IPv6 on OPNsense with Verizon FiOS

Started by Ground_0, June 09, 2024, 12:54:46 AM

I looked for a tutorial on the forums, but could not find one, so I copied this great information from here.

IPv6 on Verizon Fios with OPNsense:

UNDER INTERFACES > WAN:
IPv4 Configuration Type: keep using DHCP
IPv6 Configuration Type: DHCPv6
Request only an IPv6 Prefix: ✓ (enabled)
Prefix delegation size: 56
Send IPv6 prefix hint: ✓ (enabled)
UNDER INTERFACES > LAN:
IPv4 Configuration Type: keep using Static IPv4
IPv6 Configuration Type: Track Interface
IPv6 Interface: WAN (which interface to track)
IPv6 Prefix ID: 0

If you have other local networks, like a guest network VLAN, you can assign those interfaces a different prefix ID to keep them isolated.

Enjoy.
AppNeta m50 8GB
DEC690

*Nothing takes 5 minutes.*
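The Prefix ID arithmetic behind the LAN settings above, as an added example (it is not part of Ground_0's post and not OPNsense code). With a /56 delegation, each interface set to Track Interface gets one /64 selected by its IPv6 Prefix ID, so there are 256 usable IDs (0x0 to 0xff); the script below reproduces that calculation and flags an ID that does not fit or two VLANs that collide on the same ID. The delegated prefix is a constructed sample from the documentation range, not a real Verizon lease.

```python
"""Prefix-ID arithmetic behind OPNsense's "Track Interface" mode (added example).

With "Prefix delegation size: 56" on the WAN, dhcp6c asks the ISP for a /56.
Each LAN/VLAN set to "Track Interface" then gets one /64 out of that /56,
selected by its "IPv6 Prefix ID" (a hex value in the UI). This script
reproduces that arithmetic so you can see which /64 each VLAN will receive
and catch a Prefix ID that does not fit in the delegation, or two VLANs that
collide on the same ID.
"""
import ipaddress

# Constructed sample lease using the RFC 3849 documentation range. A real
# Verizon delegation would be a 2600:... prefix; the arithmetic is identical.
SAMPLE_DELEGATION = "2001:db8:abcd:5600::/56"


def max_prefix_id(delegated: str, subnet_len: int = 64) -> int:
    """Highest Prefix ID usable when slicing `delegated` into /`subnet_len`s.

    A /56 split into /64s leaves 8 bits of ID space: IDs 0x0..0xff.
    A bare /64 delegation leaves no room at all: only ID 0 is valid.
    """
    net = ipaddress.IPv6Network(delegated)
    if subnet_len < net.prefixlen:
        raise ValueError(f"/{subnet_len} does not fit inside {net}")
    return (1 << (subnet_len - net.prefixlen)) - 1


def track_interface_subnet(delegated: str, prefix_id: int,
                           subnet_len: int = 64) -> ipaddress.IPv6Network:
    """Return the subnet Track Interface assigns for `prefix_id`."""
    net = ipaddress.IPv6Network(delegated)
    top = max_prefix_id(delegated, subnet_len)
    if not 0 <= prefix_id <= top:
        raise ValueError(
            f"Prefix ID {prefix_id:#x} is outside 0x0..{top:#x} for {net}")
    # The ID occupies the bits between the delegated length and the subnet
    # boundary, so shift it up past the host portion and add it to the base.
    base = int(net.network_address)
    return ipaddress.IPv6Network((base + (prefix_id << (128 - subnet_len)), subnet_len))


def plan_vlans(delegated: str, prefix_ids: dict[str, int]) -> dict[str, str]:
    """Map interface names to the /64 each will track; reject duplicate IDs."""
    seen: dict[int, str] = {}
    plan: dict[str, str] = {}
    for name, pid in prefix_ids.items():
        if pid in seen:
            raise ValueError(
                f"{name} and {seen[pid]} both use Prefix ID {pid:#x}; they would share a /64")
        seen[pid] = name
        plan[name] = str(track_interface_subnet(delegated, pid))
    return plan


if __name__ == "__main__":
    # LAN keeps Prefix ID 0 as in the post; the guest and IoT VLANs get their own.
    layout = plan_vlans(SAMPLE_DELEGATION, {"LAN": 0x0, "GUEST": 0x1, "IOT": 0x10})
    for iface, subnet in layout.items():
        print(f"{iface:6} -> {subnet}")
    print("usable Prefix IDs for a /56:", f"0x0..{max_prefix_id(SAMPLE_DELEGATION):#x}")
```

The isolation between VLANs mentioned above comes from each one living in its own /64; the firewall rules between those interfaces are still yours to write, since different Prefix IDs only give them distinct subnets.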

Thanks for adding this! Note that I did a tutorial on this a while ago for people who want to go an extra step and run their own DHCPv6 servers: https://forum.opnsense.org/index.php?topic=32741.0



June 29, 2024, 02:27:20 AM #2 Last Edit: June 29, 2024, 08:18:57 PM by planar3d
Anybody else on FIOS?

Does your WAN interface have a real IPv6 address (i.e. a globally unique address)? I remember some people speculating that FIOS had started using the RFC6603 PD Exclude option.

https://datatracker.ietf.org/doc/html/rfc6603

Other people discussed this problem a few years ago here: https://forum.netgate.com/topic/174980/fios-getting-56-pd-via-dhcp6-but-no-v6-is-assigned-to-wan/18

During that talk someone came up with a script to try a work around to this problem but I believe franco commented on it in another thread noting that the script could cause problems: https://github.com/luckman212/assign-gua-from-iapd

The topic came up again here: https://forum.netgate.com/topic/177981/no-ipv6-after-upgrade-to-23-01/86

Also, does anybody know what DHCP/DHCPv6 client OPNsense is using? Is it dhcpcd? https://roy.marples.name/projects/dhcpcd

Quote from: planar3d on June 29, 2024, 02:27:20 AM
Anybody else on FIOS?

Does your WAN interface have a real IPv6 address (i.e. a globally unique address)? I remember some people speculating that FIOS had started using the RFC6603 PD Exclude option.

I have a 2600 address on the LAN, and I can ping ipv6.google.com. I am not clear on how to establish if I am actually receiving a globally unique address. The example in your link citing the example
Quote
Fios users have asked or searched for at one point if anyone has a script or something or ideas on how to automate the WAN getting a GUA assigned that will draw from the /56 so we don't have ONLY a link local ipv6 address on wan. Verizon's own routers seem to have something hardcoded that makes it so that FF::1 is used for the wan. People thought that it was RFC6603 being used, but when the traffic was analyzed at the packet level verizon did not seem to be responding to the RFC6603 prefix exclusion request.
...is a little above my head. My WAN IPv6 (from the interfaces widget) ends with a %em0, and my gateway ends in FF:xxxx:xxxx.

August 06, 2024, 09:13:07 PM #4 Last Edit: August 06, 2024, 09:14:51 PM by mattlach
Ugh,

I have been dreading having to learn how to configure IPv6 for over a decade now.

I have my complicated network set up the way I like it, with many local VLANs, each on a separate IPv4 subnet inside the 10.0.0.0/8 private range.

Ever since I first learned of IPv6 in the '90s I thought it was a terrible implementation. I don't even use DNS or hostnames for my local hosts because I have all of their IPv4 addresses memorized and haven't had to. I know IP address exhaustion is a real problem, and has been for a very long time, but creating these insanely long and human non-readable IP addresses has been a huge pet peeve of mine when we could have just added another octet to IPv4 and called it a day. We don't need a unique IP address for every atom on the planet.

I'm also not a fan of IPv6 creating hardware addresses based on the MAC address and using it to communicate on the local network. I feel like it removes a level of control I previously had.

And if I'm honest, while I know lots of people hate it, I really like NAT. I like having a single exit point for everything from my network and keeping control over everything that is internal. I'm not a fan of "everything on the internet being 1:1" as it breaks my concept of my own little private network that just happens to be connected to the internet, and turns it into an "everything is the internet" model. It's just like nails on a chalkboard to me. I've never thought of my home LAN as "part of the internet". I've thought of it as my home network, and occasionally things transit my gateway to the public internet (but most traffic is local), and I like that NATed single point of entry (as long as I control the gateway).

I've also been using the fact that Android doesn't support DHCPv6 as an excuse to keep my entire network all IPv4 until such time as everything on my local network supports DHCPv6, as the concept of SLAAC really makes me uncomfortable and makes me feel like I am no longer in control.

Thus I've just kept IPv6 disabled on the WAN and LAN interfaces of the OPNsense box because I haven't had the time at any point in 10 years to sit down and re-learn how to properly firewall off IPv6 so I don't have unintentional leaks. I also disable IPv6 on all local machines and devices on my network and have every network firewall configured to block all IPv6 traffic.

My theory here is that if I just block and disable IPv6 everywhere, my network remains firewalled the way I want it, until I have the time to relearn everything. I know this means I don't necessarily have IPv6 tunneling blocked, but I try. But, to be fair, I can't stay on top of blocking all IPv4 tunneling providers either.

I figured I'd get around to learning it at some point, but I just haven't had the time for over a decade now, and I have no idea when I will. I'm in my mid-40s now. I may very well go to my grave without ever enabling IPv6 :p

Everything about this is about control to me. I am the dictator of my LAN. I don't want a single bit moving on my network or through my WAN without me intentionally telling it to. I hate all forms of automatic scanning/discovery of networks. With the exception of DHCP, I don't like my clients or servers to even behave as if the LAN exists until I tell them which IP address to connect to and click OK (or hit enter).

So in other words, I use my local network like it's the '90s, and that's the way I like it. I consider it to be distinct and separate from the internet, and that's the way I like it.

It may very well be that I just don't understand IPv6 well enough yet, but I feel like with IPv6 I am giving up a lot of control I previously had, and it makes me very uncomfortable.

Anyway, moving along to my issue:


I recently had a cloud backup service offer me a significant discount if I am able to connect only via IPv6, so they don't have to burn one of their precious remaining IPv4 addresses, so this IPv6 thing is finally getting real :'(

Any way I can easily allow only a single IPv6 address through to the source system of the cloud backups and keep it blocked for anything and everything else until I have time to properly read up on how to configure IPv6 correctly to get the level of control I want?
OPNSense running as a VM in KVM under Proxmox:
- Rocket Lake Xeon E2314 in a Supermicro X12STL-F.  
- IOMMU forwarded i210 Ethernet for WAN and x520 for LAN.
- Pi-hole running as separate LXC Container on same server. 
- Lots of VLAN's and tricky firewall rules.

Quote from: Ground_0 on June 09, 2024, 12:54:46 AM
UNDER INTERFACES > WAN:
IPv4 Configuration Type: keep using DHCP
IPv6 Configuration Type: DHCPv6
Request only an IPv6 Prefix: ✓ (enabled)
Prefix delegation size: 56
Send IPv6 prefix hint: ✓ (enabled)

Well, I'm not ready to allow any of my local networks to use IPv6 yet (as mentioned above, I want to learn how to secure it first), but I decided to see if I could at least get DHCPv6 to communicate with upstream by making the above changes.

My WAN interface now has an IPv6 address, but sadly it starts with fe80:, which I understand means it is a non-routable local hardware address only.

I guess this means it failed to grab an IPv6 address range from upstream?

Maybe it is not yet enabled here?

Appreciate any thoughts.

So, I have done some more tinkering and reading.

One guide suggested checking the box for obtaining IPv6 over IPv4 (I forget the exact name of the checkbox right now, but it is the one in the interface settings).

I tried that, but my WAN interface still did not pull an IPv6 address other than the fe80: hardware/link-local/whatever (I don't know the IPv6 terminology yet) address.

Should I be expecting the WAN interface to pull an IPv6 address if it is working? Or, since it is no longer NAT with IPv6, maybe it doesn't even need one?

On the IPv4 side, Verizon is notorious for being tricky with their DHCP, often requiring a manual release and renew of the lease by calling their support if you are doing something like changing a router.

Maybe I need to request a manual release/renew to be able to start using IPv6?

Is there any way I can even confirm whether or not it is enabled upstream? Can I somehow query Verizon's DHCP and get an output as to what is available, so I know whether or not I am wasting my time?

I'd appreciate any input anyone may have.  Despite IPV6 being around for a long time now, I still feel like I am fumbling in the dark here.

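The question that runs through planar3d's and mattlach's posts is how to tell a link-local fe80:: address from a globally unique one, and whether the delegated prefix actually arrived. The script below is an added example (not from any poster, and not OPNsense code) that parses FreeBSD-style ifconfig output, classifies each inet6 address as link-local, unique-local or global, and checks whether the LAN's global address falls inside the /56 that should have been delegated. Note that with "Request only an IPv6 Prefix" enabled, as in the first post, the WAN is expected to carry only a link-local address: the router never asks for a WAN address (IA_NA), only a prefix (IA_PD), and the default route is via the upstream router's link-local address. The useful check is therefore the LAN, not the WAN. The ifconfig text and the delegated prefix are constructed samples, not output from a real FiOS connection.

```python
"""Classify an interface's IPv6 addresses and check prefix delegation (added example).

Parses FreeBSD ifconfig output (what OPNsense runs on), sorts each inet6
address into link-local / unique-local / global, and reports whether the LAN
got a /64 out of the prefix that should have been delegated. A WAN with only
an fe80:: address is normal when DHCPv6 requests only a prefix.
"""
import ipaddress
import re

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")

# Constructed ifconfig sample: em0 is WAN (link-local only, as expected when
# "Request only an IPv6 Prefix" is set), em1 is LAN tracking WAN with Prefix ID 0.
SAMPLE_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
\tinet6 fe80::a00:27ff:fe11:2233%em0 prefixlen 64 scopeid 0x1
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255
\tinet6 fe80::a00:27ff:fe44:5566%em1 prefixlen 64 scopeid 0x2
\tinet6 2001:db8:abcd:5600::1 prefixlen 64
"""
# Constructed delegation (documentation range); a real FiOS lease is 2600:...
SAMPLE_DELEGATION = "2001:db8:abcd:5600::/56"


def classify(addr: str) -> str:
    """Return 'link-local', 'unique-local', 'global' or 'other' for one address.

    The %em0 suffix is a FreeBSD zone index, not part of the address; drop it.
    Explicit ranges are used instead of is_private/is_global because the
    ipaddress module treats the 2001:db8::/32 documentation range as private.
    """
    ip = ipaddress.IPv6Address(addr.split("%")[0])
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in UNIQUE_LOCAL:
        return "unique-local"
    if ip in GLOBAL_UNICAST:
        return "global"
    return "other"


def parse_ifconfig(text: str) -> dict[str, list[str]]:
    """Map interface name -> list of inet6 addresses (zone suffix kept)."""
    result: dict[str, list[str]] = {}
    current = None
    for line in text.splitlines():
        head = re.match(r"^(\S+):\s+flags=", line)
        if head:
            current = head.group(1)
            result[current] = []
            continue
        fields = line.split()
        if current and len(fields) >= 2 and fields[0] == "inet6":
            result[current].append(fields[1])
    return result


def delegation_status(text: str, delegated: str, wan: str, lan: str) -> dict:
    """Summarise whether PD worked; the WAN may legitimately be link-local only."""
    net = ipaddress.IPv6Network(delegated)
    ifaces = parse_ifconfig(text)
    wan_gua = [a for a in ifaces.get(wan, []) if classify(a) == "global"]
    lan_gua = [a for a in ifaces.get(lan, []) if classify(a) == "global"]
    lan_in_pd = [a for a in lan_gua
                 if ipaddress.IPv6Address(a.split("%")[0]) in net]
    if lan_in_pd:
        verdict = "prefix delegation working"
    elif lan_gua:
        verdict = "LAN has a global address but not from the expected delegation"
    else:
        verdict = "no global address on LAN: delegation not received"
    return {"wan_has_gua": bool(wan_gua),
            "lan_in_delegation": bool(lan_in_pd),
            "verdict": verdict}


if __name__ == "__main__":
    for iface, addrs in parse_ifconfig(SAMPLE_IFCONFIG).items():
        for a in addrs:
            print(f"{iface}: {a:40} {classify(a)}")
    print(delegation_status(SAMPLE_IFCONFIG, SAMPLE_DELEGATION, wan="em0", lan="em1"))
```

To run it against a live box, replace SAMPLE_IFCONFIG with the output of `ifconfig` on the OPNsense shell and SAMPLE_DELEGATION with the prefix shown in the DHCPv6 lease; a LAN address outside that prefix, or no global address at all, is the symptom worth chasing, while a WAN showing only fe80:: is not by itself a failure.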