
Fritz!Box + IPv6 Prefix-Delegation

Since the AVM Fritz!Box should be considered pwned, I use my own firewall right behind the ISP-supplied router. A simplified version of my network looks like this:

+----------+     +--------------------+-----+--+ WiFi AP
| Fritzbox +-----+  OpenBSD Firewall  |vr3  |
+----------+  vr2|    DHCP/DNS/...    |     +---+ Laptop
                 +--+-----------------+     |
               vlan4|                       +---------+ NAS
                    +--- Guest Network

The steps necessary to get IPv6 working behind my OpenBSD-based firewall boiled down to the following:

  1. Enable IA_PD (Prefix Delegation) for the DHCPv6 server running on the Fritz!Box.
  2. Configure the OpenBSD router to request a prefix on the interface connected to the Fritz!Box. I used the dhcp6c port with the following configuration for this:

        # request one prefix delegation (IA_PD, IAID 0) from the DHCPv6 server on vr2
        interface vr2 {
                send ia-pd 0;
                send rapid-commit;
        };

        # carve the delegated prefix into subnets: sla-len 2 appends two SLA bits,
        # so the /64s shown below mean the Fritz!Box hands out a /62; sla-id picks
        # which of the four /64s each interface gets
        id-assoc pd {
                prefix-interface vr3 {
                        sla-id 1;
                        sla-len 2;
                };
                prefix-interface vlan4 {
                        sla-id 2;
                        sla-len 2;
                };
        };

     This instructs dhcp6c to request a prefix from a DHCPv6 server on vr2 and to configure two new /64 prefixes, carved out of the delegated one, on the interfaces vr3 and vlan4.
  3. Configure rtadvd on vr3 and vlan4 to advertise IPv6 availability on the internal networks.
  4. Configure the return route for the newly configured IPv6 prefixes on the Fritz!Box. Otherwise the Fritz!Box will drop IPv6 reply packets because it does not know what to do with them. For example, if dhcp6c configured the address 2001:a60:13d1:c2fd:200:20ff:fea3:da47 on vr3, we need to configure the Fritz!Box to forward packets for 2001:a60:13d1:c2fd::/64 back to the firewall. This can't be done from the web GUI (for IPv6), so it needs to be done manually using telnet (fe80::200:20ff:fea3:fe41 being the link-local address of vr2):
    route -A inet6 add 2001:a60:13d1:c2fd::/64 gw fe80::200:20ff:fea3:fe41 dev lan
  5. Change pf.conf accordingly.
  6. Check out the dancing turtle on!
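Step 5 only says to change pf.conf. The fragment below is an added example, not the post's own ruleset, of the IPv6 rules this layout needs. The interface names are the ones from the diagram; the choice of ICMPv6 types to let through and the use of the dhcpv6-client/dhcpv6-server service names from /etc/services are my assumptions about a minimal working set, not something the post states.

```conf
# Added example, not the post's own pf.conf: IPv6 rules for the layout above.
ext_if  = "vr2"
int_ifs = "{ vr3 vlan4 }"

set skip on lo
block all

# ICMPv6 is not optional: neighbour discovery on every link, router
# solicitation/advertisement (towards the Fritz!Box on vr2, from rtadvd on
# vr3/vlan4) and path-MTU discovery all break if it is filtered.
pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv, routersol, routeradv, toobig, timex, paramprob, unreach }
pass inet6 proto icmp6 icmp6-type echoreq

# dhcp6c on $ext_if solicits the prefix from the Fritz!Box (UDP 546 -> 547);
# the state entry lets the reply back in.
pass out on $ext_if inet6 proto udp from ($ext_if) port dhcpv6-client to any port dhcpv6-server

# The delegated /64s may reach the Internet; nothing unsolicited comes in on
# $ext_if because of "block all", and without a "pass out" on the internal
# interfaces vr3 and vlan4 cannot reach each other through the firewall.
pass in  on $int_ifs inet6
pass out on $ext_if  inet6
```

Everything the Fritz!Box lets through to the delegated prefix (see the remark on its firewall at the end of the post) still hits `block all` here, so the firewall, not the router, is what decides which internal hosts are reachable from outside.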

If your ISP enforces a daily reconnect, your IPv4 address will change, along with your IPv6 prefix. This will break the setup described above: dhcp6c will not notice that the prefix changed and will leave the old addresses configured on the internal interfaces. Additionally, there will be no return route for the new prefix on the Fritz!Box (see step 4).

I wrote a small set of Shell and Expect scripts to work around these issues. Keep in mind that this is just a quick and dirty proof of concept.
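The recovery those scripts perform is the part most people will end up rewriting for their own setup. The POSIX sh script below is an added example and not the author's scripts: it assumes dhcp6c has already been re-run on vr2 (so a fresh address from the new prefix sits next to the stale one on vr3), reads `ifconfig vr3` output, and prints the commands that drop the stale addresses and re-add the Fritz!Box return route from step 4. It prints rather than executes, so the plan can be reviewed before it is piped into sh and the route line pasted into the telnet session. Interface names and the gateway address are the post's; the ifconfig output embedded at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example, not the post's scripts: plan the cleanup after the delegated
# prefix changed.  Nothing is executed; the output is a list of commands.

# prefix64 ADDR: print the /64 prefix of an IPv6 address.  "::" is expanded to
# eight groups first so compressed addresses such as 2001:db8::1 work too.
prefix64() {
    printf '%s\n' "$1" | awk '{
        a = $0
        if (index(a, "::") > 0) {
            n = split(a, g, ":"); ne = 0
            for (i = 1; i <= n; i++) if (g[i] != "") ne++
            fill = ":"
            for (i = 0; i < 8 - ne; i++) fill = fill "0:"
            sub("::", fill, a); sub("^:", "", a); sub(":$", "", a)
        }
        split(a, g, ":")
        print g[1] ":" g[2] ":" g[3] ":" g[4] "::/64"
    }'
}

# global_addrs: read ifconfig(8) output on stdin and print the global inet6
# addresses; link-local (fe80::/10, with its %scope suffix) and ::1 are skipped.
global_addrs() {
    awk '$1 == "inet6" && $2 !~ /^fe80:/ && $2 != "::1" { print $2 }'
}

# fritz_route_cmd PREFIX GW: the route command from step 4, run on the Fritz!Box.
fritz_route_cmd() {
    printf 'route -A inet6 add %s gw %s dev lan\n' "$1" "$2"
}

# plan_update IFACE OLD_PREFIX GW: ifconfig output for IFACE arrives on stdin.
# Addresses still inside OLD_PREFIX are stale and get an "ifconfig ... delete";
# the first address outside it defines the new prefix, for which the return
# route is printed.  Prints nothing when no new prefix has shown up yet.
plan_update() {
    iface=$1; old=$2; gw=$3
    new=""; stale=""
    for a in $(global_addrs); do
        p=$(prefix64 "$a")
        if [ "$p" = "$old" ]; then
            stale="$stale $a"
        elif [ -z "$new" ]; then
            new=$p
        fi
    done
    [ -n "$new" ] || return 0
    for a in $stale; do
        printf 'ifconfig %s inet6 %s delete\n' "$iface" "$a"
    done
    fritz_route_cmd "$new" "$gw"
}

# Constructed ifconfig output for vr3 after a reconnect: the old address (prefix
# taken from the post) is still there next to one from a freshly delegated prefix.
SAMPLE_IFCONFIG='vr3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::200:20ff:fea3:da47%vr3 prefixlen 64 scopeid 0x2
        inet6 2001:a60:13d1:c2fd:200:20ff:fea3:da47 prefixlen 64
        inet6 2001:a60:13d1:d3fd:200:20ff:fea3:da47 prefixlen 64'

# demo: run the planner over the constructed output with the gateway from step 4.
demo() {
    printf '%s\n' "$SAMPLE_IFCONFIG" |
        plan_update vr3 2001:a60:13d1:c2fd::/64 fe80::200:20ff:fea3:fe41
}

demo
```

In real use, replace the demo with `ifconfig vr3 | plan_update vr3 "$(cat /var/db/last-prefix)" fe80::200:20ff:fea3:fe41` and save the new prefix once the commands have run; the telnet part (the `route` line) is the only piece that still needs Expect or a similar tool.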

  1. Fuck AVM for not implementing IPv6 properly. As of today, it's not possible to exclude delegated subnets or hosts from the built-in firewall. This renders DS-Lite based DSL connections useless for offering services (VPN, SSH, etc.) to the Internet (on both IPv4 and IPv6).
  2. Fuck M-Net for enforcing compulsory routers.
  3. After having used the aforementioned setup for a few weeks, I have to say that it still runs surprisingly well, despite the dirty hacks involved.