En hikari cross fixed ip for opnsense setup

enひかり Cross Xpass DS-Lite + Fixed IP on OPNsense – Complete Guide

Note: I wrote this because it took me way too long to figure out and I couldn’t find any proper guide online. Tested and confirmed working on OPNsense 26 running on Proxmox VM. I used AI to help draft and troubleshoot the settings.

—–

WHAT YOU NEED FROM ENHIKARI (fixed IP subscribers only)

– Fixed IPv4 address

– Tunnel Destination IPv6 address

– FQDN (e.g. abc123.v4v6.xpass.jp)

– DDNS Password

– DDNS User ID

– Basic Auth ID and Password

—–

PART 1 – WAN SETUP

  1. Go to Interfaces > WAN
  2. Set IPv4 Configuration Type to None
  3. Set IPv6 Configuration Type to DHCPv6
  4. Under DHCPv6 settings, enable Request only an IPv6 prefix, set Prefix Delegation size to 56, and enable Send IPv6 prefix hint
  5. Go to Interfaces > LAN
  6. Set IPv6 Configuration Type to Track Interface
  7. Set IPv6 Interface to WAN
  8. Set IPv6 Prefix ID to 0

Confirm WAN has a valid IPv6 address before continuing.

—–

PART 2 – DS-LITE SETUP (Xpass/Crosspath – shared IP)

  1. Go to Interfaces > Devices > GIF > Add
  2. Set Parent Interface to WAN
  3. Set GIF Remote Address to 2001:f60:0:200::1:1
  4. Set GIF Tunnel Local Address to 192.0.0.2
  5. Set GIF Tunnel Remote Address to 192.0.0.1
  6. Set Netmask to 29
  7. Check Disable Ingress Filtering
  8. Save and assign as new interface (e.g. XPASS), enable it
  9. Go to Firewall > NAT > Outbound, switch to Hybrid mode
  10. Add rule: Interface XPASS, Source LAN net, Destination any, Translation Interface address

—–

PART 3 – FIXED IP SETUP (IPIP6)

STEP 1 – Create the ::feed Virtual IP (this is the critical step)

  1. Go to Interfaces > Virtual IPs > Add
  2. Set Mode to IP Alias
  3. Set Interface to WAN
  4. Set Network Address to your /56 prefix with ::feed/128 at the end
  5. Example: if your prefix is 2001:f60:xxxx:xx00::/56, enter 2001:f60:xxxx:xx00::feed/128
  6. Save

STEP 2 – Run the DDNS Activation URL

Access this URL from a browser behind OPNsense. It must go over IPv6.

https://ddnsweb1.ddns.vbbnet.jp/cgi-bin/ddns_api.cgi?d=YOURFQDN&p=YOURPASSWORD&a=YOURPREFIX::feed&u=YOURFQDN

Replace YOURFQDN with your actual FQDN (e.g. abc123.v4v6.xpass.jp)

Replace YOURPASSWORD with your DDNS password

Replace YOURPREFIX::feed with your actual prefix + ::feed (e.g. 2001:f60:xxxx:xx00::feed)

A successful response will show: Query parameter check OK, Record update OK, DDNS API update Success

Important: You must re-run this URL whenever your WAN IPv6 changes (after reboot or reconnection)

STEP 3 – Create the IPIP6 GIF Tunnel

  1. Go to Interfaces > Devices > GIF > Add
  2. Set Parent Interface to WAN
  3. Set GIF Remote Address to your Tunnel Destination IPv6 from enひかり (e.g. 2001:f60:0:200::4)
  4. Set GIF Local Address to your ::feed Virtual IP created in Step 1
  5. Set GIF Tunnel Local Address to your fixed IPv4
  6. Set GIF Tunnel Remote Address to 192.0.0.3
  7. Set Netmask to 32
  8. Check Disable Ingress Filtering
  9. Save and assign as new interface (e.g. FIXEDIP), enable it

STEP 4 – Add NAT Outbound Rule

  1. Go to Firewall > NAT > Outbound (Hybrid mode)
  2. Add rule: Interface FIXEDIP, Source LAN net, Destination any, Translation Interface address

—–

PART 4 – ROUTING

To use Fixed IP as default for all traffic:

  1. Go to Firewall > Rules > LAN
  2. Edit the default IPv4 allow rule
  3. Expand Advanced Options
  4. Set Gateway to your FIXEDIP gateway
  5. Save and Apply

To keep DS-Lite as default and use Fixed IP only for specific traffic:

Leave the default LAN rule gateway unchanged and create specific policy rules as needed.

—–

PART 5 – VERIFICATION

Check your IP at https://ipv4.icanhazip.com – it should show your fixed IPv4 if routing is set correctly.

To test from OPNsense shell (System > Diagnostics > Shell):

ping -S YOURFIXEDIPV4 8.8.8.8

curl --interface YOURFIXEDIPV4 https://ipv4.icanhazip.com

—–

KEY NOTES

– The ::feed Virtual IP is essential. Without it OPNsense cannot properly source the IPIP6 tunnel. This is the step nobody documents and why most people fail.

– The DDNS activation URL must be accessed over IPv6. If DS-Lite is routing your traffic over IPv4 it will fail with Error 700.

– DS-Lite AFTR address for Xpass is 2001:f60:0:200::1:1 (dgw.xpass.jp)

– Fixed IP BR address is provided by enひかり in your documents

– Both tunnels can run simultaneously

—–

TROUBLESHOOTING

DDNS returns Error 700: You are accessing it over IPv4 via DS-Lite. Disable DS-Lite temporarily and try again over IPv6.

Fixed IP gateway not appearing: Check that the ::feed Virtual IP is created and set as GIF Local Address in the tunnel.

Still showing DS-Lite IP: Go to Firewall > Rules > LAN and set the Gateway on the default IPv4 rule to your FIXEDIP gateway.

Tunnel drops after reboot: Re-run the DDNS activation URL. Consider automating this with a cron script.
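
One way to do the cron automation suggested above, as an added example that is not part of the original guide or any enひかり tooling. It derives the ::feed address from the delegated prefix, sends the Step 2 URL over IPv6 only, and treats any response without the success line as a failure. The function names and the FQDN, DDNS_PASS and PD_PREFIX variables are assumptions, and the values are assumed to contain only URL-safe characters.

```shell
#!/bin/sh
# Added example: re-run the Step 2 DDNS activation, IPv6 only.
# FQDN, DDNS_PASS and PD_PREFIX are assumed environment variables.
API="https://ddnsweb1.ddns.vbbnet.jp/cgi-bin/ddns_api.cgi"  # from Step 2

# feed_addr PREFIX[/56] -> PREFIX::feed (the Step 1 Virtual IP, no /128)
feed_addr() {
    p=${1%/*}   # drop "/56" if present
    p=${p%::}   # drop trailing "::"
    printf '%s::feed\n' "$p"
}

# ddns_url FQDN PASSWORD ADDR -> URL with the parameter layout from Step 2
ddns_url() {
    printf '%s?d=%s&p=%s&a=%s&u=%s\n' "$API" "$1" "$2" "$3" "$1"
}

# is_success RESPONSE -> 0 only if the final success line is present
is_success() {
    case $1 in
        *"DDNS API update Success"*) return 0 ;;
        *) return 1 ;;
    esac
}

# update FQDN PASSWORD PREFIX -> 0 on success, 1 rejected, 2 transport error
update() {
    url=$(ddns_url "$1" "$2" "$(feed_addr "$3")")
    # -6: never fall back to IPv4 (DS-Lite path gives Error 700).
    # --config -: URL is read from stdin, so the password stays out of `ps`.
    resp=$(printf 'url = "%s"\n' "$url" |
           curl -6 -sS --max-time 30 --config -) || return 2
    is_success "$resp" && return 0
    echo "DDNS update failed: $resp" >&2
    return 1
}

# Cron entry point: only touches the network when called with "run".
if [ "${1:-}" = "run" ]; then
    update "${FQDN:?}" "${DDNS_PASS:?}" "${PD_PREFIX:?}"
fi
```

Call it with the argument run from cron, with the three variables loaded from a file that only the cron user can read.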

—–

Guide based on enひかり フレッツ光クロス with Arteria Networks Xpass. Confirmed working on OPNsense 26 on Proxmox VM.

by Reasonable_Monk_1822