ATT Fiber/IPv6/DMZ+ mode

Started by lrosenman, August 08, 2017, 08:01:33 PM

I've just moved into a nice new house with ATT Fiber.  ATT'S RG (Pace 5268AC) doesn't pass IPv6 through to the DMZ+ host (will be the firewall).  It *DOES* however allow IPv6 to other devices connected to its own switch.

Should I be able to route IPv6 from another interface to my LAN and do Firewall stuff?  My suspicion is YES, but I'm not near it right now.

Basically the setup:
                                                    +--->WAN port on OPNSENSE (IPv4/DMZ+)----+
ATTONT->ONT PORT on 5268AC ---|                                                                     |----> LAN port on OPNSENSE
                                                    +--->OPT1 port on OPNSENSE (IPv6/DHCPv4) .+ 

Would this allow me to have dual stacked hosts on the LAN ?


No go.  If I set WAN to SLAAC, remove the 2nd interface to the 5268AC, I can ping6 from the FW, but can NOT get IPv6 to work on the LAN.

see my post to freebsd-net@FreeBSD.org.

Perhaps I'm being a bit dumb here, but why do you have OPT1 & the WAN port connected to the switch on your ATT device? Surely it should be just the WAN port? The DMZ & the LAN ports are internal IPs on the OPNsense device.
Regards


Bill

it was a hack that didn't work out.

Now what I have is:

ATTONT-> ONT Port on 5268AC
                 5268AC ETH1 -> WAN port on OpnSense
                              LAN port on OpnSense -> my LAN

The 5268AC is set in DMZ+ mode for the OPNSense MAC

The WAN port on OPNSense is set for SLAAC (for v6) and DHCP (for V4)

ping6 from within the FW works fine.

If I put a static v6 address on the LAN port and have radvd running, my LAN devices get an IPv6 address, but no IPv6 connectivity.

What am I missing?

(here's the post I made to freebsd-net with more details):
I just moved into a brand new house, and it has ATT Fiber.  I have their
gateway (Pace/Arris 5268AC) in DMZ+ mode with an OPNsense (FreeBSD 11)
Firewall Router as the DMZ Host.

I can get IPv6 on the router / FW:
root@home-fw:~ # ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2602:304:cfaf:f750:242:43ff:feac:29c --> 2607:f8b0:4000:812::200e
16 bytes from 2607:f8b0:4000:812::200e, icmp_seq=0 hlim=55 time=10.084 ms
16 bytes from 2607:f8b0:4000:812::200e, icmp_seq=1 hlim=55 time=10.103 ms
^C
--- ipv6.l.google.com ping6 statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 10.084/10.093/10.103/0.010 ms
root@home-fw:~ # ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=42098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO>
   ether 00:42:43:ac:02:9c
   inet6 fe80::242:43ff:feac:29c%em0 prefixlen 64 scopeid 0x1
   inet6 2602:304:cfaf:f750:242:43ff:feac:29c prefixlen 64 autoconf
   inet 76.250.255.117 netmask 0xfffffc00 broadcast 76.250.255.255
   nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
   media: Ethernet autoselect (1000baseT <full-duplex>)
   status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=42098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO>
   ether 00:42:43:ac:02:9d
   inet6 fe80::242:43ff:feac:29d%em1 prefixlen 64 scopeid 0x2
   inet6 2602:304:cfaf:f751::1 prefixlen 64
   inet 192.168.200.11 netmask 0xfffffc00 broadcast 192.168.203.255
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
   media: Ethernet autoselect (1000baseT <full-duplex>)
   status: active
em2: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
   ether 00:42:43:ac:02:9e
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
   media: Ethernet autoselect
   status: no carrier
em3: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
   ether 00:42:43:ac:02:9f
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
   media: Ethernet autoselect
   status: no carrier
enc0: flags=0<> metric 0 mtu 1536
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
   groups: enc
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
   options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
   inet6 ::1 prefixlen 128
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
   inet 127.0.0.1 netmask 0xff000000
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
   groups: lo
pflog0: flags=100<PROMISC> metric 0 mtu 33160
   groups: pflog
pfsync0: flags=0<> metric 0 mtu 1500
   groups: pfsync
   syncpeer: 0.0.0.0 maxupd: 128 defer: off
root@home-fw:~ # ndp -a
Neighbor                             Linklayer Address  Netif Expire    S Flags
fe80::f6f5:d8ff:fedb:e124%em1        f4:f5:d8:db:e1:24    em1 23h58m15s S
fe80::20d:5dff:fe10:b4fb%em1         00:0d:5d:10:b4:fb    em1 23h52m14s S
2602:304:cfaf:f751::1                00:42:43:ac:02:9d    em1 permanent R
fe80::f6f5:d8ff:fead:65f4%em1        f4:f5:d8:ad:65:f4    em1 23h59m58s S
fe80::230:48ff:fecf:2b1c%em1         00:30:48:cf:2b:1c    em1 23h53m48s S
fe80::f6f5:d8ff:feae:4136%em1        f4:f5:d8:ae:41:36    em1 23h58m8s  S
2602:304:cfaf:f751:c412:15dc:8924:30d7 68:5b:35:9f:90:21  em1 23h55m0s  S
fe80::f6f5:d8ff:feac:48d0%em1        f4:f5:d8:ac:48:d0    em1 23h59m35s S
fe80::242:43ff:feac:29d%em1          00:42:43:ac:02:9d    em1 permanent R
fe80::f6f5:d8ff:fec9:776e%em1        f4:f5:d8:c9:77:6e    em1 23s       R
fe80::1842:632e:39ae:76d3%em1        68:5b:35:9f:90:21    em1 23h56m26s S
fe80::5a9c:fcff:fe0b:6e07%em1        58:9c:fc:0b:6e:07    em1 23h59m59s S
fe80::f6f5:d8ff:fedf:11ec%em1        f4:f5:d8:df:11:ec    em1 23h58m8s  S
2602:304:cfaf:f751:d7:b8ff:fe51:f200 02:d7:b8:51:f2:00    em1 12s       R
fe80::d7:b8ff:fe51:f200%em1          02:d7:b8:51:f2:00    em1 7s        R
2602:304:cfaf:f750::1                d4:b2:7a:9e:cf:05    em0 23h56m55s S R
2602:304:cfaf:f750:230:48ff:fecf:2b1c (incomplete)        em0 expired   I  3
fe80::d6b2:7aff:fe9e:cf05%em0        d4:b2:7a:9e:cf:05    em0 9s        R R
2602:304:cfaf:f750:242:43ff:feac:29c 00:42:43:ac:02:9c    em0 permanent R
fe80::242:43ff:feac:29c%em0          00:42:43:ac:02:9c    em0 permanent R
root@home-fw:~ #

ATT uses 6RD:
6rd IPv6 Internet Connection Type    Value
Default Gateway    2602:300:c533:1510::1
6rd BR    12.83.49.81
6rd Prefix    2602:300::/28
6rd Delegated Prefix    2602:304:cfaf:f750::/60
6rd MTU    1472

How can I extend this to the LAN?

I currently have the LAN defined with an address out of subnet 1.

and if I have my Mac or FreeBSD box SLAAC, the IPv6 packets do not traverse to the
internet.

If I tcpdump the LAN interface, I see the packets enter, but nothing leaves.

Anyone have an idea on what I'm missing here?

(or is the Pace/Arris box getting in the way?)


I am playing with this myself, and I'm still trying to learn the new world of IPv6 at the same time.

Here is what I have so far:
IP Passthrough setup on my ATT NVG589 Gateway.

On OPNsense WAN
-IPv4 set to DHCP
-IPv6 set to DHCPv6

On OPNsense LAN
-IPv4 set static 192.168. address
-IPv6 set to Track Interface "WAN"

On WAN I get a routable IPv4 and IPv6 address.  On LAN I have my Static RFC1918 address and I get a routable IPv6 address from the delegated prefix listed on the router.

Now that I have this setup and the /64 appears to be properly delegated to my LAN, I need to figure out how my clients will get addresses.  Not sure if they should be using SLAAC or if I should configure DHCPv6 on OPNsense.

Almost forgot, to get the delegated address on my LAN I had to enable "Directly send SOLICIT" on WAN.

I get addresses delegated to the lan but they do *NOT* work.  My suspicion is that the 5268AC doesn't really pass *EVERYTHING* to the DMZ+ device.

ATT Support has been exactly *USELESS*


Ok, game over:

notice   Aug 11 06:25:31   
IN=br1 MAC=d4:b2:7a:9e:cf:04 SRC=184.105.253.10 DST=76.250.255.117 LEN=76 TTL=248 PROTO=41 Drop all traffic not from the border relay

I set up a HE.net tunnel, and it doesn't work either in DMZ+

Above is a smoking gun.
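
Two things in this thread are worth checking with a calculator rather than by eye: how the 6rd table on the 5268AC turns the WAN IPv4 address into the delegated /60 (and why the LAN subnet is 2602:304:cfaf:f751::/64), and why the gateway log above kills an HE.net tunnel in DMZ+ mode. The block below is an added example, not code from the thread, OPNsense or ATT. It applies the RFC 5969 prefix derivation to the values posted in the thread and emulates the "Drop all traffic not from the border relay" rule as a plain source check on IPv4 protocol 41; it assumes an IPv4MaskLen of 0 (the table shows none), and the log parser and the rule emulation are my reconstruction of what the log line states, not the gateway's actual firewall code. The log line is copied from the post and used as constructed test input.

```python
import ipaddress

# Values taken from the 6rd status table and log line posted in the thread.
SIXRD_PREFIX = ipaddress.IPv6Network("2602:300::/28")
SIXRD_BR = ipaddress.IPv4Address("12.83.49.81")
WAN_IPV4 = ipaddress.IPv4Address("76.250.255.117")
# Assumption: the 5268AC table lists no IPv4MaskLen, so all 32 bits of the
# WAN address are embedded (IPv4MaskLen = 0), giving a /28 + 32 = /60.
IPV4_MASK_LEN = 0

# Gateway log line copied from the post; constructed input for the filter below.
GATEWAY_LOG = ("IN=br1 MAC=d4:b2:7a:9e:cf:04 SRC=184.105.253.10 DST=76.250.255.117 "
               "LEN=76 TTL=248 PROTO=41 Drop all traffic not from the border relay")


def sixrd_delegated_prefix(sixrd_prefix, ce_ipv4, ipv4_mask_len=0):
    """RFC 5969 7.1.1: delegated prefix = 6rd prefix followed by the
    low-order (32 - IPv4MaskLen) bits of the CE's public IPv4 address."""
    plen = sixrd_prefix.prefixlen
    embedded_bits = 32 - ipv4_mask_len
    if plen + embedded_bits > 64:
        raise ValueError("6rd delegated prefix would be longer than /64")
    v4_bits = int(ce_ipv4) & ((1 << embedded_bits) - 1)
    shift = 128 - plen - embedded_bits          # place the bits right after the prefix
    delegated = int(sixrd_prefix.network_address) | (v4_bits << shift)
    return ipaddress.IPv6Network((delegated, plen + embedded_bits))


def lan_subnet(delegated, index):
    """The index-th /64 carved from the delegated prefix (the thread uses subnet 1)."""
    return list(delegated.subnets(new_prefix=64))[index]


def br_ipv6_gateway(sixrd_prefix, br_ipv4, ipv4_mask_len=0):
    """The BR's own 6rd-derived prefix, with ::1 as the gateway the table shows."""
    br_net = sixrd_delegated_prefix(sixrd_prefix, br_ipv4, ipv4_mask_len)
    return ipaddress.IPv6Address(int(br_net.network_address) + 1)


def parse_gateway_log(line):
    """Split the key=value tokens of the gateway firewall log line."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def permitted_by_br_rule(fields, br_ipv4):
    """Emulation of the logged rule: IPv4 protocol 41 (IPv6-in-IPv4) is only
    accepted when its source is the 6rd border relay. Anything else passes this
    particular rule (other rules may still drop it)."""
    if fields.get("PROTO") != "41":
        return True
    return ipaddress.IPv4Address(fields["SRC"]) == br_ipv4


if __name__ == "__main__":
    delegated = sixrd_delegated_prefix(SIXRD_PREFIX, WAN_IPV4, IPV4_MASK_LEN)
    print("delegated prefix:", delegated)
    print("LAN subnet 1    :", lan_subnet(delegated, 1))
    print("BR gateway      :", br_ipv6_gateway(SIXRD_PREFIX, SIXRD_BR, IPV4_MASK_LEN))
    log = parse_gateway_log(GATEWAY_LOG)
    print("HE.net tunnel from", log["SRC"], "permitted:", permitted_by_br_rule(log, SIXRD_BR))
```

The derivation reproduces the table exactly: 76.250.255.117 is 0x4CFAFF75, so appending it to 2602:30 gives 2602:304:cfaf:f750::/60, of which f751::/64 is subnet 1, and 12.83.49.81 (0x0C533151) yields 2602:300:c533:1510::1 for the BR. The filter shows the failure mode from the log: a protocol-41 packet from 184.105.253.10 is not from 12.83.49.81, so the gateway drops it regardless of DMZ+, which is why a separate tunnel broker cannot work behind this gateway.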

Got ATT to swap me to an Arris NVG899 Gateway, and all works with pfSense.  OpnSense has issues with the 6rd setup.


Sure, it works with OPNsense 16.7 on FreeBSD 10.3. ;)

6rd is a pfSense patch that never made it to FreeBSD so it is currently not available for FreeBSD 11.0, because 2.3 is still based on FreeBSD 10.3.


Cheers,
Franco
"AI has absolutely reduced the cost of creating technical debt." -- ChatGPT