Photoincat 2 IPv6 PPPoE: Difference between revisions

From Photonicat Wiki
C2h2 (talk | contribs)
No edit summary
Monstercat (talk | contribs)

(7 intermediate revisions by 2 users not shown)
第1行: 第1行:
* 本文件说明如何在 OpenWrt 上配置 基于 PPPoE 的 IPv6。
* 在某些情况下,如果直接通过家庭光猫/路由器接入,运营商可能会自动提供 IPv6,并默认开启 '''NAT6'''。
* 但是,在 PPPoE 拨号连接(常见于 FTTH/DSL 场景)中,则需要手动配置 IPv6 协商、前缀委托以及 LAN 分发。
* This document explains how to configure IPv6 with PPPoE on OpenWrt.
* In some cases, if you connect directly through a home modem/router, IPv6 may be provided automatically with '''NAT6''' enabled by default.
* However, for PPPoE connections (typical in FTTH/DSL setups), you need to manually configure IPv6 negotiation, prefix delegation, and LAN distribution.
== PPPoE 与 IPv6 配置指南 ==
== PPPoE 与 IPv6 配置指南 ==


=== WAN 接口设置 (/cgi-bin/luci/admin/network/network) WAN===
=== WAN 接口设置 (http://172.16.0.1:8080/cgi-bin/luci/admin/network/network) WAN===
# 进入 '''网络 → 接口 → WAN'''。
# 进入 '''网络 → 接口 → WAN'''。
# 在 IPv6 设置中:
# 在 IPv6 设置中:
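Review bot: The new WAN heading hardcodes http://172.16.0.1:8080 in front of the LuCI path, where the old heading used the device-independent relative path /cgi-bin/luci/admin/network/network. A reader whose router uses another LAN address or port gets a dead link, so either keep the relative path or state once, in the intro bullets, that 172.16.0.1:8080 is the assumed management address. The heading also ends in a stray trailing "WAN" after the URL in both versions; dropping it would clean up the section title.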
第7行: 第14行:
## 委托 IPv6 前缀 → '''启用'''。
## 委托 IPv6 前缀 → '''启用'''。


; 说明
; 说明 WAN 是拨号接口,必须让 PPPoE 连接时顺便协商 IPv6 地址,并把上级分配的 IPv6 前缀传递下去,这样内网才能用到公网 IPv6。
: WAN 是拨号接口,必须让 PPPoE 连接时顺便协商 IPv6 地址,并把上级分配的 IPv6 前缀传递下去,这样内网才能用到公网 IPv6。


=== WAN6 接口设置 (/cgi-bin/luci/admin/network/network) WAN6 ===
=== WAN6 接口设置 (http://172.16.0.1:8080/cgi-bin/luci/admin/network/network) WAN6 ===
# 进入 '''网络 → 接口 → WAN6'''。
# 进入 '''网络 → 接口 → WAN6'''。
# 设备选择 → '''pppoe-wan''' (原本默认为 eth0)。
# 设备选择 → '''pppoe-wan''' (原本默认为 eth0)。


; 说明
; 说明 WAN6 不是单独的物理口,而是跟随 PPPoE 拨号逻辑口。把它绑到 pppoe-wan 才能正确收发 IPv6 数据。
: WAN6 不是单独的物理口,而是跟随 PPPoE 拨号逻辑口。把它绑到 pppoe-wan 才能正确收发 IPv6 数据。
 
=== LAN 接口设置 (http://172.16.0.1:8080/cgi-bin/luci/admin/network/network) LAN ===
在高级设置中:
* IPv6 前缀过滤器:不设定,或设置为wan6


=== LAN 接口设置 (/cgi-bin/luci/admin/network/network) LAN ===
在 DHCPv6 相关配置中:
在 DHCPv6 相关配置中:
* RA 服务:'''服务器模式'''
* RA 服务:'''混合模式'''
* DHCPv6 服务:'''服务器模式'''
* DHCPv6 服务:'''混合模式'''
* NDP 代理:'''混合模式'''
* NDP 代理:'''混合模式'''


; 说明
; 说明 LAN 要作为 IPv6 地址分配的服务器,把前缀通过 RA 和 DHCPv6 分发给局域网设备。混合模式的 NDP 可以同时兼容静态地址和 DHCPv6 分配。
: LAN 要作为 IPv6 地址分配的服务器,把前缀通过 RA 和 DHCPv6 分发给局域网设备。混合模式的 NDP 可以同时兼容静态地址和 DHCPv6 分配。


=== 防火墙规则 (/cgi-bin/luci/admin/network/firewall/rules) ===
=== 防火墙规则 (http://172.16.0.1:8080/cgi-bin/luci/admin/network/firewall/rules) ===
为了保证 IPv6 入站访问正常,需要添加一条入站规则:
为了保证 IPv6 入站访问正常,需要添加一条入站规则:
# 进入 '''网络 → 防火墙 → 自定义规则'''。
# 进入 '''网络 → 防火墙 → 自定义规则'''。
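Review bot: In the LAN section, RA service and DHCPv6 service change from 服务器模式 (server mode) to 混合模式 (hybrid mode), but the 说明 line below still describes the LAN only as the server that hands out prefixes and never says why hybrid is now preferred. Add a sentence on what hybrid mode changes compared with server mode, and explain the new "IPv6 前缀过滤器" (prefix filter) item, which is introduced without any note on when to leave it unset and when to pick wan6.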
第38行: 第45行:
# 保存并应用。
# 保存并应用。


; 说明
; 说明 默认防火墙会拦截来自外部的 IPv6 流量。添加这条规则是为了让 IPv6 入站流量能通过,保证公网可以访问到内网设备(如服务器或 NAS)。
: 默认防火墙会拦截来自外部的 IPv6 流量。添加这条规则是为了让 IPv6 入站流量能通过,保证公网可以访问到内网设备(如服务器或 NAS)。


----
----
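Review bot: The firewall 说明 now sits entirely on the ";" line, with the ":" definition line dropped, so MediaWiki treats the whole sentence as the definition term instead of a short term followed by its explanation. Keep the two-line form ("; 说明" then ": 默认防火墙会拦截…") or put " : " between the term and the text; the same applies to the other 说明 entries changed in this revision.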
第48行: 第54行:
* LAN 接口通过 RA 和 DHCPv6 向内网设备下发 IPv6 地址和前缀。
* LAN 接口通过 RA 和 DHCPv6 向内网设备下发 IPv6 地址和前缀。
* 防火墙规则确保外部 IPv6 流量可以按需进入 LAN/设备。
* 防火墙规则确保外部 IPv6 流量可以按需进入 LAN/设备。
== IPv6 地址说明 ==
在查看接口(例如 '''eth0''')时,可能会看到多个 IPv6 地址。 
这是正常的,因为 IPv6 允许同一个接口同时拥有多个地址。
=== 示例输出 ===
<code>
ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
  inet 172.16.8.37  netmask 255.255.252.0  broadcast 172.16.11.255
  inet6 240e:32c:8d2d:f900::2e9/128  scopeid 0x0<global>
  inet6 240e:32c:8d2d:f900:be24:11ff:fe75:97aa/64  scopeid 0x0<global>
  inet6 fe80::be24:11ff:fe75:97aa/64  scopeid 0x20<link>
  inet6 240e:32c:8cfb:2500:be24:11ff:fe75:97aa/64  scopeid 0x0<global>
  ...
</code>
=== 地址类型解释 ===
* '''240e:32c:8d2d:f900::2e9/128''' → 主机专用 IPv6 地址(点对点)。 
* '''240e:32c:8d2d:f900:be24:11ff:fe75:97aa/64''' → 全球 IPv6 地址,由网卡 MAC 自动生成(SLAAC)。 
* '''fe80::be24:11ff:fe75:97aa/64''' → 链路本地地址(Link-local),只在本链路内有效,用于路由邻居发现等。 
* '''240e:32c:8cfb:2500:be24:11ff:fe75:97aa/64''' → 另一个由运营商下发的全球 IPv6 前缀(可能分配多个子网)。 
=== 什么是 “全球直连” ===
* 所有标记为 '''<global>''' 的 IPv6 地址(如 240e::/64 开头)都是 '''全球单播地址'''。 
* 意味着设备可以直接通过公网 IPv6 访问,无需 NAT 转换。 
* 这就是所谓的 **“全球直连”** —— 每个设备都能在互联网上直接通信。 
* 不像 IPv4 需要 NAT 才能共享公网 IP,IPv6 让每个设备都能拥有自己独立的公网地址。 
=== 客户提示 ===
* 一个接口上有多个 IPv6 地址是正常现象。 
* 只有 '''global''' 类型地址(例如 240e::/64)可以用于公网通信。 
* '''link-local (fe80::/64)''' 地址仅用于本地链路内的通信,不会上公网。 
* “全球直连” 表示设备已经在公网可见,因此需要合理配置防火墙,避免不必要的服务暴露。 
== PPPoE and IPv6 Configuration Guide ==
=== WAN Interface Settings (http://172.16.0.1:8080/cgi-bin/luci/admin/network/network) WAN ===
# Go to '''Network → Interfaces → WAN'''.
# Under IPv6 settings:
## Obtain IPv6 address → '''Manual''' (enable IPv6 negotiation on the PPP link).
## Delegate IPv6 prefix → '''Enable'''.
; Note The WAN is the dialing interface. PPPoE must also negotiate an IPv6 address and pass down the delegated IPv6 prefix from the ISP, so the LAN can use global IPv6.
=== WAN6 Interface Settings (http://172.16.0.1:8080/cgi-bin/luci/admin/network/network) WAN6 ===
# Go to '''Network → Interfaces → WAN6'''.
# Set device → '''pppoe-wan''' (instead of the default eth0).
; Note WAN6 is not a separate physical port. It follows the PPPoE logical interface. Binding it to pppoe-wan ensures IPv6 traffic can be sent and received correctly.
=== LAN Interface Settings (http://172.16.0.1:8080/cgi-bin/luci/admin/network/network) LAN ===
In Advanced Settings:
* IPv6 prefix filter: no filter, or wan6
In the DHCPv6-related settings:
* RA Service: '''Hybrid mode'''
* DHCPv6 Service: '''Hybrid mode'''
* NDP Proxy: '''Hybrid mode'''
; Note The LAN must act as an IPv6 address distributor, passing prefixes to internal devices via RA and DHCPv6. Hybrid NDP mode allows compatibility with both static and DHCPv6-assigned addresses.
=== Firewall Rule (http://172.16.0.1:8080/cgi-bin/luci/admin/network/firewall/rules) ===
To ensure inbound IPv6 traffic works properly, add an inbound rule:
# Go to '''Network → Firewall → Custom Rules'''.
# Add a new rule:
* Name: '''Allow-IPv6-Inbound'''
* Zone: '''wan'''
* Protocol: '''IPv6'''
* Source zone: '''wan'''
* Destination zone: '''device/lan'''
* Action: '''ACCEPT'''
# Save and apply.
; Note By default, the firewall blocks inbound IPv6 traffic. This rule ensures inbound IPv6 can pass through, allowing public access to internal devices (e.g., server or NAS).
----
=== Summary ===
* The WAN interface (pppoe-wan) is responsible for dialing and enabling IPv6 negotiation. 
* The WAN6 interface must be bound to the PPPoE logical interface, not a physical port like eth0. 
* The LAN interface distributes IPv6 addresses and prefixes to internal devices via RA and DHCPv6. 
* The firewall rule ensures external IPv6 traffic can reach LAN devices as needed. 
== IPv6 Address Explanation ==
When inspecting an interface (such as '''eth0'''), you may see multiple IPv6 addresses. 
This is normal, since IPv6 allows a single interface to hold multiple addresses.
=== Example Output ===
<code>
ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
  inet 172.16.8.37  netmask 255.255.252.0  broadcast 172.16.11.255
  inet6 240e:32c:8d2d:f900::2e9/128  scopeid 0x0<global>
  inet6 240e:32c:8d2d:f900:be24:11ff:fe75:97aa/64  scopeid 0x0<global>
  inet6 fe80::be24:11ff:fe75:97aa/64  scopeid 0x20<link>
  inet6 240e:32c:8cfb:2500:be24:11ff:fe75:97aa/64  scopeid 0x0<global>
  ...
</code>
=== Address Types Explained ===
* '''240e:32c:8d2d:f900::2e9/128''' → Host-specific IPv6 address (point-to-point). 
* '''240e:32c:8d2d:f900:be24:11ff:fe75:97aa/64''' → Global IPv6 address, auto-generated from the NIC MAC (SLAAC). 
* '''fe80::be24:11ff:fe75:97aa/64''' → Link-local address, only valid within the same link, used for routing neighbor discovery. 
* '''240e:32c:8cfb:2500:be24:11ff:fe75:97aa/64''' → Another global IPv6 prefix delegated by the ISP (possibly multiple subnets). 
=== What is "Global Direct Connection"? ===
* Any IPv6 address marked as '''<global>''' (such as those starting with 240e::/64) is a '''Global Unicast Address'''. 
* This means the device can be accessed directly from the public Internet, without NAT. 
* This is known as **“Global Direct Connection”** — every device can communicate directly on the Internet. 
* Unlike IPv4, which usually requires NAT to share a public IP, IPv6 gives each device its own public address. 
=== Customer Notes ===
* Having multiple IPv6 addresses on one interface is normal. 
* Only '''global''' addresses (e.g., 240e::/64) are usable for Internet communication. 
* The '''link-local (fe80::/64)''' address is only for communication within the local link and never goes out to the Internet. 
* “Global Direct Connection” means the device is already reachable on the public Internet, so proper firewall configuration is important to avoid exposing unwanted services.
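Review bot: In the English "Firewall Rule" section, the Allow-IPv6-Inbound rule (Protocol: IPv6, Source zone: wan, Destination zone: device/lan, Action: ACCEPT) has no port or destination-address restriction, so it accepts every inbound IPv6 connection to the router and all LAN hosts, which conflicts with the last Customer Notes bullet about avoiding exposure of unwanted services. Suggest narrowing the documented rule to the specific host and port that must be reachable, or stating next to the rule that it opens everything. Separately, the "Global Direct Connection" bullet wraps the term in Markdown ** emphasis, which MediaWiki prints literally; use ''' as elsewhere on the page.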

Latest revision as of 12:17, 19 September 2025 (Fri)

  • This document explains how to configure IPv6 with PPPoE on OpenWrt.
  • In some cases, if you connect directly through a home modem/router, IPv6 may be provided automatically with NAT6 enabled by default.
  • However, for PPPoE connections (typical in FTTH/DSL setups), you need to manually configure IPv6 negotiation, prefix delegation, and LAN distribution.

PPPoE and IPv6 Configuration Guide

WAN Interface Settings (http://172.16.0.1:8080/cgi-bin/luci/admin/network/network)

  1. Go to Network → Interfaces → WAN.
  2. Under IPv6 settings:
    1. Obtain IPv6 address → Manual (enable IPv6 negotiation on the PPP link).
    2. Delegate IPv6 prefix → Enable.

Note: The WAN is the dialing interface. PPPoE must also negotiate an IPv6 address and pass down the delegated IPv6 prefix from the ISP, so the LAN can use global IPv6.

WAN6 Interface Settings (http://172.16.0.1:8080/cgi-bin/luci/admin/network/network)

  1. Go to Network → Interfaces → WAN6.
  2. Set device → pppoe-wan (instead of the default eth0).

Note: WAN6 is not a separate physical port. It follows the PPPoE logical interface. Binding it to pppoe-wan ensures IPv6 traffic can be sent and received correctly.

LAN Interface Settings (http://172.16.0.1:8080/cgi-bin/luci/admin/network/network)

In Advanced Settings:

  • IPv6 prefix filter: no filter, or wan6

In the DHCPv6-related settings:

  • RA Service: Hybrid mode
  • DHCPv6 Service: Hybrid mode
  • NDP Proxy: Hybrid mode

Note: The LAN must act as an IPv6 address distributor, passing prefixes to internal devices via RA and DHCPv6. Hybrid NDP mode allows compatibility with both static and DHCPv6-assigned addresses.

Firewall Rule (http://172.16.0.1:8080/cgi-bin/luci/admin/network/firewall/rules)

To ensure inbound IPv6 traffic works properly, add an inbound rule:

  1. Go to Network → Firewall → Custom Rules.
  2. Add a new rule:
    • Name: Allow-IPv6-Inbound
    • Zone: wan
    • Protocol: IPv6
    • Source zone: wan
    • Destination zone: device/lan
    • Action: ACCEPT
  3. Save and apply.

Note: By default, the firewall blocks inbound IPv6 traffic. This rule ensures inbound IPv6 can pass through, allowing public access to internal devices (e.g., server or NAS).
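
An added example (not part of the original page): a small audit that reads firewall rules in OpenWrt's UCI text format and flags wan→lan ACCEPT rules that cover IPv6 with no port or host limit, which is what the rule above amounts to. The UCI text is constructed for illustration; the mapping of the LuCI fields to UCI options, the second rule's name, port 443 and the suffix-mask `dest_ip` form are assumptions.

```python
import re

# Constructed /etc/config/firewall excerpt (assumption, not from the page):
# rule 1 mirrors the page's Allow-IPv6-Inbound settings, rule 2 is a scoped
# alternative. Port 443 and the suffix-mask dest_ip form are placeholders.
SAMPLE_UCI = """
config rule
	option name 'Allow-IPv6-Inbound'
	option family 'ipv6'
	option proto 'all'
	option src 'wan'
	option dest 'lan'
	option target 'ACCEPT'

config rule
	option name 'Allow-NAS-HTTPS-v6'
	option family 'ipv6'
	option proto 'tcp'
	option src 'wan'
	option dest 'lan'
	option dest_ip '::be24:11ff:fe75:97aa/::ffff:ffff:ffff:ffff'
	option dest_port '443'
	option target 'ACCEPT'
"""

# Only single-quoted "option" lines are read; that is enough for this audit.
OPTION = re.compile(r"^\s*option\s+(\w+)\s+'([^']*)'", re.M)

def parse_rules(text):
    """Return one dict of options per 'config rule' section."""
    rules = []
    for section in re.split(r"^config\s+", text, flags=re.M)[1:]:
        header, _, body = section.partition("\n")
        if header.split()[:1] == ["rule"]:
            rules.append(dict(OPTION.findall(body)))
    return rules

def unrestricted_inbound_v6(rules):
    """Names of wan->lan ACCEPT rules covering IPv6 with no port or host limit."""
    flagged = []
    for r in rules:
        forwards_in = r.get("src") == "wan" and r.get("dest") == "lan"
        covers_v6 = r.get("family", "any") in ("ipv6", "any")
        scoped = "dest_port" in r or "dest_ip" in r
        if forwards_in and covers_v6 and r.get("target") == "ACCEPT" and not scoped:
            flagged.append(r.get("name", "<unnamed>"))
    return flagged
```

Run against the router's own /etc/config/firewall, an empty result means no rule opens the whole LAN to inbound IPv6; the audit does not examine rules aimed at the router itself (those with no destination zone).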

Summary

  • The WAN interface (pppoe-wan) is responsible for dialing and enabling IPv6 negotiation.
  • The WAN6 interface must be bound to the PPPoE logical interface, not a physical port like eth0.
  • The LAN interface distributes IPv6 addresses and prefixes to internal devices via RA and DHCPv6.
  • The firewall rule ensures external IPv6 traffic can reach LAN devices as needed.

IPv6 Address Explanation

When inspecting an interface (such as eth0), you may see multiple IPv6 addresses. This is normal, since IPv6 allows a single interface to hold multiple addresses.

Example Output

 ifconfig eth0
 eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
   inet 172.16.8.37  netmask 255.255.252.0  broadcast 172.16.11.255
   inet6 240e:32c:8d2d:f900::2e9/128  scopeid 0x0<global>
   inet6 240e:32c:8d2d:f900:be24:11ff:fe75:97aa/64  scopeid 0x0<global>
   inet6 fe80::be24:11ff:fe75:97aa/64  scopeid 0x20<link>
   inet6 240e:32c:8cfb:2500:be24:11ff:fe75:97aa/64  scopeid 0x0<global>
   ...

Address Types Explained

  • 240e:32c:8d2d:f900::2e9/128 → Host-specific IPv6 address (point-to-point).
  • 240e:32c:8d2d:f900:be24:11ff:fe75:97aa/64 → Global IPv6 address, auto-generated from the NIC MAC (SLAAC).
  • fe80::be24:11ff:fe75:97aa/64 → Link-local address, valid only within the same link and used for functions such as router and neighbor discovery.
  • 240e:32c:8cfb:2500:be24:11ff:fe75:97aa/64 → Another global IPv6 prefix delegated by the ISP (possibly multiple subnets).
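
An added example (not part of the original page) that classifies the addresses in the output above: it separates link-local from global unicast (2000::/3) and recovers the MAC address embedded in the SLAAC-generated interface IDs. The function names are illustrative.

```python
import ipaddress
import re

# The ifconfig output shown on this page (addresses exactly as printed there).
IFCONFIG = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
  inet 172.16.8.37  netmask 255.255.252.0  broadcast 172.16.11.255
  inet6 240e:32c:8d2d:f900::2e9/128  scopeid 0x0<global>
  inet6 240e:32c:8d2d:f900:be24:11ff:fe75:97aa/64  scopeid 0x0<global>
  inet6 fe80::be24:11ff:fe75:97aa/64  scopeid 0x20<link>
  inet6 240e:32c:8cfb:2500:be24:11ff:fe75:97aa/64  scopeid 0x0<global>
"""

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

def eui64_mac(addr):
    """Return the MAC embedded in a modified-EUI-64 interface ID, else None."""
    iid = addr.packed[8:]              # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":        # EUI-64 inserts ff:fe mid-MAC
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)

def classify(ifconfig_text):
    """Map each inet6 address to (scope, prefix length, embedded MAC or None)."""
    result = {}
    for text, plen in re.findall(r"inet6\s+([0-9a-f:]+)/(\d+)", ifconfig_text):
        addr = ipaddress.IPv6Address(text)
        if addr.is_link_local:
            scope = "link-local"
        elif addr in GLOBAL_UNICAST:
            scope = "global"
        else:
            scope = "other"
        result[text] = (scope, int(plen), eui64_mac(addr))
    return result

def internet_reachable(ifconfig_text):
    """Addresses that inbound firewall rules must account for: global scope."""
    found = classify(ifconfig_text)
    return [a for a, (scope, _, _) in found.items() if scope == "global"]
```

All three global addresses are reachable once inbound IPv6 is allowed, and the two EUI-64 ones carry the same MAC-derived suffix under both delegated prefixes.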

What is "Global Direct Connection"?

  • Any IPv6 address marked as <global> (such as those starting with 240e::/64) is a Global Unicast Address.
  • This means the device can be accessed directly from the public Internet, without NAT.
  • This is known as “Global Direct Connection”: every device can communicate directly on the Internet.
  • Unlike IPv4, which usually requires NAT to share a public IP, IPv6 gives each device its own public address.

Customer Notes

  • Having multiple IPv6 addresses on one interface is normal.
  • Only global addresses (e.g., 240e::/64) are usable for Internet communication.
  • The link-local (fe80::/64) address is only for communication within the local link and never goes out to the Internet.
  • “Global Direct Connection” means the device is already reachable on the public Internet, so proper firewall configuration is important to avoid exposing unwanted services.