DS-Lite (without Hikari Denwa) VyOS configuration example

/ 2019-05-25 16:03

What is DS-Lite

DS-Lite (without Hikari Denwa) VyOS configuration example

Test topology

Test environment

VyOS 1.1.8

Creating the bridge interface

vyos@DS-Lite-VyOS:~$ configure
vyos@DS-Lite-VyOS# set interfaces bridge br0
vyos@DS-Lite-VyOS# set interfaces bridge br0 address 192.168.0.1/24
vyos@DS-Lite-VyOS# set interfaces bridge br0 ipv6 address autoconf
vyos@DS-Lite-VyOS# set interfaces bridge br0 ipv6 disable-forwarding
vyos@DS-Lite-VyOS# set interfaces bridge br0 ipv6 dup-addr-detect-transmits 1

Adding the physical interfaces to the bridge

vyos@DS-Lite-VyOS# set interfaces ethernet eth0 bridge-group bridge br0
vyos@DS-Lite-VyOS# set interfaces ethernet eth1 bridge-group bridge br0

About the assigned IPv6 address

Note down the IPv6 address assigned to br0.

vyos@DS-Lite-VyOS:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
br0              192.168.0.1/24                    u/u
                 2409:250:X:X:X:X:X:X/64
eth0             -                                 u/u
eth1             -                                 u/u
lo               127.0.0.1/8                       u/u
                 ::1/128

Creating the tunnel interface for DS-Lite

The tunnel endpoint used here is 2404:8E01::FEED:101, but the address differs between NTT East and NTT West, and each of them has two addresses. The addresses are listed at the link below, so set the one that matches your environment.
Internet Multifeed Co.: Cisco1812J connection verification information
For local-ip, enter the IPv6 address assigned to the router itself that you noted above.

vyos@DS-Lite-VyOS:~$ conf
vyos@DS-Lite-VyOS# set interfaces tunnel tun0
vyos@DS-Lite-VyOS# set interfaces tunnel tun0 encapsulation ipip6
vyos@DS-Lite-VyOS# set interfaces tunnel tun0 local-ip 2409:250:X:X:X:X:X:X
vyos@DS-Lite-VyOS# set interfaces tunnel tun0 remote-ip 2404:8e01::feed:101
vyos@DS-Lite-VyOS# commit

Default route for DS-Lite

vyos@DS-Lite-VyOS:~$ configure
vyos@DS-Lite-VyOS# set protocols static interface-route 0.0.0.0/0 next-hop-interface tun0
vyos@DS-Lite-VyOS# commit

Client-side router configuration and verification

Client interface configuration

vyos@client:~$ configure
vyos@client# set interfaces ethernet eth0 address 192.168.0.100/24
vyos@client# set interfaces ethernet eth0 ipv6 address autoconf
vyos@client# set interfaces ethernet eth0 ipv6 disable-forwarding
vyos@client# set interfaces ethernet eth0 ipv6 dup-addr-detect-transmits 1
vyos@client# commit

Default route configuration

vyos@client:~$ configure
vyos@client# set protocols static route 0.0.0.0/0 next-hop 192.168.0.1
vyos@client# commit
vyos@client# save
Saving configuration to '/config/config.boot'...
Done

Internet connectivity check

vyos@client:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_req=1 ttl=59 time=8.07 ms
64 bytes from 8.8.8.8: icmp_req=2 ttl=59 time=7.39 ms
64 bytes from 8.8.8.8: icmp_req=3 ttl=59 time=5.86 ms
64 bytes from 8.8.8.8: icmp_req=4 ttl=59 time=6.10 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 5.867/6.858/8.074/0.913 ms
vyos@client:~$ ping 2001:4860:4860::8888
PING 2001:4860:4860::8888(2001:4860:4860::8888) 56 data bytes
64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=58 time=19.2 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=2 ttl=58 time=4.69 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=3 ttl=58 time=4.84 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=4 ttl=58 time=4.60 ms
^C
--- 2001:4860:4860::8888 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 4.602/8.344/19.233/6.287 ms

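Cautions

Because IPv6 is bridged and passed straight through (IPv6 passthrough), IPv6 addresses, unlike IPv4 addresses behind NAT, are reachable from outside. Unless a firewall is configured on the client side, the hosts are exposed to the outside unprotected, so care is needed. The configuration below permits communication in one direction only.

Firewall configuration for one-way IPv6 (LAN → Internet traffic only)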

vyos@DS-Lite-VyOS:~$ configure
vyos@DS-Lite-VyOS# set firewall ipv6-name IPv6FW default-action reject
vyos@DS-Lite-VyOS# set firewall ipv6-name IPv6FW rule 10 action accept
vyos@DS-Lite-VyOS# set firewall ipv6-name IPv6FW rule 10 protocol icmpv6
vyos@DS-Lite-VyOS# set firewall ipv6-name IPv6FW rule 20 action accept
vyos@DS-Lite-VyOS# set firewall ipv6-name IPv6FW rule 20 description DS-Lite
vyos@DS-Lite-VyOS# set firewall ipv6-name IPv6FW rule 20 protocol 4
vyos@DS-Lite-VyOS# set firewall ipv6-name IPv6FW rule 100 action accept
vyos@DS-Lite-VyOS# set firewall ipv6-name IPv6FW rule 100 source address 2409:250:X:X::-2409:250:X:X:ffff:ffff:ffff:ffff
vyos@DS-Lite-VyOS# set firewall ipv6-name IPv6FW rule 200 action accept
vyos@DS-Lite-VyOS# set firewall ipv6-name IPv6FW rule 200 source address 2409:250:X:X::-2409:250:X:X:ffff:ffff:ffff:ffff
vyos@DS-Lite-VyOS# set firewall ipv6-name IPv6FW rule 200 state related enable
vyos@DS-Lite-VyOS# set firewall ipv6-name IPv6FW rule 200 state established enable
vyos@DS-Lite-VyOS# set interfaces bridge br0 firewall in ipv6-name IPv6FW
vyos@DS-Lite-VyOS# commit
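
To check a saved configuration for the exposure described under Cautions, the following added example (not part of the original article) audits a list of VyOS set commands and reports any bridge with member ports that has no inbound ipv6-name ruleset attached. The function name and the sample inputs are constructed for illustration; the check only looks at whether a ruleset is attached and at its default-action, not at the individual rules.

```python
import re

# Constructed input: set commands from this article, before and after the IPv6FW step.
BRIDGE_ONLY = """\
set interfaces bridge br0 address 192.168.0.1/24
set interfaces bridge br0 ipv6 address autoconf
set interfaces ethernet eth0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0
""".splitlines()

WITH_FIREWALL = BRIDGE_ONLY + """\
set firewall ipv6-name IPv6FW default-action reject
set firewall ipv6-name IPv6FW rule 10 action accept
set firewall ipv6-name IPv6FW rule 10 protocol icmpv6
set interfaces bridge br0 firewall in ipv6-name IPv6FW
""".splitlines()

MEMBER = re.compile(r"set interfaces ethernet \S+ bridge-group bridge (\S+)$")
ATTACH = re.compile(r"set interfaces bridge (\S+) firewall in ipv6-name (\S+)$")
RULESET = re.compile(r"set firewall ipv6-name (\S+) (.*)$")

def audit_ipv6_exposure(lines):
    """Flag bridges with member ports that lack a restrictive inbound ipv6-name ruleset."""
    bridges, attached, rulesets = set(), {}, {}
    for raw in lines:
        line = raw.split("# ", 1)[-1].strip()  # tolerate a pasted "vyos@host# " prompt
        if m := MEMBER.match(line):
            bridges.add(m.group(1))
        elif m := ATTACH.match(line):
            attached[m.group(1)] = m.group(2)
        elif m := RULESET.match(line):
            opts = rulesets.setdefault(m.group(1), {})
            if m.group(2).startswith("default-action "):
                opts["default-action"] = m.group(2).split()[1]
    findings = []
    for br in sorted(bridges):
        name = attached.get(br)
        if name is None:
            findings.append(f"{br}: no 'firewall in ipv6-name'; bridged IPv6 is reachable from outside")
        elif name not in rulesets:
            findings.append(f"{br}: ipv6-name {name} is attached but not defined")
        elif rulesets[name].get("default-action") == "accept":
            findings.append(f"{br}: ipv6-name {name} has default-action accept")
    return findings

if __name__ == "__main__":
    for label, cfg in (("bridge only", BRIDGE_ONLY), ("with IPv6FW", WITH_FIREWALL)):
        print(label, audit_ipv6_exposure(cfg) or "ok")
```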

Test config

Other configuration examples
