28
2019
07

ER-X如何设置支持ipv6上网?

这是我的ipv6部分以及相应防火墙的设置,er-x sfp,应该和er-x差不多,eth0是wan口,eth1-eth4为lan口,switch0,供参考:

# Enter EdgeOS configuration mode. Nothing below takes effect until `commit`.
configure

# Configure IPv6 on PPPoE session 0, which runs over eth0 (the WAN port):

# Turn IPv6 on for the PPPoE session.
set interfaces ethernet eth0 pppoe 0 ipv6 enable

# Let the WAN side form its own address from the ISP's router advertisements.
set interfaces ethernet eth0 pppoe 0 ipv6 address autoconf

# Number of duplicate-address-detection probes sent before an address is used.
set interfaces ethernet eth0 pppoe 0 ipv6 dup-addr-detect-transmits 1

# Ask the ISP for a delegated prefix (DHCPv6-PD). /60 is what this author
# requests; the delegated length is ISP-specific -- confirm before copying.
set interfaces ethernet eth0 pppoe 0 dhcpv6-pd pd 0 prefix-length /60

# Allow the shortened two-message DHCPv6 exchange when the server supports it.
set interfaces ethernet eth0 pppoe 0 dhcpv6-pd rapid-commit enable

# Request only a prefix over DHCPv6, not a WAN address (that comes from autoconf above).
set interfaces ethernet eth0 pppoe 0 dhcpv6-pd prefix-only


# Hand one /64 out of the delegated prefix to the LAN bridge (switch0) and let
# LAN hosts autoconfigure from it (SLAAC):

# switch0 itself takes <delegated /64>::1 as its address.
set interfaces ethernet eth0 pppoe 0 dhcpv6-pd pd 0 interface switch0 host-address ::1

# Use subnet 0 of the delegated prefix for this LAN.
set interfaces ethernet eth0 pppoe 0 dhcpv6-pd pd 0 interface switch0 prefix-id :0

# Advertise the prefix to LAN hosts via SLAAC.
# NOTE(review): the script also configures router-advert on switch0 by hand
# further down; the two may overlap -- verify only one RA configuration ends up
# active on switch0 after commit.
set interfaces ethernet eth0 pppoe 0 dhcpv6-pd pd 0 interface switch0 service slaac


# Router-advertisement (RA) settings for the LAN bridge switch0:

# Duplicate-address-detection probes sent for switch0's own addresses.
set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1

# Default hop limit advertised to LAN hosts.
set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64

# 0 = do not advertise an MTU option.
set interfaces switch switch0 ipv6 router-advert link-mtu 0

# M flag off: hosts do not obtain addresses from DHCPv6.
set interfaces switch switch0 ipv6 router-advert managed-flag false

# Upper bound, in seconds, between unsolicited RAs.
set interfaces switch switch0 ipv6 router-advert max-interval 600

# O flag off: hosts do not query DHCPv6 for other settings (e.g. DNS).
# NOTE(review): no IPv6 DNS server is advertised anywhere in this script, so
# hosts presumably keep using their IPv4 resolver -- confirm this is intended.
set interfaces switch switch0 ipv6 router-advert other-config-flag false

# '::/64' is a placeholder prefix: presumably resolved to the prefix actually
# assigned to switch0 via prefix delegation -- TODO confirm on the device.
# autonomous-flag true lets hosts build SLAAC addresses from it.
set interfaces switch switch0 ipv6 router-advert prefix '::/64' autonomous-flag true

# Hosts may treat the prefix as directly reachable on this link.
set interfaces switch switch0 ipv6 router-advert prefix '::/64' on-link-flag true

# 2592000 s = 30 days. If the ISP rotates the delegated prefix, hosts may keep
# old addresses for a long time with a value this large.
set interfaces switch switch0 ipv6 router-advert prefix '::/64' valid-lifetime 2592000

# 0 = leave reachable time / retransmit timer unspecified by this router.
set interfaces switch switch0 ipv6 router-advert reachable-time 0

set interfaces switch switch0 ipv6 router-advert retrans-timer 0

# Actually send RAs on switch0.
set interfaces switch switch0 ipv6 router-advert send-advert true


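# Policy for WAN -> router (traffic addressed to the router itself).
# It is bound as the `local` ruleset on pppoe 0 at the end of the script.
# Default is drop; only the exceptions below are let in.
set firewall ipv6-name WANv6_LOCAL default-action drop
# Description fixed: this ruleset filters WAN traffic to the router, not
# "local network traffic". A wrong label invites mistakes in later edits.
set firewall ipv6-name WANv6_LOCAL description 'WAN inbound traffic to the router'
# Log packets that fall through to the default drop. Useful for spotting scans,
# but it can be noisy on an internet-facing interface.
set firewall ipv6-name WANv6_LOCAL enable-default-log

# Rule 10: replies to connections the router itself opened.
set firewall ipv6-name WANv6_LOCAL rule 10 action accept
set firewall ipv6-name WANv6_LOCAL rule 10 description 'Allow established/related sessions'
set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
set firewall ipv6-name WANv6_LOCAL rule 10 state related enable

# Rule 20: discard packets that connection tracking classifies as invalid.
set firewall ipv6-name WANv6_LOCAL rule 20 action drop
set firewall ipv6-name WANv6_LOCAL rule 20 description 'Drop invalid state'
set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable

# Rule 30: ICMPv6 to the router. IPv6 depends on it for neighbour discovery,
# router advertisements and path-MTU discovery, so it cannot simply be blocked.
set firewall ipv6-name WANv6_LOCAL rule 30 action accept
set firewall ipv6-name WANv6_LOCAL rule 30 description 'Allow IPv6 icmp'
set firewall ipv6-name WANv6_LOCAL rule 30 protocol icmpv6

# Rule 40: DHCPv6 server (udp/547) -> client (udp/546) replies. The router needs
# these for the prefix-delegation request it makes on pppoe 0.
set firewall ipv6-name WANv6_LOCAL rule 40 action accept
set firewall ipv6-name WANv6_LOCAL rule 40 description 'allow dhcpv6'
set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546
set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp
set firewall ipv6-name WANv6_LOCAL rule 40 source port 547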

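# Policy for WAN -> LAN clients (traffic forwarded through the router).
# It is bound as the `in` ruleset on pppoe 0 at the end of the script.
# With IPv6 there is no NAT in front of the LAN: every host has a globally
# routable address, so this ruleset is the only thing between the internet and
# the LAN hosts. Keep it as tight as possible.
set firewall ipv6-name WANv6_IN default-action drop
# Description fixed: the original said 'WAN inbound traffic to the router',
# which describes the `local` ruleset, not this forwarded-traffic one.
set firewall ipv6-name WANv6_IN description 'WAN inbound traffic forwarded to LAN'
# Log packets that hit the default drop (inbound probes against LAN hosts).
set firewall ipv6-name WANv6_IN enable-default-log

# Rule 10: replies to connections opened from the LAN.
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 description 'Allow established/related sessions'
set firewall ipv6-name WANv6_IN rule 10 state established enable
set firewall ipv6-name WANv6_IN rule 10 state related enable

# Rule 20: discard packets that connection tracking classifies as invalid.
set firewall ipv6-name WANv6_IN rule 20 action drop
set firewall ipv6-name WANv6_IN rule 20 description 'Drop invalid state'
set firewall ipv6-name WANv6_IN rule 20 state invalid enable

# Rule 30: all ICMPv6 is forwarded to LAN hosts.
# NOTE(review): this accepts every ICMPv6 type, including unsolicited echo
# requests, so every LAN host answers ping from the internet. Error messages
# (e.g. packet-too-big) must get through for path-MTU discovery, and rule 10
# already passes those that relate to an existing flow. Consider narrowing this
# rule to the types you need (RFC 4890 gives filtering guidance).
set firewall ipv6-name WANv6_IN rule 30 action accept
set firewall ipv6-name WANv6_IN rule 30 description 'Allow IPv6 icmp'
set firewall ipv6-name WANv6_IN rule 30 protocol icmpv6

# Rule 40 ('allow dhcpv6', udp 547 -> 546) from the original is intentionally
# not recreated here. The DHCPv6 client is the router itself, so that exception
# belongs only in the WAN -> router (`local`) ruleset. In this forwarded ruleset
# it let any internet host reach udp/546 on every LAN host just by choosing
# source port 547. If the original rule was already applied, remove it with:
#   delete firewall ipv6-name WANv6_IN rule 40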

# Global hardening: ignore ICMPv6 redirects, so an on-path host cannot rewrite
# the router's next hops.
set firewall ipv6-receive-redirects disable

# Global hardening: do not honour IPv6 source-routed packets.
set firewall ipv6-src-route disable

# Bind the rulesets to the PPPoE session, not to bare eth0, because IPv6
# traffic arrives inside pppoe 0.
# `in` filters traffic forwarded through the router towards the LAN.
set interfaces ethernet eth0 pppoe 0 firewall in ipv6-name WANv6_IN

# `local` filters traffic addressed to the router itself.
# Until both bindings are committed, the IPv6 rulesets are defined but filter nothing.
set interfaces ethernet eth0 pppoe 0 firewall local ipv6-name WANv6_LOCAL


# Apply everything staged above to the running configuration.
# When working over a remote session, consider `commit-confirm` instead, so a
# mistake in the firewall rolls back rather than locking you out.
commit

# Persist the running configuration so that it survives a reboot.
save

# Leave configuration mode.
exit

