mirror of
https://github.com/opnsense/docs
synced 2024-10-30 21:20:20 +00:00
manual: how-to for FritzBox IPv6
New HowTo to explain the setup of an OPNsense as IPv6 router / firewall behind an AVM Fritz!Box (common German Router)
This commit is contained in:
parent
c0c1bb9e5c
commit
1eecec559c
154
source/manual/how-tos/ipv6_fb.rst
Normal file
@ -0,0 +1,154 @@
======================================
Configure IPv6 behind an AVM Fritz!Box
======================================
**Original Author:** Thomas Klein

------------
Introduction
------------

The `AVM Fritz!Box`, or FB for short, is a popular home router for
DSL, Cable and Fiber in Germany. This guide will setup a OPNSense
behind a FB, handover delegated prefixes from the provider and
configure local interfaces on the OPNSense to cope with dynamically changing IPv6 prefixes.

This guide is based on a Vodafone Cable connection (formerly Kabel-BW) and an
`AVM Fritz!Box Cable 6591` running `Fritz!OS 7.29`.

The settings presented here should work for most other dial-up scenarios and FB models
too. The size of the delegated subnet may differ.

------------
The Scenario
------------

This guide will configure a home network behind a common dial-up type ISP connection.
The OPNsense has an interface pointing to the ISP named `WAN` and has three internal
interfaces called `DMZ`, `LAN` and `WLAN`. Each of those internal interfaces will get a /64
subnet from the delegated IPv6 prefix. This way it is easy to control the dataflow between
all four segments on the OPNsense.

In this example the dial-up ISP assigns a `/59` prefix to the FB, so there are enough bits left
for subnetting in a SOHO setup.

------------------------------
Step 1 - prepare the Fritz!Box
------------------------------

The AVM website has a knowledge base article about the basic settings required on each FB model to enable IPv6 on client devices.
https://avm.de/service/wissensdatenbank/dok/FRITZ-Box-6591-cable/1239_IPv6-Subnetz-in-FRITZ-Box-einrichten/
The crucial setting is the checkbox **allow other routers IPv6 prefixes**. Without that the delegated internal prefixes will
not be reachable from the Internet.

Also, not stated in above document, it is possible to modify the **Internet - Permit Access** settings for
the OPNsense host. Select :menuselection:`Internet --> Permit Access --> <your OPN Host> --> IPv6 Settings --> Open firewall for delegated IPv6 prefixes of this device`
in order to make your delegated internal subnets available via Internet.

------------------------------------
Step 2 - configure the WAN interface
------------------------------------

On the OPNSense go to :menuselection:`Interfaces --> WAN` and set the configuration type for IPv6 to **DHCPv6**. On the bottom part of the dialog in
**DHCPv6 Client configuration** make sure to select

* checkbox: **Request only an IPv6 prefix**
* checkbox: **Send IPv6 prefix hint**
* dropdown: **Prefix delegation size**. For this example setup select `60`

Note the following:

1. the requested prefix differs by one bit compared to what the ISP delegated the FB (60 vs. 59)
2. the setting **Request only an IPv6 prefix** is the important part.
With this setting the FB acknowledges
the OPNsense as a router and really delegates a prefix. The OPNSense will only get a link-local `0xfe80`
address but that is fine. If this checkbox is not selected the FB considers the OPNsense as an end-user device
and plainly refuses to delegate a prefix to it. The OPNsense end up with an valid IPv6 address but with `/64`
netmask so nothing to delegate into the internal network.

-----------------------------------------------------------
Step 3 - configure the internal DMZ / LAN / WLAN interfaces
-----------------------------------------------------------

Now it is time to set up the internal interfaces. The settings are more or less the same for all of them.
Instead of **DHCPv6** select **Track Interface** and on the bottom IPv6 dialog and choose the `WAN` interface for tracking.
This is also the place to divide the delegated prefix into distinct subnets. Just specify an individual **Interface prefix ID**
for each interface. In this example the FB gave us `aaaa:bbbb:cccc:9410::/60` and we choose:

========= =================== =======================
Interface Interface prefix ID result-prefix
========= =================== =======================
`DMZ` `0x01` `aaaa:bbbb:cccc:9411::`
`WLAN` `0x02` `aaaa:bbbb:cccc:9412::`
`LAN` `0x03` `aaaa:bbbb:cccc:9413::`
========= =================== =======================

The **Interface prefix Id** acts as the subnet extension (for lack of better wording) on top of the prefix provided by the FB.
In this example we have a /60 prefix so effectively there are 4 bits left for subnetting. As a result valid values for **Interface prefix Id** are between `0x00` and `0x0f`.

In order to being able to manually set up the router advertisements in the next step make sure to select the checkbox
**Allow manual adjustment of DHCPv6 and Router Advertisements** for each of the internal interfaces. If the
setting is not used the system tries to set sane defaults for both Router Advertisements and DHCPv6 server.

----------------------------------------------
Step 3.1 - configure the Router Advertisements
----------------------------------------------

With the new subnets in place it is time to configure the **Router Advertisements**.
For this guide the following settings have been chosen:

=========================== =========== ======================================================================
Setting Value Comment
=========================== =========== ======================================================================
Router Advertisements Assisted this enables DHCPv6 and SLAAC
Router Priority Normal Default is high which would work too
Source Address Automatic the default
Advertise Default Gateway checked the default
Advertise Routes empty
DNS options empty this gives away the OPNsense as DNS server with the current dynamic IP
=========================== =========== ======================================================================

---------------------------------------
Step 3.2 - configure the DHCPv6 service
---------------------------------------

The clients would now be able to grab an IPv6 via SLAAC, find their router and get a DNS resolver but not all clients do
know SLAAC. Also there are valid reasons to assign fixed IPv6 address via DHCP to some clients for instance to make them available
from the Internet.

In :menuselection:`Services --> DHCPv6 --> [DMZ]` (and similar for the other interfaces) the DHCPv6 settings can be configured.
Initially the dynamically acquired subnet including the interface id and the available range is shown.

Consider assigning a suitable address pool for DHCP client leases. The target range for the DMZ looks like
this: `aaaa:bbbb:cccc:9411::1:0` --> `aaaa:bbbb:cccc:9411::1:ffff`.

But wait! The prefix is dynamic. How to deal with that?

Easy. Just omit the variable prefix and configure the DHCPv6 range to be `::1:0` --> `::1:ffff`

OPNSense will automatically prefix this pattern with the dynamically acquired prefix.

Repeat for all the other subnets. Do not forget to configure the `Domain search list` to match the SOHO internal DNS domain if applicable.

-----------------------------
Step 4 - setup Firewall rules
-----------------------------

By default outgoing traffic should already be possible but traffic from the Internet to the internal server needs a firewall rule.
There are different philosophies on how to manage firewall rules. Just use a similar strategy as with your IPv4 setup so rule management
is consistent.

Keep in mind that the `DMZ` / `LAN` / `WLAN` prefix is dynamic. The build-in macros like `DMZ net` will work for the whole network.
But if you need a rule for a single server your should setup an alias pointing to your (fixed) DHCP IP and use this instead.

---------------
Troubleshooting
---------------

While discovering the specifics of IPv6 behind a FB in combination with OPNsense the first point of debugging was always
connecting via SSH to OPNsense on the CLI.

In the directory `/tmp/` you will find several IPv6 related intermediate files. The most helpful here was `/tmp/<interfacename>_prefixv6`.
In this file you will find the prefix delegated to you by your upstream router. If you are behind an FB and this file does not exist chances
are you forgot to seth the **Request only an IPv6 prefix** setting on the WAN interface.

Another helpful command is `radvdump`. This tool dumps the output of the router advertisements in a nicely formatted way.
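Review bot: Step 1 tells the reader to enable **Open firewall for delegated IPv6 prefixes of this device** on the Fritz!Box without saying what that does to the exposure of the internal networks: it switches off the FB's own inbound filtering for the delegated prefixes, so every host in `DMZ`, `LAN` and `WLAN` becomes reachable from the Internet with only the OPNsense rules in front of it. Please state that at the end of Step 1 (or at the top of Step 4) and tighten the Step 4 line `By default outgoing traffic should already be possible`: on a fresh OPNsense install only `LAN` carries the auto-generated pass rules, while interfaces added later such as `DMZ` and `WLAN` start with no rules and therefore pass nothing, so the guide should say that outbound pass rules and the inbound exceptions for the server have to be created per interface. In Step 2, note 1 says the requested size differs from the ISP's /59 but not that **Prefix delegation size** is only a hint and the FB decides what it actually hands out; pointing to `/tmp/<interfacename>_prefixv6` from the Troubleshooting section as the place to read the size really received would let the two sections support each other. Smaller items: `0xfe80` should read `fe80::/10` (a link-local prefix, not a number); `The OPNsense end up with an valid IPv6 address` should be `ends up with a valid`; `seth` should be `set`; `your should` should be `you should`; `build-in` should be `built-in`; `In order to being able` should be `In order to be able`; `select **Track Interface** and on the bottom IPv6 dialog and choose` has a duplicated `and`; the project spells its name `OPNsense`, but the file mixes in `OPNSense` in several lines; **Interface prefix ID** and **Interface prefix Id** name the same field and should use one spelling; the bare AVM URL after `The AVM website has a knowledge base article` should be an RST link so it renders as one; and in the Router Advertisements table `this gives away the OPNsense as DNS server` reads oddly, `advertises the OPNsense itself as DNS server` is clearer.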