IPv6 router guide

From Gentoo Wiki
Jump to:navigation Jump to:search
This page is a translated version of the page IPv6 router guide and the translation is 1% complete.
Other languages:


This guide provides details on setting up IPv6 routing on a Gentoo Linux system.

Basic kernel configuration

Any kernels version v2.6.0 or higher will easily support IPv6 connections. The new USAGI IPv6 stack is integrated to the kernel since Linux v2.6.0.

root #emerge --ask sys-kernel/gentoo-sources

Enter the kernel source directory and begin kernel configuration:

root #cd /usr/src/linux
root #make menuconfig
附注
This assumes the symlink /usr/src/linux points to the sources that will be used as part of this guide.
内核 'make menuconfig' options
Networking support --->
  Networking options --->
    <*> The IPv6 protocol --->
## (The IPv6 options beneath this one can be useful for many other applications,
## but should not be needed for a basic setup)
 
## (This option is only required when using ptrtd for 6to4 conversion)
Device Drivers --->
  Network device support --->
    <*> Universal TUN/TAP device driver support

Testing IPv6 support

After enabling the recommended options, recompile the kernel, then reboot into the new IPv6-enabled kernel.

If the sys-apps/iproute2 package is not yet installed, it is highly recommended to do so before continuing with this guide. iproute2 is a network configuration suite that contains ip, the famous replacement for ifconfig, route, iptunnel and others...

root #emerge --ask sys-apps/iproute2
警告
Use of ifconfig can cause serious headaches with multiple tunnel devices. The tunnels need to be removed in backorder, which means the latest created tunnel must be removed first.

If IPv6 is working, the loopback device should show an IPv6 address:

root #ip -6 addr show lo
1: lo: <LOOPBACK,UP> mtu 16436
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
    ## (The above lines show things are working)

Before proceeding any further, make sure to add ipv6 to the list of USE variables in make.conf, so that future emerges of packages will include IPv6 support.

Tunnel configuration

Basic configuration

Most ISPs still do not offer any native IPv6 connections. To get around this limitation, there are several "tunnel brokers" around the globe that offer free IPv6 tunnels. This will allow to tunnel all the IPv6 connections through an IPv4 connection.

Broker Location
Hurricane Electric North America, Europe, Asia

Below is an example for setting up a tunnel with a popular North American tunnel Hurricane Electric.

Hurricane Electric

Hurricane Electric (HE for short) offers free IPv6 tunnels and allocates a /64 block of addresses for each customer. It also allows configuration of reverse DNS. Getting a tunnel from HE is as easy as going to https://www.tunnelbroker.net/ and filling out a one page form.

附注
Registration includes listing information like home address and phone number.

After a tunnel is approved and a /64 block is allocated, start to configure the system. HE provides sample configurations based on ifconfig and the iproute utilities. The following two examples assume that the following configuration is used:

Local IPv4 Address (eth0) 68.36.91.195
HE IPv4 Address 64.71.128.82
Local IPv6 tunnel Address 2001:470:1F00:FFFF::2
Remote IPv6 tunnel Address 2001:470:1F00:FFFF::1
IPv6 Block 2001:470:1F00:296::/64

Using the sys-apps/iproute2 package and the ip command, do the following.

Create a tunnel between the local (eth0) IPv4 and HE's remote IPv4 address:

root #ip tunnel add he6 mode sit remote 64.71.128.82 local 68.36.91.195 ttl 64 dev eth0

Extract the tunneling overhead from the MTU:

root #ip link set he6 mtu 1280

Bring the tunnel up:

root #ip link set he6 up

Assign the IPv6 address to it:

root #ip addr add 2001:470:1F00:FFFF::2 dev he6

Route all global unicast IPv6 addresses through our 'he6' tunnel device:

root #ip route add 2000::/3 dev he6

The following example shows how to establish this at boot time:

代码 netifrc example
iptunnel_he6="mode sit remote 64.71.128.82 local 68.36.91.195 ttl 64 dev eth0"
depend_he6="net.eth0"
config_he6="2001:470:1F00:FFFF::2/64"
routes_he6="default via 2001:470:1F00:FFFF::1 dev he6"
mtu_he6="1280"

To make this device start on boot:

root #cd /etc/init.d
root #ln -s net.lo net.he6
root #rc-update add net.he6 default
附注
If there is no default policy of ACCEPT for the IPv4 iptables then add:
root #iptables -A INPUT -i eth0 -p ipv6 -j ACCEPT

When tunneling IPv6 over IPv4, the packets will first come through the IPv4 chain before being passed to the IPv6 chain.

Testing the connection

Now that the tunnel is configured, test the connection. The easiest way to do this is to use the ping6 utility and try to ping an IPv6 host.

root #emerge --ask iputils
user $ping6 www.kame.net
PING www.kame.net(orange.kame.net) 56 data bytes
64 bytes from orange.kame.net: icmp_seq=1 ttl=52 time=290 ms
64 bytes from orange.kame.net: icmp_seq=2 ttl=52 time=277 ms
64 bytes from orange.kame.net: icmp_seq=3 ttl=52 time=280 ms
64 bytes from orange.kame.net: icmp_seq=4 ttl=52 time=279 ms
64 bytes from orange.kame.net: icmp_seq=5 ttl=52 time=277 ms
 
--- www.kame.net ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4038ms
rtt min/avg/max/mdev = 277.040/281.041/290.046/4.699 ms

IPv6 support in applications

Re-emerging packages

Unless USE="ipv6" was already set in /etc/portage/make.conf previously, it is probably necessary to re-emerge a bunch of packages to compile in IPv6 support for them. To get a list of all the installed packages which are affected by USE flag changes, use Portage's --newuse (-N) option:

root #emerge -uDNav @world

When many USE flags have been changed, the list could be quite long. It's suggested to keep the system up-to-date, so it won't hurt if all affected packages are rebuilt.

附注
Some packages (erroneously) detect IPv6 support automatically and hence have no ipv6 USE flag. Thus not all packages, which should support IPv6, will support it if they have not been compiled with an IPv6 enabled kernel.

IPv6 specific packages

There are a few packages which specifically deal with IPv6 items. Most of these are located in the net-misc category.

Package Description
net-misc/ipv6calc Converts an IPv6 address to a compressed format
dev-perl/Socket6 IPv6 related part of the C socket.h defines and structure manipulators

DNS setup

IPv6 and DNS

Just as DNS for IPv4 uses A records, DNS for IPv6 uses AAAA records. (This is because IPv4 is an address space of 2^32 while IPv6 is an address space of 2^128). For reverse DNS, the INT standard is deprecated but still widely supported. ARPA is the latest standard. Support for the ARPA format will be described here.

BIND configuration

Recent versions of BIND include excellent IPv6 support. This section will assume at least minimal knowledge about the configuration and use of BIND. We will assume that bind is not running in a chroot. If this assumption is wrong, simply append the chroot prefix to most of the paths in the following section.

First add entries for both forward and reverse DNS zone files in /etc/bind/named.conf.

文件 /etc/bind/named.confnamed.conf entries
## (We allow bind to listen to IPv6 addresses.
## Using 'any' is the only way to do it prior to bind-9.3)
options {
    [...]
    listen-on-v6 { any; }
    [...]
};
## (This will provide the forward DNS for the domain 'ipv6-rules.com':)
zone "ipv6-rules.com" IN {
    type master;
    file "pri/ipv6-rules.com";
};
## (This format for reverse DNS is "bitwise." It's done by taking the IPv6 prefix,
## reversing the order of the numbers and putting a period between each number)
zone "6.9.2.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa" {
        type master;
        file "pri/rev-ipv6-rules.com.arpa";
};

Now zone files and entries will need added for all hosts:

文件 /etc/bind/pri/ipv6-rules.com
$TTL    2h
@       IN      SOA     ipv6-rules.com. webmaster.ipv6-rules.com.  (
                                2003052501 ; Serial
                                28800      ; Refresh
                                14400      ; Retry
                                3600000    ; Expire
                                86400 )    ; Minimum
                NS      ns1.ipv6-rules.com
 
IN      AAAA    2001:470:1f00:296::1 ; address for ipv6-rules.com
host1   IN      AAAA    2001:470:1f00:296::2 ; address for host1.ipv6-rules.com
host2   IN      AAAA    2001:470:1f00:296::3:3 ; address for host2.ipv6-rules.com
文件 /etc/bind/pri/ipv6-rules.com.arpa
$TTL 3d ; Default TTL (bind 8 needs this, bind 9 ignores it)
@       IN SOA ipv6-rules.com. webmaster.ipv6-rules.com. (
                        2003052501      ; Serial number (YYYYMMdd)
                        24h             ; Refresh time
                        30m             ; Retry time
                        2d              ; Expire time
                        3d )            ; Default TTL
        IN      NS     ns1.ipv6-rules.com.
; IPv6 PTR entries
$ORIGIN 6.9.2.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa.
 
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN      PTR     ipv6-rules.com.
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN      PTR     host1.ipv6-rules.com.
3.0.0.0.3.0.0.0.0.0.0.0.0.0.0.0 IN      PTR     host2.ipv6-rules.com.

DJBDNS configuration

There are currently some third-party patches available to the net-dns/djbdns package that allow it to do IPv6 name serving. DJBDNS can be installed with these patches by emerging it with ipv6 in the USE variable.

警告
Not all record types are support yet with these patches. In particular, NS and MX records are not supported.
root #emerge --ask net-dns/djbdns

After djbdns is installed, it can be setup by running tinydns-setup and answering a few questions about which IP addresses to bind to, where to install tinydns, etc.

root #tinydns-setup

Assuming tinydns has been installed into /var/tinydns, edit /var/tinydns/root/data. This file will contain all the data needed to get tinydns handling DNS for the IPv6 delegation.

代码 sample data file
## (*.ipv6-rules.com is authoritatively handled by 192.168.0.1)
.ipv6-rules.com:192.168.0.1:a:259200
## (Authoritative reverse DNS for 2001:470:1f00:296::/64)
.6.9.2.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa:192.168.0.1:a
## (Specify the IPs for host1 and host2)
6host1.ipv6-rules.com:200104701f0002960000000000000001:86400
6host2.ipv6-rules.com:200104701f0002960000000000000002:86400
## (Point www to host1)
3www.ipv6-rules.com:200104701f0002960000000000000002:86400

Lines prefixed with a 6 will have both an AAAA and a PTR record created. Those prefixed with a 3 will only have an AAAA record created. Besides manually editing the data file, it is possible to use the scripts add-host6 and add-alias6 to add new entries. After changes are made to the data file, simply run make from /var/tinydns/root. This will create /var/tinydns/root/data.cfb, which tinydns will use as its source of information for DNS requests.

IPv6 router

Configure routing

Further configuration is required when using the system as a router for other clients wishing to connect to the outside world with IPv6: the forwarding of IPv6 packets. This can be enabled in one of two ways.

  • Set the value 1 in the forwarding pseudo-file; this change is non-persistent:
root #echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
  • Use the sysctl command:
root #sysctl -w net.ipv6.conf.all.forwarding=1
警告
The radvd init script explained in the next chapter enables (and disables) forwarding, making the next step unnecessary.

To enable forwarding at boot, edit /etc/sysctl.conf and add the following line.

代码 sysctl.conf addition
## (When using radvd, this setting is not needed)
net.ipv6.conf.default.forwarding=1

Traffic should now be forwarded from this box through the tunnel we've established with our broker.

To assign IPv6 addresses to clients, the IPv6 specification allows for both stateless and stateful IP assignment. Stateless assignment uses a process called Router Advertisement and allows clients to obtain an IP and a default route by simply bringing an interface up. It is called "stateless" because there is no record of IPs assigned and the host they are assigned to. Stateful assignment is handled by DHCPv6. It is "stateful" because the server keeps a state of the clients who have requested IPs and received them.

Stateless configuration

Stateless configuration is easily accomplished using the Router Advertisement Daemon, or radvd:

root #emerge --ask radvd

After having emerged radvd, create the /etc/radvd/radvd.conf file to contains information to defined what IP block from which to assign IPs. Here is a sample radvd.conf file using the prefix assigned from the tunnel broker.

代码 Sample radvd.conf
interface eth1
{
        ## (Send advertisement messages to other hosts)
        AdvSendAdvert on;
        ## (Fragmentation is bad(tm))
        AdvLinkMTU 1280;
        MaxRtrAdvInterval 300;
        ## (IPv6 subnet prefix we've been assigned by our PoP)
        prefix 2001:470:1F00:296::/64
        {
                AdvOnLink on;
                AdvAutonomous on;
        };
};
警告
Make sure the interface on the first line is correct so that router advertisements are broadcasted to the intranet and not to the ISP!

Further information is available in man radvd.conf. radvd can now be started and set it to be enabled at boot.

root #/etc/init.d/radvd start
root #rc-update add radvd default

Stateful configuration

警告
Dibbler project is concluded.

To have a stateful configuration, install and configure net-misc/dibbler.

root #emerge --ask dibbler

Configure the dibbler client by editing /etc/dibbler/client.conf.

代码 Sample dibbler client configuration
iface ppp0 {
	rapid-commit yes
	pd
	option dns-server
}

Now start the dibbler client, and configure it to start at boot:

root #/etc/init.d/dibbler-client start
root #rc-update add dibbler-client default

IPv6 clients

Using radvd

Clients behind this router should now be able to connect to the rest of the net via IPv6. If using radvd, configuring hosts should be as easy as bringing the interface up. (This is probably already done by the net.ethX init scripts).

root #ip link set eth0 up
root #ip addr show eth0
1: eth0: <BROADCAST,MULTICAST,UP> mtu 1400 qdisc pfifo_fast qlen 1000
    link/ether 00:01:03:2f:27:89 brd ff:ff:ff:ff:ff:ff
    inet6 2001:470:1f00:296:209:6bff:fe06:b7b4/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::209:6bff:fe06:b7b4/64 scope link
       valid_lft forever preferred_lft forever
    inet6 ff02::1/128 scope global
       valid_lft forever preferred_lft forever

Should this not work ensure that the IPv6 firewall is allowing ICMPv6 packets through:

root #ip6tables -A INPUT -p icmpv6 -j ACCEPT

External resources

There are many excellent resources online pertaining to IPv6.

On IRC, try the #ipv6 (webchat) channel on Libera.Chat. Connect to the Libera.Chat servers using an IPv6 enabled client by connecting to irc.ipv6.libera.chat.


This page is based on a document formerly found on our main website gentoo.org.
The following people contributed to the original document: Peter Johanson, Jorge Paulo, Camille Huot, Pasi Valminen, , Markos Chandras (Hwoarang)
They are listed here because wiki history does not allow for any external attribution. If you edit the wiki article, please do not add yourself here; your contributions are recorded on each article's associated history page.