Getting full IPv6 connectivity at home.

One of the things I like to do is play with technologies, tinker with my home network to get it up to perfection and do exactly what I want.

Half a year ago I decided I wanted to have full IPv6 connectivity in my entire home network by the end of 2009, this is a guide on how I (with the help of my housemate Rem) did just that.

Just to make something clear here, I’m assuming the following setup:

• You have one interface in the gateway connected to the internet, eth0
• Another interface to which multiple PC’s are connected that gain connection to the internet through this gateway, eth1

First things first. Ziggo, my current ISP does not support IPv6 yet so the only option I had for IPv6 connectivity was finding a tunnelbroker to create a 6to4 tunnel to my home and then have a subnet routed to my 6to4 tunnel so that I could push IPv6 route advertisements into my network and give all the local clients in my network IPv6 connectivity.

Which is where SixXS comes in. They do exactly that. They are a tunnelbroker for IPv6 with multipe Points of Presence across quite a few countries. I signed up for a SixXS tunnel and selected Leaseweb as my PoP, it was the only one available back then.

I selected a heartbeat-AYIYA tunnel since it is the only one which can function correctly over a connection with a non-static IP provided by your provider. If unsure, just go for the heartbeat-AYIYA tunnel.

NOTE: all commands which are show here are expected to either be run as root or sudo’ed, you will run into problems otherwise.

Once I received my confirmations and had a tunnel assigned to me I installed AICCU on my Debian gateway and configured the tunnel:

apt-get install aiccu


You will be asked a few things by a little ncurses-wizard on the commandline which will create a working aiccu configurationfile and bring up the SixXS tunnel. You should now have a sixxs interface in ifconfig.

One you have collected enough credits by keeping your tunnel online for a while you can request a subnet, a /48, which will be routed to your endpoint. IP’s from inside that subnet you can push to clients on your LAN to give them IPv6 connectivity.

I’m going to assume a few things here:

• Your SixXS IP on the sixxs interface: 2001:xxxx:yyyy:zzzz::2/64
• Your SixXS routed subnet: 2001:aaaa:bbbb::/48

First, we need to configure the LAN interface of our gateway, in my case eth1 with an IPv6 address from the routed subnet. Add something like this to /etc/network/interfaces

iface eth1 inet6 static
address 2001:aaaa:bbbb::
netmask 48
gateway 2001:xxxx:yyyy:zzzz::2


Since we are going to become a router here we need to allow for IPv6 forwarding. To this end, edit /etc/sysctl.conf and add the following entries at the end of the file:

net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1


And reload the sysctl configuration with: sysctl -p
Restart aiccu: invoke-rc.d aiccu restart

Then bring eth1 down and back up again with:

ifdown --force eth1; ifup eth1


Good, now it is time to advertise our /48 to our LAN so clients can pick up an IPv6 address. Since a /48 is huge and I found it unnecessary to advertise the whole /48 I decided to advertise a portion of that network, a /64.

To this purpose we must first install the route advertisement daemon:

apt-get install radvd


Now edit /etc/radvd.conf:

interface eth1 {
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
prefix 2001:aaaa:bbbb::/64 {
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
};


Restart radvd with:

invoke-rc.d radvd restart


And we’re done.

If all went well and you replaced the a, b, x, y and z's with the correct numbers and letters from your tunnel and subnet Windows Vista/7, Linux and Mac OS X Tiger and higher clients should now have an IPv6 interface too beginning with 2001:aaaa:bbbb:something:something:something:something:something and be able to connect to IPv6 capable hosts such as http://ipv6.google.com.

There is one slight problem however… We’re not firewalling anything right now so both the gateway and all the clients on our LAN with an IPv6 address are fully exposed to the internet. This might be something you want but generally you don’t.

What I wanted is to be able to connect over IPv6 to my gateway through SSH, accept rtorrent connections to the gateway over IPv6 and make sure no-one from the internet can access the hosts on my LAN over IPv6 except for ping.

Time to create a firewall script which does just that. Note that, in contrary to what people tend to believe, iptables rules which already have been created do not affect IPv6, you need to create separate rules with the ip6tables command.


#!/bin/sh
IP6="/sbin/ip6tables"
PUBIF="sixxs"
LIF="eth1"
SUB="2001:aaaa:bbbb::"
MASK="48"

# First, delete all:
$IP6 -F
$IP6 -X
$IP6 -t mangle -F
$IP6 -t mangle -X

echo "Starting IPv6 Firewall"

# Set the default policy
$IP6 -P INPUT DROP
$IP6 -P FORWARD DROP
$IP6 -P OUTPUT ACCEPT


I named that script firewallv6 and saved it to /etc/network/if-up.d so it will be run whenever an interface is brought up. This just ensures the IPv6 firewall rules are always created.

To make everyone’s life easier, just wget the script like this:

cd /etc/network/if-up.d/
wget http://projectdaenney.org/wp-content/uploads/2009/10/firewallv6


Time to start the firewall, but lets make it executable first:

chmod +x /etc/network/if-up.d/firewallv6
/etc/network/if-up.d/firewallv6


And there you go. Your IPv6 hosts on your local LAN are now safe but they can still access the outside world over IPv6.