Installing a Subnet

From SixXS Wiki

Introduction

Once you have installed aiccu and have it working for a single computer, you may want to create your own subnet, giving other computers in your network IPv6 connectivity. The first thing to do is request a subnet from your SixXS home page. Once you have a subnet assigned, you will need to configure your aiccu client machine. Some information on this is available in the FAQ, in the section 'Connectivity (Tunnels and Subnets): How do I give connectivity to other hosts on my subnet'. Further information is documented on this page.

In your SixXS home page you will see a table marked subnet, that looks something like the one below, which you will use as the basis of your configuration.

Details   Tunnel Endpoint     Subnet Prefix        State
R1234     2001:db8:f:49::2    2001:db8:18d::/48    Enabled

Configuration

Linux

Let us assume that the IPv6 tunnel is already running, and that you have been granted a routed subnet. If you are not running routing software, such as Quagga, then you can install the radvd package using your distribution's package management tool.

Say you want to slice off the :0000/64 subnet from the /48 you have been granted. Then:

1. Add an IPv6 address to the chosen interface:

ip addr add 2001:db8:18d::1/64 dev eth0

(or)

To preserve the address across reboots, you can put the following in /etc/network/interfaces:

iface eth0 inet6 static
     address 2001:db8:18d::1
     netmask 64

2. Tell radvd to advertise the router on the interface. Write in /etc/radvd.conf:

interface eth0
{
       AdvSendAdvert on;
       prefix 2001:db8:18d::/64
       {
               AdvOnLink on;
               AdvAutonomous on;
               AdvRouterAddr on;
       };
};

3. Start radvd:

/etc/init.d/radvd start

4. Make sure that forwarding is on:

echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

You're set! Now, you'll probably want to firewall your connection.
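
One way to firewall the forwarded subnet, as an added example that is not part of the original wiki page: a shell function that prints a default-deny ip6tables-restore ruleset for the router configured in the steps above. The tunnel interface name sixxs and the function name gen_ruleset are assumptions; eth0 and 2001:db8:18d::/64 are the values used in the steps above.

```sh
#!/bin/sh
# Added example: print an ip6tables-restore ruleset for the radvd router.
# Assumption (not from the page): the tunnel interface is called "sixxs".

gen_ruleset() {
    lan_if=$1 tun_if=$2 prefix=$3
    # The arguments are pasted into rule text, so reject anything that is
    # not a plain interface name or IPv6 prefix.
    for name in "$lan_if" "$tun_if"; do
        case $name in
            ""|*[!A-Za-z0-9_.-]*) echo "bad interface name" >&2; return 1 ;;
        esac
    done
    case $prefix in
        ""|*[!0-9a-fA-F:/]*) echo "bad prefix: $prefix" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Router itself: loopback, replies, and ICMPv6 (neighbour discovery, RS/RA).
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
# Forwarded traffic: replies to connections that LAN hosts opened.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may connect outward, but only with a source address inside the
# routed prefix (anti-spoofing).
-A FORWARD -i $lan_if -o $tun_if -s $prefix -j ACCEPT
# ICMPv6 that has to cross a firewall (RFC 4890): error messages and ping.
-A FORWARD -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for the example subnet; review it, then load it as root
# with: gen_ruleset eth0 sixxs 2001:db8:18d::/64 | ip6tables-restore
gen_ruleset eth0 sixxs 2001:db8:18d::/64
```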

MacOS X

The first thing to do is edit the /etc/rtadvd.conf file (which is used by rtadvd). The first value is the interface to which your subnet is connected and the next is your subnet prefix. For example:

en0:\
    :addrs#1:addr="2001:db8:18d::":prefixlen#64:

(Please notice that you have not bound the whole 2001:db8:18d::/48 subnet to en0. 2001:db8:18d:: is the same thing as 2001:db8:18d:0000::. If your provider is routing 2001:db8:18d::/48 to you, then you can still assign to network interfaces and route 65535 more subnets, from 2001:db8:18d:1::/64 to 2001:db8:18d:ffff::/64.)

Once you have configured this, open the 'system preferences' and configure your IPv6 address to be the subnet prefix, followed by 1. In this case it would be '2001:db8:18d::1'. The route address can be left blank and will default to the local host (::1). The following shows what you should expect to see if you are using MacOS X 10.4:

[Screenshot: IPv6 System Preferences]

On the command line run the following sequence of commands (assuming aiccu is not running):

sudo sysctl -w net.inet6.ip6.forwarding=1
sudo sysctl -w net.inet6.ip6.redirect=1
sudo aiccu start
sudo rtadvd -s en0

On all the other computers in the subnet, the IPv6 settings should be set to automatic.

For the address of the DNS server, which rtadvd does not provide, you will either need to specify it manually or use an IPv4 DHCP server. Note that while DHCPv6 may be an option, it does not come bundled standard with MacOS X and for this reason is not documented here as an option at this time.

The Firewall settings in the "Security" system preferences in MacOS X 10.5 are IPv6 aware, though if you wish to do more advanced configuration there is ip6fw.

MacOS X 10.6 Server

OS X Snow Leopard Server installs out of the box with IPv6 fully disabled except for loopback in the included ip6fw configuration, meaning, by default, you're pretty much lobotomized on first boot. On the other hand, mail, apache2 and dns come automatically configured to accept IPv6. Go figure.

In spite of the documentation, Server Admin is completely useless in fixing this. How the firewall manages the default state for IPv6 is with the following two keys in the /etc/ipfilter/ip_address_groups.plist file:

 <key>IPv6Mode</key>
 <string>DenyAllExceptLocal</string>
 <key>IPv6Control</key> 
 <true/>

The basic alternate modes are:

 DenyAllExceptLocal -- IPv6 loopback only
 DenyAll -- Everything Disabled
 NoRules -- Turn Off The Firewall Entirely (theoretically)

The default configuration (DenyAllExceptLocal) provides the following ip6fw rules:

 add 1 allow udp from any to any 626 
 add 1000 allow all from any to any via lo0 
 add 1100 allow all from any to ff02::/16 
 65000 deny ipv6 from any to any

The alternate block configuration (DenyAll) is even more draconian:

 65000 deny ipv6 from any to any

Like this wasn't unintuitive enough, even if you do boot with the most permissive setting (NoRules), it comes up with the following rules:

 add allow udp from any to any 626
 add allow ipv6 from any to any via lo0
 add allow ipv6 from any to ff02::/16
 add deny ipv6 from any to any
 65535 allow ipv6 from any to any

Exactly. So, to actually get it to a NoRules state, you'll have to flush manually:

 sudo ip6fw flush

This will remove all of Apple's default rules and leave you with:

 65000 deny ipv6 from any to any

I've wrapped my box with a separate IPv6 firewall in front of it for the meantime but once I perform the Apple-recommended steps of hacking a script manually into the startup sequence, you'll have to wait.

One other thing! Note that any changes you make manually to the system will be lost both at reboot and, in some cases, if you modify the rules for IPv4 via the Server Admin interface. YMMV.

Apple TV

See the article "AppleTV IPv6 Router" (external site), which explains how to configure AppleTV to be an IPv6 router.

DD-WRT

Since version SVN16267 of DD-WRT, aiccu is already installed in the bigger builds of DD-WRT and ready to go.

  • Enable IPv6 through the web interface. Configure radvd likewise, substituting your subnet for 2001:DB8::/64 (NOT the tunnel IPs!).
 interface br0
  {
  AdvSendAdvert on;
  prefix 2001:DB8::/64
    {
    };
  };
  • Enable NTP and set to UTC+00, no summer time saving.
  • The adapted config file aiccu.conf goes to /jffs/etc/aiccu.conf.
  • Add a start script to /jffs/etc/config/aiccu.ipup
 #!/bin/sh
 aiccu start /jffs/etc/aiccu.conf
 
 #add subnet addr and routes
 
 ip -6 addr add 2001:DB8::/64 dev br0
 ip -6 route add 2001:DB8::/64 dev br0


For more, though outdated, info see the 'IPv6 entry' in the DD-WRT Wiki.

Open-WRT

To configure IPv6 on your Open WRT based router see the 'IPv6 How To' in the Open WRT Wiki.

Troubleshooting

The first thing to check, if computers behind your router can't connect to IPv6 sites, is whether you have a firewall running on the router. If you do, then try turning it off and see if it makes any difference. If it does, then you will need to work out what changes you need to make to allow the hosts to access the internet, without having to turn off the firewall altogether (you should always have a firewall in place).