unifios-utilities/att-ipv6/README.md

# AT&T IPv6

On ATT IPv6, the RG (residential gateway) receives a /60 prefix itself, but only hands out one /64 to routers in IP Passthrough mode, regardless how big of a prefix was requested. The RG keeps the lower 8 /64s for its own purposes (`2600:1700:X:yyy0::/63`), and Unifi normally only receives `2600:1700:X:yyyf::/64`.

This script enables UDM to receive up to 8 PDs on ATT IPv6 (tested with RG BGW320-500), usually starting at `2600:1700:X:yyyf::/64` down to `2600:1700:X:yyy8::/64`.
Note that these may not always be assigned contiguous or in order.

The price to pay is that almost none of the IPv6 support native to UDM remains enabled, hence options like DHCPv6 cannot be changed in the UI anymore.
Firewall and routing rules remain functional, however.

## Requirements

1. You have successfully setup the on boot script described [here](https://github.com/unifi-utilities/unifios-utilities/tree/main/on-boot-script)
2. You must set up the ATT RG in ["IP Passthrough" mode](https://patrickdomingues.com/2022/09/03/udm-pro-vpn-on-att-fiber-bgw320/)
3. You must turn off IPv6 on the ATT WAN connection, AND on each network/VLAN (IPv6 Interface Type: None)
4. You must add Firewall rules equivalent to (this can be done in the UI, select `Internet v6 Local` chain)
   ```
   -A UBIOS_WAN_LOCAL_USER -p udp -m udp --sport 547 --dport 546 -j RETURN   # select IPv6 Protocol "UDP" and create port groups for source port 547 and dest port 546
   -A UBIOS_WAN_LOCAL_USER -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j RETURN # select IPv6 Protocol "ICMPv6" and IPv6ICMP  Type Name "Router Advertisement"
   ```
5. You may want to add a "Traffic Management" route on your ATT WAN device to access 192.168.1.254/32, so that you can access the RG after it is in passthrough mode.

## Customization

Near the top of `10-att-ipv6.sh`:

    ```sh
    wan_iface="eth8"            # use "eth9" for UDM Pro WAN2
    vlans="br0"                 # "br0 br100 br101..."
    domain="example.invalid"    # DNS domain
    dns6="[2001:4860:4860::8888],[2001:4860:4860::8844]" # Google
    ```

This generates configuration files in directory `/data/att-ipv6`, if they don't exist.
The files can be edited, or regenerated by deleting them and re-running the script.

## Installation

    ```sh
    cd /data/on_boot.d
    curl -LO https://raw.githubusercontent.com/unifi-utilities/unifios-utilities/HEAD/att-ipv6/10-att-ipv6.sh
    chmod +x 10-att-ipv6.sh
    ./10-att-ipv6.sh
    ```

The dhcpcd container being used is built [here](https://github.com/michaelw/dhcpcd-container/pkgs/container/dhcpcd)

## Validation

Running the script starts dhcpcd within the `att-ipv6` container on `eth8` (WAN1) and only for the default network (`br0`). This can be customized, see above.

To check that everything is working as expected, and the ATT RG delegates multiple prefixes:

On UDM:

```sh
$ ip -6 r               # should see a default route on the WAN interface, and a 2600:1700:X:Y::/64 prefix on each configured VLAN bridge interface
2600:1700:X:yyy0::/64 dev eth9 proto ra metric 203 mtu 1500 pref medium
2600:1700:X:yyyb::/64 dev br104 proto dhcp metric 235 pref medium
2600:1700:X:yyyc::/64 dev br103 proto dhcp metric 234 pref medium
2600:1700:X:yyyd::/64 dev br102 proto dhcp metric 233 pref medium
2600:1700:X:yyye::/64 dev br101 proto dhcp metric 232 pref medium
2600:1700:X:yyyf::/64 dev br0 proto dhcp metric 212 pref medium
[...]
```

```sh
$ podman logs att-ipv6  # should see dhcpcd successfully acquiring prefixes
[...]
eth9: writing lease `/var/lib/dhcpcd/eth9.lease6'
eth9: delegated prefix 2600:1700:X:yyyf::/64
eth9: delegated prefix 2600:1700:X:yyye::/64
eth9: delegated prefix 2600:1700:X:yyyd::/64
eth9: delegated prefix 2600:1700:X:yyyc::/64
eth9: delegated prefix 2600:1700:X:yyyb::/64
br0: adding address 2600:1700:X:yyyf::1/64
br0: pltime 3600 seconds, vltime 3600 seconds
br0: executing `/lib/dhcpcd/dhcpcd-run-hooks' DELEGATED6
br101: adding address 2600:1700:X:yyye::1/64
br101: pltime 3600 seconds, vltime 3600 seconds
br101: executing `/lib/dhcpcd/dhcpcd-run-hooks' DELEGATED6
br102: adding address 2600:1700:X:yyyd::1/64
br102: pltime 3600 seconds, vltime 3600 seconds
br102: executing `/lib/dhcpcd/dhcpcd-run-hooks' DELEGATED6
br103: adding address 2600:1700:X:yyyc::1/64
br103: pltime 3600 seconds, vltime 3600 seconds
br103: executing `/lib/dhcpcd/dhcpcd-run-hooks' DELEGATED6
br104: adding address 2600:1700:X:yyyb::1/64
br104: pltime 3600 seconds, vltime 3600 seconds
br104: executing `/lib/dhcpcd/dhcpcd-run-hooks' DELEGATED6
br0: adding route to 2600:1700:X:yyyf::/64
br101: adding route to 2600:1700:X:yyye::/64
br102: adding route to 2600:1700:X:yyyd::/64
br103: adding route to 2600:1700:X:yyyc::/64
br104: adding route to 2600:1700:X:yyyb::/64
lo: deleting reject route to 2600:1700:X:yyyf::/64
lo: deleting reject route to 2600:1700:X:yyye::/64
lo: deleting reject route to 2600:1700:X:yyyd::/64
lo: deleting reject route to 2600:1700:X:yyyc::/64
lo: deleting reject route to 2600:1700:X:yyyb::/64
[...]
```

```sh
$ ps auxw|grep dnsmasq  # should see dnsmasq running
```

On BGW320-500, check https://192.168.1.254/cgi-bin/lanstatistics.ha for multiple PDs in `IPv6 Delegated Prefix Subnet (including length)`.

On clients:

```
ip -6 addr show # should see SLAAC and/or DHCPv6 addresses received (if not, check dnsmasq configuration in `/run/dnsmasq.conf.d`)
```

### Useful commands

```sh
# View dhcpcd logs to verify the container is running without error (ipv6 logs from dhcpcd are normal).
podman logs att-ipv6

# Restart dhcpcd (e.g., after configuration change)
podman exec -it dhcpcd -x

# Stop the container
podman stop att-ipv6

# Remove the container
podman rm att-ipv6
```