mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-29 09:38:51 +01:00
703 lines
25 KiB
XML
703 lines
25 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
|
<article>
|
|
<!--$Id$-->
|
|
|
|
<articleinfo>
|
|
<title>6to4 and 6in4 Tunnels</title>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<firstname>Eric</firstname>
|
|
|
|
<surname>de Thouars</surname>
|
|
</author>
|
|
|
|
<author>
|
|
<firstname>Tom</firstname>
|
|
|
|
<surname>Eastep</surname>
|
|
</author>
|
|
</authorgroup>
|
|
|
|
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
|
|
|
<copyright>
|
|
<year>2003-2004</year>
|
|
|
|
<year>2008</year>
|
|
|
|
<year>2009</year>
|
|
|
|
<holder>Eric de Thouars and Tom Eastep</holder>
|
|
</copyright>
|
|
|
|
<legalnotice>
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
Texts. A copy of the license is included in the section entitled
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
License</ulink></quote>.</para>
|
|
</legalnotice>
|
|
</articleinfo>
|
|
|
|
<para>6to4 tunneling with Shorewall can be used to connect your IPv6 network
|
|
to another IPv6 network over an IPv4 infrastructure. It can also allow you
|
|
to experiment with IPv6 even if your ISP doesn't provide IPv6
|
|
connectivity.</para>
|
|
|
|
<para>More information on Linux and IPv6 can be found in the <ulink
|
|
url="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO">Linux IPv6 HOWTO</ulink>.
|
|
Details on how to setup a 6to4 tunnels are described in the section <ulink
|
|
url="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html">Setup
|
|
of 6to4 tunnels</ulink>.</para>
|
|
|
|
<section id="FeetWet">
|
|
<title>Getting your Feet Wet with IPv6, by Tom Eastep</title>
|
|
|
|
<para>6to4 tunnels provide a good way to introduce yourself to IPv6.
|
|
<ulink url="IPv6Support.html">Shorewall6</ulink> was developed on a
|
|
network whose only IPv6 connectivity was an 6to4 Tunnel; that network is
|
|
described in the remainder of this section. What is shown here requires
|
|
Shorewall6 4.2.4 or later.</para>
|
|
|
|
<section>
|
|
<title>Configuring IPv6 using my script</title>
|
|
|
|
<para>I have created an init <ulink
|
|
url="/pub/shorewall/contrib/IPv6/ipv6">script</ulink> to make the job of
|
|
configuring your firewall for IPv6 easier.</para>
|
|
|
|
<para>The script is installed in /etc/init.d and configures ipv6,
|
|
including a 6to4 tunnel, at boot time. Note that the script is included
|
|
in the Shorewall6 distribution but is not installed in /etc/init.d by
|
|
default. The RPMs from shorewall.net, install the file in the package
|
|
documentation directory.</para>
|
|
|
|
<para>The script works on OpenSuSE 11.0 and may need modification for
|
|
other distributions. On OpenSuSE, the script is installed by copying it
|
|
to <filename>/etc/init.d/</filename> then running the command 'chkconfig
|
|
--add ipv6'.</para>
|
|
|
|
<para>At the top of the script, you will see several variables:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>SIT - The name of the tunnel device. Usually 'sit1'</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>INTERFACES - local interfaces that you want to configure for
|
|
IPv6</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>ADDRESS4 - A static IPv4 address on your firewall that you
|
|
want to use for the tunnel.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>SLA - The identity of the first local sub-network that you
|
|
want to assign to the interfaces listed in INTERFACES. Normally one
|
|
(0001).</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>GATEWAY - The default IPv6 gateway. For 6to4, this is
|
|
::192.88.99.1.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>Here is the file from my firewall:</para>
|
|
|
|
<blockquote>
|
|
<para><programlisting>SIT="sit1"
|
|
ADDRESS4=206.124.146.180
|
|
INTERFACES="eth2 eth4"
|
|
SLA=1
|
|
GATEWAY=::192.88.99.1</programlisting></para>
|
|
</blockquote>
|
|
|
|
<para>eth2 is the interface to my local network (both wired and
|
|
wireless). eth4 goes to my DMZ which holds a single server. Here is a
|
|
diagram of the IPv4 network:</para>
|
|
|
|
<graphic align="center" fileref="images/Network2009.png" />
|
|
|
|
<para>Here is the configuration after IPv6 is configured; the part in
|
|
bold font is configured by the /etc/init.d/ipv6 script.</para>
|
|
|
|
<blockquote>
|
|
<para><programlisting>gateway:~ # ip -6 addr ls
|
|
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
|
|
inet6 ::1/128 scope host
|
|
valid_lft forever preferred_lft forever
|
|
1: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
|
|
inet6 fe80::202:e3ff:fe08:484c/64 scope link
|
|
valid_lft forever preferred_lft forever
|
|
2: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
|
|
<emphasis role="bold"> inet6 2002:ce7c:92b4:1::1/64 scope global
|
|
valid_lft forever preferred_lft forever</emphasis>
|
|
inet6 fe80::202:e3ff:fe08:55fa/64 scope link
|
|
valid_lft forever preferred_lft forever
|
|
3: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
|
|
<emphasis role="bold"> inet6 2002:ce7c:92b4:2::1/64 scope global
|
|
valid_lft forever preferred_lft forever</emphasis>
|
|
inet6 fe80::2a0:ccff:fed2:353a/64 scope link
|
|
valid_lft forever preferred_lft forever
|
|
4: sit1@NONE: <NOARP,UP,LOWER_UP> mtu 1480
|
|
<emphasis role="bold"> inet6 ::206.124.146.180/128 scope global
|
|
valid_lft forever preferred_lft forever
|
|
inet6 2002:ce7c:92b4::1/128 scope global
|
|
valid_lft forever preferred_lft forever</emphasis>
|
|
gateway:~ # ip -6 route ls
|
|
<emphasis role="bold">::/96 via :: dev sit1 metric 256 expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295</emphasis>
|
|
<emphasis role="bold">2002:ce7c:92b4::1 dev sit1 metric 256 expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295
|
|
2002:ce7c:92b4:1::/64 dev eth2 metric 256 expires 21333315sec mtu 1500 advmss 1440 hoplimit 4294967295
|
|
2002:ce7c:92b4:2::/64 dev eth4 metric 256 expires 21333315sec mtu 1500 advmss 1440 hoplimit 4294967295</emphasis>
|
|
fe80::/64 dev eth1 metric 256 expires 20748424sec mtu 1500 advmss 1440 hoplimit 4294967295
|
|
fe80::/64 dev eth2 metric 256 expires 20748431sec mtu 1500 advmss 1440 hoplimit 4294967295
|
|
fe80::/64 dev eth4 metric 256 expires 20748431sec mtu 1500 advmss 1440 hoplimit 4294967295
|
|
fe80::/64 dev sit1 metric 256 expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295
|
|
<emphasis role="bold">default via ::192.88.99.1 dev sit1 metric 1 expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295</emphasis>
|
|
gateway:~ # </programlisting></para>
|
|
</blockquote>
|
|
|
|
<para>You will notice that sit1, eth2 and eth4 each have an IPv6 address
|
|
beginning with 2002: -- All 6to4 IPv6 addresses have that in their most
|
|
significant 16 bits. The next 32-bits (ce7c:92b4) encode the IPv4
|
|
ADDRESS (206.124.146.180). So once you start the 6to4 tunnel, you are
|
|
the proud owner of 2<superscript>80</superscript> IPv6 addresses! In the
|
|
case shown here, 2002:ce7c:92b4::/48. The SLA is used to assign each
|
|
interface in INTERFACES, a subnet of 2<superscript>64</superscript>
|
|
addresses; in the case of eth2, 2002:ce7c:92b4:1::/64.</para>
|
|
|
|
<para>I run <ulink url="http://www.litech.org/radvd/">radvd</ulink> on
|
|
the firewall to allow hosts conntected to eth2 and eth4 to automatically
|
|
perform their own IPv6 configuration. Here is my
|
|
<filename>/etc/radvd.conf</filename> file:</para>
|
|
|
|
<blockquote>
|
|
<para><programlisting>interface eth2 {
|
|
AdvSendAdvert on;
|
|
MinRtrAdvInterval 3;
|
|
MaxRtrAdvInterval 10;
|
|
prefix 2002:ce7c:92b4:1::/64 {
|
|
AdvOnLink on;
|
|
AdvAutonomous on;
|
|
AdvRouterAddr off;
|
|
};
|
|
|
|
RDNSS 2002:ce7c:92b4:2:2a0:ccff:fedb:31c4 {
|
|
AdvRDNSSOpen on;
|
|
AdvRDNSSPreference 2;
|
|
};
|
|
};
|
|
|
|
interface eth4 {
|
|
AdvSendAdvert on;
|
|
MinRtrAdvInterval 3;
|
|
MaxRtrAdvInterval 10;
|
|
prefix 2002:ce7c:92b4:2::/64 {
|
|
AdvOnLink on;
|
|
AdvAutonomous on;
|
|
AdvRouterAddr off;
|
|
};
|
|
|
|
RDNSS 2002:ce7c:92b4:2:2a0:ccff:fedb:31c4 {
|
|
AdvRDNSSOpen on;
|
|
AdvRDNSSPreference 2;
|
|
};
|
|
};</programlisting></para>
|
|
</blockquote>
|
|
|
|
<note>
|
|
<para>radvd terminates immediately if IPv6 forwarding is not enabled.
|
|
So it is a good idea to include this in<filename>
|
|
/etc/sysctl.conf</filename>:</para>
|
|
|
|
<programlisting>net.ipv6.conf.all.forwarding = 1</programlisting>
|
|
|
|
<para>That way, if radvd starts before Shorewall6, it will continue to
|
|
run.</para>
|
|
|
|
<para>An alternative is to modify
|
|
<filename>/etc/init.d/radvd</filename> so that radvd starts after
|
|
Shorewall6:</para>
|
|
|
|
<programlisting># Should-Start: shorewall6</programlisting>
|
|
</note>
|
|
|
|
<para>Here is the automatic IPv6 configuration on my server attached to
|
|
eth4:</para>
|
|
|
|
<blockquote>
|
|
<para><programlisting>webadmin@lists:~/ftpsite/contrib/IPv6> /sbin/ip -6 addr ls
|
|
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
|
|
inet6 ::1/128 scope host
|
|
valid_lft forever preferred_lft forever
|
|
2: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
|
|
<emphasis role="bold"> inet6 2002:ce7c:92b4:2:2a0:ccff:fedb:31c4/64 scope global dynamic
|
|
valid_lft 2591995sec preferred_lft 604795sec</emphasis>
|
|
inet6 fe80::2a0:ccff:fedb:31c4/64 scope link
|
|
valid_lft forever preferred_lft forever
|
|
webadmin@lists:~/ftpsite/contrib/IPv6> /sbin/ip -6 route ls
|
|
<emphasis role="bold">2002:ce7c:92b4:2::/64 dev eth2 proto kernel metric 256 expires 2592161sec mtu 1500 advmss 1440 hoplimit 4294967295</emphasis>
|
|
fe80::/64 dev eth2 metric 256 expires 20746963sec mtu 1500 advmss 1440 hoplimit 4294967295
|
|
fe80::/64 dev ifb0 metric 256 expires 20746985sec mtu 1500 advmss 1440 hoplimit 4294967295
|
|
<emphasis role="bold">default via fe80::2a0:ccff:fed2:353a dev eth2 proto kernel metric 1024 expires 29sec mtu 1500 advmss 1440 hoplimit 64</emphasis>
|
|
webadmin@lists:~/ftpsite/contrib/IPv6> </programlisting></para>
|
|
</blockquote>
|
|
|
|
<para>You will note that the public IPv6 address of eth2
|
|
(2002:ce7c:92b4:2:2a0:ccff:fedb:31c4) was formed by concatenating the
|
|
prefix for eth2 shown in radvd.conf (2002:ce7c:92b4:2) and the lower 64
|
|
bits of the link level address of eth2 (2a0:ccff:fedb:31c4). You will
|
|
also notice that the address 2002:ce7c:92b4:2:2a0:ccff:fedb:31c4 appears
|
|
in the RDNSS clauses in radvd.conf; that causes my server to be
|
|
automatically configured as a DNS server.</para>
|
|
|
|
<para>The default route is described using the link level address of
|
|
eth2 on the firewall (fe80::2a0:ccff:fed2:353a).</para>
|
|
|
|
<para>On my laptop, ursa:</para>
|
|
|
|
<blockquote>
|
|
<para><programlisting>ursa:~ # ip -6 addr ls dev eth0
|
|
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
|
|
<emphasis role="bold"> inet6 2002:ce7c:92b4:1:21a:24ff:fecb:2bcc/64 scope global dynamic
|
|
valid_lft 2591996sec preferred_lft 604796sec</emphasis>
|
|
inet6 fe80::21a:73ff:fedb:8c35/64 scope link
|
|
valid_lft forever preferred_lft forever
|
|
ursa:~ # ip -6 route ls dev eth0
|
|
<emphasis role="bold">2002:ce7c:92b4:1::/64 proto kernel metric 256 expires 2592160sec mtu 1500 advmss 1440 hoplimit 4294967295</emphasis>
|
|
fe80::/64 metric 256 expires 21314573sec mtu 1500 advmss 1440 hoplimit 4294967295
|
|
<emphasis role="bold">default via fe80::202:e3ff:fe08:55fa proto kernel metric 1024 expires 28sec mtu 1500 advmss 1440 hoplimit 64</emphasis>
|
|
ursa:~ #</programlisting></para>
|
|
</blockquote>
|
|
|
|
<para>Here is the resulting simple IPv6 Network:</para>
|
|
|
|
<graphic align="center" fileref="images/Network2009b.png" />
|
|
</section>
|
|
|
|
<section>
|
|
<title>Configuring IPv6 the Debian Way</title>
|
|
|
|
<para>In May 2009, I rebuilt the above firewall using Debian GNU/Linux
|
|
and decided to configure IPv6 using the
|
|
<filename>/etc/network/interfaces</filename> file.</para>
|
|
|
|
<para>When I installed Debian Lenny on the system, the network
|
|
interfaces were reunmbered as follows:</para>
|
|
|
|
<table frame="void">
|
|
<title>Interface Renaming</title>
|
|
|
|
<tgroup cols="2">
|
|
<tbody>
|
|
<row>
|
|
<entry><emphasis role="bold">Old
|
|
Configuration</emphasis></entry>
|
|
|
|
<entry><emphasis role="bold">New
|
|
Configuration</emphasis></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>eth0 (Avvanta Interface)</entry>
|
|
|
|
<entry>eth3</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>eth3 (Comcast Interface)</entry>
|
|
|
|
<entry>eth0</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>eth2 (Local Interface)</entry>
|
|
|
|
<entry>eth1</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>eth4 (DMZ Interface)</entry>
|
|
|
|
<entry>eth2</entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</table>
|
|
|
|
<para>So the IPv4 network was transformed to this:</para>
|
|
|
|
<graphic align="center" fileref="images/Network2009a.png" />
|
|
|
|
<para>To implement the same IPv6 network as described above, I used this
|
|
/etc/shorewall/interfaces file:</para>
|
|
|
|
<blockquote>
|
|
<para><programlisting>auto lo
|
|
iface lo inet loopback
|
|
|
|
auto eth0
|
|
iface eth0 inet dhcp
|
|
hwaddress ether 00:11:85:89:da:9b
|
|
|
|
auto eth1
|
|
iface eth1 inet static
|
|
address 172.20.1.254
|
|
netmask 255.255.255.0
|
|
network 172.20.1.0
|
|
broadcast 172.20.1.255
|
|
|
|
<emphasis role="bold">iface eth1 inet6 static
|
|
address 2002:ce7c:92b4:1::1
|
|
netmask 64 </emphasis>
|
|
|
|
auto eth2
|
|
iface eth2 inet static
|
|
address 206.124.146.176
|
|
netmask 255.255.255.255
|
|
up ip route add 206.124.146.177/32 dev eth2
|
|
|
|
<emphasis role="bold">iface eth2 inet6 static
|
|
address 2002:ce7c:92b4:2::1
|
|
netmask 64
|
|
</emphasis>
|
|
auto eth3 eth3:0 eth3:1 eth3:2
|
|
iface eth3 inet static
|
|
address 206.124.146.176
|
|
netmask 255.255.255.0
|
|
network 206.124.146.0
|
|
broadcast 206.124.146.255
|
|
|
|
iface eth3:0 inet static
|
|
address 206.124.146.178
|
|
netmask 255.255.255.0
|
|
broadcast 206.124.146.255
|
|
|
|
iface eth3:1 inet static
|
|
address 206.124.146.179
|
|
netmask 255.255.255.0
|
|
broadcast 206.124.146.255
|
|
|
|
iface eth3:2 inet static
|
|
address 206.124.146.180
|
|
netmask 255.255.255.0
|
|
broadcast 206.124.146.255
|
|
|
|
<emphasis role="bold">auto sit1
|
|
iface sit1 inet6 v4tunnel
|
|
address 2002:ce7c:92b4::1
|
|
netmask 64
|
|
endpoint 192.88.99.1
|
|
local 206.124.146.180
|
|
gateway ::192.88.99.1
|
|
post-up echo 1 > /proc/sys/net/ipv6/conf/all/forwarding</emphasis></programlisting></para>
|
|
</blockquote>
|
|
|
|
<para>That file produces the following IPv6 network.</para>
|
|
|
|
<graphic align="center" fileref="images/Network2008c.png" />
|
|
</section>
|
|
|
|
<section>
|
|
<title>Configuring Shorewall</title>
|
|
|
|
<para>We need to add an entry in /etc/shorewall/tunnels and restart
|
|
Shorewall:</para>
|
|
|
|
<blockquote>
|
|
<para><programlisting>#TYPE ZONE GATEWAY GATEWAY
|
|
# ZONE
|
|
6to4 net
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
|
</programlisting></para>
|
|
</blockquote>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Configuring Shorewall6</title>
|
|
|
|
<para><emphasis role="bold">STOP</emphasis> -- If you have followed the
|
|
instructions above, you should have a completely functional IPv6
|
|
network. Try:</para>
|
|
|
|
<programlisting><emphasis role="bold">ping6 www.kame.net
|
|
ping6 ipv6.chat.eu.freenode.net</emphasis>
|
|
</programlisting>
|
|
|
|
<para>If neither of those work from your firewall and from any local
|
|
IPv6 systems that you have behind your firewall, do not go any further
|
|
until one of them does work. If you ask for help from the Shorewall
|
|
team, the first question we will ask is 'With Shorewall6 cleared, can
|
|
you ping6 kame or freenode?'.</para>
|
|
|
|
<para>The Shorewall6 configuration on my firewall is a very basic
|
|
three-interface one.</para>
|
|
|
|
<para>Key entry in
|
|
<filename>/etc/shorewall6/shorewall6.conf</filename>:</para>
|
|
|
|
<blockquote>
|
|
<para><programlisting>IP_FORWARDING=On</programlisting></para>
|
|
</blockquote>
|
|
|
|
<para><filename>/etc/shorewall6/zones</filename>:</para>
|
|
|
|
<blockquote>
|
|
<para><programlisting>#ZONE TYPE OPTIONS IN OUT
|
|
# OPTIONS OPTIONS
|
|
fw firewall
|
|
net ipv6
|
|
loc ipv6
|
|
dmz ipv6
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
|
|
</blockquote>
|
|
|
|
<para><filename>/etc/shorewall6/interfaces</filename>:</para>
|
|
|
|
<blockquote>
|
|
<para><programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
|
net sit1 detect tcpflags,forward=1,nosmurfs
|
|
loc eth0 detect tcpflags,forward=1
|
|
dmz eth2 detect tcpflags,forward=1
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
|
</programlisting></para>
|
|
</blockquote>
|
|
|
|
<para><filename>/etc/shorewall6/policy</filename>:</para>
|
|
|
|
<blockquote>
|
|
<para><programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
|
net all DROP info
|
|
loc net ACCEPT
|
|
dmz net ACCEPT
|
|
all all REJECT info</programlisting></para>
|
|
</blockquote>
|
|
|
|
<para><filename>/etc/shorewall6/rules</filename>:</para>
|
|
|
|
<blockquote>
|
|
<para><programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
|
# PORT PORT(S) DEST LIMIT GROUP
|
|
#
|
|
# Accept DNS connections from the firewall to the network
|
|
#
|
|
DNS(ACCEPT) $FW net
|
|
#
|
|
# Accept SSH connections from the local network for administration
|
|
#
|
|
SSH(ACCEPT) loc $FW
|
|
#
|
|
# Allow Ping everywhere
|
|
#
|
|
Ping(ACCEPT) all all
|
|
|
|
#
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
|
</programlisting></para>
|
|
</blockquote>
|
|
</section>
|
|
</section>
|
|
|
|
<section id="SixInFour">
|
|
<title>6in4 Tunnel</title>
|
|
|
|
<para>6in4 is very similar to 6to4:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Both Tunnel IPv6 traffic over IPv4 using Protocol 41</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Both allow you access to the IPv6 network even though your ISP
|
|
doesn't offer native IPv6 connectivity.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>The differences are:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>6in4 gives you a /64 prefix outside of the 2002::0/16
|
|
network</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>You have a dedicated fixed endpoint for the tunnel rather than
|
|
the nebulous anycast endpoint 192.88.99.1. This is:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Much more reliable</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Much easier to troubleshoot (there is ONE host and one
|
|
company to call on the other end of the tunnel rather than an
|
|
indefinite cloud with noone in charge)</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>I converted to a 6in4 Tunnel from <ulink
|
|
url="http://tunnelbroker.net/">Hurricane Electric</ulink> in April of
|
|
2010. Converting from the 6to4 tunnel configuration above to a 6in4 tunnel
|
|
from HE took less than an hour.</para>
|
|
|
|
<para>When I signed up for a tunnel with HE, I received these
|
|
assignments:</para>
|
|
|
|
<blockquote>
|
|
<para>Server IPv4 address: 216.218.226.238</para>
|
|
|
|
<para>Server IPv6 address: 2001:470:a:227::1/64</para>
|
|
|
|
<para>Client IPv4 address: 206.124.146.180 (Same as the 6to4
|
|
tunnel)</para>
|
|
|
|
<para>Client IPv6 address: 2001:470:a:227::2/64 </para>
|
|
</blockquote>
|
|
|
|
<para>I also took advantage of their offer for a /48 prefix routed via
|
|
2001:470:a:227::2. The prefix I was assigned is</para>
|
|
|
|
<blockquote>
|
|
<para>2001:470:e857::/48</para>
|
|
</blockquote>
|
|
|
|
<para>Here are the key changes:</para>
|
|
|
|
<para><filename>/etc/network/interfaces:</filename></para>
|
|
|
|
<programlisting>iface eth1 inet6 static
|
|
address <emphasis role="bold">2001:470:e857:1::1</emphasis>
|
|
netmask 64
|
|
|
|
auto eth2
|
|
...
|
|
iface eth2 inet6 static
|
|
address 2<emphasis role="bold">001:470:e857:2::1</emphasis>
|
|
netmask 64
|
|
|
|
auto sit1
|
|
iface sit1 inet6 v4tunnel
|
|
address <emphasis role="bold">2001:470:a:227::2</emphasis>
|
|
netmask 64
|
|
endpoint <emphasis role="bold">216.218.226.238 </emphasis>
|
|
local 206.124.146.180
|
|
gateway <emphasis role="bold">2001:470:a:227::1</emphasis>
|
|
post-up echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
|
|
|
|
</programlisting>
|
|
|
|
<para><filename>/etc/radvd.conf (I'm currently not using RDNSS so I've
|
|
simply commented out the existing entries)</filename>:</para>
|
|
|
|
<programlisting>interface eth1 {
|
|
AdvSendAdvert on;
|
|
MinRtrAdvInterval 60;
|
|
MaxRtrAdvInterval 600;
|
|
AdvDefaultLifetime 9000;
|
|
prefix <emphasis role="bold">2001:470:e857:1</emphasis>::/64 {
|
|
AdvOnLink on;
|
|
AdvAutonomous on;
|
|
AdvRouterAddr off;
|
|
};
|
|
|
|
route ::/0 {
|
|
AdvRouteLifetime infinity;
|
|
};
|
|
|
|
<emphasis role="bold"># RDNSS 2002:ce7c:92b4:2:221:5aff:fe22:ace0 {
|
|
# AdvRDNSSOpen on;
|
|
# AdvRDNSSPreference 2;
|
|
# };</emphasis>
|
|
};
|
|
|
|
interface eth2 {
|
|
AdvSendAdvert on;
|
|
MinRtrAdvInterval 60;
|
|
MaxRtrAdvInterval 600;
|
|
prefix <emphasis role="bold">2001:470:e857:2</emphasis>::/64 {
|
|
AdvOnLink on;
|
|
AdvAutonomous on;
|
|
AdvRouterAddr off;
|
|
};
|
|
|
|
<emphasis role="bold"># RDNSS 2002:ce7c:92b4:2:221:5aff:fe22:ace0 {
|
|
# AdvRDNSSOpen on;
|
|
# AdvRDNSSPreference 2;
|
|
# }; </emphasis>
|
|
};
|
|
</programlisting>
|
|
</section>
|
|
|
|
<section id="Tunnel6to4">
|
|
<title>Connecting two IPv6 Networks, by Eric de Thouars</title>
|
|
|
|
<para>Suppose that we have the following situation:</para>
|
|
|
|
<graphic fileref="images/TwoIPv6Nets1.png" />
|
|
|
|
<para>We want systems in the 2002:100:333::/64 subnetwork to be able to
|
|
communicate with the systems in the 2002:488:999::/64 network. This is
|
|
accomplished through use of the
|
|
<filename>/etc/shorewall/tunnels</filename> file and the <quote>ip</quote>
|
|
utility for network interface and routing configuration.</para>
|
|
|
|
<para>Unlike GRE and IPIP tunneling, the
|
|
<filename>/etc/shorewall/policy</filename>,
|
|
<filename>/etc/shorewall/interfaces</filename> and
|
|
<filename>/etc/shorewall/zones</filename> files are not used. There is no
|
|
need to declare a zone to represent the remote IPv6 network. This remote
|
|
network is not visible on IPv4 interfaces and to iptables. All that is
|
|
visible on the IPv4 level is an IPv4 stream which contains IPv6 traffic.
|
|
Separate IPv6 interfaces and ip6tables rules need to be defined to handle
|
|
this traffic.</para>
|
|
|
|
<para>In <filename>/etc/shorewall/tunnels</filename> on system A, we need
|
|
the following:</para>
|
|
|
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
|
6to4 net 134.28.54.2</programlisting>
|
|
|
|
<para>This entry in <filename>/etc/shorewall/tunnels</filename> opens the
|
|
firewall so that the IPv6 encapsulation protocol (41) will be accepted
|
|
to/from the remote gateway.</para>
|
|
|
|
<para>Use the following commands to setup system A:</para>
|
|
|
|
<programlisting>><command>ip tunnel add tun6to4 mode sit ttl 254 remote 134.28.54.2</command>
|
|
><command>ip link set dev tun6to4 up</command>
|
|
><command>ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4</command>
|
|
><command>ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2</command></programlisting>
|
|
|
|
<para>Similarly, in <filename>/etc/shorewall/tunnels</filename> on system
|
|
B we have:</para>
|
|
|
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
|
6to4 net 206.191.148.9</programlisting>
|
|
|
|
<para>And use the following commands to setup system B:</para>
|
|
|
|
<programlisting>><command>ip tunnel add tun6to4 mode sit ttl 254 remote 206.191.148.9</command>
|
|
><command>ip link set dev tun6to4 up</command>
|
|
><command>ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4</command>
|
|
><command>ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1</command></programlisting>
|
|
|
|
<para>On both systems, restart Shorewall and issue the configuration
|
|
commands as listed above. The systems in both IPv6 subnetworks can now
|
|
talk to each other using IPv6.</para>
|
|
</section>
|
|
</article>
|