Installing a Subnet
Contents
Introduction
Once you have installed and have aiccu working for a single computer, you may want to create your own subnet, allowing other computers in your network IPv6 connectivity. The first thing to do is request a subnet from your SixXs home page. Once you have a subnet assigned you will need to configure your aiccu client machine. Some information on this is available in the FAQ, in the section ' Connectivity (Tunnels and Subnets) : How do I give connectivity to other hosts on my subnet'. Further information is documented on this page.
In your SixXS home page you will see a table marked subnet, that looks something like the one below, which you will use as the basis of your configuration.
| Details | Tunnel Endpoint | Subnet Prefix | State |
|---|---|---|---|
| R1234 | 2001:db8:f:49::2 | 2001:db8:18d::/48 | Enabled |
Configuration
Linux
Let us assume that IPv6 tunnel is already running, and that you have been granted a routed subnet. If you are not running routing software, such as Quagga, then you can install the radvd package using your distribution's package management tool.
Say you want to slice off the :0000/64 subnet from the /48 you have been granted. Then:
1. Add an IPv6 address to the chosen interface::
ip addr add 2001:db8:18d::1/64 dev eth0
(or)
To preserve across reboots, you can put the following in /etc/network/interfaces
iface eth0 inet6 static
address 2001:db8:18d::1
netmask 64
2. Tell radvd to advertise the router on the interface. Write in /etc/radvd.conf:
interface eth0
{
AdvSendAdvert on;
prefix 2001:db8:18d::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
};
3. Start radvd:
/etc/init.d/radvd start
4. Make sure that forwarding is on:
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
You're set! Now, you'll probably want to firewall your connection.
MacOS X
The first thing to do is edit the /etc/rtadvd.conf file (which is used by rtadvd). The first value is the interface to which your subnet is connected and the next is your subnet prefix. For example:
en0:\ :addrs#1:addr="2001:db8:18d::":prefixlen#64:
(Please notice that you have not bound the whole 2001:db:18d::/48 subnet to en0. 2001:db:18d:: is the same thing as 2001:db8:18d:0000::. If your provider is routing 2001:db8:18d::/48 to you, then you can still assign to network interfaces and route 65535 more subnets, from 2001:db8:18d:1::/64 to 2001:db8:18d:ffff::/64.)
Once you have configured this, open the 'system preferences' and configure your IPv6 address to be the subnet prefix, followed by 1. In this case it would be '2001:db8:18d::1'. The route address can be left blank and will default the local host (::1). The follow shows what you should expect to see if you are using MacOS X 10.4:
On the command line run the following sequence of commands (assuming aiccu is not running):
sudo sysctl -w net.inet6.ip6.forwarding=1 sudo sysctl -w net.inet6.ip6.redirect=1 aiccu start rtadvd -s en0
All the other computers in the subnet the IPv6 settings should be set to automatic.
For the address of the DNS server, which rtadvd does not provide, you will either need to specify it manually or use an IPv4 DHCP server. Note that while DHCPv6 may be an option, it does not come bundled standard with MacOS X and for this reason is not documented here as an option at this time.
The Firewall settings in the "Security" system preferences, in MacOS X 10.5 are IPv6 aware, though if you wish to do more advanced configuration there is ip6fw.
MacOS X 10.6 Server
OS X Snow Leopard Server installs out of the box with IPv6 fully disabled except for loopback in the included ip6fw configuration, meaning, by default, you're pretty much lobotomized on first boot. On the other hand, mail, apache2 and dns come automatically configured to accept IPv6. Go figure.
In spite of the documentation, Server Admin is completely useless in fixing this. How the firewall manages the default state for IPv6 is with the following two keys in the /etc/ipfilter/ip_address_groups.plist file:
<key>IPv6Mode</key> <string>DenyAllExceptLocal</string> <key>IPv6Control</key> <true/>
The basic alternate modes are:
DenyAllExceptLocal -- IPv6 loopback only DenyAll -- Everything Disabled NoRules -- Turn Off The Firewall Entirely (theoretically)
The default configuration (DenyAllExceptLocal) provides the following ip6fw rules:
add 1 allow udp from any to any 626 add 1000 allow all from any to any via lo0 add 1100 allow all from any to ff02::/16 65000 deny ipv6 from any to any
The alternate block configuration (DenyAll) is even more draconian:
65000 deny ipv6 from any to any
Like this wasn't unintuitive enough, even if you do boot with the most permissive setting (NoRules), it comes up with the following rules:
add allow udp from any to any 626 add allow ipv6 from any to any via lo0 add allow ipv6 from any to ff02::/16 add deny ipv6 from any to any 65535 allow ipv6 from any to any
Exactly. So, tTo actually get it to a NoRules state, you'll have to flush manually:
sudo ip6fw flush
This will remove all of Apple's default rules and leave you with:
65000 deny ipv6 from any to any
I've wrapped my box with a separate IPv6 firewall in front of it for the mean time but once I perform the Apple recommended steps of hacking a script manually into startup sequence, you'll have to wait.
One other thing! Note that any changes you make manually to the system will be lost both at reboot and, in some cases, if you modify the rules for IPv4 via the Server Admin interface. YMMV.
Apple TV
See the article "AppleTV IPv6 Router" (external site), which explains how to configure AppleTV to be an IPv6 router.
DD-WRT
Since version SVN16267 of DD-WRT aiccu is already installed in the bigger builds of DD-WRT and ready to go.
- Make your DD-WRT writable by enabling the jffs according to 'Journalling Flash File System' in the DD-WRT Wiki.
- Enable IPv6 through the web interface. Configure the radvd likewise, substitute the 2001:DB8::/64 with your subnet. (NOT the tunnel IP's!)
interface br0
{
AdvSendAdvert on;
prefix 2001:DB8::/64
{
};
};
- Enable NTP and set to UTC+00, no summer time saving.
- The adapted config file aiccu.conf goes to /jffs/etc/aiccu.conf.
- Add a start script to /jffs/etc/config/aiccu.ipup
#!/bin/sh aiccu start /jffs/etc/aiccu.conf #add subnet addr and routes ip -6 addr add 2001:DB8::/64 dev br0 ip -6 route add 2001:DB8::/64 dev br0
For more though outdated info see the 'IPv6 entry' in the DD-WRT Wiki.
Open-WRT
To configure IPv6 on your Open WRT based router see the 'IPv6 How To' in the Open WRT Wiki.
Troubleshooting
The first thing to check, if computers behind your router can't connect to IPv6 sites, is whether you have a firewall running on the the router. If you do then try turning it off and see if makes any difference. If it does then you will need to work out what changes you need to make to allow the hosts to access the internet, without having to turn off the firewall altogether (you should always have a firewall in place).
