IPv6 router on Linux

Setting up Linux as an IPv6 router is really easy. Even if your ISP doesn’t do IPv6 yet (like mine), there’s no reason not to get an IPv6 tunnel from Tunnelbroker.net and be IPv6-ready within minutes.

  1. Do a basic install of your favorite Linux distribution.
    Since my server runs Xen, I just did xen-create-image --ip=192.168.200.5 --netmask=255.255.255.0 --gateway=192.168.200.1 --nameserver=192.168.200.23 --mirror=http://ftp.de.debian.org/debian/ --passwd --hostname=router-ipv6 --dist=squeeze --arch=i386 --size=4G --swap=1G --dir=/data/vms/router-ipv6 --memory=64M --role=udev --pygrub and ran ln -s /etc/xen/router-ipv6.cfg /etc/xen/auto to have it automatically start upon reboot. To start the VM, do xm create router-ipv6.cfg
  2. SSH into the virtual machine and configure the LAN and the WAN interface. Since I’m using a tunnel, my WAN interface is a 6in4 interface (on Tunnelbroker.net the tunnel’s ::1 address is their end, ::2 is yours, and the routed /64 they assign you is a separate prefix, which is what eth0 gets below). If you’re using a physical WAN interface you’ll need to edit the Xen VM config file manually to add that interface to the VM. So we’re adding the following lines to /etc/network/interfaces:
    iface eth0 inet6 static
        address 2001:470:xxxb:xxxx::1
        netmask 64

    auto 6in4
    iface 6in4 inet6 v4tunnel
        address 2001:470:xxxa:xxxx::2
        netmask 64
        endpoint 216.66.80.30
        gateway 2001:470:xxxa:xxxx::1
        up ip route add ::/0 dev 6in4

  3. Next, edit /etc/sysctl.conf and enable net.ipv6.conf.all.forwarding=1 by removing the comment sign from the beginning of the line; sysctl -p applies it without a reboot. Note that a Linux host with forwarding enabled stops accepting router advertisements itself (unless accept_ra is set to 2 on the interface), so the router’s own default route has to be configured statically, which is what the tunnel stanza above does.
  4. apt-get install radvd and then edit /etc/radvd.conf to look like this (note the closing brace of the interface block; radvd refuses to start without it):
    interface eth0
    {
        AdvSendAdvert on;
        AdvLinkMTU 1280;
        prefix 2001:470:xxxb:xxxx::/64
        {
            AdvOnLink on;
            AdvAutonomous on;
        };
        RDNSS 2001:470:xxxb:xxxx:yyyy:yyyy:yyyy:yyyy
        {
        };
    };

    Most of this is pretty self-explanatory: the prefix line carries the /64 your clients will configure themselves in (the network, i.e. the routed /64 you put on eth0 with the host bits zeroed, not the router’s own address), and the other options just enable router advertisements. AdvLinkMTU 1280 is the IPv6 minimum MTU and therefore always fits through the tunnel. The RDNSS line needs to point to the IPv6 address of your local DNS forwarder. That machine will get one automatically after you finish step 6, but make sure you use its stable, MAC-derived address and not a temporary privacy address, otherwise the resolver address you advertise will change under you.
  5. Next, you’ll probably want to configure the firewall so that your computers can’t be accessed from outside (remember, with IPv6 every device gets a publicly routable address). apt-get install shorewall6 and then edit the following files to configure it:
    In /etc/default/shorewall6: startup=1 (enables the firewall) and wait_interface="6in4" (your WAN interface; shorewall6 waits for it to come up before starting)
    In /etc/shorewall6/zones: Add the lines fw firewall, net ipv6 and loc ipv6
    In /etc/shorewall6/interfaces: Add the lines net 6in4 detect and loc eth0 detect
    In /etc/shorewall6/policy: Add the lines net all REJECT notice, loc all ACCEPT, fw all ACCEPT and all all REJECT notice
    In /etc/shorewall6/rules: Configure the firewall rules to your liking (the column order is ACTION SOURCE DEST). I added Ping(ACCEPT) all all to allow incoming pings (I don’t believe in this security-by-obscurity stuff). I also added ACCEPT all loc:2001:470:xxxb:xxxx:zzzz:zzzz:zzzz:zzzz because that machine has its own IPv6-configured firewall. Whatever else you add, don’t filter ICMPv6 wholesale: neighbour discovery and Packet Too Big are required for IPv6 to work at all, and with a 1280-byte tunnel MTU, path MTU discovery depends on the latter getting through.
  6. Reboot the VM.
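The two values people most often get wrong in step 4 are the prefix line (it must be the /64 network, not the router’s address) and the RDNSS address. The following is an added example, not code from the original post: it derives the on-link prefix from the router’s LAN address with Python’s ipaddress module, lints the values (a /64, no deprecated fec0::/10 resolver, MTU not below the IPv6 minimum) and renders a radvd.conf fragment with every block closed. All addresses are constructed documentation values from 2001:db8::/32.

```python
# Added example (not from the original post): derive the radvd prefix from the
# router's LAN address and sanity-check the values before writing /etc/radvd.conf.
# Addresses used here are constructed documentation values (2001:db8::/32).
import ipaddress


def lan_prefix(router_addr: str, plen: int = 64) -> ipaddress.IPv6Network:
    """On-link prefix for the router's LAN address, host bits masked off.

    radvd advertises a prefix, so 2001:db8:1:2::1 becomes 2001:db8:1:2::/64.
    """
    return ipaddress.IPv6Network(f"{router_addr}/{plen}", strict=False)


def lint(router_addr: str, rdnss: str, mtu: int = 1280, plen: int = 64) -> list:
    """Return a list of problems with the advertised values (empty means OK)."""
    problems = []
    net = lan_prefix(router_addr, plen)
    if net.prefixlen != 64:
        problems.append("SLAAC needs a /64: clients append a 64-bit interface id")
    base = net.network_address
    if base.is_link_local or base.is_site_local or base.is_multicast or base.is_loopback:
        problems.append(f"{net} is not a routable unicast prefix")
    dns = ipaddress.IPv6Address(rdnss)
    if dns.is_site_local:
        problems.append(f"RDNSS {dns} is in fec0::/10, deprecated by RFC 3879")
    if dns.is_multicast or dns.is_loopback or dns.is_unspecified:
        problems.append(f"RDNSS {dns} is not a unicast address")
    if mtu < 1280:
        problems.append(f"AdvLinkMTU {mtu} is below the IPv6 minimum of 1280")
    return problems


def render_radvd(iface: str, router_addr: str, rdnss: str, mtu: int = 1280) -> str:
    """radvd.conf fragment for one interface; refuses to emit values lint rejects."""
    problems = lint(router_addr, rdnss, mtu)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        f"interface {iface}",
        "{",
        "    AdvSendAdvert on;",
        f"    AdvLinkMTU {mtu};",
        f"    prefix {lan_prefix(router_addr)}",
        "    {",
        "        AdvOnLink on;",
        "        AdvAutonomous on;",
        "    };",
        f"    RDNSS {ipaddress.IPv6Address(rdnss)}",
        "    {",
        "    };",
        "};",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: router at ::1 of the LAN /64, forwarder at ::53.
    print(render_radvd("eth0", "2001:db8:1:2::1", "2001:db8:1:2::53"))
```

Run it with your real router address and forwarder address substituted; the ValueError from render_radvd tells you exactly which value radvd would have accepted but clients would have struggled with.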

All your IPv6-ready clients should start picking up addresses automatically. Linux, Mac OS X and iPhones do as expected and derive the host part of the address from the MAC address (the modified EUI-64 scheme, which also means the MAC can be read straight out of the address). Windows 7 does the same, but additionally generates a random address which it uses by default for all outgoing connections, for privacy reasons (RFC 4941 privacy extensions). On Windows XP, you need to manually add IPv6 to the network protocols in the network connection properties, after which it’ll behave similarly to Windows 7.
The DNS server announced by radvd (the RDNSS option) however only gets picked up by the iPhone. Mac OS X only supports manually-configured IPv6 DNS servers as far as I can tell. Windows automatically configures fec0:0:0:ffff::1, fec0:0:0:ffff::2 and fec0:0:0:ffff::3 as its DNS servers; you could add one of these addresses to your DNS server (and another address in the fec0:0:0:ffff::/64 range to your IPv6 router VM’s LAN interface so that clients actually have a route to it), but unfortunately the site-local prefix fec0::/10 has been deprecated (RFC 3879) for more than half a decade and should no longer be used. What Windows does support for learning a resolver over IPv6 is stateless DHCPv6, i.e. AdvOtherConfigFlag on in radvd plus a DHCPv6 server that hands out only the DNS options. But fear not, it’s perfectly fine to talk to your DNS server over IPv4: it will still resolve AAAA (the IPv6 counterpart of A) queries without issues. And I expect IPv4 to stay around for at least another decade, so you’re not likely to run into trouble for a long time.
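To make the address behaviour described above concrete, here is an added example (not code from the original post) that builds a client’s SLAAC address from the advertised /64 and its MAC the way Linux, Mac OS X and the iPhone do (modified EUI-64), shows how easily the MAC is recovered from such an address, generates an RFC 4941-style temporary address of the kind Windows 7 prefers for outgoing connections, and checks whether an address falls in the deprecated fec0::/10 range that Windows uses for its fallback resolvers. The prefix and MAC are constructed sample values.

```python
# Added example (not from the original post): SLAAC address construction,
# MAC recovery from an EUI-64 address, RFC 4941 temporary addresses, and the
# deprecated site-local check.  Prefix and MAC below are constructed samples.
import ipaddress
import os
from typing import Callable, Optional


def modified_eui64(mac: str) -> bytes:
    """64-bit interface identifier from a 48-bit MAC (RFC 4291 appendix A):
    insert ff:fe in the middle and flip the universal/local bit (0x02 of octet 0)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def _with_iid(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Join an advertised /64 with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("SLAAC needs a /64 prefix and a 64-bit interface id")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The stable, MAC-derived address a client configures from the RA."""
    return _with_iid(prefix, modified_eui64(mac))


def temporary_address(prefix: str,
                      rng: Callable[[int], bytes] = os.urandom) -> ipaddress.IPv6Address:
    """RFC 4941 style temporary address: random interface id with the
    universal/local bit cleared, so it does not claim to be MAC-derived."""
    iid = bytearray(rng(8))
    iid[0] &= 0xFD
    return _with_iid(prefix, bytes(iid))


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 style address (the ff:fe marker is the
    tell); None if the interface id does not look MAC-derived.  This is a
    heuristic: a random id has a 1 in 65536 chance of carrying the marker."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)


def is_deprecated_site_local(addr: str) -> bool:
    """True for fec0::/10, deprecated by RFC 3879 (Windows' fallback DNS addresses)."""
    return ipaddress.IPv6Address(addr).is_site_local


if __name__ == "__main__":
    prefix, mac = "2001:db8:1:2::/64", "00:16:3e:12:34:56"   # constructed sample values
    stable = slaac_address(prefix, mac)
    print("stable   :", stable, "-> MAC", mac_from_address(str(stable)))
    temp = temporary_address(prefix)
    print("temporary:", temp, "-> MAC", mac_from_address(str(temp)))
    print("fec0:0:0:ffff::1 site-local:", is_deprecated_site_local("fec0:0:0:ffff::1"))
```

The stable address is the one to put in radvd’s RDNSS line for your forwarder, and the reason it is a poor choice for a client that cares about being tracked is exactly what mac_from_address shows: anyone who sees the address knows the hardware address behind it.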
