
Verizon Fios Native IPv6

Author
Jeffrey Forman

A long, long time ago, Verizon Fios did not provide native IPv6 connectivity to their IPv4 customers. Following a dslreports forum thread that started in 2018, it looked like it might never happen. But that thread came back to life in 2022 when IPv6 started rolling out across its footprint. This post is about how I set up IPv6 natively on Verizon Fios.

My network stack:

  • Verizon Fios with Ethernet directly from the ONT to my router/firewall
  • OpenBSD 7.1 router/firewall already providing IPv4 services to my network
  • unbound/nsd for DNS resolution
  • dhcpcd to handle IPv6 DHCP-PD

High level overview:

  • A WAN IPv6 address is not given to your router’s externally-facing interface. (IA_NA address, slide 34)
  • A /56 is delegated via DHCP-PD, which provides you with 256 /64s to use on your local network.
  • SLAAC is used on my network to hand out prefixes and other network information. As long as Verizon keeps giving me the same prefix via DHCP-PD, the /64 prefixes on my network won’t change. I hope.

The first thing I did was take down my he.net tunnel which had served me well for years. I rebooted a few times to make sure everything came back up cleanly.

The following configuration changes were what I needed to provide IPv6 service to one of the subnets on my network.

/etc/dhcpcd.conf:

debug
ipv6only
noipv6rs
duid
persistent

allowinterfaces em0 vlan10 vlan11

nohook resolv.conf

interface em0
  ipv6rs
  iaid 1
  ia_pd 2 vlan10/10

This configuration hands out one prefix from the PD to each interface mentioned in the ia_pd specification, using the number after each interface as

/etc/hostname.vlan10:

inet6 autoconf group zone_dmz

This puts vlan10 into SLAAC autoconfiguration mode and adds it to the zone_dmz interface group. The interface group can then be used in the pf rules below.

/etc/rad.conf:

interface vlan10 {
  dns {
    nameserver 2600:4040:1234:ab0b::1
  }
}

Based on the /56 prefix delegated to my network, this advertises ::1 from the vlan10 interface's /64 as the DNS server in router advertisements.

/etc/pf.conf (snippet):

# ICMP Types:
# https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml
# Neighbor Discovery Protocol (NDP) (types 133-137):
#   Router Solicitation (RS), Router Advertisement (RA)
#   Neighbor Solicitation (NS), Neighbor Advertisement (NA)
#   Route Redirection
# 2: Packet too big
# 128: Echo Request
common_icmp6_types="{ 2, 128, 133, 134, 135, 136, 137 }"

ipv6_prefix=2600:4040:1234:ab00::/56

block in log inet6
pass out inet6

# IPv6 uses ICMPv6 for a lot of things. [1]
pass in inet6 proto icmp6 all icmp6-type $common_icmp6_types

# allow dhcpv6 traffic [2]
pass in on egress inet6 proto udp from fe80::/10 port dhcpv6-server \
  to fe80::/10 port dhcpv6-client no state

# Allow All-Routers ICMP traffic for SLAAC [3]
pass in log on zone_dmz inet6 proto icmp6 to ff02::2

# Traffic to allow [4]
pass in on zone_dmz inet6 proto udp to (zone_dmz:0) port 53
pass in on zone_dmz inet6 proto tcp to (zone_dmz:0) port 22
pass in on zone_dmz inet6 from any to ! $ipv6_prefix 

This small snippet allows in the following traffic:

  1. ICMPv6 is used for many things in IPv6. Let through the relevant types regardless of the incoming interface.
  2. Allow DHCPv6 traffic in on the egress interface so the PD exchange can complete.
  3. Allow ICMPv6 to the all-routers multicast address (ff02::2) from the DMZ, which SLAAC uses to obtain network configuration information.
  4. These statements provide rudimentary access for hosts on this subnet: DNS and SSH to the router are allowed, but all other traffic to my local site is denied. This allows traffic out to the Internet, but not to touch the other subnets on my local network. I feel like this list of rules is where most of the tinkering goes on.
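The `to ! $ipv6_prefix` rule in [4] isolates the DMZ only while the hard-coded macro matches the prefix currently being delegated. The following is an added example, not part of the original post, that models just that one rule in Python to show what happens when the macro goes stale. The second prefix, the `vlan11` SLA ID and all function names are constructed, and it assumes dhcpcd reads the SLA ID in `vlan10/10` as decimal.

```python
import ipaddress


def delegated_subnet(pd_prefix, sla_id, length=64):
    """Subnet carved from a delegated prefix for one SLA ID (e.g. vlan10/10)."""
    pd = ipaddress.IPv6Network(pd_prefix)
    bits = length - pd.prefixlen
    if bits <= 0 or not 0 <= sla_id < 2 ** bits:
        raise ValueError(f"SLA ID {sla_id} does not fit in {pd} at /{length}")
    base = int(pd.network_address) | (sla_id << (128 - length))
    return ipaddress.IPv6Network((base, length))


def dmz_forward_allowed(dst, pf_macro):
    """Model only: pass in on zone_dmz inet6 from any to ! $ipv6_prefix"""
    return ipaddress.IPv6Address(dst) not in ipaddress.IPv6Network(pf_macro)


def exposed_subnets(current_pd, pf_macro, sla_ids):
    """Local subnets a DMZ host could reach through that rule."""
    exposed = []
    for ifname, sla_id in sla_ids.items():
        net = delegated_subnet(current_pd, sla_id)
        # Probe the first address of each local /64 against the rule.
        if dmz_forward_allowed(net.network_address + 1, pf_macro):
            exposed.append((ifname, str(net)))
    return exposed


PAGE_PD = "2600:4040:1234:ab00::/56"    # ipv6_prefix macro from the pf.conf snippet
NEW_PD = "2001:db8:77:4200::/56"        # constructed: delegation after a renumbering
SLA_IDS = {"vlan10": 10, "vlan11": 11}  # vlan10/10 is from dhcpcd.conf; vlan11/11 is assumed

if __name__ == "__main__":
    print("macro matches delegation:", exposed_subnets(PAGE_PD, PAGE_PD, SLA_IDS))
    print("macro stale after renumber:", exposed_subnets(NEW_PD, PAGE_PD, SLA_IDS))
```

An empty list means the rule still keeps DMZ traffic off the local subnets. A non-empty list means the macro no longer covers the delegated prefix, so the rule passes traffic to those subnets until pf.conf is updated and reloaded.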