This HowTo describes how to place an IPv6 prefix as a /64 network on a specific interface.
Last adaptation to the version: 12.6.0
New:
  • Updated for the redesign of the web interface
This article refers to a Resellerpreview


Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default-Port: 11115
e.g.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
Menu: Network → Network configuration

Introduction

Prefix delegation makes it possible to split an IPv6 network assigned by the provider (e.g. 2001:0db8:aaaa:bb::/56) into /64 networks (e.g. 2001:0db8:aaaa:bb00::/64, 2001:0db8:aaaa:bb01::/64, etc.) and assign them to individual interfaces. If router advertisement is activated, all devices in such a network segment can then form an IPv6 address from the prefix and their interface identifier. The respective interface of the UTM receives the first address, in the example 2001:0db8:aaaa:bb00::1/64.
IPv6 prefix delegation is enabled on the interface that is connected to the WAN.

The UTM can request an IPv6 prefix from the provider via the PPPoE connection and divide it into smaller /64 subnets and automatically place them on the interfaces.
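
The split described above, as an added Python example that is not part of the original article or the UTM's own code: it divides a delegated prefix into /64 networks, gives each interface the first address, and maps an observed address back to its interface, which helps when reading IPv6 packet filter logs. Handing out subnets in list order, the interface name LAN3, the sample MAC address and the modified EUI-64 identifier (one of several ways a client can form its interface identifier) are assumptions. The /56 is written with its fourth group in full (bb00) because the parser rejects prefixes with host bits set.

```python
import ipaddress

def plan_subnets(delegated, interfaces):
    """Give each interface the next /64 of the delegated prefix.

    Returns {interface: (network, first_address)}. Handing out the subnets
    in list order is an assumption of this example.
    """
    prefix = ipaddress.IPv6Network(delegated)  # strict: host bits must be 0
    if prefix.prefixlen > 64:
        raise ValueError("delegated prefix is longer than /64")
    subnets = prefix.subnets(new_prefix=64)
    plan = {}
    for name in interfaces:
        net = next(subnets, None)
        if net is None:
            raise ValueError("not enough /64 networks for all interfaces")
        plan[name] = (net, net[1])  # net[1] is <prefix>::1, the interface address
    return plan

def eui64_address(network, mac):
    """Address a client forms from the /64 and a modified EUI-64 identifier."""
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    octets[0] ^= 0x02  # invert the universal/local bit (RFC 4291)
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return network[int.from_bytes(iid, "big")]

def owning_interface(plan, address):
    """Return the interface whose /64 contains the address, else None."""
    addr = ipaddress.IPv6Address(address)
    for name, (net, _first) in plan.items():
        if addr in net:
            return name
    return None

if __name__ == "__main__":
    # Constructed sample values; LAN3 and the MAC address are hypothetical.
    plan = plan_subnets("2001:db8:aaaa:bb00::/56", ["LAN2", "LAN3"])
    for name, (net, first) in plan.items():
        print(f"{name}: network {net}, interface address {first}/64")
    client = eui64_address(plan["LAN3"][0], "00:11:22:33:44:55")
    print(client, "->", owning_interface(plan, str(client)))
    print("2001:db8:ffff::1 ->", owning_interface(plan, "2001:db8:ffff::1"))
```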



Configuration

Activating the prefix delegation

In the menu Network → Network configuration, area Network interfaces, edit the interface (e.g. wan0) that is assigned a larger IPv6 network via PPPoE.
In the bottom section of the General tab:
Caption | Value | Description
IPv6: | On | Enable for IPv6 to be used at all
IPv6 Prefix Delegation: | On | Activates the prefix delegation
[Figure: Edit interface]
IPv6 networks from a delegated prefix are placed only on interfaces that have the Router Advertisement feature enabled and do not have a fixed configured IPv6 address.

Click Save and close to apply the changes.

Transfer to interface by Router Advertisement

In the menu Network → Network configuration, area Network interfaces, the interface to which the smaller /64 subnet is to be assigned (e.g. LAN2) must be configured:
Caption | Value | Description
Name: | LAN2 | Display of the selected interface
DHCP Client: | Off |
Router Advertisement: | On | With this function, the allocation of a prefix is taken over by the router (here: the UTM firewall)
Assign IPv6 addresses: | On | This function enables the router to distribute IPv6 addresses
IPv6 Prefix Delegation: | Off | Prefix delegation is only permitted for external interfaces.
[Figure: Edit interface, Router Advertisement]
IPv6 networks from a delegated prefix are placed only on interfaces that have the Router Advertisement feature enabled and do not have a fixed configured IPv6 address.

Click Save and close to apply the changes.

[Figure: Display in the network configuration]

Add default route

In order to route the IPv6 addresses, a default route must be added under Network → Network configuration, area Routing, button Add default route.
Caption | Value | Description
Gateway Type: | IP / Interface | The type of the gateway
Gateway: | wan0 | The selected interface
IPv6: | On |
[Figure: Default route]

Verification

Under Network → Network tools, area Ping, a ping is sent to an address that reliably uses (and also answers over) IPv6. This verifies that the routing is working properly.
Caption | Value | Description
Settings
Source: | 2001:0db8:aaaa:bb00::1 | Selection of the IPv6 address to ping from
Destination: | k.root-servers.net | Destination name or IP address
IPv6 | On | Enable for IPv6 to be used at all
Send | | Starts the ping test
Response
The root server k.root-servers.net of the RIPE NCC should respond with the IP 2001:7fd::1 as shown in the picture
[Figure: IPv6 Ping-Test]



Adjust packet filter rules

When using IPv6, all packet filter rules must additionally be created for IPv6.

Create IPv6 network objects

External zone
Create the Internet zone for IPv6 under Firewall → Network objects, button Add object.
Caption | Value | Description
Name: | Internet_v6 | Unique designation
Type: | Network (address) |
Address: | ::/0 | The entire Internet
Zone: | external_v6 | The zone must be assigned to the corresponding interface
Group: | | The network object can be assigned to a group if applicable
[Figure: Network object Internet_v6]
Click Save and close to apply the changes.
Internal zone
Configuration of the internal network object:
Caption | Value | Description
Name: | Internal_Network_v6 | Unique designation
Type: | Network (interface) | Selection according to your own requirements. For this example: Network (interface)
Interface: | LAN2 | Selection of the internal interface to be supplied with IPv6
Zone: | internal_v6 |
Group: | | The network object can be assigned to a group if applicable
[Figure: Internal IPv6 network object]
Click Save and close to apply the changes.

Add packet filter rule

The existing ruleset only applies to IPv4. A completely new set of rules, including the network objects, must be created for IPv6.
Now a rule can be created under Firewall, tab Packetfilter, button Add rule:
Caption | Value | Description
Active: | On |
Source: | Internal_Network_v6 | Source network
Destination: | Internet_v6 | Destination network
Service: | default-internet | Select desired service or service group
Action: | Accept | Accept packet
Logging: | Short - Log three entries per minute | Select desired logging level
Group: | IPv6 rules | Add to desired group
[Figure: Packet filter rule for IPv6]
Unlike IPv4, no NAT is required here!
Click Save to save the packet filter rule.
Click Update rules to have the packet filter rules updated.