I recently switched ISPs. The new one provides me with a /48 address prefix, unlike my previous ISPs, most of which used DHCP to hand you a single IPv6 address directly. Although the whole point of v6 is that addresses are "unlimited", being assigned just one saves a lot of configuration hassle.
This completely new setup caught me off guard.
The good news: there is an official tutorial. The bad news: the official tutorial doesn't work.
That was a headache. After finishing the configuration I had no connectivity, and even after I manually added a static route on the router towards the uplink, nothing could be routed out. I am using a MikroTik router running RouterOS v7.
Following the official tutorial, the first step is to add a DHCP client. This is simple, but unlike the usual case you must not tick "address": if you do, the DHCP client stays in the searching state forever, because nobody will ever answer with an IP address. Request only the prefix, and it binds successfully.
Next, manually give your bridge and your WAN port an IP address. You only need to write ::/64; the router generates the corresponding address automatically. ISPs hand out prefixes of different lengths, but for home use a /64 is usually all you need. When adding the address, tick the "advertise" option so that your computers, phones and so on can discover the router and add it as their gateway.
Finally, go to the IPv6 settings and enable IPv6, accept forwarding and accept router advertisements.
Then reboot the router, and done!
So here is the problem... after the reboot I still had no IPv6 connectivity.
Since the error from ping6 was "no route", I added one: first a global static route out through ether1, my WAN port. Now there was a route, but the reply was a timeout; obviously nobody was answering. Sometimes it returned destination unreachable instead.
After carefully comparing against the v6 configuration, I noticed I was missing the firewall configuration. I found the default firewall configuration online and imported it, but it still didn't work.
After several days of searching online for an answer, I finally solved it:
It turns out that under ND, that is IPv6 Neighbor Discovery, you have to add ether1. By default only the bridge is listed there, so the router can only discover the devices on the LAN. After adding ether1 to neighbor discovery and rebooting the router, the neighbor list quickly filled with upstream router addresses, the router added a dynamic gateway, and testing showed the connection was up.
Here is my configuration summarized in CLI form:
```
ipv6 dhcp-client add interface=ether1 request=prefix pool-name=v6 pool-prefix-length=64 prefix-hint=::/48
ipv6 address add address=::/64 from-pool=v6 interface=bridge eui-64=yes advertise=yes
ipv6 address add address=::/64 from-pool=v6 interface=ether1 eui-64=yes advertise=yes
ipv6 firewall {
    address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
    address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
    address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
    address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
    address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
    address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
    address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
    address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
    address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
    address-list add list=bad_ipv6 address=::224.0.0.0/100 comment="defconf: other"
    address-list add list=bad_ipv6 address=::127.0.0.0/104 comment="defconf: other"
    address-list add list=bad_ipv6 address=::/104 comment="defconf: other"
    address-list add list=bad_ipv6 address=::255.0.0.0/104 comment="defconf: other"
    filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
    filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
    filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
    filter add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
    filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
    filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
    filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
    filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
    filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
    filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
    filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
    filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
    filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
    filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
    filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
    filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
    filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
    filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
    filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
    filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
    filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
    filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
}
ipv6 nd add interface=ether1 ra-interval=20s-60s ra-lifetime=none
ipv6 nd set [ find interface=bridge ] dns=2606:4700:4700::1111,2001:4860:4860::8888 interface=bridge managed-address-configuration=yes ra-interval=20s-1m other-configuration=yes
```
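The firewall import above only works together with ND if the rules are present in the right order: ICMPv6 (which carries the router advertisements the post finally got working on ether1) and the DHCPv6 client replies must be accepted before the final "drop everything not from LAN" rule. The following audit script is an added example, not part of the original post or of RouterOS; it parses `filter add` lines in the export format shown above (the sample rules are a constructed subset of the defconf set) and reports the ordering and scoping problems a reviewer would look for.

```python
import re

# Constructed sample: the defconf input/forward rules that matter for ND and prefix delegation.
DEFCONF_RULES = """
filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
"""
# key=value or key="quoted value" tokens of a RouterOS command line
TOKEN = re.compile(r'(\S+?)=("[^"]*"|\S+)')

def parse_rules(text):
    # Turn each 'filter add ...' line into a dict of its properties, preserving order.
    rules = []
    for line in text.strip().splitlines():
        if line.startswith("filter add "):
            rules.append({k: v.strip('"') for k, v in TOKEN.findall(line)})
    return rules

def first_match(chain, **want):
    # Index of the first rule in the chain that has all the requested properties.
    for i, rule in enumerate(chain):
        if all(rule.get(k) == v for k, v in want.items()):
            return i
    return None

def audit(rules):
    """Return findings for a RouterOS IPv6 filter rule list; an empty list passes."""
    findings = []
    inp = [r for r in rules if r.get("chain") == "input"]
    fwd = [r for r in rules if r.get("chain") == "forward"]
    wan_drop = first_match(inp, action="drop", **{"in-interface-list": "!LAN"})
    if wan_drop is None:
        findings.append("input: no final drop for traffic not arriving from LAN")
    # ND (RA, NS/NA) is ICMPv6; if it is dropped the router never learns its upstream gateway
    icmp = first_match(inp, action="accept", protocol="icmpv6")
    if icmp is None or (wan_drop is not None and icmp > wan_drop):
        findings.append("input: ICMPv6 not accepted before the WAN drop; ND from the upstream router is blocked")
    dhcp = first_match(inp, action="accept", protocol="udp", **{"dst-port": "546"})
    if dhcp is None or (wan_drop is not None and dhcp > wan_drop):
        findings.append("input: DHCPv6 client (udp/546) not accepted before the WAN drop; prefix delegation fails")
    elif inp[dhcp].get("src-address") != "fe80::/10":
        findings.append("input: DHCPv6 client rule should only accept link-local (fe80::/10) sources")
    if first_match(fwd, action="drop", **{"in-interface-list": "!LAN"}) is None:
        findings.append("forward: no drop for traffic not from LAN; every LAN host is reachable from the internet")
    if first_match(fwd, action="drop", **{"src-address-list": "bad_ipv6"}) is None:
        findings.append("forward: bogon list bad_ipv6 is not enforced")
    return findings
```

The audit checks only presence and relative order of these rules; it does not validate the address-list contents or the interface list LAN that the drop rules rely on.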
This article was originally written by 落格博客: 落格博客 » If the IPv6 your ISP assigns you is only a prefix without an address
Please keep the source and original link when reposting: https://www.logcg.com/archives/3864.html
Hello, I have a question. I enabled RA on a side gateway (旁路网关), so the default gateway of all other devices is that side router. In that case, do I still need to enable NDP?
In my experience... yes, it is still needed, because your side router also has to be able to find the real route. But if you set up a static route, you probably don't need ND; just enable it on the side router.