These instructions are for those who want to use their Bering-uClibc system not only as an IPv4 router/firewall but also as an IPv6 router/firewall. This document assumes that you already have some knowledge about Bering-uClibc.
A good start for more information on IPv6 is the Linux IPv6 HOWTO and Peter Bieringer's IPv6 & Linux - HowTo.
Depending on the other packages and modules that you have installed on your system, one floppy may offer you enough disk space to put it all together. Check the Bering user's guide section about "Booting Bering from different boot-media" for tips on e.g. a two-floppy setup or other solutions.
You can use your Bering-uClibc IPv6 router for stand-alone networks without additional requirements. However, if you want to connect to the Internet using IPv6 you need an IPv6 link to the Internet. Most of us currently don't have a native IPv6 connection to the Internet, but you can get access via an IPv6 tunnelbroker. In that case you establish an IPv4 tunnel with the tunnelbroker. The IPv6 traffic is sent through this tunnel from your network to the tunnelbroker and vice-versa. To set up this tunnel most tunnelbrokers require that you have a static IPv4 address assigned to you by your ISP.
Examples of tunnelbrokers are Freenet6, XS26, SixXS and Hurricane Electric.
Freenet6 uses the Tunnel Setup Protocol (TSP) to establish a tunnel between your IPv6 tunnel endpoint and their endpoint. A Bering-uClibc package with the TSP client is available. For more information check the chapter on freenet6.lrp.
In order to have IPv6 working, you need to have IPv6 support enabled through the appropriate kernel module: kernel/net/ipv6/ipv6.o. There are two ways to do this:
- Use the modules_ipv6.lrp package
- Manually add the module to your existing modules.lrp package
If you are starting with a fresh installation of Bering-uClibc, or if you haven't heavily modified the modules package of your system, this is probably the easiest approach. Rename modules_ipv6.lrp to modules.lrp and replace the original package with it. If you need more information on how to add/replace modules on your system, check the Bering-uClibc Installation Guide.
Now reboot your system.
The kernel module for IPv6 can be found in the kernel module tarball. This tarball can be downloaded from the Sourceforge FRS. Information on how to add a kernel module to your system can be found in the Bering-uClibc Installation Guide.
The size of this module is about 90 KB after compression in the package. Make sure that you have that much free space on the disk with the modules.lrp package.
To configure your module, go to the LEAF Packages configuration menu and choose modules. Enter 1) to edit the /etc/modules file and enter the following information:
    (...)
    # IPv6 support
    ipv6
    (...)
Backup the modules.lrp package and reboot your system.
After installing modules_ipv6.lrp or manually adding ipv6.o, you can check if the module works by giving the following command:
    Bering-uClibc -root- # ip addr
    1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
        inet6 ::1/128 scope host
    2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
        link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
        link/ether 00:40:95:1a:14:f4 brd ff:ff:ff:ff:ff:ff
        inet 10.0.0.120/24 brd 10.0.0.255 scope global eth0
        inet6 fe80::240:95ff:fe1a:14f4/10 scope link
    4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
        link/ether 00:40:95:1a:14:70 brd ff:ff:ff:ff:ff:ff
        inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
        inet6 fe80::240:95ff:fe1a:1470/10 scope link
    5: sit0@NONE: <NOARP> mtu 1480 qdisc noop
        link/sit 0.0.0.0 brd 0.0.0.0
Copy the following packages to one of your floppies:
- radvd.lrp
- ip6table.lrp
- 6wall.lrp
These packages are provided in the IPv6 drop-in tarball which can be downloaded from the Sourceforge FRS.
Detailed information on how to add packages to your system can be found in the Bering-uClibc Installation Guide.
Modify the lrpkg.cfg file to load the new packages.
    root,etc,local,modules,ppp,dnscache,weblet,iptables,shorwall,radvd,ip6table,6wall
If all worked well, you should have seen some IPv6 addresses (inet6) appear on your interfaces in the previous step. All these addresses have scope "link", which means that they are link-local addresses and can only be used on the network segment to which the interface is connected. But since you're working with a Bering-uClibc router, your network most likely consists not of one segment but of two or more.
If you want hosts on different segments to communicate with each other using IPv6, you need to assign these hosts either site-local or global addresses. Global addresses need to be assigned to you by an ISP, while site-local addresses are yours to use freely within your own network (like the RFC 1918 addresses for IPv4). Therefore, we'll start by using site-local addresses. If you have global addresses and don't want to use site-local addresses, you can skip this section and go directly to Step 6: Configure a 6to4 tunnel.
The prefixes used in this example are:
eth0 - fec0:1::/64
eth1 - fec0:2::/64
Invoke lrcfg and choose 1) Network configuration and then 1) Network Interfaces. In the interfaces file, add an IPv6 address for each of your interfaces that corresponds with the prefix for that interface.
    (...)
    iface eth0 inet6 static
        address fec0:1::1
        masklen 64
    iface eth1 inet6 static
        address fec0:2::1
        masklen 64
    (...)
Next, within lrcfg choose 2) Network options to edit the network options file. In this config file IPv6 forwarding can be enabled, which is nice for a router ;-).
    (...)
    ipv6_forward=yes
    (...)
The effect of this configuration item is that on start-up the command echo 1 > /proc/sys/net/ipv6/conf/all/forwarding is given.
Backup the etc.lrp package.
One of the features of IPv6 is the router advertisement mechanism. When a router advertises the network prefix to be used on a network segment, hosts on that segment can use the advertised prefix to automagically configure an IPv6 address. The router advertisement messages are also used by the hosts to configure the gateway address.
The radvd.lrp package contains a router advertisement daemon for Bering-uClibc. The configuration of the daemon is very straightforward. If in our example we want to use router advertisement on eth1, edit the /etc/radvd.conf file as follows:
    interface eth1
    {
        AdvSendAdvert on;
        prefix fec0:2::/64
        {
            AdvOnLink on;
            AdvAutonomous on;
        };
    };
Backup the radvd.lrp package and reboot the system.
Check the IP addresses and the routing table with the following commands:
    Bering-uClibc -root- # ip -6 addr
    1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
        inet6 ::1/128 scope host
    3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
        inet6 fec0:1::1/64 scope site
        inet6 fe80::240:95ff:fe1a:14f4/10 scope link
    4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
        inet6 fec0:2::1/64 scope site
        inet6 fe80::240:95ff:fe1a:1470/10 scope link
    Bering-uClibc -root- # ip -6 route
    fe80::/10 dev eth0  proto kernel  metric 256  mtu 1500 advmss 1440
    fe80::/10 dev eth1  proto kernel  metric 256  mtu 1500 advmss 1440
    fec0:1::/64 dev eth0  proto kernel  metric 256  mtu 1500 advmss 1440
    fec0:2::/64 dev eth1  proto kernel  metric 256  mtu 1500 advmss 1440
    ff00::/8 dev eth0  proto kernel  metric 256  mtu 1500 advmss 1440
    ff00::/8 dev eth1  proto kernel  metric 256  mtu 1500 advmss 1440
    unreachable default dev lo  metric -1  error -101
    Bering-uClibc -root- # cat /proc/sys/net/ipv6/conf/all/forwarding
    1
Now an IPv6-capable system (how to configure IPv6 on Win XP) in one segment of your network should be able to ping6 another IPv6 system in another segment connected to the router. Both should also be able to ping6 the router.
Ping6 is the IPv6 equivalent of ping and is provided by the initrd.lrp package.
In the most luxurious case you have a native IPv6 connection to the Internet. In that case you can follow Steps 4 and 5 and substitute your global addresses for the site-local addresses used there. If you're not that lucky, IPv6 access to the Internet can be achieved via a tunnelbroker (see Section - Prerequisites). You will get the necessary global addresses and prefix(es) from the tunnelbroker. This is what is described below.
When connecting via a tunnelbroker, an IPv6-to-IPv4 (6to4) tunnel is established between your gateway and the tunnelbroker. To set up this tunnel you need the following information (imaginary values are given for the example):
- IPv4 address for the tunnel end-point of the tunnelbroker - 202.143.23.6
- IPv6 address of the tunnelbroker - 3ffe:8280:0:2001::1
- IPv6 address assigned to you - 3ffe:8280:0:2001::2
- IPv6 prefix assigned to you (for use on your network) - 3ffe:8280:10:8560::/60
Edit /etc/network/interfaces as follows:
    (...)
    #
    # Definition of the IPv6-to-IPv4 tunnel interface
    #
    #auto tun6to4
    iface tun6to4 inet6 v4tunnel
        address 3ffe:8280:0:2001::2
        netmask 64
        gateway 3ffe:8280:0:2001::1
        endpoint 202.143.23.6
        ttl 254
    (...)
Backup the etc.lrp package.
At this stage the auto tun6to4 statement is commented out. This is because no IPv6 firewall is active yet, so the tunnel is best brought up only when necessary and brought down again as soon as possible. This can be done with the commands ifup tun6to4 and ifdown tun6to4.
The gateway statement in the tunnel definition causes a default route to be created. However, it turns out that this is not working (maybe a bug in Linux IPv6 support). To solve this problem a route to the global address space (2000::/3) is added explicitly.
You need to allow the 6to4 tunnel traffic from the Bering-uClibc Firewall to the tunnelbroker. This traffic uses IP protocol 41.
With Shorewall 1.4.3 and later you can add a 6to4 tunnel definition in the /etc/shorewall/tunnels file. In the examples below it is assumed that your firewall zone is called "fw" and the Internet zone "net".
    #TYPE   ZONE   GATEWAY         GATEWAY ZONE
    (...)
    6to4    net    202.143.23.6
    (...)
More information on Shorewall and 6to4 tunnels can be found in the Shorewall documentation.
For versions older than 1.4.3 you can add some rules in the /etc/shorewall/rules file.
    #ACTION   SOURCE              DEST                PROTO   DEST     SOURCE    ORIGINAL
    #                                                         PORT     PORT(S)   DEST
    (...)
    #
    # Accept 6to4 tunnel traffic from the firewall to tunnelbroker
    #
    ACCEPT    fw                  net:202.143.23.6    41
    ACCEPT    net:202.143.23.6    fw                  41
    (...)
Backup the shorwall.lrp package.
After restarting Shorewall, you should be able to ping6 or traceroute6 to IPv6 accessible hosts on the Internet. Some hosts that you could try are:
www.ipv6.surfnet.nl
www.linux-ipv6.org
www.kame.net
In the following it is assumed that your local network is connected to eth1 and that the connection to the internet (over which the 6to4 tunnel will be established) goes via eth0.
Based on the information from your tunnelbroker, select the /64 prefix to be used on the network segment connected to eth1. Then edit /etc/network/interfaces as follows:
    (...)
    iface eth1 inet6 static
        address fec0:2::1
        masklen 64
        up ip addr add 3ffe:8280:10:8560::1/64 dev eth1
    (...)
To define a second IPv6 address on an interface, don't use a second "iface" statement; that is not supported by ifupdown. Use an "up" statement within the existing iface stanza instead.
To advertise the selected global prefix as well as the site-local prefix from Step 4, edit the /etc/radvd.conf file as follows:
    interface eth1
    {
        AdvSendAdvert on;
        prefix fec0:2::/64
        {
            AdvOnLink on;
            AdvAutonomous on;
        };
        prefix 3ffe:8280:10:8560::/64
        {
            AdvOnLink on;
            AdvAutonomous on;
        };
    };
Backup the etc.lrp and the radvd.lrp packages.
After restarting the router advertisement daemon, any systems on your local network that support IPv6 autoconfiguration should get a global IPv6 address. If not, the system may need to be rebooted first.
When a system on the local network has configured a global IPv6 address, it should now also be able to ping6 and traceroute6 to the hosts mentioned in Step 7.
Keep in mind that at this moment there is still no IPv6 firewall active; that is done in the next step. Until then, anyone on the Internet has free access to all systems with global addresses on your local network. So only bring the 6to4 tunnel up while you are doing some tests, and bring it down again as soon as possible afterwards.
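The bring-up/bring-down discipline from the tunnel definition above and the warning just given, as an added example that is not part of the Bering-uClibc documentation: a small script that refuses to open tun6to4 unless an IPv6 packet filter is loaded, adds the explicit 2000::/3 route the document mentions if it is missing, pings the tunnelbroker end, and always closes the tunnel again. It uses the page's example addresses and assumes that 6wall, like Shorewall, sets the built-in ip6tables chain policies to DROP while running; the exact route command is an assumption too.

```shell
#!/bin/sh
# Added example, not part of the Bering-uClibc documentation: open the
# tun6to4 tunnel only for a test and always close it again, and refuse
# to open it while no IPv6 packet filter is loaded. Addresses are the
# page's example values. Assumption: 6wall, like Shorewall, sets the
# built-in ip6tables chain policies to DROP while it is running.
TUN=tun6to4
BROKER6=3ffe:8280:0:2001::1   # tunnelbroker's IPv6 end (page example)

# Return 0 when INPUT and FORWARD both have policy DROP in an
# "ip6tables -L -n" listing passed as $1 (passed as text so the check
# can be exercised against saved output).
ip6_filter_active() {
    printf '%s\n' "$1" | grep -q '^Chain INPUT (policy DROP)' &&
    printf '%s\n' "$1" | grep -q '^Chain FORWARD (policy DROP)'
}

# Return 0 when an "ip -6 route" listing ($1) already has the explicit
# 2000::/3 route over the tunnel; the doc notes the "gateway" line's
# default route does not take effect, so this route is needed.
has_global_route() {
    printf '%s\n' "$1" | grep -q "^2000::/3 dev $TUN"
}

# Test cycle to run on the router; the trap guarantees ifdown even when
# ping6 fails or the script is interrupted.
run_cycle() {
    if ! ip6_filter_active "$(ip6tables -L -n 2>/dev/null)"; then
        echo "no IPv6 filter loaded (is 6wall started?); not opening $TUN" >&2
        return 1
    fi
    trap 'ifdown "$TUN"; echo "$TUN is down"' EXIT INT TERM
    ifup "$TUN" || return 1
    # assumption: a plain device route suffices for the sit tunnel
    has_global_route "$(ip -6 route)" || ip -6 route add 2000::/3 dev "$TUN"
    ping6 -c 3 "$BROKER6"
}

# Act only when asked explicitly, so the file can be sourced for its checks.
if [ "${1:-}" = "--run" ]; then
    run_cycle
fi
```

Run it on the router as "sh tun6test.sh --run"; without the flag it only defines the two checks.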
6wall is for IPv6 what Shorewall is for IPv4.
6wall is an IPv6 firewall which is derived from Shorewall version 1.4, so if you're familiar with Shorewall you should have no problem configuring 6wall. The best way to start is to read up on Tom Eastep's excellent Shorewall documentation. After that, check the 6wall documentation where specific issues for 6wall are described.
When you're done reading, you can configure 6wall. Go to the packages menu and select 6wall. The following menu will appear:
    6wall configuration files
     1) Zones      Partition the network into Zones
     2) Ifaces     6wall Networking Interfaces
     3) Hosts      Define specific zones
     4) Policy     Firewall high-level policy
     5) Rules      Exceptions to policy
     6) Maclist    MAC verification
     7) Config     6wall Global Parameters
     8) Blacklist  Blacklisted hosts
     9) SiteLocal  Defines 'nositelocal' interface option
    10) Common     Common rules
    11) Init       Commands executed before [re]start
    12) Start      Commands executed after [re]start
    13) Stop       Commands executed before stop
    14) Stopped    Commands executed after stop
     q) quit
    ----------------------------------------------------------------------------
    Selection:
The configuration files that can be edited via the menu above are located in the /etc/6wall/ directory. Below is the default configuration of some of these files.
The zones for IPv6 are described in zones6:
    #ZONE   DISPLAY   COMMENTS
    net     Net       Internet
    loc     Local     Local networks
The interfaces for IPv6 are described in interfaces6:
    #ZONE   INTERFACE   OPTIONS
    net     tun6to4     nositelocal
    loc     eth1
The policies for IPv6 are described in policy6:
    #SOURCE   DEST   POLICY   LOG LEVEL
    loc       net    ACCEPT
    net       all    DROP     info
    all       all    DROP     info
The rules for IPv6 are described in rules6:
    #ACTION   SOURCE   DEST   PROTO    DEST           SOURCE    ORIGINAL
    #                                  PORT           PORT(S)   DEST
    #
    # Allow ping6 from the firewall
    #
    ACCEPT    fw       all    icmpv6   echo-request
    #
    # Allow ping6 from the local network to the firewall
    #
    ACCEPT    loc      fw     icmpv6   echo-request
This configuration should get you started and you can modify these or other configuration files to suit your needs.
Backup the modules.lrp, 6wall.lrp and etc.lrp packages.
Now reboot your system and enjoy safe surfing on the IPv6 Internet !!