Altibox 6rd on OPNsense

From uCtrl
This post has been in my drafts folder since I first set up 6rd on OPNsense 18.7 in August 2018. The 6rd implementation has not been painless:

At the time of publishing this post, I am in the process of replacing OPNsense with the Ubiquiti EdgeRouter 4. I’m hoping it will be more stable.

Dell Optiplex 9010 SFF with OPNsense sticker

Drop the "modem"

If your Altibox router/modem is in bridge mode, meaning it’s not a router, it doesn’t do much. Altibox uses VLANs to split IPTV and internet traffic:

  • VLAN 101: IPTV
  • VLAN 102: Internet

The only thing this box does, in bridge mode, is split these two VLANs to different Ethernet ports. So you don’t need it.

In the Interfaces: Other Types: VLAN menu, I created a new VLAN interface:

OPNsense VLAN interface menu

Then I assigned that VLAN interface to the WAN port:

OPNsense WAN interface assignment

In the Interfaces: [WAN] menu, I cloned the MAC address of the Altibox router/modem box. I’m not sure this is required, but I did it to be sure:

OPNsense WAN setup menu

And that was it :)

IPv6 with 6rd tunnel

WAN

Setting up 6rd on the WAN interface was easy. In the Interfaces: [WAN] menu, I set IPv6 Configuration Type to 6rd Tunnel and put in ISP settings:

OPNsense WAN IPv6 type selection

OPNsense WAN 6rd configuration menu

I found these settings on the Altibox website.

A new gateway appeared on my OPNsense dashboard: WAN_6RD. But my WAN interface did not get an IPv6 address… Or at least none was shown on the dashboard.

OPNsense gateway dashboard

I tried pinging an IPv6 IP and DNS from the Interfaces: Diagnostics: Ping menu, and it was successful.

16 bytes from 2a03:2880:f10a:83:face:b00c:0:25de, icmp_seq=0 hlim=56 time=9.370 ms
16 bytes from 2a03:2880:f10a:83:face:b00c:0:25de, icmp_seq=1 hlim=56 time=9.396 ms
16 bytes from 2a03:2880:f10a:83:face:b00c:0:25de, icmp_seq=2 hlim=56 time=9.401 ms

--- facebook.com ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 9.370/9.389/9.401/0.014 ms

So the 6rd configuration seemed to work even though I could not see any IPv6 address on the WAN interface. Alright, on to the next step.

LAN

Now I needed my clients to get a working IPv6 configuration as well. In the Interfaces: [LAN] menu, I set IPv6 Configuration Type to SLAAC on the LAN interface. But nothing happened. It didn’t work!

I’d read on Reddit and the OPNsense forum that people were using the Track Interface option, so I tried that.

OPNsense LAN IPv6 type selection

That didn’t work either. I tried rebooting the OPNsense router, and the clients still didn’t work. I tried disabling and enabling it numerous times, but the result was the same. It didn’t work.

Throughout my testing, I’d left the IPv6 Prefix ID on 0, as it was the default. And I didn’t understand what this parameter was.

I scratched my head for a few days, trying to find articles and posts regarding OPNsense and 6rd. I noticed that the IPv6 Prefix ID was sometimes set to 1, instead of 0. Alright, let’s try that.

OPNsense LAN IPv6 track menu

BAM! My LAN interface suddenly got an IPv6 IP! :D

OPNsense LAN interface information

Finishing up

Now a few more things were needed to complete the IPv6 setup:

First, I added IPv6 DNS servers in the System: Settings: General menu.

OPNsense DNS servers menu

Next, I opened ICMP to all in the WAN firewall. With IPv6, the clients must respond to ICMP requests.

OPNsense IPv6 ICMP firewall rule

Lastly, I made sure that I had a rule in the LAN firewall that allowed incoming IPv6 traffic.

OPNsense IPv6 LAN incoming firewall rule

Regarding the IPv6 Prefix ID

You get a /62 network from Altibox, which is four /64s, so four LANs. It’s these LANs, or subnets, that are selected using the IPv6 Prefix ID setting. So each interface must use a different prefix.

In my testing, IPv6 would stop working on all interfaces if I set the prefix to 0 on any one of them. That leads me to suspect that the WAN interface is using the 0 prefix, even though this is not visible on the OPNsense dashboard. That could be because of 6rd; I’m not sure.

That leaves me with three available prefixes: 1, 2, and 3. So, in addition to my LAN, I can also have two VLANs with IPv6.
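The prefix arithmetic behind this section, as an added example (not code from the original post or from OPNsense): it builds the delegated prefix the way RFC 5969 defines it and selects the /64 for each Prefix ID. The 6rd prefix 3fff::/30 and WAN address 192.0.2.1 are constructed documentation values, not Altibox's settings, and the function and interface names are hypothetical.

```python
import ipaddress

def sixrd_delegated_prefix(sixrd_prefix, wan_ipv4, ipv4_mask_len=0):
    """RFC 5969: 6rd prefix bits followed by the low (32 - mask) bits of the WAN IPv4."""
    net = ipaddress.IPv6Network(sixrd_prefix)
    v4_bits = 32 - ipv4_mask_len
    suffix = int(ipaddress.IPv4Address(wan_ipv4)) & ((1 << v4_bits) - 1)
    plen = net.prefixlen + v4_bits
    if plen > 64:
        raise ValueError("delegated prefix is longer than /64; no room for a LAN")
    base = int(net.network_address) | (suffix << (128 - plen))
    return ipaddress.IPv6Network((base, plen))

def lan_prefix(delegated, prefix_id):
    """The /64 that a given IPv6 Prefix ID selects inside the delegated prefix."""
    count = 1 << (64 - delegated.prefixlen)  # a /62 holds four /64s
    if not 0 <= prefix_id < count:
        raise ValueError(f"Prefix ID {prefix_id} outside 0..{count - 1}")
    base = int(delegated.network_address) + (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))

def plan_interfaces(delegated, assignments, avoid=(0,)):
    """Map interface name -> /64, refusing duplicate IDs and IDs listed in `avoid`.

    avoid=(0,) mirrors the post's observation that ID 0 broke IPv6 for the
    author; it is an assumption of this example, not a 6rd rule.
    """
    used, plan = {}, {}
    for name, pid in assignments.items():
        if pid in avoid:
            raise ValueError(f"{name}: Prefix ID {pid} is in the avoid list")
        if pid in used:
            raise ValueError(f"{name}: Prefix ID {pid} already used by {used[pid]}")
        used[pid] = name
        plan[name] = lan_prefix(delegated, pid)
    return plan

if __name__ == "__main__":
    # Constructed values from documentation ranges (RFC 9637 and RFC 5737).
    delegated = sixrd_delegated_prefix("3fff::/30", "192.0.2.1")
    print("delegated:", delegated)
    wanted = {"LAN": 1, "VLAN10": 2, "VLAN20": 3}  # hypothetical interfaces
    for name, net in plan_interfaces(delegated, wanted).items():
        print(f"{name:7} {net}")
```

With a /30 6rd prefix and the full 32-bit IPv4 address embedded, the result is a /62, which matches the four /64s described above.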

Pitfalls

In my experience, it’s a good idea to reboot OPNsense after changing IPv6 interface settings. Sometimes the changes wouldn’t take until a reboot; this made it confusing to debug.

When messing with the IPv6 LAN interface settings, the clients got multiple IPv6 addresses and gateways, of which only one worked. That wrongly made me think my configuration was bad on a couple of occasions, even though the settings may have been correct. So make sure to release and renew the IPv6 settings on the clients after changing something.

If the clients have a firewall, this may prevent the IPv6 ICMP traffic from reaching them. Make sure to poke an opening.