Difference between revisions of "Bering-uClibc 7.x - User Guide - IPv6 Networking - External Network Connections"

Latest revision as of 19:58, 11 June 2021

Native IPv6

Ethernet (e.g. Cable Modem or ISP-supplied ADSL Router)

If you are fortunate enough to be using Bering-uClibc as a router / firewall with an ISP who provides a native IPv6 connection, or you are using Bering-uClibc as a client (rather than a router) on an IPv6-enabled network then external IPv6 networking will work on Bering-uClibc Release 5.2 onwards. (A relatively recent version of dhcpcd is required to enable DHCPv6 support, and 5.2 will be the first release to incorporate a suitable version.)

By default, file /etc/dhcpcd.conf is set for IPv4-only DHCP behaviour and the configuration file entry ipv4only needs to be commented-out (for dual-stack IPv4 & IPv6) or replaced with ipv6only if DHCPv4 is not required.

Take care to configure Shorewall6 (assuming you are using it) to enable DHCP on the external interface, specifying dhcp in file /etc/shorewall6/interfaces.

There are a significant number of configurable options for DHCPv6 in file /etc/dhcpcd.conf, for example if you wish to configure RFC 3633 IPv6 address Prefix Delegation. See the dhcpcd documentation for further details.

PPPoE

Using IPv6 with a PPPoE connection requires a combination of multiple tools. With IPv4 the PPP Link Control Protocol (LCP) takes care of communicating the IPv4 address, the details of DNS servers etc. to the PPP client but the IPv6 Control Protocol (IPV6CP) described in RFC 2472 will only configure a Link-Local IPv6 address for the PPP client. An alternative mechanism (typically DHCPv6) needs to be used to communicate the other details so it is necessary to run a DHCPv6 client like dhcpcd or dibbler-client on the PPP link and to configure this for IPv6 only to stop it interfering with the IPv4 settings which are typically set using LCP. (It's then also necessary to use a further tool like dnsmasq or radvd to communicate Router Advertisement details to internal networks, if you are running an IPv6 router.)

PPP Configuration

The following assumes an already-working IPv4 PPPoE configuration. As long as your PPP provider supports IPv6 and IPV6CP, the minimal requirement is to switch on IPV6CP support in pppd by adding the following line to file /etc/ppp/options:

+ipv6

Without this you will get error messages like the following in file /var/log/ppp.log:

Unsupported protocol 'IPv6 Control Protocol' (0x8057) received

Unlike IPv4, bringing up an IPv6 PPP connection does not create a default route automatically. This can be done by creating a script which runs whenever an IPv6 PPP connection is established. Assuming that Package pppscrpt.lrp has been loaded, create a script called e.g. /etc/ppp/ipv6-up.d/10-defaultroute containing the following:

#!/bin/sh
/sbin/ip -6 route add default via ${PPP_REMOTE} dev ${PPP_IFACE}

and another called e.g. /etc/ppp/ipv6-down.d/90-defaultroute containing:

#!/bin/sh
/sbin/ip -6 route del default via ${PPP_REMOTE} dev ${PPP_IFACE}

which should ensure that default routes are created and removed automatically, as required.

DHCPCD Configuration

The following assumes that dhcpcd is not being used for other purposes (in particular not for IPv4) and that you want to grab a block of IPv6 addresses via Prefix Delegation to assign to other networks connected to a router.

Edit /etc/dhcpcd.conf to read something like the following:

# Turn off IPv4 support
ipv6only

# Generate an RFC 4361-compliant DHCP Unique IDentifier, or read it from /etc/dhcpcd.duid
duid

# Turn on Rapid Commit support
option rapid_commit

# Request details of DNS Servers
option domain_name_servers

# A ServerID is required by RFC2131
require dhcp_server_identifier

# We provide a hook script to lookup the hostname if not set by the DHCP
# server, but we should not run it by default
nohook hostname


# Only operate on the listed interfaces
allowinterfaces ppp0 eth1 eth2

# Turn off IPv6 Router Solicitation globally (so it can be turned back on selectively for individual interfaces)
noipv6rs

# Subsequent lines apply only to interface ppp0
interface ppp0
    # Turn IPv6 Router Solicitation back on for this interface
    ipv6rs

    # Request an address using DHCPv6 for interface ppp0, using iaid 1
    ia_na 1

    # Request a block of IPv6 addresses using DHCPv6 Prefix Delegation via ppp0 (using iaid 2) and
    # allocate a portion of the allocated address range to eth1 (which has sla_id 1) and another portion to eth2 (which has sla_id 2)
    ia_pd 2 eth1/1 eth2/2

IAID stands for Interface Association IDentifier and is a unique way to identify each Interface on a Host (in conjunction with the DUID). SLA_ID stands for Site-Level Aggregation IDentifier and is a unique way to identify each separate subnet at a site (in conjunction with the DUID).

By configuring Router Solicitation on ppp0, this should mean that Router Advertisement packets are requested and - once received - used to configure routing on the ppp0 interface. However there are differences of opinion about whether it is correct to send RA packets on a PPP link, so some ISPs don't, and hence it is best to configure a default route a described in the PPP section above.

It is of course necessary to start and stop dhcpcd when the PPP interface is brought up and taken down, which can be achieved using further scripts in the /etc/ppp/ipv6-up.d/ and /etc/ppp/ipv6-down.d/ directories.

DNSMASQ Configuration

The final link in the chain is to have a Router Advertisement daemon tell clients connected to the various internal networks about the allocated address ranges. Either dnsmasq or radvd can be used to do this. Assuming you already have dnsmasq running for other reasons (IPv4 DHCP, DNS etc.) that is normally the best choice.

Simply add lines like the following to /etc/dnsmasq.conf:

# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses from DHCPv4 leases
dhcp-range = ::1,constructor:eth1, ra-stateless, ra-names, 4h
dhcp-range = ::1,constructor:eth2, ra-stateless, ra-names, 4h

The "constructor" syntax means that dnsmasq looks at the addresses assigned to the specified interface (by dhcpcd) and advertises routing based on those.

Tunnel from IPv6 Tunnelbroker

SixXS

AICCU Package

If you use SixXS as your IPv6 tunnelbroker, you will probably want to install the aiccu.lrp Package, which provides AICCU, the Automatic IPv6 Connectivity Client Utility.

AICCU makes it easy for users to get IPv6 connectivity. After having requested an account, tunnel and optionally a subnet, AICCU can be used to automatically configure the tunnel. AICCU supports TIC (Tunnel Information & Control protocol), which it uses for retrieving the tunnel configuration information, AYIYA, which allows tunnels to be created even behind firewalls and NAT's.

The procedure to configure Bering-uClibc 7.x is as follows:

• Make sure you have the tun kernel Module loaded. Note that this relies on the crc32 kernel Module, which should be automatically loaded in most setups anyway.
• Configure Shorewall to accept the SixXS tunnel traffic. Add the following to /etc/shorewall/rules:

SixXS(ACCEPT)   fw      net

• Install the aiccu.lrp Package and configure it using lrcfg.
  • Specify your own username and password.
  • Specify the relevant protocol and server. For example:

protocol tic
server tic.sixxs.net

• Start the aiccu daemon:

svi aiccu start

• Check for error messages in /var/log/syslog
• If all is well, you should have a new network interface called "sixxs" which is effectively the IPv6 equivalent of your external IPv4 interface (e.g. eth0 or ppp0).
• In the event of problems you may find the "test" mode of the "aiccu" command useful for diagnosis.

Workaround for Fast-Changing Public IPv4 Addresses

Although AICCU supports tunnels via non-static IPv4 addresses, we have found that tunnels via DSL-providers (like T-DSL connections in Germany), that change the IP address in an 24-hour-interval, do not work reliably. A workaround is to add the script below, named as 0aiccu, to /etc/ppp/ip-up-d. It restarts aiccu after ppp has re-established the pppoe connection.

#!/bin/sh
if pidof aiccu
       then /etc/init.d/aiccu stop
fi
while  pidof aiccu ; do
  sleep 15;                                                                 
  pidof aiccu;
done
/etc/init.d/aiccu start

IPv6 DNS Servers

Most IPv4 DNS servers will happily serve out IPv6 "AAAA" address records, so normally it is adequate to use IPv4 for DNS even when using IPv6 for other protocols. However, in case some sites only provide full IPv6 DNS services over IPv6 it can be useful to include some IPv6 DNS servers, usually alongside IPv4 DNS servers.

SixXS provide a recursive DNS cache service over IPv6 as detailed on the SixXS website.

Note: As per the warning on the SixXS site, the AICCU utility needs to resolve the IPv4 address of tic.sixxs.net at startup, which will not be possible if your only DNS servers are only accessible via the AICCU tunnel (unless you have a static, public IPv4 address and a static tunnel).

There are three separate DNS cache servers, one for each continent:

• nscache.eu.sixxs.net - Europe
• nscache.us.sixxs.net - United States
• nscache.ap.sixxs.net - Asia Pacific

An entry for the IPv6 address(es) of the relevant local resolver (found using e.g. dig AAAA nscache.eu.sixxs.net can either be added directly to /etc/resolv.conf or, if you are using the dhcpcd Package, it can be added to /etc/resolv.conf.head so that it is included at the start of the automatically-generated /etc/dhcpc/resolv.conf which is then typically referenced by the dnsmasq Package as described on the dnsmasq page. An example of suitable contents for /etc/resolv.conf.head for a system located in Europe might be:

nameserver 2001:14b8:0:3401::6
nameserver 2001:7b8:3:4f:202:b3ff:fe46:bec

Since the Bering-uClibc 4.0 release, file /etc/resolv.conf.head is backed up automatically when the configuration is saved so this no longer needs to be added to the "local" Package.

Hurricane Electric

TODO