Author Topic: HOWTO: IPv6 Tunneling (Did NOT work, first attempt, Zentyal 2.0)  (Read 10755 times)

tekoholic

  • Zen Monk
  • **
  • Posts: 64
  • Karma: +1/-0
    • View Profile
It's been a battle, but I've got a successful tunnel, persistent thru reboots, on eBox (1.3.15, but version should not matter).

My tunnel is a tunnelbroker.net /64 (I have 2x /48's, 2x /64's, but lets keep this simple!).  All IP info, of course, is obscured, and should be replaced by your own.  Also, $LAN will be used to denote internal iface, $WAN to denote external.  This is not complete, by any means.  Please, feel free to add / argue / contradict where appropriate, or just 'cause ya' don't like me!! ;D

My tunnel info:
Code: [Select]
Global Tunnel ID:  12345 Local Tunnel ID: 123
Tunnel Endpoints
Server IPv4 address: 123.456.789.2
Server IPv6 address: 2001:456:abc0:123::1/64
Client IPv4 address: 98.76.54.32
Client IPv6 address: 2001:456:abc0:123::2/64
Available DNS Resolvers
Anycasted IPv6 Caching Nameserver: 2001:470:20::2
Anycasted IPv4 Caching Nameserver: 74.82.42.42
Routed IPv6 Prefixes and rDNS Delegations
Routed /64: 2001:456:abc1:123::/64
And, here's their example config, for linux-route2:
Code: [Select]
modprobe ipv6
ip tunnel add he-ipv6 mode sit remote 123.456.789.2 local 98.76.54.32 ttl 255
ip link set he-ipv6 up
ip addr add 2001:456:abc0:123::2/64 dev he-ipv6
ip route add ::/0 dev he-ipv6
ip -f inet6 addr

Here's what I did, that worx (please note old and new.  Old way was flaky, as the firewall default DROP policy loads AFTER Network loads, and only permits NEW connections of allowed sort.  Thus, the tunnel being already connected, it is blocked, it seems, much of the time):

OLD WAY:
Code: [Select]
sudo vim /etc/ebox/hooks/network.postsetconfNEW WAY:
Code: [Select]
sudo vim /etc/ebox/hooks/firewall.postsetconfIn that file, I've entered
Code: [Select]
#!/bin/sh
###When I get it all figured out, the following commented lines will automatically update my tunnel endpoint address, when it changes:
#https://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=$IPV4ADDR&pass=$MD5PASS&user_id=$USERID&tunnel_id=$GTUNID
#$IPV4ADDR = The new IPv4 Endpoint (AUTO to use the requesting client's IP address)
#$MD5PASS = The MD5 Hash of your password
#$USERID = The UserID from the main page of the tunnelbroker (not your username)
#$GTUNID = The Global Tunnel ID from the tunnel_details page
ip tunnel add he-ipv6 mode sit remote 123.456.789.2 local 98.76.54.32 ttl 255
ip link set he-ipv6 up
ip addr add 2001:456:abc0:123::2/64 dev he-ipv6
ip route add ::/0 dev he-ipv6
ip -6 addr add 2001:456:abc1:123::1/64 dev $LAN
echo "nameserver 2001:470:20::2" >> /etc/resolv.conf
exit 0
Save and exit that file, then:
Code: [Select]
sudo chmod +x /etc/ebox/hooks/firewall.postsetconfAt this point, the next time you make any changes to your network settings, and save them, your tunnel will be created, and every time thereafter.

We're not quite done, tho.  The default firewall settings will not permit tunnelbroker.net to ping our $WAN ip, to verify it's validity, nor will it permit any traffic from the $WAN, over the tunnel.  I'm not sure quite what the correct way to define Protocol 41 for the firewall, so I've simply created rules from "External to eBox" permitting all ICMP from the IP on the IP-Update page (click your "Client IPv4 address:    98.76.54.32"), and ALL traffic from the Server Endpoint IP (Probably NOT the safest thing to do!!).

Voilla!  Next reboot (sorry for the profane language), or next edit/save of network settings, and your tunnel should be golden!  Now, for setting up the network behind it...  To begin with, here:
Code: [Select]
sudo vim /etc/sysctl.confLocate the line that reads
Code: [Select]
#net.ipv6.ip_forward=1, and UN-comment it (remove the #).

On server, as well, install radvd
Code: [Select]
sudo aptitude install radvd
Then,
Code: [Select]
sudo vim /etc/radvd.confand paste this in:
Code: [Select]
interface lan
{
   AdvSendAdvert on;
   MinRtrAdvInterval 3;
   MaxRtrAdvInterval 10;
   prefix 2001:456:abc1:123::/64
   {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr on;
   };
};

Now, eBox will provide IPv6 addresses, to the internal network, hopefully even the VPN clients...

Hope this might help someone out!!  Happy Hackin'!!

edit:  code-snippets don't respect formatting flags...  removed.
edit2:  Added edit to sysctl.conf, to permit forwarding

edit3:  Added radvd.conf, for those who might need it.
« Last Edit: November 25, 2010, 08:12:48 pm by tekoholic »
Zentyal 2.1.xx installed from CD, running on
P4 CPU 3.40GHz / 3GB DDR2/800 / 1x64GB SSD

My Zentyal Feature Wish-List:

IPv6 * LinuxMCE Integration * Blocklist Mgmt
x2go Module * Groups that actually MEAN SOMETHING
Roaming Profiles between Master and Slave Servers

jsalamero

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1419
  • Karma: +45/-1
    • View Profile
Re: HOWTO: IPv6 Tunneling
« Reply #1 on: January 27, 2010, 12:08:18 pm »
cool! that's the way to make custom changes persistent over ebox, using network hooks.

keep us updated with your ipv6 progress :)

Ariel Antigua

  • Zen Apprentice
  • *
  • Posts: 22
  • Karma: +0/-0
    • View Profile
    • ariel's weblog
Re: HOWTO: IPv6 Tunneling
« Reply #2 on: January 28, 2010, 03:57:42 am »
 Great... i`m starting the process of migration from m0n0wall (i used it as router) behind a pfsense (love the load balance feature...) to ebox to be able to shutdown a Windows Server 2003 and replace those boxes with one ebox, so the ebox must be able to do routing and no firewall at all.

 The main reason for the m0n0wall on my network is the ipv6 culpability, using this post i will try to start using ebox (i saw it since the first release but never used it...) so a can consolidate service on the network.

 btw... i look at the roadmap and dint find any entry about ipv6...

maybe i can replace the 3 machine with ebox....  :)

jsalamero

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1419
  • Karma: +45/-1
    • View Profile
Re: HOWTO: IPv6 Tunneling
« Reply #3 on: January 28, 2010, 01:19:28 pm »
Which IPv6 features would you need ? firewall and tunneling support too ?

tekoholic

  • Zen Monk
  • **
  • Posts: 64
  • Karma: +1/-0
    • View Profile
Re: HOWTO: IPv6 Tunneling
« Reply #4 on: January 28, 2010, 04:20:03 pm »
I would like to see IPv6 supported with all the same features that are available for IPv4, ie:  Firewall, Multi-WAN / Multi-Router, DHCP6, DNS with caching, Web-Proxy, etc...

Of course, in the interim, while we await wider adoption, transitional solutions such as tunneling are a near-must...

It'd be nice to see a page that would permit creation of a tunnel with one of the major providers, or even just links to their sites for creation, and then EZ setup, and once enabled, automatic enabling of the IPv6 counterparts of the current features enabled for v4.

This way, the transition is near-seamless, for the Admin and his Network users.  It's enabled when he chooses, and all other settings are migrated / added to the v6 side, automatically.

Sorry, just my 2 cents, but I see no need to have a separate feature-set for v6.  If it's enabled for one, it is a perfectly reasonable assumption that the Admin would want it enabled for the other, and individually customizable by his choice.
Zentyal 2.1.xx installed from CD, running on
P4 CPU 3.40GHz / 3GB DDR2/800 / 1x64GB SSD

My Zentyal Feature Wish-List:

IPv6 * LinuxMCE Integration * Blocklist Mgmt
x2go Module * Groups that actually MEAN SOMETHING
Roaming Profiles between Master and Slave Servers

Ariel Antigua

  • Zen Apprentice
  • *
  • Posts: 22
  • Karma: +0/-0
    • View Profile
    • ariel's weblog
Re: HOWTO: IPv6 Tunneling
« Reply #5 on: January 28, 2010, 04:39:33 pm »
 As an entry solution (adoption), tunneling is a must. at the moment my tunneling is made from a m0n0wall box, the option on this box for ipv6 are tunneling, ipv6 on each interface and firewalling.

 I think implementing this in ebox are the first step to take.   my 2.c..
« Last Edit: January 29, 2010, 10:24:58 pm by `ariel »

Saturn2888

  • Zen Hero
  • *****
  • Posts: 707
  • Karma: +1/-0
    • View Profile
Re: HOWTO: IPv6 Tunneling
« Reply #6 on: February 07, 2010, 03:53:53 pm »
I was using IPv6 tunneling for a while using wide and some other things. I got my eBox setup as an IPv6 device, but I could never get IPv6 DHCP to work so I ended up scrapping the idea. I'd really like to just mess around with Internet2 outside of w3m for once. It's a whole new world just waiting to be explored!

tekoholic

  • Zen Monk
  • **
  • Posts: 64
  • Karma: +1/-0
    • View Profile
Re: HOWTO: IPv6 Tunneling
« Reply #7 on: February 07, 2010, 08:19:07 pm »
I was using IPv6 tunneling for a while using wide and some other things. I got my eBox setup as an IPv6 device, but I could never get IPv6 DHCP to work so I ended up scrapping the idea. I'd really like to just mess around with Internet2 outside of w3m for once. It's a whole new world just waiting to be explored!

My own is based upon a VERY simple radvd.conf, from most of the howto's available, and of course, I've edited the OP for the necessary change to sysctl.conf, to permit forwarding.

It works well, and I'm satisfied with it's stability (I wasn't, initially), so I'll edit the OP with those details, as well.  I love having my entire network publicly addressable!!  Anyhow, I need to figure out how to protect it, before I do too much more...
Zentyal 2.1.xx installed from CD, running on
P4 CPU 3.40GHz / 3GB DDR2/800 / 1x64GB SSD

My Zentyal Feature Wish-List:

IPv6 * LinuxMCE Integration * Blocklist Mgmt
x2go Module * Groups that actually MEAN SOMETHING
Roaming Profiles between Master and Slave Servers

Svein Wisnaes

  • Zen Samurai
  • ****
  • Posts: 325
  • Karma: +5/-0
  • A Norwegian living in Brazil
    • View Profile
    • Oceanwatcher Media | Svein Wisnaes
Re: HOWTO: IPv6 Tunneling
« Reply #8 on: February 09, 2010, 06:46:13 am »
Which IPv6 features would you need ? firewall and tunneling support too ?

I added a feature request for this a while ago.

Firewall for IPv6 is crucial. I think we will see a lot of people implementing IPv6 in the beginning without giving any thought to protecting their network. Of course, it does not help unless you have the possibility to set up tunneling.

This is a golden opportunity for E-box to "get there first" and become the easy way to transition to IPv6. Why not take advantage of the fact that nobody is offering an easy way to do this today?
Regards,

Oceanwatcher
Do NOT use PM for support. This is a community forum and support is not on a one-on-one basis.
READ BEFORE POSTING - How to make a good post - click here

Saturn2888

  • Zen Hero
  • *****
  • Posts: 707
  • Karma: +1/-0
    • View Profile
Re: HOWTO: IPv6 Tunneling
« Reply #9 on: February 10, 2010, 09:26:02 am »
When I was setting up IPv6, I had it going through a NAT. I know it doesn't support that, but I was trying to set it up where I could have my router  be the main firewall to all the machines.

You are correct Oceanwater. Supporting IPv6 now is like taking the next necessary step. All of us in the world need to move over to it soon so we can start getting on with our IP-space. I can see a lot of people moving to IPv6 server-architecture if it's supported by something like eBox because it's basically install-'n-play by that point.

Svein Wisnaes

  • Zen Samurai
  • ****
  • Posts: 325
  • Karma: +5/-0
  • A Norwegian living in Brazil
    • View Profile
    • Oceanwatcher Media | Svein Wisnaes
Re: HOWTO: IPv6 Tunneling
« Reply #10 on: February 10, 2010, 04:10:11 pm »
My installation has been very smooth. Only hiccups are installing my laserprinter and getting the jabber server to work. I added a topic for the printer problem, but seems nobody is interested in checking it...

As soon as IPv6 is supported in E-box, I am going to switch over.

It would be nice to see E-box lead the way on this - and it would be a HUGE opportunity for business.

As I understand, E-box is trying to make money on support and training. I think IPv6 would make the demand for this go through the roof. It will also mean a fantastic boom for any partners they may have around the world as it will be the only manageable option for small businesses to move to IPv6.

I think the best way to do it would be to add an IPv6 section to all modules/menus that has an IPv4 part. And then add a new module that allow you to set up an IPv6 tunnel.

One example: In the DNS, you have to give the IP address when you add a host. There should just be two boxes - one saying IPv4 address: and one saying IPv6 address. If the rest of the interface was done the same way, there would be no need for making a totally new interface.
Regards,

Oceanwatcher
Do NOT use PM for support. This is a community forum and support is not on a one-on-one basis.
READ BEFORE POSTING - How to make a good post - click here

Gapppy

  • Zen Apprentice
  • *
  • Posts: 2
  • Karma: +0/-0
    • View Profile
Re: HOWTO: IPv6 Tunneling
« Reply #11 on: March 25, 2010, 01:48:18 am »
Help me add this lines in /etc/network/interfaces

auto sixxs

iface sixxs inet6 v4tunnel

  address [Your IPv6 Endpoint]

  netmask [Prefix Length]

  endpoint [PoP IPv4 Endpoint]

  ttl 64

  up ip link set mtu 1280 dev sixxs

  up ip route add default via [PoP IPv6 Endpoint] dev sixxs

and
eth1 inet6 static 
 address 2001:x:X:xX::2
 netmask /64

If add this lines by hand get deleted on next reboot. I know i must use hooks bt do not know how. So please help me. 

Need for tunnel from sixxs.net

thx Gasper


P.S. sorry on english  not my native language 

Tymanthius

  • Zen Apprentice
  • *
  • Posts: 25
  • Karma: +1/-0
    • View Profile
Re: HOWTO: IPv6 Tunneling (Did NOT work, first attempt, Zentyal 2.0)
« Reply #12 on: April 16, 2012, 09:43:39 pm »
I've used the set up procedure as outlined in the first post, adjusted for new directory structure on 2.2, and my server now has IPv6 connectivity out to the world thru a tunnelbroker.net account.

However, none of my machines on my network do.

My network currently looks like this:

Internet - Zentyal - dumbswitch - linksyswrt120n as wireless AP only - laptop
                                              - logitech revue google tv box

Neither the laptop nor the revue show having ipv6 in  use at ipv6test.google.net.  In addition, while the revue broweses the web fine, if I connect the laptop  (running Mint 12) by wire to the switch I have NO outside connectivity.  Very very strange that.

Thanks for any ideas/help.