Solved can’t get ipv6 to work on my gateway (behind a freebox)

Hello,

I’m running a FreeBSD (13.2-RELEASE-p2) gateway between my LAN and internet.
On the WAN side (em1) it’s hooked to a freebox (the fiber "modem" of my provider) setup in bridge mode.

Relevant rc configuration:
Code:
ifconfig_em1="DHCP"

gateway_enable="YES"

ifconfig_em0="inet 192.168.0.1 netmask 255.255.255.0"

wlans_ath0="wlan0"
create_args_wlan0="wlanmode hostap country FR chanlist 12-13"
ifconfig_wlan0="inet 192.168.1.1 netmask 255.255.255.0 ssid boleskine up"

cloned_interfaces="bridge0"
ifconfig_bridge0="inet 192.168.2.1 netmask 255.255.255.0 up"

pf_enable="YES"

On the freebox management web GUI I have 8 /64 subnets I can use. In order to use one of them I must fill in em1’s inet6 local link address in the next hop field. See image below.

Screenshot 2023-09-03 at 17.03.36.png

So:
- I execute sudo ifconfig em1 inet6 -ifdisabled to activate inet6 and get the local link address for em1 that I paste in the next hop field of one of these /64 subnets
- I add this to my rc.conf:
Code:
ifconfig_em1_ipv6="inet6 accept_rtadv"
rtsold_enable="YES"
- I reboot

After the reboot I have:

Code:
em1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=481249b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LRO,WOL_MAGIC,VLAN_HWFILTER,NOMAP>
    ether 70:54:xx:xx:xx:xx
    inet6 fe80::7254:d2ff:yada:yada%em1 prefixlen 64 scopeid 0x2
    inet6 2a01:e34:lala:lili:lulu:lele:lolo:lyly prefixlen 64 autoconf
    inet 78.bbb.ccc.ddd netmask 0xffffff00 broadcast 78.bbb.ccc.255
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

and it appears to be OK, but:

Code:
# ping -6 google.com
PING6(56=40+8+8 bytes) 2a01:e34:lala:lili:lulu:lele:lolo:lyly --> 2a00:1450:4007:807::200e
ping: sendmsg: Permission denied
ping6: wrote google.com 16 chars, ret=-1
ping: sendmsg: Permission denied
ping6: wrote google.com 16 chars, ret=-1
…

I’ve tried countless things but never got a working setup… Any help appreciated!
 
Hello patpro

It looks like you are almost there since you have ipv6 addresses but I don't know how the freebox behaves in bridge mode, are you using VDSL on that? If not and it is fibre like you mentioned then might be better off removing the freebox and using the FreeBSD box as router instead? You have good pf.conf rules especially for ipv6?

As it stands perhaps your firewall (or freebox) is blocking IPv6 ICMP packets outbound?

Try adding into your pf.conf rules ... pass out quick on $ext_if inet6 all keep state
 
Code:
gateway_enable="YES"
This turns on routing for IPv4 only. If you need to route IPv6 you also need ipv6_gateway_enable="YES".

might be better off removing the freebox and using the FreeBSD box as router instead?
I agree. Got fiber recently, never used the modem/router the ISP gave me. It's all terminated on my FreeBSD firewall.
 
My fiber provider uses PPPoE over a VLAN (as do a lot of other fiber providers in the Netherlands). It was just a matter of setting this up correctly.
 
My fiber provider uses PPPoE over a VLAN (as do a lot of other fiber providers in the Netherlands). It was just a matter of setting this up correctly.
so you don't actually have the fiber in your home, i understand. that used to be the case around here some years ago, you got utp copper and pppoe but the fiber terminated somewhere outside.
now you get internet, catv and phone land line over the same fiber which ends in operators "router". some models can't be switched to bridge mode unless you "root it" and then you are on your own
 
so you don't actually have the fiber in your home, i understand.
I do. This is the FTU, inside my house. I need to attach an NT (active unit, converts fiber to ethernet). From there it's just ethernet cat 5 to my FreeBSD firewall (or the modem/router they give you).

 
here my last 50 metres is twisted pair wires (old phone cable) but I could upgrade to fibre to the house, not sure what it has to do with Ipv6 issues


Code:
$ ping -6 google.com
PING6(56=40+8+8 bytes) 2403:5808:812c:1:24b0:60cd:6e61:d5c0 --> 2404:6800:4006:804::200e
16 bytes from 2404:6800:4006:804::200e, icmp_seq=0 hlim=119 time=6.089 ms
16 bytes from 2404:6800:4006:804::200e, icmp_seq=1 hlim=119 time=5.841 ms
16 bytes from 2404:6800:4006:804::200e, icmp_seq=2 hlim=119 time=6.466 ms
16 bytes from 2404:6800:4006:804::200e, icmp_seq=3 hlim=119 time=6.194 ms
^C
 
not sure what it has to do with Ipv6 issues
Take out the ISP modem/router. Even if it's in "bridge" mode it's not really in 'bridge' mode, it interferes and only passes along certain things. My old cable provider modem could also be set in 'bridge' mode. This worked fine for IPv4, but IPv6 was never passed through.
 
Probably way off topic now, I did raise concerns with the OP freebox (I am not sure what it is)

Happy to give some IPv6 direction if it is needed

Just another FreeBSD fan :)
 
juha you have FTTC (Fibre to the Curb/Cabinet). The last stretch from a central box to your home is done over the existing (old) copper telephone wires. Usually with some xDSL protocol. Then it's going to be difficult to replace/remove the modem/router.

If you have FTTH (and AON, not GPON) you can simply take out the modem and plug the RJ45 directly in your FreeBSD box. Which is what I did.
 
I do. This is the FTU, inside my house. I need to attach an NT (active unit, converts fiber to ethernet). From there it's just ethernet cat 5 to my FreeBSD firewall (or the modem/router they give you).

you still have an operator box which does that, bridges gpon to ethernet
on many setups that part is integrated with the router / wifi / pstn / catv and what not
someone on the forum (i think from spain) tried to bypass that altogether by using a gpon sfp (aliexpress sourced) in his sfp capable nic (mellanox or chelsio can't remember)
can't remember if it worked in the end or not but it included support from the operator and such
 
SirDice, yep I thought you were in Australia

For the OP I can give some advice ... it may be different for your ISP and what they expect, maybe a start, this may also give your LAN clients ipv6 so be aware ...

Code:
$ sysctl -a | grep forwarding
net.inet.ip.forwarding: 1
net.inet6.ip6.forwarding: 1

$ sysctl -a | grep redirect
net.inet6.ip6.redirect: 1


$ cat /etc/pf.conf
ext_if = "re0"
int_if = "em0"

pass in quick on $ext_if inet6 proto udp to port dhcpv6-client
pass in quick on $ext_if inet6 proto icmp6 to any icmp6-type { neighbradv, neighbrsol, routeradv, routersol, echoreq } #no state
pass out quick on $ext_if inet6 all keep state


$ cat /usr/local/etc/dhcp6c.conf
interface re0 {
     send ia-pd 0;
     send ia-na 1;
};

id-assoc na 1 {
};

id-assoc pd {
  prefix-interface em0 {
    sla-id 1;
  };
};



$ cat /etc/rtadvd.conf
em0:\
    :prefixlen#64:


/etc/rc.conf
ipv6_cpe_wanif="re0"
ipv6_gateway_enable="YES"
ifconfig_re0_ipv6="inet6 -ifdisabled accept_rtadv"
ifconfig_em0_ipv6="inet6 -accept_rtadv"
dhcp6c_enable="YES"
dhcp6c_interfaces="re0"
rtadvd_enable="YES"
rtadvd_interfaces="em0"
#ipv6_privacy="YES"
 
Hello patpro

It looks like you are almost there since you have ipv6 addresses but I don't know how the freebox behaves in bridge mode, are you using VDSL on that? If not and it is fibre like you mentioned then might be better off removing the freebox and using the FreeBSD box as router instead? You have good pf.conf rules especially for ipv6?

As it stands perhaps your firewall (or freebox) is blocking IPv6 ICMP packets outbound?

Try adding into your pf.conf rules ... pass out quick on $ext_if inet6 all keep state

Hello!

Thanks a lot, you nailed it. It was a problem with PF :(
I’ve tested the pass out rule for inet6 and boom, it worked!

I can’t ditch the freebox yet, it provides telephone and some TV services that someone in the household does not want to let go, yet :)
 
For the OP I can give some advice ... it may be different for your ISP and what they expect, maybe a start, this may also give your LAN clients ipv6 so be aware ...

(snip)

Interesting, thank you, I’ll play with that later as I plan to provide IPv6 to my LAN :)
 
patpro, yeah bear in mind ipv6 doesn't care about them ipv4 NAT rules!

A good time to block unwanted guests ...
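
The thread's fix opens outbound IPv6, and the last reply's point is that LAN hosts with global addresses have no NAT in front of them. The pf.conf fragment below is an added example, not from any poster: it pairs the outbound rule with inbound filtering on the WAN. It assumes em1 is the WAN interface (as in the original post's rc.conf) and that no later rule in the ruleset overrides these.

```pf
# Added example, not from any post in the thread.
# Assumption: em1 is the WAN interface, as in the original post's rc.conf.
ext_if = "em1"

# The thread's fix: IPv6 leaving through the WAN is allowed and tracked,
# so replies match the state and come back in without a separate rule.
# ICMPv6 errors that refer to a tracked connection (for example Packet
# Too Big) are matched by that connection's state as well.
pass out quick on $ext_if inet6 all keep state

# No NAT stands in front of LAN hosts holding global addresses, so
# unsolicited inbound IPv6 is dropped (and logged to pflog0) here,
# whether it targets the gateway itself or is about to be forwarded.
block in log on $ext_if inet6 all

# Router advertisements must come from a link-local source (RFC 4861);
# rtsold/SLAAC on the WAN depends on them.
pass in quick on $ext_if inet6 proto icmp6 from fe80::/10 to any icmp6-type routeradv

# Neighbor discovery, without which the upstream router cannot resolve
# the gateway's link-layer address.
pass in quick on $ext_if inet6 proto icmp6 from any to any icmp6-type { neighbrsol, neighbradv }

# Optional: let the gateway's own addresses answer ping6 from outside.
pass in quick on $ext_if inet6 proto icmp6 from any to ($ext_if) icmp6-type echoreq
```

After loading, `pfctl -sr` lists the active rules and `tcpdump -n -e -ttt -i pflog0 ip6` shows what the block rule is dropping.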
 