
Adding IPv6 to B3, got it to almost work

eramoli
Posts: 67
Joined: 15 Oct 2010, 13:06
Location: Sundbyberg, Sweden

Adding IPv6 to B3, got it to almost work

Post by eramoli »

Hi,

I added IPv6 support to my B3, the problem is that it only worked after the install. When I re-booted the computer (was forced to move the power plug) it did not come up again.

I used https://www.sixxs.net/ as an IPv6 provider and followed the instructions on http://madduck.net/docs/ipv6/.

In the instructions I did not understand the following section
At this moment, I suggest that you add pre-up headers to the iface stanzas of all interfaces to be sure:
pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra_defrtr
pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra_pinfo
pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra_rtr_pref
So I just skipped it, it worked as long as I did not reboot the B3. Regardless if this is the reason for the IPv6 to work after the reboot or not I would like to know how I am supposed to do what is described in the text.

I am quite a newcomer to Debian and Linux and unfortunately the instruction site assumes that the person reading the site knows more than I do.

Best Regards,
Morgan
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: Adding IPv6 to B3, got it to almost work

Post by Ubi »

These pre-up commands write a number to a /proc/ file, which really isn't a file but a socket. So whatever you echo to it will be lost upon reboot, and these commands must be entered into a startup script.

What these commands do is documented here: http://www.mjmwired.net/kernel/Document ... sysctl.txt. Your echo command basically sets a switch. Only thing to change is to alter $IFACE to the interface you are configuring, or better, to first set an IFACE=<name of your interface> prior to these commands. Then just run these commands from a script or from the shell.
eramoli
Posts: 67
Joined: 15 Oct 2010, 13:06
Location: Sundbyberg, Sweden

Re: Adding IPv6 to B3, got it to almost work

Post by eramoli »

Hi and thanks Ubi,

My understanding is however that pre-up is not a normal shell command, or am I missing a package?

In the interfaces file /etc/network/interfaces there are however rows starting with pre-up.

Code:

pre-up ip6tables-restore < /etc/network/ip6tables

Should I place these rows in this file under the "iface sixxs inet6 v4tunnel" block or should they be placed in another file?

In this file there is also a row with the following content

Code:

up ip link set mtu 1280 dev $IFACE

Does that mean that I do not have to change the $IFACE into a value if placed under the "iface sixxs inet6 v4tunnel" block or is it a special case?

Best Regards,
Morgan
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: Adding IPv6 to B3, got it to almost work

Post by Ubi »

Ah yes, I wasn't thinking properly. I've reread your recipe a few times now.
Should I place these rows in this file under the "iface sixxs inet6 v4tunnel" block
Yes, I think you should do exactly this.
Should I place these rows in this file under the "iface sixxs inet6 v4tunnel"
It does certainly appear so. Although the recipe states you should add these configs to all the interfaces, not just the tunnel. I would start with just the tunnel and see if that throws any errors at you.
Does that mean that I do not have to change the $IFACE into a value if placed under the "iface sixxs inet6 v4tunnel" block
Again, I would say yes.


Your proposed solutions seem accurate. Have a go with it and see if it works. The logs will tell you if they do not like it. Or the whole network stack drops, but you make backups of the config files and you have a USB boot stick handy, right? :)
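
A check for the five settings discussed above, added here as an example and not part of any poster's message: it reads the same /proc entries the pre-up lines write and lists any that are not 0 for the named interfaces. ifupdown sets $IFACE itself when it runs the pre-up lines of a stanza; the function name and the SYSCTL_ROOT override are assumptions of this example.

```shell
#!/bin/sh
# Added example: report router-advertisement settings that are still enabled.
# SYSCTL_ROOT is an assumption of this example so the check can be pointed at
# a test directory; on a live system it defaults to the real /proc tree.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys/net/ipv6/conf}"

# The five keys written by the pre-up lines quoted in the thread.
RA_KEYS="autoconf accept_ra accept_ra_defrtr accept_ra_pinfo accept_ra_rtr_pref"

# check_ra_off IFACE...
# Prints one line per key that is missing or not 0.
# Returns 0 when every key on every interface is 0, 1 otherwise.
check_ra_off() {
    status=0
    for iface in "$@"; do
        for key in $RA_KEYS; do
            f="$SYSCTL_ROOT/$iface/$key"
            if [ ! -r "$f" ]; then
                echo "MISSING $iface/$key"
                status=1
                continue
            fi
            val=$(cat "$f")
            if [ "$val" != "0" ]; then
                echo "ENABLED $iface/$key=$val"
                status=1
            fi
        done
    done
    return "$status"
}

# Stand-alone use after a reboot: sh check_ra.sh sixxs eth0
if [ "$#" -gt 0 ]; then
    check_ra_off "$@"
fi
```
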
wayfarer
Posts: 5
Joined: 14 May 2011, 02:29

Re: Adding IPv6 to B3, got it to almost work

Post by wayfarer »

So I can share how I have set up my B3 to restart a SIXXS tunnel, get the firewall up before v6 comes up, get routing to work and use Router Advertisement on your LAN side to give v6 to your LAN.

So before doing this you need to have the following information.

Your SIXXS username and password
Your SIXXS Tunnel ID: TYYYYYY

If you are going to enable v6 on your LAN you also need a Prefix that is related to the tunnel. This will be a prefix of the form 2001:16d8:xxxx/48.

So first start with installing the packages you need. You will need "aiccu" for the tunnel and "radvd" for the router advertisements.

Code:

apt-get update
apt-get install aiccu radvd
Input your user details for aiccu upon request. Note that radvd will fail at this stage as we need to insert a bit of configuration first.

Now that you have the software packages installed and AICCU configured, we take the next steps to ensure that things will be configured on restart and also when interfaces go up and down.

IPv6 firewall configuration:
Create an IPv6 configuration file and place it in /etc/network/ip6tables.conf
I have a very basic one which is based on madduck's but I also added rules to allow receiving HTTP requests over v6. I take no responsibility for how safe this is. When it comes to iptables I am still a relative newbie.

Code:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:in-new - [0:0]

### INPUT chain

# allow all loopback traffic
-A INPUT -i lo -j ACCEPT

# RT0 processing is disabled since 2.6.20.9
#-A INPUT -m rt --rt-type 0 -j REJECT

# allow all ICMP traffic
-A INPUT -p icmpv6 -j ACCEPT

# packets belonging to an established connection or related to one can pass
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# packets that are out-of-sequence are silently dropped
-A INPUT -m state --state INVALID -j DROP
# new connections unknown to the kernel are handled in a separate chain
-A INPUT -m state --state NEW -j in-new

# pass SYN packets for SSH
-A in-new -p tcp -m tcp --dport 22 --syn -j ACCEPT

# allow in HTTP request
-A INPUT -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m tcp -p tcp --dport 443 -j ACCEPT

# log and reject everything else
-A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[INPUT6]: "
-A INPUT -j REJECT

### OUTPUT chain

# RT0 processing is disabled since 2.6.20.9
#-A OUTPUT -m rt --rt-type 0 -j REJECT

# allow outgoing traffic, explicitly (despite chain policy)
-A OUTPUT -j ACCEPT

### FORWARD chain

# RT0 processing is disabled since 2.6.20.9
#-A FORWARD -m rt --rt-type 0 -j REJECT

# allow all forwarded traffic, explicitly (despite the DROP chain policy);
# this includes new inbound connections from the tunnel to hosts on the LAN
-A FORWARD -j ACCEPT

COMMIT

I have chosen to make the enabling of v6 happen as the interface the tunnel uses becomes available. Thus I modify my /etc/network/interfaces file. In the stanza for eth0, which at least on my machine is the WAN interface and uses DHCP to get its external IP address, I add the following:

Code:

         pre-up ip6tables-restore < /etc/network/ip6tables.conf
         up aiccu start
         down aiccu stop

So what this does is that as eth0 is about to come up the ip6tables configuration will be loaded. When the interface is up aiccu is started. There is little point in bringing aiccu up prior to eth0 being up as this is the interface it tunnels over. If the interface goes down, I also bring down aiccu.

If you are connected to the B3 over the LAN interface you can in fact now do the following, but if you are connected over eth0 the first command will disconnect you from the B3 (this might happen if you use DNS names for the external side, rather than your IPv4 gateway address, to connect to it):

Code:

ifdown eth0
ifup eth0
ifconfig

The last command should now display that you have an interface called SIXXS which has an IPv6 address. To check that your ip6tables rules have loaded successfully do "ip6tables --list"
You should also be able to do "ping6 ipv6.google.com" and get responses.

If your goal was to get IPv6 only to the b3 then you can stop here.

If you want to enable IPv6 to your LAN also you need to continue.
So let's start with configuring your RADVD daemon. That is done by modifying your /etc/radvd.conf file.
The interface the RAs are going to be sent out on is your LAN interface, i.e. eth1 unless you have done something to your setup.

Code:

interface eth1
{
  AdvSendAdvert on;
  prefix 2001:16d8:xxxx::1/64
  {
  };
};

So the above tells RADVD to announce on eth1 an IPv6 64 bit prefix which is 2001:16d8:xxxx:0000 to your LAN side. As you get a /48 prefix from SIXXS you can in fact select any of the 65536 prefixes you have been provisioned with. But this uses all 0 in bits 49-64 of the prefix.

Then we need to configure eth1 to actually know about the addresses used on the interface. We also need to ensure that IPv6 forwarding really is enabled. Thus we add an IPv6 stanza for the eth1 interface in the /etc/network/interfaces file

Code:

iface eth1 inet6 static
	address 2001:16d8:xxxx::1
	netmask 64
	pre-up echo 1 >/proc/sys/net/ipv6/conf/all/forwarding

So the address part configures the interface with the ::1 address of the prefix. Then we also tell the interface that the prefix is in fact the top 64 bits of the address.

The pre-up ensures that prior to bringing up this IPv6 interface we have enabled IPv6 forwarding.

NOTE: You must change the xxxx in the prefixes to the prefix you got from SIXXS. Please verify that the whole initial part of the prefix also matches; I have assumed in this that you will get a v6 prefix from the same /32 as I have.

You can't do ifdown eth1 followed by an ifup eth1 if you are in fact doing the configuration of the B3 over that interface, which is likely if you use it as a home router. You will in fact have to restart the machine to verify that this worked, "shutdown -r now". But before doing this please ensure that you don't have any valuable data on the B3 that you don't have additional copies of. This is because if you screw something up, in the worst case your network interfaces will not come up, not even for v4, thus preventing you from accessing the machine.

Log into the b3 again and verify:
  * That you have v6 addresses assigned to the eth1 interface
  * That the SIXXS interface has come up
  * That your ip6tables rules have loaded
  * That you can ping6 ipv6.google.com
  * From a computer on the LAN that it has gotten an IPv6 address
  * From a computer on the LAN that you can ping6 ipv6.google.com
If that all works you are done.

If there are some issues with this description please comment.
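
Added example, not part of wayfarer's post: the ruleset above ends its FORWARD chain with an unconditional ACCEPT, so once radvd hands out global addresses every LAN host is reachable from the tunnel without filtering. The script below flags such rules in an ip6tables-restore file and prints a stateful FORWARD section that could replace them; the function names are hypothetical, and eth1 and sixxs are the interface names used in the thread.

```shell
#!/bin/sh
# Added example: audit the FORWARD chain of an ip6tables-restore file.

# unconditional_forward_accepts FILE
# Prints "LINE: RULE" for every FORWARD rule that accepts all packets.
# Returns 0 if at least one such rule exists, 1 if none.
unconditional_forward_accepts() {
    awk '
        /^[ \t]*#/ { next }                      # ignore commented-out rules
        $1 == "-A" && $2 == "FORWARD" {
            # Exactly "-A FORWARD -j ACCEPT": no interface, state or port match
            if (NF == 4 && $3 == "-j" && $4 == "ACCEPT") {
                print NR ": " $0
                found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# stateful_forward_rules LAN_IF TUNNEL_IF
# Prints FORWARD rules that let the LAN open connections through the tunnel
# and admit only replies and ICMPv6 in the other direction. Accepting all
# ICMPv6 mirrors the INPUT chain of the ruleset in the post.
stateful_forward_rules() {
    lan=$1
    tun=$2
    cat <<EOF
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p icmpv6 -j ACCEPT
-A FORWARD -i $lan -o $tun -m state --state NEW -j ACCEPT
-A FORWARD -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[FORWARD6]: "
-A FORWARD -j REJECT
EOF
}

# Stand-alone use: sh audit_forward.sh /etc/network/ip6tables.conf
if [ "$#" -gt 0 ]; then
    unconditional_forward_accepts "$1"
fi
```

To try the replacement rules, substitute the output of `stateful_forward_rules eth1 sixxs` for the `-A FORWARD -j ACCEPT` line and reload the file with ip6tables-restore.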