IPv6 on Cincinnati Bell Fioptics with VLANs using Ubiquiti USG

Cincinnati Bell Fioptics has recently started the deployment of IPv6 through the network. Luckily, we will be allowed to pull a /56 prefix.

A bit of a warning, but the /56 prefix is not sticky to you. If your network connection becomes disconnected for long enough (as of this writing it is 7 days), you could be assigned a new /56. Also, if you put a new device on with a different MAC, you will get a different /56 prefix.

Another note is DNS. You will not be getting AAAA records for the DNS servers. DNS queries will continue to go to their DNS servers using IPv4 addresses. This is fine. You will still get AAAA IPv6 addresses when available for domain names when available, just the communication to get that AAAA is over IPv4. Since you will be dual stack, having both IPv4 and IPv6, there will be no issues.

My network setup currently is as follows:

  • Connections
    • ONT is connected to the USG eth0 ethernet port (WAN)
  • Interfaces
    • WAN1
    • VLAN 1: Management
    • VLAN 2: Home Network
    • VLAN 3: DMZ Network
    • VLAN 4: Guest Network
  • Hardware / Software
    • Model: UniFi Security Gateway 3P
    • Version: 4.4.36.5146617
    • Controller Version: 5.10.20

Interface Setup

My goal is to have the WAN pull a /56 and then provision VLAN 2 – 4 with /64. Using the guide provided by Ubiquiti, here are some of the additional values you will need:

  • WAN Configuration
    • IPV6
      • Connection Type: using DHCPv6
      • Prefix Delegation Size: 56
  • LAN Configuration (All the same setting)
    • Configure IPV6 Network
      • IPv6 Interface Type: Prefix Delegation
      • IPv6 Prefix Delegation Interface: WAN
      • IPv6 Prefix ID: VLAN ID
        • I’ve chosen to use the VLAN ID to help identify in the firewall rules later. When it splits off a /64 for this network, it will just use the VLAN id as the 8 bit identifier.
      • IPv6 RA: Checked
      • IPv6 RA Priority: High
      • IPv6 RA Valid Lifetime: 86400
      • IPv6 RA Preferred Lifetime: 14400
      • DHCPv6/RDNSS DNS Control: Auto
Example WAN Settings
Example LAN Settings

Network Results

Security / Firewalls

The guide did not cover protecting yourself, but there are Firewall rules that can be set in the “Firewall -> Rules IPv6” section. I’m still researching how to create dynamic IPv6 settings based upon the /56 prefix delegation assigned. Since the /56 is dynamic, I do not want to have to keep changing the firewall rules each time a new /56 is assigned. Hit me up if you have some leads. It does not appear that the functionality exists at this time though.

UPnP / PCP

At this time, Ubiquiti does not support upnp or PCP with IPv6. As of this writing, while the miniupnpd included does support it, the compiler time flags need to be set when it’s built to add it in.

One common theme across the request for UPnP (and PCP) is the statement that it is not needed, since there is no NAT functionality. Sadly, this is incorrect, because UPnP does more than port forwarding, it also does WANIPv6FirewallControl. What this does is instead of doing NAT port forwarding, it just modifies the firewall to allow specific ports access instead, that are not client initiated. This comes in handy, when you do not have a permanent /56 assigned to you, along with future application / gaming system support to mimic access that ipv4 allows.

Support Forum: https://community.ubnt.com/t5/EdgeRouter/Edgerouter-IPv6-UPnP-support/td-p/2169141

Feature Request: https://community.ubnt.com/t5/UniFi-Routing-Switching-Feature/UPnP-IPv6-support/idi-p/2157325

Details / Statistics / Metrics

There is no support at this time through the controller software to actually see what is going on in IPv6 world. In fact, traffic that flows through IPv6 will not be included in any of the insights that are seen through the controllers software. You will have to SSH into the USG and perform some commands to find the details or use SNMP.

3/24/2019: An update to this section, I ended up using SNMP, Telegraf, and Grafana to pull the data. I looks like about 20% of my network usage is IPv6 now.

Traffic report for 3/24/2019

Leave a Comment


NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>