From securityrouter.org, an OpenBSD-based firewall

The security router was designed for IPv6 and does not assume that IPv4 is preferred over its newer counterpart. For example, an interface's addresses and firewall rules are configured without specifying the address family:

interface em0 {
   group "wan"
   address 2a01:2b0:2000:54::2/64
   route default
   route default 2a01:2b0:2000:54::1
   firewall {
      table <admins> { 2001:470:27:389::2 }
      pass in quick from <admins> to (self) label admins
   }
}

All administration and maintenance tasks are supported in IPv6-only configurations; even our license and update servers (dl.halon.se and link.halon.se) have IPv6 connectivity. For security reasons, it's important to understand that IPv6 routing (forwarding) is enabled by default, and that system services such as the HTTP and SSH servers listen on IPv6 as well as IPv4. Remember that IPv6 is rarely used with NAT, so internal hosts are reachable by their global addresses; you must therefore explicitly make sure that no unwanted traffic is allowed into "internal" networks.


This section describes DHCPv6 and IPv6 auto-configuration (router advertisement) together, because of how they interact. This is quite unlike IPv4, which was designed without auto-configuration in mind.

DHCPv6 client and router solicitation

Normally, a router should not use auto-configuration, as specified by the IPv6 RFCs. It may however be necessary in some cases, for example when the router should configure its local interfaces using DHCPv6 prefix delegation. In its simplest form, this is configured like

interface em0 {
   group "wan"
}
interface em1 {
   group "lan"
}

which configures the WAN address and route automatically using IPv6 router solicitation, requests DHCPv6 information, and assigns the LAN address automatically from the delegated prefix. More options are available and described in the configuration file syntax. The dhcp6-client implicitly configures a router-solicitation client, which is rarely used on its own.

DHCPv6 server and router advertisement

Many organizations will use IPv6 router advertisement (RA) without DHCPv6, simply because it's sufficient. In that case, just add router-advertisement to a LAN interface. However, in order to announce additional information such as DNS, or even to use stateful configuration (as IPv4's DHCP normally does), the router advertisement and DHCPv6 server should be used in conjunction, like

interface em1 {
   group "lan"
}

The DHCPv6 server and its arguments affect the router advertisement flags accordingly, so that the client knows which information to request over DHCPv6. Possible arguments for the dhcp6-server are listed on the configuration file page.

Note that the advertised IPv6 prefix length must be 64 bits for the stateless address auto-configuration to work.

NAT64 and other address family translations

It's possible to deploy IPv6-only networks while retaining backward compatibility with IPv4 by using NAT64. The router can effectively "NAT" outbound IPv6 traffic to IPv4 if configured with the af-to keyword. This is normally achieved by adding af-to inet to X.X.X.X, which extracts the IPv4 destination from the IPv6 packet, assuming a /64 prefix. Though clients are theoretically capable of producing an IPv4-mapped IPv6 address themselves, the most common configuration is to use NAT64 in conjunction with a DNS64-capable DNS server. Recent versions of BIND support this via the dns64 statement. In that case, the firewall is configured with something like

pass in on lan inet6 from any to 64:ff9b::/96 af-to inet from
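The two halves of that rule as an added Python example (not part of the original page): DNS64 placing an IPv4 address in the low 32 bits behind the RFC 6052 well-known prefix 64:ff9b::/96, and the af-to step recovering it on the firewall. The sample addresses are constructed.

```python
import ipaddress
from typing import Optional

# Well-known NAT64 prefix quoted in the firewall rule above (RFC 6052).
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# RFC 6052 s3.1: the well-known prefix must not carry non-global IPv4
# addresses, so a DNS64 resolver must not synthesize for these ranges.
NOT_BEHIND_WKP = [
    ipaddress.IPv4Network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")
]


def dns64_synthesize(ipv4: str) -> Optional[str]:
    """DNS64 view: the AAAA answer a resolver returns for a host that only
    has an A record. Returns None where synthesis is forbidden."""
    v4 = ipaddress.IPv4Address(ipv4)
    if any(v4 in net for net in NOT_BEHIND_WKP):
        return None
    # /96 prefix leaves exactly 32 bits for the embedded IPv4 address.
    return str(ipaddress.IPv6Address(int(NAT64_PREFIX.network_address) | int(v4)))


def af_to_destination(ipv6: str) -> Optional[str]:
    """Firewall view: what 'af-to inet' does to a packet sent to
    64:ff9b::/96, i.e. take the last 32 bits as the IPv4 destination.
    Returns None for destinations outside the prefix, which the NAT64
    rule above does not match."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in NAT64_PREFIX:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


if __name__ == "__main__":
    # Constructed sample: an IPv4-only host in the TEST-NET-3 range.
    aaaa = dns64_synthesize("203.0.113.25")
    print("DNS64 answer :", aaaa)                       # 64:ff9b::cb00:7119
    print("af-to target :", af_to_destination(aaaa))    # 203.0.113.25
    print("RFC 1918 host:", dns64_synthesize("10.0.0.1"))  # None
```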

It's also possible to use af-to the other way around, translating IPv4 into IPv6 statically. Whereas NAT64 exploits the fact that IPv6 can embed the entire IPv4 address space, IPv4-to-IPv6 translation requires an explicit address mapping. This technique is suitable for allowing IPv4-only hosts to access a limited number of IPv6-only resources or servers. For example

pass in on lan inet from any to af-to inet6 from 2001::1 to 2001::2

IPv6-over-IPv4 tunneling

Out of the box, tunneled IPv6 (RFC 1933) is supported using the gif interface. It can be configured graphically on the Network > Interfaces page, or directly in the configuration. The example below uses Hurricane Electric's http://tunnelbroker.net service. The tunnel-related lines (highlighted in green on the original page) are what is added, relative to what a normal configuration contains.

interface gif0 {
   group "hurricane"
   address 2001:470:27:321::2/128 2001:470:27:321::1
   route default 2001:470:27:321::1
   firewall {
      pass out quick
   }
}
interface em0 {
   group "wan"
   route default
   firewall {
      pass out quick
      pass in quick from label "hurricane"
   }
}
interface em1 {
   group "lan"
   address 2001:470:27:389::2/64
   firewall {
      pass quick
   }
}


OpenBSD supports the 6rd (rapid deployment) tunnelling protocol, but it currently needs to be configured manually. Below is a script from undeadly.org that generates the gif interface block from the 6rd prefix, the border relay address and your public IPv4 address:


use strict;
use warnings;

# Convert a dotted-quad IPv4 address into the two 16-bit hex groups that
# 6rd embeds after the ISP's 6rd prefix (e.g. 24.247.20.162 -> 18f7:14a2).
sub convert {
        my $ip = $_[0];
        my ($o1, $o2, $o3, $o4) = split(/\./, $ip);
        return sprintf("%02x%02x:%02x%02x", $o1, $o2, $o3, $o4);
}

my ($prefix, $bip, $ip);
print "Enter IPv6 6rd Prefix (2602:100:): ";
chomp($prefix = <STDIN>);
print "Enter IPv4 Border Relay address: ";
chomp($bip = <STDIN>);
print "Enter your public IP: ";
chomp($ip = <STDIN>);

# Both our own address and the border relay's are the 6rd prefix followed
# by the embedded IPv4 address and the ::1 interface identifier.
my $dest = convert($bip);
my $src = convert($ip);

print   "\ninterface gif0 {\n",
        "\tgroup \"wan\"\n",
        "\tmtu 1480\n",
        "\ttunnel ", $ip, " ", $bip, "\n",
        "\taddress ", $prefix, $src, "::1/128 ", $prefix, $dest, "::1\n",
        "\troute default ", $prefix, $dest, "::1\n",
        "}\n";

which would result in something like

interface gif0 {
	group "wan"
	mtu 1480
	address 2602:100:18f7:14a2::1/128 2602:100:4472:a501::1
	route default 2602:100:4472:a501::1
}
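The address arithmetic behind that script, as an added Python example that is not part of the original page or of undeadly.org's script. It generalizes to 6rd prefixes of any length and to the RFC 5969 IPv4MaskLen option (the script assumes a /32 prefix and a mask length of 0); the border relay address convention (embedded IPv4 followed by ::1) is the one the script uses, and the IPv4 addresses are recovered from the hex groups in the example output above.

```python
import ipaddress


def sixrd_delegated_prefix(sixrd_prefix: str, ipv4: str,
                           ipv4_mask_len: int = 0) -> ipaddress.IPv6Network:
    """Delegated prefix = 6rd prefix || IPv4 address minus its ipv4_mask_len
    high bits (RFC 5969 s7.1.1). With a /32 prefix and mask length 0 this
    yields the /64 the page's example shows."""
    prefix = ipaddress.IPv6Network(sixrd_prefix)
    v4_bits = 32 - ipv4_mask_len
    if v4_bits < 0 or prefix.prefixlen + v4_bits > 64:
        raise ValueError("6rd prefix plus embedded IPv4 bits must fit in /64")
    # Keep only the low v4_bits of the address; the ISP does not embed
    # the high bits every customer shares.
    embedded = int(ipaddress.IPv4Address(ipv4)) & ((1 << v4_bits) - 1)
    shift = 128 - prefix.prefixlen - v4_bits
    network = int(prefix.network_address) | (embedded << shift)
    return ipaddress.IPv6Network((network, prefix.prefixlen + v4_bits))


def sixrd_gif_config(sixrd_prefix: str, br_ipv4: str, public_ipv4: str,
                     ipv4_mask_len: int = 0) -> dict:
    """Values for the gif0 block: local /128 address, border relay (BR)
    IPv6 endpoint used as gateway, and the IPv4 tunnel endpoints."""
    local = sixrd_delegated_prefix(sixrd_prefix, public_ipv4, ipv4_mask_len)
    br = sixrd_delegated_prefix(sixrd_prefix, br_ipv4, ipv4_mask_len)
    return {
        "address": f"{local.network_address + 1}/128",  # ::1 in our prefix
        "gateway": str(br.network_address + 1),         # BR, same convention
        "tunnel": f"{public_ipv4} {br_ipv4}",
    }


if __name__ == "__main__":
    # Values recovered from the example output above:
    # 18f7:14a2 -> 24.247.20.162, 4472:a501 -> 68.114.165.1
    cfg = sixrd_gif_config("2602:100::/32", "68.114.165.1", "24.247.20.162")
    for key, value in cfg.items():
        print(f"\t{key} {value}")
```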

Compatibility checklist

  • Administration
    • Web (HTTP)
    • SSH
    • Software update (dl.halon.se has IPv6 connectivity)
    • Subscriptions (link.halon.se has IPv6 connectivity)
    • Syslog
    • SNMP
    • NTP
  • Routing and firewalling
    • BGP
    • OSPFv3
    • MPLS/LDP provider edge
    • Router advertisements
    • Address redundancy (failover)
    • Layer 3 load balancing
    • Layer 7 and HTTPS accelerating load balancing
    • Internet (route) failover
    • Static routes
    • DHCPv6
    • Stateful packet filtering
    • Address family translation (NAT)
    • Quality of Service
  • VPN
    • IPSec with manual keying
    • IPSec with IKEv1
    • IPSec with IKEv2
    • IPv6 over IPv4 and IPv4 over IPv6 tunnels (RFC 1933)
    • Ethernet over IPv6 tunnels (RFC 3378)