We are coming on two decades since IPv6 became a recognised standard and generally available but it is still not being widely adopted by people and organisations that have easy access to IPv4 address space. Even if you have a native IPv4 address, it will typically be in the form of some CG-NAT or other NAT on your customer premises equipment (CPE).
Things work so much better when they have a dedicated, routable IP address, especially when they don’t need to share a state table with other connections.
In Australia there are a few ISPs that offer IPv6 and one of those is Aussie Broadband (ABB). If you are on CG-NAT (or any of their services really) and your router supports IPv6, I highly recommend looking at introducing IPv6 into your network as it gives you the ability to access your devices (pending firewall rules obviously), without having to do any sort of port hackery like port forwarding, binat or redirection.
This post is specifically around the integration of IPv6 using OpenBSD and Aussie Broadband. The details are pretty generic but it wouldn’t take much to modify for your ISP of choice if they offer IPv6. At time of writing, this is applicable to OpenBSD 7.0.
First up, you’ll need an existing OpenBSD installation that is acting as a firewall. These instructions will be an addition to that working configuration. You are going to have to pollute base on your firewall with a package from ports. Install dhcpcd:
pkg_add -v dhcpcd
You’ll need to add some IPv6 specific items into /etc/pf.conf. This is not an exhaustive list of rules and some should only be left for testing, then removed. The rule for ‘port dhcpv6-client’ needs to remain for RA etc:
/etc/pf.conf
icmp6_types="{ unreach, toobig, timex, paramprob, echoreq, echorep, routeradv, routersol, neighbradv, neighbrsol }"
pass in log on $ext_if inet6 proto udp to port dhcpv6-client
pass inet6 proto icmp6 icmp6-type $icmp6_types
pass on $int_if inet6
pass on $int2_if inet6
pass out on $ext_if inet6
autoconf configuration is required to manage the default route through slaacd(8). So configure your ABB facing interface something like the following:
/etc/hostname.<extif>
inet autoconf
inet6 autoconf
up
Configure the dhcpcd.conf file as follows. Change interfaces based on what is presented in your system:
/etc/dhcpcd.conf
ipv6only
duid
persistent
option rapid_commit
require dhcp_server_identifier
# If you run your own domain resolver, don't accept certain options
nooption domain_name_servers, domain_name, domain_search, host_name
# disable running any hooks; not typically required for simple DHCPv6-PD setup
script /usr/bin/true
# Disable dhcpcd's own router solicitation support; allow slaacd
# to do this instead by setting "inet6 autoconf" in hostname.em0
noipv6rs
# List interfaces explicitly so that dhcpcd doesn't touch others
allowinterfaces em0 em1 em2
interface em1
# address from the /64
ia_na 1
# request prefix delegation for downstream interfaces.
ia_pd 2 em0/1 em2/2
Note above: The use of ‘nooption’ maybe required depending on if you run your own internal resolvers.
If you are distributing IPv6, configure rad(8) for the interfaces that you want to participate and distribute IPv6 addresses:
/etc/rad.conf
interface em0
interface em2
Finally configure /etc/rc.conf.local to start everything up on boot:
/etc/rc.conf.local
rad_flags=
pkg_scripts=dhcpcd
That completes the configuration. Simply reboot your host and everything should work as intended. A machine on the same subnet as em0 interface above should be able to do:
C:\Users\desktop>ping -6 google.com
Pinging google.com [2404:6800:4015:803::200e] with 32 bytes of data:
Reply from 2404:6800:4015:803::200e: time=6ms
Reply from 2404:6800:4015:803::200e: time=5ms
Reply from 2404:6800:4015:803::200e: time=5ms
Reply from 2404:6800:4015:803::200e: time=5ms
Ping statistics for 2404:6800:4015:803::200e:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 5ms, Maximum = 6ms, Average = 5ms
The same machine should also be able to pass all tests with a 20/20 result on the IPv6 Test website:
It is time for the world to move to the IPv6 space. Some countries and telcos have been forced to move to IPv6 because IPv4 and CG-NAT is just not an option, as well, the big players already have presence here too (except for some notable exceptions). Take it from me, the water is fine, come on in!