My ISP, Skynet Belgacom Proximus, has been rolling out IPv6 since 2013. However, you need a B-Box 3 in order to get it. Recently, my B-Box 2 decided to stop working, so I got a (free) upgrade to a B-Box 3 (but see below).

The out-of-the-box setup that the B-Box 3 gives is actually quite good. You get a private (RFC1918) IPv4 /24 subnet, by default, but configurable. These addresses are NATed behind the single public IPv4 address that is assigned to the B-Box 3. (I noticed that on Proximus’ cellular data service, you get assigned a non-public RFC6598 address, but this is not (yet) the case for DSL)

For IPv6, you get a public /64 subnet, announced with a router advertisement:

  • The Managed address configuration flag is cleared: no DHCPv6 to get your IP address
  • The Other configuration flag is cleared: no other information is available via DHCPv6
  • A /64 prefix with:
    • On-Link flag set
    • Autonomous address configuration set
    • Lifetime of 4 day and 1 minute (both preferred and valid)

Note that there is no DNS information for IPv6, so DNS still requires IPv4.


Unfortunately, I ran in to several issues with this default setup:

  • Since the B-Box has the public IPv4 address, I need to jump through hoops to find out what address was assigned to me. It’s easier if I get the IPv4 address myself on my router.
  • Inbound IPv6 traffic is not allowed by the firewall inside the B-Box 3. One of the main advantages of IPv6 (restored end-to-end connectivity) is thereby blocked.
    • You can configure a single “DMZ host”, which should allow inbound traffic on both IPv4 and IPv6. Unfortunately, this didn’t seem work.

I’ve contacted Proximus about this last issue. I didn’t expect much of an answer, but contrary to my expectations, they actually looked in to the issue. I learned that Proximus actually has 2 devices that are called B-Box 3. One has Technicolor hardware, the other is made by Sagemcom. The Proximus engineer tried to reproduce my setup, and confirmed that on the Sagemcom-variant, it indeed did not work. They consider it a bug, so I expect it to be solved in the future. For reference, the current versions on my B-Box 3:

Software Version 6.28.221A
GUI Version 5.0.12
Hardware Version 2.1
Datapump Version A2pv6F039f3

The engineer also informed me that “full” IPv6 connectivity (i.e. multiple “DMZ hosts”) will probably never be configurable.

The solution

Luckily, the B-Box 3 is configured for “PPPoE passthrough”: you can simply set up an independent PPPoE session from the “LAN”-side, and the B-Box 3 will simply pass that on transparently, acting as a dumb bridge/modem.

I’ll skim over the IPv4 part of PPPoE. There is plenty of documentation on that. After running the Active Discovery, we get a destination MAC address and a Session ID to run PPP over. Next, LCP negotiates the link MTU, and asks for the username and password. In my case, authentication happens over CHAP, which means that the password is not sent over the wire in the clear. Next IPCP requests the usual stuff: IP address, DNS servers, gateway address. And we’re up and running.

The IPv6 part kicks in at the same time that IPCP requests IPv4 settings: IPv6CP exchanges “interface identifiers”, the lower 64 bits of the link-local addresses of both ends of the line. Once the link-local part of IPv6 is working, the usual Router Sollicitation and/or Router Advertisements are sent over the PPP link.

The router advertisement contains:

  • The Managed address configuration flag is cleared: no DHCPv6 to get your IP address
  • The Other configuration flag is set: other information is available via DHCPv6
  • A /64 prefix with:
    • On-Link flag set
    • Autonomous address configuration set
    • Lifetime of 1 day (preferred) and 2 days (valid)

Note that it does not contain an RDNSS option.

So the router can assign itself an EUI-64 address in this prefix, and get full connectivity.

I don’t understand why the On-Link flag is set. This means that Proximus is assigning a full /64 just for talking between the two ends of the PPP link. It would make more sense to have a single /64 pool for the Access Concentrator, and unset the on-link flag.

Getting an IPv6 prefix for the LAN

Getting an IPv6 prefix delegated is done over DHCPv6, by (additionally) setting the Identity Association for Prefix Delegation option. With some luck, the DHCPv6 server will assign you a /56 prefix with a lifetime (both preferred and valid) of 4 days and 1 minute.

Note that we still don’t get IPv6 DNS servers supplied, even though it was requested, so we still need IPv4 for DNS.


To get IPv6 connectivity, you obviously need an IPv6 capable router. The B-Box 3 has this capability, while the B-Box 2 does not. However, it appears that your account itself needs to be activated for IPv6 as well. I’ve used my (activated) account though a B-Box 2 (in PPPoE passthough) and got IPv6 connectivity. I also tried to configure another account (belonging to a B-Box 2 user) on my B-Box 3, but did not get IPv6 connectivity.

Connecting a fresh out-of-the-box B-Box 3 to a DSL line, replacing a B-Box 2, did activate IPv6 for the associated account.


  1. cast42 says:

    I enjoyed reading this. Thanks for writing this.

  2. fger1 says:

    Thanks for sharing!

Leave a Reply

Anti-Spam Quiz: