How to 4rd with pfsense ?

p_bear

Hi everybody,

I'd like to replace my ISP box with my pfsense appliance. But, from the Informations I picked on different forums, my ISP is using 4rd (https://datatracker.ietf.org/doc/html/rfc7600). so they encapsulate the ipv4 packets into ipv6 ones.
Someone could replace the box with a Mikrotik an VyOS.

So my question is: can pfsense do that ? and how ?

Thank you

Edit: Maybe it's ipip6 ? I'm not sure if it's the same, it's completely beyond my knowledges

p_bear

If it's ipip6 , I found this thread: https://forum.netgate.com/topic/140905/ipv4-over-ipv6

It's almost 3 years old so I guess things have evaluate since then ?

p_bear

Anyone of Netgate team could explain if t's now possible and how to proceed ? Maybe from the CLI ? It can be done under linux but I don't know with BSD. I guess so.
Or if it's a futur feature ?
Or something I better forget ?
Thanks

sorg

Hi p_bear.

I guess we might have the same ISP.

My ISP is providing ipv4 by tunneling it within a ipip6 tunnel.

I tried to establish such a tunnel using the pfsense GIF interface, however, I am not able to fill all the fields, as the remote ipv4 is not known.

Here is the linux equivalent setup:

allow-hotplug ip4tnl0
auto ip4tnl0
iface ip4tnl0 inet tunnel
  description wan4
  address 82.64.11.22/32 # My public ipv4
  mode ipip6
  local 2a01:e0a:1111:2222:0:ffff:ffff:0 # My IPV6 address
  endpoint 2a01:e00:29:200a::fffd # The relay
  tunnel-physdev eth0.836

  post-up ip -6 tunnel change ip4tnl0 encaplimit none

  post-up sysctl -q net.ipv4.conf.ip4tnl0.forwarding=1
  # Adds IPv4 default route to pass by this interface
  post-up ip -4 route add default dev ip4tnl0
  mtu 1500

Is it possible to achieve the same within pfsense ? (If necessary, i can use the CLI).

p_bear

@sorg

Hello,

I still haven’t figured it out. It seems that there are not a lot of people in this situation because nobody has answered me.

I gave up for now, and I'm using my ISP box in bridge mode.

Dobby_

@p_bear

What is your ISP and in wich country you are?
It makes it a little bit more easy for us to help you

p_bear

This post is deleted!

sorg

@Dobby_ and, i am also from France with Free as ISP.

as @p-bear said, Free ipip6 tunnel has already been deployed on other firewall such as openwrt , vyos, ubiquiti, etc... But until now, i have not found a single testimony of a user of pfsense/opnsense.

https://lafibre.info/remplacer-freebox/tutorial-remplacer-la-freebox-par-une-box-gnulinux/
https://lafibre.info/remplacer-freebox/tuto-free-zmd-ipv4-fullstack-14-ipv4-plage-60-ipv6/

Dobby_

@p_bear said in How to 4rd with pfsense ?:

@Dobby_

I live in France for now. My ISP is Free.

The box from Free is serving you also TV,
telephone and WiFi? Then I would let it run
in front of the pfSense and the pfSense
behind it.

Here there is a guy could configure an Ubiquiti edge router : https://lafibre.info/remplacer-freebox/tuto-remplacer-sa-freebox-par-un-routeur-ubuiquity-en-zmd-10g-epon/

But others were reporting that the OPNVPN
and/or other VPN only will work with there
own box, I can´t tell you anything about, but
my personal choice will be the FreeBox first
and behind the pfSense to secure the entire
LAN and/or your devices.

p_bear

@Dobby_
I don't mind about the home phone, it is not even plugged. In France, the mobile (and internet) subscriptions are very cheap so everybody uses their mobiles.
I never had any TV subscription (again, here almost only the old generation still watches the tv channels, nowadays).

But that being said, we know that you'd keep the ISP box upfront, but we come here to find a solution to get rid of it. Therefore, to return to the initial subject, do you know how to configure 4rd with pfSense ?

sorg

Yes , the ISP router (named freebox) provide both Phone and TV Service.

I currently run my firewall behind the freebox (running in bridge mode, meaning, it does not route at all, it just forward the public ip adress to the Lan port).
This solution is far from perfect:

• the freebox draw more amps than necessary if it not used for its additional services.
• For some reason, the freebox in bridge mode limit the available bandwith.
• The freebox is quite large. It is composed of two seperates box: the router itself and the ONT dealing with the fiber connection + a large power brick. It is a mess in my cabinet.

The goal would be to remove the freebox, keeping the ONT only, and connecting it to the pfsense firewall.

Most users can live without the freebox additional services as the phone is not really necessary in a world where we all have a cellphone in our pocket , and we have good solution for TV too as Free is also providing IPTV without passing through their router with a simple app running on android TV, Tizen, etc... .

For the time being, i have been able to connect my firewall to the ONT and to get ipv6 connectivity.
In order to get ipv4 connectivity, i need to connect a tunnel over ipv6 according to linux ipip6 protocol.
As far as i understand this has not been available in freebsd for quite a long time. I wonder if the situation has changed.

Dobby_

@sorg & @p_bear

Alors le deux, on y va, peut-être ce quelque
chose pur vous!?

Avoir Internet en fibre sans utiliser la Freebox? Possible!

Ce n'est plus à jour, mais peut-être
cette veux marche encore.

I was only finding that article here about someone who get rid of the "Free" equipment and get it running, but it is from 2013 and
not really actual anymore but you can try it out.

sorg

@Dobby_ unfortunately this guide is based on a legacy protocol formerly used by Free.
This principle of connection is not used by Free qnymore.

Dobby_

@sorg said in How to 4rd with pfsense ?:

@Dobby_ unfortunately this guide is based on a legacy protocol formerly used by Free.
This principle of connection is not used by Free anymore.

HowTo
En clair, si le DSLAM ne détecte pas la bonne adresse MAC, il n'établit pas la connexion.

Internet > Free > DSLAM > modem > pfSense
Free gives you access to the internet on the street
the DSLAM from them ist placed and on your site
you will need a modem VDSL(2) where you must
clone the MAC address from your Freebox as I
see it right.

Or you could try out to install a MikroTik in
front of the pfSense to get out the informations you will need to set up then (later) the pfSense
with that numbers. May be another option.

Router
[Tuto][VDSL][6rd] Remplacer sa Freebox par un routeur Mikrotik, tout-en-un

I am pretty sure you would be able to insert such a modem also inside of your pfSense and set
it up!

Modem
ALLNET ALL4781V Mini GBIC, VDSL2
VDSL2 SFP Modem 180-T
GPON UNO

sorg

@Dobby_ said in How to 4rd with pfsense ?:

En clair, si le DSLAM ne détecte pas la bonne adresse MAC, il n'établit pas la connexion.
Internet > Free > DSLAM > modem > pfSense
Free gives you access to the internet on the street
the DSLAM from them ist placed and on your site
you will need a modem VDSL(2) where you must
clone the MAC address from your Freebox as I
see it right.
Or you could try out to install a MikroTik in
front of the pfSense to get out the informations you will need to set up then (later) the pfSense
with that numbers. May be another option.

This guide is not relevant for our situation.
We are not connected through VDSL, but with Fiber (FTTH using 10G-EPON.)

We already have the necessary hardware (the ONT) to connect the incoming fiber to a modem and we know the steps to achieve the results.

1. We need to spoof the MAC address of the Freebox on the ethernet interface that will be connected to the ONT: It's ok and working.
2. We need access to VLAN 836 on this interface and get an ipv6 link with dhcpv6 provisionning: It's ok and working.
3. We need to open a tunnel of type ipip6 over this link in order to get the ipv4 Wan connection.
   Ideally this tunnel is negotiated with 4rd or map-e protocol, however, we can also force the settings manually.

I have not been available to achieve this last step on pfsense/opnsense, while i have all this set up an working in vyos or openwrt.

Dobby_

@sorg said in How to 4rd with pfsense ?:

This guide is not relevant for our situation.
We are not connected through VDSL, but with Fiber (FTTH using 10G-EPON.)

Ok now I now it a bit better.

We already have the necessary hardware (the ONT) to connect the incoming fiber to a modem and we know the steps to achieve the results.

This was not clear to me from the opening post.

We need to spoof the MAC address of the Freebox on the ethernet interface that will be connected to the ONT: It's ok and working.
We need access to VLAN 836 on this interface and get an ipv6 link with dhcpv6 provisionning: It's ok and working.

Ok.

We need to open a tunnel of type ipip6 over this link in order to get the ipv4 Wan connection.
Ideally this tunnel is negotiated with 4rd or map-e protocol, however, we can also force the settings manually.

Oh ok I see it is in real another problem, so
I was not really able to get it right.

I have not been available to achieve this last step on pfsense/opnsense, while i have all this set up an working in vyos or openwrt.

Oh ok if you got it working in VyOS and OpenWRT it should be a way to find out
how it should work using pfSense.