2018.17.11 - Jeffrey Forman
I remember using he.net year ago for their IPv6 tunnels years ago, and have painful memories of configuring it, both on the router and to share to the subnets on my home LAN. Not this time. Years ago, I had Comcast Business Internet service, which along with providing a static IPv4 address, provided IPv6 connectivity. Not only just a single /128, but a whole /56 if you asked for it. After spending days/weeks configuring both dhcp client and servers for prefix delegation, and slaac/rtadvd to hand out addresses to my various LAN segments, I was in business. Flash forward to 2018, and I’m on a residential Verizon Fios connection, which provides a single dynamic IPv4 address, and no IPv6. Really, no IPv6 connectivity in 2018. Not here. Or here. Or here. Not here either. Your only option is to check out one of the IPv6 tunnel providers out there to wrap your IPv6 in IPv4 and go that direction.
Hurricane Electric (HE) is a popular one both in the US and abroad, and so I went that direction. Below is how I configured it. I run OpenBSD on my firewall/router, with one physical interface out to the Internet (em0), and a couple of physical interfaces (vlan10 is on em1) plus some VLANs which share an interface (vlan12,13,254 on em3). HE provides you with command line examples to run to set up your tunnel. I’ve taken those and stuffed them into /etc/hostname.gif0:
tunnel MYIPV4PUBLICIP 220.127.116.11 !ifconfig gif0 inet6 alias 2001:470:1f06:1c0::2 2001:abcd:88f8:1c0::1 prefixlen 128 !route -n add -inet6 default 2001:abcd:88f8:1c0::1
The only additions to my pf configuration I made were:
block in log inet6 pass out on $inet6tun_if inet6 pass in on $int_wired_if inet6 pass out on $int_wired_if inet6 pass in on $inet6tun_if inet6 proto tcp from any to ($inet6tun_if) port $ext_tcp_services flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
Block by default, pass out by default. Allow all IPv6 traffic from my wired VLAN (essentially just my desktop at this point, which surprised me.) The last piece of the puzzle is rtadvd (to be succeeded by rad in OpenBSD). This process provides router advertisements and network prefixes for clients on the L2 segment configured for autoconfiguration to connect out to the Internet.
And with that, from my desktop:
$ traceroute6 www.google.com traceroute to (2607:f8b0:4006:80f::2004) from 2001:470:88f8:10:8487:53c9:1b64:3146, 30 hops max, 24 byte packets 1 2001:abcd:88f8:1c0:10::1 (2001:abcd:88f8:1c0:10::1) 0.505 ms 0.58 ms 0.615 ms 2 tunnel490560.tunnel.tserv4.nyc4.ipv6.he.net (2001:470:1f06:1c0::1) 14.435 ms 15.029 ms 11.93 ms 3 ve422.core1.nyc4.he.net (2001:470:0:5d::1) 8.646 ms 8.588 ms 8.504 ms 4 core1-0-0-8.lga.net.google.com (2001:504:f::27) 8.512 ms 8.351 ms 8.051 ms 5 2001:4860:0:1125::1 (2001:4860:0:1125::1) 10.246 ms 10.246 ms 9.363 ms 6 2001:4860:0:1::1081 (2001:4860:0:1::1081) 8.792 ms 8.54 ms 8.97 ms 7 lga25s41-in-x04.1e100.net (2607:f8b0:4006:80f::2004) 8.251 ms 8.35 ms 9.452 ms
Gotchas: If you run the Iked VPN daemon iked(8), you will want to add the ‘-6’ flag to the daemon list of flags. This was a silent killer for many hours for me, as I saw traffic go through my OpenBSD router, and come back to the router, but never get passed back to my desktop. Nothing showed up in pf’s blocked packets, which was what had me so confused. Restarting iked with ‘-6’, cured all what ails me.
Next on the list:
- An IPv6-only VLAN. I want to see how hard it is taking IPv4 completely out of the mix locally.
- Graphs in Grafana of IPv4 vs IPv6 traffic to/from the Internet. (If only telegraf worked on OpenBSD). I’m curious how much of my traffic shifts as I move over each VLAN.
What I’d love to see: Fios providing IPv6 alongside IPv4 service, just like Comcast did, and does, for serveral years running. I’m not holding my breath though.