Configuring J:COM IPv6 (DHCPv6-PD) on NEC IX2215


I bought an IX2215, so I decided to try it out.

https://x.com/ciffelia/status/1898278389594911196

I have a subscription to J:COM NET and have been using IPv6 with the router provided by J:COM. Since I could not find information on how to use J:COM's IPv6 service with an IX2215, I am documenting my configuration here.

Minimum Required Configuration

J:COM's IPv6 service appears to distribute a /56 prefix via DHCPv6-PD. To use this with the IX2215, the minimum required configuration is as follows. You will also need to disable the router and Wi-Fi AP functions of your cable modem.

ip dhcp enable
!
ipv6 dhcp enable
ipv6 access-list permit-all permit ip src any dest any
ipv6 access-list wan-in-dhcpv6 permit udp src fe80::/64 sport eq 547 dest fe80::/64 dport eq 546
ipv6 access-list wan-in-icmpv6 option optimize
ipv6 access-list wan-in-icmpv6 permit icmp type 1 src any dest any
ipv6 access-list wan-in-icmpv6 permit icmp type 2 src any dest any
ipv6 access-list wan-in-icmpv6 permit icmp type 3 src any dest any
ipv6 access-list wan-in-icmpv6 permit icmp type 4 src any dest any
ipv6 access-list wan-in-ra deny icmp type 134 src any dest any
ipv6 access-list dynamic dyn-permit-all access permit-all
!
ip dhcp profile lan0
  dns-server 192.168.0.1
!
ipv6 dhcp client-profile pd
  ia-pd subscriber GigaEthernet2.0 ::/64 eui-64
!
ipv6 dhcp server-profile lan0
  dns-server dhcp
!
interface GigaEthernet0.0
  ip address dhcp receive-default
  ip napt enable
  ip napt hairpinning
  ipv6 enable
  ipv6 dhcp client pd
  ipv6 filter wan-in-dhcpv6 1 in
  ipv6 filter wan-in-icmpv6 2 in
  ipv6 filter wan-in-ra 3 in suppress-logging
  ipv6 filter dyn-permit-all 999 out
  no shutdown
!
interface GigaEthernet2.0
  ip address 192.168.0.1/24
  ip dhcp binding lan0
  ipv6 enable
  ipv6 dhcp server lan0
  ipv6 nd ra enable
  ipv6 nd ra other-config-flag
  proxy-dns ip enable
  no shutdown
!

I will explain a few of the configuration items below.

DHCPv6-PD Client

ipv6 dhcp client-profile pd
  ia-pd subscriber GigaEthernet2.0 ::/64 eui-64
!
interface GigaEthernet0.0
  ipv6 dhcp client pd

This starts the DHCPv6-PD client on GE0 (the WAN side) and gives GE2 (the LAN side) a /64 taken from the delegated prefix, with an EUI-64 interface identifier. If VLANs are required, you specify a different /64 from the delegation for each subinterface, as follows:

ipv6 dhcp client-profile pd
  ia-pd subscriber GigaEthernet2.1 0:0:0:0::/64 eui-64
  ia-pd subscriber GigaEthernet2.2 0:0:0:1::/64 eui-64
!
interface GigaEthernet0.0
  ipv6 dhcp client pd
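To make the subscriber notation concrete, here is an added Python example (not code from the article or from NEC) that, given a delegated /56, computes the /64 each `ia-pd subscriber` line selects and the interface address the `eui-64` keyword would produce. It assumes the subscriber address part is simply ORed into the delegated prefix, and that EUI-64 follows the standard rule (flip the universal/local bit of the MAC, insert ff:fe in the middle). The delegated prefix 2001:db8:abcd:1200::/56 and the MAC address are constructed sample values.

```python
"""Work out what the `ia-pd subscriber` lines hand to each LAN interface.

Added example, not code from the article or from NEC.  Assumptions: the
subscriber address part is ORed into the delegated prefix (a /56 leaves
8 bits, so 0:0:0:1::/64 selects the second /64), and the interface
identifier follows the standard EUI-64 rule.  The delegated prefix and the
MAC address below are constructed sample values."""
import ipaddress


def subscriber_prefix(delegated: str, subnet_part: str, length: int = 64) -> ipaddress.IPv6Network:
    """Combine a delegated prefix with the address part of an `ia-pd subscriber` line."""
    pd = ipaddress.IPv6Network(delegated, strict=False)
    if length < pd.prefixlen:
        raise ValueError(f"/{length} is shorter than the delegated /{pd.prefixlen}")
    sid = int(ipaddress.IPv6Address(subnet_part))
    # The subnet part may only use the bits between the delegated length and the subnet length.
    usable = ((1 << (128 - pd.prefixlen)) - 1) & ~((1 << (128 - length)) - 1)
    if sid & ~usable:
        raise ValueError(f"{subnet_part} does not fit between /{pd.prefixlen} and /{length}")
    return ipaddress.IPv6Network((int(pd.network_address) | sid, length))


def eui64_address(prefix: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """Form the address the `eui-64` keyword selects: flip the universal/local
    bit of the MAC's first octet and insert ff:fe between the two halves."""
    if prefix.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers need a /64")
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(int(prefix.network_address) | int.from_bytes(iid, "big"))


def subnet_count(delegated: str, length: int = 64) -> int:
    """How many /`length` subnets a delegation provides (256 for a /56)."""
    pd = ipaddress.IPv6Network(delegated, strict=False)
    return 1 << (length - pd.prefixlen)


if __name__ == "__main__":
    pd = "2001:db8:abcd:1200::/56"  # constructed sample delegation
    for iface, part in [("GigaEthernet2.1", "0:0:0:0::"), ("GigaEthernet2.2", "0:0:0:1::")]:
        net = subscriber_prefix(pd, part)
        print(iface, net, eui64_address(net, "00:11:22:33:44:55"))  # constructed MAC
    print(subnet_count(pd), "/64 subnets available")
```

With a /56 there are eight free bits, so valid subscriber parts run from 0:0:0:0:: to 0:0:0:ff::; the function rejects anything outside that range (for example 0:0:1::) rather than silently overwriting bits of the delegated prefix.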

RA and DHCPv6 Server

ipv6 dhcp enable
!
ipv6 dhcp server-profile lan0
  dns-server dhcp
!
interface GigaEthernet2.0
  ipv6 enable
  ipv6 dhcp server lan0
  ipv6 nd ra enable
  ipv6 nd ra other-config-flag

This distributes IPv6 addresses (the prefix for SLAAC) via RA (Router Advertisement). In addition, the DHCPv6 server hands out the DNS server addresses that the DHCPv6 client feature learned on the WAN side (`dns-server dhcp`). Setting the RA O-flag (`other-config-flag`) tells clients to obtain that other configuration, i.e. DNS servers, via DHCPv6.

Note that with this configuration, automatic IPv6 DNS server assignment cannot be used on Android. This is because Android only supports RDNSS and not DHCPv6. As long as the IPv4 DNS server is active, I do not believe this will cause any problems.

The IX2215 does support RDNSS, but with RDNSS, you must hard-code the DNS server addresses into the configuration. You cannot distribute the DNS server information received via the DHCPv6 client feature. Since the IX2215's own IPv6 address may change, using the proxy-DNS feature will not circumvent this issue.

Access Lists and Filters

ipv6 access-list permit-all permit ip src any dest any
ipv6 access-list wan-in-dhcpv6 permit udp src fe80::/64 sport eq 547 dest fe80::/64 dport eq 546
ipv6 access-list wan-in-icmpv6 option optimize
ipv6 access-list wan-in-icmpv6 permit icmp type 1 src any dest any
ipv6 access-list wan-in-icmpv6 permit icmp type 2 src any dest any
ipv6 access-list wan-in-icmpv6 permit icmp type 3 src any dest any
ipv6 access-list wan-in-icmpv6 permit icmp type 4 src any dest any
ipv6 access-list wan-in-ra deny icmp type 134 src any dest any
ipv6 access-list dynamic dyn-permit-all access permit-all
!
interface GigaEthernet0.0
  ipv6 filter wan-in-dhcpv6 1 in
  ipv6 filter wan-in-icmpv6 2 in
  ipv6 filter wan-in-ra 3 in suppress-logging
  ipv6 filter dyn-permit-all 999 out

Since there is no NAT in IPv6, it is desirable to configure filters that provide the same effective protection that NAT gives in IPv4. Using the dynamic filter feature, we allow in only the response packets for connections that originated from the inside.

In addition, you need to allow DHCPv6-PD packets and ICMPv6 Type 1 (Destination Unreachable), 2 (Packet Too Big), 3 (Time Exceeded), and 4 (Parameter Problem) packets. Type 2 in particular is important because Path MTU Discovery depends on it; if it is dropped, large transfers stall. The official configuration examples were ambiguous regarding these, and I struggled to get them working correctly.

RAs from the WAN side are not used, so there is no need to let them through. Since they arrive every few dozen seconds, I have configured the filter to suppress logging when they are blocked.
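As an added illustration (not the article's or NEC's code), the following Python model pushes a few constructed packets through the GE0 inbound filter chain and the outbound dynamic filter described above. The evaluation model is an assumption made for illustration: static filters are tried in ascending filter number with the first match winning, unmatched traffic is dropped (implicit deny), and the dynamic filter admits an inbound packet only when it is the reverse of a flow already seen outbound. The addresses use documentation prefixes.

```python
"""Model of the IPv6 filter chain the article places on GigaEthernet0.0.

Added example, not code from the article or from NEC.  The evaluation
model is an assumption for illustration: static filters are checked in
ascending filter number with first match winning, anything unmatched is
dropped (implicit deny), and the dynamic filter admits an inbound packet
only when it is the reverse of a flow already seen outbound.  Addresses
are constructed from documentation prefixes."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0       # tcp/udp only
    dport: int = 0
    icmp_type: int = -1  # icmp only


def in_net(addr: str, net: str) -> bool:
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(net)


# Access lists from the article, as (action, match-function) entries.
ACLS = {
    "wan-in-dhcpv6": [
        ("permit", lambda p: p.proto == "udp" and p.sport == 547 and p.dport == 546
                   and in_net(p.src, "fe80::/64") and in_net(p.dst, "fe80::/64")),
    ],
    "wan-in-icmpv6": [
        # Types 1-4: destination unreachable, packet too big, time exceeded, parameter problem
        ("permit", lambda p: p.proto == "icmp" and p.icmp_type in (1, 2, 3, 4)),
    ],
    "wan-in-ra": [
        ("deny", lambda p: p.proto == "icmp" and p.icmp_type == 134),
    ],
}


class Ge0Ipv6Filters:
    """Inbound static filters plus the outbound dynamic filter on GE0."""

    def __init__(self):
        # (number, acl) pairs as in `ipv6 filter <acl> <number> in`
        self.inbound_filters = [(1, "wan-in-dhcpv6"), (2, "wan-in-icmpv6"), (3, "wan-in-ra")]
        self.sessions = set()

    def outbound(self, p: Packet) -> tuple:
        # `ipv6 filter dyn-permit-all 999 out`: the permit-all list passes the
        # packet and the dynamic filter remembers the flow.
        self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return ("permit", "dyn-permit-all")

    def inbound(self, p: Packet) -> tuple:
        # Replies to a recorded outbound flow are admitted by the dynamic filter.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions:
            return ("permit", "dynamic")
        for _, acl in sorted(self.inbound_filters):
            for action, matches in ACLS[acl]:
                if matches(p):
                    return (action, acl)
        return ("deny", "implicit")


def run_scenario() -> dict:
    """Push a few constructed packets through the chain and collect verdicts."""
    fw = Ge0Ipv6Filters()
    lan_host, web = "2001:db8:1:1::10", "2001:db8:ffff::1"
    fw.outbound(Packet("tcp", lan_host, web, sport=51000, dport=443))
    return {
        "https reply": fw.inbound(Packet("tcp", web, lan_host, sport=443, dport=51000)),
        "unsolicited ssh": fw.inbound(Packet("tcp", web, lan_host, sport=40000, dport=22)),
        "packet too big": fw.inbound(Packet("icmp", web, lan_host, icmp_type=2)),
        "router advertisement": fw.inbound(Packet("icmp", "fe80::1", "ff02::1", icmp_type=134)),
        "dhcpv6 reply": fw.inbound(Packet("udp", "fe80::1", "fe80::2", sport=547, dport=546)),
        "dhcpv6 from global": fw.inbound(Packet("udp", web, "fe80::2", sport=547, dport=546)),
    }


if __name__ == "__main__":
    for name, (action, by) in run_scenario().items():
        print(f"{name:22} {action:6} ({by})")
```

The model shows why each list is needed: the HTTPS reply gets in only because the dynamic filter recorded the outbound flow, the unsolicited SSH connection hits the implicit deny, Packet Too Big passes through `wan-in-icmpv6`, the RA is dropped by `wan-in-ra`, and a DHCPv6 reply is accepted only from a link-local source.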

Although omitted in the minimum configuration example at the beginning, I will introduce some settings that are good to include. I will skip general settings such as passwords, logging, UFS cache, and HTTP/SSH servers.

NAPT and Dynamic Filter Session Timeouts

ipv6 access-list dynamic timer icmp-timeout 60
ipv6 access-list dynamic timer tcp-fin-timeout 240
ipv6 access-list dynamic timer tcp-idle-timeout 7440
ipv6 access-list dynamic timer tcp-syn-timeout 240
ipv6 access-list dynamic timer udp-idle-timeout 300

interface GigaEthernet0.0
  ip napt translation tcp-timeout 7440
  ip napt translation syn-timeout 240
  ip napt translation finrst-timeout 240

In IPv4 NAPT (NAT), and in IPv6 the dynamic filter, allow in only the response packets for connections sent from the inside to the outside. Since the default lifetimes of these sessions are too short, set them to a sufficiently long duration.

| IPv4 NAPT timer | Default (sec) | Changed value (sec) |
| --- | --- | --- |
| tcp-timeout | 900 | 7440 |
| syn-timeout | 30 | 240 |
| finrst-timeout | 60, 1 | 240, 1 |
| udp-timeout | 300 | (unchanged) |
| icmp-timeout | 60 | (unchanged) |
| dns-timeout | 60 | (unchanged) |
| gre-timeout | (same as other-timeout) | (unchanged) |
| other-timeout | 60 | (unchanged) |

| IPv6 dynamic filter timer | Default (sec) | Changed value (sec) |
| --- | --- | --- |
| tcp-syn-timeout | 30 | 240 |
| tcp-fin-timeout | 5 | 240 |
| tcp-idle-timeout | 300 | 7440 |
| udp-idle-timeout | 30 | 300 |
| dns-timeout | 30 | (unchanged) |
| icmp-timeout | 30 | 60 |
| global-timeout | 60 | (unchanged) |

I referred to the following article.

https://qiita.com/ykatombn/items/51edf7f62aedd8ea1d76#タイムアウト設定

There are opinions that these should be shortened in FLET'S Hikari IPoE environments, where the number of usable ports is limited. In J:COM, since you can use all ports, there should be no reason to shorten them.

NAPT Cache Count Limit

interface GigaEthernet0.0
  ip napt translation max-entries per-address 4096

If a single terminal opens a large number of connections, the NAPT entry count might reach its limit, preventing other terminals from opening connections. To prevent this, I limit the maximum number of entries per client.

Static Filters

ip access-list permit-all permit ip src any dest any
ip access-list wan-out-basic option optimize
ip access-list wan-out-basic deny udp src any sport any dest any dport range 137 139
ip access-list wan-out-basic deny tcp src any sport any dest any dport range 137 139
ip access-list wan-out-basic deny udp src any sport any dest any dport eq 445
ip access-list wan-out-basic deny tcp src any sport any dest any dport eq 445
ip access-list wan-out-basic deny tcp src any sport any dest any dport eq 2049
ip access-list wan-out-basic deny udp src any sport any dest any dport eq 2049
ip access-list wan-out-basic deny tcp src any sport any dest any dport eq 1243
ip access-list wan-out-basic deny tcp src any sport any dest any dport eq 12345
ip access-list wan-out-basic deny tcp src any sport any dest any dport eq 27374
ip access-list wan-out-basic deny tcp src any sport any dest any dport eq 31785
ip access-list wan-out-basic deny udp src any sport any dest any dport eq 31789
ip access-list wan-out-basic deny udp src any sport any dest any dport eq 31791
!
ipv6 access-list wan-out-basic option optimize
ipv6 access-list wan-out-basic deny udp src any sport any dest any dport range 137 139
ipv6 access-list wan-out-basic deny tcp src any sport any dest any dport range 137 139
ipv6 access-list wan-out-basic deny udp src any sport any dest any dport eq 445
ipv6 access-list wan-out-basic deny tcp src any sport any dest any dport eq 445
ipv6 access-list wan-out-basic deny tcp src any sport any dest any dport eq 2049
ipv6 access-list wan-out-basic deny udp src any sport any dest any dport eq 2049
ipv6 access-list wan-out-basic deny tcp src any sport any dest any dport eq 1243
ipv6 access-list wan-out-basic deny tcp src any sport any dest any dport eq 12345
ipv6 access-list wan-out-basic deny tcp src any sport any dest any dport eq 27374
ipv6 access-list wan-out-basic deny tcp src any sport any dest any dport eq 31785
ipv6 access-list wan-out-basic deny udp src any sport any dest any dport eq 31789
ipv6 access-list wan-out-basic deny udp src any sport any dest any dport eq 31791
!
interface GigaEthernet0.0
  ip filter wan-out-basic 1 out
  ip filter permit-all 999 in
  ipv6 filter wan-out-basic 1 out

Referring to the default settings of recent home routers, I have configured port restrictions for some outbound packets. They block the ports used by NetBIOS (137-139), SMB (445), and NFS (2049), plus ports once used by malware (the remaining entries). It is unclear whether these settings are still effective today, but I am setting them just in case. Since NAPT and dynamic filters are configured, there is no need to restrict inbound packets.

https://www.aterm.jp/function/wx11000t12/appendix/initialvalue_local.html

Discarding Packets with Invalid Source or Destination

ip access-list wan-in-invalid option optimize
ip access-list wan-in-invalid deny ip src 0.0.0.0/8 dest any
ip access-list wan-in-invalid deny ip src 127.0.0.0/8 dest any
ip access-list wan-in-invalid deny ip src 169.254.0.0/16 dest any
ip access-list wan-in-invalid deny ip src 192.0.2.0/24 dest any
ip access-list wan-in-invalid deny ip src 198.51.100.0/24 dest any
ip access-list wan-in-invalid deny ip src 203.0.113.0/24 dest any
ip access-list wan-out-invalid option optimize
ip access-list wan-out-invalid deny ip src any dest 0.0.0.0/8
ip access-list wan-out-invalid deny ip src any dest 127.0.0.0/8
ip access-list wan-out-invalid deny ip src any dest 169.254.0.0/16
ip access-list wan-out-invalid deny ip src any dest 192.0.2.0/24
ip access-list wan-out-invalid deny ip src any dest 198.51.100.0/24
ip access-list wan-out-invalid deny ip src any dest 203.0.113.0/24
!
ipv6 access-list wan-in-invalid option optimize
ipv6 access-list wan-in-invalid deny ip src 2001:db8::/32 dest any
ipv6 access-list wan-out-invalid option optimize
ipv6 access-list wan-out-invalid deny ip src any dest ::/96
ipv6 access-list wan-out-invalid deny ip src any dest ::ffff:0:0/96
ipv6 access-list wan-out-invalid deny ip src any dest 2001:db8::/32
ipv6 access-list wan-out-invalid deny ip src any dest fec0::/10
!
interface GigaEthernet0.0
  ip filter wan-in-invalid 2 in
  ip filter wan-out-invalid 2 out
  ip filter permit-all 999 out
  ipv6 filter wan-in-invalid 4 in
  ipv6 filter wan-out-invalid 2 out

Discard packets with invalid source or destination addresses. This includes private IP addresses, loopback addresses, documentation IP addresses, etc. The ISP should discard such packets, but I configure this just in case. Filters on an interface are evaluated in ascending order of their number, so these lists need numbers that do not collide with the filters from the earlier sections.

Also, packets originating from the outside with a source address that is part of the prefix distributed by DHCPv6-PD should essentially be discarded. Unfortunately, it seems there is no way to achieve this on the IX2215.

Conclusion

I introduced the configuration for using J:COM's IPv6 on the IX2215. I use this configuration with additions such as port VLAN/tag VLAN, and adjustments to RA intervals and UFS cache parameters. I hope this article is helpful.

References

https://jpn.nec.com/univerge/ix/Manual/index.html

https://nyanshiba.com/blog/nec-ix/

https://kusoneko.blogspot.com/2021/11/bought-nec-ix2215-for-home-broadband-router.html

https://takachan.jra.net/blog/archives/1216

https://www.ymstmsys.jp/blog/2023/11/03/

https://www.janog.gr.jp/meeting/janog49/wp-content/uploads/2021/12/JANOG49-ixpipv6-20220126_01.pdf

https://www.nic.ad.jp/ja/materials/iw/2017/proceedings/s03/s3-fujisaki.pdf

https://www.v6pc.jp/jp/wg/coexistenceWG/v6hgw-swg.phtml
