

/etc/default/ufw
# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take effect.
IPV6=yes

# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_INPUT_POLICY="DROP"

# Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_OUTPUT_POLICY="ACCEPT"

# Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="ACCEPT"

# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_APPLICATION_POLICY="SKIP"

# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break
# non-ufw managed firewall rules
MANAGE_BUILTINS=yes

#
# IPT backend
#
# only enable if using iptables backend
IPT_SYSCTL=/etc/ufw/sysctl.conf

# Extra connection tracking modules to load. Complete list can be found in
# net/netfilter/Kconfig of your kernel source. Some common modules:
# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
# nf_conntrack_netbios_ns: NetBIOS (samba) client support
# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
# nf_conntrack_ftp, nf_nat_ftp: active FTP support
# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
IPT_MODULES="nf_conntrack_irc nf_nat_irc nf_conntrack_ftp nf_nat_ftp nf_conntrack_tftp nf_nat_tftp"

Everything is allowed on the internal interface:
sudo ufw allow in on lan from any to any
Result: my machines on the LAN get IPv4 and IPv6 access (the box acts as dual-stack DNS resolver, DHCPv4 and DHCPv6 server).
I haven't tested every case the dhcp-exit-hook script has to cover, but for now it works as intended.

I welcome your contributions if you see problems with my method.
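The raw hex strings in the dhclient.conf above are opaque, so here is an added example (my code, not ohmer's) that decodes them according to RFC 3315: the vendor-class (§22.16), user-class (§22.15) and authentication (§22.11) options, the last of which uses the same header layout as the IPv4 rfc3118-authentication option. The hex values are copied from the config; the login ID is a constructed placeholder standing in for <ORANGE_ID>.

```python
"""Decode the hex-encoded DHCPv6 options from the dhclient.conf above so the
bytes can be checked before they go on the wire: vendor-class (RFC 3315 §22.16),
user-class (§22.15) and the authentication option (§22.11), whose trailing
field carries the fti/ login. Hex values copied from the config; the login ID
is a constructed placeholder where the post has <ORANGE_ID>."""
import struct


def from_colon_hex(text: str) -> bytes:
    """'00:2b:46' -> b'\\x00+F', the raw-option syntax dhclient.conf uses."""
    return bytes(int(h, 16) for h in text.split(":"))


def decode_items(data: bytes):
    """Split a sequence of (2-byte big-endian length, data) items, the layout
    shared by user-class and by the vendor-class-data field."""
    items, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated item length")
        (n,) = struct.unpack("!H", data[i:i + 2])
        i += 2
        if i + n > len(data):
            raise ValueError(f"item claims {n} bytes but only {len(data) - i} remain")
        items.append(data[i:i + n].decode("ascii"))
        i += n
    return items


def decode_vendor_class(data: bytes):
    """(enterprise-number, [vendor-class-data, ...])."""
    (enterprise,) = struct.unpack("!I", data[:4])
    return enterprise, decode_items(data[4:])


def decode_user_class(data: bytes):
    return decode_items(data)


def decode_auth(data: bytes):
    """protocol, algorithm, RDM, 8-byte replay detection, then authentication
    information. Same header as the IPv4 option 90 (RFC 3118), so this also
    decodes the rfc3118-authentication value in the same config."""
    if len(data) < 11:
        raise ValueError("authentication option shorter than its 11-byte header")
    return {"protocol": data[0], "algorithm": data[1], "rdm": data[2],
            "replay": bytes(data[3:11]), "info": data[11:].decode("ascii")}


VENDORCLASS = "00:00:04:0e:00:05:73:61:67:65:6d"
USERCLASS = ("00:2b:46:53:56:44:53:4c:5f:6c:69:76:65:62:6f:78:2e:49:6e:74:65:72:"
             "6e:65:74:2e:73:6f:66:74:61:74:68:6f:6d:65:2e:6c:69:76:65:62:6f:78:33")
# Constructed placeholder login "fti/EXAMPLEID" in place of fti/<ORANGE_ID>.
AUTH = "00:00:00:00:00:00:00:00:00:00:00:" + ":".join(f"{b:02x}" for b in b"fti/EXAMPLEID")

if __name__ == "__main__":
    print("vendor-class:", decode_vendor_class(from_colon_hex(VENDORCLASS)))
    print("user-class:  ", decode_user_class(from_colon_hex(USERCLASS)))
    print("auth:        ", decode_auth(from_colon_hex(AUTH)))
```

Decoding shows that the DHCPv6 user-class sent here is FSVDSL_livebox.Internet.softathome.livebox3, which is not byte-for-byte the same string as the IPv4 user-class in the same file.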
