IPv6
From Consultancy.EdVoncken.NET
A transition to Internet Protocol, version 6 is needed because we're running out of routable IPv4 addresses. During the transition period, you can run IPv6 over IPv4 using a tunnel.
IPv6 tunnel brokers:
- SixXS - free IPv6 tunnel
- Tunnelbroker (Hurricane Electric) - free IPv6 tunnel
Background
IPv6 Security
IPsec is designed into IPv6; secure communications should be easier to accomplish with IPv6.
IPv6 addressing
IPv6 offers a 128-bit address range compared to the 32-bit range in IPv4. The netmask is fixed at 64 bits, supporting 2^64 networks each consisting of 2^64 hosts. The network address is advertised by a routing daemon (radvd / rtadvd).
There is no more need for a DHCP server: each host can automagically derive its own IPv6 address, using its 48-bit MAC address as the basis for the host part. Since the network address is advertised, the full 128-bit IPv6 address is then known.
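The stateless autoconfiguration step described above, worked through as an added example (not code from the original page): the modified EUI-64 interface identifier is derived from a constructed MAC address and combined with the routed /64 used in the pfSense configuration on this page, and the reverse function shows that a default SLAAC address hands the MAC to anyone who sees the address.

```python
import ipaddress
from typing import Optional

# Routed /64 from this page's Tunnelbroker setup; the MAC below is constructed.
ROUTED_PREFIX = "2001:123:abc:345::/64"
EXAMPLE_MAC = "00:1e:c2:12:34:56"


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, App. A).

    The MAC is split in two, ff:fe is inserted in the middle and the
    universal/local bit (bit 1 of the first octet) is inverted.
    """
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # flip the U/L bit
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine the advertised /64 with the EUI-64 id, as a host hearing rtadvd does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfig needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_slaac(addr: str) -> Optional[str]:
    """Reverse direction: recover the MAC if the low 64 bits carry the ff:fe marker.

    Returns None for addresses that are not plain EUI-64 (e.g. privacy extensions).
    """
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02  # undo the U/L bit flip
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])


if __name__ == "__main__":
    addr = slaac_address(ROUTED_PREFIX, EXAMPLE_MAC)
    print(f"{EXAMPLE_MAC} in {ROUTED_PREFIX} -> {addr}")
    print(f"MAC visible in {addr}: {mac_from_slaac(str(addr))}")
```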
IPv6 and DNS
Configuration
IPv6 router with pfSense and Tunnelbroker
My configuration, a Tunnelbroker IPv6 tunnel on pfSense 1.2.3-RC1, is largely based on a blog posting by Remco Bressers. All commands are entered on the pfSense CLI (SSH command prompt).
Note: after signing up with Tunnelbroker, you will see two address ranges:
- One /64 range for the actual tunnel
- One routed /64 range for your network
These addresses look quite similar, so it is easy to mix them up by mistake, as I found out.
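To catch the mix-up described above, here is an added check (not from the original page) that takes the tunnel endpoints, the LAN gateway address and the prefix handed to rtadvd and reports any inconsistency; the values in the test are the anonymised ones from this page.

```python
import ipaddress
from typing import List


def check_tunnel_plan(server_v6: str, client_v6: str,
                      lan_gateway: str, advertised_prefix: str) -> List[str]:
    """Return a list of problems with a Tunnelbroker/pfSense address plan.

    server_v6 / client_v6: the two tunnel endpoints with their /64, as shown on
    the broker page.  lan_gateway: the address put on em0 (with /64).
    advertised_prefix: the prefix given to rtadvd.  A correct plan has both
    endpoints in the tunnel /64, the LAN gateway and rtadvd prefix inside the
    routed /64, and the two /64s distinct.
    """
    problems = []
    server = ipaddress.IPv6Interface(server_v6)
    client = ipaddress.IPv6Interface(client_v6)
    lan = ipaddress.IPv6Interface(lan_gateway)
    routed = ipaddress.IPv6Network(advertised_prefix, strict=False)
    tunnel = server.network

    if client.network != tunnel:
        problems.append("tunnel endpoints are not in the same /64")
    if lan.network.prefixlen != 64 or routed.prefixlen != 64:
        problems.append("LAN and advertised prefix must be /64 for stateless autoconfig")
    if lan.network != routed:
        problems.append("address on em0 is not inside the prefix rtadvd advertises")
    if routed.overlaps(tunnel):
        problems.append("routed prefix collides with the tunnel prefix (the two got mixed up)")
    return problems


if __name__ == "__main__":
    # Correct plan, using the (anonymised) addresses from this page.
    print(check_tunnel_plan("2001:123:aaa:345::1/64", "2001:123:aaa:345::2/64",
                            "2001:123:abc:345::1/64", "2001:123:abc:345::/64"))
    # The mix-up: tunnel /64 used on the LAN as well.
    print(check_tunnel_plan("2001:123:aaa:345::1/64", "2001:123:aaa:345::2/64",
                            "2001:123:aaa:345::1/64", "2001:123:aaa:345::/64"))
```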
/usr/local/etc/rc.d/00-tunnelbroker.sh
In the script below, "Server" is the Tunnelbroker POP in Amsterdam, NL. "Client" is my static WAN IP address. Some addresses were changed to protect the innocent ;-)
#!/bin/sh
#########################
### IPv6 Tunnelbroker ###
#########################
/usr/bin/logger "Setting up IPv6 tunnel with Tunnelbroker... "
# Tunnelbroker information:
# Server IPv4 address: 216.66.84.46
# Server IPv6 address: 2001:123:aaa:345::1/64
# Client IPv4 address: 88.123.67.231
# Client IPv6 address: 2001:123:aaa:345::2/64
# Routed /64: 2001:123:abc:345::/64
# Configure IPv6, see http://forum.pfsense.org/index.php/topic,9664.0.html
# and instructions at https://www.sixxs.net/faq/connectivity/?faq=ossetup&os=freebsd
# Configure the tunnel device (taken from Tunnelbroker.net)
#
ifconfig gif0 create
ifconfig gif0 tunnel 88.123.67.231 216.66.84.46
ifconfig gif0 inet6 2001:123:aaa:345::2 2001:123:aaa:345::1 prefixlen 128
route -n add -inet6 default 2001:123:aaa:345::1
ifconfig gif0 up
# Set my routable IPv6 Endpoint address on the LAN interface
ifconfig em0 inet6 2001:123:abc:345::1 prefixlen 64 alias
# If you plan to use your machine as a router:
sysctl -w net.inet6.ip6.forwarding=1
####################################
### Routing Advertisement Daemon ###
####################################
# Configure the Routing Advertisement Daemon for stateless autoconfig on my LAN
echo 'em0:\' >/etc/rtadvd.conf
echo ' :addrs#1:addr="2001:123:abc:345::":prefixlen#64:tc=ether:' >>/etc/rtadvd.conf
# Start routing daemon
/usr/sbin/rtadvd -d -D -c /etc/rtadvd.conf em0
# EOF
/usr/local/etc/rc.d/01-firewall6.sh
After running the 00-tunnelbroker.sh script, your IPv6 tunnel and routable network are configured. Before IPv6 can actually be used, the firewall rules need to be updated. This is done by modifying the /tmp/rules.debug file that pfSense generates.
#!/bin/sh
# See: http://remcobressers.nl/2009/08/configuring-native-ipv6-pfsense/
########################
### IPv6 Firewalling ###
########################
/usr/bin/logger "Setting up IPv6 firewall rules... "
lan="{ em0 }"
wan="{ em1 }"
# Configure PF
# pfSense puts its rules in /tmp/rules.debug for debugging purposes after boot
# We will use these rules, add IPv6 additions, read the config with pfctl and
# disable and enable PF
cat /tmp/rules.debug | sed "/User-defined rules follow/{ p;s/.*/\
pass in quick on $lan inet6 from any to any\\
pass out quick on $lan inet6 from any to any\\
pass out quick on $wan inet6 from any to any\\
pass quick proto ipv6-icmp from any to any\\
pass in on $wan inet6 proto tcp from any to any port 22\\
/;}" > /tmp/rules.config-ipv6.txt
# Read the new PF configuration file
pfctl -f /tmp/rules.config-ipv6.txt
pfctl -d; pfctl -e
# EOF
Hook into firewall update script
Every change in the GUI results in a rewrite of the firewall rules. To survive these rewrites, create a link from our startup script into the pf hook-scripts directory:
# ln -s /usr/local/etc/rc.d/01-firewall6.sh /usr/local/pkg/pf/
# ls -l /usr/local/pkg/pf/
total 0
lrwxr-xr-x  1 root  wheel  35 Sep 27 14:06 01-firewall6.sh -> /usr/local/etc/rc.d/01-firewall6.sh
Test the IPv6 link
Ping your end of the tunnel:
# ping6 2001:123:aaa:345::2
Ping the remote end of the tunnel:
# ping6 2001:123:aaa:345::1
Ping an actual IPv6 host on the Internet:
# ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:123:aaa:345::2 --> 2001:4860:a005::68
16 bytes from 2001:4860:a005::68, icmp_seq=0 hlim=58 time=9.283 ms
16 bytes from 2001:4860:a005::68, icmp_seq=1 hlim=58 time=8.837 ms
16 bytes from 2001:4860:a005::68, icmp_seq=2 hlim=58 time=9.117 ms
IPv6 client, Mac OS X Leopard
With the pfSense box acting as an IPv6 gateway and router advertisement daemon, client configuration becomes quite simple.
IPv6 Client configuration
- Go to System Preferences, Network.
- Click Advanced, and select the TCP/IP tab.
- Enable IPv6, set it to "Configure IPv6: Automatically", and click OK.
If all is well, your Mac will obtain an IPv6 address from your routable /64 range.
Test the IPv6 link
Ping your end of the tunnel:
# ping6 2001:123:aaa:345::2
Ping the remote end of the tunnel:
# ping6 2001:123:aaa:345::1
Ping an actual IPv6 host on the Internet:
macbookpro:~ ed$ ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:123:abc:345:21e:dead:beef:9efd --> 2001:4860:a005::68
16 bytes from 2001:4860:a005::68, icmp_seq=0 hlim=57 time=19.894 ms
16 bytes from 2001:4860:a005::68, icmp_seq=1 hlim=57 time=13.432 ms
16 bytes from 2001:4860:a005::68, icmp_seq=2 hlim=57 time=10.376 ms