Adding howto to set up french fiber provider SFR/RED (#179)

source/interfaces.rst

@@ -39,4 +39,5 @@ Setup guides
    manual/how-tos/interface_wireless_internal
    manual/how-tos/orange_fr_fttp
    manual/how-tos/orange_fr_tvf
+   manual/how-tos/sfr_red_fr_ftth
    manual/how-tos/SkyUK

source/manual/how-tos/sfr_red_fr_ftth.rst

@@ -0,0 +1,309 @@
+SFR/RED France FTTH IPv4 & IPv6 & Phone
+=======================================
+
+**Original Author:** Philippe Gaultier
+
+**Introduction / Getting ready to make the connection**
+-------------------------------------------------------
+
+This guide is for SFR/RED France FTTH using DHCPv4  / DHCPv6 to connect.
+
+The guide deals with internet connection and phone. Support for TV has not been tested.
+
+.. Note::
+    Before starting this guide, you should have the MAC address of your SFR/RED Box. In the guide you should replace xx:xx:xx:xx:xx:xx with your SFR/RED Box MAC address.
+
+SFR/RED requires that the WAN interface assignment should look similar to this:
+
+.. image:: images/SFRRED_assignations.png
+	:width: 100%
+
+* WAN interface has MAC xx:xx:xx:xx:xx:xx which is the original WAN MAC of the BOX (spoofed),
+* LAN interface has MAC 00:11:22:33:44:55 which is the original MAC of the firewall,
+* DUID is 00:03:00:01:xx:xx:xx:xx:xx:xx it's derived from the original WAN MAC of the BOX (spoofed).
+
+**Configuring the WAN Interface**
+---------------------------------
+
+Select :menuselection:`Interfaces --> [WAN]`
+
+In order to establish the IPv4 and IPv6 connection, SFR/RED requires that the correct parameters are passed for the DHCPv4 and DHCPv6
+requests respectively.
+
+Select options:
+
+* IPv4 configuration: DHCPv4,
+* IPv6 configuration: DHCPv6.
+
+.. image:: images/SFRRED_WAN_configuration_1.png
+	:width: 100%
+
+**On the DHCPv4 request it is a requirement to pass the following:**
+
+.. image:: images/SFRRED_WAN_configuration_2.png
+	:width: 100%
+
+.. Note::
+    It is necessary to specify the following ”Send Options”:
+
+    * dhcp-class-identifier "neufbox_NB6VAC-FXC"
+
+.. Note::
+    It is necessary to specify the following ”Request Options”:
+
+    * subnet-mask, broadcast-address, time-offset, routers, domain-name, domain-name-servers, host-name, ntp-servers, nis-domain, root-path, merit-dump
+
+
+**On the DHCPv6 request we need to use raw options**
+
+.. image:: images/SFRRED_WAN_configuration_3.png
+	:width: 100%
+
+.. Note::
+    It is necessary to specify the following ”Send Options”:
+
+    * ia-pd 1, raw-option 16 00:00:a0:0c:00:40:6e:65:75:66:62:6f:78:5f:4e:42:36:56:41:43:2d:46:58:43
+
+.. Note::
+    It is necessary to specify the following ”Request Options”:
+
+    * domain-name-servers, domain-name
+
+.. Note::
+    Set Identity Association options to:
+
+    * Delegate prefix: checked,
+    * id-assoc pd ID: 1,
+    * Prefix: ::/0.
+
+    Set Prefix Interface option to:
+
+    * Prefix Interface: 8.
+
+Click ”Save” and then ”Apply”.
+
+
+**Configuring the LAN Interface**
+---------------------------------
+
+Interfaces / Parameters
++++++++++++++++++++++++
+
+Select :menuselection:`Interfaces --> Parameters` and set your DUID.
+
+.. image:: images/SFRRED_interfaces_parameters.png
+	:width: 100%
+
+.. Note::
+    The DUID is based on the SFR/RED Box MAC address : 00:03:00:01:xx:xx:xx:xx:xx:xx.
+
+Click ”Save” and then ”Apply”
+
+Interfaces / [LAN]
+++++++++++++++++++
+
+Select :menuselection:`Interfaces --> [LAN]` and set IPv4 to “Static IPv4” and IPv6 Configuration Type to
+“Track Interface”.
+
+.. image:: images/SFRRED_LAN_configuration_1.png
+	:width: 100%
+
+
+And define the IPv6 Prefix ID to ”0”
+Finally, set the following parameters as shown:
+ * the IPv4 address to the one wanted,
+ * the IPv6 interfacet to ”WAN”,
+ * the IPv6 Prefix ID to ”0”.
+
+
+.. image:: images/SFRRED_LAN_configuration_2.png
+	:width: 100%
+
+Click ”Save” and then ”Apply”
+
+
+
+.. Note::
+    It is advisable at this point to reboot the system. This will allow you to retrieve an IPv4 address which will be used in next part.
+
+**Configuring NGINX to provision the SFR/RED BOX**
+--------------------------------------------------
+
+In order to set up the phone, as the SIP parameters (user/password) are not public, we will add the SFR/RED box in our LAN.
+This will allow us to plug our regular phone in the SFR/RED box.
+
+.. Note::
+    This how-to does not cover installation of NGINX nor the use of SSH / shell commands.
+
+First SSH into your OPNSense firewall and create a folder **/srv/sfrredbox**. In this folder, we will add the scripts used to spoof the SFR/RED Box requests.
+
+In this directory create a file **index.php**
+
+.. code-block:: php
+
+    $currentFirewall = 'firewall.localdomain.intra';
+    // can probably be replaced with
+    // $currentFirewall = exec('hostname');
+    if (isset($_GET['ip_dhcp'])) {
+        // adjust re0 to your WAN interface
+        $_GET['ip_dhcp'] = exec('ifconfig re0 | grep \'inet \' | cut -d\' \' -f2');
+        // if the ifconfig command does not work, set the external IP manually
+        // $_GET['ip_dhcp'] = 'your.external.ip.address';
+    }
+    $_SERVER['DOCUMENT_URI'] = str_replace('/index.php', '', $_SERVER['DOCUMENT_URI']);
+    $parameters = http_build_query($_GET);
+    $url = $_SERVER['REQUEST_SCHEME'].'://'.$_SERVER['HTTP_HOST'].'/'.trim($_SERVER['DOCUMENT_URI'], '/?') .'?'.$parameters;
+    $ch = curl_init();
+    curl_setopt($ch, CURLOPT_URL, $url);
+    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+    curl_setopt($ch, CURLOPT_HEADERFUNCTION, 'readHeaderLine');
+    $data = curl_exec($ch);
+    $data = preg_replace('/<proxy([^>]+)>([^<]+)<\/proxy>/', '<proxy$1>'.$currentFirewall.'</proxy>', $data);
+    curl_close($ch);
+    header('Content-Length: '.strlen($data));
+    header('Content-Type: application/xml');
+    echo $data;
+
+
+.. Warning::
+    Code cannot be copied / pasted as-is, you will have to adjust the parameters and make it consistent with your own settings.
+
+Services / Nginx / Configuration
+++++++++++++++++++++++++++++++++
+
+Select :menuselection:`Services --> Nginx --> Configuration`
+
+Activate NGINX
+
+.. image:: images/SFRRED_services_nginx_configuration_1.png
+	:width: 100%
+
+Services / Nginx / Configuration / HTTP(s)
+++++++++++++++++++++++++++++++++++++++++++
+
+Select :menuselection:`Services --> Nginx --> Configuration --> HTTP(s)`
+
+Create a new config
+
+.. image:: images/SFRRED_services_nginx_configuration_2.png
+	:width: 100%
+
+.. Note::
+    Important settings are:
+
+    * Description,
+    * URL Pattern,
+    * File System Root,
+    * Pass Request To Local PHP Interpreter / Threat Upstream.
+
+Services / Nginx / Configuration / HTTP(s) / URL Rewriting
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+Select :menuselection:`Services --> Nginx --> Configuration --> HTTP(s) --> URL Rewriting`
+
+Add a new rewrite rule
+
+.. image:: images/SFRRED_services_nginx_configuration_3.png
+	:width: 100%
+
+Services / Nginx / Configuration / HTTP(s) / HTTP Server
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+Select :menuselection:`Services --> Nginx --> Configuration --> HTTP(s) --> HTTP Server`
+
+Add a new rewrite rule
+
+.. image:: images/SFRRED_services_nginx_configuration_4.png
+	:width: 100%
+
+.. Note::
+    NGINX should be serving the page we have created.
+
+
+**Configuring Siproxd to provision the SFR/RED BOX**
+-----------------------------------------------------
+
+To allow phone to work, the easiest way is to set Siproxd on the firewall.
+
+Services / Unbound DNS / General
+++++++++++++++++++++++++++++++++
+
+Select :menuselection:`Services --> Unbound DNS --> General`
+
+Add parameters to let SFR/RED Box discover the SIP proxy:
+
+.. image:: images/SFRRED_services_unbound_configuration_1.png
+	:width: 100%
+
+.. Warning::
+    It appears OPNSense will drop support of functionnality of **advanced** parameters so I don't know if it will be possible in future releases
+    to define the DNS stuff using:
+
+    * local-data: "_sip._udp.firewall.localdomain.intra. 180 IN SRV 10 60 5060  firewall.localdomain.intra."
+
+Services / Siproxd
+++++++++++++++++++
+
+Select :menuselection:`Services --> Siproxd`
+
+Define basic parameters:
+
+.. image:: images/SFRRED_services_siproxd_configuration_1.png
+	:width: 100%
+
+Services / Siproxd / Outbound Domains
++++++++++++++++++++++++++++++++++++++
+
+Select :menuselection:`Services --> Siproxd --> Outbound Domains`
+
+Create the configuration for outbound domain:
+
+.. image:: images/SFRRED_services_siproxd_configuration_2.png
+	:width: 100%
+
+.. Note::
+    The IP address and the port of outbound domain was discovered using an **host** request on the proxy returned by SFR/RED while provisionning the box.
+    You will have to check the <proxy></proxy> fields of **voip2.xml**.
+
+    .. highlights::
+        host -t SRV _sip._udp.residential.p-cscf.sfr.net
+
+.. Note::
+    the host request result gives available SIP servers with the port to use (in my case 5062).
+
+    .. highlights::
+        _sip._udp.residential.p-cscf.sfr.net has SRV record 10 0 5062 mitry.p-cscf.sfr.net.
+        _sip._udp.residential.p-cscf.sfr.net has SRV record 10 0 5062 corbas.p-cscf.sfr.net.
+        _sip._udp.residential.p-cscf.sfr.net has SRV record 10 0 5062 trappes.p-cscf.sfr.net.
+
+
+**Configuring NAT to redirect SFR/RED BOX calls to NGINX**
+----------------------------------------------------------
+
+To allow correct port forwarding, we will configure OPNSense to affect a **static** IP to the SFR/RED Box and we will create an alias for it.
+
+Services / DHCPv4 / [LAN]
++++++++++++++++++++++++++
+
+Select :menuselection:`Services --> DHCPv4 --> [LAN]`
+
+Click on `[+]` to add a static mapping:
+
+.. image:: images/SFRRED_services_dhcp_lan.png
+	:width: 100%
+
+Firewall / NAT / Port Forward
++++++++++++++++++++++++++++++
+
+Select :menuselection:`Firewall --> NAT --> Port Forward`
+
+Add a new forwarding rule:
+
+.. image:: images/SFRRED_lan_port_forwarding.png
+	:width: 100%
+
+
+
+.. Note::
+    Right now, everything should be ready. Restart the firewall, once ready plug the SFR/RED Box on your LAN and start it.
+    You should be able to enjoy IPv4, IPv6 and Phone.