Since the AVM Fritz!Box should be considered pwned, I use my own firewall right behind the ISP-supplied router. A simplified version of my network looks like this:
```
                 +--------------------+
                 | OpenBSD Firewall   | vr3 ---+--- WiFi AP
Fritz!Box ---- vr2 (DHCP/DNS/...)     |        +--- Laptop
                 |                    |        +--- NAS
                 |                    | vlan4 ---- Guest Network
                 +--------------------+
```
The steps necessary to get IPv6 working behind my OpenBSD-based firewall boiled down to the following:
- Enable IA_PD (Prefix Delegation) for the DHCPv6 server running on the Fritz!Box.
- Configure the OpenBSD router to request a prefix on the interface connected to the Fritz!Box. I used the `dhcp6c` port with the following configuration for this:

  ```
  interface vr2 {
      send ia-pd 0;
      send rapid-commit;
  };
  id-assoc pd {
      prefix-interface vr3 {
          sla-id 1;
          sla-len 2;
      };
      prefix-interface vlan4 {
          sla-id 2;
          sla-len 2;
      };
  };
  ```

  This instructs `dhcp6c` to request a prefix from a DHCPv6 server on `vr2` and to configure two new prefixes on the interfaces `vr3` and `vlan4`.
- Configure `rtadvd` on `vr3` and `vlan4` to advertise IPv6 availability on the internal networks.
- Configure the return route for the newly configured IPv6 prefixes on the Fritz!Box. Otherwise the Fritz!Box will drop IPv6 reply packets because it does not know what to do with them. For example, if `dhcp6c` configured the address `2001:a60:13d1:c2fd:200:20ff:fea3:da47` on `vr3`, we need to configure the Fritz!Box to forward packets for `2001:a60:13d1:c2fd::/64` back to the firewall. This can't be done from the web GUI (for IPv6), so it needs to be done manually using telnet (`fe80::200:20ff:fea3:fe41` being the link-local address of `vr2`):

  ```
  route -A inet6 add 2001:a60:13d1:c2fd::/64 gw fe80::200:20ff:fea3:fe41 dev lan
  ```

- Change `pf.conf` accordingly.
- Check out the dancing turtle on kame.net!
If your ISP enforces a daily reconnect, your IPv4 address will change,
along with your IPv6 prefix. This will break the setup described above:
dhcp6c
will not notice that the prefix changed and will leave the old
addresses configured on the internal interfaces. Additionally there
will be no return route for the new prefix on the Fritz!Box (see step 4).
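To make the sla-id/sla-len arithmetic and the stale-prefix failure mode concrete, here is an added Python example (not part of the original post or of the author's scripts). The interface names, sla values and the vr2 link-local address are taken from the post; the delegated /62 and the 2001:db8:: prefix used to simulate a reconnect are constructed.

```python
import ipaddress

# id-assoc pd section of the dhcp6c configuration above: interface -> (sla-id, sla-len)
PREFIX_INTERFACES = {"vr3": (1, 2), "vlan4": (2, 2)}

# Link-local address of vr2 from the post; the Fritz!Box routes via this gateway.
VR2_LINK_LOCAL = "fe80::200:20ff:fea3:fe41"


def sla_prefix(delegated, sla_id, sla_len):
    """Sub-prefix dhcp6c derives for one prefix-interface.

    The delegated prefix is extended by sla_len bits and sla_id is written into
    those bits, so a delegated /62 with sla-len 2 yields four possible /64s.
    """
    delegated = ipaddress.IPv6Network(delegated)
    new_len = delegated.prefixlen + sla_len
    if new_len > 128 or sla_id >= 1 << sla_len:
        raise ValueError("sla-id does not fit into sla-len bits")
    net = int(delegated.network_address) | (sla_id << (128 - new_len))
    return ipaddress.IPv6Network((net, new_len))


def interface_prefixes(delegated):
    """Map each prefix-interface to the prefix dhcp6c will configure on it."""
    return {ifn: sla_prefix(delegated, sid, slen)
            for ifn, (sid, slen) in PREFIX_INTERFACES.items()}


def fritzbox_routes(delegated, gw=VR2_LINK_LOCAL):
    """Return routes that must exist on the Fritz!Box (step 4) for this delegation."""
    return [f"route -A inet6 add {pfx} gw {gw} dev lan"
            for pfx in interface_prefixes(delegated).values()]


def stale_interfaces(delegated, configured):
    """Interfaces whose current global address lies outside the newly delegated prefix.

    configured maps interface -> global address found on it. After a reconnect the
    delegated prefix changes, but dhcp6c leaves the old addresses in place; these
    are the interfaces that need re-addressing and a new return route.
    """
    expected = interface_prefixes(delegated)
    stale = {}
    for ifn, addr in configured.items():
        if ipaddress.IPv6Address(addr) not in expected[ifn]:
            stale[ifn] = (ipaddress.IPv6Interface(addr + "/64").network, expected[ifn])
    return stale
```

Feed `stale_interfaces` the prefix from the latest dhcp6c lease and the addresses currently on `vr3` and `vlan4`; a non-empty result is the trigger for re-addressing and for pushing the output of `fritzbox_routes` to the Fritz!Box.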
I wrote a small set of Shell and Expect scripts to work around these issues. Keep in mind that this is just a quick and dirty proof of concept.
Conclusion
- Fuck AVM for not implementing IPv6 properly. As of today, it's not possible to exclude delegated subnets or hosts from the built-in firewall. This renders DS-Lite based DSL connections useless for offering services (VPN, SSH, etc) to the Internet (on both IPv4 and IPv6).
- Fuck M-Net for enforcing compulsory routers.
- After having used the aforementioned setup for a few weeks, I have to say that it still runs surprisingly well, despite the dirty hacks involved.