A quick guide to setting up an IPv6 tunnel using public 6to4 relays under GNU/Linux
Setting up a 6to4 tunnel will allow IPv6 (or dualstack) hosts on networks that only have Public IPv4 addresses to access sites and services that are available via IPv6. The main steps are calculating the IPv6 version of your Public IPv4 address; establishing a 6to4 tunnel to one of the free IPv6 relays available; and configuring the local network to route IPv6 via the tunnel.
Overview of the Topology
Calculate IPv6 version of Public IP and Setup 6to4 tunnel
Calculate the 6to4 prefix (/48) of your Public IPv4 Address (http://checkip.dyndns.org) using WYAE's IPv6 Tunnel Calculator at http://www.wyae.de/docs/ipv6calc/
Alternatively, calculate the prefix from a Bash prompt, as below:
# printf "2002:%02x%02x:%02x%02x\n" `echo 123.187.233.132 | tr . ' '`
2002:7bbb:e984
Create the tunnel named '6to4' and allow any traffic to leave via the IPv4 WAN address (the address of the network card that is the next hop towards the Internet, 192.168.0.17 in the below example):
# ip tunnel add 6to4 mode sit remote any local 192.168.0.17
Bring up the tunnel:
# ip link set 6to4 up
Assign an IPv6 address to the tunnel interface, beginning with the prefix calculated earlier:
# ip addr add 2002:7bbb:e984::1/16 dev 6to4
Set the default IPv6 route to use the standard 6to4 Anycast address:
# ip -6 route add default via ::192.88.99.1 dev 6to4
Enable IPv6 routing
Enable forwarding:
# echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
Install radvd (Router Advertisement Daemon) if not present:
# apt-get install radvd
Add an entry for your LAN interface to /etc/radvd.conf (use a /64 prefix made up of the 6to4 prefix calculated earlier plus padding, e.g. 'f00d' as below):
interface eth1 {
    AdvSendAdvert on;
    prefix 2002:7bbb:e984:f00d::/64 {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
Assign an address in the range specified in prefix to the LAN adaptor (e.g. 2002:7bbb:e984:f00d::1/64) by setting in /etc/network/interfaces:
allow-hotplug eth1
iface eth1 inet6 static
    address 2002:7bbb:e984:f00d::1
    netmask 64
Start radvd:
# /etc/init.d/radvd start
On a client, bring up the network interface:
# ip link set dev eth3 up
From radvd's advertisement, the client should have configured itself an address starting with the prefix specified in radvd.conf. Check the address, paying attention to the address shown in the global scope; that address is reachable from the IPv6 Internet unless the router filters forwarded traffic:
# ip -6 addr show dev eth3
2: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2002:7bbb:e984:f00d:a00:27ff:fe37:a19c/64 scope global dynamic
       valid_lft 85969sec preferred_lft 13969sec
    inet6 fe80::a00:27ff:fe37:a19c/64 scope link
       valid_lft forever preferred_lft forever
DNS Resolution
Modify /etc/resolv.conf to use Google's free IPv6 servers:
nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844
Testing
Show neighbors on the radvd router:
# ip -6 neigh show
2002:7bbb:e984:f00d:a00:27ff:fe37:a19c dev eth1 lladdr 08:00:27:37:a1:9c REACHABLE
Show neighbors on the autoconfigured client:
# ip -6 neigh show
fe80::a00:27ff:fe87:9124 dev eth3 lladdr 08:00:27:87:91:24 router STALE
2002:7bbb:e984:f00d::1 dev eth3 lladdr 08:00:27:87:91:24 REACHABLE
Show address of the interface:
# ip -6 addr show dev eth3
2: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2002:7bbb:e984:f00d:a00:27ff:fe37:a19c/64 scope global dynamic
       valid_lft 86359sec preferred_lft 14359sec
    inet6 fe80::a00:27ff:fe37:a19c/64 scope link
       valid_lft forever preferred_lft forever
Optionally, on the client: manually add the radvd router as the default gateway:
# ip -6 route add default via 2002:7bbb:e984:f00d::1
# ip -6 route show
2002:7bbb:e984:f00d::/64 dev eth3 proto kernel metric 256 expires 86187sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth3 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
default via fe80::a00:27ff:fe87:9124 dev eth3 proto kernel metric 1024 expires 1581sec mtu 1500 advmss 1440 hoplimit 64
default via 2002:7bbb:e984:f00d::1 dev eth3 metric 1024 mtu 1500 advmss 1440 hoplimit 4294967295
Test by pinging Google's DNS server. Use ping6 rather than ping.
# ping6 2001:4860:4860::8888
PING 2001:4860:4860::8888(2001:4860:4860::8888) 56 data bytes
64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=56 time=299 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=2 ttl=56 time=298 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=3 ttl=56 time=297 ms
^C
--- 2001:4860:4860::8888 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 297.606/298.244/299.020/0.585 ms
Ping Google's IPv6 site:
# ping6 ipv6.google.com
PING ipv6.google.com(fra07s07-in-x69.1e100.net) 56 data bytes
64 bytes from fra07s07-in-x69.1e100.net: icmp_seq=1 ttl=58 time=431 ms
^C
--- ipv6.google.com ping statistics ---
2 packets transmitted, 1 received, 50% packet loss, time 1000ms
rtt min/avg/max/mdev = 431.460/431.460/431.460/0.000 ms
Test web access with lynx:
Example Bash script to automatically configure 6to4 tunnel and update radvd.conf
(requires that lynx be installed and obviously needs to be modified to reflect different interfaces, etc.)
#!/bin/bash

# find WAN address
WAN_ADDR=$(ifconfig eth0 | grep 'inet addr' | awk -F: '{ print $2 }' | awk '{ print $1 }')
echo "WAN Address: $WAN_ADDR"

# find public IP address (piped directly, so root does not write a predictable file in /tmp)
PUBLIC_IPv4=$(/usr/bin/lynx -dump http://checkip.dyndns.org | grep Addr | awk '{print $4}')
# the value comes from a plain HTTP response: stop unless it is digits and dots only
case "$PUBLIC_IPv4" in
    ''|*[!0-9.]*) echo "Could not determine public IPv4 address" >&2; exit 1 ;;
esac
export PUBLIC_IPv4
echo "Public IPv4 address: $PUBLIC_IPv4"

# convert public IP address to create IPv6 prefix
PUBLIC_IPv6=$(printf "2002:%02x%02x:%02x%02x\n" $(echo "$PUBLIC_IPv4" | tr . ' '))
export PUBLIC_IPv6
echo "Public IPv6 prefix: $PUBLIC_IPv6"

echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

# create the tunnel and allow any traffic to leave via the WAN address
ip tunnel add 6to4 mode sit remote any local "$WAN_ADDR"

# bring up the tunnel
ip link set 6to4 up

# add the converted public IP to the tunnel
ip addr add "${PUBLIC_IPv6}::1/16" dev 6to4

# route all IPv6 traffic to the 6to4 converter via the tunnel
ip -6 route add default via ::192.88.99.1 dev 6to4

# add dns servers to resolv.conf
echo "
nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844
" > /etc/resolv.conf

# update radvd.conf (backup kept beside the original rather than in world-writable /tmp)
cp /etc/radvd.conf /etc/radvd.conf.BAK
echo "interface eth1 {
    AdvSendAdvert on;
    prefix ${PUBLIC_IPv6}:f00d::/64 {
        AdvOnLink on;
        AdvAutonomous on;
    };
};" > /etc/radvd.conf

# restart radvd
/etc/init.d/radvd restart
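An added example, not part of the original script: both the one-line prefix calculation near the top of the page and the script above hand an address straight to printf, and the script takes that address from an unauthenticated HTTP response while running as root. The functions below (sixto4_prefix and sixto4_lan_prefix, names chosen here) accept only a well-formed, globally routable IPv4 address and a hex subnet ID before printing a prefix. The list of rejected ranges is an assumption of this example and is not exhaustive.

```bash
#!/bin/bash
# Added example (not from the original page): derive a 6to4 prefix only from
# a well-formed, globally routable IPv4 address.

# sixto4_prefix ADDR: print "2002:xxxx:xxxx" for ADDR, or return 1.
sixto4_prefix() {
    local o o1 o2 o3 o4 rest
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;    # digits and single dots only
    esac
    IFS=. read -r o1 o2 o3 o4 rest <<EOF
$1
EOF
    [ -n "$o4" ] && [ -z "$rest" ] || return 1  # exactly four octets
    for o in "$o1" "$o2" "$o3" "$o4"; do
        case "$o" in
            ????*|0?*) return 1 ;;  # too long, or zero-padded (printf reads it as octal)
        esac
        [ "$o" -le 255 ] || return 1
    done
    # Private, loopback, link-local, shared (CGNAT), multicast and reserved
    # addresses are not globally unique, so they cannot anchor a 6to4 prefix.
    case "$o1" in 0|10|127) return 1 ;; esac
    [ "$o1" -ge 224 ] && return 1
    [ "$o1" -eq 169 ] && [ "$o2" -eq 254 ] && return 1
    [ "$o1" -eq 172 ] && [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] && return 1
    [ "$o1" -eq 192 ] && [ "$o2" -eq 168 ] && return 1
    [ "$o1" -eq 100 ] && [ "$o2" -ge 64 ] && [ "$o2" -le 127 ] && return 1
    printf '2002:%02x%02x:%02x%02x\n' "$o1" "$o2" "$o3" "$o4"
}

# sixto4_lan_prefix ADDR SUBNET: print the /64 to advertise in radvd.conf.
sixto4_lan_prefix() {
    local p
    case "$2" in
        ''|?????*|*[!0-9a-fA-F]*) return 1 ;;   # subnet ID: 1 to 4 hex digits
    esac
    p=$(sixto4_prefix "$1") || return 1
    printf '%s:%s::/64\n' "$p" "$2"
}

# Constructed sample inputs: the page's public address, its private WAN
# address, a zero-padded octet, and an HTTP error body instead of an address.
for a in 123.187.233.132 192.168.0.17 123.187.233.010 'Bad Gateway'; do
    sixto4_lan_prefix "$a" f00d || echo "rejected: $a" >&2
done
```

In the script, calling sixto4_prefix on the fetched value and exiting on failure keeps a malformed or private address out of the tunnel configuration and radvd.conf.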