IPv6 router guide
Preliminaries
Basic Kernel Configuration
Any of the 2.6 kernel trees available in Gentoo will easily support IPv6 connections. The new USAGI IPv6 stack has been integrated into the kernel since Linux 2.6.0.
root #emerge --ask gentoo-sources
Now we are ready to enter the kernel source directory and begin our actual kernel configuration.
root #cd /usr/src/linux
root #make menuconfig
This assumes the symlink /usr/src/linux points to the sources you will be using.
Networking support --->
  Networking options --->
    <*> The IPv6 protocol --->
      ## (The IPv6 options beneath this one can be useful for many other applications,
      ## but should not be needed for a basic setup)

## (This option is only required if you are using ptrtd for 6to4 conversion)
Device Drivers --->
  Network device support --->
    <*> Universal TUN/TAP device driver support
Testing IPv6 Support
After enabling the recommended options, recompile your kernel and reboot into your new IPv6-enabled kernel.
If you don't already have iproute2 installed, we urge you to do it now. iproute2 is a network configuration suite that contains ip, the famous replacement for ifconfig, route, iptunnel and others...
root #emerge --ask sys-apps/iproute2
Use of ifconfig can cause serious headaches if you have multiple tunnel devices. You have to remove the tunnels in reverse order, which means that the most recently created tunnel must be removed first. You have been warned!
If IPv6 is working, the loopback device should show an IPv6 address:
root #ip -6 addr show lo
1: lo: <LOOPBACK,UP> mtu 16436
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
## (The above lines show things are working)
Before going any further, make sure that you add ipv6 to your list of USE variables in make.conf, so that future emerges of packages will include IPv6 support.
Tunnel Configuration
Basic Configuration
Most ISPs still do not offer any native IPv6 connections. To get around this limitation, there are several "tunnel brokers" around the globe that offer free IPv6 tunnels. This will allow you to tunnel all your IPv6 connections through an IPv4 connection.
| Broker | Location |
|---|---|
| Hurricane Electric | North America, Europe, Asia |
| Freenet6 | US |
| Sixxs | Europe |
| Singnet | Singapore |
| Aarnet | Australia/South Pacific |
Below are two examples for setting up a tunnel with two popular North American tunnel brokers, Hurricane Electric (applies to non-heartbeat tunnels from sixxs.net as well) and Freenet6.
Hurricane Electric
Hurricane Electric (HE for short) offers free IPv6 tunnels and allocates a /64 block of addresses for you. It also allows configuration of reverse DNS. Getting a tunnel from HE is as easy as going to https://www.tunnelbroker.net/ and filling out a one page form.
Registration includes listing information like your address and phone number.
After you have a tunnel approved and have a /64 block allocated, you can configure your Gentoo box. HE provides sample configurations based on ifconfig and the iproute utilities. The following two examples assume you have the following configuration:
| Local IPv4 Address (eth0) | 68.36.91.195 |
| HE IPv4 Address | 64.71.128.82 |
| Local IPv6 tunnel Address | 2001:470:1F00:FFFF::2 |
| Remote IPv6 tunnel Address | 2001:470:1F00:FFFF::1 |
| IPv6 Block | 2001:470:1F00:296::/64 |
Using the iproute2 package and the ip command, you would do the following.
Create a tunnel between the local (eth0) IPv4 and HE's remote IPv4 address:
root #ip tunnel add sixbone mode sit remote 64.71.128.82 local 68.36.91.195 ttl 64 dev eth0
Subtract the tunneling overhead from the MTU:
root #ip link set sixbone mtu 1280
Bring the tunnel up:
root #ip link set sixbone up
Assign the IPv6 address to it:
root #ip addr add 2001:470:1F00:FFFF::2 dev sixbone
Route all global unicast IPv6 addresses through our 'sixbone' tunnel device:
root #ip route add 2000::/3 dev sixbone
The following example shows how to establish this at boot time:
iptunnel_he6="mode sit remote 64.71.128.82 local 68.36.91.195 ttl 64 dev eth0"
depend_he6="net.eth0"
config_he6="2001:470:1F00:FFFF::2/64"
routes_he6="default via 2001:470:1F00:FFFF::1 dev he6"
mtu_he6="1280"
The device name is 'he6' in the above example instead of 'sixbone'.
To make this device start on boot:
root #cd /etc/init.d
root #ln -s net.lo net.he6
root #rc-update add net.he6 default
If you do not have a default policy of ACCEPT for your IPv4 iptables you may need to add:
root #iptables -A INPUT -i eth0 -p ipv6 -j ACCEPT
When tunneling IPv6 over IPv4, the packets will first come through the IPv4 chain before being passed to the IPv6 chain.
Freenet6
Freenet6 is another free tunnel broker. Optional registration only requires a username and a valid email address. They have chosen to turn the tunnel management into a client/server setup and have created the gogoCLIENT client. The client is available in Portage. To install it do:
root #emerge --ask net-misc/gogoc
Now if you chose to connect with authentication, you need to configure gogoCLIENT by editing /etc/gogoc/gogoc.conf. You should only have to change the userid and passwd fields to match those assigned from Freenet6 and change the gateway server. Below is a sample config file.
auth_method=any
userid=anonymous
passwd=foobar
template=linux
server=broker.freenet6.net
Testing your connection
Now that your tunnel is configured, you can test your connection. The easiest way to do this is to use the ping6 utility and try to ping an IPv6 host.
root #emerge --ask iputils
user $ping6 www.kame.net
PING www.kame.net(orange.kame.net) 56 data bytes
64 bytes from orange.kame.net: icmp_seq=1 ttl=52 time=290 ms
64 bytes from orange.kame.net: icmp_seq=2 ttl=52 time=277 ms
64 bytes from orange.kame.net: icmp_seq=3 ttl=52 time=280 ms
64 bytes from orange.kame.net: icmp_seq=4 ttl=52 time=279 ms
64 bytes from orange.kame.net: icmp_seq=5 ttl=52 time=277 ms

--- www.kame.net ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4038ms
rtt min/avg/max/mdev = 277.040/281.041/290.046/4.699 ms
Further work is currently in progress to add better IPv6 support to the network init scripts. If you'd like to know the status of this and/or help out, email latexer@gentoo.org.
IPv6 Support in Applications
Re-emerging packages
Unless you had USE="ipv6" in your /etc/portage/make.conf previously, you probably need to re-emerge a bunch of packages to compile in IPv6 support for them. To get a list of all the installed packages which are affected by USE flag changes, use Portage's --newuse (-N) option:
root #emerge -uDNav @world
If you have changed a lot of USE flags, the list could be quite long. It's suggested to keep your system up-to-date, so it won't hurt if you recompile all affected packages.
Some packages detect IPv6 support automagically and hence have no ipv6 USE flag. Thus not every package that should support IPv6 will do so if it was not compiled on an IPv6-enabled kernel.
IPv6 Specific Packages
There are a few packages which specifically deal with IPv6 items. Most of these are located in /usr/portage/net-misc.
| Package | Description |
|---|---|
| net-misc/ipv6calc | Converts an IPv6 address to a compressed format |
| net-misc/netcat6 | netcat version that supports IPv6 and IPv4 |
| dev-perl/Socket6 | IPv6 related part of the C socket.h defines and structure manipulators |
DNS setup
IPv6 and DNS
Just as DNS for IPv4 uses A records, DNS for IPv6 uses AAAA records. (This is because IPv4 is an address space of 2^32 while IPv6 is an address space of 2^128). For reverse DNS, the INT standard is deprecated but still widely supported. ARPA is the latest standard. Support for the ARPA format will be described here.
BIND configuration
Recent versions of BIND include excellent IPv6 support. This section will assume you have at least minimal knowledge about the configuration and use of BIND. We will assume you are not running BIND in a chroot. If you are, simply prepend the chroot prefix to most of the paths in the following section.
First you need to add entries for both forward and reverse DNS zone files in /etc/bind/named.conf.
/etc/bind/named.conf: named.conf entries
## (We allow bind to listen to IPv6 addresses.
## Using 'any' is the only way to do it prior to bind-9.3)
options {
    [...]
    listen-on-v6 { any; };
    [...]
};

## (This will provide the forward DNS for the domain 'ipv6-rules.com':)
zone "ipv6-rules.com" IN {
    type master;
    file "pri/ipv6-rules.com";
};

## (This format for reverse DNS is "bitwise." It's done by taking the IPv6 prefix,
## reversing the order of the numbers and putting a period between each number)
zone "6.9.2.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa" {
    type master;
    file "pri/rev-ipv6-rules.com.arpa";
};
Now we must create those zone files and add entries for all of our hosts:
/etc/bind/pri/ipv6-rules.com
$TTL 2h
@       IN      SOA     ipv6-rules.com. webmaster.ipv6-rules.com. (
                        2003052501 ; Serial
                        28800      ; Refresh
                        14400      ; Retry
                        3600000    ; Expire
                        86400 )    ; Minimum
                NS      ns1.ipv6-rules.com.

        IN      AAAA    2001:470:1f00:296::1   ; address for ipv6-rules.com
host1   IN      AAAA    2001:470:1f00:296::2   ; address for host1.ipv6-rules.com
host2   IN      AAAA    2001:470:1f00:296::3:3 ; address for host2.ipv6-rules.com

/etc/bind/pri/rev-ipv6-rules.com.arpa
$TTL 3d ; Default TTL (bind 8 needs this, bind 9 ignores it)
@       IN      SOA     ipv6-rules.com. webmaster.ipv6-rules.com. (
                        2003052501 ; Serial number (YYYYMMdd)
                        24h        ; Refresh time
                        30m        ; Retry time
                        2d         ; Expire time
                        3d )       ; Default TTL
        IN      NS      ns1.ipv6-rules.com.

; IPv6 PTR entries
$ORIGIN 6.9.2.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa.

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR ipv6-rules.com.
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR host1.ipv6-rules.com.
3.0.0.0.3.0.0.0.0.0.0.0.0.0.0.0 IN PTR host2.ipv6-rules.com.
DJBDNS configuration
There are currently some third-party patches to DJBDNS available at http://www.fefe.de/dns/ that allow it to do IPv6 nameserving. DJBDNS can be installed with these patches by emerging it with ipv6 in your USE variables.
Not all record types are supported yet with these patches. In particular, NS and MX records are not supported.
root #emerge --ask djbdns
After djbdns is installed, it can be set up by running tinydns-setup and answering a few questions about which IP addresses to bind to, where to install tinydns, etc.
root #tinydns-setup
Assuming we've installed tinydns into /var/tinydns, we can now edit /var/tinydns/root/data. This file will contain all the data needed to get tinydns handling DNS for your IPv6 delegation.
## (*.ipv6-rules.com is authoritatively handled by 192.168.0.1)
.ipv6-rules.com:192.168.0.1:a:259200
## (Authoritative reverse DNS for 2001:470:1f00:296::/64)
.6.9.2.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa:192.168.0.1:a
## (Specify the IPs for host1 and host2)
6host1.ipv6-rules.com:200104701f0002960000000000000001:86400
6host2.ipv6-rules.com:200104701f0002960000000000000002:86400
## (Point www to host1)
3www.ipv6-rules.com:200104701f0002960000000000000001:86400
Lines prefixed with a 6 will have both an AAAA and a PTR record created. Those prefixed with a 3 will only have an AAAA record created. Besides manually editing the data file, you can use the scripts add-host6 and add-alias6 to add new entries. After changes are made to the data file, you simply need to run make from /var/tinydns/root. This will create /var/tinydns/root/data.cdb, which tinydns will use as its source of information for DNS requests.
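The reverse-zone name, the PTR owner names used in the BIND zone file and the 32-digit address form used in the tinydns data file can all be derived mechanically from the prefix and host addresses. The following is an added example, not part of the original guide; the function names are assumptions chosen for illustration, and only Python's standard ipaddress module is used.

```python
import ipaddress

def reverse_zone(prefix: str) -> str:
    """ip6.arpa zone name for a prefix that ends on a nibble (4-bit) boundary."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 bits")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def ptr_label(addr: str, prefix: str) -> str:
    """PTR owner name relative to the zone's $ORIGIN (the host nibbles only)."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in ipaddress.IPv6Network(prefix):
        raise ValueError(f"{addr} is outside {prefix}")
    full = ip.reverse_pointer + "."            # 32 nibbles + ip6.arpa.
    return full[: -len(reverse_zone(prefix)) - 1]

def tinydns_hex(addr: str) -> str:
    """Fully expanded address without colons, as in tinydns '6' and '3' lines."""
    return ipaddress.IPv6Address(addr).exploded.replace(":", "")

def records(hosts: dict, prefix: str, ttl: int = 86400):
    """Return (BIND PTR lines, tinydns '6' lines) for a name -> address map."""
    bind, tiny = [], []
    for name, addr in hosts.items():
        bind.append(f"{ptr_label(addr, prefix)} IN PTR {name}.")
        tiny.append(f"6{name}:{tinydns_hex(addr)}:{ttl}")
    return bind, tiny

if __name__ == "__main__":
    PREFIX = "2001:470:1f00:296::/64"          # block used on this page
    HOSTS = {                                  # hosts from the BIND zone file
        "host1.ipv6-rules.com": "2001:470:1f00:296::2",
        "host2.ipv6-rules.com": "2001:470:1f00:296::3:3",
    }
    print("$ORIGIN", reverse_zone(PREFIX))
    for group in records(HOSTS, PREFIX):
        print(*group, sep="\n")
```

Generating both files from one host list keeps forward and reverse data in step; an address outside the delegated block is rejected instead of silently producing a PTR name that the zone cannot serve.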
IPv6 Router
Configure routing
Further configuration is required if we want to use our system as a router for other clients wishing to connect to the outside world with IPv6. We need to enable forwarding of IPv6 packets. We can do this in one of two ways.
Either we set the value 1 in the forwarding pseudo-file:
root #echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
Or we use the sysctl command:
root #sysctl -w net.ipv6.conf.all.forwarding=1
The radvd init script explained in the next chapter enables (and disables) forwarding, making the next step unnecessary.
To enable forwarding at boot, you'll need to edit /etc/sysctl.conf and add the following line.
## (If you will be using radvd, this step is unnecessary)
net.ipv6.conf.default.forwarding=1
Traffic should now be forwarded from this box through the tunnel we've established with our broker.
To assign IPv6 addresses to clients, the IPv6 specification allows for both stateless and stateful IP assignment. Stateless assignment uses a process called Router Advertisement and allows clients to obtain an IP and a default route by simply bringing an interface up. It is called "stateless" because there is no record of IPs assigned and the host they are assigned to. Stateful assignment is handled by DHCPv6. It is "stateful" because the server keeps a state of the clients who've requested IPs and received them.
Stateless Configuration
Stateless configuration is easily accomplished using the Router Advertisement Daemon, or radvd.
root #emerge --ask radvd
After having emerged radvd, we need to create /etc/radvd/radvd.conf that contains information about what IP block to assign IPs from. Here is a sample radvd.conf file using the prefix we've been assigned from our tunnel broker.
interface eth1
{
    ## (Send advertisement messages to other hosts)
    AdvSendAdvert on;
    ## (Fragmentation is bad(tm))
    AdvLinkMTU 1280;
    MaxRtrAdvInterval 300;
    ## (IPv6 subnet prefix we've been assigned by our PoP)
    prefix 2001:470:1F00:296::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
Make sure the interface on the first line is correct so you broadcast router advertisement to your intranet and not to your ISP!
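The interface check described above can be automated before radvd is started. The following is an added example, not part of the original guide and not radvd's own parser: check_radvd and the set of upstream interface names (eth0, he6, sixbone, taken from the tunnel examples on this page) are assumptions, and the regular expressions cover only the options used in the sample file.

```python
import ipaddress
import re

def _block(text: str, start: int) -> str:
    """Return the text from `start` up to the brace that closes that block."""
    depth, i = 1, start
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[start:i - 1]

def check_radvd(conf: str, upstream: set) -> list:
    """List problems in a radvd.conf; `upstream` holds ISP/tunnel-facing names."""
    findings = []
    text = re.sub(r"#.*", "", conf)                      # drop comments
    for m in re.finditer(r"\binterface\s+(\S+)\s*\{", text):
        iface, body = m.group(1), _block(text, m.end())
        if iface in upstream:
            findings.append(f"{iface}: advertising on an upstream interface")
        if not re.search(r"\bAdvSendAdvert\s+on\s*;", body):
            findings.append(f"{iface}: AdvSendAdvert is not on")
        mtu = re.search(r"\bAdvLinkMTU\s+(\d+)\s*;", body)
        if mtu and 0 < int(mtu.group(1)) < 1280:
            findings.append(f"{iface}: AdvLinkMTU below the IPv6 minimum of 1280")
        for p in re.finditer(r"\bprefix\s+(\S+)\s*\{", body):
            net = ipaddress.IPv6Network(p.group(1), strict=False)
            opts = _block(body, p.end())
            slaac = not re.search(r"\bAdvAutonomous\s+off\s*;", opts)
            if slaac and net.prefixlen != 64:
                findings.append(f"{iface}: {net} is not a /64, hosts ignore it for SLAAC")
    return findings

# Constructed sample: the page's radvd.conf, and a copy bound to the WAN side.
GOOD = """
interface eth1 {
    AdvSendAdvert on;      ## (Send advertisement messages to other hosts)
    AdvLinkMTU 1280;
    MaxRtrAdvInterval 300;
    prefix 2001:470:1F00:296::/64 { AdvOnLink on; AdvAutonomous on; };
};
"""
BAD = GOOD.replace("eth1", "eth0").replace("1F00:296::/64", "1F00::/48")

if __name__ == "__main__":
    for name, conf in (("good", GOOD), ("bad", BAD)):
        print(name, check_radvd(conf, upstream={"eth0", "he6", "sixbone"}))
```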
Further information is available in man radvd.conf. We can now start radvd and set it to start at boot.
root #/etc/init.d/radvd start
root #rc-update add radvd default
Stateful Configuration
If you'd like to have stateful configuration, you'll need to install and configure net-misc/dibbler.
root #emerge --ask dibbler
Now we must configure the dibbler client by editing /etc/dibbler/client.conf.
iface ppp0 {
    rapid-commit yes
    pd
    option dns-server
}
We can now start the dibbler client, and configure it to start at boot.
root #/etc/init.d/dibbler-client start
root #rc-update add dibbler-client default
IPv6 Clients
Using radvd
Clients behind this router should now be able to connect to the rest of the net via IPv6. If using radvd, configuring hosts should be as easy as bringing the interface up. (This is probably already done by your net.ethX init scripts).
root #ip link set eth0 up
root #ip addr show eth0
1: eth0: <BROADCAST,MULTICAST,UP> mtu 1400 qdisc pfifo_fast qlen 1000
link/ether 00:01:03:2f:27:89 brd ff:ff:ff:ff:ff:ff
inet6 2001:470:1f00:296:209:6bff:fe06:b7b4/128 scope global
valid_lft forever preferred_lft forever
inet6 fe80::209:6bff:fe06:b7b4/64 scope link
valid_lft forever preferred_lft forever
inet6 ff02::1/128 scope global
valid_lft forever preferred_lft forever
Should this not work, ensure that your IPv6 firewall is allowing ICMPv6 packets through:
root #ip6tables -A INPUT -p icmpv6 -j ACCEPT
Other Resources
There are many excellent resources online pertaining to IPv6.
| Websites | Resources |
|---|---|
| www.ipv6.org | General IPv6 Information |
| www.linux-ipv6.org/ | USAGI Project |
| www.deepspace6.net | Linux/IPv6 site |
| www.kame.net | *BSD implementation |
There is also an IRC channel, #ipv6 on Freenode. You can connect to the Freenode servers using an IPv6 enabled client by connecting to irc.ipv6.freenode.net.
This article is based on a document formerly found on our main website gentoo.org.
The following people have contributed to the original document: Peter Johanson, Jorge Paulo, Sven Vermeulen, Camille Huot, Pasi Valminen, nightmorph, hwoarang
They are listed here as the Wiki history does not provide for any attribution. If you edit the Wiki article, please do not add yourself here; your contributions are recorded on the history page.