2
0
mirror of https://github.com/opnsense/docs synced 2024-11-15 06:12:58 +00:00
opensense-docs/source/manual/how-tos/ipv6_fb.rst
Thomas 1eecec559c
manual: how-to for FritzBox IPv6
New HowTo to explain the setup of an OPNsense as IPv6
router / firewall behind an AVM Fritz!Box (common German Router)
2023-08-29 14:06:09 +02:00

154 lines
8.3 KiB
ReStructuredText

======================================
Configure IPv6 behind an AVM Fritz!Box
======================================
**Original Author:** Thomas Klein
------------
Introduction
------------
The `AVM Fritz!Box`, or FB for short, is a popular home router for
DSL, Cable and Fiber in Germany. This guide will setup a OPNSense
behind a FB, handover delegated prefixes from the provider and
configure local interfaces on the OPNSense to cope with dynamically changing IPv6 prefixes.
This guide is based on a Vodafone Cable connection (formerly Kabel-BW) and an
`AVM Fritz!Box Cable 6591` running `Fritz!OS 7.29`.
The settings presented here should work for most other dial-up scenarios and FB models
too. The size of the delegated subnet may differ.
------------
The Scenario
------------
This guide will configure a home network behind a common dial-up type ISP connection.
The OPNsense has an interface pointing to the ISP named `WAN` and has three internal
interfaces called `DMZ`, `LAN` and `WLAN`. Each of those internal interfaces will get a /64
subnet from the delegated IPv6 prefix. This way it is easy to control the dataflow between
all four segments on the OPNsense.
In this example the dial-up ISP assigns a `/59` prefix to the FB, so there are enough bits left
for subnetting in a SOHO setup.
------------------------------
Step 1 - prepare the Fritz!Box
------------------------------
The AVM website has a knowledge base article about the basic settings required on each FB model to enable IPv6 on client devices.
https://avm.de/service/wissensdatenbank/dok/FRITZ-Box-6591-cable/1239_IPv6-Subnetz-in-FRITZ-Box-einrichten/
The crucial setting is the checkbox **allow other routers IPv6 prefixes**. Without that the delegated internal prefixes will
not be reachable from the Internet.
Also, not stated in above document, it is possible to modify the **Internet - Permit Access** settings for
the OPNsense host. Select :menuselection:`Internet --> Permit Access --> <your OPN Host> --> IPv6 Settings --> Open firewall for delegated IPv6 prefixes of this device`
in order to make your delegated internal subnets available via Internet.
------------------------------------
Step 2 - configure the WAN interface
------------------------------------
On the OPNSense go to :menuselection:`Interfaces --> WAN` and set the configuration type for IPv6 to **DHCPv6**. On the bottom part of the dialog in
**DHCPv6 Client configuration** make sure to select
* checkbox: **Request only an IPv6 prefix**
* checkbox: **Send IPv6 prefix hint**
* dropdown: **Prefix delegation size**. For this example setup select `60`
Note the following:
1. the requested prefix differs by one bit compared to what the ISP delegated the FB (60 vs. 59)
2. the setting **Request only an IPv6 prefix** is the important part.
With this setting the FB acknowledges
the OPNsense as a router and really delegates a prefix. The OPNSense will only get a link-local `0xfe80`
address but that is fine. If this checkbox is not selected the FB considers the OPNsense as an end-user device
and plainly refuses to delegate a prefix to it. The OPNsense end up with an valid IPv6 address but with `/64`
netmask so nothing to delegate into the internal network.
-----------------------------------------------------------
Step 3 - configure the internal DMZ / LAN / WLAN interfaces
-----------------------------------------------------------
Now it is time to set up the internal interfaces. The settings are more or less the same for all of them.
Instead of **DHCPv6** select **Track Interface** and on the bottom IPv6 dialog and choose the `WAN` interface for tracking.
This is also the place to divide the delegated prefix into distinct subnets. Just specify an individual **Interface prefix ID**
for each interface. In this example the FB gave us `aaaa:bbbb:cccc:9410::/60` and we choose:
========= =================== =======================
Interface Interface prefix ID result-prefix
========= =================== =======================
`DMZ` `0x01` `aaaa:bbbb:cccc:9411::`
`WLAN` `0x02` `aaaa:bbbb:cccc:9412::`
`LAN` `0x03` `aaaa:bbbb:cccc:9413::`
========= =================== =======================
The **Interface prefix Id** acts as the subnet extension (for lack of better wording) on top of the prefix provided by the FB.
In this example we have a /60 prefix so effectively there are 4 bits left for subnetting. As a result valid values for **Interface prefix Id** are between `0x00` and `0x0f`.
In order to being able to manually set up the router advertisements in the next step make sure to select the checkbox
**Allow manual adjustment of DHCPv6 and Router Advertisements** for each of the internal interfaces. If the
setting is not used the system tries to set sane defaults for both Router Advertisements and DHCPv6 server.
----------------------------------------------
Step 3.1 - configure the Router Advertisements
----------------------------------------------
With the new subnets in place it is time to configure the **Router Advertisements**.
For this guide the following settings have been chosen:
=========================== =========== ======================================================================
Setting Value Comment
=========================== =========== ======================================================================
Router Advertisements Assisted this enables DHCPv6 and SLAAC
Router Priority Normal Default is high which would work too
Source Address Automatic the default
Advertise Default Gateway checked the default
Advertise Routes empty
DNS options empty this gives away the OPNsense as DNS server with the current dynamic IP
=========================== =========== ======================================================================
---------------------------------------
Step 3.2 - configure the DHCPv6 service
---------------------------------------
The clients would now be able to grab an IPv6 via SLAAC, find their router and get a DNS resolver but not all clients do
know SLAAC. Also there are valid reasons to assign fixed IPv6 address via DHCP to some clients for instance to make them available
from the Internet.
In :menuselection:`Services --> DHCPv6 --> [DMZ]` (and similar for the other interfaces) the DHCPv6 settings can be configured.
Initially the dynamically acquired subnet including the interface id and the available range is shown.
Consider assigning a suitable address pool for DHCP client leases. The target range for the DMZ looks like
this: `aaaa:bbbb:cccc:9411::1:0` --> `aaaa:bbbb:cccc:9411::1:ffff`.
But wait! The prefix is dynamic. How to deal with that?
Easy. Just omit the variable prefix and configure the DHCPv6 range to be `::1:0` --> `::1:ffff`
OPNSense will automatically prefix this pattern with the dynamically acquired prefix.
Repeat for all the other subnets. Do not forget to configure the `Domain search list` to match the SOHO internal DNS domain if applicable.
-----------------------------
Step 4 - setup Firewall rules
-----------------------------
By default outgoing traffic should already be possible but traffic from the Internet to the internal server needs a firewall rule.
There are different philosophies on how to manage firewall rules. Just use a similar strategy as with your IPv4 setup so rule management
is consistent.
Keep in mind that the `DMZ` / `LAN` / `WLAN` prefix is dynamic. The build-in macros like `DMZ net` will work for the whole network.
But if you need a rule for a single server your should setup an alias pointing to your (fixed) DHCP IP and use this instead.
---------------
Troubleshooting
---------------
While discovering the specifics of IPv6 behind a FB in combination with OPNsense the first point of debugging was always
connecting via SSH to OPNsense on the CLI.
In the directory `/tmp/` you will find several IPv6 related intermediate files. The most helpful here was `/tmp/<interfacename>_prefixv6`.
In this file you will find the prefix delegated to you by your upstream router. If you are behind an FB and this file does not exist chances
are you forgot to seth the **Request only an IPv6 prefix** setting on the WAN interface.
Another helpful command is `radvdump`. This tool dumps the output of the router advertisements in a nicely formatted way.