Flets and IPoE and FreeBSD

Because having a stable setup is too boring, I tried the (not so) new IPoE setup.

I used Interlink because they have free trials. Initial registration involves entering my Flets customer ID and access key. That surely seems safe. I'm not sure what the security implication is, but it's needed for any ISP setup, so whatever.

As a side note, I didn't apply for anything special on the Flets side. The Interlink signup page says the v6 option must be enabled on Flets, but I didn't do that and it worked anyway. Or maybe Flets has already enabled it for everyone.

Unlike PPPoE, IPoE uses router advertisements, so there's no setup involved if you only want IPv6. All I did was add the modem port to my internal network bridge; anything connected to the bridge then gets IPv6 automatically.

Since every packet from outside comes in through the modem port, blocking inbound traffic on that port is enough to block everything; after that I allow ICMPv6 and whatever ports I need. Bear in mind that with this bridge every internal host has a global IPv6 address and the router's pf rules are the only thing in front of it. pf sees the bridged frames on the member port only because FreeBSD's net.link.bridge.pfil_member sysctl defaults to 1; if the rules seem to have no effect, that is the first thing to check.

On the IPv4 side, I found this blog describing how to set up the tunnel. With the tunnel up, everything just works; the remaining settings (firewall, DHCP and so on) are the same as in my existing PPPoE setup. One thing I noticed is that NAT is handled by the tunnel itself, which is less weird than it looks: this is DS-Lite, so the gif tunnel carries IPv4 inside IPv6 to the ISP's AFTR at the far end, and it is the AFTR that does the (carrier-grade) NAT for everyone behind it. The router never has a public IPv4 address of its own, so nothing outside can open an IPv4 connection to it either.

I use dnsmasq for DNS, forwarding to Cloudflare, so I didn't need to enable rtsold to pick up the ISP's resolvers from the router advertisements. dnsmasq also hands out the IPv4 addresses.

Overall, once I figured out how the setup works, it ended up quite a lot simpler than PPPoE + PPPoE-v6. Notably I don't need:

  • a dialup script (it's now automatic)
  • a DHCPv6 setup/teardown script (also automatic)
  • rtadvd (handled by the ISP)
  • NAT (done by the ISP's AFTR)

I do need to set up the tunnel interface, but that's about it.

rc.conf setup:

# enable modem (re0), switch (em0), 10GbE 1 (ix0), 10GbE 2 (ix1) ports
ifconfig_re0="up"
ifconfig_em0="up"
ifconfig_ix0="up"
ifconfig_ix1="up"

# create a bridge (bridge0) and a tunnel (gif0)
cloned_interfaces="bridge0 gif0"

# internal IPv4 address, bridge members (modem port included, so the whole
# LAN sits directly on the ISP's segment), bridge description
ifconfig_bridge0="inet 192.168.1.1/24 addm re0 addm em0 addm ix0 addm ix1 description vm-internal"

# enable IPv6. auto_linklocal isn't the default on non-hardware interfaces;
# accept_rtadv takes the prefix and the default router from the ISP's RAs
ifconfig_bridge0_ipv6="inet6 auto_linklocal accept_rtadv"

# IPv4-in-IPv6 (DS-Lite) tunnel. First address is bridge0's global IPv6,
# second is the NTT East transix AFTR. The name gw.transix.jp may also work,
# but a fixed address avoids a boot-time DNS lookup whose answer decides
# where all of your IPv4 traffic goes.
ifconfig_gif0="inet6 tunnel <bridge0_ipv6> 2404:8e00::feed:100 prefixlen 128"
# IPv4 default route into the tunnel. No external IPv4 address is involved:
# the AFTR NATs the private source addresses it receives over the tunnel.
defaultrouter="-iface gif0"

# sets the sysctl needed to forward IPv4 packets
gateway_enable="YES"

# if needed
pf_enable="YES"

# dnsmasq because lazy
dnsmasq_enable="YES"

And then the optional pf.conf:

# ICMP/ICMPv6 must get through: pings, but more importantly the router
# advertisements and neighbour discovery that give the LAN its IPv6
# addresses, and the packet-too-big messages a 1280-byte tunnel relies on.
# This passes every type; pf.conf(5) icmp6-type lets you narrow it.
pass quick proto { icmp icmp6 }

# Replies to connections we initiate must get back in past the block rules
# below, so outbound traffic on the two external interfaces has to create
# state (the implicit default pass does not).
pass out on { re0 gif0 } keep state

# block unsolicited inbound IPv4 from the tunnel. An AFTR doing carrier-grade
# NAT has no mapping for unsolicited inbound connections anyway, but the rule
# costs nothing and covers anything the far end does pass on.
block in on gif0
# block unsolicited inbound IPv6 on the modem port. This one is actually
# needed: every host on the bridge has a global address, and this is the only
# thing between it and the Internet.
block in on re0

# allow ssh to the server's IPv6 address
pass in on re0 proto tcp to <bridge0_ipv6> port ssh
# allow remote desktop to everything on the bridge, from anywhere; narrow the
# destination or the source if not every host should be exposed
pass in on re0 proto { tcp udp } port 3389

# etc...
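As an added example (not from the original post), here is a small POSIX sh script with the sanity checks I would run on the router after this setup: that pf is actually filtering bridged frames, that gif0 points at the expected AFTR rather than whatever a DNS answer for gw.transix.jp happened to be, that bridge0 picked up a global address from the ISP's RA, and that the IPv4 default route goes through the tunnel. The interface names and the AFTR address are the ones from the post; the function names are mine, and each check parses the text of the usual FreeBSD command so the logic can be exercised with captured or constructed output on any machine.

```shell
#!/bin/sh
# Added example, not part of the original post: post-setup sanity checks for
# the bridged IPoE + DS-Lite router. Interface names (bridge0, gif0, re0) and
# the NTT East AFTR address are taken from the post; the function names and
# the sample outputs used for testing are constructed.
#
# Every check takes the text of one FreeBSD command as an argument, so the
# logic can be exercised with captured output anywhere; run_live_checks
# feeds it the real commands on the router.

AFTR_EXPECTED="2404:8e00::feed:100"

# 1. pf only sees bridged frames on re0 if the kernel hands member-interface
#    traffic to pfil(9). Argument: output of `sysctl -n net.link.bridge.pfil_member`.
check_bridge_filtering() {
    [ "$1" = "1" ]
}

# 2. The far end of gif0 receives all of our IPv4 traffic. Make sure it is
#    the AFTR we meant. Arguments: output of `ifconfig gif0`, expected peer.
check_tunnel_peer() {
    peer=$(printf '%s\n' "$1" | awk '$1 == "tunnel" && $2 == "inet6" { print $NF; exit }')
    [ -n "$peer" ] && [ "$peer" = "$2" ]
}

# 3. bridge0 should hold a global (2000::/3) address learnt from the ISP's
#    router advertisement. Argument: output of `ifconfig bridge0`.
check_autoconf_addr() {
    printf '%s\n' "$1" | awk '
        $1 == "inet6" && /autoconf/ && $2 ~ /^[23]/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# 4. The IPv4 default route must point into the tunnel, not at a leftover
#    PPPoE interface. Argument: output of `netstat -rn -f inet`.
check_default_route() {
    netif=$(printf '%s\n' "$1" | awk '$1 == "default" { print $4; exit }')
    [ "$netif" = "gif0" ]
}

# Run the four checks against the live system and report each result.
run_live_checks() {
    rc=0
    report() {
        if "$@"; then echo "ok   $1"; else echo "FAIL $1"; rc=1; fi
    }
    report check_bridge_filtering "$(sysctl -n net.link.bridge.pfil_member)"
    report check_tunnel_peer "$(ifconfig gif0)" "$AFTR_EXPECTED"
    report check_autoconf_addr "$(ifconfig bridge0)"
    report check_default_route "$(netstat -rn -f inet)"
    return "$rc"
}

# Only the router itself can answer these; elsewhere just define the functions.
if [ "$(uname -s)" = "FreeBSD" ]; then
    run_live_checks
fi
```

Run it on the router after boot (or from cron) and treat any FAIL as a reason not to trust the firewall: a pfil_member of 0 means `block in on re0` is filtering nothing, and a wrong tunnel peer means every IPv4 packet is being handed to somebody else.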

I still need to figure out if I want to stay with Interlink or switch to IIJ.
