At Home With IPv6 and FreeBSD

Mon, 06/06/2011 - 10:10

A few years ago, CiscoWorks LAN Management Solution introduced support for IPv6.  I figured that was a good enough excuse to learn IPv6.  After all, that is the future of the Internet.  I had a collection of FreeBSD machines at home, and I knew they had wonderful support for IPv6.  While chatting on IRC, I learned that Hurricane Electric offered a free IPv6 tunnel service complete with your own /64.  Who wouldn’t want 18 quintillion IP addresses (you never know when you will have to address a small galaxy)? 


My main router/firewall is a FreeBSD box, and Hurricane Electric made it easy to get the incoming IPv6 connection working.  HE provided a simple sample config.  Getting the tunnel interface up was just the first step, though.  If I were going to be able to view the Kame dancing turtle (which was the geek’s way of testing IPv6 back then), I would need to provide IPv6 addresses to my other machines on my intranet.  I decided to take my /64 and make the last octet of the address be the same as my last IPv4 octet.  For example, my main workstation had an IPv4 address of 192.168.1.4.  So its IPv6 became 2001:470:1f00:2464::4.  That made things easy to remember.


Next up was satisfying the hosts that used IPv4 DHCP.  I didn’t want to go with full-blown IPv6 DHCP.  Stateless address autoconfiguration (SLAAC) was fine for me.  I configured my main firewall/router to run rtadvd to hand out IPv6 addresses to my various laptops and other DHCP hosts.


I had all of the addressing set up, but I was unable to connect to the Kame site and see the dancing turtle.  Turns out I forgot to enable IPv6 forwarding on the FreeBSD router.  After setting the net.inet6.ip6.forwarding sysctl, I had a dancing turtle!



The last thing I had to take care of was the firewall.  When one is used to using RFC1918 addresses with NAT at home, it could be easy to forget that all of this /64 block is directly reachable on the v6 Internet.  It’s critical that you protect your /64 just as you would your main IPv4 interface.  I used the IPFW firewall, and there is a lot of documentation available to configure this firewall to meet your needs.


For your reference, here is the /etc/rc.conf config from my FreeBSD firewall/router showing all of the IPv6 network parameters I set up.  I look forward to seeing your IPv6 in my web server access log.


ipv6_enable="YES"
# These next four lines come straight out of the Hurricane
# Electric sample config for FreeBSD
gif_interfaces="gif0"
gifconfig_gif0="24.172.16.118 64.71.128.82"
ipv6_ifconfig_gif0="2001:470:1F00:FFFF::1279/127"
ipv6_defaultrouter="2001:470:1F00:FFFF::1278"
# This next line is critical to provide IPv6 switching
# services
ipv6_gateway_enable="YES"
ipv6_ifconfig_bge0="2001:470:1F00:2464::1 prefixlen 64"
# Don't forget to enable the firewall!
ipv6_firewall_enable="YES"
ipv6_firewall_type="/etc/ip6fw-rules.sh"
ipv6_firewall_flags="-p /bin/sh"
# Enable SLAAC on the intranet interface.
rtadvd_enable="YES"
rtadvd_interfaces="bge0"
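
The post does not show the contents of /etc/ip6fw-rules.sh. The following is an added example, not the author's file, of a default-deny stateful ruleset for the routed /64, written so that its standard output is the rule list, as the "-p /bin/sh" preprocessor flag expects. Interface names and the prefix come from the rc.conf above; the rule numbers, the ICMPv6 policy and the lint_rules helper are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: default-deny IPv6 rules for the routed /64.
# Rule numbers and policy are constructed for illustration.
WAN_IF="gif0"                       # Hurricane Electric tunnel
LAN_IF="bge0"                       # intranet interface running rtadvd
LAN_NET="2001:470:1F00:2464::/64"   # the routed /64 from rc.conf

# ICMPv6 that IPv6 needs to function: errors (1-4, including Packet Too
# Big), echo (128,129) and router/neighbor discovery (133-136).
ICMP6_OK="1,2,3,4,128,129,133,134,135,136"

# Print the ruleset, one ipfw command per line.
emit_rules() {
    cat <<EOF
add 100 allow ip6 from any to any via lo0
add 200 deny log ip6 from ${LAN_NET} to any in recv ${WAN_IF}
add 300 allow ipv6-icmp from any to any icmp6types ${ICMP6_OK}
add 400 check-state
add 500 allow ip6 from ${LAN_NET} to any in recv ${LAN_IF} keep-state
add 600 allow ip6 from me6 to any out keep-state
add 65000 deny log ip6 from any to any
EOF
}

# Hypothetical helper: the ruleset on stdin must end in a catch-all deny
# and must not create state for new flows arriving on the tunnel.
lint_rules() {
    rules=$(cat)
    printf '%s\n' "$rules" | tail -n 1 |
        grep -q "deny .*ip6 from any to any" || return 1
    ! printf '%s\n' "$rules" | grep "keep-state" | grep -q "recv ${WAN_IF}"
}

# Emit rules only if they pass the check; an empty ruleset leaves the
# kernel's own default rule in force.
if emit_rules | lint_rules; then
    emit_rules
else
    echo "ip6fw-rules: ruleset failed lint, nothing loaded" >&2
fi
```

Rule 200 drops packets that claim a source inside the /64 but arrive from the tunnel, and rule 500 is the only place forwarded flows gain state, so every host on the /64 is reachable from the v6 Internet only for replies to connections it opened, plus the listed ICMPv6 types.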
