2017-06-17

Setting up a Unifi Security Gateway (USG) for Telus Optik IPv6

I recently upgraded my home network setup with some Ubiquiti gear: two Unifi APs and a Unifi Security Gateway (USG) router. It's great stuff: nice hardware with a great management interface. The only real limitation is that the management UI does not yet support configuring IPv6 on the USG, even though its router software fully supports it. Telus gives me native IPv6, so I wanted to use it.

I started out with the config.gateway.json file provided on the Unifi Community knowledgebase but after applying it my USG disconnected from the controller and seemed to be very slow over SSH. This blog post about setting up Telus IPv6 on an Edgerouter, which runs roughly the same software as the USG, pointed me in the right direction. The lag and disconnects I was seeing were caused by the lack of the prefix-only directive in the config.

I applied the config from the blog post on my router, replacing br0 with eth1, which is my LAN interface on the USG. Then I generated a config file and copied the relevant stuff into a new config.gateway.json along with the firewall directives from the Unifi community config. After forcing a provision on the USG by updating its DHCP server settings and rebooting the UAPs so they'd pick up IPv6 addresses, my wireless clients have IPv6 and everything seems to work as expected.

Here's my config.gateway.json. Don't drop the firewall section when adapting it: with IPv6 every LAN host gets a globally routable address, so the wan_in-6 ruleset with default-action drop is what keeps unsolicited inbound connections off the LAN; it only lets established/related traffic and ICMPv6 through. wan_local-6 protects the router itself the same way and additionally accepts the DHCPv6 replies (UDP 547 to 546) that prefix delegation needs. Both rulesets accept all ICMPv6 types inbound, which IPv6 needs for neighbour discovery and path MTU discovery (RFC 4890 describes which types can safely be filtered if you want to tighten that), and they log every accepted ICMPv6 packet, so expect some noise in the log.

{
  "firewall": {
    "ipv6-name": {
      "wan_in-6": {
        "default-action": "drop",
        "description": "wan_in",
        "enable-default-log": "''",
        "rule": {
          "1": {
            "action": "accept",
            "description": "Allow Established/Related state",
            "state": {
              "established": "enable",
              "related": "enable"
            }
          },
          "2": {
            "action": "drop",
            "description": "Drop Invalid state",
            "log": "enable",
            "state": {
              "invalid": "enable"
            }
          },
          "5": {
            "action": "accept",
            "description": "Allow ICMPv6",
            "log": "enable",
            "protocol": "icmpv6"
          }
        }
      },
      "wan_local-6": {
        "default-action": "drop",
        "description": "wan_local",
        "enable-default-log": "''",
        "rule": {
          "1": {
            "action": "accept",
            "description": "Allow Established/Related state",
            "state": {
              "established": "enable",
              "related": "enable"
            }
          },
          "2": {
            "action": "drop",
            "description": "Drop Invalid state",
            "log": "enable",
            "state": {
              "invalid": "enable"
            }
          },
          "5": {
            "action": "accept",
            "description": "Allow ICMPv6",
            "log": "enable",
            "protocol": "icmpv6"
          },
          "6": {
            "action": "accept",
            "description": "DHCPv6",
            "destination": {
              "port": "546"
            },
            "protocol": "udp",
            "source": {
              "port": "547"
            }
          }
        }
      }
    }
  },
  "interfaces": {
    "ethernet": {
      "eth0": {
        "dhcpv6-pd": {
          "pd": {
            "0": {
              "interface": {
                "eth1": {
                  "prefix-id": ":0",
                  "service": "slaac"
                }
              },
              "prefix-length": "56"
            }
          },
          "prefix-only": "''",
          "rapid-commit": "enable"
        },
        "firewall": {
          "in": {
            "ipv6-name": "wan_in-6"
          },
          "local": {
            "ipv6-name": "wan_local-6"
          }
        },
        "ipv6": {
          "dup-addr-detect-transmits": "1",
          "router-advert": {
            "cur-hop-limit": "64",
            "link-mtu": "0",
            "managed-flag": "true",
            "max-interval": "600",
            "other-config-flag": "false",
            "reachable-time": "0",
            "retrans-timer": "0",
            "send-advert": "true"
          }
        }
      }
    }
  }
}