Support for ATT ipv6 and multiple PDs (#462)
* Support for ATT ipv6 and multiple PDs * Add example output for successful PD
This commit is contained in:
parent
8f9f73d82c
commit
e9ccdb2088
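--- a/att-ipv6/10-att-ipv6.sh
+++ b/att-ipv6/10-att-ipv6.sh
@@ -0,0 +1,77 @@
+#! /bin/sh
+set -eo pipefail
+
+wan_iface="eth8" # "eth9" for UDM Pro WAN2
+vlans="br0" # "br0 br100 br101..."
+domain="example.invalid" # DNS domain
+dns6="[2001:4860:4860::8888],[2001:4860:4860::8844]" # Google
+
+CONTAINER=att-ipv6
+confdir=/mnt/data/att-ipv6
+
+# main
+mkdir -p "${confdir}/dhcpcd"
+
+test -f "${confdir}/dhcpcd.conf" || {
+: > "${confdir}/dhcpcd.conf.tmp"
+cat >> "${confdir}/dhcpcd.conf.tmp" <<EOF
+allowinterfaces ${wan_iface}
+ipv6only
+nooption domain_name_servers
+nooption domain_name
+duid
+persistent
+option rapid_commit
+option interface_mtu
+require dhcp_server_identifier
+slaac private
+noipv6rs
+
+interface ${wan_iface}
+ipv6rs
+ia_na 0
+EOF
+
+ix=0
+for vv in $vlans; do
+echo " ia_pd ${ix} ${vv}/0"
+ix=$((ix+1))
+done >> "${confdir}/dhcpcd.conf.tmp"
+mv "${confdir}/dhcpcd.conf.tmp" "${confdir}/dhcpcd.conf"
+}
+
+test -f "${confdir}/att-ipv6-dnsmasq.conf" || {
+: > "${confdir}/att-ipv6-dnsmasq.conf.tmp"
+cat >> "${confdir}/att-ipv6-dnsmasq.conf.tmp" <<EOF
+#
+# via att-ipv6
+#
+enable-ra
+no-dhcp-interface=lo
+no-ping
+EOF
+
+for vv in $vlans; do
+cat <<EOF
+
+interface=${vv}
+dhcp-range=set:att-ipv6-${vv},::2,::7d1,constructor:${vv},slaac,ra-names,64,86400
+dhcp-option=tag:att-ipv6-${vv},option6:dns-server,${dns6}
+domain=${domain}|${vv}
+ra-param=${vv},high,0
+EOF
+done >> "${confdir}/att-ipv6-dnsmasq.conf.tmp"
+mv "${confdir}/att-ipv6-dnsmasq.conf.tmp" "${confdir}/att-ipv6-dnsmasq.conf"
+}
+
+
+if podman container exists "$CONTAINER"; then
+podman start "$CONTAINER"
+else
+podman run -d --restart=always --name "$CONTAINER" -v "${confdir}/dhcpcd.conf:/etc/dhcpcd.conf" -v "${confdir}/dhcpcd:/var/lib/dhcpcd" --net=host --privileged ghcr.io/michaelw/dhcpcd
+fi
+
+
+# Fix DHCP, assumes DHCPv6 is turned off in UI
+cp "${confdir}/att-ipv6-dnsmasq.conf" /run/dnsmasq.conf.d/
+start-stop-daemon -K -q -x /usr/sbin/dnsmasq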
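--- a/att-ipv6/README.md
+++ b/att-ipv6/README.md
@@ -0,0 +1,129 @@
+# AT&T IPv6
+
+On ATT IPv6, the RG (residential gateway) receives a /60 prefix itself, but only hands out one /64 to routers in IP Passthrough mode, regardless how big of a prefix was requested. The RG keeps the lower 8 /64s for its own purposes (`2600:1700:X:yyy0::/63`), and Unifi normally only receives `2600:1700:X:yyyf::/64`.
+
+This script enables UDM to receive up to 8 PDs on ATT IPv6 (tested with RG BGW320-500), usually starting at `2600:1700:X:yyyf::/64` down to `2600:1700:X:yyy8::/64`.
+Note that these may not always be assigned contiguous or in order.
+
+The price to pay is that almost none of the IPv6 support native to UDM remains enabled, hence options like DHCPv6 cannot be changed in the UI anymore.
+Firewall and routing rules remain functional, however.
+
+## Requirements
+
+1. You have successfully setup the on boot script described [here](https://github.com/unifi-utilities/unifios-utilities/tree/main/on-boot-script)
+2. You must set up the ATT RG in ["IP Passthrough" mode](https://patrickdomingues.com/2022/09/03/udm-pro-vpn-on-att-fiber-bgw320/)
+3. You must turn off IPv6 on the ATT WAN connection, AND on each network/VLAN (IPv6 Interface Type: None)
+4. You must add Firewall rules equivalent to (this can be done in the UI, select `Internet v6 Local` chain)
+```
+-A UBIOS_WAN_LOCAL_USER -p udp -m udp --sport 547 --dport 546 -j RETURN # select IPv6 Protocol "UDP" and create port groups for source port 547 and dest port 546
+-A UBIOS_WAN_LOCAL_USER -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j RETURN # select IPv6 Protocol "ICMPv6" and IPv6ICMP Type Name "Router Advertisement"
+```
+5. You may want to add a "Traffic Management" route on your ATT WAN device to access 192.168.1.254/32, so that you can access the RG after it is in passthrough mode.
+
+## Customization
+
+Near the top of `10-att-ipv6.sh`:
+
+```sh
+wan_iface="eth8" # use "eth9" for UDM Pro WAN2
+vlans="br0" # "br0 br100 br101..."
+domain="example.invalid" # DNS domain
+dns6="[2001:4860:4860::8888],[2001:4860:4860::8844]" # Google
+```
+
+This generates configuration files in directory `/mnt/data/att-ipv6`, if they don't exist.
+The files can be edited, or regenerated by deleting them and re-running the script.
+
+## Installation
+
+```sh
+cd /mnt/data/on_boot.d
+curl -LO https://raw.githubusercontent.com/unifi-utilities/unifios-utilities/HEAD/att-ipv6/10-att-ipv6.sh
+chmod +x 10-att-ipv6.sh
+./10-att-ipv6.sh
+```
+
+The dhcpcd container being used is built [here](https://github.com/michaelw/dhcpcd-container/pkgs/container/dhcpcd)
+
+## Validation
+
+Running the script starts dhcpcd within the `att-ipv6` container on `eth8` (WAN1) and only for the default network (`br0`). This can be customized, see above.
+
+To check that everything is working as expected, and the ATT RG delegates multiple prefixes:
+
+On UDM:
+```sh
+$ ip -6 r # should see a default route on the WAN interface, and a 2600:1700:X:Y::/64 prefix on each configured VLAN bridge interface
+2600:1700:X:yyy0::/64 dev eth9 proto ra metric 203 mtu 1500 pref medium
+2600:1700:X:yyyb::/64 dev br104 proto dhcp metric 235 pref medium
+2600:1700:X:yyyc::/64 dev br103 proto dhcp metric 234 pref medium
+2600:1700:X:yyyd::/64 dev br102 proto dhcp metric 233 pref medium
+2600:1700:X:yyye::/64 dev br101 proto dhcp metric 232 pref medium
+2600:1700:X:yyyf::/64 dev br0 proto dhcp metric 212 pref medium
+[...]
+```
+
+```sh
+$ podman logs att-ipv6 # should see dhcpcd successfully acquiring prefixes
+[...]
+eth9: writing lease `/var/lib/dhcpcd/eth9.lease6'
+eth9: delegated prefix 2600:1700:X:yyyf::/64
+eth9: delegated prefix 2600:1700:X:yyye::/64
+eth9: delegated prefix 2600:1700:X:yyyd::/64
+eth9: delegated prefix 2600:1700:X:yyyc::/64
+eth9: delegated prefix 2600:1700:X:yyyb::/64
+br0: adding address 2600:1700:X:yyyf::1/64
+br0: pltime 3600 seconds, vltime 3600 seconds
+br0: executing `/lib/dhcpcd/dhcpcd-run-hooks' DELEGATED6
+br101: adding address 2600:1700:X:yyye::1/64
+br101: pltime 3600 seconds, vltime 3600 seconds
+br101: executing `/lib/dhcpcd/dhcpcd-run-hooks' DELEGATED6
+br102: adding address 2600:1700:X:yyyd::1/64
+br102: pltime 3600 seconds, vltime 3600 seconds
+br102: executing `/lib/dhcpcd/dhcpcd-run-hooks' DELEGATED6
+br103: adding address 2600:1700:X:yyyc::1/64
+br103: pltime 3600 seconds, vltime 3600 seconds
+br103: executing `/lib/dhcpcd/dhcpcd-run-hooks' DELEGATED6
+br104: adding address 2600:1700:X:yyyb::1/64
+br104: pltime 3600 seconds, vltime 3600 seconds
+br104: executing `/lib/dhcpcd/dhcpcd-run-hooks' DELEGATED6
+br0: adding route to 2600:1700:X:yyyf::/64
+br101: adding route to 2600:1700:X:yyye::/64
+br102: adding route to 2600:1700:X:yyyd::/64
+br103: adding route to 2600:1700:X:yyyc::/64
+br104: adding route to 2600:1700:X:yyyb::/64
+lo: deleting reject route to 2600:1700:X:yyyf::/64
+lo: deleting reject route to 2600:1700:X:yyye::/64
+lo: deleting reject route to 2600:1700:X:yyyd::/64
+lo: deleting reject route to 2600:1700:X:yyyc::/64
+lo: deleting reject route to 2600:1700:X:yyyb::/64
+[...]
+```
+
+```sh
+$ ps auxw|grep dnsmasq # should see dnsmasq running
+```
+
+On BGW320-500, check https://192.168.1.254/cgi-bin/lanstatistics.ha for multiple PDs in `IPv6 Delegated Prefix Subnet (including length)`.
+
+
+On clients:
+```
+ip -6 addr show # should see SLAAC and/or DHCPv6 addresses received (if not, check dnsmasq configuration in `/run/dnsmasq.conf.d`)
+```
+
+### Useful commands
+
+```sh
+# View dhcpcd logs to verify the container is running without error (ipv6 logs from dhcpcd are normal).
+podman logs att-ipv6
+
+# Restart dhcpcd (e.g., after configuration change)
+podman exec -it dhcpcd -x
+
+# Stop the container
+podman stop att-ipv6
+
+# Remove the container
+podman rm att-ipv6
+```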