IPv6 is not “coming”, it’s here!
In this document, this is example data and this is data to be entered at the keyboard
To use IPv6 on my network, as the ISP doesn’t yet provide IPv6, I designate a machine to act as 6to4 router. Users could also use configured 6in4 tunnelling, but that involves interaction with a third party and won’t be quite as fast, although it does allow the use of more advanced features like reverse DNS and multicast. 6to4 is probably the fastest option for sites without pure IPv6 access.
6to4 gives each IPv4 machine a rather large range of IPv6 addresses to play with. The upper 48 bits contain the 6to4 identifier and the IPv4 address of that machine, so other computers on the Internet know where to send the replies. The remaining bits are yours to do with as you please. Usually the lower 64 bits contain a variation of a machine’s ethernet address when used on an ethernet subnet, leaving 16 bits to identify the subnet, or the use you are putting the addresses to. If you have multiple machines to choose from, best use the one that is closest to the Internet.
You first will have to enable IPv6, usually by loading its module. Then you can add some lines to /etc/network/interfaces.
Originally the following could be used; it also works for a DMZ host behind a NAT when routerip is altered to return the NAT’s public IP address. How to do this varies from NATbox to NATbox, but often you can script a screenscrape of a NATbox web page or telnet session.
iface sit0 inet6 static
address `printf "2002:%02x%02x:%02x%02x::" \`routerip | tr "." " "\``
netmask 16
gateway ::192.88.99.1
Newer systems that are not behind any NAT can also use the following:
iface tun6to4 inet manual
up /sbin/ip tunnel add tun6to4 mode sit ttl 64 remote any local $(routerip)
up /usr/local/sbin/6to4guard
up /sbin/ip link set dev tun6to4 up
up /sbin/ip -6 addr add `printf "2002:%02x%02x:%02x%02x::" \`routerip | tr "." " "\``/16 dev tun6to4
up /sbin/ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4 metric 1
# up /sbin/ip -6 route add 2000::/3 via ::$(friendip) dev tun6to4 metric 1
down /sbin/ip -6 route flush dev tun6to4
down /sbin/ip link set dev tun6to4 down
down /sbin/ip tunnel del tun6to4
This program determines your IP. Put it in /usr/local/sbin/ called routerip. You need the debian packages iproute, grep and sed for this to be useful.
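#!/bin/sh
# interface that carries the route towards the 6to4 relay anycast address
interface=`/sbin/ip route list match 192.88.99.1 | sed 's/[[:print:]]\+dev //g'`
# its IPv4 address, taken from the "inet addr:" field of ifconfig
ip=`/sbin/ifconfig $interface | grep "inet addr:" | cut -d : -f 2 | cut -d " " -f 1`
echo $ip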
Normally I would not be using IP tables as applications can take care of security, however nothing else can protect you from being used as an anonymous IP forwarder. Exceptionally, you may need this behaviour if a trustworthy friend’s 192.88.99.1 node is broken and they need you to be their IPv6 gateway! Here follows the contents of the script 6to4guard mentioned above. Here I have 2 local interfaces using IPv6 addresses, and block data from tun6to4 from turning round and falling back in. You can edit it to your needs.
Otherwise you may route packets that look like this, following the route REJECTED below.
#!/bin/bash
# beware computer will be very slow while it times out to IPv4 for loopback
# when tables are flushed
ip6tables -F
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -i eth0 -j ACCEPT
ip6tables -A FORWARD -i eth0 -o tun6to4 -j ACCEPT
ip6tables -A FORWARD -i tun6to4 -o eth0 -j ACCEPT
ip6tables -A OUTPUT -o eth0 -j ACCEPT
#ip6tables -A INPUT -i eth1 -j ACCEPT
#ip6tables -A FORWARD -i eth1 -o tun6to4 -j ACCEPT
#ip6tables -A FORWARD -i tun6to4 -o eth1 -j ACCEPT
#ip6tables -A OUTPUT -o eth1 -j ACCEPT
ip6tables -A INPUT -i tun6to4 -j ACCEPT
#ip6tables -A FORWARD -i eth0 -o eth1 -j ACCEPT
#ip6tables -A FORWARD -i eth1 -o eth0 -j ACCEPT
ip6tables -A OUTPUT -o tun6to4 -j ACCEPT
# Change this if a friend needs to use you as a 192.88.99.1 node
# DROP instead of REJECT as IPv4 sender could make up the source address....
ip6tables -A FORWARD -i tun6to4 -o tun6to4 -j DROP
ip6tables -t filter -P INPUT DROP
ip6tables -t filter -P OUTPUT DROP
ip6tables -t filter -P FORWARD DROP
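The comment in 6to4guard notes that an IPv4 sender can make up the source address. When the inner source is itself a 6to4 address, the IPv4 address embedded in it can be compared with the outer IPv4 source, the plausibility check suggested in RFC 3056. This is an added example, not part of the original scripts, and it goes beyond what the ip6tables rules can see; the function names are assumptions and the address pairs are constructed samples such as might be read from a packet capture.

```sh
#!/bin/sh
# Added example; every address below is a constructed sample (documentation ranges).

# embedded_v4 2002:AABB:CCDD:... -> A.B.C.D, the IPv4 address inside a 6to4 address.
# Assumes the input is already a syntactically valid IPv6 address.
embedded_v4() {
    case "$1" in 2002:*) ;; *) return 1 ;; esac
    case "$1" in *[!0-9a-fA-F:]*) return 1 ;; esac
    old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs
    hi=$2; lo=${3:-0}            # an empty third group means "::" starts there
    [ -n "$hi" ] || return 1     # 2002:: embeds 0.0.x.x, never a real sender
    [ "${#hi}" -le 4 ] && [ "${#lo}" -le 4 ] || return 1
    printf '%d.%d.%d.%d\n' "$((0x$hi >> 8))" "$((0x$hi & 255))" \
        "$((0x$lo >> 8))" "$((0x$lo & 255))"
}

# check_6to4 OUTER_IPV4_SRC INNER_IPV6_SRC -> match | spoofed | unverifiable
check_6to4() {
    case "$2" in
        2002:*) ;;
        *) echo unverifiable; return 0 ;;   # native source via a relay: no tie to IPv4
    esac
    v4=$(embedded_v4 "$2") || { echo spoofed; return 0; }
    case "$v4" in                           # private or loopback can never be genuine
        10.*|127.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
            echo spoofed; return 0 ;;
    esac
    if [ "$v4" = "$1" ]; then echo match; else echo spoofed; fi
}

# Constructed (outer IPv4 source, inner IPv6 source) pairs, e.g. from a capture
audit_samples() {
    while read -r outer inner; do
        printf '%-12s %-28s %s\n' "$outer" "$inner" "$(check_6to4 "$outer" "$inner")"
    done <<'EOF'
192.0.2.1 2002:c000:201:1::10
198.51.100.7 2002:c000:201:1::10
203.0.113.9 2002:c0a8:1::1
203.0.113.9 2001:db8::1
EOF
}
audit_samples
```

The "unverifiable" result is the case the DROP rule exists for: a native IPv6 source arriving through the tunnel carries nothing that ties it to the IPv4 sender.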
Then, provided you start 6to4 after your internet connection, you have IPv6. If the system shares a machine with Windows XP, you may substitute 2002:%02x%02x:%02x%02x:: for 2002:%02x%02x:%02x%02x::%02x%02x:%02x%02x and echo $ip for echo $ip.$ip to generate the same address as that OS will give itself. There are also other ways
Although you could set up 6to4 on all your LAN if you are graced with a public v4 subnet, it’s easier in the long run to just use the same arrangement that NAT users would have to, and leave 6to4 on your Internet gateway. All other machines will then configure themselves via parameters provided by that machine. It would make migrating to proper IPv6 easier and let you experiment with native IPv6 locally more easily too.
First, your internal ethernet interface, or bridge for internal interfaces gets configured with a portion of your 6to4 space and its interface. Add these lines under gateway ::192.88.99.1:, assuming you want to use 1 as your subnet number.
up ifconfig $IFACE add `ifconfig sit0 | grep "inet6 addr: 2002" | cut -d : -f 2-4`:1:`c(){ echo ${5:0:1}$(printf %x $((0x${5:1:1}^2)))${5:3:2}:${5:6:2}ff:fe${5:9:2}:${5:12:2}${5:15:2};};c $(ifconfig $IFACE)`/64
down ifconfig $IFACE del `ifconfig sit0 | grep "inet6 addr: 2002" | cut -d : -f 2-4`:1:`c(){ echo ${5:0:1}$(printf %x $((0x${5:1:1}^2)))${5:3:2}:${5:6:2}ff:fe${5:9:2}:${5:12:2}${5:15:2};};c $(ifconfig $IFACE)`/64
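The address layout described at the start (48-bit 6to4 prefix, 16-bit subnet, 64-bit interface ID) and the ifconfig lines above, worked through as standalone shell functions with input validation. This is an added example, not the author's script; the function names and the sample IPv4 address and MAC are assumptions made for illustration.

```sh
#!/bin/sh
# Added example; the address and MACs used with it are constructed samples.

# sixto4_prefix A.B.C.D -> 2002:AABB:CCDD, the upper 48 bits
sixto4_prefix() {
    case "$1" in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        # no empty octets, no leading zeros (some parsers read those as octal)
        case "$o" in ''|0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    # 6to4 needs a public IPv4 address; RFC 1918 space gives an unroutable prefix
    case "$1.$2" in
        10.*|192.168|172.1[6-9]|172.2[0-9]|172.3[01]) return 2 ;;
    esac
    printf '2002:%02x%02x:%02x%02x\n' "$1" "$2" "$3" "$4"
}

# eui64_iid aa:bb:cc:dd:ee:ff -> modified EUI-64 interface ID, the lower 64 bits
eui64_iid() {
    case "$1" in ''|*[!0-9a-fA-F:]*|*:) return 1 ;; esac
    old_ifs=$IFS; IFS=:; set -- $(printf '%s' "$1" | tr 'A-F' 'a-f'); IFS=$old_ifs
    [ "$#" -eq 6 ] || return 1
    for o in "$@"; do
        case "$o" in [0-9a-f][0-9a-f]) ;; *) return 1 ;; esac
    done
    # Flip the universal/local bit (0x02) of the first octet. The 0x prefix
    # matters: a bare hex digit a-f would be read as a shell variable name.
    printf '%02x%s:%sff:fe%s:%s%s\n' "$((0x$1 ^ 2))" "$2" "$3" "$4" "$5" "$6"
}

# sixto4_addr IPV4 SUBNET MAC -> host address on that /64 (SUBNET: 1-4 hex digits)
sixto4_addr() {
    case "$2" in ''|*[!0-9a-fA-F]*|?????*) return 1 ;; esac
    p=$(sixto4_prefix "$1") || return
    i=$(eui64_iid "$3") || return
    printf '%s:%s:%s/64\n' "$p" "$2" "$i"
}

sixto4_addr 192.0.2.1 1 00:11:22:33:44:55   # subnet 1, as in the text
```

A non-zero status of 2 from sixto4_prefix means the IPv4 address is private, which is the behind-NAT case where routerip has to return the NAT's public address instead.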
Your machine has to tell the others to use it as gateway. To do this, you install radvd which acts a bit like DHCP but for IPv6 in that it tells other machines their addresses, and who to use as gateway to the Internet.
radvd requires a configuration file to say which addresses to give out. You can generate this automatically from your sit0 address, if you don’t have a fixed public IP address. You could generate a config file as follows, assuming your internal interface is eth0 and that it’s already configured with its own public v6 address as above, then start radvd up with /etc/init.d/radvd start. Multiple ethernet interfaces could also be handled separately by giving each their own interface block in radvd.conf if you prefer that, instead of bridging them together as here.
If not using native IPv6, you may need to limit the advertised MTU to 1480 if your IPv4 tunnel or 6to4 link is limited to an MTU of 1500. If using native IPv6, an AdvLinkMTU of 1500 or more is likely to be possible. If it is not set, TCP and UDP find that their too-large packets are thrown away, rather than knowing not to send them, and do not work as well as they could.
#!/bin/sh
IFACE=eth0
NET=`ifconfig $IFACE | grep "inet6 addr: 2002" | cut -d : -f 2-5`
echo 'interface '$IFACE'
{
AdvLinkMTU 1480;
AdvSendAdvert on;
prefix '$NET'::/64
{
AdvOnLink on;
AdvAutonomous on;
};
};' > /etc/radvd.conf
radvd only gives your computers their IP address, and not DNS configuration details, although it can provide the internet address of nameservers, which may well be sufficient. For additional configuration you want wide-dhcpv6-server installed, and wide-dhcpv6-client on your clients. It can also give nodes IP addresses, although I have configured it to give nodes the same addresses that radvd does. It may need patching to support serving on more than one network interface though.
Another thing, DHCPv6 client will by default fight with DHCP for control of your resolv.conf file leaving either the IPv6 or IPv4 address of your nameserver in place. Drop something like the following in Debian’s /etc/default/wide-dhcpv6-client to allow them to co-exist.
if [ "$RESOLVCONF" != "" ]
then
INTERFACES="sit0"
else
INTERFACES="eth0"
fi
It’s useful to create a reverse DNS zone on your nameservers so that machines can have DNS names, even for 6to4 users. They can set up reverse DNS delegation as well.
Users of this service have to use the supplied Netgear ADSL router, and it changes IP address periodically. Users may set a DMZ machine in its configuration, and its inbuilt DHCP server can be set to fix the IP allocation for this machine and others by MAC Address. This machine can provide 6to4 service to the other computers.
iface sit0 inet6 static
up /usr/local/sbin/6to4guard
up /sbin/ifconfig eth0 add $(/usr/local/sbin/lanip)
up /etc/init.d/radvd reload
down /sbin/ifconfig eth0 del $(ifconfig eth0 | grep "inet6 addr: 2002" | tr -s " " | cut -d" " -f4)
address `printf "2002:%02x%02x:%02x%02x::" \`routerip | tr "." " "\``
netmask 16
gateway ::192.88.99.1
#!/bin/bash
# sky router screenscraper
while test -z "${IP2}"
do
IP=$(wget -O - --user=admin --password=sky -q http://192.168.0.1/s_status.htm | grep -A 2 "IP Address" | head -2 | tail -1)
IP2=$(cut -d$'>' -f2 <<<"${IP}" | cut -d$'<' -f1)
sleep 1
done
echo $IP2
LAN=$(/sbin/ifconfig sit0 | grep 2002 | tr -s " " | cut -d" " -f4 | cut -d":" -f1-3)
IP=:`c(){ echo ${5:0:1}$(printf %x $((0x${5:1:1}^2)))${5:3:2}:${5:6:2}ff:fe${5:9:2}:${5:12:2}${5:15:2};};c $(ifconfig eth0)`/64
echo ${LAN}$':1'${IP}
echo -ne $'interface eth0\n{
AdvSendAdvert on;\n
prefix '${LAN}$':1'${IP}$'\n{AdvOnLink on;\nAdvAutonomous on;\nAdvRouterAddr on;\n};\n};' > /etc/radvd.conf
Users may use the same 6to4guard script as above.
Some extra info for trying IPv6 on Windows XP