Linux Router with VPN on a Raspberry Pi (IPv6)

From Alpine Linux

Work in Progress: Following does not work and won't work!.

I have split this off the main article Linux Router with VPN on a Raspberry Pi as that works. IPv6 implementation requires a few changes to the initial article to work.

Introduction

IPv6 introduces a number of new complexities into our network. If you've completed previous IPv4 only guide Linux Router with VPN on a Raspberry Pi then read on.

Your VPN provider may only offers you a single stack connection (no IPv6). You won't be able to implement IPv6 addressing on VLAN 3 to carry your IPv6 traffic out of the VPN. If your ISP gives you IPv6 addressing you may still implement addressing on VLAN2 to carry traffic directly to your ISP. In this example I do both.

If you don't know much about IPv6 then these pages might be of interest to get you up to speed.


Network Diagram IPv4 and IPv6
Network Diagram IPv4 and IPv6

Enabling IPv6 support

Assuming you're using the Alpine Linux kernel, IPv6 support is available separately as a module.

modprobe ipv6

To add the module to our startup configuration.

echo "ipv6" >> /etc/modules

/etc/sysctl.d/local.conf

Modify the sysctl section to include IPv6 support:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Needed to use fwmark
net.ipv4.conf.all.rp_filter = 2

# http://vk5tu.livejournal.com/37206.html
# What's this special value "2"? Originally the value was "1", but this 
# disabled autoconfiguration on all interfaces. That is, you couldn't appear 
# to be a router on some interfaces and appear to be a host on other 
# interfaces. But that's exactly the mental model of a ADSL router. 

# Controls IP packet forwarding
net.ipv6.conf.all.forwarding = 2
net.ipv6.conf.default.forwarding = 2

# Accept Router Advertisments
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.default.accept_ra = 2

# We are a router so disable temporary addresses
net.ipv6.conf.all.use_tempaddr = 0
net.ipv6.conf.default.use_tempaddr = 0

/etc/network/interfaces

Add an IPv6 interface for each VLAN. Note we don't need to add one for VLAN2 because dhcpcd will take care of that for us using our ISPs router advertisements. Also note the . (dot notation) represents a VLAN interface where as : (colon notation) used in the previous article represented an IP address aliased on an interface.

The reason we need VLANs here is because each VLAN has it's own broadcast and we don't want our router advertisements to be putting routes and addresses on all the interfaces. It also helps us with a more secure design, but requires a managed switch.

# VLAN 2 - DESTINED FOR ISP
auto eth0.2
iface eth0.2 inet static
    address 192.168.2.1
    netmask 255.255.255.0
    broadcast 192.168.2.255
    post-up /etc/network/fwmark_rules

# VLAN 3 - DESTINED FOR VPN
auto eth0.3
iface eth0.3 inet static
    address 192.168.3.1
    netmask 255.255.255.0
    broadcast 192.168.3.255

iface eth0.3 inet6 static
    address fde4:8dba:82e1:fff3::1
    netmask 64
    autoconf 0
    accept_ra 0
    privext 0

# VLAN 4 - LAN ONLY
auto eth0.4
iface eth0.4 inet static
    address 192.168.4.1
    netmask 255.255.255.0
    broadcast 192.168.4.255
    post-up /etc/network/route_LAN

iface eth0.4 inet6 static
    address fde4:8dba:82e1:fff4::1
    netmask 64
    autoconf 0
    accept_ra 0
    privext 0

Configuring PPP

Next up we need to configure our router to be able to dial a PPP connection with our modem.

See PPP, you will want to make sure you set your WAN interface, in this example we used eth1.

Check system log

Restart ppp.

poff yourISP

pon yourISP

In /var/log/messages you should see something like

pppd[]: Plugin rp-pppoe.so loaded.
pppd[]: RP-PPPoE plugin version 3.8p compiled against pppd 2.4.7
pppd[]: pppd 2.4.7 started by root, uid 0
pppd[]: PPP session is 49969
pppd[]: Connected to 00:53:00:ff:ff:f0 via interface eth1
pppd[]: Using interface ppp0
pppd[]: Connect: ppp0 <--> eth1
pppd[]: CHAP authentication succeeded
pppd[]: CHAP authentication succeeded
pppd[]: peer from calling number 00:53:00:FF:FF:F0 authorized
pppd[]: local  LL address fe80::0db8:ffff:ffff:fff1
pppd[]: remote LL address fe80::0db8:ffff:ffff:fff0
pppd[]: local  IP address 192.0.2.1
pppd[]: remote IP address 192.0.2.0
pppd[]: primary   DNS address 192.0.2.10
pppd[]: secondary DNS address 192.0.2.20

You should be able to now ping things such as

ping6 ipv6.google.com

from your router.

Prefix Delegation

The next step will be to configure DHCPv6 Prefix Delegation with your ISP. Install dhcpcd. While many guides do use the wide-dhcpv6-client it should be noted this is unmaintained and not included in Alpine Linux.

Don't use the ISC's dhclient either as this does not support Prefix Delegations on PPP links without a patch.

apk add dhcpcd

You can check out the manual for dhcpcd.conf. Installing dhcpcd-doc will allow you to read the man file. Eg:

apk add dhcpcd-doc

/etc/dhcpcd.conf

apk add dhcpcd

If the main repositories have dhcpcd below version 7.0.7 (at time of writing AlpineLinux 3.8 and below) you will need to use the latest version from edge as it fixes a bug with unique link local addresses on our VLANs dhcpcd ChangeLog this patch already applied in v7.0.7

apk add dhcpcd@edge

If you haven't you may need to add the edge repository for pinning Alpine Linux package management#Repository_pinning

# Enable extra debugging
#debug
#logfile /var/log/dhcpcd.log

# Allow users of this group to interact with dhcpcd via the control
# socket.
#controlgroup wheel

# Inform the DHCP server of our hostname for DDNS.
hostname gateway

# Use the hardware address of the interface for the Client ID.
#clientid
# or
# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as
# per RFC4361. Some non-RFC compliant DHCP servers do not reply with
# this set. In this case, comment out duid and enable clientid above.
duid

# Persist interface configuration when dhcpcd exits.
persistent

# Rapid commit support.
# Safe to enable by default because it requires the equivalent option
# set on the server to actually work.
option rapid_commit

# A list of options to request from the DHCP server.
option domain_name_servers, domain_name, domain_search, host_name
option classless_static_routes

# Most distributions have NTP support.
option ntp_servers

# Respect the network MTU.
# Some interface drivers reset when changing the MTU so disabled by
# default.
#option interface_mtu

# A ServerID is required by RFC2131.
require dhcp_server_identifier

# Generate Stable Private IPv6 Addresses instead of hardware based
# ones
slaac private

# A hook script is provided to lookup the hostname if not set by the
# DHCP server, but it should not be run by default.
nohook lookup-hostname

# IPv6 Only
ipv6only

# Disable solicitations on all interfaces
noipv6rs

# Wait for IP before forking to background
waitip 6

# Don't touch DNS
nohook resolv.conf

# Use the interface connected to WAN
interface ppp0
    ipv6rs # enable routing solicitation get the default IPv6 route
    iaid 1
    ia_pd 1/::/56 eth0.2/2/64

Add dhcpcd to the default run level:

rc-update add dhcpcd default

Configuring iptables for IPv4 and IPv6 traffic

iptables

Here are some rules for iptables that I am currently using, yours may look something similar.

#########################################################################
# Uses 192.168.1.0 VLAN1 Management Untagged - no route
#      192.168.2.0 VLAN2                     - route to ISP
#      192.168.3.0 VLAN3                     - route to VPN
#      192.168.4.0 VLAN4                     - no route
# 
# Packets to/from 192.168.1.0/24 not in any VLAN ie tagged
# Packets to/from 192.168.2.0/24 are marked with 0x1 and routed to ISP
# Packets to/from 192.168.3.0/24 are marked with 0x2 and routed to VPN
# Packets to/from 192.168.4.0/24 are routed to LAN and not forwarded onto
#                                    the internet
#
# These destinations will always be marked with 0x1 from VLAN3:
#
# <ip_of_exception>       some exception
#########################################################################

# 
# Raw Table
#
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Create a log drop chain
:LOG_DROP_BOGON - [0:0]
:LOG_DROP_MSFT - [0:0]

# Create output chains
:OUT_PPP0 - [0:0]
:OUT_TUN0 - [0:0]

# Allows traffic from NNTP/DNS OVPN
-A PREROUTING -s 172.16.32.1/32 -i tun0 -j ACCEPT

# Block specified bogons coming in from ISP and VPN
# (unlikely to happen as they filter them on their router)
-A PREROUTING -i ppp0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON
-A PREROUTING -i tun0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON

# Block MSFT known tracking IPs from https://github.com/Nummer/Destroy-Windows-10-Spying
-A PREROUTING -i ppp0 -m set --match-set dropped-msft-ip-ipv4  src -j LOG_DROP_MSFT
-A PREROUTING -i tun0 -m set --match-set dropped-msft-ip-ipv4  src -j LOG_DROP_MSFT

# Allows my excepted ranges
-A PREROUTING -m set --match-set allowed-nets-ipv4 src,src -j ACCEPT

# Allows traffic originating from router to remote address on VPN
-A OUT_TUN0 -d 172.16.32.1 -j ACCEPT

# Pass output interface to corresponding chain
-A OUTPUT -o ppp0 -j OUT_PPP0
-A OUTPUT -o tun0 -j OUT_TUN0

# Log drop chain
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon (ipv4) : " --log-level 6
-A LOG_DROP_BOGON -j DROP
-A LOG_DROP_MSFT -j LOG --log-prefix "Dropped MSFT (ipv4) : " --log-level 6
-A LOG_DROP_MSFT -j DROP

# Block packets originating from the router destined to bogon ranges
-A OUT_PPP0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON

# Blocks packets originating from the router destined to bogon ranges
-A OUT_TUN0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON

# Block packets originating from the router destined to msft ranges
-A OUT_PPP0 -m set --match-set dropped-msft-ip-ipv4 dst -j LOG_DROP_MSFT

# Blocks packets originating from the router destined to msft ranges
-A OUT_TUN0 -m set --match-set dropped-msft-ip-ipv4 dst -j LOG_DROP_MSFT

COMMIT

#
# NAT Table
# This is where translation of packets happens and "forwarding" of ports
# to specific hosts.
#
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Port forwarding for Bittorrent through VPN
-A PREROUTING -i tun0 -p tcp -m tcp --dport 20001 -j DNAT --to-destination 192.168.3.30
-A PREROUTING -i tun0 -p udp -m udp --dport 20001 -j DNAT --to-destination 192.168.3.30

# Allows routing to our modem subnet so we can access the web interface
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 192.168.3.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE

# Allows routing to Printer
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.4.9/32 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.3.0/24 -d 192.168.4.9/32 -o eth0 -j MASQUERADE

# Allows hosts of the network to use the VPN tunnel
-A POSTROUTING -o tun0 -j MASQUERADE

# Allows hosts of the network to use the PPP tunnel
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT

#
# Filter Table
# This is where we decide to ACCEPT, DROP or REJECT things
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Create rule chain per input interface for forwarding packets
:FWD_ETH1 - [0:0]
:FWD_PPP0 - [0:0]
:FWD_TUN0 - [0:0]
:FWD_V1_MGMT - [0:0]
:FWD_V2_ISP - [0:0]
:FWD_V3_VPN - [0:0]
:FWD_V4_LANONLY - [0:0]

# Create rule chain per input interface for input packets (for host itself)
:IN_ETH1 - [0:0]
:IN_PPP0 - [0:0]
:IN_TUN0 - [0:0]
:IN_V1_MGMT - [0:0]
:IN_V2_ISP - [0:0]
:IN_V3_VPN - [0:0]
:IN_V4_LANONLY - [0:0]

# Create a drop/reject chains
:LOG_DROP - [0:0]
:LOG_DROP_BOGON - [0:0]
:LOG_DROP_MSFT - [0:0]
:LOG_REJECT_LANONLY - [0:0]

# Create an output chains
:OUT_PPP0 - [0:0]
:OUT_TUN0 - [0:0]

# Pass input packet to corresponding rule chain
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j IN_V1_MGMT
-A INPUT -i eth0.2 -j IN_V2_ISP
-A INPUT -i eth0.3 -j IN_V3_VPN
-A INPUT -i eth0.4 -j IN_V4_LANONLY
-A INPUT -i eth1 -j IN_ETH1
-A INPUT -i ppp0 -j IN_PPP0
-A INPUT -i tun0 -j IN_TUN0

# Track forwarded packets
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Pass forwarded packet to corresponding rule chain
-A FORWARD -i eth0 -j FWD_V1_MGMT
-A FORWARD -i eth0.2 -j FWD_V2_ISP
-A FORWARD -i eth0.3 -j FWD_V3_VPN
-A FORWARD -i eth0.4 -j FWD_V4_LANONLY
-A FORWARD -i eth1 -j FWD_ETH1
-A FORWARD -i ppp0 -j FWD_PPP0
-A FORWARD -i tun0 -j FWD_TUN0
-A OUTPUT -o ppp0 -j OUT_PPP0
-A OUTPUT -o tun0 -j OUT_TUN0

# Forward HTTP packets from network to modem
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.3.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Forward Bittorrent Port
-A FWD_TUN0 -d 192.168.3.30/32 -p tcp -m tcp --dport 20001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FWD_TUN0 -d 192.168.3.30/32 -p udp -m udp --dport 20001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Forward established packets to hosts in VLAN2/3 from Printer
-A FWD_V1_MGMT -s 192.168.4.9/32 -d 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FWD_V1_MGMT -s 192.168.4.9/32 -d 192.168.3.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Refuse to forward bogons from VLAN1 (Untagged Management)
-A FWD_V1_MGMT -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON

# Refuse to forward msft from VLAN1 (Untagged Management)
-A FWD_V1_MGMT -m set --match-set dropped-msft-ip-ipv4 dst -j LOG_DROP_MSFT

# Forward traffic from VLAN2 to Modem
-A FWD_V2_ISP -d 192.168.0.1/32 -j ACCEPT

# Forward traffic from VLAN2 to Printer
-A FWD_V2_ISP -d 192.168.4.9/32 -j ACCEPT

# Drop bogons from VLAN2
-A FWD_V2_ISP -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON

# Drop msft from VLAN2
-A FWD_V2_ISP -m set --match-set dropped-msft-ip-ipv4 dst -j LOG_DROP_MSFT

# Allow rest from VLAN2
-A FWD_V2_ISP -s 192.168.2.0/24 -j ACCEPT

# Forward traffic from VLAN3 to Modem
-A FWD_V3_VPN -d 192.168.0.1/32 -j ACCEPT

# Forward traffic from VLAN3 to Printer
-A FWD_V3_VPN -d 192.168.4.9/32 -j ACCEPT

# Allow rest from VLAN3
-A FWD_V3_VPN -s 192.168.3.0/24 -j ACCEPT

# Drop bogons from VLAN3
-A FWD_V3_VPN -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON

# Drop msft from VLAN3
-A FWD_V3_VPN -m set --match-set dropped-msft-ip-ipv4 dst -j LOG_DROP_MSFT

# Forward some exception to ppp0 from VLAN3
-A FWD_V3_VPN -s 192.168.3.0/24 -d <ip_of_exception>/32 -o ppp0 -j ACCEPT

# Allow in NTP from Router (this machine)
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Allow in HTTP from Router (this machine)
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Accept incoming tracked PPP0 connection
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Log dropped packets coming in on PPP0
# -A IN_PPP0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6
-A IN_PPP0 -j LOG_DROP

# Accept incoming tracked TUN0 connection
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Log dropped packets coming in on TUN0
# -A IN_TUN0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6
-A IN_TUN0 -j LOG_DROP

# Allow in established packets from Printer to hosts in VLAN2/3
-A IN_V1_MGMT -s 192.168.4.9/32 -d 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_V1_MGMT -s 192.168.4.9/32 -d 192.168.3.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# FreeRadius Clients (access point A & B)
-A IN_V1_MGMT -s 192.168.1.10/32 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_V1_MGMT -s 192.168.1.10/32 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_V1_MGMT -s 192.168.1.11/32 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_V1_MGMT -s 192.168.1.11/32 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Ubiquiti UAP Device Discovery Broadcast
-A IN_V1_MGMT -s 192.168.1.10/32 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_V1_MGMT -s 192.168.1.11/32 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_V1_MGMT -s 192.168.1.10/32 -p udp -m udp --dport 3478 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A IN_V1_MGMT -s 192.168.1.11/32 -p udp -m udp --dport 3478 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Allow rest in from VLAN1
-A IN_V1_MGMT -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Allow ssh in from VLAN2
-A IN_V2_ISP -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Allow DNS in from VLAN2
-A IN_V2_ISP -s 192.168.2.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

# ALLOW NTP in from VLAN2
-A IN_V2_ISP -s 192.168.2.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Allow rest from VLAN2
-A IN_V2_ISP -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Allow ssh in from VLAN3
-A IN_V3_VPN -s 192.168.3.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Allow DNS in from VLAN3
-A IN_V3_VPN -s 192.168.3.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

# Allow NTP in from VLAN3
-A IN_V3_VPN -s 192.168.3.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Allow rest from VLAN3
-A IN_V3_VPN -s 192.168.3.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Allow some exception direct from ppp0 to VLAN3
-A IN_V3_VPN -s 192.168.3.0/24 -d <ip_of_exception>/32 -o ppp0 -j ACCEPT

# Log dropped bogons that never got forwarded
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon forward (ipv4) " --log-level 6
-A LOG_DROP_BOGON -j DROP

# Log dropped msft tracking that never got forwarded
-A LOG_DROP_MSFT -j LOG --log-prefix "Dropped MSFT forward(ipv4) " --log-level 6
-A LOG_DROP_MSFT -j DROP

# Log rejected packets
-A LOG_REJECT_LANONLY -j LOG --log-prefix "Rejected packet from LAN only" --log-level 6
-A LOG_REJECT_LANONLY -j REJECT --reject-with icmp-port-unreachable
COMMIT

#
# Mangle Table
# This is the place where our markings happen, whether they be 0x1 or 0x2
#
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff

# If packet MARK is 2, then it means there is already a connection mark and the
# original packet came in on VPN
-A PREROUTING -s 192.168.3.0/24 -m mark --mark 0x2

# Check some exception are 0x1
-A PREROUTING -s 192.168.3.0/24 -d <ip_of_exception>/32 -m mark --mark 0x1

# Mark packets coming from 192.168.3.0/24 are 0x2
-A PREROUTING -s 192.168.3.0/24 -j MARK --set-xmark 0x2/0xffffffff

# If packet MARK is 1, then it means there is already a connection mark and the
# original packet came in on ISP
-A PREROUTING -s 192.168.2.0/24 -m mark --mark 0x1

# Mark packets 192.168.2.0/24 are 0x1
-A PREROUTING -s 192.168.2.0/24 -j MARK --set-xmark 0x1/0xffffffff

# Mark some exception as 0x1
-A PREROUTING -s 192.168.3.0/24 -d <ip_of_exception>/32 -j MARK --set-xmark 0x1/0xffffffff

# Strip mark if packet is destined for modem
-A PREROUTING -d 192.168.0.1/32 -j MARK --set-xmark 0x0/0xffffffff

# Strip mark if packet is destined for printer
-A PREROUTING -d 192.168.4.9/32 -j MARK --set-xmark 0x0/0xffffffff

# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT

ip6tables

You'll need to modify your prefix in one of the rules.

#########################################################################
# Uses 2001:0db8:1234:ffff::1/64 VLAN2 - route to ISP
#      fde4:8dba:82e1:fff3::1/64  VLAN3 - route to VPN
#########################################################################

#
# Raw Table
#
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Create a log drop chain
:LOG_DROP_BOGON - [0:0]

# Create output chains
:OUT_PPP0 - [0:0]
:OUT_TUN0 - [0:0]

# Allows my excepted ranges
-A PREROUTING -m set --match-set allowed-nets-ipv6 src,src -j ACCEPT

# Pass output interface to corresponding chain
-A OUTPUT -o ppp0 -j OUT_PPP0
-A OUTPUT -o tun0 -j OUT_TUN0
COMMIT

#
# NAT Table
# This is where translation of packets happens and "forwarding" of ports
# to specific hosts.
#
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Allows hosts of the network to use the VPN tunnel for IPv6
# Needs to be changed when change VPN server, use (ip a s tun0) scope global address
-A POSTROUTING -o tun0 -j SNAT --to-source fd48:0db8:c66d:8f7d:ffff:ffff:ffff:ffff:ff02
COMMIT

#
# Mangle Table
#
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Drop unusually large ping packets
-A PREROUTING -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m length --length 170:65535 -j DROP
COMMIT

#
# Filter Table
# This is where we decide to ACCEPT, DROP or REJECT things
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Create rule chain per input interface for forwarding packets
:FWD_ETH1 - [0:0]
:FWD_PPP0 - [0:0]
:FWD_TUN0 - [0:0]
:FWD_V1_MGMT - [0:0]
:FWD_V2_ISP - [0:0]
:FWD_V3_VPN - [0:0]
:FWD_V4_LANONLY - [0:0]

# Create rule chain per input interface for input packets (for host itself)
:IN_ETH1 - [0:0]
:IN_PPP0 - [0:0]
:IN_TUN0 - [0:0]
:IN_V1_MGMT - [0:0]
:IN_V2_ISP - [0:0]
:IN_V3_VPN - [0:0]
:IN_V4_LANONLY - [0:0]

# Create a drop/reject chains
:LOG_DROP - [0:0]
:LOG_DROP_BOGON - [0:0]
:LOG_REJECT_LANONLY - [0:0]

# Create an output chains
:OUT_PPP0 - [0:0]
:OUT_TUN0 - [0:0]

# Pass input packet to corresponding rule chain
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j IN_V1_MGMT
-A INPUT -i eth0.2 -j IN_V2_ISP
-A INPUT -i eth0.3 -j IN_V3_VPN
-A INPUT -i eth0.4 -j IN_V4_LANONLY
-A INPUT -i eth1 -j IN_ETH1
-A INPUT -i ppp0 -j IN_PPP0
-A INPUT -i tun0 -j IN_TUN0

# Track forwarded packets
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Pass forwarded packet to corresponding rule chain
-A FORWARD -i eth0 -j FWD_V1_MGMT
-A FORWARD -i eth0.2 -j FWD_V2_ISP
-A FORWARD -i eth0.3 -j FWD_V3_VPN
-A FORWARD -i eth0.4 -j FWD_V4_LANONLY
-A FORWARD -i eth1 -j FWD_ETH1
-A FORWARD -i ppp0 -j FWD_PPP0
-A FORWARD -i tun0 -j FWD_TUN0

# Rate limit ICMPv6 PING
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 30/min -j ACCEPT

# Pass output interface to corresponding chain
-A OUTPUT -o ppp0 -j OUT_PPP0
-A OUTPUT -o tun0 -j OUT_TUN0

# Forward VLAN2 to ISP
-A FWD_V2_ISP -s 2001:0db8:1234:ffff::/64 -j ACCEPT

# Forward VLAN3 to VPN
-A FWD_V3_VPN -o tun0 -j ACCEPT

# Accept incoming tracked PPP0 connection
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Log dropped packets coming in on PPP0
-A IN_PPP0 -j LOG_DROP

# Allow and rate limit ICMP
-A IN_PPP0 -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A IN_PPP0 -p ipv6-icmp -m limit --limit 30/sec -j ACCEPT

# Allow DHCPv6 PD on Link Local from ISP
-A IN_PPP0 -s fe80::/10 -p udp -m udp --sport 547 --dport 546 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Log dropped packets coming in on PPP0
-A IN_PPP0 -j LOG_DROP

# Accept incoming tracked TUN0 connection
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Log dropped packets on VPN
-A IN_TUN0 -j LOG_DROP

# Allow tracked connections in from ppp0 to VLAN2
-A IN_V2_ISP -s 2001:0db8:1234:ffff::/64 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Allow ICMP in from VLAN2
-A IN_V2_ISP -p ipv6-icmp -j ACCEPT

# Allow tracked connections in from tun0 to VLAN3
-A IN_V3_VPN -s fde4:8dba:82e1:fff3::/64 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Allow ICMP in from VLAN3
-A IN_V3_VPN -p ipv6-icmp -j ACCEPT
COMMIT

Add ip6tables to the default run level:

rc-update add ip6tables default

Router Advertisements

apk add radvd

Once radvd is installed, you may configure it:

/etc/radvd.conf

Note this will cause an IPv6 address to be routed to your systems. Those systems will now leak via IPv6 to the Internet if you're on a subnet like 192.168.2.0/24 using an aliased connection.

To mitigate this we would use VLANs, which behave as separate network interfaces. For that you need to replaced the unmanaged switch with a managed one, and each interface, eg eth0:2 with eth0.2.

interface eth0 {

  # We are sending advertisements (route)
  AdvSendAdvert on;

  # Suggested Maximum Transmission setting for using the
  # Hurricane Electric Tunnel Broker.
  # AdvLinkMTU 1480;

  # We have native Dual Stack IPv6 so we can use the regular MTU
  # http://blogs.cisco.com/enterprise/ipv6-mtu-gotchas-and-other-icmp-issues
  AdvLinkMTU 1500;

  prefix 2001:0db8:1234:b001::/64 {
    AdvOnLink on;
    AdvAutonomous on; # SLAAC based on EUI
    AdvRouterAddr on;
  };

  RDNSS 2001:0db8:1234:0001::1 {
  };
  # DNSSL example.id.au {
  # };
};

Add radvd to the default run level:

rc-update add radvd default

Enable Privacy extensions in /etc/sysctl.conf

When a client acquires an address through SLAAC its IPv6 address is derived from the advertised prefix and the MAC address of the network interface of the client. This may raise security concerns as the MAC address of the computer can be easily derived by the IPv6 address. In order to tackle this problem the IPv6 Privacy Extensions standard (RFC 4941) has been developed. With privacy extensions the kernel generates a temporary address that is mangled from the original autoconfigured address. Private addresses are preferred when connecting to a remote server so the original address is hidden. To enable Privacy Extensions reproduce the following steps:

# Enable IPv6 Privacy Extensions
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.nic0.use_tempaddr = 2
...
net.ipv6.conf.nicN.use_tempaddr = 2

Using DHCPv6

You may decide you want more control over your network address assignment. For this you'll need to use DHCPv6. DHCPv4 and DHCPv6 need to run on separate instances of DHCPD.

Make a symlink for the init script:

ln -s /etc/init.d/dhcpd /etc/init.d/dhcpdv6

Include it in the router provision file:

lbu include /etc/init.d/dhcpdv6

Copy the DHCP Daemon configuration file:

cp /etc/conf.d/dhcpd /etc/conf.d/dhcpdv6

Enable it to run on IPv6. DHCPD can only run on one IP protocol at a time. By default it defaults to IPv4.

sed -i 's/# DHCPD_OPTS=""/DHCPD_OPTS="-6"/g' /etc/conf.d/dhcpdv6

Copy the DHCP configuration file:

cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpdv6.conf

Change the owner of the configurations to the dhcp user and group

chown -R dhcp:dhcp /etc/dhcp

/etc/dhcp/dhcpdv6.conf

You will want to edit your MAC address in the host declarations. The client-id or DUID can be found in /etc/dhcpcd.duid when you've installed dhcpcd on your client.

You can also see it in /var/log/messages on your router when a client tries to authenticate on your network eg:

dhcpd: Advertise NA: address 2001:0db8:1234:0001::240 to client with duid <DEVICE DUID> iaid = <DEVICE IAID> valid for 43200 seconds

Currently Android does not have DHCPv6 support and Google seem unwilling to add it.

If you're using a version of dhcpcd below 6.9.3 you may need to set "ipv6ra_accept_nopublic" in your /etc/dhcpcd.conf.

authoritative;
ddns-update-style interim;

shared-network home {
  subnet6 2001:0db8:1234:0001::/64 {
    range6 2001:0db8:1234:0001::10 2001:0db8:1234:0001::240;
    range6 2001:0db8:1234:0001:: temporary;
    option dhcp6.name-servers 2001:0db8:1234:0001::1;
    option dhcp6.sntp-servers 2001:0db8:1234:0001::1;
    allow unknown-clients;
  }

  subnet6 fde4:8dba:82e1:ffff::/64 {
    range6 fde4:8dba:82e1:ffff::10 fde4:8dba:82e1:ffff::240;
    range6 fde4:8dba:82e1:ffff:: temporary;
    option dhcp6.name-servers 2001:0db8:1234:0001::1;
    option dhcp6.sntp-servers 2001:0db8:1234:0001::1;
    ignore unknown-clients;
  }
}

host Gaming_Computer {
  hardware ethernet 00:53:00:FF:FF:11;;
  host-identifier option dhcp6.client-id <YOUR_DUID>;
  fixed-address6 2001:0db8:1234:0001::20;
  fixed-prefix6 2001:0db8:1234:0001::/64;
  option dhcp6.name-servers 2001:0db8:1234:0001::1;
  option dhcp6.sntp-servers 2001:0db8:1234:0001::1;
}

host Linux Workstation {
  hardware ethernet 00:53:00:FF:FF:22;;
  host-identifier option dhcp6.client-id <YOUR_DUID>;
  fixed-address6 fde4:8dba:82e1:ffff::21;
  fixed-prefix6 2001:0db8:1234:0001::/64;
  option dhcp6.name-servers 2001:0db8:1234:0001::1;
  option dhcp6.sntp-servers 2001:0db8:1234:0001::1;
}

/etc/radvd.conf

Finally you'll want to change add "AdvManagedFlag", and "AdvOtherConfigFlag". You will also want to toggle "AdvAutonomous" to off if you do not want IPs generated by SLAAC based on EUI.

interface eth0 {

  # We are sending advertisements (route)
  AdvSendAdvert on;

  # When set, host use the administered (stateful) protocol
  # for address autoconfiguration. The use of this flag is
  # described in RFC 4862
  AdvManagedFlag on;

  # When set, host use the administered (stateful) protocol
  # for address autoconfiguration. For other (non-address)
  # information.
  # The use of this flag is described in RFC 4862
  AdvOtherConfigFlag on;

  # Suggested Maximum Transmission setting for using the
  # Hurricane Electric Tunnel Broker.
  # AdvLinkMTU 1480;

  # We have native Dual Stack IPv6 so we can use the regular MTU
  # http://blogs.cisco.com/enterprise/ipv6-mtu-gotchas-and-other-icmp-issues
  AdvLinkMTU 1500;

  prefix 2001:0db8:1234:0001::/64 {
    AdvOnLink on;
    AdvAutonomous off;
    AdvRouterAddr on;
  };

  # RDNSS 2001:0db8:1234:0001::1 {
  # };
  # DNSSL example.id {
  # };
};