                            [re0]          [athn0]
     __________     _________    \________/     ______
    (          )   |         |   |        |    /      \
    ( internet )---| freebox |---| router |---( laptop )
    (__________)   |_________|   |________|    \______/
                        /                         /
                    [::/64]                   [iwm0]

# Configure the freebox gateway
- go into freebox manager interface
- go into inet6 configuration
- configure a subnet
- add a new subnet with your router as the next hop (the local ip6 address of your router)
# Configure OpenBSD router
Enable IPv6 forwarding, persistently in /etc/sysctl.conf and immediately with sysctl:

    cat >> /etc/sysctl.conf << EOF
    net.inet6.ip6.forwarding=1
    EOF
    sysctl net.inet6.ip6.forwarding=1

# Configure interface
Configure the athn0 interface with a fixed IPv6 address taken from the subnet.

    cat >> /etc/hostname.athn0 << EOF
    inet6 2c02:abc:defa:1234::1/64
    up
    EOF

Note: I was looking for a solution without configuring the interface,
by only using a route like route add 2c02:abc:defa:1234::/64 fe80::1%athn0 but it does not work.
# Configure packet filter
Allow IPv6 in the packet filter. Note that this configuration allows all traffic from the outside world into the subnet, which is probably not the best choice for a local and private network.

    cat >> /etc/pf.conf << EOF
    pass on re0 inet6
    pass on athn0 inet6
    EOF

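Here is a configuration that denies connections from the outside world. It blocks every connection initiated from outside to our "private" internal network and still allows traffic initiated from that network to go out.

    # 'EOF' is quoted so the shell does not expand $ip6_network to an empty string
    cat >> /etc/pf.conf << 'EOF'
    ip6_network = "2c02:abc:defa:1234::/64"
    # re0 is the outside-facing interface; keep state lets replies back in
    block in on re0 inet6 to $ip6_network
    pass out on re0 inet6 from $ip6_network keep state
    EOF
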
You can now check the ruleset for syntax errors (-n parses without loading) and then load it into the packet filter.

    pfctl -nf /etc/pf.conf
    pfctl -f /etc/pf.conf

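
To see why the second rule set drops unsolicited connections while replies to outgoing traffic still come back, here is a simplified Python model of pf's evaluation order (last matching rule wins, pass rules create state). It is an added example, not part of the original page and not pf itself; the two host addresses are constructed, and placing the filtering rules on re0, the outside-facing interface in the diagram, is an assumption.

```python
"""Simplified model of pf rule evaluation (added example, not pf itself)."""
from ipaddress import ip_address, ip_network

NET = ip_network("2c02:abc:defa:1234::/64")    # internal prefix from the page
LAPTOP = ip_address("2c02:abc:defa:1234::42")  # constructed internal host
REMOTE = ip_address("2001:db8::1")             # constructed outside host

# Rule = (action, direction or None for both, interface, src net, dst net)
OPEN_RULES = [("pass", None, "re0", None, None),
              ("pass", None, "athn0", None, None)]
FILTERED_RULES = OPEN_RULES + [("block", "in", "re0", None, NET),
                               ("pass", "out", "re0", NET, None)]


def verdict(rules, direction, iface, src, dst):
    """Last matching rule wins; a packet matching no rule is passed."""
    action = "pass"
    for act, rdir, rif, rsrc, rdst in rules:
        if (rdir in (None, direction) and rif == iface
                and (rsrc is None or src in rsrc)
                and (rdst is None or dst in rdst)):
            action = act
    return action


def forward(rules, states, src, dst):
    """Route one packet: in on one interface, out on the other.

    Simplification: state is keyed on (interface, host pair); real pf
    also keys on protocol and ports.
    """
    hops = ([("in", "athn0"), ("out", "re0")] if src in NET
            else [("in", "re0"), ("out", "athn0")])
    for direction, iface in hops:
        if (iface, src, dst) in states or (iface, dst, src) in states:
            continue                   # existing state: rules are skipped
        if verdict(rules, direction, iface, src, dst) == "block":
            return False
        states.add((iface, src, dst))  # pass rules keep state by default
    return True


def scenario(rules):
    """Return (unsolicited inbound, outbound, reply to outbound)."""
    inbound = forward(rules, set(), REMOTE, LAPTOP)
    states = set()
    outbound = forward(rules, states, LAPTOP, REMOTE)
    return inbound, outbound, forward(rules, states, REMOTE, LAPTOP)
```

Calling scenario(OPEN_RULES) and scenario(FILTERED_RULES) compares the two rule sets: only the unsolicited inbound result differs between them.
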
# Configure rad
Configure rad, the router advertisement daemon.

    cat >> /etc/rad.conf << EOF
    interface athn0 {
        prefix 2c02:abc:defa:1234::/64
    }
    EOF

And now enable it.

    rcctl enable rad
    rcctl start rad

# Configure OpenBSD Laptop
Configure the wireless interface.

    cat >> /etc/hostname.iwm0 << EOF
    up
    dhcp
    inet6 autoconf eui64
    EOF

And load the configuration with the netstart script.

    sh /etc/netstart iwm0

# Check your configuration
From our private network you can try to reach different IPv6-enabled services.

    ping6 wikipedia.org
    traceroute6 freebsd.org

If you have servers with IPv6 enabled, you can check the two previous configurations with netcat or nmap. With the first configuration, you can access services listening on all interfaces in your "private" IPv6 network. With the second configuration, these flows are blocked and nmap returns a "filtered" result.

Enjoy.