BSD Guides :: Doing Stuff With FreeBSD, NetBSD, OpenBSD, & Mac OS X

Configuring An IPv6 Router And Client
Updated: 07/15/2005


General Information

This is part 1 of our upcoming series on IPv6.  In this article we will explain how to setup and configure a FreeBSD router and client for IPv6.  In upcoming articles you will learn how to configure and setup Windows Clients as well as OpenBSD routers and clients.

What is IPv6?

By now, you've probably heard of the next generation Internet Protocol, IPv6. While it provides many improvements and new capabilities, the driving force behind its adoption is likely to be the much larger (and more flexible) address space that it defines.  Continuing growth in the population of IP enabled devices has already put severe stress on address allocation and the routing infrastructure.  The roll out of new enabling technologies, such as 3G wireless and broadband to the home, will predictably create a new wave of demand.  Now the scope of this article is just going to cover how to setup IPv6 on various BSD platforms.  This is going to be a very basic how-to on getting it setup and properly working.

Now let's learn a little bit about IPv6.  Here's what the FreeBSD Handbook has to say:

"IPv6 (also know as IPng "IP next generation") is the new version of the well known IP protocol (also known as IPv4).  Like the other current *BSD systems, FreeBSD includes the KAME IPv6 reference implementation.  So your FreeBSD system comes with all you will need to experiment with IPv6.  This section focuses on getting IPv6 configured and running."

In the early 1990s, people became aware of the rapidly diminishing address space of IPv4.  Given the expansion rate of the Internet there were two major concerns:
  1. Running out of addresses.  Today this is not so much of a concern anymore since private address spaces (10.0.0.0/8, 192.168.0.0/24, etc.) and Network Address Translation (NAT) are being employed.
  2. Router table entries were getting too large.  This is still a concern today.
IPv6 deals with these and many other issues:
  1. 128 bit address space.  In other words, theoretically there are 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses available.  This means there are approximately 6.67 * 10<superscript>27</superscript> IPv6 addresses per square meter on our planet.
  2. Routers will only store network aggregation addresses in their routing tables thus reducing the average space of a routing table to 8192 entries.
There are also lots of other useful features of IPv6 such as:
  1. Address autoconfiguration (RFC2462)
  2. Anycast addresses ("one-out-of many")
  3. Mandatory multicast addresses
  4. IPsec (IP security)
  5. Simplified header structure
  6. Mobile IP
  7. IPv4-to-IPv6 transition mechanisms

IPv6 Background Information

There are different types of IPv6 addresses: Unicast, Anycast and Multicast.

Unicast addresses are the well known addresses.  A packet sent to a unicast address arrives exactly at the interface belonging to the address.

Anycast addresses are syntactically indistinguishable from unicast addresses but they address a group of interfaces.  The packet destined for an anycast address will arrive at the nearest (in router metric) interface.  Anycast addresses may only be used by routers.

Multicast addresses identify a group of interfaces.  A packet destined for a multicast address will arrive at all interfaces belonging to the multicast group.

Note:  The IPv4 broadcast address (usually xxx.xxx.xxx.255) is expressed by multicast addresses in IPv6.

Reserved IPv6 addresses:

ipv6-address prefixlength(bits) Description Notes
:: 128 bits Unspecified cf. 0.0.0.0 in IPv4 address
::1 128 bits Loopback address cf. 127.0.0.1 in IPv4
::00:xx:xx:xx:xx 96 bits Embedded IPv4 the lower 32 bits are the address IPv4 address.  Also called "IPv4 compatible IPv6 address."
::ff:xx:xx:xx:xx 96 bits IPv4 mapped the lower 32 bits are the IPv6 address IPv4 address.  For hosts which do not support IPv6.
fe80:: - feb:: 10 bits Link-local cf. loopback address in IPv4
fec0:: - fef:: 10 bits Site-local
ff:: 8 bits Multicast
001 (base 2) 3 bits Global unicast.  All global unicast addresses are assigned from this pool.  The first 3 Bits are "001."

Reading IPv6 Addresses

The canonical form is represented as: x:x:x:x:x:x:x:x, each "x" being a 16 Bit hex value.  For example, FEBC:A574:382B:23C1:AA49:4592:4EFE:9982

Often an address will have long substrings of all zeros; therefore, each such substring can be abbreviated by "::".  For example, fe80::1 corresponds to the canonical form fe80:0000:0000:0000:0000:0000:0000:0001

A third form is to write the last 32-bit part in the well known (decimal) IPv4 style with dots "." as separators. For example, 2002::10.0.0.1 corresponds to the (hexadecimal) canonical representation 2002:0000:0000:0000:0000:0000:0a00:0001 which in turn is equivalent to writing 2002::a00:1

By now the reader should be able to understand the following:
# ifconfig

rl0: flags=8943 mtu 1500?inet 10.0.0.10 netmask 0xffffff00 broadcast 10.0.0.255
inet6 fe80::200:21ff:fe03:8e1%rl0 prefixlen 64 scopeid 0x1
ether 00:00:21:03:08:e1
media: Ethernet autoselect (100baseTX )
status: active
fe80::200:21ff:fe03:8e1%rl0 is an auto-configured link-local address.  It includes the enscrambled Ethernet MAC as part of the auto configuration.

For further information on the structure of IPv6 addresses see RFC2373.

Picking Your Broker

Ok so now this is where things get fun.  First of all, let's talk for a second about your choices of tunnel brokers.  You're going to need one of these to get your IPv6 connection going.

Freenet6 is a quick and easy way to get an IPv6 address and establish a tunnel.  What makes it so easy is its Tunnel Setup Protocol (TSP) client.  The program, available here, automatically gets your IPv6 address and establishes a tunnel with the Freenet6 servers.  The program can be run without registering, but registration lets you get a /48 prefix (anonymous connections are given /64 addresses), and it lets you keep the same address, regardless of IPv4 address changes.

he.net tunnel service runs by a Business ISP with 24 x 7 staff at multiple locations and a national US backbone (to find out more about IPv6 at Hurricane Electric visit http://ipv6.he.net/).  Gain the ability to get your own /64 prefix once your tunnel is up and get a full view of the IPv6 BGP4+ routing table.

Now I've played around with both of these tunnel providers.  Although Freenet6 offers a /48 prefix he.net has much better tools.  They also offer usage graphs on their site.  So in this article were going to utilize the he.net service.

So, let's get our account shall we?  Head over to he.net and register down there on the bottom.  Don't forget to tell them you heard about us on bsdhound.com.  Once you get your email back, log back into their servers and you need to tell them your IPv4 address.  This is important since IPv6 is not the current standard you're going to need to embed your 6 packets inside 4 packets.  Once you get your email around the next day or two saying your tunnel is approved you can continue on.  And don't forget to sign up for the /64 prefix.  Your going to need that if you wish to do any kind of routing.

Configuration

Know Your Network

We're going to make a basic 2 computer network here: Your server and your client.
Now we're going to setup the gateway as a nice friendly FreeBSD box and the client we're going to go over setting it up as a FreeBSD client.  In later articles I will cover how to do this in OpenBSD and also setup a Windows 2000 client.

First here's our tunnel information given to us from tunnelbroker:
Server IPv4 address: 111.111.111.111
Server IPv6 address: 2222:222:2222::222/127
Client IPv4 address: 333.333.333.333
Client IPv6 address: 4444:444:4444:444::444/127
Assigned /64: 5555:555:5555:555::/64

Configuring the Gateway on FreeBSD

Now let's start with the fun.  Let's go and edit our /etc/rc.conf so our system knows about our new toy.
#Your Gateway's Hostname Here
hostname="gateway.yourdomain.com"
#The Network Cards in your box
network_interfaces="xl0 xl1 lo0"
##Loopback Interface
ipv6_ifconfig_lo0="::1 prefixlen 128"
##External Interface
ipv6_ifconfig_xl0="4444:444:4444:444::444 prefixlen 128"
ipv6_prefix_xl0="5555:555:5555:555::"
##Internal Interface
ipv6_ifconfig_xl1="5555:555:5555:555::1 prefixlen 64"
#Extra Stuff
ipv6_enable="YES"
ipv6_network_interface="xl0 xl1"
ipv6_default_router="2222:222:2222::222"
rtadvd_enable="YES"
rtadvd_interfaces="xl1"
ipv6_gateway_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipv6_ipfilter_rules="/etc/ipf6.rules"
Now are you confused yet?  I hope not.  Things only get more fun from here.  Let's go ahead and create a script to start the tunnel over to our broker.  Go ahead and edit your /etc/rc.local and add something like this:
echo -n " Establishing HE.NET Tunnel "
/sbin/ifconfig gif0 create
/sbin/ifconfig gif0 tunnel 333.333.333.333 111.111.111.111
/sbin/ifconfig gif0 inet6 4444:444:4444:444::444 2222:222:2222::222 prefixlen 128
/sbin/route -n add -inet6 default 2222:222:2222::222
/sbin/ifconfig gif0 up
Now we need set a couple of kernel options.  Now edit your /etc/sysctl.conf and add these lines in there:
net.inet6.ip6.accept_rtadv=0
net.inet6.ip6.forwarding=1
This allows you to be a router for IPv6 as you can only be a router or a client.  So, on your other systems these options will be in reverse.  Next in line we need to create our /etc/rtadvd.conf and file it should contain something like the following:
default:
:raflags#0:rltime#3600:
:pinfoflags#64:vltime#360000:pltime#360000:mtu#1500:
ether:
:mtu#1280:tc=default:
# interfaces.
xl1:
:addrs#1:
:addr="5555:555:5555:555::":prefixlen#64:tc=ether:
Ok.. Now we have the networking information setup we still need to tell our firewall what to do with this.  Since IPv6 is a completely different stack we need a second firewall on our box: 1 for IPv4 and 1 for IPv6.

Inside your /etc/ipf.rules you should have a pass our in and out rule for each interface to allow the IPv6 packets.
pass out quick on xl0 proto ipv6 all
pass in quick on xl0 proto ipv6 all
and the same for your internal nic.  Next were going to create a very basic set of rules for our 6 stack.  Create and edit /etc/ipf6.rules
pass out quick all
pass in quick all
Now another important aspect is your /etc/hosts file.  Here we have something like this:
::1                     localhost
127.0.0.1               localhost.my.domain     localhost
5555:555:5555:555::1    server.yourdomain.com   server
333.333.333.333         server.yourdomain.com   server
5555:555:5555:555::aaaa client.yourdomain.com   client
10.0.0.4                client.yourdomain.com   client
Notice how our IPv6 addresses go before the IPv4.  There is a reason for this.  When your system reads the hosts file it's going to take the first address for that host in it.  Since we have our IPv6 address for our client if we try to do something like ssh into the client it will try IPv6 before IPv4.  Now reboot and you should be all configured and ready to go.

When your system comes back online, try pinging and if you get a return response your good to go.  You should see something similar to this:
# ping6 www.6bone.net

PING6(56=40+8+8 bytes) 4444:444:4444:444::444 --> 3ffe:b00:c18:1::10
16 bytes from 3ffe:b00:c18:1::10, icmp_seq=0 hlim=61 time=175.393 ms
16 bytes from 3ffe:b00:c18:1::10, icmp_seq=1 hlim=61 time=179.547 ms
16 bytes from 3ffe:b00:c18:1::10, icmp_seq=2 hlim=61 time=204.748 ms
--- 6bone.net ping6 statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 175.393/186.563/204.748/12.970 ms
Congratulations you now have a router.  Now onto the client.

Configuring A FreeBSD IPv6 Client

Now the hard part is done you have a routing IPv6 stack.  So we just need to tell our clients there is an address available and to use it.  First, we need to tell our client to accept RA broadcasts.  Go and edit your /etc/sysctl.conf file and add in the following:
net.inet6.ip6.accept_rtadv=1
net.inet6.ip6.forwarding=0
Next run the following command as root:
# rtsol -D xl0

Note:  Replace xl0 with whatever your NIC is.

You should be presented with an output something like:
checking if xl0 is ready...
xl0 is ready
set timer for xl0 to 0:184944
New timer is 0:00184701
timer expiration on xl0, state = 1
send RS on xl0, whose state is 2
set timer for xl0 to 4:0
New timer is 4:00001235
received RA from XXXX::XXX:XXXXXXXX:XXXX on xl0, state is 2
stop timer for xl0
there is no timer
Congrats, you should now be able to ping6 www.6bone.net from the client.  Now I would suggest you add the rtsol command to your /etc/rc.local to avoid future headache's.  Some other configurations you will need to do are (these are not required but nice to have):
ifconfig_lo0="inet 127.0.0.1"
ipv6_ifconfig_lo0="::1 prefixlen 128"
ipv6_ifconfig_xl0="YOUR GIVEN IPV6 ADDRESS FROM THE GATEWAY prefixlen 64"
ipv6_prefix_xl0="5555:555:5555:555::"
ipv6_default_router="5555:555:5555:555::1"
ipv6_enable="YES"
ipv6_network_interface="xl0"
Reboot and you should have a fully functional IPv6 client.  Please read up on our next article about setting up and configuring your clients on Windows 2000 and XP along with configuring an OpenBSD client and server.

References

Onlamp
Daemon News
FreeBSD Handbook

Author: Leigh Renfrow
soup4you2 at mac dot com