DS-Lite status 2022 [DS-Lite WORKS IN OPNSENSE but broke after updating]

[DanAnimal]

Please see my third post below for my successful seting for connecting to Rakuten Hikari DS-Lite IPv4 over IPv6

Hi All,

Having been fabulously impressed by the Deciso device I have deployed for my work in the last few months I am looking at implementing OPNsense at home too.

My trepidation is that it isn't clear to me the state of DS-Lite connectivity and OPNsense.
And that my ISP requires DS-Lite support for my connection (Currently provided by my Synology RT2600AC from which I can glean a range of settings). And this is further exacerbated by my poor Japanese and being located in Japan which makes research of the intricacies of networking even trickier.
And, also, please forgive my naivety; I am an IPv6 infant.

It says here that Dual Stack IPv4 +IPv6 is known to work but I cannot find relevant documentation for this.
And is this Dual Stack the same as the dual stack implicit in DS-Lite?

It is mentioned here, that DS-Lite is a work in progress on OPNsense back in 2018.

DS-Lite is not part of our code yet. Initial work was done, but has not been finished yet.

We try to make this clear by not misleading people to say "DS-Lite support" anywhere in our roadmap.


Cheers,
Franco

Has this progressed in the years since? Possibly quietly into production?

I will attach a screen capture of the operational settings from my current router.

Can anyone point me in the right direction if I would be able to use OPNsence on my ISP?

Thank you in advance, and please tell me if this post should be in some other section.

[DanAnimal]

Further... I found this note from March 2019 on DS-Lite in OPNsense being feasible due to it's development upstream in FreeBSD. Although not implemented in the OPNsense GUI.
http://wiki.cable-wiki.xyz/OPNsense

Code: [Select]

ifconfig gif0 create
ifconfig gif0 inet6 tunnel <<LOCAL IPv6 ADDRESS>> <<AFTR ADDRESS>> mtu 1460 -accept_rtadv ifdisabled
ifconfig gif0 inet 192.0.0.2 192.0.0.1 netmask 255.255.255.248
route add default -interface gif0

Does this seem correct?
If so what would I need to do in the GUI to compliment this?
Would this persist though reboots/updates or would I need to somehow add a script, somehow, to effect this each time the networking stack initialises?

And I found this note of a script from a Japanese FreeBSD user in Japan April 2022.
Claiming to have made successful connection with FreeBSD to the same ISP I am using (though slow on their low resource VM and hardware (RasPi<4))
https://gist.github.com/l0rzl/8c7d2974bbf8031f5a6c0aeac76c26dd
https://twitter.com/l0rzl/status/1510737477711298560?cxt=HHwWgIDQverum_cpAAAA

Code: [Select]

#!/bin/sh
srcaddr=$(ifconfig hn0 | grep -o '2001:f[67][0-9a-f:]*')
dstaddr=$(drill dgw.xpass.jp aaaa | grep -o '2001:f[67][0-9a-f:]*')
ifconfig gif0 create
ifconfig gif0 inet6 -accept_rtadv -auto_linklocal tunnel $srcaddr $dstaddr
ifconfig gif0 up mtu 1500
route -4 delete default
route -4 add default -interface gif0 -mtu 1240
sysctl net.inet.ip.forwarding=1
ifconfig gif0
route -4 get default

Which seems to do similarly except they set an MTU to 1500 and then to 1240 in a subsequent command!?
While the first author indicates the MTU should be 1460.
And slightly different options to invoke the gif0 tunnel.
The regex in the second script seems to match the IPv6 ranges assigned by my ISP.

Do these things ring true for anyone in the know?
Does anyone know what the correct MTU values would be or how I can derive them from my existing connection?

I also found this note of a German user succeeding in connecting with pfsense with a differing but similar arrangement.
https://cybercyber.org/m-net-ds-lite-anschluss-mit-pfsense.html

There seem to be breadcrumbs here. If it is possible I would love to contribute to documenting how it can be possible in OPNsense!

[DanAnimal]

I acquired the hardware to install OPNsense and succeeded in connecting to Rakuten Hikari DS-Lite IPbv4 over IPv6 using OPNSense.

After a few false starts I stepped through carefully, saving many config backups and it worked.

From scratch:

Connected OPNsense cold to the ONU (NTT optical network terminator) and started up with only one host to work from on the LAN interface.

Ran the first start up Wizard. Set DHCP for the WAN, IP address for the LAN, IPv4 DNS and password etc.

Set the DNS servers in System > Settings > General (ISP, Google IPv6 & Google IPv4).


Created a GIF Tunnel to the AFTR under Interfaces > Other Types > GIF; as a child of the WAN using the IPv6 address of the AFTR and the 'well known addresses' from the DS-Lite specification. And seemingly it needed Disable ingress filtering checked to work in the end.

(Also wondering if I need to do something like the note in the GIF section about keeping the tunnel functional if the IP changes)

I assigned the Tunnel as an interface and named it under Interfaces > Assignments and renamed it and set MTU and MSS values as recommended by xmms.jp (not sure if they're the correct or best values)


And created a Gateway using the GIF tunnel interface under System > Gateways > Single for IPv4


Along the way I was testing using a DNS query from Interfaces > Diagnostics > DNS Lookup and when I was receiving responses from the IPv4 DNS servers I tested other protocols and found it was all live.

There was a time when the gateway was showing as defunct which I don't fully understand. And I'm still not sure with precision what is making it all go. But it does, and has been stable for hours and I was able to patch OPNSence into the rest of my network and have it take over DHCP and Gateway duties.

So… OPNSense can support DS-Lite IPv4 over IPv6!

Though it's a bit of a puzzle.

Please let me know if I've done anything foolish or could improve what I have done.
D

[DanAnimal]

This worked for months but now has broken updating to OPNsense 22.1.10

[Maurice]

Your configuration is mostly correct. Just a few suggestions:

• The WAN IPv4 configuration type shouldn't be set to DHCP. Ideally, this would be "None", but there is a bug in OPNsense which prevents DHCPv6-only WANs from coming up properly after a reboot. For the time being, I'd recommend setting this to "Static IPv4" and 127.0.0.2/32.
• 'Far Gateway' setting is not required - 192.0.0.1 and 192.0.0.2 are in the same /29.
• Using IPv4 DNS servers is kind of pointless with DS-Lite. If IPv6 is down, the IPv4 tunnel is down, too.
• Setting MSS shouldn't be required.

"Has broken" is rarely enough info for successful troubleshooting. What works, what doesn't? Do you still have working IPv6 connectivity? Does the AFTR respond to IPv6 and / or IPv4 pings? Are you confident this is actually caused by the update to 22.1.10? Which version did you use before?

Cheers
Maurice