Gentoo Forums
Documentation, Tips & Tricks
How to get Gentoo running as an IPv6 router/firewall.
GurliGebis
Retired Dev
Joined: 08 Aug 2002
Posts: 509

PostPosted: Mon Apr 28, 2003 5:00 pm    Post subject: How to get Gentoo running as an IPv6 router/firewall.

How to get Gentoo running as an IPv6 router/firewall.

First we need some things to be done:

1: You need to have an IPv6 segment (you can get one from http://www.xs26.net or http://ipng.org.uk/). This guide is based on the http://ipng.org.uk/ settings, but it shouldn't be much different with any other one.
2: You will also need to have a reverse DNS set up, look at http://ipng.org.uk/ to see how this is done with BIND.

This all is based on this configuration:

eth0 = external interface of router/firewall
eth1 = internal interface of router/firewall

Ok, lets get to work.

1: Kernel configuration. (Based on gentoo-sources-2.4.20-r2)

Here is what is needed:

In Networking options:
Code:

[*] Network packet filtering (replaces ipchains)
[*] Socket Filtering
<*>   The IPv6 protocol (EXPERIMENTAL)


In Networking options -> IPv6: Netfilter Configuration:
Code:

<*> Userspace queueing via NETLINK (EXPERIMENTAL)
<*> IP6 tables support (required for filtering/masq/NAT)
<*>   limit match support
<*>   MAC address match support
<*>   Condition variable match support
<*>   HL match support
<*>   Routing header match support (EXPERIMENTAL)
<*>   Hop-by-Hop and Dst opts header match (EXPERIMENTAL)
<*>   Fragmentation header match support (EXPERIMENTAL)
<*>   Multiple port match support
<*>   Owner match support (EXPERIMENTAL)
<*>   netfilter MARK match support
<*>   Packet Length match support
<*>   EUI64 address check (EXPERIMENTAL)
<*>   AH/ESP match support (EXPERIMENTAL)
<*>   IPv6 Extension Headers Match (EXPERIMENTAL)
<*>   Packet filtering
<*>     HL target support
<*>     LOG target support
<*>     REJECT target support
<*>   Packet mangling
<*>     MARK target support


Then compile the kernel and copy it to /boot.
BEFORE you reboot, emerge the things that get messed up by a new kernel (iptables, nvidia-kernel etc.).
Reboot to use the new kernel.

2: Obtaining an IPv6 segment

First, go to http://ipng.org.uk/ and click signup, fill in all the required information and submit it.
Now wait about 3 minutes, and you should be able to log in.

Now you have to submit the address of your reverse DNS, read at the page for how to set this up.

Once this is set up correctly, your information will be like this:

Your IPv6 prefix is:: 2001:618:4:1234::/64
Your ipv6 tunnel end ip is:: 2001:618:4:2000::1235
The IPNG ipv6 tunnel end ip is:: 2001:618:4:2000::1236
The IPNG ipv4 tunnel end ip is:: 213.253.1.201
(1234, 1235 and 1236 will be different for you)

If your IPv6 prefix is: ::/64, then you still need to submit your reverse DNS.

If this is done, then congratulations, you just got your own private IPv6 segment :)

3: Installing the needed utilities
These utilities are needed, so emerge those you don't have:

Code:

iptables
iproute


4: Making the script to make it work

Here is the init script I use, it is called net.ipv6:

Code:

#!/sbin/runscript
depend() {
        need net
        before iptables
}

start() {
        ebegin "Starting up IPv6"
        einfo "Setting up tunnel"
        # sit = IPv6-in-IPv4 (IP protocol 41); remote = the IPNG IPv4 tunnel end
        /sbin/ip tunnel add ipng mode sit ttl 64 remote 213.253.1.201
        einfo "Bringing ipng up"
        /sbin/ifconfig ipng up
        einfo "Adding IPv6 address to ipng"
        # /128 = a single host address; the tunnel is point-to-point
        /sbin/ifconfig ipng add 2001:618:4:2000::1235/128
        einfo "Adding IPv6 address to eth1"
        # the router takes ::1 of the /64 prefix on the internal interface
        /sbin/ifconfig eth1 add 2001:618:4:1234::1/64
        einfo "Adding default route"
        # 2000::/3 is the global unicast range, so this acts as the default route
        /sbin/ip ro add 2000::/3 dev ipng
        eend 0
}

stop() {
        # tear everything down in the reverse order of start()
        ebegin "Shutting down IPv6"
        einfo "Removing default route"
        /sbin/ip ro del 2000::/3 dev ipng
        einfo "Removing IPv6 address from eth1"
        /sbin/ifconfig eth1 del 2001:618:4:1234::1/64
        einfo "Removing IPv6 address from ipng"
        /sbin/ifconfig ipng del 2001:618:4:2000::1235/128
        einfo "Bringing ipng down"
        /sbin/ifconfig ipng down
        einfo "Removing tunnel"
        /sbin/ip tunnel del ipng
        eend 0
}


Save it as /etc/init.d/net.ipv6 and do a:

Code:
rc-update add net.ipv6 default


(It has a little bug when shutting down, but that doesn't do any harm.) (If people don't understand what I mean with the (text)/128, please tell me, and I'll try to explain it a bit better.) (I know the header of the init script is missing, this is because I don't know how to make it "The Gentoo Way" :) )

So far, so good. Now we need to edit /etc/conf.d/iptables and enable IPv6 forwarding.

5: Final stuff to be done

If you have an iptables firewall that by default blocks traffic coming from the outside, you will need to add this one to it:

Code:
iptables -A INPUT -i eth0 -p ipv6 -j ACCEPT
(eth0 = your external interface)

6: Testing it

First, reboot to make sure the network and tunnel get started with the system, and without errors.
Once the system is up, go here: http://ipng.org.uk/lg.cgi and select ping6 as the tool, and write this in the textbox: 2001:618:4:1234::1 .
If everything goes well, it will ping you and get an answer back.

7: Setting up clients to use the router with IPv6

Since we don't use masquerading, every client will have its own public IPv6 address. If people want to firewall traffic, it can be done on the router between the ipng and the eth1 interfaces with the ip6tables command; man ip6tables for more info on this subject.

Well, back to getting the clients up and running.

Windows 2000/XP
Well, somebody might still be using this :)
Get a command prompt and do this:

Code:

ipv6 install


Then do this:

Code:

ipv6 if


Now find your network interface and remember what number it has (normally 4). (X in the script a bit below is this number)

After doing this, it should have installed the IPv6 stack, now make a .bat file for giving your NIC an IPv6 address.

Code:

ipv6 rtu 2002::/16 X
ipv6 adu X/2001:618:4:1234::2
ipv6 rtu ::/0 X/2001:618:4:1234::1 pub life 1800


Now create a shortcut to this .bat file in your startup folder.

Linux

I haven't yet made a client IPv6 init script, but it only has to run these 2 commands:

Code:

ifconfig eth0 add 2001:618:4:1234::2/64
route -A inet6 add 2000::/3 gw 2001:618:4:1234::1


(eth0 = interface connected to eth1 on the router/firewall)

That should complete this, PLEASE give me feedback on this one
_________________
Queen Rocks.


Last edited by GurliGebis on Thu May 08, 2003 2:05 pm; edited 1 time in total
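A stateless ip6tables ruleset for the router described in the guide, as an added example that is not part of the original post or of any Gentoo script. It assumes the guide's names and values (ipng, eth1, 2001:618:4:1234::/64, IPNG tunnel end 213.253.1.201), that only the matches listed in the kernel section exist (2.4.20 has no IPv6 connection tracking, hence `! --syn` instead of a state match), and that the list of published TCP ports (LAN_TCP_OPEN, here 22) is your own choice.

```shell
#!/bin/sh
# Added example, not from the thread: firewall rules for the IPv6 router in
# the guide. Without an argument it prints the rules; "apply" runs them.
IP6T=${IP6T:-/sbin/ip6tables}
IPT=${IPT:-/sbin/iptables}
EXT=ipng                          # sit tunnel interface from net.ipv6
INT=eth1                          # internal interface
LAN=2001:618:4:1234::/64          # delegated prefix (yours differs)
TUNNEL_V4=213.253.1.201           # IPNG IPv4 tunnel end
LAN_TCP_OPEN=${LAN_TCP_OPEN:-22}  # LAN services reachable from outside (assumption)

ip6_rules() {
    # Emits one command per line so the set can be reviewed before applying.
    cat <<EOF
# IPv4 side: narrower than the guide's rule, only the tunnel peer may send protocol 41
$IPT -A INPUT -i eth0 -p ipv6 -s $TUNNEL_V4 -j ACCEPT
# IPv6 side: default deny for routed traffic, then explicit holes
$IP6T -P FORWARD DROP
$IP6T -F FORWARD
# anti-spoofing: nothing arriving over the tunnel may claim our own prefix
$IP6T -A FORWARD -i $EXT -s $LAN -j DROP
# LAN -> world, only with our own source prefix
$IP6T -A FORWARD -i $INT -o $EXT -s $LAN -j ACCEPT
# world -> LAN: ICMPv6 is required (path MTU discovery), rate limited against floods
$IP6T -A FORWARD -i $EXT -o $INT -d $LAN -p icmpv6 -m limit --limit 10/s -j ACCEPT
# no conntrack on this kernel: accept TCP that is not a connection attempt,
# and DNS replies; other UDP replies would need a stateful kernel
$IP6T -A FORWARD -i $EXT -o $INT -d $LAN -p tcp ! --syn -j ACCEPT
$IP6T -A FORWARD -i $EXT -o $INT -d $LAN -p udp --sport 53 -j ACCEPT
# services deliberately published from the LAN
$IP6T -A FORWARD -i $EXT -o $INT -d $LAN -p tcp -m multiport --dports $LAN_TCP_OPEN -j ACCEPT
# log (rate limited) and reject everything else coming in
$IP6T -A FORWARD -i $EXT -o $INT -m limit --limit 5/m -j LOG --log-prefix "ip6 fwd drop: "
$IP6T -A FORWARD -i $EXT -o $INT -j REJECT
EOF
}

accept_rule_count() {
    ip6_rules | grep -c -- '-j ACCEPT'
}

case ${1:-show} in
    show)  ip6_rules ;;
    apply) ip6_rules | sh -e ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it from /etc/conf.d/local.start (or call it from net.ipv6 after the tunnel is up) with the `apply` argument; without arguments it only prints the rules for review.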
69link
n00b
Joined: 18 Apr 2003
Posts: 53
Location: Sweden

PostPosted: Wed May 07, 2003 2:19 pm

Great guide.

I followed it and was up in no-time.

But this is my first experience with ipv6 and i dont know what to do with it yet :oops:
GurliGebis
Retired Dev
Joined: 08 Aug 2002
Posts: 509

PostPosted: Wed May 07, 2003 2:54 pm

hehe, I use it to be able to connect directly to my machines behind my router.
_________________
Queen Rocks.
zingit
n00b
Joined: 08 May 2003
Posts: 8
Location: London, England

PostPosted: Thu May 08, 2003 2:52 pm    Post subject: Excellent

Followed the guide easily enough, got it working!! yay!

Few pitfalls though:
:arrow: Make sure you put the right numbers in the right places; it's very easy to mix up the tunnel IPv6 addresses.
:arrow: When compiling your kernel, be sure to miss out
Code:
[ ]     IP: IPv6 over IPv4 tunneling support (replaces sitXX devices)

this option, as it will produce errors from the init script like
Code:
ioctl: No such device

:arrow: I seem to be having problems putting the Windows setup lines into a batch file (the first line of script is repeated until Ctrl+C'ed. If anyone has any idea, please post (I'm not that good at windows :? )
:arrow: If you're looking at the init script, it really does mean eth1, not eth0. Honest. Don't change it or it won't work. (unless your internal NIC is something else than eth1)

Have fun with IPv6,

zingit
robbat2
Developer
Joined: 19 Feb 2003
Posts: 81

PostPosted: Mon May 12, 2003 8:20 am

one request for an addition to this.
what DHCP stuff can be done to hand out IPv6 addresses automatically to your internal network?
GurliGebis
Retired Dev
Joined: 08 Aug 2002
Posts: 509

PostPosted: Mon May 12, 2003 8:33 am

AFAIK no IPv6 stuff can be done over DHCP yet. :(
_________________
Queen Rocks.
robbat2
Developer
Joined: 19 Feb 2003
Posts: 81

PostPosted: Mon May 12, 2003 8:35 am

look up neighbour discovery and router discovery for IPv6.
GurliGebis
Retired Dev
Joined: 08 Aug 2002
Posts: 509

PostPosted: Mon May 12, 2003 8:37 am

hehe, it would be great if ISC's DHCPD could give out IPv6 addresses too, but it might happen some day :)
_________________
Queen Rocks.
IWBCMAN
Guru
Joined: 25 Jun 2002
Posts: 474

PostPosted: Mon May 12, 2003 9:11 am

ok -braindead questions.....

does one have to have their own DNS with a static IP to do this (ie. I use dyndns ....) ?

-I am unfortunately so ignorant as to not even know whether this IP4 stuff is necessary to work with IP6.....


does one have to have their own domain registered on the internet ?

does anybody here wish to elaborate a little on the whole IP6 thing....I have read some stuff about it and have an ultra vague understanding of what it is about (ie. much larger address space, no need for NAT, coupling IP6/IP4 via a NAT-6:4..) but I am an absolute noob about this stuff...

;)
IWBCMAN
Guru
Joined: 25 Jun 2002
Posts: 474

PostPosted: Wed May 14, 2003 8:54 am

ok I guess my questions were too dumb....

still would love some feedback though.....
GurliGebis
Retired Dev
Joined: 08 Aug 2002
Posts: 509

PostPosted: Wed May 14, 2003 3:30 pm

I have a dynamic IP, I just change it on their website when it changes (happens once or twice a year).
_________________
Queen Rocks.
GurliGebis
Retired Dev
Joined: 08 Aug 2002
Posts: 509

PostPosted: Sun Jun 01, 2003 10:45 pm

About the client script.
Just add the two lines of code to /etc/conf.d/local.start, and it will be executed as the last thing at bootup (Why am I telling you this, people already know this :))
_________________
Queen Rocks.
wlkerboh
n00b
Joined: 30 Mar 2003
Posts: 3

PostPosted: Tue Jun 24, 2003 10:30 pm    Post subject: radvd

Install radvd for ipv6 auto-conf. Just make sure to edit the conf file to hand out your IP addresses and not someone else's :)
GurliGebis
Retired Dev
Joined: 08 Aug 2002
Posts: 509

PostPosted: Wed Jun 25, 2003 11:49 am

Does radvd have an option to give a specific ipv6 address to a specific MAC address, like DHCPD has?
_________________
Queen Rocks.
wlkerboh
n00b
Joined: 30 Mar 2003
Posts: 3

PostPosted: Wed Jun 25, 2003 12:33 pm

Not that I've seen. radvd announces the link global prefix (the network portion of the address). An ipv6 capable host takes this and the mac address to produce a usable IP address. Of course you still have the option of static IP addresses for servers.
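The derivation described in this reply (advertised prefix plus MAC), as an added example that is not part of the thread: it computes the modified EUI-64 address a host autoconfigures, so on the router you can predict a given NIC's address and write a per-host ip6tables rule for it without any DHCP. It assumes the guide's /64 and uses constructed MAC addresses.

```shell
#!/bin/sh
# Added example, not from the thread: compute the SLAAC address a host forms
# from an advertised /64 and its MAC (modified EUI-64, RFC 4291 appendix A).
eui64_suffix() {
    # $1 = MAC address, e.g. 00:11:22:33:44:55 (constructed sample value)
    oldifs=$IFS
    IFS=:
    set -- $1
    IFS=$oldifs
    [ $# -eq 6 ] || { echo "eui64_suffix: expected 6 octets" >&2; return 1; }
    # flip the universal/local bit (0x02) of the first octet ...
    b1=$(( 0x$1 ^ 0x02 ))
    # ... and insert ff:fe between the OUI (first 3 octets) and the device id
    printf '%x:%x:%x:%x\n' \
        $(( b1 * 256 + 0x$2 )) $(( 0x$3 * 256 + 0xff )) \
        $(( 0xfe * 256 + 0x$4 )) $(( 0x$5 * 256 + 0x$6 ))
}

slaac_addr() {
    # $1 = prefix as radvd advertises it, e.g. 2001:618:4:1234::/64; $2 = MAC
    case $1 in
        *::/64) ;;
        *) echo "slaac_addr: SLAAC needs a /64 prefix" >&2; return 1 ;;
    esac
    net=${1%::/64}
    suffix=$(eui64_suffix "$2") || return 1
    printf '%s:%s\n' "$net" "$suffix"
}

# Because the MAC is embedded, the address is predictable (handy for per-host
# firewall rules on the router) but it also reveals the NIC to every peer.
slaac_addr 2001:618:4:1234::/64 00:11:22:33:44:55
```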
clumsyninja
n00b
Joined: 27 Jun 2003
Posts: 61
Location: North Texas

PostPosted: Sat Jul 05, 2003 4:21 pm

i understand why ipv6 is being implemented, but i have an additional question (one that i can't seem to find an answer to after spending some time googling around).
are there any performance gains to using ipv6 in your experience? does it play nicely with ipv4? would i carry both an ipv4 address and an ipv6 address? can i go with ipv4 on my internal network (no worries about running out of ip addresses here ;)) and ipv6 on my external device? wtf happened to ipv5? :D

i figured asking people who really use it is probably the best way to find out.

thanks in advance for any replies.
_________________
katana root # cat /proc/sys/kernel/osrelease
2.4.20-gentoo-r7
wlkerboh
n00b
Joined: 30 Mar 2003
Posts: 3

PostPosted: Thu Jul 17, 2003 3:59 am

clumsyninja wrote:

are there any performance gains to using ipv6 in your experience? does it play nicely with ipv4?


Haven't done any performance tests. Feels just as fast as v4. Might be a few cycles slower due to longer addresses, but nothing that you and I are likely to notice.

clumsyninja wrote:
would i carry both an ipv4 address and an ipv6 address?

Each version is a unique network stack. Sort of like running IPX and IP on the same wire. There are provisions in the spec for a v6-only host to communicate with a v4-only host, but I haven't played with that aspect yet.

clumsyninja wrote:
can i go with ipv4 on my internal network and ipv6 on my external device?

Could, but why? v6 is designed to operate with many IP addresses per interface, each with a different scope: link (aka local) or global. If you were using v6 internally and only v4 externally (no 6to4 tunnels), your router would have to NAT. I'm sure this functionality exists somewhere, I haven't bothered looking for it though.

clumsyninja wrote:
wtf happend to ipv5? :D

Already assigned to a now defunct test protocol. Google for this and you will come up with a more detailed answer.
depptr0tt
n00b
Joined: 21 May 2003
Posts: 16

PostPosted: Tue Aug 12, 2003 11:41 am

hmm does this share internet?
I mean does eth0 give eth1 access to internet or what should I add in iptables then?
Redeeman
l33t
Joined: 25 Sep 2003
Posts: 957
Location: Denmark

PostPosted: Wed Jun 09, 2004 1:59 pm

there's a tool called radvd that works as an ipv6 replacement for dhcp
_________________
Sandberg Enterprises
GurliGebis
Retired Dev
Joined: 08 Aug 2002
Posts: 509

PostPosted: Wed Jun 09, 2004 2:01 pm

yap, but is it able to assign a certain ipv6 to a certain MAC like DHCPD?
_________________
Queen Rocks.
ryceck
Apprentice
Joined: 13 Jan 2004
Posts: 195

PostPosted: Thu Jun 24, 2004 2:58 pm

GurliGebis wrote:
yap, but is it able to assign a certain ipv6 to a certain MAC like DHCPD?

No it isn't, but u could take a look at dhcpv6. I wasn't able to compile it myself, but theoretically dhcpv6 should be able to assign ipv6 addresses on a MAC basis