[SOLVED] OPNSense if_stf and ifconfig

[turjake]

Greetings!

I "ported" the if_stf patch from OPNSense to FBSD 11.2-p5 and both the world and kernel built without a hitch. I can get the stf0 up, assign it an ipv6 /64 address per my ISP's instructions. What I cannot get to work is connecting my IPv4 endpoint to the ISP's 6rd router.

I've tried:
ifconfig stf0 tunnel <my_ext_ip>/32 <isp_6rd_router>
ifconfig stf0 tunnel >my_ext_if> <isp_6rd_router>
but no go.

As the manpage is unmodified vanilla from freebsd, the 6rd setup is bit esoteric

//EDIT
Got the ported if_stf working with help from kindly soul at #OPNSense

[franco]

Hi there,

May I ask why you did this:

> I "ported" the if_stf patch from OPNSense to FBSD 11.2-p5 a

Because we have a src.git with a master branch (11.2) and a stable/18.7 (11.1) that both have this included and working ok?


Cheers,
Franco

[turjake]

Hello Franco

May I ask why you did this:

> I "ported" the if_stf patch from OPNSense to FBSD 11.2-p5 a

Because we have a src.git with a master branch (11.2) and a stable/18.7 (11.1) that both have this included and working ok?

Sure you may

I'm a creature of habit used to run a FreeBSD+PF box as "front of house" ever since PF was introduced into FreeBSD. As such, I haven't really seen any benefit for *me* in changing over to more appliance based approach as I can deal with most of the firewalling etc. stuff manually.

I have happily been advocating OPNSense to people with different needs and no desire to manage a FreeBSD box on "bare metal" level.

So that's why I rather brought over the 6rd bits to my existing and already setup router box instead of going the full shebang route

-Reko

[franco]

Hi Reko,

Oh so you have no GUI, I see

Would you mind sharing the solution for likeminded individuals?


Cheers,
Franco

[turjake]

Would you mind sharing the solution for likeminded individuals?

Of course. Been quiet as I'm still fighting with this stuff and trying to understand how 6rd work for internal net. I've been able to connect and ping outside from firewall though.

Basically, what I did was bringing the whole if_stf commit from opnsense repo, both ifconfig and the if bits. (just overwrote the existing files, as they haven't been changed in freebsd for a good while.) Then "make biuldworld, make buildkernel, make installkernel, make installworld" exercise. Userland and kernel compiled without errors with the patch in.

The bit that eluded me was setting up if_stf, especially the tunnel related ifconfig options. By looking at the OPNsense sources a kind soul pointed me to at #OPNSense they are as follows:

ifconfig_stf0_ipv6="2001:2003:xxxx:yyyy::zzzz/64"
create_args_stf0="stfv4net <my external ip addr>/32 stfv4br <ISP supplied 6rd bridge IP> link2"

That link2 parameter I got from a 6rd setup of a OPNSense nano test I set up for my firewall. Sadly it was unupdateable and the i386 installer bootlooped.

But as said, still fighting a bit to get this working reliably...

-Reko

//EDIT
I might have put the Solved in there a bit prematurely, but basically I found answer to my starting question about if_stf setup options

Also, big Thank You to both FreeBSD based firewall appliance communities, pfSense making the initial patch and OPNSense folks bringing it up to date for FBSD 11.2!

[turjake]

The correct /etc/rc.conf stanza is:

Code: [Select]

cloned_interfaces="stf0"
ifconfig_stf0_ipv6="inet6 accept_rtadv <ISP 32 bit prefix>:<my ext addr in hex>::1/64"
create_args_stf0="mtu 1480 stfv4net <my ext IP>/32 stfv4br <ISP supplied 6rd bridge IP> link2"
The problems still with the setup are:

• Need to do "route -6 add default <ISP 32 bit prefix>:<my ext addr in hex>::1 manually before I can ping outside
• If I add <ISP 32 bit prefix>:<my ext addr in hex>::xx in other interfaces in /etc/rc.conf the 6rd can't get connection. I can add aliases later, though
• I cant reach IPv6 from home network at all, even the router.

So there are still bits to solve; do internal interfaces need accept_rtadvd, what about rtsold, do I need some kind of NAT/RDR from the inside and use the linklocals  etc. but I'm slowly getting there.

[franco]

Thanks for sharing!

/64 is problematic if you want to have our LAN clients use it. The route will not match up and traffic doesn't know where to go. You should see if you can get away with a /63 or greater.

For some details see https://github.com/opnsense/core/issues/2663


Cheers,
Franco

[turjake]

Hello Franco and a big thank you for handing me the keys for final piece of the puzzle!

/64 is problematic if you want to have our LAN clients use it. The route will not match up and traffic doesn't know where to go. You should see if you can get away with a /63 or greater.

So, my final and working /etc/rc.conf relevant bits:

Code: [Select]

ipv6_gateway_enable="YES"            #Tell the system that we're acting as IPv6 gateway
ipv6_defaultrouter="-iface stf0"        #Bind forward routing to tunnel interface

ifconfig_xxx0="SYNCDHCP"               #My external NIC getting IP via DHCP

ifconfig_xxx0="inet 192.168.xx.yy netmask 255.255.255.0"                    #Setting up intenal net
ifconfig_xxx0_alias0="inet 192.168.xx.yy netmask 255.255.255.0"          #As we serve rtadv via this,
ifconfig_xxx0_ipv6="inet6 -accept_rtadv <ISP 32 bit prefix>:<my ext addr in hex>::1" #thus -accept_rtadvd

cloned_interfaces="stf0"                                                                        #6rd tunnel, using ISP supplied prefix
ifconfig_stf0_ipv6="inet6 accept_rtadv 2001:2003:54f8:1bc8::/32"           #length as mask.
create_args_stf0="mtu 1480 stfv4net 84.248.27.200/32 stfv4br 80.221.111.254 link2" #Set up the tunnel

wlans_xxx0="wlan0"
create_args_wlan0="wlanmode hostap..."                                               #And the wlan
ifconfig_wlan0="inet 192.168.xx.zz netmask 255.255.255.0"                    #Similar to internal wired
ifconfig_wlan0_ipv6="inet6 -accept_rtadv <ISP 32 bit prefix>:<my ext addr in hex>::2/64"
#ifconfig_wlan0_ipv6="inet6 -accept_rtadv"

rtsold_enable="YES"                                  #Enable the routing daemons on relevant interfaces
rtadvd_enable="YES"
rtadvd_interfaces="rl0 wlan0"

So the final hurdle was to use the ISP prefix on stf0 and it seems giving an IP to that interface is unnecessary as well.

The only slight problem still is that machines from internal net are unable to reach the other nic wlan0<->xxx0, but this is a minor annoyance only anymore that can be solved at my leisure.