AT&T Fiber full bypass on OPNsense 26.x: IPv6 persistence gotchas

Started by grevelle, Today at 02:52:02 AM

Previous topic - Next topic
Sharing a few OPNsense 26.x-specific notes after doing a BGW210 full bypass (wpa_supplicant EAP-TLS on the WAN, no netgraph / no Auth Bridge). The EAP path from this thread and the usual cert + MAC spoof + PCP 1 setup still applies. What burned time was IPv6 coming back cleanly after a cold reboot.

1) Put the AT&T DUID where dhcp6c actually reads it

On current OPNsense, set the DUID-EN under:

Interfaces → Settings → DHCP Unique Identifier

That maps to OPNsense/Interfaces/settings/dhcp6_duid and should also be present in /var/db/dhcp6c_duid and /conf/dhcp6c_duid.

Do not rely on system.ipv6duid alone. In our case dhcp6c ignored that and fell back to a DUID-LLT derived from the real NIC MAC, so DHCPv6 Solicits never got Replies after reboot even though EAP and IPv4 were fine.

Quick check:

php -r 'require_once "util.inc"; echo dhcp6c_duid_read(),"\n";'
Confirm that prints your AT&T DUID-EN, not a link-layer DUID.

2) VLAN priority field names must be exact

For AT&T you want PCP Background (1) on both DHCP and DHCPv6.

In config the keys are:
  • dhcpvlanprio = 1
  • dhcp6vlanprio = 1

GUI: WAN → Use VLAN priority → Background (1) for IPv4 and IPv6.

Wrong names such as dhcpvlanpriority / dhcp6vlanpriority do nothing. Everything looks configured, but AT&T never answers.

Verify IPv6 PCP is in pf:

pfctl -sr | grep "dhcpv6-server set ( prio 1 )"
3) Leave "Request only an IPv6 prefix" truly unset

If you want IA_NA + IA_PD (WAN GUA + PD), do not leave an empty dhcp6prefixonly value in the config. An empty string still counts as set in the PHP generator and can suppress IA_NA. Use basic DHCPv6 with PD size 60 and Send IPv6 prefix hint, prefix-only unchecked.

Generated /var/etc/dhcp6c.conf should include both send ia-na and send ia-pd, plus prefix ::/60 and sla-len 4 for a /60.

4) Boot race: DHCP/DHCPv6 can run before EAP is Authorized

On cold boot, dhcp6c can Solicit before wpa_supplicant finishes EAP-TLS. We kept the usual early/04-wpa hook (OPENSSL_CONF + wpa_supplicant on the WAN NIC, MAC spoof), and added a short background wait for EAP state=SUCCESS, then:

configctl interface reconfigure wan
That fixed IPv6 not returning after reboot while IPv4/EAP looked fine.

Also: while staging behind the BGW LAN, leave the early hook non-executable (chmod 644). On ONT cutover, chmod +x.

5) Judge IPv6 by the LAN GUA, not WAN IA_NA pings

AT&T often will not answer ICMP from the WAN IA_NA. If you have a PD and a LAN 2600:... GUA that can ping6 out (source the LAN GUA), you are good.

Stack that worked here (high level)

  • OPNsense 26.7, Intel igb WAN/LAN
  • Full bypass: ONT → OPNsense WAN (BGW cold spare)
  • wpa_supplicant EAP-TLS + OpenSSL SECLEVEL=0 / unsafe renegotiation (as in this thread)
  • Spoof RG WAN MAC on WAN
  • Disable hardware VLAN filtering
  • DHCP + DHCPv6 with PCP 1, DUID-EN, PD /60, LAN track interface prefix ID 0

Huge thanks to everyone who posted the SECLEVEL=0 / early-hook pattern on another thread; hope the DUID + vlanprio naming notes save someone a reboot loop.