As part of my work at Logitech, I’m part of the Security and Network Tiger Team. Last week, a coworker asked me if and how we would support IPv6 on our VC products. Unfortunately, I was not able to answer his questions.
In the past I used to have a 4-to-6 tunnel, delivering an IPv6 address to my home. But this got shut down, as the provider no longer saw the need for an IPv6 tunnel service. And I was fine without IPv6 support for the longest time.
But now I needed to get IPv6 service, and my SP would not deliver an IPv6 address, nor an IPv6 subnet, which I could use internally. In order to get an IPv6 tunnel, I searched online for a free tunnel provider and support for my OpnSense firewall.
“Voila”, I ended up with Hurricane Electric’s IPv6-in-IPv4 tunnel. This is a free service and documented to work with my OpnSense firewall setup.
The SignUp
You register yourself on the https://tunnelbroker.net/register.php website. Make sure you use a “personal” or “professional” e-mail. Services like Google and the like are not supported!
Further, your mail server must only support encrypted mail!
Once this is done, you can request a new tunnel. This is very simple, and takes a few minutes.
Setup
Basically we follow the OpnSense guide on how to configure the tunnel:
https://docs.opnsense.org/manual/how-tos/ipv6_tunnelbroker.html
Do not forget to add the tunnel interface as the “default-GW” in the “Systems”-“Gateway” configuration.
Local LAN setup
As mentioned in the guide, configure a static IPv6 address on the LAN network (in my case it’s the VLAN30 interface).
I deviated from the guide, as I wanted to give each subnet a different IPv6 address. I changed the network mask from /64 bits (half of the address space) to a /80-bit mask. This allows me to add my own identifier, the VLAN-ID “30”, to this part of the address. With that, I can easily see which subnet I’m in, and it relates to the VLAN-ID and the IPv4 subnet address.
DHCPv6 and Router Advertisements
IPv6 works a bit differently than IPv4: with IPv6 you need to enable the Router Advertisements service in order to provide an IPv6 address. The DHCPv6 service can optionally deliver more information to the clients, so they work in tandem with each other.
Router Advertisements
Create a new Router Advertisement in the Services tab, and set the following settings:
DHCPv6
Normally I would run the new KEA DHCP server, but on OpnSense it does not feature IPv6 support today (1.2025). Therefore I enabled the ISC DHCPv6 Server. To my surprise, you can use the DHCPv6 server without enabling the DHCPv4 server! That was great, as I did not want to use the ISC DHCPv4 server.
Most of the settings have been taken over from the interface settings, and few modifications were needed.
First, I’ve limited the DHCP range from 000f to ffff, so plenty of room for clients.
Second, add the DNS server (in my case the OpnSense VLAN-30 IPv6 address) and the search domain.
Last, I’ve added the NTP server too.
So this is it, all working fine, after the restart of the DHCP and Router Advertisement service.
On your client, you should now get an IPv6 address from the DHCPv6 scope and the DNS server you have specified.
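The addressing plan from the Local LAN setup and DHCPv6 sections, worked through in Python as an added example (not part of the original setup or the OPNsense guide). The 2001:db8:1:2::/64 prefix is a constructed documentation prefix; the function names, the VLAN ID sitting in the fifth hextet written as its decimal digits, and the 000f to ffff range applying to the last hextet are assumptions.

```python
import ipaddress

# Constructed sample: a routed /64 from the documentation range,
# standing in for the prefix the tunnel broker assigns.
ROUTED_64 = ipaddress.IPv6Network("2001:db8:1:2::/64")


def vlan_subnet(routed64, vlan_id):
    """Return the /80 for a VLAN, with the VLAN ID readable in the fifth hextet.

    Assumption: the ID is written with its decimal digits (VLAN 30 -> ':30:'),
    so the hextet value is int('30', 16), not decimal 30 (which would read 1e).
    """
    if routed64.prefixlen != 64:
        raise ValueError("expected the routed /64")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    hextet = int(str(vlan_id), 16)  # 30 -> 0x0030
    base = int(routed64.network_address) | (hextet << 48)
    return ipaddress.IPv6Network((base, 80))


def dhcpv6_range(subnet, first=0x000F, last=0xFFFF):
    """Return (start, end) of the pool; only the last hextet varies (assumption)."""
    net = int(subnet.network_address)
    return ipaddress.IPv6Address(net | first), ipaddress.IPv6Address(net | last)


def slaac_capable(subnet):
    """SLAAC on Ethernet needs a 64-bit interface ID, so only a /64 qualifies.

    With a /80 on the LAN, clients depend on DHCPv6 for their address.
    """
    return subnet.prefixlen == 64


def same_vlan(addr, routed64, vlan_id):
    """True if addr lies inside the /80 derived for vlan_id (log or rule triage)."""
    return ipaddress.IPv6Address(addr) in vlan_subnet(routed64, vlan_id)


if __name__ == "__main__":
    lan = vlan_subnet(ROUTED_64, 30)
    start, end = dhcpv6_range(lan)
    print(lan, start, end, "SLAAC-capable:", slaac_capable(lan))
```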
What is next?
- Enable the websites, mailserver and other things with IPv6
- Add the AAAA DNS entries in my public DNS service, so they are reachable
- And test my Logi gear with IPv6, so I can come back to my customer’s request.