- Contact Info
- matt@haught.org
IPv6 Tunnel
Introduction
IPv6 is the latest version of the Internet Protocol and is intended to replace the current version, IPv4. IPv6 was designed to overcome many of the shortcomings of the current protocol. The increased address space is the most recognized shortcoming that IPv6 overcomes. Other advantages include simplified IPsec and QoS support, stateless autoconfiguration of hosts, better Mobile IP, improved multicasting, and less packet fragmentation. The main problem with IPv6 is that ISPs don't support the new technology. ISPs get a premium for the small address space they hand out at every tier, so with the comparatively unlimited address space IPv6 has, it is not in their interest from a profit standpoint. If my ISP supported IPv6, I could get directly connected to the new network easily, but they don't. As an alternative, a tunnel broker can be used: the IPv6 traffic is encapsulated in IPv4 packets (6in4, IP protocol 41) between my network and the broker, and all IPv6 traffic from my network is routed through the broker. This page describes how to set up FreeBSD 6 for use with IPv6 and a tunnel broker.
IPv6 Broker
The most important part of the IPv6 tunnel is the broker. The broker accepts all the IPv6 traffic from my network and routes it to the correct place. There are many brokers available all across the world. Some require a special client to set up the tunnel while others use a static configuration. I tried freenet6 a while back, but never really liked having to use a third-party client. I used the Hurricane Electric IPv6 Tunnel Broker for a while, but I have had the most success with SixXS. SixXS has PoPs all over the world and does not require a client application. The best part is that you can obtain an entire /48 network, so you can create multiple /64 subnets and still use stateless autoconfiguration. SixXS uses credits that you gain by having uptime. The more uptime, the more credits you can use for tunnels and such.
Layout
 -----------------               -------------------   ___2001:1234:1234:0001::1 (fxp1)
 | Tunnel Broker |               |    FreeBSD 6    |-/
 | 64.71.128.82  |======//=======|  66.35.250.151  |-\___2001:1234:1234:0002::1 (fxp2)
 -----------------               -------------------
 2001:FFFF:FFFF:FFFF::396        2001:FFFF:FFFF:FFFF::397
The diagram above shows the basic layout of the tunnel. The IPv4 tunnel is set up between these two hosts, and each end of it gets an IPv6 address; the broker's end is the address all IPv6 traffic from my network will be routed to. These addresses are all given by the tunnel broker when you sign up.
Kernel
To support IPv6 and create the tunnel, an option and a device need to be enabled in the kernel config. Luckily both are enabled by default in the GENERIC kernel for FreeBSD 6, so unless you have built a custom kernel there is nothing to do. In case you have, here are the options:
options INET6
device gif
rc.conf Configuration
To get the tunnel to work on boot, a few settings need to be set in /etc/rc.conf. Below are the options for IPv6 and the tunnel.
ipv6_enable="YES"
ipv6_gateway_enable="YES"
ipv6_network_interfaces="fxp1 fxp2 lo0 gif0"
gif_interfaces="gif0"
gifconfig_gif0="69.134.137.178 66.35.250.151"
ifconfig_gif0="inet6 2001:FFFF:FFFF:FFFF::397 2001:FFFF:FFFF:FFFF::396 prefixlen 128"
ipv6_defaultrouter="2001:FFFF:FFFF:FFFF::396"
The first two options enable IPv6 and turn on forwarding for the rest of my local network. The third lists the interfaces that get IPv6 configured at boot. The fourth and fifth create the gif tunnel between the two IPv4 addresses; the order is the local address first, then the broker's. The sixth assigns the IPv6 endpoints to the gif interface (again local first, then the broker's). The last line sets the default IPv6 router, which is the broker's end of the tunnel. Check all of these against what the broker's web page shows for your tunnel: the IPv4 addresses in this rc.conf and in the diagram above do not match each other, so substitute your own rather than copying either.
ipv6_ifconfig_fxp1="2001:1234:1234:0001::1 prefixlen 64"
ipv6_ifconfig_fxp2="2001:1234:1234:0002::1 prefixlen 64"
rtadvd_enable="YES"
rtadvd_interfaces="fxp1 fxp2"
The first two lines set up the IPv6 subnets (one /64 each) on the internal interfaces fxp1 and fxp2, and the last two start rtadvd on those interfaces so inside hosts can use stateless autoconfiguration. Each advertised subnet must be a /64 for that to work, which is why getting a /48 from the broker is convenient.
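Because rc.conf is just sh variable assignments, the tunnel settings above can be checked offline before a reboot. The script below is an added example (not from the original page): it sources a copy of the rc.conf fragment and verifies that gifconfig_gif0 holds two IPv4 addresses, that the remote end in ifconfig_gif0 is the same address as ipv6_defaultrouter, that gif0 is listed for IPv6 configuration, and that rtadvd is only enabled on a forwarding box with a /64 on every advertised interface. The function name and the sample file paths are the example's own choices; the sample input is the configuration from this page plus a deliberately broken copy.

```sh
#!/bin/sh
# Added example, not from the original page: an offline sanity check of the
# tunnel-related rc.conf settings before rebooting. rc.conf is ordinary sh
# variable assignments, so the file can be sourced and its values inspected.
# The function name and the sample file paths are this example's own choices.

check_tunnel_rcconf() (
    # Runs in a subshell so the sourced variables do not leak into the caller.
    conf=$1
    status=0
    # "." searches PATH for a bare filename, so force a path with a slash.
    case $conf in */*) ;; *) conf=./$conf ;; esac
    . "$conf"

    # IPv6 must be on and gif0 must be among the interfaces that get IPv6 set up.
    [ "$ipv6_enable" = "YES" ] || { echo "ipv6_enable is not YES"; status=1; }
    case " $ipv6_network_interfaces " in
        *" gif0 "*) ;;
        *) echo "gif0 is missing from ipv6_network_interfaces"; status=1 ;;
    esac

    # gifconfig_gif0 is "<local IPv4> <remote IPv4>": exactly two dotted quads.
    set -- $gifconfig_gif0
    if [ $# -ne 2 ]; then
        echo "gifconfig_gif0 must be '<local IPv4> <broker IPv4>'"; status=1
    else
        for a in "$1" "$2"; do
            echo "$a" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
                { echo "gifconfig_gif0: '$a' is not an IPv4 address"; status=1; }
        done
    fi

    # ifconfig_gif0 is "inet6 <local v6> <remote v6> prefixlen 128"; the remote
    # end of the tunnel is the broker, and it must also be the default router.
    set -- $ifconfig_gif0
    if [ "$1" != "inet6" ] || [ $# -lt 3 ]; then
        echo "ifconfig_gif0 must start with 'inet6 <local> <remote>'"; status=1
    elif [ "$3" != "$ipv6_defaultrouter" ]; then
        echo "ipv6_defaultrouter ($ipv6_defaultrouter) is not the gif0 remote end ($3)"
        status=1
    fi

    # Advertising prefixes on the inside only makes sense on a forwarding box,
    # and stateless autoconfiguration needs a /64 on every advertised interface.
    if [ "$rtadvd_enable" = "YES" ]; then
        [ "$ipv6_gateway_enable" = "YES" ] ||
            { echo "rtadvd_enable=YES but ipv6_gateway_enable is not YES"; status=1; }
        for ifn in $rtadvd_interfaces; do
            eval "addr=\$ipv6_ifconfig_$ifn"
            case "$addr" in
                *"prefixlen 64") ;;
                *) echo "$ifn: rtadvd needs ipv6_ifconfig_$ifn with prefixlen 64"; status=1 ;;
            esac
        done
    fi
    exit $status
)

# Constructed sample input: the settings from this page, plus a copy whose
# default router points at the wrong (local) end of the tunnel.
TUNNEL_TMP=$(mktemp -d)
GOOD_CONF="$TUNNEL_TMP/rc.conf.good"
BAD_CONF="$TUNNEL_TMP/rc.conf.bad"
cat > "$GOOD_CONF" <<'EOF'
ipv6_enable="YES"
ipv6_gateway_enable="YES"
ipv6_network_interfaces="fxp1 fxp2 lo0 gif0"
gif_interfaces="gif0"
gifconfig_gif0="69.134.137.178 66.35.250.151"
ifconfig_gif0="inet6 2001:FFFF:FFFF:FFFF::397 2001:FFFF:FFFF:FFFF::396 prefixlen 128"
ipv6_defaultrouter="2001:FFFF:FFFF:FFFF::396"
ipv6_ifconfig_fxp1="2001:1234:1234:0001::1 prefixlen 64"
ipv6_ifconfig_fxp2="2001:1234:1234:0002::1 prefixlen 64"
rtadvd_enable="YES"
rtadvd_interfaces="fxp1 fxp2"
EOF
sed 's/^ipv6_defaultrouter=.*/ipv6_defaultrouter="2001:FFFF:FFFF:FFFF::397"/' \
    "$GOOD_CONF" > "$BAD_CONF"

check_tunnel_rcconf "$GOOD_CONF" && echo "$GOOD_CONF: OK"
check_tunnel_rcconf "$BAD_CONF" || echo "$BAD_CONF: rejected"
```

Run it against a copy of your real /etc/rc.conf (the whole file sources fine) and fix anything it reports before rebooting; a default router that is not the far end of gif0 is the most common reason a freshly configured tunnel passes no traffic.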
Firewall
With the tunnel set up and forwarding, all your inside hosts are reachable from the outside, even if you NAT your IPv4 addresses. Although few people use IPv6, and scanning such a large subnet would take ages, a basic set of firewall rules is advised. Every host should be firewalled, but often the inside network needs to be a bit more flexible, so filtering on our gateway will help out. Here is a basic set of rules for pf that will block everything but icmp6. With this you can ping any host on the inside, but not access any tcp/udp resources from the outside. If you don't know what the rules below are doing, don't even think of setting up a tunnel. Below is a small snippet of a few rules related to IPv6 that can be used for filtering IPv6 traffic. Note that these are pass rules only: they assume a block-by-default rule (for example block all) earlier in the ruleset, and without one nothing is filtered.
int_if = "fxp1"
tun_if6 = "gif0"
pass out quick proto ipv6 all keep state
pass in quick on $tun_if6 inet6 proto icmp6 from any to { $int_if:network, $tun_if6:network }
pass out quick on $tun_if6 inet6 from { $int_if:network, $tun_if6:network } to any keep state
The first two lines set up variables for the interfaces used. The first is the inside interface and the second is the gif interface. The third line lets the encapsulated tunnel packets out on the IPv4 side: pf's proto ipv6 means IP protocol 41 (6in4), not IPv6 traffic in general. Without this line a "sendmsg: Operation not permitted" error will occur when using ping6. The fourth allows incoming ICMPv6 from the tunnel to pass through; there are many web sites that will ping your local IPv6 addresses, and that line enables those pings to pass in. It passes every ICMPv6 type, not just echo requests, which is more than the description above strictly needs. The fifth line allows your outgoing IPv6 requests to pass with their state kept. This will allow you to visit IPv6 web sites, use IPv6 IRC, and ping IPv6 hosts.
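A complete ruleset for the gateway, as an added example rather than the page's own rules: the script writes a pf.conf built from the interface names on this page and then checks it. The ISP-facing interface name fxp0 is an assumption (the page never names it), and the broker address is the remote end from the page's gifconfig_gif0. Compared with the snippet above, this ruleset blocks by default, passes 6in4 only between this host and the broker, lets only ICMPv6 echo requests in from the tunnel, and passes the neighbor discovery and router advertisement types that the rtadvd setup on the inside interfaces depends on.

```sh
#!/bin/sh
# Added example, not the page's own ruleset: a complete pf.conf for the tunnel
# gateway, generated from the page's interface names, plus a check of it.
# "fxp0" as the ISP-facing interface is an assumption (the page never names
# it); the broker address is the remote end from the page's gifconfig_gif0.
# Compared with the snippet on this page the ruleset (1) blocks by default,
# (2) passes 6in4 (IP protocol 41) only between this host and the broker,
# (3) lets only ICMPv6 echo requests in from the tunnel, and (4) passes the
# neighbor discovery and router advertisement types the inside LAN needs.

write_pf_conf() {
    cat > "$1" <<'EOF'
ext_if    = "fxp0"
int_if    = "fxp1"
int_if2   = "fxp2"
tun_if6   = "gif0"
broker_v4 = "66.35.250.151"

# Default deny for both address families; everything below is an exception.
block in log all
block out log all

# The 6in4 encapsulation itself, restricted to the broker's address. The
# inbound rule keeps the tunnel working after the outbound state has expired.
pass out quick on $ext_if inet proto ipv6 from $ext_if to $broker_v4 keep state
pass in  quick on $ext_if inet proto ipv6 from $broker_v4 to $ext_if keep state

# Inside hosts (and the gateway itself) may open IPv6 connections outward.
pass out quick on $tun_if6 inet6 from { $int_if:network, $int_if2:network, $tun_if6 } to any keep state

# From the Internet, only ICMPv6 echo requests reach inside hosts. ICMPv6
# errors (packet too big, unreachable) that belong to a tracked connection
# are matched to that state by pf and need no rule of their own.
pass in quick on $tun_if6 inet6 proto icmp6 from any to { $int_if:network, $int_if2:network } icmp6-type echoreq

# LAN side: neighbor discovery and rtadvd's router advertisements, then
# anything the inside hosts send out.
pass quick on { $int_if, $int_if2 } inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv, routersol, routeradv }
pass in quick on { $int_if, $int_if2 } inet6 from { $int_if:network, $int_if2:network } to any keep state
EOF
}

# The page's snippet has only pass rules; a ruleset filters anything only if
# the first rule after the macros is a block. pfctl -n parses without loading
# the rules and is used when this runs on a pf host.
check_pf_conf() {
    first=$(grep -Ev '^[[:space:]]*(#|$)' "$1" |
            grep -Ev '^[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=' | head -n 1)
    case "$first" in
        block*) ;;
        *) echo "first rule is '$first', not a default block"; return 1 ;;
    esac
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1" || return 1
    fi
    return 0
}

PF_CONF=$(mktemp)
write_pf_conf "$PF_CONF"
check_pf_conf "$PF_CONF" && echo "$PF_CONF: ruleset looks sane"
```

On the FreeBSD box itself, pfctl -nf /etc/pf.conf is the check that matters; the block-first test is only there so the mistake the page warns about (pass rules with no default block) is caught even where pfctl is unavailable.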
