Solved replaced the ISP fiber modem with TP-Link MC220L : no more IPv6

Hello,

I have this setup:

FreeBSD server acting as a router/fw behind my ISP Fiber modem (bridge mode)

Code:
ifconfig_em1="DHCP"
ifconfig_em1_ipv6="inet6 accept_rtadv"
rtsold_enable="YES"

It gives me working IPv4 and IPv6

I’ve removed the modem and put a TP-Link MC220L, then set up the FreeBSD interface like this:

Code:
ifconfig_em1="up"
vlans_em1="836"
ifconfig_em1_836="DHCP"
ifconfig_em1_836_ipv6="inet6 accept_rtadv"
rtsold_enable="YES"

IPv4 works great but I can’t get IPv6:

Code:
# ifconfig em1.836
em1.836: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=4600403<RXCSUM,TXCSUM,LRO,RXCSUM_IPV6,TXCSUM_IPV6,MEXTPG>
    ether 70:****
    inet 78.**** netmask 0xffffff00 broadcast 78.****
    inet6 fe80::****%em1.836 prefixlen 64 scopeid 0x6
    groups: vlan
    vlan: 836 vlanproto: 802.1q vlanpcp: 0 parent interface: em1
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>


Edit: apparently my ISP modem has a 6rd role, and once it’s gone it’s probably up to FreeBSD to take over. I don’t know how :(
For the record my router runs FreeBSD 14.2-RELEASE.

Any idea?
 
Do you mean I should replace

Code:
ifconfig_em1_836_ipv6="inet6 accept_rtadv"

with

Code:
ifconfig_em1_836_ipv6="DHCPv6"
 
What says / changes after
Code:
rtsol em1.836
?
First of all, you must know what method your ISP uses for ipv6, ipoe/pppoe, prefixes (/48, /56 or /64), slaac/dhcpv6...
What about firewall? Don't forget, you must allow icmpv6, packets for DHCPv6, and be sure to make NAT only for 'inet' family.

For example: my ISP gives me /56 thru PPPoE, so I use ppp, dhcpcd in ipv6only mode to get SLA 0 with /48 and rtadvd for LAN.
 
What says / changes after
Code:
rtsol em1.836
?

it says nothing and nothing changes, with -d I got this:
Code:
# rtsol -d em1.836
rtsol: No answer after sending 3 RSs

As far as I understand my ISP, I’ll have to play with 6rd. Luckily it seems to be native in FreeBSD 14.2, but I still have to figure out exactly what to try. In the meantime I’ll try with net/dhcp6

Edit: dhcp6 does not work, but I’ve found a Linux how-to that I’ll try to adapt. It’s a tough one as it uses iptables on OpenWRT https://watchmysys.com/blog/2019/04/6rd-on-free/ but if anyone knows how to do the same on FreeBSD 14.2, that would be helpful :)
 
I’ve made some progress but I’m not out of the woods yet.

rc.conf content related to WAN interface:
Code:
# without ISP box
ifconfig_em1="up"
vlans_em1="836"
ifconfig_em1_836="SYNCDHCP"
cloned_interfaces="stf0"
ifconfig_stf0_ipv6="inet6 accept_rtadv 2a01:e34:xxxx:yyyy::/64"
create_args_stf0="mtu 1480 stfv4net A.B.C.D/32 stfv4br 192.88.99.101 link2"
ifconfig_stf0="up"
ipv6_defaultrouter="-iface stf0"
rtsold_enable="YES"

# with ISP box
#ifconfig_em1="up"
#ifconfig_em1="DHCP"
#ifconfig_em1_ipv6="inet6 accept_rtadv"
#rtsold_enable="YES"
 18 #rtsold_enable="YES"

This config corresponds to the last example in stf(4). If I understand correctly the modem of my ISP acts as a “6rd Customer Edge (CE)”, and now that I’ve replaced it by a dumb fiber-to-ethernet converter my FreeBSD router must become the “6rd CE”. I might be wrong, though, but the howto about openWRT with the same ISP shows the 6rd tunnel is needed.

Unfortunately it fails at boot time: stf0 is not created.

After boot I can create stf0 and a /etc/netstart ensures the config. The result is still broken for some reason (probably a problem in my pf.conf, for later).

Right now I would like to create+configure stf0 at boot-time. Any idea why it fails? (no trace in dmesg -a except for the error route: interface 'stf0' does not exist).
 
That's strange, I've just copied your /etc/rc.conf settings to a FreeBSD 14.2 VM and the stf0 interface gets created at boot without any errors.
Do you maybe have another "cloned_interfaces" statement somewhere in your /etc/rc.conf?
If possible, can you post your full /etc/rc.conf (with any private info removed, of course)?
 
You are absolutely right! I do have another cloned_interfaces line later in the file :(
It's for the internal bhyve/jail bridge.
I didn’t realize only one is allowed. Hence replacing:
Code:
cloned_interfaces="stf0"
../..
cloned_interfaces="bridge0"

with:
Code:
cloned_interfaces="bridge0 stf0"

works way better! Thanks.
Now I don’t need to create stf0 before running /etc/netstart so I’m confident that it’ll do the trick at boot-time.

Also, adding
Code:
pass out on $stf_if inet6 all keep state
to pf.conf helps a lot, as I can now ping6, curl -6, etc.

But I still don’t have my public IPv6 address on my WAN interface, meaning I’m not reachable via inet6…
Nah, wrong bit of config on my side. Replacing the short prefix in ifconfig_stf0_ipv6="inet6 accept_rtadv 2a01:e34:xxxx:yyyy::/64" by the expected public IPv6 address does the trick.
That is a bit counterintuitive, and I feel it's cheating (and fragile) to manually set up IP addresses that are supposed to be dynamically obtained. Anyway they are static, so not a big deal.
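
The duplicate `cloned_interfaces` problem above can be caught before a reboot. The following is an added example, not code from the thread: the function name `find_dup_vars` and the sample file are constructed for illustration, using the rc.conf lines quoted in the posts.

```shell
#!/bin/sh
# Added example (not from the thread): list rc.conf variables assigned more
# than once. rc.conf is sourced as shell, so only the last assignment is used.

# find_dup_vars [FILE...]  (reads stdin when no file is given)
find_dup_vars() {
    awk '
        # NAME=value at the start of a line; "#..." lines never match
        match($0, /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/) {
            name = substr($0, RSTART, RLENGTH - 1)
            sub(/^[ \t]+/, "", name)
            value = substr($0, RSTART + RLENGTH)
            if (name in line)
                printf "%s: line %d (%s) overrides line %d (%s)\n",
                       name, NR, value, line[name], val[name]
            line[name] = NR
            val[name] = value
        }
    ' "$@"
}

# Constructed sample built from the rc.conf lines quoted in this thread.
sample_rc_conf() {
cat <<'EOF'
# WAN side
ifconfig_em1="up"
vlans_em1="836"
cloned_interfaces="stf0"
create_args_stf0="mtu 1480 stfv4net A.B.C.D/32 stfv4br 192.88.99.101 link2"
rtsold_enable="YES"
#cloned_interfaces="commented out, ignored"
cloned_interfaces="bridge0"
EOF
}

sample_rc_conf | find_dup_vars
```

On a real system the function would be run as `find_dup_vars /etc/rc.conf`.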
 
Ok so before change:

LAN---[freebsd router]---[ISP box in bridge mode]---internet

freebsd rc.conf WAN related lines:

Code:
ifconfig_em1="up"
ifconfig_em1="DHCP"
ifconfig_em1_ipv6="inet6 accept_rtadv"
rtsold_enable="YES"
cloned_interfaces="bridge0"

em1 has both IPv4 and IPv6 addresses, both dynamically obtained.

After change:

LAN---[freebsd router]---[TP-Link MC220L]---internet

freebsd rc.conf WAN related lines:

Code:
ifconfig_em1="up"
vlans_em1="836"
ifconfig_em1_836="SYNCDHCP"
ifconfig_stf0_ipv6="inet6 accept_rtadv 2a01:e34:A:B:C:D:E:F/64"
create_args_stf0="mtu 1480 stfv4net W.X.Y.Z/32 stfv4br 192.88.99.101 link2"
ipv6_defaultrouter="-iface stf0"
rtsold_enable="YES"
cloned_interfaces="bridge0 stf0"

em1 has no IP address.
em1.836 has IPv4 address dynamically obtained.
stf0 has IPv6 address statically assigned.

2a01:e34:A:B:C:D:E:F is my static IPv6 address, as obtained before change.
Note that "2a01:e3" is ISP prefix, "4:A:B" is HEX form of WAN IPv4 address "W.X.Y.Z" (see https://www.browserling.com/tools/ip-to-hex).
192.88.99.101 is the 6rd endpoint of my ISP (see https://watchmysys.com/blog/2019/04/6rd-on-free for method to retrieve that address).

I could have used:

Code:
ifconfig_stf0_ipv6="inet6 accept_rtadv 2a01:e34:A:B::/64"

but then my WAN IPv6 would have been different from the one I’ve had previously and that is used in DNS glue records, web server config, etc.

pf.conf must be tuned accordingly since IPv6 is no longer on the same interface as IPv4, and WAN IPv4 interface has moved from em1 to em1.836

So far, everything is working, but I’m not so sure about the stf0 config and especially the security of the 6rd tunnel.
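
The address derivation described in the last post can be scripted instead of using a web converter. This is an added example, not code from the thread: it assumes the post's "2a01:e3" is a 28-bit 6rd prefix (2a01:e30::/28) with all 32 IPv4 bits embedded, which gives a /60, and uses the constructed address 78.1.2.3. Because the prefix is computed from the WAN IPv4 address, the second function shows whether a hard-coded stf0 address still corresponds to the current lease.

```shell
#!/bin/sh
# Added example (not from the thread): derive the 6rd delegated prefix from the
# WAN IPv4 address, then check that a configured stf0 address lies inside it.
# Assumptions: 28-bit ISP prefix 2a01:e30::/28 (the post's "2a01:e3") and all
# 32 IPv4 bits embedded, giving a /60. 78.1.2.3 is a constructed address.

SIXRD_PREFIX28=0x2a010e3        # the 28 ISP prefix bits, right-aligned

# sixrd_prefix V4ADDR -> e.g. 2a01:e34:e010:2030::/60
sixrd_prefix() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    v4=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    # 28 + 32 = 60 significant bits, left-aligned in a 64-bit network part
    hi=$(( ($SIXRD_PREFIX28 << 4) | (v4 >> 28) ))
    lo=$(( (v4 << 4) & 0xffffffff ))
    printf '%x:%x:%x:%x::/60\n' \
        $(( hi >> 16 )) $(( hi & 0xffff )) $(( lo >> 16 )) $(( lo & 0xffff ))
}

# sixrd_matches V4ADDR V6ADDR -> exit 0 if V6ADDR is inside the derived /60.
# Assumes the first four groups of V6ADDR are written out (no "::" in them).
sixrd_matches() {
    want=$(sixrd_prefix "$1"); want=${want%::/60}
    oldifs=$IFS; IFS=:; set -- $2; IFS=$oldifs
    got=$(printf '%x:%x:%x:%x' "0x$1" "0x$2" "0x$3" $(( 0x$4 & 0xfff0 )))
    [ "$got" = "$want" ]
}

sixrd_prefix 78.1.2.3
sixrd_matches 78.1.2.3 2a01:e34:e010:2035::1 && echo "stf0 address matches WAN IPv4"
sixrd_matches 78.1.2.4 2a01:e34:e010:2035::1 || echo "stf0 address is stale"
```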
 