IPv4 over IPv6 with DS-Lite on the EdgeRouter
Introduction
I signed up for the IPoE option on IIJmio Hikari and set up a DS-Lite connection on an EdgeRouter-Lite3.
I also subscribed to Hikari Denwa (the NTT fiber VoIP service) at the same time, and configure DHCPv6-PD so that hosts on the LAN get IPv6 addresses as well.
Topology
+-----------------+          +--------------------------+
|    pr-500ki     |          |     EdgeRouter-Lite3     |
|                 |          |                          |
| +----+   +----+ |          | +----+   +----+   +----+ |
| |WAN |   |LAN1| |          | |eth0|   |eth1|   |eth2| |
+-+-+--+---+-+--+-+          +-+-+--+---+-+--+---+-+--+-+
    |        |                   |        |        |
INTERNET     +-------------------+        +--------+---- LAN
The home gateway (Hikari Denwa router) lent by IIJ, the hikari-collaboration carrier, was a pr-500ki. Since the EdgeRouter-Lite3 will handle PPPoE (IPv4), stop PPPoE on the pr-500ki beforehand and enable PPPoE bridging.
On the EdgeRouter-Lite3, eth0 is the WAN port and eth1 and eth2 are LAN ports.
It seems possible to bridge eth1 and eth2, but since that cuts performance considerably they are kept as separate segments here. The EdgeRouter-X can bridge in hardware, so it should not slow down nearly as much.
Because the contract includes Hikari Denwa, the pr-500ki is assigned a /60 IPv6 prefix. That prefix is subdivided into /64s and handed out to the LAN hosts via DHCPv6.
In addition, the following was configured:
- 192.168.1.1-192.168.1.63/24 is the server segment; it reaches the Internet via PPPoE
- 192.168.1.64-192.168.1.199/24 is the LAN segment; it reaches the Internet via DS-Lite
- 192.168.1.200-192.168.1.210/24 is pooled for L2TP connections
- PPPoE and DS-Lite are selected by policy-based routing
- Run my own domain on Google Domains and set up DDNS
Config
The EdgeRouter OS (EdgeMAX) is a fork of VyOS, so the config is almost the same as VyOS's.
A DS-Lite connection needs an IPIP tunnel (ipv6-tunnel) to the IPv6 service provider transix, and when creating it not only remote-ip but also local-ip must be given as a global IPv6 address. So first set "set interfaces ethernet eth0 ipv6 address autoconf" on eth0, confirm that a global IPv6 address has been assigned, and only then configure the ipv6-tunnel.
Replace everything inside {{ }} with your own values.
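As an added worked example (not code from the original post), the following Python script computes the per-LAN /64s that the dhcpv6-pd stanzas in the listing produce from a delegated /60, and checks that a candidate local-ip for the DS-Lite tunnel is in fact a global unicast address rather than the link-local address eth0 always carries. The delegated prefix 2001:db8:0:10::/60 and the candidate addresses are constructed sample values; reading prefix-id as the hex subnet identifier that fills the bits between the delegated prefix length and /64 is my assumption about the EdgeOS semantics.

```python
import ipaddress

# Constructed sample input (not from the page): the /60 the provider delegates
# to eth0, plus the (prefix-id, host-address) pairs from the dhcpv6-pd stanzas.
DELEGATED_PREFIX = "2001:db8:0:10::/60"
PD_INTERFACES = {"eth1": (":1", "::1"), "eth2": (":2", "::1")}

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")   # RFC 4291 global unicast range


def derive_lan_prefix(delegated, prefix_id, host_address="::1"):
    """Return (subnet, router_address) for one 'dhcpv6-pd pd 0 interface' stanza.

    Assumption: prefix-id is the hex subnet identifier placed in the bits between
    the delegated prefix length and /64 (4 bits for a /60), and host-address is
    the router's interface identifier inside that /64.
    """
    pd = ipaddress.IPv6Network(delegated)           # strict: host bits must be zero
    if pd.prefixlen > 64:
        raise ValueError("a delegated prefix longer than /64 cannot be split into /64s")
    sla_bits = 64 - pd.prefixlen
    sla_id = int(prefix_id.lstrip(":"), 16)
    if sla_id >= 1 << sla_bits:
        raise ValueError(f"prefix-id {prefix_id} does not fit in the {sla_bits} subnet bits of a /{pd.prefixlen}")
    subnet_int = int(pd.network_address) | (sla_id << 64)
    iid = int(ipaddress.IPv6Address(host_address)) & ((1 << 64) - 1)
    subnet = ipaddress.IPv6Network((subnet_int, 64))
    return str(subnet), str(ipaddress.IPv6Address(subnet_int | iid))


def plan_lan_prefixes(delegated, interfaces=PD_INTERFACES):
    """Map every LAN interface to the /64 it will announce and the router's address in it."""
    return {ifname: derive_lan_prefix(delegated, pid, host)
            for ifname, (pid, host) in interfaces.items()}


def is_usable_tunnel_local_ip(addr):
    """The ipv6-tunnel local-ip must be global unicast; fe80::/10 (link-local)
    and fc00::/7 (ULA) addresses are rejected."""
    return ipaddress.IPv6Address(addr) in GLOBAL_UNICAST


if __name__ == "__main__":
    for ifname, (subnet, router) in plan_lan_prefixes(DELEGATED_PREFIX).items():
        print(f"{ifname}: announce {subnet}, router address {router}")
    for cand in ("fe80::1", "fd00::1", "2001:db8:0:10::1"):   # constructed candidates
        print(f"{cand:>18}  usable as local-ip: {is_usable_tunnel_local_ip(cand)}")
```

Run it against the prefix shown by "show interfaces ethernet eth0" once autoconf has completed; if the delegation ever turns out to be shorter or longer than /60, the prefix-length in the stanza and the number of usable prefix-ids change accordingly, which the ValueError makes visible.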
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN description 'WANv6 to LAN'
set firewall ipv6-name WANv6_IN enable-default-log
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 description 'Allow established/related'
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable
set firewall ipv6-name WANv6_IN rule 20 action accept
set firewall ipv6-name WANv6_IN rule 20 description 'Allow IPv6 ICMP'
set firewall ipv6-name WANv6_IN rule 20 protocol ipv6-icmp
set firewall ipv6-name WANv6_IN rule 30 action drop
set firewall ipv6-name WANv6_IN rule 30 description 'Drop invalid state'
set firewall ipv6-name WANv6_IN rule 30 state invalid enable
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL description 'WANv6 to Router'
set firewall ipv6-name WANv6_LOCAL enable-default-log
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 description 'Allow established/related'
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
set firewall ipv6-name WANv6_LOCAL rule 20 action accept
set firewall ipv6-name WANv6_LOCAL rule 20 description 'Allow IPv6 ICMP'
set firewall ipv6-name WANv6_LOCAL rule 20 protocol ipv6-icmp
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 description 'Allow DHCPv6'
set firewall ipv6-name WANv6_LOCAL rule 30 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 30 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 30 source port 547
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 description 'Allow DSLite'
set firewall ipv6-name WANv6_LOCAL rule 40 protocol ipip
set firewall ipv6-name WANv6_LOCAL rule 50 action drop
set firewall ipv6-name WANv6_LOCAL rule 50 description 'Drop invalid state'
set firewall ipv6-name WANv6_LOCAL rule 50 state invalid enable
set firewall name DSLite_IN default-action drop
set firewall name DSLite_IN description 'WAN(DSLite) to LAN'
set firewall name DSLite_IN rule 10 action accept
set firewall name DSLite_IN rule 10 description 'Allow established/related'
set firewall name DSLite_IN rule 10 state established enable
set firewall name DSLite_IN rule 10 state related enable
set firewall name DSLite_IN rule 20 action drop
set firewall name DSLite_IN rule 20 description 'Drop invalid state'
set firewall name DSLite_IN rule 20 state invalid enable
set firewall name DSLite_LOCAL default-action drop
set firewall name DSLite_LOCAL description 'WAN(DSLite) to Router'
set firewall name DSLite_LOCAL rule 10 action accept
set firewall name DSLite_LOCAL rule 10 description 'Allow established/related'
set firewall name DSLite_LOCAL rule 10 state established enable
set firewall name DSLite_LOCAL rule 10 state related enable
set firewall name DSLite_LOCAL rule 20 action drop
set firewall name DSLite_LOCAL rule 20 description 'Drop invalid state'
set firewall name DSLite_LOCAL rule 20 state invalid enable
set firewall name PPPoE_IN default-action drop
set firewall name PPPoE_IN description 'WAN(PPPoE) to LAN'
set firewall name PPPoE_IN rule 10 action accept
set firewall name PPPoE_IN rule 10 description 'Allow established/related'
set firewall name PPPoE_IN rule 10 state established enable
set firewall name PPPoE_IN rule 10 state related enable
set firewall name PPPoE_IN rule 20 action drop
set firewall name PPPoE_IN rule 20 description 'Drop invalid state'
set firewall name PPPoE_IN rule 20 state invalid enable
set firewall name PPPoE_LOCAL default-action drop
set firewall name PPPoE_LOCAL description 'WAN(PPPoE) to Router'
set firewall name PPPoE_LOCAL rule 10 action accept
set firewall name PPPoE_LOCAL rule 10 description 'Allow established/related'
set firewall name PPPoE_LOCAL rule 10 state established enable
set firewall name PPPoE_LOCAL rule 10 state related enable
set firewall name PPPoE_LOCAL rule 20 action accept
set firewall name PPPoE_LOCAL rule 20 description 'Allow ping'
set firewall name PPPoE_LOCAL rule 20 destination group address-group ADDRv4_pppoe0
set firewall name PPPoE_LOCAL rule 20 log disable
set firewall name PPPoE_LOCAL rule 20 protocol icmp
set firewall name PPPoE_LOCAL rule 30 action accept
set firewall name PPPoE_LOCAL rule 30 description 'Allow IKE, L2TP, NAT-T'
set firewall name PPPoE_LOCAL rule 30 destination port 500,1701,4500
set firewall name PPPoE_LOCAL rule 30 protocol udp
set firewall name PPPoE_LOCAL rule 40 action accept
set firewall name PPPoE_LOCAL rule 40 description 'Allow ESP'
set firewall name PPPoE_LOCAL rule 40 protocol esp
set firewall name PPPoE_LOCAL rule 50 action drop
set firewall name PPPoE_LOCAL rule 50 description 'Drop invalid state'
set firewall name PPPoE_LOCAL rule 50 state invalid enable
set firewall modify LAN_PBR rule 10 action modify
set firewall modify LAN_PBR rule 10 description 'LAN to LAN'
set firewall modify LAN_PBR rule 10 destination address 192.168.0.0/16
set firewall modify LAN_PBR rule 10 modify table main
set firewall modify LAN_PBR rule 20 action modify
set firewall modify LAN_PBR rule 20 description 'LAN to LAN(hairpin-nat)'
set firewall modify LAN_PBR rule 20 destination group address-group ADDRv4_pppoe0
set firewall modify LAN_PBR rule 20 modify table main
set firewall modify LAN_PBR rule 30 action modify
set firewall modify LAN_PBR rule 30 description 'LAN to WAN(PPPoE)'
set firewall modify LAN_PBR rule 30 modify table 1
set firewall modify LAN_PBR rule 30 source address 192.168.1.1-192.168.1.63
set firewall modify LAN_PBR rule 40 action modify
set firewall modify LAN_PBR rule 40 description 'LAN to WAN(DSLite)'
set firewall modify LAN_PBR rule 40 modify table 2
set firewall modify LAN_PBR rule 40 source address 192.168.1.64-192.168.1.254
set firewall options mss-clamp interface-type pppoe
set firewall options mss-clamp mss 1414
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 speed auto
set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL
set interfaces ethernet eth0 ipv6 address autoconf
set interfaces ethernet eth0 ipv6 dup-addr-detect-transmits 1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 host-address '::1'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 prefix-id ':1'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 host-address '::1'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 prefix-id ':2'
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 prefix-length /60
set interfaces ethernet eth0 dhcpv6-pd rapid-commit enable
set interfaces ethernet eth0 pppoe 0 description IIJMio
set interfaces ethernet eth0 pppoe 0 default-route auto
set interfaces ethernet eth0 pppoe 0 mtu 1454
set interfaces ethernet eth0 pppoe 0 firewall in name PPPoE_IN
set interfaces ethernet eth0 pppoe 0 firewall local name PPPoE_LOCAL
set interfaces ethernet eth0 pppoe 0 name-server auto
set interfaces ethernet eth0 pppoe 0 password {{PPPOE_PASSWORD}}
set interfaces ethernet eth0 pppoe 0 user-id {{PPPOE_ACCOUNT}}@iij.ad.jp
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 description LAN1
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 speed auto
set interfaces ethernet eth1 firewall in modify LAN_PBR
set interfaces ethernet eth2 address 192.168.2.1/24
set interfaces ethernet eth2 description LAN2
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 speed auto
set interfaces ipv6-tunnel v6tun0 description DSLite
set interfaces ipv6-tunnel v6tun0 encapsulation ipip6
set interfaces ipv6-tunnel v6tun0 firewall in name DSLite_IN
set interfaces ipv6-tunnel v6tun0 firewall local name DSLite_LOCAL
set interfaces ipv6-tunnel v6tun0 local-ip {{GLOBAL_IPV6_ADDR_ETH0}}
set interfaces ipv6-tunnel v6tun0 mtu 1454
set interfaces ipv6-tunnel v6tun0 multicast disable
set interfaces ipv6-tunnel v6tun0 remote-ip '2404:8e00::feed:101'
set interfaces ipv6-tunnel v6tun0 ttl 64
set protocols static interface-route 0.0.0.0/0 next-hop-interface pppoe0
set protocols static interface-route 0.0.0.0/0 next-hop-interface v6tun0 distance 100
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface pppoe0
set protocols static table 2 interface-route 0.0.0.0/0 next-hop-interface v6tun0
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server use-dnsmasq disable
set service dhcp-server static-arp disable
set service dhcp-server shared-network-name LAN1 authoritative enable
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 dns-server 192.168.1.1
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 lease 86400
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 domain-name lan
set service dhcp-server shared-network-name LAN1 subnet 192.168.1.0/24 start 192.168.1.64 stop 192.168.1.240
set service dhcp-server shared-network-name LAN2 authoritative enable
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 default-router 192.168.2.1
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 dns-server 192.168.2.1
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 lease 86400
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 domain-name lan
set service dhcp-server shared-network-name LAN2 subnet 192.168.2.0/24 start 192.168.2.64 stop 192.168.2.240
set service dns dynamic interface pppoe0 service custom-GoogleDomains host-name {{DDNS_HOSTNAME}}
set service dns dynamic interface pppoe0 service custom-GoogleDomains login nouser
set service dns dynamic interface pppoe0 service custom-GoogleDomains password {{DDNS_TOKEN}}
set service dns dynamic interface pppoe0 service custom-GoogleDomains protocol dyndns2
set service dns dynamic interface pppoe0 service custom-GoogleDomains server domains.google.com
set service dns dynamic interface pppoe0 web dyndns
set service dns forwarding cache-size 5000
set service dns forwarding listen-on eth1
set service dns forwarding listen-on eth2
set service dns forwarding listen-on lo
set service dns forwarding name-server 202.232.2.32
set service dns forwarding name-server 202.232.2.33
set service gui http-port 80
set service gui https-port 443
set service gui older-ciphers enable
set service nat rule 5010 description 'masquerade for WAN(PPPoE)'
set service nat rule 5010 outbound-interface pppoe0
set service nat rule 5010 type masquerade
set service ssh disable-password-authentication
set service ssh port 22
set service ssh protocol-version v2
set system login user {{USERNAME}} authentication encrypted-password '{{PASSWORD}}'
set system login user {{USERNAME}} authentication public-keys {{USERNAME}}@host key {{PUBLIC_KEY}}
set system login user {{USERNAME}} authentication public-keys {{USERNAME}}@host type ssh-rsa
set system login user {{USERNAME}} level admin
set system name-server 127.0.0.1
set system ntp server 0.ubnt.pool.ntp.org
set system ntp server 1.ubnt.pool.ntp.org
set system ntp server 2.ubnt.pool.ntp.org
set system ntp server 3.ubnt.pool.ntp.org
set system time-zone Asia/Tokyo
set system syslog global facility all level notice
set system syslog global facility protocols level debug
set system syslog host 192.168.1.10 facility all level info
set system offload hwnat disable
set system offload ipv4 forwarding enable
set system offload ipv4 pppoe enable
set system offload ipv6 forwarding enable
set system traffic-analysis dpi enable
set system traffic-analysis export enable
set vpn ipsec ipsec-interfaces interface pppoe0
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal enable
set vpn l2tp remote-access authentication local-users username {{L2TP_USERNAME}} password {{L2TP_PASSWORD}}
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access client-ip-pool start 192.168.1.240
set vpn l2tp remote-access client-ip-pool stop 192.168.1.254
set vpn l2tp remote-access dns-servers server-1 192.168.1.1
set vpn l2tp remote-access dns-servers server-2 8.8.8.8
set vpn l2tp remote-access idle 1800
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret {{PRE_SHARED_SECRET}}
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn l2tp remote-access mtu 1280
set vpn l2tp remote-access outside-address 0.0.0.0
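The firewall and policy-based-routing behaviour of the listing above, as an added example that is not the post's own code: a small Python evaluator that parses a subset of the page's "set firewall" lines with EdgeOS's first-match semantics, then answers which inbound IPv6 packets WANv6_LOCAL lets reach the router, and which routing table, and hence which WAN, a LAN host's IPv4 traffic ends up on. The pppoe0 address 203.0.113.5 and the sample packets are constructed; the per-table routes mirror the "protocols static" lines (table main prefers pppoe0 because its distance 1 beats the v6tun0 fallback at 100). One thing the evaluator makes visible is that the listing attaches LAN_PBR to eth1 only, so hosts on eth2 (192.168.2.0/24) fall through to table main and leave via PPPoE, and that rule 10 is what keeps LAN-to-LAN traffic off the tunnel.

```python
import ipaddress

# Subset of the page's own 'set firewall' lines (descriptions and rule 50 omitted).
# ADDRv4_pppoe0 is EdgeOS's auto-maintained pppoe0 address group; constructed value here.
CONFIG = """
set firewall ipv6-name WANv6_LOCAL default-action drop
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 30 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 30 source port 547
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 protocol ipip
set firewall modify LAN_PBR rule 10 action modify
set firewall modify LAN_PBR rule 10 destination address 192.168.0.0/16
set firewall modify LAN_PBR rule 10 modify table main
set firewall modify LAN_PBR rule 20 action modify
set firewall modify LAN_PBR rule 20 destination group address-group ADDRv4_pppoe0
set firewall modify LAN_PBR rule 20 modify table main
set firewall modify LAN_PBR rule 30 action modify
set firewall modify LAN_PBR rule 30 modify table 1
set firewall modify LAN_PBR rule 30 source address 192.168.1.1-192.168.1.63
set firewall modify LAN_PBR rule 40 action modify
set firewall modify LAN_PBR rule 40 modify table 2
set firewall modify LAN_PBR rule 40 source address 192.168.1.64-192.168.1.254
"""
ADDRESS_GROUPS = {"ADDRv4_pppoe0": ["203.0.113.5"]}  # constructed pppoe0 address
INTERFACE_MODIFY = {"eth1": "LAN_PBR"}               # the page attaches LAN_PBR to eth1 only
ROUTES = {  # connected routes plus the page's per-table default routes (distance 1 < 100)
    "main": [("192.168.1.0/24", "eth1"), ("192.168.2.0/24", "eth2"), ("0.0.0.0/0", "pppoe0")],
    "1": [("0.0.0.0/0", "pppoe0")],
    "2": [("0.0.0.0/0", "v6tun0")],
}

def parse(config):
    """Turn 'set firewall <kind> <name> ...' lines into {name: {kind, default, rules}}."""
    rulesets = {}
    for line in config.strip().splitlines():
        p = line.split()
        if p[:2] != ["set", "firewall"] or p[2] not in ("name", "ipv6-name", "modify"):
            continue
        rs = rulesets.setdefault(p[3], {"kind": p[2], "default": "accept", "rules": {}})
        if p[4] == "default-action":
            rs["default"] = p[5]
        elif p[4] == "rule":  # 'rule 30 destination port 546' -> {"destination port": "546"}
            rs["rules"].setdefault(int(p[5]), {})[" ".join(p[6:-1])] = p[-1]
    return rulesets

def _addr_match(spec, ip):
    """spec is a CIDR, a single address, or an 'a-b' range as EdgeOS writes it."""
    ip = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(x) for x in spec.split("-"))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)

def _matches(rule, pkt):
    """A rule's match criteria are ANDed; its 'state X enable' flags are ORed."""
    states = {k.split()[1] for k, v in rule.items() if k.startswith("state ") and v == "enable"}
    if states and pkt.get("state") not in states:
        return False
    checks = {
        "protocol": lambda v: pkt.get("protocol") == v,
        "destination port": lambda v: str(pkt.get("dport")) in v.split(","),
        "source port": lambda v: str(pkt.get("sport")) in v.split(","),
        "destination address": lambda v: _addr_match(v, pkt["dst"]),
        "source address": lambda v: _addr_match(v, pkt["src"]),
        "destination group address-group": lambda v: any(_addr_match(a, pkt["dst"]) for a in ADDRESS_GROUPS[v]),
    }
    return all(check(rule[key]) for key, check in checks.items() if key in rule)

def evaluate(rulesets, name, pkt):
    """First match wins: (action, rule) for a filter, (routing table, rule) for a modify ruleset."""
    rs = rulesets[name]
    for num in sorted(rs["rules"]):
        rule = rs["rules"][num]
        if _matches(rule, pkt):
            return rule.get("modify table", rule["action"]), num
    return ("main" if rs["kind"] == "modify" else rs["default"]), None

def lookup(table, dst):
    """Longest-prefix match in one of the routing tables above."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p).prefixlen, i) for p, i in ROUTES[table] if ip in ipaddress.ip_network(p)]
    return max(hits)[1] if hits else None

def select_egress(rulesets, ingress, src, dst):
    """Interface an IPv4 packet entering on `ingress` leaves on, after PBR and routing."""
    name = INTERFACE_MODIFY.get(ingress)
    table = evaluate(rulesets, name, {"src": src, "dst": dst})[0] if name else "main"
    return lookup(table, dst)

if __name__ == "__main__":
    rs = parse(CONFIG)
    print("DHCPv6 reply:", evaluate(rs, "WANv6_LOCAL", {"protocol": "udp", "sport": 547, "dport": 546, "state": "new"}))
    for iface, src, dst in [("eth1", "192.168.1.10", "8.8.8.8"), ("eth1", "192.168.1.100", "8.8.8.8"), ("eth2", "192.168.2.50", "8.8.8.8")]:
        print(f"{src} -> {dst} in on {iface}: leaves on {select_egress(rs, iface, src, dst)}")
```

The evaluator ignores description and log keys, so the full listing can be fed to parse() unchanged; extend the checks table if you add rules that match on other criteria.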
Discussion
L2TP/IPsec is an old VPN protocol, and some platforms appear to be deprecating it.
I wrote up the steps for deploying an IKEv2/IPsec VPN ⇒
Later I decided to leave VPN entirely to tailscale. The setup is so simple it makes me think every personal VPN could just use this. Wonderful ⇒