Use IPv6 even if your ISP doesn’t support it

Sometimes you just have to know something exists before you look into it. IPv6 tunnels may well be a good example. Many ISPs are stuck in the dark ages, what with their archaic attitudes and red tape procedures longer than a trip to Mars.

It’s dead simple to get IPv6 working at home via an IPv6 tunnel broker.


I guess this is somewhat ironic, given their 90’s style logo and website, but these guys provide the tools you need to get your Internet connection this side of the new millennium. Guess what – it’s FREE!

An IPv6 tunnel essentially ‘tunnels’ the IPv6 IP protocol over your existing 1970’s IPv4 Internet connection. It does this using a ‘tun’ interface which is connected to one of their endpoint routers located all over the globe.

First things first, there are some prerequisites. Your existing router must allow ICMP packets inbound. Most routers will allow this, even if not by default; the setting is usually hidden away in the firewall settings somewhere, so ICMP and Ping are probably good things to look for in its over-complicated UI. The exact requirement is that your router responds to ICMP ECHO REQUEST and understands, or at least can forward, IP protocol 41 (which is an encapsulated IPv6 packet).

A second requirement is that you sign up for a free account at TunnelBroker.net. This service is run by HE.net, which is a serious transit provider running core links of the Internet. They usually only deal B2B, but the tunnel service is available to anyone (did I mention it’s also free?).

Once you have an account go ahead and log in. You will be able to create the tunnel from the main page.

It will ask for your IPv4 address and perform an ICMP check to make sure it is suitable for the tunnel. If this fails you will either need to go and re-fudge your firewall settings or, in the worst case, buy a decent router.

Because they need to know your IPv4 address you might be wondering how this will work with a dynamic IP. Well, they sort that out for you too. To quote verbatim from the FAQ:

My IPv4 endpoint address is dynamic. Can I still create a tunnel? If yes, what do I need to do when my IP address changes?

Yes, you can still create a tunnel even if you are using a dynamic IPv4 endpoint address. If your IPv4 endpoint address changes, you can either login to the tunnelbroker.net page and update your IPv4 endpoint address or use https://ipv4.tunnelbroker.net/nic/update which is designed to be used to update your IPv4 endpoint address.

Excellent, glad that’s sorted. There are many ways to terminate your tunnel and they are kind enough to provide examples for many different operating systems. I personally use an EdgeRouter Lite, which is a fantastic little router capable of almost anything the big boys can do, albeit with slightly less grunt.

Here’s the example for the EdgeRouter/VyOS/Vyatta/Yada Yada Yada.

interfaces {
    tunnel tun0 {
        address ::2/64
        description "HE.NET IPv6 Tunnel"
        encapsulation sit
        firewall {
            local {
                ipv6-name ipv6-local
            }
        }
        local-ip 0.0.0.0
        multicast disable
        remote-ip xxx.xxx.xxx.xxx
        ttl 255
    }
}

The ‘address’ and ‘remote-ip’ values come from the ‘Tunnel Details’ page of your account, under the heading ‘IPv6 Tunnel Endpoints’.

You will notice I also have a local firewall configured here. This can look something like the following. Note that rule 20 accepts SSH to the router itself from any IPv6 source arriving over the tunnel; restrict it with a source address, or drop it, if you don’t need remote management.

 firewall {
     ipv6-name ipv6-local {
         default-action drop
         rule 10 {
             action accept
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action accept
             destination {
                 port 22
             }
             protocol tcp
         }
         rule 30 {
             action accept
             protocol ipv6-icmp
         }
     }
 }

That in itself should be enough to ‘up’ the IPv6 tunnel. Next you will find the ‘Routed IPv6 Prefixes’ on the same page. This is the subnet which clients on your network will pick and choose IP addresses from.

This next part configures the internal network port on your router, the one connected to the LAN side.

interfaces {
    ethernet eth1 {
        address ::1/64
        ipv6 {
            dup-addr-detect-transmits 1
            router-advert {
                cur-hop-limit 64
                link-mtu 0
                managed-flag false
                max-interval 600
                other-config-flag false
                prefix ::/64 {
                    autonomous-flag true
                    on-link-flag true
                    valid-lifetime 2592000
                }
                radvd-options "RDNSS ::1/64 { AdvRDNSSPreference 8; AdvRDNSSOpen off; };"
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
    }
}

The ‘::1/64’ part is the ‘Routed /64’ prefix from ‘Routed IPv6 Prefixes’ with a ‘1’ on the end; the bare ‘::/64’ in the ‘prefix’ node is that same routed /64.

For example if it says:

Routed IPv6 Prefixes
Routed /64:        2002:460:1e1d:1a1::/64

Then you would specify ‘2002:460:1e1d:1a1::1/64’.

Now this is important. You are probably used to having to NAT everything behind a lonely single dynamic IP address configured on the external interface on your router. Because there are so many addresses available in IPv6 you now have enough addresses for every piece of dust in your house.

The /64 you have just been assigned consists of public IP addresses. This means no NAT, no automatic firewalling, and Internet-addressable IPs on every host. You therefore need to ensure you have a default firewall in place to take care of that.

interfaces {
    ethernet eth1 {
        firewall {
            local {
                ipv6-name localLANipv6
            }
            out {
                ipv6-name lan-ipv6
            }
        }
    }
}

You need to firewall both the router’s local IP (the ::1) and everything behind it – your workstations etc. For the local firewall, the same ruleset as the previous example can be used. For the LAN itself you’ll probably want a different template: once you’ve calmed down from the excitement of having 18,446,744,073,709,551,616 public IPv6 addresses at your disposal, it’s more than likely you’ll want to make something available on the Internets. So, something like this:

 firewall {
     ipv6-name lan-ipv6 {
         default-action drop
         rule 10 {
             action accept
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action accept
             destination {
                 address
                 port 80
             }
             protocol tcp
         }
     }
 }

You may be wondering how automatic IP assignment is performed with v6. Well, there is DHCPv6 but that is a nasty pile of crap. The way it actually works best is with SLAAC, which is a fancy way of saying ‘let the clients work it out amongst themselves’. It’s built into the protocol and uses the MAC address of your ethernet interface to calculate an IPv6 address. There are layers on top of that, such as privacy extensions, but you’ll find that out in due course. In short, clients should ‘just work’ and sort themselves out.
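As an added example (not from the original post or from HE.net), this shows how the ‘::1/64’ and ‘prefix’ placeholders above derive from the routed /64, and how a SLAAC client turns that prefix plus its MAC into the public address the lan-ipv6 ruleset has to protect. The prefix is the post’s own example value; the MAC address is a constructed sample.

```python
"""Derive the addresses in the EdgeRouter config from the routed /64.

Added example, not part of the original post or of HE.net's tooling.
PREFIX is the post's own example value; the MAC address is constructed.
"""
import ipaddress


def router_address(routed_prefix: str) -> str:
    """Return the '::1' address the post assigns to eth1, as address/64."""
    net = ipaddress.IPv6Network(routed_prefix, strict=True)
    if net.prefixlen != 64:
        # SLAAC needs a 64-bit interface identifier, so only a /64 works.
        raise ValueError("expected a /64, got /%d" % net.prefixlen)
    return "%s/64" % (net.network_address + 1)


def eui64_address(routed_prefix: str, mac: str) -> str:
    """SLAAC (modified EUI-64) address a host with this MAC will pick.

    The client computes this on its own; the result embeds the MAC, which
    is why privacy extensions exist and why the host is reachable from the
    Internet unless the lan-ipv6 ruleset blocks it.
    """
    net = ipaddress.IPv6Network(routed_prefix, strict=True)
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    # Flip the universal/local bit of the first octet, insert ff:fe in the middle.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    host = int(net.network_address) | int.from_bytes(iid, "big")
    return str(ipaddress.IPv6Address(host))


def edgeos_lines(routed_prefix: str) -> dict:
    """Fill in the blanks the post leaves in the eth1 configuration."""
    net = ipaddress.IPv6Network(routed_prefix, strict=True)
    return {
        "address": "address %s" % router_address(routed_prefix),
        "prefix": "prefix %s {" % net.with_prefixlen,
    }


if __name__ == "__main__":
    PREFIX = "2002:460:1e1d:1a1::/64"  # the post's example routed /64
    MAC = "00:11:22:33:44:55"           # constructed sample MAC
    for line in edgeos_lines(PREFIX).values():
        print(line)
    print("host with MAC %s gets %s" % (MAC, eui64_address(PREFIX, MAC)))
```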

The part of the configuration above which takes care of router announcements is:

radvd-options "RDNSS ::1/64 { AdvRDNSSPreference 8; AdvRDNSSOpen off; };"

(The ::1/64 part will be substituted by you as per above.) What this does is tell the router to advertise itself as the default gateway. It also advertises DNS. If you need to know more about these options, try Googling for ‘radvd’.

If you are going to run a web server or whatever, which needs a static IP address (for both DNS and firewall purposes), you can assign an easy IP out of the range, such as ::2 (remember the router is ::1), and simply define it statically on the server just like you would a v4 address. IPv6 is not much different really, except DHCP has gone and there are loads more IP addresses.

HE also offer a free IPv6 certification course which is well worth doing. Not least because you get to learn how this new thing you’ve got actually works but also because this unblocks IRC access and you get a free T-Shirt. What’s not to like about that?