My 6bone router using OpenBSD

Jan Jungnickel <jj@carmunity.com> translated this page into Deutsch (German); see here for the German version.

I am using OpenBSD 2.9-RELEASE (was using 2.7 and 2.8 with the same config) on an i386 box (Toshiba Satellite Pro 420 CDT laptop) with a 3Com PCMCIA ethernet card and a Hayes Optima 28.8k modem as my dialup link.

Since originally writing this article, I have made the router into a firewall; see here for how.

This is how I have it set up to be my IPv6 tunnel endpoint

I have been allocated the IPv6 address space 3ffe:8001:0005::/48 from Trumpet.com.au (Thanks Peter!).

My tunnel endpoint details were provided by Peter as :

3ffe:8000:ffff:1005::100/64     Tunnel to Carl Brewer (Trumpet end)
203.5.119.58

3ffe:8000:ffff:1005::101/64     Tunnel to Carl Brewer (My (carl) end)
203.6.241.1

The IPv4 address of my external gateway is 203.6.241.1.

This is what it looks like :

LAN Diagram

In /etc/rc.local I have this :

echo -n ' setting up IPv6 to Trumpet'
ifconfig gif0 giftunnel 203.6.241.1 203.5.119.58
ifconfig gif0 inet6 3ffe:8000:ffff:1005::101
route add -inet6 3ffe:8000:ffff:1005::100 -prefixlen 64 3ffe:8000:ffff:1005::101
route add -inet6 default 3ffe:8000:ffff:1005::100
route6d

And for my internal (ethernet) interface, I have this in /etc/hostname.ep1 :

% more /etc/hostname.ep*
inet 203.6.241.130 255.255.255.192 NONE
inet6 alias 3ffe:8001:0005:0002::1 64

I used 3ffe:8001:0005:0002::1 instead of letting it autoconfigure; it's a router, so it's not allowed to autoconfigure.

I also set up rtadvd :

/etc/rtadvd.conf 

ep1:\
        :addrs#1:addr="3ffe:8001:5:2::":prefixlen#64:tc=ether:

And enable it in /etc/rc.conf (I want it to serve addresses for my network hanging off ep1) :

rtadvd_flags=ep1        # for normal use: list of interfaces

So it autoconfigures hosts on my ethernet to be in the IPv6 network 3ffe:8001:5:2::/64.

In /etc/sysctl.conf I have this :

net.inet6.ip6.forwarding=1      # 1=Permit forwarding (routing) of packets
net.inet6.ip6.accept_rtadv=0    # 1=Permit IPv6 autoconf (forwarding must be 0)

You'll note that I have not allowed IPv6 autoconf on this box. You can't run autoconfigure on a router (it wouldn't make much sense!).

And, that's it.

My ifconfig reveals :

% ifconfig -a
lo0: flags=8009 mtu 32972
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000 
lo1: flags=8008 mtu 32972
ep1: flags=8863 mtu 1500
        media: Ethernet 10baseT
        inet 203.6.241.130 netmask 0xffffffc0 broadcast 203.6.241.191
        inet6 fe80::2a0:24ff:feab:9cda%ep1 prefixlen 64 scopeid 0x1
        inet6 3ffe:8001:5:2::1 prefixlen 64
sl0: flags=c010 mtu 296
sl1: flags=c010 mtu 296
ppp0: flags=8051 mtu 1500
        inet 203.6.241.1 --> 203.16.200.5 netmask 0xffffffc0 
ppp1: flags=8010 mtu 1500
tun0: flags=10 mtu 3000
tun1: flags=10 mtu 3000
enc0: flags=0<> mtu 1536
enc1: flags=0<> mtu 1536
enc2: flags=0<> mtu 1536
enc3: flags=0<> mtu 1536
bridge0: flags=0<> mtu 1500
bridge1: flags=0<> mtu 1500
gre0: flags=8010 mtu 1450
gif0: flags=8011 mtu 1280
        physical address inet 203.6.241.1 --> 203.5.119.58
        inet6 fe80::2a0:24ff:feab:9cda%gif0 -> :: prefixlen 64 scopeid 0x11
        inet6 3ffe:8000:ffff:1005::101 -> :: prefixlen 64
gif1: flags=8010 mtu 1280
gif2: flags=8010 mtu 1280
gif3: flags=8010 mtu 1280

And my routing tables :

% netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use    Mtu  Interface
default            203.16.200.5       UG          1    57258   1500  ppp0
127/8              127.0.0.1          UGRS        0        0  32972  lo0
127.0.0.1          127.0.0.1          UH          1       19  32972  lo0
203.6.241.128/26   link#1             UC          0        0   1500  ep1
203.6.241.132      8:0:20:18:a8:7d    UHL         0       27   1500  ep1
203.6.241.133      8:0:20:18:a8:7d    UHL         0        7   1500  ep1
203.6.241.134      8:0:20:18:a8:7d    UHL         3   259268   1500  ep1
203.6.241.158      0:0:39:11:ec:9     UHL         0        1   1500  ep1
203.6.241.192/26   203.6.241.134      UGS         0     3616   1500  ep1
203.16.200.5       203.6.241.1        UH          1        0   1500  ppp0
224/4              127.0.0.1          URS         0        0  32972  lo0

Internet6:
Destination                        Gateway                        Flags     Refs     Use    Mtu  Interface
::/104                             ::1                            UGRS        0        0  32972  lo0 =>
::/96                              ::1                            UGRS        0        0  32972  lo0 =>
default                            3ffe:8000:ffff:1005::100       UGS         0       10   1280  gif0
::1                                ::1                            UH         12        0  32972  lo0
::127.0.0.0/104                    ::1                            UGRS        0        0  32972  lo0
::224.0.0.0/100                    ::1                            UGRS        0        0  32972  lo0
::255.0.0.0/104                    ::1                            UGRS        0        0  32972  lo0
::ffff:0.0.0.0/96                  ::1                            UGRS        0        0  32972  lo0
2002::/24                          ::1                            UGRS        0        0  32972  lo0
2002:7f00::/24                     ::1                            UGRS        0        0  32972  lo0
2002:e000::/20                     ::1                            UGRS        0        0  32972  lo0
2002:ff00::/24                     ::1                            UGRS        0        0  32972  lo0
3ffe:8000:ffff:1005::/64           3ffe:8000:ffff:1005::101       UGS         1        0   1280  gif0
3ffe:8000:ffff:1005::101           ::1                            UH          1        0  32972  lo0
3ffe:8001:5:2::/64                 link#1                         UC          0        0   1500  ep1
3ffe:8001:5:2::1                   ::1                            UH          0        0  32972  lo0
3ffe:8001:5:2:a00:20ff:fe11:48b7   link#1                         UHL         1        0   1500  ep1
3ffe:8001:5:2:a00:20ff:fe18:a87d   8:0:20:18:a8:7d                UHL         0       21   1500  ep1
3ffe:8001:5:3::/64                 fe80::a00:20ff:fe18:a87d%ep1   UG          0        0   1500  ep1
fe80::/10                          ::1                            UGRS        0        0  32972  lo0
fe80::%ep1/64                      link#1                         UC          0        0   1500  ep1
fe80::2a0:24ff:feab:9cda%ep1       0:a0:24:ab:9c:da               UHL         0        1   1500  lo0
fe80::a00:20ff:fe18:a87d%ep1       8:0:20:18:a8:7d                UHL         1        4   1500  ep1
fe80::%lo0/64                      fe80::1%lo0                    U           0        0  32972  lo0
fe80::%gif0/64                     link#17                        UC          0        0   1280  gif0
fe80::2a0:24ff:feab:9cda%gif0      ::1                            UH          0        1  32972  lo0
fec0::/10                          ::1                            UGRS        0        0  32972  lo0
ff01::/32                          ::1                            U           0        0  32972  lo0
ff02::%ep1/32                      link#1                         UC          0        0   1500  ep1
ff02::%lo0/32                      fe80::1%lo0                    UC          0        0  32972  lo0
ff02::%gif0/32                     link#17                        UC          0        0   1280  gif0

Encap:
Source             Port  Destination        Port  Proto SA(Address/SPI/Proto) 

And I can ping hosts on my internal network using IPv6 :

% ping6 -v clunker.bl.echidna.id.au (FreeBSD 4.0-RELEASE)
PING6(56=40+8+8 bytes) 3ffe:8001:5:2::1 --> 3ffe:8001:5:2:260:8ff:fe34:4929
32 bytes from 3ffe:8001:5:2:260:8ff:fe34:4929: Neighbor Advertisement
16 bytes from 3ffe:8001:5:2:260:8ff:fe34:4929, icmp_seq=0 hlim=64 dst=3ffe:8001:5:2::1%1 time=645.209 ms
16 bytes from 3ffe:8001:5:2:260:8ff:fe34:4929, icmp_seq=1 hlim=64 dst=3ffe:8001:5:2::1%1 time=4.931 ms

% ping6 www.sharks.org.au (Solaris 8)
PING6(56=40+8+8 bytes) 3ffe:8001:5:2::1 --> 3ffe:8001:5:2:a00:20ff:fe18:a87d
16 bytes from 3ffe:8001:5:2:a00:20ff:fe18:a87d, icmp_seq=0 hlim=255 time=2.229 ms
16 bytes from 3ffe:8001:5:2:a00:20ff:fe18:a87d, icmp_seq=1 hlim=255 time=7.804 ms

And I can see the outside world :

% traceroute6 www.kame.net
traceroute to kame212.kame.net (3ffe:501:4819:2000:5054:ff:fedc:50d2), 30 hops max, 12 byte packets
 1  3ffe:8000:ffff:1005::100  267.044 ms  269.293 ms *
 2  pc1.losangeles.wide.ad.jp  621.829 ms  621.569 ms  629.542 ms
 3  pc7.otemachi.wide.ad.jp  719.124 ms  732.745 ms  711.343 ms
 4  pc3.nezu.wide.ad.jp  729.925 ms  759.793 ms  821.277 ms
 5  paradise.v6.kame.net  707.127 ms  751.83 ms  737.642 ms
 6  pine.v6.kame.net  739.935 ms  759.207 ms  773.658 ms

And I can see the outside world from hosts inside my network :

{807} : traceroute www.kame.net
traceroute: Warning: Multiple interfaces found; using 3ffe:8001:5:2:a00:20ff:fe18:a87d @ le0:1
traceroute to kame212.kame.net (3ffe:501:4819:2000:5054:ff:fedc:50d2), 30 hops max, 60 byte packets
 1  shag6.bl.echidna.id.au (3ffe:8001:5:2::1)  19.571 ms  2.221 ms  1.760 ms
 2  3ffe:8000:ffff:1005::100  259.353 ms *  251.194 ms
 3  pc1.losangeles.wide.ad.jp (3ffe:501:0:4401:200:f8ff:fe03:db34)  630.987 ms  632.118 ms  606.662 ms
 4  pc7.otemachi.wide.ad.jp (3ffe:501:0:1802:2e0:18ff:fe98:a28d)  713.810 ms  715.759 ms  721.673 ms
 5  3ffe:501:0:1c01:200:f8ff:fe03:d9c0  720.049 ms  914.868 ms  767.260 ms
 6  paradise.v6.kame.net (3ffe:501:4819:2000:2e0:18ff:fe98:f19d)  730.100 ms  784.013 ms  783.334 ms
 7  pine.v6.kame.net (3ffe:501:4819:2000:5054:ff:fedc:50d2)  1257.317 ms  760.332 ms  806.871 ms

Finally, I have IPFilter running on the OpenBSD box, and this is my firewall rule to let all IPv6 tunnel traffic through :

# IPv6 tunnel ...
pass in quick proto 41 from any to any
pass out quick proto 41 from any to any

I know IPFilter can do proper IPv6 firewalling, but I haven't set it up yet.
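
A tighter version of the two tunnel rules, as an added example that is not part of the original page: it passes protocol 41 only between the two gif0 endpoints shown above (203.6.241.1 and 203.5.119.58) and logs and blocks every other protocol 41 packet. Binding the rules to ppp0 is an assumption taken from the ifconfig output, where ppp0 holds 203.6.241.1. These rules look only at the outer IPv4 header, so the IPv6 traffic carried inside the tunnel is still unfiltered.

```conf
# Before (the rules from the page): any host on the IPv4 Internet may
# exchange IPv6-in-IPv4 (protocol 41) packets with this router.
#   pass in quick proto 41 from any to any
#   pass out quick proto 41 from any to any

# After: protocol 41 is accepted only from the Trumpet end of the tunnel
# to my end, and sent only from my end to the Trumpet end.
pass in  quick on ppp0 proto 41 from 203.5.119.58/32 to 203.6.241.1/32
pass out quick on ppp0 proto 41 from 203.6.241.1/32 to 203.5.119.58/32

# Anything else using protocol 41 is logged and dropped, on any interface,
# so encapsulated packets from unexpected sources show up in the ipf log
# instead of reaching gif0.
block in  log quick proto 41 from any to any
block out log quick proto 41 from any to any
```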

Further info on my network: inside I have a Sun SPARC 10 running Solaris 8, which runs BIND9 as an IPv6 DNS server, Sendmail 8.12.0 beta12, and KAME-patched Apache 1.3.12, so you can get to our web pages over the 6bone.

I use the Solaris 8 box to back up the OpenBSD box for autoconfiguration, and it is also a router to another internal network, routing IPv6 natively.

The Solaris IPv6 setup is really simple; it's a router and an autoconf host :

In /etc/ I have empty hostname6.le0 and hostname6.le1 files, and in /etc/inet I have this :

rollcage# more ndpd.conf
ifdefault AdvSendAdvertisements true
#
prefix 3ffe:8001:5:3::0/64      le1
#
# le0 is a duplicate .. it should also get this from shag/ring
prefix 3ffe:8001:5:2::0/64      le0

And that's pretty much it. It's running /usr/lib/inet/in.ripngd -s so it gets routes from shag (my OpenBSD router).

I have also set up Solaris and FreeBSD as 6bone tunnel endpoints. FreeBSD was almost identical to OpenBSD; they're both KAME implementations. If putting those setups here would be useful to anyone, email me!