Dropping the Altibox router/modem, and getting IPv6 using 6rd to work on OPNsense.
This post has been in my drafts folder since I first set up 6rd on OPNsense 18.7 in August 2018. The 6rd implementation has not been painless:
- I completely lost all internet connectivity when upgrading to 19.1.
- 6rd has stopped working again on 19.7.
At the time of publishing this post, I am in the process of replacing OPNsense with the Ubiquiti EdgeRouter 4. I’m hoping it will be more stable.
Table of contents
If your Altibox router/modem is in bridge mode, meaning it’s not a router, it doesn’t do much. Altibox uses VLANs to split IPTV and internet traffic;
- VLAN 101: IPTV
- VLAN 102: Internet
The only thing this box does, in bridge-mode, is split these two VLANs to different Ethernet ports. So you don’t need it.
Interfaces: Other Types: VLAN menu, I created a new VLAN interface:
Then I assigned that VLAN interface to the WAN port:
Interfaces: [WAN] menu, I cloned the MAC address of the Altibox router/modem box. I’m not sure this is required, but I did it to be sure:
And that was it 😃
Setting up 6rd on the WAN interface was easy. In the
Interfaces: [WAN] menu, I set
IPv6 Configuration Type to
6rd Tunnel and put in ISP settings:
I found these settings on the Altibox website.
A new gateway appeared on my OPNsense dashboard;
WAN_6RD. But my WAN interface did not get an IPv6 IP… Or at least none was shown on the dashboard.
I tried pinging an IPv6 IP and DNS from the
Interfaces: Diagnostics: Ping menu, and it was successful.
16 bytes from 2a03:2880:f10a:83:face:b00c:0:25de, icmp_seq=0 hlim=56 time=9.370 ms 16 bytes from 2a03:2880:f10a:83:face:b00c:0:25de, icmp_seq=1 hlim=56 time=9.396 ms 16 bytes from 2a03:2880:f10a:83:face:b00c:0:25de, icmp_seq=2 hlim=56 time=9.401 ms --- facebook.com ping6 statistics --- 3 packets transmitted, 3 packets received, 0.0% packet loss round-trip min/avg/max/std-dev = 9.370/9.389/9.401/0.014 ms
So the 6rd configuration seemed to work even though I could not see any IPv6 IP on the WAN interface. Alright on to the next step.
Now I needed my clients to get a working IPv6 configuration as well. In the
Interfaces: [LAN] menu, I set
IPv6 Configuration Type to
SLAAC on the LAN interface. But nothing happened. It didn’t work!
I’d read on Reddit and the OPNsense forum that people were using the
Track Interface option, so I tried that.
That didn’t work either. I tried rebooting the OPNsense router, and the clients still didn’t work. I tried disabling and enabling it numerous times, but the result was the same. It didn’t work.
Throughout my testing, I’d left the
IPv6 Prefix ID on
0, as it was the default. And I didn’t understand what this parameter was.
I scratched my head for a few days, trying to find articles and posts regarding OPNsense and 6rd. I noticed that the
IPv6 Prefix ID was sometimes set to
1, instead of
0. Alright, let’s try that.
BAM! My LAN interface suddenly got an IPv6 IP! 😄
Now a few more things were needed to complete the IPv6 setup:
First, I added IPv6 DNS servers in the
System: Settings: General menu.
Next, I opened ICMP to all in the WAN firewall. With IPv6, the clients must respond to ICMP requests.
Lastly, I made sure that I had a rule in LAN firewall the allowed incoming IPv6 traffic.
You get a /62 network from Altibox, which is four /64. So four LANs. It’s these LANs or subnets, that is selected using the
IPv6 Prefix ID setting. So each interface must use a different prefix.
In my testing, IPv6 would stop working on all interfaces if I set the prefix to
0 on any one of them. That leads me to suspect that the WAN interface is using the
0 prefix, even though this is not visible on the OPNsense dashboard. That could be because of 6rd; I’m not sure.
That leaves me with three available prefixes;
3. So, in addition to my LAN, I can also have two VLANs with IPv6.
In my experience, it’s a good idea to reboot OPNsense after changing IPv6 interface settings. Sometimes the changes wouldn’t take until a reboot; this made it confusing to debug.
When messing with the IPv6 LAN interface settings, the clients got multiple IPv6 addresses and gateways, of which only one worked. That wrongly made me think my configuration was bad on a couple of occasions, even though the settings may have been correct. So make sure to release and renew the IPv6 settings on the clients after changing something.
If the clients have a firewall; this may prevent the IPv6 ICMP traffic from reaching them. Make sure to poke an opening.
Last commit 2022-08-06, with message: add summary and emojies to older posts