IPv6 with the Ubiquiti ERL

ISP: Comcast
Modem: Motorola SB6141
Router: Ubiquiti EdgeMax Router Lite
EdgeOS System Image: v1.9
WAN Interface: eth0
LAN-Wired Interface: eth1
LAN-Wireless Interface: eth2

Cleanup:

There's a high chance you've been trying out other guides prior to getting here. Let's just make sure your current config doesn't have any remaining bits that'll mess this up.

  1. SSH into the EdgeMax Router Lite
  2. Enter configure mode: admin@ubnt: configure
delete interfaces ethernet eth0 dhcpv6-pd
delete interfaces ethernet eth1 ipv6
delete interfaces ethernet eth2 ipv6
delete protocols static interface-route6
commit
save
exit

I've included an example pre-config at the bottom of this guide for you to use to verify there's nothing left over.

Tutorial:

  1. SSH into EdgeMax Router Lite
  2. Enter configure mode: admin@ubnt: configure
  3. Let's do this!
set interfaces ethernet eth0 dhcpv6-pd pd 0
set interfaces ethernet eth0 dhcpv6-pd pd 0 prefix-length 60
set interfaces ethernet eth0 dhcpv6-pd rapid-commit enable

set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 host-address ::1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 prefix-id :1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth1 service slaac

set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 host-address ::1
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 prefix-id :2
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface eth2 service slaac

set interfaces ethernet eth1 ipv6 router-advert prefix ::/64
set interfaces ethernet eth2 ipv6 router-advert prefix ::/64
commit
save
  4. Verify interfaces have addresses assigned:
    a) exit configure mode
    b) show interfaces
admin@ubnt:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description
---------    ----------                        ---  -----------
ether        <redacted>/23                     u/u  WAN
             <redacted>/128
eth1         172.16.0.1/24                     u/u  LAN-Wired
             <redacted>1::1/64
eth2         172.16.1.1/24                     u/u  LAN-Wireless
             <redacted>2::1/64
lo           127.0.0.1/8                       u/u
             ::1/128

Note: If the IPv6 addresses do not show up, run renew dhcpv6-pd interface eth0 twice.
5. All hosts should now be able to obtain an IPv6 address via DHCPv6. You should be able to ping both IPv6 and IPv4 addresses. IPv6 test sites such as http://test-ipv6.com should give you a 100% ready rating.
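
As an added example (not part of the original guide), the following Python script computes the addresses the dhcpv6-pd statements in step 3 should produce from the delegated /60 and checks a show interfaces dump for them, which is the verification step 4 asks for. The delegated prefix and the dump are constructed from documentation ranges; the interface names and the prefix-id and host-address values are the guide's own.

```python
import ipaddress
import re

# Mirrors step 3: ISP delegates a /60, each LAN takes one /64 by prefix-id, router is host-address ::1.
PD_PREFIX_LENGTH = 60
LAN_IFACES = {"eth1": {"prefix_id": 0x1, "host_address": 1},
              "eth2": {"prefix_id": 0x2, "host_address": 1}}

# Constructed 'show interfaces' dump (documentation prefixes). eth2 has not
# received its IPv6 address yet, the case the renew note above covers.
SAMPLE_SHOW = """\
Interface    IP Address                        S/L  Description
---------    ----------                        ---  -----------
eth0         198.51.100.23/23                  u/u  WAN
eth1         172.16.0.1/24                     u/u  LAN-Wired
             2001:db8:abcd:1231::1/64
eth2         172.16.1.1/24                     u/u  LAN-Wireless
"""

def expected_lan_addresses(delegated, lan=LAN_IFACES, pd_len=PD_PREFIX_LENGTH):
    """Router address each LAN interface should hold for the delegated prefix."""
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if pd.prefixlen != pd_len:
        raise ValueError(f"ISP delegated a /{pd.prefixlen}, config expects /{pd_len}")
    subnets = list(pd.subnets(new_prefix=64))        # /60 -> 16 usable /64s
    result = {}
    for name, cfg in lan.items():
        if cfg["prefix_id"] >= len(subnets):         # id must fit in 64 - pd_len bits
            raise ValueError(f"{name}: prefix-id :{cfg['prefix_id']:x} too large for /{pd_len}")
        net = subnets[cfg["prefix_id"]]
        result[name] = ipaddress.IPv6Interface((int(net.network_address) + cfg["host_address"], 64))
    return result

def parse_show_interfaces(text):
    """{iface: [IPv6Interface, ...]} from 'show interfaces', continuation lines included."""
    seen, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+)?\s+([0-9a-f:.]+/\d+)", line, re.I)
        if m and m.group(1):
            current = m.group(1)                     # new interface row
        if m and current and ":" in m.group(2):      # keep only IPv6 entries
            seen.setdefault(current, []).append(ipaddress.IPv6Interface(m.group(2)))
    return seen

def missing_addresses(delegated, show_output=SAMPLE_SHOW):
    """LAN interfaces lacking their PD-derived address: the check step 4 asks for."""
    have = parse_show_interfaces(show_output)
    return sorted(name for name, addr in expected_lan_addresses(delegated).items()
                  if addr not in have.get(name, []))
```

Any interface it reports is one where the renew in the note above is the next step; a ValueError means the ISP handed out a different prefix length than the config assumes.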
6. Let's enable local IPv6 DNS queries. Make sure to enter the configure mode: admin@ubnt: configure

Enabling Local IPv6 DNS
set interfaces ethernet eth1 ipv6 router-advert name-server <ipv6-address-assigned-to-eth1>
set interfaces ethernet eth2 ipv6 router-advert name-server <ipv6-address-assigned-to-eth2>
commit
save

a) Renew the DHCP lease on a local host; it should now pick up the corresponding name-server address set above. You may verify that DNS queries are working with dig -6 google.com.
7. Let's set up an extremely basic firewall. It is based on https://help.ubnt.com/hc/en-us/articles/205197660-EdgeMAX-SOHO-Example but modified for IPv6 so that ICMPv6 traffic is allowed.
a) SSH into EdgeMax Router Lite
b) Enter configure mode: admin@ubnt: configure

IPv4 Firewall
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description "IPv4 packets from the internet to LAN and WAN"
set firewall name WAN_IN enable-default-log
set firewall name WAN_IN rule 1 action accept
set firewall name WAN_IN rule 1 state established enable
set firewall name WAN_IN rule 1 state related enable
set firewall name WAN_IN rule 1 protocol all
set firewall name WAN_IN rule 1 log enable
set firewall name WAN_IN rule 1 description "Allow established and related packets"
set firewall name WAN_IN rule 2 action drop
set firewall name WAN_IN rule 2 state invalid enable
set firewall name WAN_IN rule 2 protocol all
set firewall name WAN_IN rule 2 log enable
set firewall name WAN_IN rule 2 description "Drop invalid packets"
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description "IPv4 packets from internet to router"
set firewall name WAN_LOCAL enable-default-log
set firewall name WAN_LOCAL rule 1 action accept
set firewall name WAN_LOCAL rule 1 state established enable
set firewall name WAN_LOCAL rule 1 state related enable
set firewall name WAN_LOCAL rule 1 protocol all
set firewall name WAN_LOCAL rule 1 log enable
set firewall name WAN_LOCAL rule 1 description "Allow established and related packets"
set firewall name WAN_LOCAL rule 2 action drop
set firewall name WAN_LOCAL rule 2 state invalid enable
set firewall name WAN_LOCAL rule 2 protocol all
set firewall name WAN_LOCAL rule 2 log enable
set firewall name WAN_LOCAL rule 2 description "Drop invalid packets"
set firewall name WAN_LOCAL rule 3 action accept
set firewall name WAN_LOCAL rule 3 log enable
set firewall name WAN_LOCAL rule 3 protocol icmp
set firewall name WAN_LOCAL rule 3 description "Allow ICMP packets"

IPv6 Firewall
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ipv6-name WAN6_IN default-action drop
set firewall ipv6-name WAN6_IN description "IPv6 packets from the internet to LAN and WAN"
set firewall ipv6-name WAN6_IN enable-default-log
set firewall ipv6-name WAN6_IN rule 1 action accept
set firewall ipv6-name WAN6_IN rule 1 state established enable
set firewall ipv6-name WAN6_IN rule 1 state related enable
set firewall ipv6-name WAN6_IN rule 1 description "Allow established and related packets"
set firewall ipv6-name WAN6_IN rule 2 action drop
set firewall ipv6-name WAN6_IN rule 2 log enable
set firewall ipv6-name WAN6_IN rule 2 state invalid enable
set firewall ipv6-name WAN6_IN rule 2 description "Drop invalid packets"
set firewall ipv6-name WAN6_IN rule 3 action accept
set firewall ipv6-name WAN6_IN rule 3 log enable
set firewall ipv6-name WAN6_IN rule 3 protocol icmpv6
set firewall ipv6-name WAN6_IN rule 3 description "Allow ICMPv6 packets"
set firewall ipv6-name WAN6_LOCAL default-action drop
set firewall ipv6-name WAN6_LOCAL description "IPv6 packets from internet to router"
set firewall ipv6-name WAN6_LOCAL enable-default-log
set firewall ipv6-name WAN6_LOCAL rule 1 action accept
set firewall ipv6-name WAN6_LOCAL rule 1 state established enable
set firewall ipv6-name WAN6_LOCAL rule 1 state related enable
set firewall ipv6-name WAN6_LOCAL rule 1 description "Allow established and related packets"
set firewall ipv6-name WAN6_LOCAL rule 2 action drop
set firewall ipv6-name WAN6_LOCAL rule 2 log enable
set firewall ipv6-name WAN6_LOCAL rule 2 state invalid enable
set firewall ipv6-name WAN6_LOCAL rule 2 description "Drop invalid packets"
set firewall ipv6-name WAN6_LOCAL rule 3 action accept
set firewall ipv6-name WAN6_LOCAL rule 3 log enable
set firewall ipv6-name WAN6_LOCAL rule 3 protocol icmpv6
set firewall ipv6-name WAN6_LOCAL rule 3 description "Allow ICMPv6 packets"

Apply firewall policies to WAN interface
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set interfaces ethernet eth0 firewall in ipv6-name WAN6_IN
set interfaces ethernet eth0 firewall local ipv6-name WAN6_LOCAL
commit
save
Note:

The IPv6 firewall rules (as of ER v1.9.0) will not appear in the WebGUI. You may verify that the rulesets are applied to eth0 with show interfaces ethernet eth0 firewall.
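
As an added example (not from the guide or from Ubiquiti), this Python snippet evaluates the WAN_IN and WAN6_IN rulesets from step 7 with first-match semantics and default-action drop, to show why the IPv6 version carries rule 3: ICMPv6 is not optional for IPv6 (neighbor discovery and path MTU discovery ride on it), so an IPv4-style ruleset that only admits established and related traffic breaks it. It assumes, as EdgeOS does, that the states enabled in one rule match as any-of and that a rule with no match criteria matches everything; the sample traffic is constructed.

```python
# rule := (action, match); match may hold "state" (set) and/or "protocol".
# Order matters: the first rule that matches decides the verdict.
WAN_IN = [                                                   # IPv4 ruleset from step 7
    ("accept", {"state": {"established", "related"}}),       # rule 1
    ("drop",   {"state": {"invalid"}}),                      # rule 2
]
WAN6_IN = WAN_IN + [("accept", {"protocol": "icmpv6"})]      # IPv6 ruleset adds rule 3
DEFAULT_ACTION = "drop"                                      # default-action drop on both

def evaluate(ruleset, protocol, state):
    """Return (action, matching rule number), or (default action, None)."""
    for number, (action, match) in enumerate(ruleset, start=1):
        if "state" in match and state not in match["state"]:
            continue
        if "protocol" in match and protocol != match["protocol"]:
            continue
        return action, number
    return DEFAULT_ACTION, None

# Constructed inbound-from-WAN packets: (label, protocol, conntrack state)
SAMPLE_TRAFFIC = [
    ("reply to a LAN client's outbound TCP session", "tcp", "established"),
    ("unsolicited TCP SYN to a LAN host", "tcp", "new"),
    ("ICMPv6 echo request to a LAN host", "icmpv6", "new"),
    ("ICMPv6 packet conntrack flags as invalid", "icmpv6", "invalid"),
    ("IPv4 ICMP echo request to a LAN host", "icmp", "new"),
]

def audit(ruleset, traffic=SAMPLE_TRAFFIC):
    """Map each sample packet to the verdict the given ruleset produces."""
    return {label: evaluate(ruleset, proto, state) for label, proto, state in traffic}
```

Note that rule 2 sits before rule 3 on purpose: an ICMPv6 packet conntrack flags as invalid is dropped before the ICMPv6 accept is ever consulted.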

Example Pre-Config:

admin@ubnt:~$ configure
admin@ubnt# show
 firewall {
     all-ping enable
     broadcast-ping disable
     ipv6-receive-redirects disable
     ipv6-src-route disable
     ip-src-route disable
     log-martians enable
     name WAN_IN {
         default-action drop
         description "packets from the internet to LAN and WAN"
         enable-default-log
         rule 1 {
             action accept
             description "allow established session"
             log disable
             protocol all
             state {
                 established enable
                 invalid disable
                 new disable
                 related enable
             }
         }
         rule 2 {
             action drop
             description "drop invalid packets"
             log disable
             protocol all
             state {
                 established disable
                 invalid enable
                 new disable
                 related disable
             }
         }
     }
     name WAN_LOCAL {
         default-action drop
         description "packets from internet to router"
         enable-default-log
         rule 1 {
             action accept
             description "allow established and related "
             log disable
             protocol all
             state {
                 established enable
                 invalid disable
                 new disable
                 related enable
             }
         }
         rule 2 {
             action drop
             description "drop invalid"
             log disable
             protocol all
             state {
                 established disable
                 invalid enable
                 new disable
                 related disable
             }
         }
     }
     receive-redirects disable
     send-redirects enable
     source-validation disable
     syn-cookies enable
 }
 interfaces {
     ethernet eth0 {
         address dhcp
         description WAN
         duplex auto
         firewall {
             in {
                 name WAN_IN
             }
             local {
                 name WAN_LOCAL
             }
         }
         speed auto
     }
     ethernet eth1 {
         address 172.16.0.1/24
         description LAN-Wired
         duplex auto
         speed auto
     }
     ethernet eth2 {
         address 172.16.1.1/24
         description LAN-Wireless
         duplex auto
         speed auto
     }
     loopback lo {
     }
 }
 port-forward {
 }
 protocols {
 }
 service {
     dhcp-server {
         disabled false
         hostfile-update disable
         shared-network-name LAN-Wired {
             authoritative disable
             subnet 172.16.0.0/24 {
                 default-router 172.16.0.1
                 dns-server 172.16.0.1
                 lease 86400
                 start 172.16.0.10 {
                     stop 172.16.0.254
                 }
                 static-mapping <redacted> {
                     ip-address 172.16.0.50
                     mac-address <redacted>
                 }
             }
         }
         shared-network-name LAN-Wireless {
             authoritative disable
             subnet 172.16.1.0/24 {
                 default-router 172.16.1.1
                 dns-server 172.16.1.1
                 lease 86400
                 start 172.16.1.10 {
                     stop 172.16.1.254
                 }
                 static-mapping UniFi-AC {
                     ip-address 172.16.1.10
                     mac-address <redacted>
                 }
             }
         }
     }
     dns {
         forwarding {
             cache-size 150
             listen-on eth1
             listen-on eth2
         }
     }
     gui {
         https-port 443
     }
     nat {
         rule 5000 {
             description "Masquerade for WAN"
             log disable
             outbound-interface eth0
             type masquerade
         }
     }
     ssh {
         port 22
         protocol-version v2
     }
     upnp {
         listen-on eth1 {
             outbound-interface eth0
         }
         listen-on eth2 {
             outbound-interface eth0
         }
     }
 }
 system {
     host-name ubnt
     login {
         user <redacted> {
             authentication {
                 encrypted-password <redacted>
                 plaintext-password ""
             }
             full-name <redacted>
             level admin
         }
     }
     name-server 8.8.8.8
     name-server 8.8.4.4
     name-server 2001:4860:4860::8888
     name-server 2001:4860:4860::8844
     ntp {
         server 0.ubnt.pool.ntp.org {
         }
         server 1.ubnt.pool.ntp.org {
         }
         server 2.ubnt.pool.ntp.org {
         }
         server 3.ubnt.pool.ntp.org {
         }
     }
     offload {
         ipsec enable
         ipv4 {
             forwarding enable
         }
         ipv6 {
             forwarding disable
         }
     }
     package {
         repository wheezy {
             components "main contrib non-free"
             distribution wheezy
             password ""
             url http://httpredir.debian.org/debian
             username ""
         }
         repository wheezy-security {
             components main
             distribution wheezy/updates
             password ""
             url http://security.debian.org
             username ""
         }
     }
     syslog {
         global {
             facility all {
                 level notice
             }
             facility protocols {
                 level debug
             }
         }
     }
     time-zone UTC
     traffic-analysis {
         dpi enable
         export enable
     }
 }