A while back I did some experimentation with IPv6 on my Cisco 2611xm. I was using a tunnel provided by Hurricane Electric, which worked well, but I had no firewall and that made me a bit nervous. A little while after I got things set up, I procured a Cisco ASA5505 with a 50 client license via eBay. My hope was that I could use the ASA for the firewall and the router to terminate the tunnel. As it turns out, this would have required a second IP address, because the ASA is not able to pass Protocol 41 traffic.
Time Warner’s reluctance to issue me a second IP address meant that I’d have to find another solution. SixXS is another tunnel broker which makes use of a protocol called AYIYA. AYIYA is capable of traversing NAT, so it would work well in my situation. Unfortunately it’s not supported by Cisco, so the 2611 was of no use to me anymore.
After some failed experiments and lost money with open source firmware and Linksys routers, I decided that a full Linux install would be the best route to go. I built a machine out of spare parts that I had lying around and installed Ubuntu 9.10 on it. Once I got everything up and running, I installed the SixXS client (AICCU) and started working on getting the tunnel up and running.
I hit another snag when I found out that the point of presence (the tunnel broker’s endpoint) was down. I jumped to freenet6 in the interest of keeping things moving. They provide a tunnel via TSP, which also traverses NAT. Their nearest POP is all the way over in Montreal, which means big latencies for someone in LA, but I was able to establish a tunnel, which I was satisfied with for the moment. Here’s my config for their client (gw6c):
userid=
passwd=
#server=broker.freenet6.net
# Always use Montreal POP
server=montreal.freenet6.net
auth_method=any
prefixlen=64
template=linux
if_tunnel_v6v4=freenet6
if_tunnel_v6udpv4=freenet6
# Assign the v6 address to eth0
if_prefix=eth0
keepalive=yes
keepalive_interval=10
host_type=router
Once I’d established my connection and saw what my v6 IP was going to be, I used a v6 subnet calculator to find out what my /64 networks would be and noted them down. I then entered the v6 address into /etc/network/interfaces so that I could add static routes as the interface came up:
# v6 Interface
auto eth0
iface eth0 inet6 static
    #address 169.254.1.2
    #netmask 255.255.0.0
    address 2001::1
    netmask 64
    up ip -6 route add 2001:0:0:1::/64 via 2001::2 dev eth0
You may notice the link-local v4 address that's been commented out above the v6 address. The reason it was there is that gw6c can't do its magic unless the interface specified is up, so until I had my v6 address I used this link-local address to bring eth0 up. 2001::2, the next hop in the route above, is my ASA, which has had its address manually configured. 2001:0:0:1::/64 is the network that I'm using for my LAN. I've got 254 more networks that I can make use of if I ever find a reason (2001:0:0:2::/64…2001:0:0:ff::/64).
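The subnet-calculator step and the static-route line above can be checked with a few lines of Python instead of by hand. This is an added example, not part of the original post or of the gw6c/ASA configuration; it assumes the post's addressing is a /56 carved into /64s (2001::/64 for the point-to-point link, 2001:0:0:1::/64 through 2001:0:0:ff::/64 for LANs), which is what the numbers in the text imply, and all addresses below are constructed from those values.

```python
import ipaddress

# Constructed values, reconstructed from the post's own addressing:
# one /56 carved into /64s, with the first /64 spent on the Linux<->ASA link.
SITE_PREFIX = ipaddress.IPv6Network("2001::/56")
TUNNEL_NET = ipaddress.IPv6Network("2001::/64")
LINUX_TUNNEL_IF = ipaddress.IPv6Interface("2001::1/64")   # eth0 on the Ubuntu box
ASA_OUTSIDE = ipaddress.IPv6Address("2001::2")            # ASA Vlan30 (v6tunnel)


def lan_subnets(site_prefix, tunnel_net, new_prefix=64):
    """All /64s inside the site allocation, minus the one used for the point-to-point link."""
    return [n for n in site_prefix.subnets(new_prefix=new_prefix) if n != tunnel_net]


def check_static_route(dest, via, iface, site_prefix):
    """Return a list of problems with 'ip -6 route add <dest> via <via> dev <iface>'.

    An empty list means the route is consistent: the next hop is on-link and is
    not our own address, and the destination sits inside our allocation without
    overlapping the link network itself (which would shadow the connected route).
    """
    dest = ipaddress.IPv6Network(dest)
    via = ipaddress.IPv6Address(via)
    problems = []
    if via not in iface.network:
        problems.append(f"next hop {via} is not on-link for {iface}")
    if via == iface.ip:
        problems.append("next hop is the local interface address")
    if not dest.subnet_of(site_prefix):
        problems.append(f"{dest} is outside the site allocation {site_prefix}")
    if dest.overlaps(iface.network):
        problems.append(f"{dest} overlaps the link network {iface.network}")
    return problems


def route_commands(networks, via, dev="eth0"):
    """Render the interfaces(5) 'up' lines that install one static route per LAN /64."""
    return [f"up ip -6 route add {n} via {via} dev {dev}" for n in networks]


if __name__ == "__main__":
    lans = lan_subnets(SITE_PREFIX, TUNNEL_NET)
    print(f"{len(lans)} LAN /64s available, first {lans[0]}, last {lans[-1]}")
    # The route from the post, checked against the link addressing
    print(check_static_route(lans[0], ASA_OUTSIDE, LINUX_TUNNEL_IF, SITE_PREFIX))
    # What the interfaces stanza would look like if a second LAN /64 were routed too
    for line in route_commands(lans[:2], ASA_OUTSIDE):
        print(line)
```

The route check is the part worth keeping around: a next hop that is not on-link, or a destination that overlaps the link's own /64, is exactly the kind of mistake that silently breaks forwarding between the Linux box and the ASA without any error from `ip route add`.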
Configuring the ASA was fairly simple. There’s an outside and an inside interface that need to be configured, then the default route needs to be set:
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ipv6 address 2001:0:0:1::1/64
!
interface Vlan30
 no forward interface Vlan20
 nameif v6tunnel
 security-level 0
 no ip address
 ipv6 address 2001::2/64
!
ipv6 route v6tunnel ::/0 2001::1
As far as I can tell, there’s really no reason I need to use a second VLAN for the v6 tunnel, so I’m going to eventually try moving it to the outside VLAN, but for now it’s working well, and I don’t need a DMZ at the moment.
Once I configured the ASA properly, it started sending router advertisements and all of the hosts on my LAN are picking up v6 addresses from it. The problem I'm left with is how to do DNS server discovery. Unfortunately there doesn't seem to be a good answer here. Microsoft seems to be fond of the idea of using DHCPv6, Apple wants to use well-known anycast addresses, and I honestly have no idea what's going on in the Linux world.