6rd support added

databeestje

6rd support has been added over the past week and I'm searching for pfSense users that have access to such a connection.

The current limitations of our 6rd support is that it will only work with ISPs that embed the entire IPv4 address in the 6rd address. So if the ISP uses a 6rd prefix longer then 32 bits I would like to know.

I'm also looking for a list of various ISPs that employ 6rd and their respective settings.

France: Free.fr 2a01:0e3::/28 ->64.98.1.1 ? = delegated /60
Switzerland: Swisscom. 2a02:1200::/28 -> 6rd.swisscom.com (193.5.122.254) = delegated /60
America: Charter 2602:/32 -> 68.114.165.1 = delegated /64
Japan: Sakura 2001:e41::/32 -> 61.211.224.125 = delegated /64
America: ATT Uverse 2602:300::/28 -> 12.83.49.81 = delegated /60
Japan: Softbank –-
Netherlands: Telfort Pilot ---- 2a00:cd8::/32 ? = delegated /64
Netherlands: Lijbrandt Unsupported 2A02:80C0:FF00::/41 -> 188.142.72.5 IPv4 masklength 17 = delegated /56
Canada: Videotron Unsupported 2607:fa48:6dc0::/42 -> 74.59.126.1 IPv4 masklength 18 = delegated /60
Italy: FastWeb ---- 2001:b07::/32 = delegated /64

If others can add to this list, please.

kris2k

Canada/Videotron seems to be using multiple 6RD prefixes, and needs to be discovered via DHCP option 212.

Example of option 212 output (you need to tell your dhcp client to request option-212):
11:2d:26:7:fa:48:6e:c0:0:0:0:0:0:0:0:0:0:0:18:30:0:1

(based on http://tools.ietf.org/html/rfc5969)

Which translates to (simple hex-to-decimal conversion of tokens 1,2,19,20,21,22):
17 45 2607:f148:6ec0 24.48.0.1

Consequently, the interpretation would be:
2607:f148:6ec0::/45 -> 24.48.0.1 IPv4 masklength 17, delegated / 60

The delegated prefix seems to be calculated like this:
32 - 17(IPv4MaskLen) + 45 (6rdPrefixlen) = 60

How to pick-up dhcp option-212?
Create a dhclient.conf in /etc:
echo 'request subnet-mask, broadcast-address, time-offset, routers, domain-name, domain-name-servers, host-name, option-212;' > /etc/dhclient.conf
echo 'script "/etc/dhclient.script";' >> /etc/dhclient.conf

Create a dhclient.script in /etc:
echo '#!/bin/sh' > /etc/dhclient.script
echo 'echo $new_option_212 >/tmp/6rd-212.log' >>/etc/dhclient.script
chmod 755 /etc/dhclient.script

Restart your DHCP client by specifying your dhcp configuration file
/sbin/dhclient -c /etc/dhclient.conf <waninterfacename>(you will have to kill the pid if the process exists already)

Consult /tmp/6rd-212.log for your 6RD parameters
cat /tmp/6rd-212.log and decode it based on the above sample.</waninterfacename>

databeestje

Which still wouldn't work because our 6rd interface does not yet support prefix lenghts larger then 32 bits.

vinsomething

America: CenturyLink 2602:0::/24 -> 205.171.2.64 = delegated /64  Gateway does not respond to ICMP so I'm monitoring 2 hops further away.  I'll see if I can get their access-list loosened up a bit.

databeestje

Some of the 6rd relays reply on 6rdrelay::1and not on address 0. Try that.

doughecka

I'm trying to set this up on my UVerse connection… I'm getting this error in the logs:
php: : The interface IPv4 '99.74.122.32' address on interface 'sk0' is not public, not configuring 6RD tunnel

It IS a public address, although the ip address is issued by a 'LAN' dhcp server (192.168.1.254). Other people report success using ipv6 with 6rd on the 2wire modems... But nobody with pfsense apparently. Any tips on how to start digging in and tweaking this so it'll work?

Example: https://supportforums.cisco.com/docs/DOC-25121

databeestje

I'll have to look into that check and why it is triggering the private address check.

Strange.

You are right though, it should just work.

doughecka

Do you need to see any additional log entries to help troubleshoot this? I started working on getting HE setup, but if 6rd 'should' work I'll clear all that config off so I can be ready to try something.

databeestje

no time yet

doughecka

Well, I think I found why it detects my ip as 'private':
function is_private_ip($iptocheck) {
        $isprivate = false;
        $ip_private_list=array(
              "10.0.0.0/8",
              "172.16.0.0/12",
              "192.168.0.0/16",
              "99.0.0.0/8"
        );
        foreach($ip_private_list as $private) {
                if(ip_in_subnet($iptocheck,$private)==true)
                        $isprivate = true;
        }
        return $isprivate;

This is located in pfsense-utils.inc. Rather odd. I'm going to upgrade to the latest snapshot, and then adjust that ip to see if 6rd works.

doughecka

Removing the ip fixed the private ip issue (and Chris changed MASTER to remove the bad ip range), and the firewall now appears to auto-config the correct ips (as best as I can tell), however I'm not getting a default route for some reason. I guess I'll fiddle with this some more over the weekend. Almost there.

EDIT: typing this in: route add -inet6 default 2602:300:c533:1510::
fixed my default route issue, once I put that in, everything (even PCs on the LAN) can ping ipv6 stuff. Yay!

So the major issue is fixed, with the private ip being detected wrongly… the minor issue, 6rd isn't auto-setting the default route properly.

Speed test comes back a bit slow, probably because I'm pulling from Calif, and I'm in the Louisville area.

CpuID

Australia: iiNet 2001:4479::/32 ->203.0.178.66 = delegated /64

Still trying to get this working, just fiddling with my pfSense settings at the moment.

Paste of the forum post below of their example Cisco config:

–---------------------------------------------------------------------------

Hi,

If you have Cisco hardware capable of running a version of IOS that supports 6rd (minimum: 15.1(3)T) you will be able to add the following information to your config to get IPv6 connectivity.

This is provided 'as is' and at your own risk. No support will be offered by iiNet, nor will any responsibility be taken for unsecured networks resulting from adding this to your config.

It is your own responsibility to obtain the appropriate version of IOS and secure it appropriate. This will not be supported by iiNet.

!
ipv6 general-prefix DELEGATED_PREFIX 6rd Tunnel0
ipv6 unicast-routing
ipv6 cef
!
interface Tunnel0
description 6RD Tunnel interface
no ip address
no ip redirects
ipv6 enable
ipv6 mtu 1280
tunnel source Dialer1                          (OR DIALER0 etc.. whatever you have configured for WAN interface)
tunnel mode ipv6ip 6rd
tunnel 6rd prefix 2001:4479::/32
tunnel 6rd br 203.0.178.66
!
Int bvi1                                        (OR VLAN1 etc.. .. you lan interface)
ipv6 address DELEGATED_PREFIX ::/64 eui-64
!
ipv6 route 2001:4479::/32 Tunnel0
ipv6 route ::/0 Tunnel0 2001:4479:CB00:B242::1
!

Matt Hutchinson
Project Officer - Operations
iiNet Ltd.

A Former User

America: Charter Communications (Cable internet)

i havent tried this YET as i have a Tunnel running at the moment here at home but this is from there
web page.

6RD Configuration Settings
As part of Charter's IPv6 Trials we have made available a Public 6rd Border Relay. If you are interested in participating in our early trials and own a device that supports 6RD use this configuration information to begin experiencing the Next Generation Internet:

6rd Prefix = 2602:/32
    Border Relay Address = 68.114.165.1
    6rd prefix length = 32
    IPv4 mask length = 0

Primary DNS Address = 2607:f428:1::5353:1
Secondary DNS Address = 2607:f428:2::5353:1

Best regards

pyrodex

@SunCatalyst:

America: Charter Communications (Cable internet)

i havent tried this YET as i have a Tunnel running at the moment here at home but this is from there
web page.

6RD Configuration Settings
As part of Charter's IPv6 Trials we have made available a Public 6rd Border Relay. If you are interested in participating in our early trials and own a device that supports 6RD use this configuration information to begin experiencing the Next Generation Internet:

6rd Prefix = 2602:/32
    Border Relay Address = 68.114.165.1
    6rd prefix length = 32
    IPv4 mask length = 0

Primary DNS Address = 2607:f428:1::5353:1
Secondary DNS Address = 2607:f428:2::5353:1

Best regards

I have recent used Charter's 6RD setup and noticed a quirk on my side… My lan is setup as a TRACK for IPv6 and it does get an address and then each client gets an IPv6 address without issues from there. However I've noticed in my setup the IPv6 DNS server isn't coming across in windows. My DHCP server in PFSense (IPv4) is setup to send the IPv4 LAN address which is able to resolve IPv6 DNS servers but how do I allow my DHCP to send a IPv6 DNS server also?

wallabybob

@pyrodex:

how do I allow my DHCP to send a IPv6 DNS server also?

How do you have DNS items configured in pfSense DHCP server page?

pyrodex

@wallabybob:

How do you have DNS items configured in pfSense DHCP server page?

They are blank which would mean they inherit they are setup as the IPv4 LAN address. But in my case is the PFSense DHCPv4 actually issuing DHCP to my IPv6 clients or is Charter's 6RD platform?

MaxPF

I haven't tried it myself, but in Canada, Rogers offers this:

Setting Confirmation Required
Provider Prefix 2607:F090
Provider Prefix Sites 32
Mask Bits 0
Relay Address 66.185.95.192

kradalby

I guess i am a little too nooby to get all this,

My isp information is:
Altibox 6RD border relay: 213.167.115.92
15 bits prefix.

Can someone explain how this thing works, or is there an article i cant find on the wiki?

-Kristoffer

mgysi

Please note that Swisscom will change the IP of its 6rd Border Relays to 193.5.29.1 at April 9th, 08:00. This change will be reflected in the DNS name 6rd.swisscom.com at the same time (plus some propagation time through DNS).

Nulani

Altibox/Lyse, Norway
6RD IPv6 Prefix: 2a01:79c::/30
6RD Border Relay: 213.167.115.92
6RD IPv4 Prefix length: 0

Results in a /62.

They're using dhcp option 212 to distribute the configuration to the devices that support it.

I haven't managed to get it to work myself yet. It adds the correct address to the interface - the one I've been told I'm supposed to get - but I can't actually reach anything from it. Not entirely sure if the problem is on my end or with my ISP. Running Pfsense 2.1-RC0 (amd64) built on Tue Jun 4 20:54:59 EDT 2013.