Opnsense PFSense - Option 60 Internet connection

  • Hi,

    I’m using my Internet Box 2 in DMZ mode connected to my Opnsense VM. I would like to remove the Swisscom Router and change my WAN configuration on my Opnsense Firewall.

    I found this information:

    change IPv4 to DHCP

    go to Lease Requirements and put this string: dhcp-class-identifier "100008,0001,,opnsense"

    I tried also to configure vlan 10 but I think this is not my case because I’m not on FTTH.

    I also tried to put on my WAN interface the MAC address of my Internet Box.

    Can someone help me?

    With this configuration I’m not able to retrieve the IP.

    Thanks

      You don’t have to do any of this. Just assign it a static IP address from the private range.

      I would like to remove Swisscom Box and use my pfsense as router.

      Right now I have the configuration you suggest.

      It’s a hassle, you need a DSL modem/router anyway. Why don’t you just get Internet-Box 3?

      If your router is IB2 accessing internet over DSL, it’s already configured there and you’re getting the IP address on it. Then it forwards the traffic to the DMZ.

      You only need to do this if your router is directly connected to the Swisscom infrastructure.

      That applies to the setup where the modem/router (TP-Link) is in bridge mode. From what I understood you are on DSL. In your specific case you would need a router that can be put in bridge mode.

      You can’t do that with IB2, hence the DMZ method you’re using. This is more like port forwarding than a regular DMZ where each device in the DMZ gets a public IP address.

      The TP-Link MC220L is a media converter and not a bridge modem from what I see…

      If I would like to test another modem/router that permits bridge mode, is there any special recommendation, or can any generic modem/router work?

      Any would do, but I would go for one that supports G.fast.

      Hi Gasebeitt77

      You do indeed need to add the DHCP parameter in order to receive the IPv4 address from Swisscom when using a non-official device, which is exactly what I do.

      I have a Zyxel G.Fast router which I only use as a bridge, and then terminate the IPv4 and IPv6 connections on an OPNsense box running on a PCengines APU2 box.

      This is the WAN interface configuration:

      Screenshot 2023-04-01 at 17.20.59.png

      Screenshot 2023-04-01 at 17.21.13.png

      Apart from a few issues with IPv6, which I can discuss if you need, things have been working well for 2 years or so, with my Zyxel alone first, and the added OPNsense box later.

      Here I discussed the upgrade to the Zyxel router back in 2020:

      https://community.swisscom.ch/t5/Router-Hardware/Report-on-good-VDSL2-experience-with-Zyxel-XMG3927-B50A/m-p/642747#M448

      Here I discussed the G.Fast upgrade to my line in 2022:

      https://community.swisscom.ch/t5/Internet-general/Is-G-fast-or-VDSL2-profile-35b-turned-on-by-default-on-a-copper/m-p/695652

      Hope this helps, let me know if I can help you in any other way!

      Bye, Luca
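
Option 60 is the DHCP vendor class identifier. The sketch below is an added example, not part of any post in this thread and not Swisscom or OPNsense code: it builds a DHCPDISCOVER payload carrying the string quoted in the first post and parses it back, which is the same check one would run on a DISCOVER captured on the WAN interface. The function names, MAC address and transaction id are constructed for the example.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"       # start of the DHCP options field (RFC 2131)
OPT_PAD, OPT_MSG_TYPE, OPT_VENDOR_CLASS, OPT_END = 0, 53, 60, 255
VENDOR_CLASS = "100008,0001,,opnsense"   # string quoted in the thread, without quotes

def build_discover(mac: bytes, vendor_class: str, xid: int = 0x12345678) -> bytes:
    """Return the UDP payload of a DHCPDISCOVER carrying option 60."""
    vc = vendor_class.encode("ascii")
    if len(mac) != 6 or not 1 <= len(vc) <= 255:
        raise ValueError("need a 6-byte MAC and a 1..255 byte option 60 value")
    # op=1 (request), htype=1 (Ethernet), hlen=6, hops=0, xid, secs=0, flags=broadcast
    header = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)
    header += bytes(16) + mac + bytes(10)     # four zero IP fields, chaddr padded to 16
    header += bytes(64 + 128)                 # sname + file, unused
    options = bytes([OPT_MSG_TYPE, 1, 1])     # option 53, value 1 = DHCPDISCOVER
    options += bytes([OPT_VENDOR_CLASS, len(vc)]) + vc
    options += bytes([OPT_END])
    return header + MAGIC_COOKIE + options

def parse_options(payload: bytes) -> dict:
    """Walk the code/length/value options of a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload (magic cookie missing)")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:                   # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError(f"option {code} truncated")
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def vendor_class_of(payload: bytes):
    """Return option 60 as text, or None when the client did not send it."""
    value = parse_options(payload).get(OPT_VENDOR_CLASS)
    return value.decode("ascii", "replace") if value is not None else None

if __name__ == "__main__":
    pkt = build_discover(bytes.fromhex("020000000001"), VENDOR_CLASS)  # constructed MAC
    print(vendor_class_of(pkt))
```

A `None` result from `vendor_class_of` on a captured DISCOVER means the client never sent option 60, which points at the lease-requirements field rather than at the line or the modem.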

      Hi

      thanks for the info! I’ll do as suggested!

      do you use Swisscom tv with this configuration? Could you also share your configuration?

      thanks

      Great, let us know how it goes!

      For Swisscom TV, I use it sooo little that I have resorted to sharing the Blue TV app screen from my iPad on my Apple TV in the two times a year I want to watch something on Blue TV.

      I did some tests in the past, but they were unsuccessful.

      I would need to do some traffic capture in order to see where the problem lies, that’s the issue!

      Bye, Luca

      a year later

      Hi Luca,

      I’m also using OPNSense with my Swisscom connection. DHCP works nicely with option 60. For DHCPv6, I tried to use option 60 as well, but I’m not getting any IPv6 address/prefix.

      Is there something more I’d do?

      Big thanks in advance.
      Cheers

      Raphael

      Hi Raphael,

      I have not used OPNsense as a firewall towards my Swisscom VDSL connection for a while, as I have changed to using a Swisscom Internet Box 3 as gateway, and only use OPNsense as a “smart” DHCP and DNS server, after disabling the DHCP function in the IB3.

      I wouldn’t know how to answer the issue you are facing with the IPv6 assignment on the WAN port, but I am not sure that you really need DHCPv6 as a client in order to get your prefix assigned by Swisscom.

      To be fair, one of the reasons to remove OPNsense as a firewall and gateway was also an issue I faced when Swisscom changed from 6to4 to full IPv4/IPv6 stack a while back, as I could not find a suitable IPv6 configuration, and did not have time to troubleshoot the issue.

      So I decided to go back to using a Swisscom provided router, and I have not yet thought about switching back to using OPNsense as a firewall/gateway for now.

      Sorry for not being of much help!

      Ciao, Luca

      Thanks for the input Luca,

      Actually, I wanted to get rid of the IB. Either by replacing it with OPNSense or by putting OPNSense behind (and having two levels of NAT), I don’t like the idea that the devices in my LAN are managed/seen by my provider.

      Thanks bitracer, nice catch!

      Did you manage to have ipv6 working with opnsense or pfsense?

      I thought about running double NAT too, but then I ran into an issue with the Swisscom TV thing, and I could not find a suitable configuration for OPNsense to make the TV work.

      So I put OPNsense “on a stick” and am now just using it for DHCP and internal DNS with a DoH forwarder to an external DNS provider.

      Meanwhile I have moved apartments at the end of June, and in the new setup which I am still finalizing I will probably revamp OPNsense, as we don’t use Swisscom TV (now Blue TV) much any longer.

      So many things to do, so little time…

      Ciao, Luca

      No, for the brief time I was running a third-party router (Mikrotik) with Swisscom, I ran it single stack.

      The main reason I was using Mikrotik was CAPSMAN, but then I found out that IB + WLAN-Boxes worked quite well with zero effort.

      In the documentation provided by Swisscom, it doesn’t say anything about options with IPv6. I presume it’s not needed.