I've re-enabled IPv6 using a 6rd tunnel and an IP update script for CenturyLink (after migrating from Comcast). My Macs and NAS are getting IPv6 addresses, but my Android devices aren't. I know that Android is a problem child in this regard. Can anyone recommend a modification to my config so that the Android devices get an IPv6 address?
I'd also welcome any advice on improving the IPv6 firewall rules, if anyone sees issues. Thank you in advance for your help!
Best regards,
Allen
/* EdgeOS (Vyatta-style) configuration as posted. PASSWORD, USER, <SNIP>, "IPv6 address", "IPv6 prefix" and "IPv4" are the poster's redactions. */
/* The NOTE(review) comments below are review remarks on what this listing shows; they do not change any setting. */
firewall {
    all-ping disable
    broadcast-ping disable
    group {
        address-group Flowroute {
            address 216.115.69.144
            address 70.167.153.130
            description "Flowroute SIP IP"
        }
        network-group BOGONS {
            description BOGONS
            network 10.0.0.0/8
            network 100.64.0.0/10
            network 127.0.0.0/8
            network 169.254.0.0/16
            network 172.16.0.0/12
            network 192.0.0.0/24
            network 192.0.2.0/24
            network 192.168.0.0/16
            network 198.18.0.0/15
            network 198.51.100.0/24
            network 203.0.113.0/24
            network 224.0.0.0/4
            network 240.0.0.0/4
        }
        port-group Operator {
            description "SIP ports"
            port 5060
            port 5061
            port 10000-19999
        }
    }
    /* IPv6 ruleset bound to tun0 in the "in" direction only (see interfaces/tunnel tun0). */
    /* NOTE(review): "in" rulesets filter traffic forwarded through the router; nothing in this listing filters IPv6 traffic addressed to the router itself ("local" on tun0). */
    ipv6-name Internet-To-LAN {
        default-action drop
        description "Internet to LAN"
        /* NOTE(review): the description says "Drop" but the action is accept for established/related; dropping is done by default-action. */
        /* NOTE(review): no explicit ICMPv6 rule; ICMPv6 errors tied to an existing flow are normally classed as related, but confirm path-MTU discovery works over the 1472-byte tunnel. */
        rule 1 {
            action accept
            description "Drop Incoming IPv6 unless related"
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            state {
                invalid enable
            }
        }
    }
    /* IPv6 ruleset bound to eth0 "in": LAN-originated IPv6 is allowed out by default. */
    ipv6-name LAN-To-Internet {
        default-action accept
        description "LAN to Internet"
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            state {
                invalid enable
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* Bound to eth0 vif 5 in the "out" direction (traffic leaving the router toward the Video VLAN). */
    /* NOTE(review): there is no accept rule, so default-action drop applies to everything forwarded toward 192.168.5.0/24, and rule 1 (source 192.168.5.0/24, destination 192.168.2.0/24) looks unlikely to match in that direction. If the goal is to stop the Video VLAN reaching the main LAN, confirm the direction and interface this is attached to. */
    name VIDEO {
        default-action drop
        description "Video VLAN blocking"
        rule 1 {
            action drop
            description "Block main"
            destination {
                address 192.168.2.0/24
            }
            log disable
            protocol all
            source {
                address 192.168.5.0/24
            }
        }
    }
    /* IPv4 forwarded traffic arriving on pppoe0. */
    name WAN_IN {
        default-action drop
        description "WAN Inbound"
        rule 1 {
            action accept
            description "Accept Related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        /* NOTE(review): rule 1 already accepts established, so this rule appears redundant. */
        rule 2 {
            action accept
            description "Accept established"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related disable
            }
        }
        /* NOTE(review): matches a port group with "protocol all"; confirm the rule commits and matches as intended, or narrow it to the protocols SIP/RTP actually use. It is limited to the Flowroute source addresses, which is the main control here. */
        rule 3 {
            action accept
            description "Accept SIP"
            destination {
                group {
                    port-group Operator
                }
            }
            log disable
            protocol all
            source {
                group {
                    address-group Flowroute
                }
            }
        }
        /* NOTE(review): evaluated after rule 3, so invalid-state packets that match rule 3 are accepted before this drop is reached. */
        rule 4 {
            action drop
            description "Drop Invalid"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    /* IPv4 traffic addressed to the router itself arriving on pppoe0. */
    name WAN_LOCAL {
        default-action drop
        description "Internet to router"
        rule 10 {
            action accept
            description "Accept Related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        /* NOTE(review): UDP 1701 is accepted from any source without requiring that it arrived inside IPsec; consider a separate 1701 rule with "ipsec match-ipsec" so L2TP is reachable only through the IPsec tunnel. */
        rule 20 {
            action accept
            description "Allow L2TP"
            destination {
                port 500,1701,4500
            }
            log disable
            protocol udp
        }
        rule 30 {
            action accept
            description "Allow ESP"
            log disable
            protocol 50
        }
        rule 50 {
            action drop
            description "Drop Invalid"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        /* NOTE(review): placed after the accept rules, so bogon sources still reach rules 20 and 30; everything else is dropped by default-action anyway. Moving it ahead of rule 20 would make it effective. */
        rule 51 {
            action drop
            description "drop bogon source"
            log disable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
    }
    options {
        mss-clamp {
            interface-type pppoe
            mss 1452
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.2.1/24
        address IPv6 address
        description Local
        duplex auto
        firewall {
            in {
                ipv6-name LAN-To-Internet
            }
        }
        ipv6 {
            dup-addr-detect-transmits 1
            /* Router advertisements for the main LAN: SLAAC is on (autonomous-flag true) and DHCPv6 is not signalled (managed-flag and other-config-flag false). */
            /* NOTE(review): Android has no DHCPv6 client and relies on SLAAC, which needs the advertised prefix to be a /64; confirm the length of the redacted prefix. No RDNSS (router-advert name-server) is advertised here. */
            router-advert {
                cur-hop-limit 64
                link-mtu 1472
                managed-flag false
                max-interval 300
                other-config-flag false
                prefix IPv6 prefix {
                    autonomous-flag true
                    on-link-flag true
                    valid-lifetime 2592000
                }
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
        speed auto
        vif 5 {
            address 192.168.5.1/24
            description "Video VLAN"
            firewall {
                out {
                    name VIDEO
                }
            }
            mtu 1500
        }
    }
    ethernet eth1 {
        description Internet
        duplex auto
        firewall {
            in {
            }
            local {
            }
        }
        speed auto
        vif 201 {
            description "Centurylink VLAN"
            firewall {
                in {
                }
            }
            pppoe 0 {
                default-route auto
                firewall {
                    in {
                        name WAN_IN
                    }
                    local {
                        name WAN_LOCAL
                    }
                }
                mtu 1492
                name-server auto
                password PASSWORD
                user-id USER
            }
        }
    }
    /* NOTE(review): the guest interface has no firewall ruleset in this listing, so guest clients are not blocked from the 192.168.2.0/24 and 192.168.5.0/24 networks or from the router's own services. */
    ethernet eth2 {
        address 192.168.10.1/24
        description "GDD Guest"
        duplex auto
        speed auto
    }
    loopback lo {
    }
    /* 6rd (IPv6-in-IPv4, "sit") tunnel carrying all IPv6 to and from the ISP. */
    /* NOTE(review): only an "in" ruleset is attached. Adding a "local" ipv6-name ruleset (default drop, accept established/related and the ICMPv6 the router needs) would filter IPv6 traffic addressed to the router's own addresses. */
    tunnel tun0 {
        6rd-prefix 2602::/24
        6rd-default-gw ::205.171.2.64
        address IPv6 address
        description "CenturyLink IPv6 6rd tunnel"
        encapsulation sit
        firewall {
            in {
                ipv6-name Internet-To-LAN
            }
        }
        local-ip IPv4
        mtu 1472
        multicast disable
        ttl 255
    }
}
port-forward {<SNIP>
    wan-interface pppoe0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name GDD-DHCP {
            authoritative disable
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 192.168.10.5 {
                    stop 192.168.10.10
                }
            }
        }
        shared-network-name LAN-DHCP {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 192.168.2.100 {
                    stop 192.168.2.199
                }
                <SNIP>
            }
        }
        /* NOTE(review): the pool starts at 192.168.5.1, which is also the router's address on vif 5, and the second DNS server (4.4.2.2) differs from the other scopes; confirm both are intended. */
        shared-network-name Video-DHCP {
            authoritative disable
            subnet 192.168.5.0/24 {
                default-router 192.168.5.1
                dns-server 8.8.8.8
                dns-server 4.4.2.2
                lease 86400
                start 192.168.5.1 {
                    stop 192.168.5.254
                }<SNIP>
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        dynamic {
            interface pppoe0 {
                service <SNIP>
                }
            }
        }
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth0.5
        }
    }
    /* NOTE(review): no listen-address is set for the GUI, unlike ssh below. With no IPv6 "local" ruleset on tun0, confirm the web UI is not reachable on the router's global IPv6 address; plain HTTP on port 80 is also enabled. */
    gui {
        http-port 80
        https-port 443
        older-ciphers disable
    }
    nat {
        /* Destination NAT of ESP (protocol 50) arriving on pppoe0 to the internal host 192.168.2.2. */
        rule 1 {
            description "L2TP protocol 50"
            inbound-interface pppoe0
            inside-address {
                address 192.168.2.2
            }
            log disable
            protocol 50
            type destination
        }
        rule 5000 {
            description PPPoE
            log disable
            outbound-interface pppoe0
            protocol all
            type masquerade
        }
    }
    /* SSH is bound to the LAN IPv4 address only. */
    ssh {
        listen-address 192.168.2.1
        port 22
        protocol-version v2
    }
    upnp {
    }
}
system {
    host-name AERouter
    login {
        banner {
            post-login "Welcome to EdgeMAX"
            pre-login "\n\n\t UNAUTHORIZED USE OF THE SYSTEM\n\n\t IS PROHIBITED! \n\n "
        }
        /* Password hashes are redacted in this listing (PASSWORD); treat the real encrypted-password values as secrets when sharing a config. */
        user admin {
            authentication {
                encrypted-password PASSWORD
                plaintext-password ""
            }
            full-name USER
            level admin
        }
        user allen {
            authentication {
                encrypted-password PASSWORD
                plaintext-password ""
            }
            full-name "USER"
            level operator
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            pppoe enable
            vlan enable
        }
    }
    static-host-mapping {<SNIP>
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    /* Runs the 6rd update script every 5 minutes; the script itself is not shown in this listing. */
    task-scheduler {
        task ipv6-6rd-update {
            executable {
                path /config/scripts/ipv6-6rd-update.sh
            }
            interval 5m
        }
    }
    time-zone America/Los_Angeles
    traffic-analysis {
        dpi enable
        export enable
    }
}
traffic-control {
    advanced-queue {
        filters {
            match 1 {
                application {
                    category Voice-over-IP
                }
                attach-to 1023
                ip {
                    destination {
                        address 192.168.2.0/24
                    }
                }
                target 1
            }
            match 2 {
                application {
                    category Voice-over-IP
                }
                attach-to 1023
                ip {
                    source {
                        address 192.168.2.0/24
                    }
                }
                target 2
            }
            match 3 {
                application {
                    category Streaming-Media
                }
                attach-to 1023
                ip {
                    destination {
                        address 192.168.2.0/24
                    }
                }
                target 3
            }
        }
        leaf {
            queue 1 {
                bandwidth 128kbit
                parent 1023
                queue-type UBNT_BQ_FQ_CODEL
            }
            queue 2 {
                bandwidth 128kbit
                parent 1023
                queue-type UBNT_BQ_FQ_CODEL
            }
            queue 3 {
                bandwidth 4096kbit
                parent 1023
                queue-type UBNT_BQ_FQ_CODEL
            }
        }
        queue-type {
            fq-codel UBNT_BQ_FQ_CODEL {
            }
        }
        root {
            queue 1023 {
                attach-to global
                bandwidth 1000mbit
                description UBNT-BQ
            }
        }
    }
    smart-queue WAN {
        download {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 40mbit
        }
        upload {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 20mbit
        }
        wan-interface pppoe0
    }
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.0.4901118.160804.1131 */