DS-Lite status 2022 [DS-Lite WORKS IN OPNSENSE but broke after updating]

Started by DanAnimal, April 13, 2022, 10:46:15 AM

Please see my third post below for my successful settings for connecting to Rakuten Hikari DS-Lite IPv4 over IPv6

Hi All,

Having been fabulously impressed by the Deciso device I have deployed for my work in the last few months I am looking at implementing OPNsense at home too.

My trepidation is that it isn't clear to me the state of DS-Lite connectivity and OPNsense.
And that my ISP requires DS-Lite support for my connection (Currently provided by my Synology RT2600AC from which I can glean a range of settings). And this is further exacerbated by my poor Japanese and being located in Japan which makes research of the intricacies of networking even trickier.
And, also, please forgive my naivety; I am an IPv6 infant.

It says here that Dual Stack IPv4 +IPv6 is known to work but I cannot find relevant documentation for this.
And is this Dual Stack the same as the dual stack implicit in DS-Lite?

It is mentioned here, that DS-Lite is a work in progress on OPNsense back in 2018.
Quote from: franco on October 21, 2018, 08:17:48 PM
DS-Lite is not part of our code yet. Initial work was done, but has not been finished yet.

We try to make this clear by not misleading people to say "DS-Lite support" anywhere in our roadmap. :)

Cheers,
Franco

Has this progressed in the years since? Possibly quietly into production?

I will attach a screen capture of the operational settings from my current router.

Can anyone point me in the right direction if I would be able to use OPNsense on my ISP?

Thank you in advance, and please tell me if this post should be in some other section.
Deciso DEC2640 AMD GX-420MC 8gb
HUNSN RS34g Intel J4125 16gb

April 13, 2022, 02:52:20 PM #1 Last Edit: April 13, 2022, 03:36:07 PM by DanAnimal
Further... I found this note from March 2019 on DS-Lite in OPNsense being feasible due to its development upstream in FreeBSD. Although not implemented in the OPNsense GUI.
http://wiki.cable-wiki.xyz/OPNsense


ifconfig gif0 create
ifconfig gif0 inet6 tunnel <<LOCAL IPv6 ADDRESS>> <<AFTR ADDRESS>> mtu 1460 -accept_rtadv ifdisabled
ifconfig gif0 inet 192.0.0.2 192.0.0.1 netmask 255.255.255.248
route add default -interface gif0


Does this seem correct?
If so what would I need to do in the GUI to complement this?
Would this persist through reboots/updates or would I need to somehow add a script, somehow, to effect this each time the networking stack initialises?

And I found this note of a script from a Japanese FreeBSD user in Japan April 2022.
Claiming to have made successful connection with FreeBSD to the same ISP I am using (though slow on their low resource VM and hardware (RasPi<4))
https://gist.github.com/l0rzl/8c7d2974bbf8031f5a6c0aeac76c26dd
https://twitter.com/l0rzl/status/1510737477711298560?cxt=HHwWgIDQverum_cpAAAA


#!/bin/sh
srcaddr=$(ifconfig hn0 | grep -o '2001:f[67][0-9a-f:]*')
dstaddr=$(drill dgw.xpass.jp aaaa | grep -o '2001:f[67][0-9a-f:]*')
ifconfig gif0 create
ifconfig gif0 inet6 -accept_rtadv -auto_linklocal tunnel $srcaddr $dstaddr
ifconfig gif0 up mtu 1500
route -4 delete default
route -4 add default -interface gif0 -mtu 1240
sysctl net.inet.ip.forwarding=1
ifconfig gif0
route -4 get default


Which seems to do similarly except they set an MTU to 1500 and then to 1240 in a subsequent command!?
While the first author indicates the MTU should be 1460.
And slightly different options to invoke the gif0 tunnel.
The regex in the second script seems to match the IPv6 ranges assigned by my ISP.

Do these things ring true for anyone in the know?
Does anyone know what the correct MTU values would be or how I can derive them from my existing connection?

I also found this note of a German user succeeding in connecting with pfsense with a differing but similar arrangement.
https://cybercyber.org/m-net-ds-lite-anschluss-mit-pfsense.html

There seem to be breadcrumbs here. If it is possible I would love to contribute to documenting how it can be possible in OPNsense! :)
Deciso DEC2640 AMD GX-420MC 8gb
HUNSN RS34g Intel J4125 16gb
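
One way to settle the MTU question in the post above by measurement, as an added example that is not part of the original post or of either quoted script: binary-search the largest Don't-Fragment ping that crosses the tunnel, then derive the tunnel MTU and TCP MSS from it. It assumes FreeBSD's ping flags; the function names, the `PROBE` hook and the target host are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). FreeBSD ping flags are assumed:
# -D sets Don't Fragment, -s is the ICMP payload size, -t is a timeout in seconds.

IP6_HDR=40       # outer IPv6 header added by the gif tunnel
IP4_ICMP_HDR=28  # 20-byte IPv4 header + 8-byte ICMP echo header
IP4_TCP_HDR=40   # 20-byte IPv4 header + 20-byte TCP header

# Upper bound for the tunnel MTU: WAN MTU minus the outer IPv6 header.
# 1500 gives 1460; the IPv6 minimum MTU of 1280 gives 1240.
tunnel_mtu_ceiling() { echo $(( $1 - IP6_HDR )); }

# Default probe: one DF-flagged echo with the given payload size to $TARGET.
probe_df() { ping -D -c 1 -t 2 -s "$1" "$TARGET" >/dev/null 2>&1; }

# Binary-search the largest passing payload in [lo, hi].
# PROBE names the function that tests one size (hypothetical hook, used for
# offline testing). Prints the resulting IPv4 MTU, or 0 if nothing passed.
find_path_mtu() {
    lo=$1; hi=$2; best=-1
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "${PROBE:-probe_df}" "$mid"; then
            best=$mid; lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    if [ "$best" -lt 0 ]; then echo 0; else echo $(( best + IP4_ICMP_HDR )); fi
}

# TCP MSS that fits inside a given IPv4 MTU.
mss_for_mtu() { echo $(( $1 - IP4_TCP_HDR )); }

if [ "${1:-}" = "--run" ]; then
    TARGET=${2:?usage: $0 --run IPV4_HOST [WAN_MTU]}
    ceiling=$(tunnel_mtu_ceiling "${3:-1500}")
    mtu=$(find_path_mtu 0 $(( ceiling - IP4_ICMP_HDR )))
    echo "ceiling=$ceiling measured_mtu=$mtu mss=$(mss_for_mtu "$mtu")"
fi
```

Run it with `--run` and an IPv4 host beyond the AFTR once the tunnel carries traffic; a measured value below the ceiling means something on the IPv6 path has a smaller MTU than the WAN link.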

April 23, 2022, 02:59:44 AM #2 Last Edit: April 23, 2022, 03:02:05 AM by DanAnimal
I acquired the hardware to install OPNsense and succeeded in connecting to Rakuten Hikari DS-Lite IPv4 over IPv6 using OPNsense.

After a few false starts I stepped through carefully, saving many config backups and it worked.

From scratch:

Connected OPNsense cold to the ONU (NTT optical network terminator) and started up with only one host to work from on the LAN interface.

Ran the first start up Wizard. Set DHCP for the WAN, IP address for the LAN, IPv4 DNS and password etc.

Set the DNS servers in System > Settings > General (ISP, Google IPv6 & Google IPv4).


Created a GIF Tunnel to the AFTR under Interfaces > Other Types > GIF; as a child of the WAN using the IPv6 address of the AFTR and the 'well known addresses' from the DS-Lite specification. And seemingly it needed Disable ingress filtering checked to work in the end.

(Also wondering if I need to do something like the note in the GIF section about keeping the tunnel functional if the IP changes)

I assigned the Tunnel as an interface and named it under Interfaces > Assignments and renamed it and set MTU and MSS values as recommended by xmms.jp (not sure if they're the correct or best values)


And created a Gateway using the GIF tunnel interface under System > Gateways > Single for IPv4


Along the way I was testing using a DNS query from Interfaces > Diagnostics > DNS Lookup and when I was receiving responses from the IPv4 DNS servers I tested other protocols and found it was all live.

There was a time when the gateway was showing as defunct which I don't fully understand. And I'm still not sure with precision what is making it all go. But it does, and has been stable for hours and I was able to patch OPNsense into the rest of my network and have it take over DHCP and Gateway duties.

So... OPNSense can support DS-Lite IPv4 over IPv6!

Though it's a bit of a puzzle.

Please let me know if I've done anything foolish or could improve what I have done.
D
Deciso DEC2640 AMD GX-420MC 8gb
HUNSN RS34g Intel J4125 16gb

This worked for months but has now broken after updating to OPNsense 22.1.10
Deciso DEC2640 AMD GX-420MC 8gb
HUNSN RS34g Intel J4125 16gb

Your configuration is mostly correct. Just a few suggestions:

  • The WAN IPv4 configuration type shouldn't be set to DHCP. Ideally, this would be "None", but there is a bug in OPNsense which prevents DHCPv6-only WANs from coming up properly after a reboot. For the time being, I'd recommend setting this to "Static IPv4" and 127.0.0.2/32.
  • 'Far Gateway' setting is not required - 192.0.0.1 and 192.0.0.2 are in the same /29.
  • Using IPv4 DNS servers is kind of pointless with DS-Lite. If IPv6 is down, the IPv4 tunnel is down, too.
  • Setting MSS shouldn't be required.

"Has broken" is rarely enough info for successful troubleshooting. What works, what doesn't? Do you still have working IPv6 connectivity? Does the AFTR respond to IPv6 and / or IPv4 pings? Are you confident this is actually caused by the update to 22.1.10? Which version did you use before?

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
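
The troubleshooting questions in the reply above, turned into a layer-by-layer check that reports the first layer that fails. This is an added example, not part of the thread or of OPNsense; the interface names, the AFTR name and the IPv4 probe target are placeholders, and it assumes the FreeBSD `ifconfig`, `ping` and `ping6` tools.

```shell
#!/bin/sh
# Added example (not from the thread). Values below are placeholders.
WAN_IF=${WAN_IF:-igb0}            # hypothetical WAN interface name
GIF_IF=${GIF_IF:-gif0}            # tunnel interface
AFTR6=${AFTR6:-aftr.example.net}  # placeholder: your ISP's AFTR name or address
AFTR4=192.0.0.1                   # AFTR end of the tunnel's 192.0.0.0/29
PROBE4=${PROBE4:-192.0.2.1}       # placeholder: an IPv4 host that answers ping

# One function per layer, so each can be run (or stubbed) on its own.
check_wan6()   { ifconfig "$WAN_IF" inet6 | grep -v 'fe80:' | grep -q 'inet6 '; }
check_aftr6()  { ping6 -c 2 "$AFTR6" >/dev/null 2>&1; }
check_tunnel() { ifconfig "$GIF_IF" 2>/dev/null | grep -q 'tunnel inet6 .* --> '; }
check_aftr4()  { ping -c 2 -t 5 "$AFTR4" >/dev/null 2>&1; }
check_inet4()  { ping -c 2 -t 5 "$PROBE4" >/dev/null 2>&1; }

# Print the name of the first failing layer, or "ok" if all pass.
first_failure() {
    for step in wan6 aftr6 tunnel aftr4 inet4; do
        "check_$step" || { echo "$step"; return 0; }
    done
    echo ok
}

# Map a layer name to what its failure means. An AFTR that drops ICMP makes
# the aftr6/aftr4 results inconclusive rather than proof of a fault.
hint() {
    case $1 in
        wan6)   echo "no global IPv6 address on $WAN_IF: fix DHCPv6/RA first" ;;
        aftr6)  echo "AFTR not reachable over IPv6: check its address and DNS" ;;
        tunnel) echo "$GIF_IF is missing or has no IPv6 tunnel endpoints" ;;
        aftr4)  echo "tunnel exists but $AFTR4 does not answer through it" ;;
        inet4)  echo "AFTR answers but IPv4 beyond it fails: check gateway/route" ;;
        ok)     echo "IPv6, tunnel and IPv4 all respond" ;;
    esac
}

if [ "${1:-}" = "--run" ]; then
    result=$(first_failure)
    echo "$result: $(hint "$result")"
fi
```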