How to configure Telus Optik IPv6 on a Ubiquiti EdgeRouter

After switching to Telus Optik, I wanted to take advantage of Telus IPv6 support, using my Ubiquiti EdgeRouter Lite. After a lot of googling, I was able to put enough pieces together to get full IPv6 working across my network. This configuration will work with EdgeOS 1.9.0, and should work with versions of EdgeOS going back at least to 1.7.0.

Note: I am running my EdgeRouter with eth0 connected to WAN, which is connected to the Telus router, in bridge mode. The EdgeRouter’s eth1 is connected to LAN, and eth2 is connected to WLAN (a wireless AP).

There are a few peculiarities to the way Telus provides IPv6 addresses that make standard router configurations problematic. It’s worthwhile to read this comment from a Telus employee:

“Now if you want to use your own router, you can do what you mentioned by using the port 1 bridge mode on the Actiontec and connecting your device into this. It will work fine, however there are a few issues with a majority of 3rd party devices. In order for it to work your device must:

1. Only request a dhcp6-pd (So only send IA-PD in the dhcp6 solicit message). This is what the Actiontecs actually do.

2. If the device does request both an IA-NA, and an IA-PD in the solicit message, then it must conform to RFC 7550. We are not using IA-NA so in our dhcp Advertise message there will be a NoAddrAvail message for the IA-NA, and a prefix for the IA-PD.

#2 is where most of the 3rd party devices have issues. They don’t handle this case and will usually reject the dhcp advertise message that is sent down and just go into an endless solicit loop.”

If your EdgeRouter isn’t configured to “only request a dhcp6-pd” and not request an IA-NA, your router’s CPU usage will jump to 100% as the dhcp6-pd log is flooded with denied IA-NA messages. To get around this, you MUST set the EdgeRouter WAN interface’s dhcpv6-pd option to “prefix-only”.
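To make the failure mode concrete, here is an added example (not from the original post or from Telus) that parses the kind of Advertise the quote describes: IA-NA refused with NoAddrsAvail, IA-PD carrying a prefix. The option codes are the standard DHCPv6 ones; the function names and the sample message (built with the 2001:db8::/32 documentation prefix) are constructed for illustration.

```python
import ipaddress
import struct

OPT_IA_NA, OPT_STATUS, OPT_IA_PD, OPT_IAPREFIX = 3, 13, 25, 26
ADVERTISE, NO_ADDRS_AVAIL = 2, 2

def opt(code, data):
    return struct.pack("!HH", code, len(data)) + data  # code, length, payload

def options(buf):
    """Yield (code, payload) for each option TLV in buf."""
    pos = 0
    while pos + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, pos)
        data = buf[pos + 4:pos + 4 + length]
        if len(data) != length:
            raise ValueError("truncated option %d" % code)
        yield code, data
        pos += 4 + length

def parse_advertise(msg):
    """Return (IA_NA status code or None, list of delegated prefixes)."""
    if msg[0] != ADVERTISE:
        raise ValueError("not an Advertise message")
    na_status, prefixes = None, []
    for code, data in options(msg[4:]):       # skip msg-type + transaction-id
        if code not in (OPT_IA_NA, OPT_IA_PD):
            continue
        for sub, body in options(data[12:]):  # skip IAID, T1, T2
            if code == OPT_IA_NA and sub == OPT_STATUS:
                na_status = struct.unpack_from("!H", body)[0]
            elif code == OPT_IA_PD and sub == OPT_IAPREFIX:
                net = ipaddress.IPv6Address(body[9:25])  # after lifetimes(8) + length(1)
                prefixes.append(ipaddress.IPv6Network((net, body[8])))
    return na_status, prefixes

def client_accepts(na_status, prefixes, rfc7550):
    """rfc7550=False drops the Advertise when IA_NA is refused; True keeps IA_PD."""
    return bool(prefixes) and (rfc7550 or na_status in (None, 0))

def sample_advertise():
    """Constructed sample: IA_NA refused (NoAddrsAvail), IA_PD with a /56."""
    ia_hdr = struct.pack("!III", 1, 0, 0)     # IAID, T1, T2
    status = opt(OPT_STATUS, struct.pack("!H", NO_ADDRS_AVAIL) + b"none")
    pfx = ipaddress.IPv6Address("2001:db8:1200::").packed
    prefix = opt(OPT_IAPREFIX, struct.pack("!IIB", 3600, 7200, 56) + pfx)
    return (bytes([ADVERTISE]) + b"\xab\xcd\xef"
            + opt(OPT_IA_NA, ia_hdr + status) + opt(OPT_IA_PD, ia_hdr + prefix))
```

A client that only sends IA-PD, which is what “prefix-only” configures, never receives the NoAddrsAvail status in the first place, so the question of how to handle it does not arise.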

Also, if you are running your LAN (local ports) in bridged mode, you don’t assign IPv6 addresses to your ethernet ports. Instead, you only assign an IPv6 address to your bridge port. If you assign IPv6 addresses to your ethernet ports when they are bridged, your EdgeRouter will get an IPv6 address, and it will be able to ping IPv6 addresses on the WAN, but no IPv6 traffic will get out from the LAN to the WAN. This cost me a lot of lost time as I tried to figure out why things weren’t working.

Before you go any further, make a backup of your current configuration! This will give you a way to roll back your changes. Changes must be made from the EdgeRouter CLI, in configure mode.

Here are the commands to issue, assuming eth0 is WAN, eth1 and eth2 are bridged LAN, and br0 is the bridge:

set interfaces ethernet eth0 dhcpv6-pd prefix-only
set interfaces ethernet eth0 dhcpv6-pd rapid-commit enable
set interfaces ethernet eth0 dhcpv6-pd pd 0 prefix-length 56
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface br0 prefix-id :0
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface br0 service slaac
set interfaces ethernet eth0 ipv6 router-advert managed-flag true
set interfaces ethernet eth0 ipv6 dup-addr-detect-transmits 1
commit

Give your EdgeRouter some time, as obtaining an IPv6 address is not always instantaneous. Eventually, your EdgeRouter dashboard should show an IPv6 address (as well as an IPv4 address, at least until you turn IPv4 off) attached to your bridge interface.

Edit – October 2017: If you’re not using your EdgeRouter in bridge mode (and I highly recommend not using your EdgeRouter in bridge mode, it really does slow down throughput), just replace the instances of ‘br0’ in the sample code above with the appropriate ‘eth<n>’.

Because IPv6 gives every device a (theoretically) routable address, you really should set up some firewall rules on the router. A basic ruleset that is widely available online will provide you with some basic protection: it drops IPv6 traffic arriving on the WAN by default and accepts only established and related packets, ICMPv6, and (to the router itself) DHCPv6 replies. To set this up, enter these commands:

set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ipv6-name WAN6_IN default-action drop
set firewall ipv6-name WAN6_IN description "IPv6 packets from the internet to LAN and WAN"
set firewall ipv6-name WAN6_IN enable-default-log
set firewall ipv6-name WAN6_IN rule 10 action accept
set firewall ipv6-name WAN6_IN rule 10 state established enable
set firewall ipv6-name WAN6_IN rule 10 state related enable
set firewall ipv6-name WAN6_IN rule 10 description "Allow established and related packets"
set firewall ipv6-name WAN6_IN rule 20 action drop
set firewall ipv6-name WAN6_IN rule 20 log enable
set firewall ipv6-name WAN6_IN rule 20 state invalid enable
set firewall ipv6-name WAN6_IN rule 20 description "Drop invalid packets"
set firewall ipv6-name WAN6_IN rule 30 action accept
set firewall ipv6-name WAN6_IN rule 30 log enable
set firewall ipv6-name WAN6_IN rule 30 protocol icmpv6
set firewall ipv6-name WAN6_IN rule 30 description "Allow ICMPv6 packets"
set firewall ipv6-name WAN6_LOCAL default-action drop
set firewall ipv6-name WAN6_LOCAL description "IPv6 packets from internet to router"
set firewall ipv6-name WAN6_LOCAL enable-default-log
set firewall ipv6-name WAN6_LOCAL rule 10 action accept
set firewall ipv6-name WAN6_LOCAL rule 10 state established enable
set firewall ipv6-name WAN6_LOCAL rule 10 state related enable
set firewall ipv6-name WAN6_LOCAL rule 10 description "Allow established and related packets"
set firewall ipv6-name WAN6_LOCAL rule 20 action drop
set firewall ipv6-name WAN6_LOCAL rule 20 log enable
set firewall ipv6-name WAN6_LOCAL rule 20 state invalid enable
set firewall ipv6-name WAN6_LOCAL rule 20 description "Drop invalid packets"
set firewall ipv6-name WAN6_LOCAL rule 30 action accept
set firewall ipv6-name WAN6_LOCAL rule 30 log enable
set firewall ipv6-name WAN6_LOCAL rule 30 protocol icmpv6
set firewall ipv6-name WAN6_LOCAL rule 30 description "Allow ICMPv6 packets"
set firewall ipv6-name WAN6_LOCAL rule 40 action accept
set firewall ipv6-name WAN6_LOCAL rule 40 description "allow DHCPv6 client/server"
set firewall ipv6-name WAN6_LOCAL rule 40 destination port 546
set firewall ipv6-name WAN6_LOCAL rule 40 source port 547
set firewall ipv6-name WAN6_LOCAL rule 40 protocol udp
set interfaces ethernet eth0 firewall in ipv6-name WAN6_IN
set interfaces ethernet eth0 firewall local ipv6-name WAN6_LOCAL
commit
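As a check on the result, the following added example (not part of the original post and not a Ubiquiti tool) audits a list of `set` commands, such as the output of `show configuration commands`, and reports any interface that requests a delegated prefix without default-drop IPv6 rulesets bound to both `in` and `local`. The function name and the weak sample configuration are constructed for illustration.

```python
import shlex
from collections import defaultdict

NON_MATCH = {"action", "description", "log"}  # rule keys that restrict nothing

def audit_ipv6_firewall(config_text):
    """List gaps in the IPv6 firewall of interfaces that request a prefix."""
    default_action, bound, wan = {}, defaultdict(dict), set()
    accepts, matchers = set(), defaultdict(set)
    for line in config_text.splitlines():
        t = shlex.split(line)                 # keeps quoted descriptions whole
        if t[:3] == ["set", "firewall", "ipv6-name"] and len(t) >= 6:
            name = t[3]
            if t[4] == "default-action":
                default_action[name] = t[5]
            elif t[4] == "rule" and len(t) >= 8:
                if t[6:8] == ["action", "accept"]:
                    accepts.add((name, t[5]))
                elif t[6] not in NON_MATCH:
                    matchers[(name, t[5])].add(t[6])
        elif t[:3] == ["set", "interfaces", "ethernet"] and len(t) >= 5:
            if t[4] == "dhcpv6-pd":
                wan.add(t[3])                 # interface facing the ISP
            elif t[4] == "firewall" and t[6:7] == ["ipv6-name"] and len(t) >= 8:
                bound[t[3]][t[5]] = t[7]
    findings = []
    for iface in sorted(wan):
        for direction in ("in", "local"):
            name = bound[iface].get(direction)
            if name is None:
                findings.append(f"{iface}: no ipv6-name ruleset bound to '{direction}'")
            elif default_action.get(name) != "drop":
                findings.append(f"{name}: default-action is not drop")
    for name, num in sorted(accepts):
        if not matchers[(name, num)]:
            findings.append(f"{name} rule {num}: accept with no match criteria")
    return findings

# Constructed sample (not the page's ruleset): prefix delegation on eth0, weak firewall.
WEAK = """
set interfaces ethernet eth0 dhcpv6-pd prefix-only
set interfaces ethernet eth0 firewall in ipv6-name WAN6_IN
set firewall ipv6-name WAN6_IN default-action accept
set firewall ipv6-name WAN6_IN rule 10 action accept
set firewall ipv6-name WAN6_IN rule 10 description "Allow all"
"""

if __name__ == "__main__":
    print("\n".join(audit_ipv6_firewall(WEAK)))
```

Run against the commands above, the audit returns no findings; the weak sample produces three.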

You can test IPv6 connectivity using ping6 (Google’s IPv6 DNS server 2001:4860:4860::8888 is a good test), or using the IPv6 test site. You should get a score of 10/10.

If anything went wrong, you can always return to your pre-IPv6 configuration by rebooting the router, because commit only changes the running configuration. If you are satisfied that the settings are working, save them using the save command so that they persist across reboots.

8 thoughts on “How to configure Telus Optik IPv6 on a Ubiquiti EdgeRouter”

  1. Are you on DSL or GPON? I’ve been trying to get IPv6 working with the ERLite3 connected directly to the ONT with GPON rather than bridging the actiontec and the same configuration doesn’t appear to work nor does dhcpv6-stateless instead of slaac.

    1. I am connected to Telus fibre (Optik) via a bridged port on the Telus router. According to the interwebs, that would be GPON, not DSL. Unsure if I could bypass the Telus-provided router, but in theory a bridged port should be equivalent to running without the Telus router.

  2. Chris,

    I’m trying to get this configuration working on my EdgeOS. I’m using an ER-X with firmware v1.9.7, connected to the T3200M, which is set to bridge mode. I can’t seem to get the ER-X to even initiate a dhcpv6-pd request. I’ve run dhcp6c in debug mode to try to troubleshoot the issue. An abbreviated log is at https://pastebin.ca/3862458. The key line I keep seeing is “client6_send: transmit failed: Operation not permitted”. Any ideas on what next steps I can take to debug?

    1. Hi Faisal. This may be an obviously-I-tried-that question, but are you able to get an IPV6 address via DHCP if you connect a device directly to the T3200M’s bridged port?

  3. Is anyone else seeing their IPv6 assignment change every time the Ubiquiti router reboots? This makes it difficult to set up internal servers with static IPs and I haven’t found much information on this. I would expect that if I kept the router offline for a long period of time that it would change but not on every reboot.

    1. Hi Alan. Now I’m curious. I have started tracking my own IPv6 assignments to test this.

      To clarify: Are you referring to the router’s address or to the addresses of specific devices on your network?

      1. Hi Chris,

        I am talking about the prefix that I get from TELUS. Ubiquiti will always autoconfigure the addresses on the interfaces as per the rules I set so the host part is the same. The network part keeps changing.

        I did a bit more testing today and found that it will change even if I issue this command: renew dhcpv6-pd interface ethX. This doesn’t happen every time but seems to happen after a bit of time like 6 min or so. I only tested this once so I don’t know if it is time related for sure. I don’t believe this happens to the Actiontec so I want to start wireshark captures and compare the two devices and how they ask for the IPv6 info.

        1. Confirmed, I am experiencing the same thing as you. My IPv6 prefix from Telus changes on reboot.

          before reboot:
          2001:569:----:----:----:----:----:59dc
          node-1w7jr9-------------------.ipv6.telus.net
          
          after reboot:
          2001:569:----:----:----:----:----:9eee
          node-1w7jr9-------------------.ipv6.telus.net
          

          It was very slow to obtain a new IPv6 address too – it took between 10 and 20 minutes before any IP check site was able to resolve my IPv6 address.
