XS4ALL's FTTH product in Amsterdam is delivered over Reggefiber (formerly Glashart) physical infrastructure and transported over KPN infrastructure to XS4ALL's IP infrastructure and THE INTERNETS.
In recent years, KPN has made an admirable swing in embracing FTTH as access technology. However, they have not yet let go of their old mindset for deploying access infrastructure. Hence, the service delivery is overly complicated.
Rather than delivering a port on which the customer can simply speak DHCP and DHCPv6, KPN requires the customer to configure PPPoE over an 802.1Q VLAN and to run DHCPv6 over the resulting PPP interface to obtain an IPv6 prefix delegation (IPv6-PD).
This results in the following requirements if you wish to move away from the supplied FRITZ!Box 7390, with the assumption that em1 leads to the Genexis CPE:
The stock ISC DHCP daemon found in the FreeBSD Ports Collection does not support queries over tunnel interfaces. You'll have to apply a patch and recompile. This can be accomplished by placing this patch in /usr/ports/net/isc-dhcp42-server/files/ and building the port from source. Use this patch for v4.3.3, this patch for v4.3.3P1, or this patch for v4.4.1 with support for mpd5 (ng0) as well as the standard PPP client (tun0).
From here on there are two routes: one is to use /usr/sbin/ppp, the other is to use ports/mpd5. The latter is rumoured to have lower CPU usage. It builds on top of the Netgraph framework, so it comes with a host of features such as Netflow and IP accounting. It also has a built-in web server and can do mini jumbo frames (RFC 4638), giving you an IP MTU of 1500 bytes again, as with RFC1483 bridged ADSL.
For PPP:
Add the following lines to /etc/rc.conf:
gateway_enable="YES"
ifconfig_em1="up -wol -arp"
vlans_em1="vlan0"
create_args_vlan0="vlan 6 -arp"
ifconfig_em1_ipv6="inet6 ifdisabled -nud -auto_linklocal -accept_rtadv"
ifconfig_vlan0_ipv6="inet6 ifdisabled -nud -auto_linklocal -accept_rtadv"
ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="YES"
ppp_profile="pppoe"
netwait_enable="YES"
netwait_if="tun0"
netwait_ip="194.109.5.211"
Add the following to /etc/ppp/ppp.conf:
default:
 set log Phase IPCP IPV6CP tun +connect
 nat deny_incoming no
 disable dns

pppoe:
 ident Fritz!box 7390
 set device PPPoE:vlan0
 set speed sync
 set mru 1492
 set mtu 1492
 set ctsrts off
 enable mssfixup
 disable enddisc
 set server /var/run/ppp/pppoe "" 0177
 set ifaddr 0.0.0.0/0 194.109.5.211/16 255.255.255.255 0.0.0.0
 add! default HISADDR
 add! default HISADDR6
 set authname FB7390@xs4all.nl
 set authkey FB7390
 #enable lqr echo <-- buggy remote end responds with different magic
 set redial 0 0
 set dial
 set login
 set vj slotcomp off
PPP's /etc/ppp/ppp.linkup script can start the patched DHCPv6 client to request a Prefix Delegation:
#
# ppp searches the labels in this file as follows:
# 1) The label that matches the IP number assigned to our side.
# 2) The label specified on the command line to ppp.
# 3) If no label has been found, use MYADDR if it exists.
#
pppoe:
 !bg /sbin/ifconfig INTERFACE inet6 accept_rtadv -nud -no_radr
 !bg /usr/local/sbin/dhclient -6 -P -pf /var/run/dhclient6.pid INTERFACE

I add a global IPv6 address from the delegated range using iface add! here; you can also do that from e.g. /usr/local/sbin/dhclient6-script.
And likewise in /etc/ppp/ppp.linkdown to stop the DHCPv6 client:
pppoe:
 log UPTIME v4in:IPOCTETSIN v4out:IPOCTETSOUT v6in:IPV6OCTETSIN v6out:IPV6OCTETSOUT
 !bg test -f /var/run/dhclient6.pid && kill `cat /var/run/dhclient6.pid`

(Note: logging may not work if the PPP daemon was started before syslogd.)
For mpd5:
Add the following lines to /etc/rc.conf, again assuming the Genexis NTU is connected to em1:
gateway_enable="YES"
vlans_em1="vlan6"
create_args_vlan6="vlan 6 -arp"
ipv6_cpe_wanif="ng0"
ifconfig_vlan6_ipv6="inet6 ifdisabled -nud -auto_linklocal -accept_rtadv"
ifconfig_em1="-wol -arp mtu 1508"
netwait_enable="YES"
netwait_if="ng0"
netwait_ip="194.109.5.175"
mpd_enable="YES"
You will probably want to change the header of /usr/local/etc/rc.d/mpd5 so that the daemon is started in the right order during bootup:
# PROVIDE: ppp mpd5
# REQUIRE: netif
# BEFORE: DAEMON
# KEYWORD: shutdown nojail
Add the following to /usr/local/etc/mpd5/mpd.conf:
startup:
	set global max-children 32
	# replace the placeholder credentials; console and web UI are bound to loopback only
	set user superuserlogin superuserpassword admin
	set console self 127.0.0.1 5005
	set console open
	set web self 127.0.0.1 5006
	#set web auth disable
	set web open

default:
	load pppoe

pppoe:
	create bundle static B
	set iface up-script /usr/local/etc/mpd5/linkup.sh
	set iface down-script /usr/local/etc/mpd5/linkdown.sh
	set ipcp ranges 0.0.0.0/0 0.0.0.0/0
	#set ipcp ranges your-static-ip/0 194.109.5.175/16
	set bundle enable ipv6cp
	set iface route default
	load nat

	create link static P pppoe
	set link action bundle E
	set link latency 1200
	set link bandwidth 100000000
	set link keep-alive 30 120
	set link redial-delay 1
	set link max-redial 0
	set link mtu 1492
	set pppoe max-payload 1500
	set auth authname FB7390@xs4all.nl
	set auth password FB7390
	set pppoe iface vlan6
	set pppoe service ""
	open

nat:
	set iface enable nat
	set iface enable tcpmssfix
	set nat enable incoming
	set nat red-port udp 0.0.0.0 5004-5090 192.168.1.your-sip-phone 5004-5090
	. . .
A sample /usr/local/etc/mpd5/linkup.sh follows:
#!/bin/sh
#
# Called by mpd5 as: linkup.sh interface proto local-ip remote-ip authname peer-address
test -z "$1" && exit 1
if [ "$2" = "inet" ]
then
	/usr/bin/renice -n -5 $PPID
	(sleep 3; env - /etc/rc.d/named restart) &
fi
if [ "$2" = "inet6" ]
then
	# -f: the lease file may not exist yet on the first link-up
	/bin/rm -f /var/db/dhclient6.leases
	/sbin/ifconfig "$1" inet6 accept_rtadv -nud -no_radr
	(sleep 3; /usr/local/sbin/dhclient -P -pf /var/run/dhclient6.pid -lf /var/db/dhclient6.leases "$1") &
fi
exit 0
And a sample /usr/local/etc/mpd5/linkdown.sh:
#!/bin/sh
#
test -z "$1" && exit 1
if [ "$2" = "inet" ]
then
	/usr/bin/renice -n +5 $PPID
fi
if [ "$2" = "inet6" ]
then
	/usr/local/sbin/dhclient -r -pf /var/run/dhclient6.pid "$1" &
	sleep 3
	test -f /var/run/dhclient6.pid && kill `cat /var/run/dhclient6.pid`
fi
exit 0
These two scripts are called once per address family with the following arguments:

script interface proto local-ip remote-ip authname peer-address
mpd5 needs the ng_tee, ng_ppp, ng_l2tp, ng_pppoe, ng_ether, ng_iface, ng_socket and ng_ksocket kernel modules loaded; NAT additionally needs ng_nat and ng_tcpmss.
In June 2013 XS4ALL replaced their old BRASs with Juniper MX960s which did not ignore the requests generated by dhclient6 for the -N option, causing IPv6 PD to fail, so I've removed that option from the example above; it sometimes still takes a long time to obtain a lease, though.
There are several places that document the scripts that dhclient6 calls in order to populate configuration files such as /etc/rtadvd.conf, but since prefixes delegated this way seem quite stable, I've hardcoded them on my end in the various configuration files, and made my /usr/local/sbin/dhclient6-script just immediately call exit 0.
Should you want to run your own local caching nameserver, add the following to /usr/local/etc/dhclient6.conf:
timeout 60;
retry 60;
reboot 10;
select-timeout 5;
initial-interval 2;
script "/usr/local/sbin/dhclient6-script";
supersede domain-name "xs4all.nl";
supersede domain-name-servers 127.0.0.1;
supersede dhcp6.domain-search "xs4all.nl";
supersede dhcp6.name-servers ::1;

(If not, remove disable dns from /etc/ppp/ppp.conf, or add set ipcp enable req-pri-dns req-sec-dns to /usr/local/etc/mpd5/mpd.conf.)
Should dhclient6 fail to come up with a DHCP Client Identifier (DUID) on its own, you can set one explicitly in /usr/local/etc/dhclient6.conf (assuming your em1 MAC address is 0012.3456.789a; replace tun0 with ng0 if you use mpd5):
interface "tun0" {
	send dhcp6.client-id 00:01:00:01:17:08:93:7B:00:12:34:56:78:9A;
}
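The client-id above is a DUID-LLT; the following added helper (not from the original page) builds one from a MAC address and a Unix timestamp in the byte notation dhclient6.conf expects, and decodes an existing one so you can check that the configured identifier really carries your em1 address. The MAC and timestamp fed to it below are the page's example values; the function names are my own.

```sh
#!/bin/sh
# DUID-LLT layout (RFC 8415 section 11.2): 00:01 (DUID type LLT), 00:01
# (hardware type Ethernet), 4-byte seconds since 2000-01-01 00:00:00 UTC
# modulo 2^32, then the 6-byte link-layer address.

DUID_EPOCH=946684800   # Unix time of 2000-01-01 00:00:00 UTC

# duid_llt MAC UNIXTIME -> colon-separated DUID-LLT, upper-case hex.
# MAC may be written 00:12:34:56:78:9a, 0012.3456.789a or 00123456789a.
duid_llt() {
    hex=$(printf '%s' "$1" | tr -d ':.-' | tr 'a-f' 'A-F')
    [ "${#hex}" -eq 12 ] || return 1
    t=$(( ($2 - DUID_EPOCH) & 4294967295 ))     # wrap to 32 bits as the RFC requires
    printf '00010001%08X%s' "$t" "$hex" | sed 's/../&:/g; s/:$//'
}

# duid_llt_mac DUID -> the MAC embedded in a DUID-LLT, lower-case with colons.
# Fails for identifiers that are not 14 bytes or not of type LLT/Ethernet.
duid_llt_mac() {
    raw=$(printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f')
    [ "${#raw}" -eq 28 ] || return 1
    case "$raw" in 00010001*) ;; *) return 1 ;; esac
    printf '%s' "${raw#????????????????}" | sed 's/../&:/g; s/:$//'
}

# duid_llt_time DUID -> Unix time at which the DUID-LLT was generated.
duid_llt_time() {
    raw=$(printf '%s' "$1" | tr -d ':')
    [ "${#raw}" -eq 28 ] || return 1
    t=${raw#????????}; t=${t%????????????}     # bytes 5..8: the time field
    echo $(( 0x$t + DUID_EPOCH ))
}
```

Running duid_llt_mac over the configured client-id and comparing it with ifconfig em1 output is a quick way to catch a copy-paste error before the server rejects or mis-associates the lease.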
XS4ALL stops routing your IPv6 prefix after a few hours if you don't periodically request new leases.
If you previously had a different CPE attached to the Genexis, XS4ALL may take an hour or two to time out its MAC address and accept PPPoE connection attempts from a new address.
Don't forget to enable IPv6 for your new connection in XS4ALL's Service Center. The option appeared a day or so after my physical connection was delivered.
You'll have to run rtadvd(8) to enable IPv6 on machines connected to your LAN.
In January 2016 XS4ALL began pushing their legacy (Cistron and Demon) RFC1483bridged ADSL customers to migrate to VDSL where available. This configuration will work with such a setup too (VPI/VCI 8/48, VC-Mux, if you manage to locate a modem that supports transparent bridge mode).
XS4ALL can also deliver VoIP and television over this connection. According to Paul de Weerd, these are delivered on VLANs 5 and 4, respectively. You'll have to figure these out by yourself as I don't subscribe to these services at the moment.
Alternatives to ISC DHCP include WIDE (see the hints page for Ubuntu) and dibbler, which is advertised to run on FreeBSD but for which, sadly, no port is available.