Customer CPE with IPv4 & IPv6

By default, this config NATs IPv4 traffic from the LAN out to the Internet. For IPv6, it allows traffic out from the LAN but does not allow traffic from the Internet towards the LAN, apart from replies to connections the LAN opened. This helps protect internal machines that do not have proper IPv6 firewalling.

Please note that the config provided here is only an example. You will need to make custom changes and review the config files, or bad things may happen (like getting locked out).

Basic Machine Setup

Configuration

Config: etc/srfirewall/local.conf

local.conf
Defaultv4InPolicy="DROP"
Defaultv4OutPolicy="ACCEPT"
Defaultv4FwdPolicy="DROP"

Defaultv6InPolicy="DROP"
Defaultv6OutPolicy="ACCEPT"
Defaultv6FwdPolicy="DROP"

Enablev6NAT="no"

Config: etc/srfirewall/ipv4/nat.conf

nat.conf
MASQ eth1 192.168.0.0/24 eth0

Config: etc/srfirewall/ipv4/mss-clamp.conf and etc/srfirewall/ipv6/mss-clamp.conf

mss-clamp.conf
eth0			-		out
eth0			-		fwd

Config: etc/srfirewall/ipv6/forward.conf

forward.conf
ACCEPT eth1 - eth0 - no - - - - NEW,ESTABLISHED,RELATED
ACCEPT eth0 - eth1 - no - - - - ESTABLISHED,RELATED
DROP eth0 - eth1 - no - - - - INVALID
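
To confirm that the loaded IPv6 rules really behave as described at the top of this page (forwarding dropped by default, nothing new accepted from eth0 towards eth1), the following check can be run over `ip6tables -S` output. It is an added example, not part of srfirewall: the function name and the sample listings are constructed here, and it assumes the relevant rules name both the input and output interface.

```shell
#!/bin/sh
# Added example: audit `ip6tables -S` output against the policy on this page.
# eth0 (WAN) and eth1 (LAN) follow the page; audit_v6_forward is a made-up name.
# Only rules that name both -i and -o are examined.

audit_v6_forward() {   # usage: ip6tables -S | audit_v6_forward [wan_if] [lan_if]
    awk -v wan="${1:-eth0}" -v lan="${2:-eth1}" '
    $1 == "-P" && $2 == "FORWARD" { policy = $3 }
    $1 == "-A" {
        in_if = ""; out_if = ""; target = ""; states = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-i") in_if = $(i + 1)
            else if ($i == "-o") out_if = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "--ctstate" || $i == "--state") states = $(i + 1)
        }
        # WAN to LAN ACCEPT is only safe when limited to reply traffic.
        if (in_if == wan && out_if == lan && target == "ACCEPT" &&
            (states == "" || ("," states ",") ~ /,NEW,/)) {
            print "FAIL: new inbound connections accepted: " $0
            bad = 1
        }
    }
    END {
        if (policy != "DROP") {
            print "FAIL: FORWARD policy is " (policy == "" ? "not set" : policy)
            bad = 1
        }
        if (!bad) print "OK: FORWARD default DROP, WAN to LAN limited to replies"
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample rule listings (not captured from a real srfirewall host).
SAMPLE_OK='-P FORWARD DROP
-A FORWARD -i eth1 -o eth0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate INVALID -j DROP'
SAMPLE_EXPOSED='-P FORWARD DROP
-A FORWARD -i eth0 -o eth1 -j ACCEPT'

printf '%s\n' "$SAMPLE_OK" | audit_v6_forward
printf '%s\n' "$SAMPLE_EXPOSED" | audit_v6_forward || echo "exposed ruleset detected"
```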