Monday, July 30, 2018

IPv6 with OPNsense and Spectrum/TWC

"I still remember back in the day installing winsock clients on windows 3.1 machines so people at my work could get internet."

Although the above statement dates me a little bit, I have been using TCP/IP for a long time. One of the most used books I have is TCP/IP Illustrated. For the longest time I have avoided adopting IPv6 for an array of reasons. The first is that the addresses are long, the second is the lack of support from a lot of things out there, and the third is that there is a lot of basic information out there but nothing that could address my needs.

Even though there really isn't much incentive for companies to move over, I figured I would give it a shot at home. I have a complex setup that I use to keep things organized and separated at home. Right now I have my main home network VLAN, a VLAN for work, and an isolated network for incoming connections. I have plans to segment even more for kids, guests, security cameras, the whole shebang. OPNsense is at the heart of all this and I use it to run the show.

I feel as if I should run a disclaimer that I am an IPv6 noob. I understand a lot of the basics but there is a ton of room for me to improve and grow my knowledge. I learn by doing, so here is what I did and the struggles I faced. Your mileage may vary based on your ISP but a lot of these concepts should relate.

Test 1 - Does IPv6 from Spectrum even work?

Enable it on your WAN interface:

Now on your LAN interface select "Track Interface" under IPv6 Configuration Type:

Go to the bottom and set the interface to WAN and a prefix of 0:

Reboot your router and log back in. Under your main dashboard you should see a v6 address assigned to your WAN and LAN interfaces. Clients should also start picking up addresses and as long as you didn't change your default v6 rules you should be able to ping

If all you have is a single LAN and want IPv6, CONGRATS! You are done!

Meat and Taterz time

After getting to the above I needed to segment. This is where I started looking for more advanced documentation. A lot of the suggestions out there were around assigning a static IP to the LAN and using DHCPv6 to hand out addresses etc. The main issue with that was that if your ISP changes your /64 then everything is broken. Or at least that is how I understood it. I was really looking for a way to keep it simple and not have to mess with anything.

Several things I read suggested requesting a larger prefix from TWC/Spectrum and then just dishing out a /64 per network. After some testing and a bunch of floundering I came up with a working solution.

Change the following settings on your WAN interface:

So now go to each interface on OPNsense that represents the networks you want to add and change the prefix number to the next number. So we set LAN to 0 and in my case I set the other two to 1 and 2. Rinse and repeat for all of your other networks. You can have up to 256 /64s from a /56 so in theory you are looking at supporting up to that many interfaces, although I am sure you will hit some sort of limit in OPNsense before that.
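To see which /64 each prefix number selects, here is an added example (not from the original post and not OPNsense code) that carves per-interface /64s out of a delegated prefix and rejects IDs that do not fit or that two interfaces share. It assumes a /56 delegation; the 2001:db8 documentation prefixes and the interface names LAN, WORK and DMZ are constructed for illustration.

```python
import ipaddress


def tracked_subnet(delegated, prefix_id):
    """Return the /64 an interface gets for a prefix number inside the delegated prefix."""
    net = ipaddress.IPv6Network(delegated)  # strict: host bits must be zero
    if net.prefixlen > 64:
        raise ValueError(f"{delegated} is longer than /64, nothing to hand out")
    id_bits = 64 - net.prefixlen            # /56 -> 8 bits -> IDs 0..255
    if not 0 <= prefix_id < 2 ** id_bits:
        raise ValueError(
            f"prefix ID {prefix_id} does not fit in a /{net.prefixlen} "
            f"(valid range 0..{2 ** id_bits - 1})"
        )
    # The ID fills the bits between the delegated prefix and the /64 boundary.
    base = int(net.network_address) | (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))


def plan_segments(delegated, assignments):
    """Map interface name -> /64, refusing two interfaces on the same prefix ID."""
    owner = {}
    plan = {}
    for name, prefix_id in assignments.items():
        if prefix_id in owner:
            raise ValueError(
                f"{name} and {owner[prefix_id]} both use prefix ID {prefix_id}"
            )
        owner[prefix_id] = name
        plan[name] = tracked_subnet(delegated, prefix_id)
    return plan


if __name__ == "__main__":
    # Constructed sample values: documentation prefixes, hypothetical interface names.
    ids = {"LAN": 0, "WORK": 1, "DMZ": 2}
    for delegated in ("2001:db8:1234:ab00::/56", "2001:db8:9999:4200::/56"):
        print(f"delegated {delegated}")
        for name, subnet in plan_segments(delegated, ids).items():
            print(f"  {name:<5} id={ids[name]}  ->  {subnet}")
```

The second prefix in the demo stands in for an ISP renumbering: the prefix numbers stay the same while every /64 changes, so firewall rules that hard-code a segment's addresses stop matching after a new delegation.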

Once you have done all of that it's time to add a firewall rule. I don't know if this is really needed or not but I saw it in a couple of other examples so I put it in there.

Allow your networks to get out and request an IP from your ISP. Add the below policy to the WAN interface on your firewall:

Apply that and REBOOT your OPNsense box. For some reason you have to reboot for IPv6 stuff to take hold. Once it is back up your interface list should look something like this:

Big thanks to the OPNsense Twitter account for getting me over the last hurdle, which was the prefix stuff. Please leave comments if anything above is incorrect, but this is how I got mine working.