Setting up IPv6 at home
By Jeroen van Nieuwenhuizen
I wanted to experiment with IPv6 for a long time. However I never had the time and thought
it would involve changing a lot of settings. Then I found out about Sixxs an
IPv6 Deployment & Tunnel Broker where you can sign up for free.
First of all I had to sign up with Sixxs. First I created a 6BONE handle to be able to sign-up.
After that I went through the sign-up process of Sixxs. When my sign up was approved
I logged in to the secure website and requested a tunnel, which was assigned in a very short
time. Because Heimdall my core router (I do have a backup router at home) gets its IP address by DHCP
I decided to choose a tunnel with heartbeat.
Setting up the router
The first thing I had to do when configuring the router (OpenBSD 3.3) was to
create a tunnel over IPv4. This was done by the following command:
ifconfig gif0 tunnel <localip> <remoteip>
After that IPv6 IPs needed to be assigned to this tunnel which was still straightforward:
ifconfig gif0 inet6 <localipv6ip> <remoteipv6ip> prefixlen 128
Now I had created the tunnel. But of course I also need a default route for the
IPv6 packets. Hence route add -inet6 default <remoteipv6ip> was entered at the prompt
which gave me the needed default route.
Now the only thing needed to do was to configure heartbeat. First I downloaded the
source and ran a make. After that I downloaded the configuration file from my tunnel settings page.
The only thing needed to be adjusted was the OS type, which by default is set to Linux.
After changing this to OpenBSD I ran heartbeat-client heartbeat.conf as root, which should
activate the tunnel.
Checking the IPv6 tunnel with ping6 proved that the setup had succeeded. Now the only thing
left to do is setting up a subnet on my local network. But before you can get a subnet
from sixxs you first have to have a IPv6 tunnel for 1 week, hence at this point I was
forced to wait.
Well a few weeks later my credits still had not increased, so I decided to
take a look in my firewall logs. I found out that I blocked incoming ipv6 echo
requests. So time to search why. I expected that my firewall did allow icmp6
packets. But because I am tunneling ipv6 over ipv4 that is not the case. So I
had to change my firewall to allow ipv6 traffic from my POP to reach
gif0 (note ne1 is my external interface). This was done by adding the following
2 rules to my firewall configuration
pass in on ne1 inet proto ipv6 from <POP.IPV4> to (ne1) keep state
pass out on ne1 inet proto ipv6 from (ne1) to <POP.IPV4> keep state
Of course we need to filter on gif0 after that to have a firewall on IPV6. This was done by adding
the following firewall rules:
block drop in on gif0 all
pass out on gif0 all
pass in on gif0 inet6 proto ipv6-icmp all keep state
Setting up the subnet
After having received a subnet (2001:838:3c6::/48) I had to start using it on my internal network.
The first step was configuring my router to act as a routing advertising daemon. After that I needed
to configure the hosts.
This was done by first giving the router an IPv6 address on the internal interface by
ifconfig ne0 inet6 2001:838:3c6::1 prefixlen 48
After that I had
to enable IPv6 forwarding and disable the acccept_rtadv. This
was done by
After that I had to edit /etc/rtadvd.conf.
After that it was only a matter of starting rtadvd with
the ne0 option (rtadvd ne0).
Supplemental: After a reboot this did not work anymore.
The problem was that rtadvd can not advertise IPv6 ips with
a prefixlen op 48. Setting it to 64 using only a part of my IPv6 space
solves this problem.
Setting up the FreeBSD hosts is simple. Adding
ipv6_network_interfaces="auto" to /etc/rc.conf does the trick.
Furthermore you have to issue
on the hosts in the internal network.
The only thing left to do now was run rtsold <interface> to avoid a reboot.
Although the above looks very simple, I ran into problems on one host
with messages like network not available and no route to host. After an hour or so
I found out that this was caused by the default block policy of the firewall of this host.
After accepting ipv6 icmp packets in the firewall configuration this problem was solved and
this host had an ipv6 address also.