IPV6 And Freebox

From Gentoo Linux Wiki

Jump to: navigation, search
Please format this article according to the Style Guidelines and Wikification suggestions, then remove this notice {{Wikify}} from the article.

Reason(s):

Contents

[edit] Introduction

This page will help you configure IPv6 if your ISP is Free.fr, and your network configuration is: 

Freebox ---[eth1]- Linux Router -[eth0]----- LAN

In this guide, the LAN interface is eth0, the interface connected to the Freebox (WAN interface) is eth1.

Your IPv6 prefix is 2a01:e3x:xxxx:xxx0::/64 (in the early days, it used to be 2a01:5d8:xxxx:xxxx::/64) where xxxx:xxxx is your freebox's public ipv4 in hex notation.

NB: you actually get 2a01:e3x:xxxx:xxx0::/60, but the freebox router just advertises the /64.

[edit] Problem

Freebox delivers all IPv6 to your /64 packets locally on its LAN interface, so everything which is not on the same network segment does not receive IPv6 packets.

The idead behing this configuration is:

  • not to use bridging and BROUTE
  • let the clients autoconfigure themselves (however, the router needs configuration for every client; see "add proxy" below)

[edit] Interfaces configuration

First, you need to enable IPv6 routing :

sysctl -w net.ipv6.conf.all.forwarding=1

The Freebox side of your router, as Freebox's ipv6 is 2a01:e3x:xxxx:xxx0::1, the only choice is the size of the subnet.

ip -6 addr add 2a01:e3x:xxxx:xxx0::2/126 dev eth1

All other addresses goes to LAN side

ip -6 addr add 2a01:e3x:xxxx:xxx0:1::1/64 dev eth0

[edit] radvd configuration

Make the client on the LAN think they are on a classic /64

File: /etc/radvd.conf
interface eth0
{
       AdvSendAdvert on;
       prefix 2a01:e3x:xxxx:xxx0::/64
       {
               AdvOnLink on;
               AdvAutonomous on;
               AdvRouterAddr on;
       };
};

[edit] Proxy NDP

Kernel 2.6.19 required

sysctl -w net.ipv6.conf.all.proxy_ndp=1

or add in /etc/sysctl.conf:

net.ipv6.conf.all.proxy_ndp = 1

I'm not sure if it is necessary, but i got strange things sometimes without promiscuous mode

ip link set eth1 promisc on

You must run this command for each host on the lan to allow the router to pick up packets on the WAN interface for each host

ip -6 neigh add proxy <client's global IPv6 address> dev eth1

This will allow you to ping your freebox from your LAN

ip -6 neigh add proxy 2a01:e3x:xxxx:xxx0::1 dev eth0

[edit] Security

Now, every host in your network with IPv6 address can be reached from the Internet !

So use ip6tables. Here is a BASIC security for your hosts ! 

ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -i eth0 -s 2a01:e3x:xxxx:xxx0::/64 -j ACCEPT
ip6tables -A FORWARD -j DROP

And don't forget to protect your linux box with the INPUT chain.

[edit] Tips

If your OS uses temporary IPv6, it probably won't work, because you need to add these IP to the NDP proxy every time they change.

However, this can be modified in Windows XP (and maybe Vista, someone confirms ?) by runnig in a cmd :

netsh interface ipv6 set privacy state=disabled


[edit] Contact

You can use any IRC client to join #ipv6 on irc.freenode.net for help. Once your IPv6 connection is working, you can make first use of your new connectivity by connecting to freenode using irc.ipv6.freenode.net

[edit] Links

IPV6 and Freebox using broute may be more convenient for people who do not know in advance the ip addresses used on the LAN.

Another newer guide (fr) using ndp, allowing more than 1 lan network, but without /64 subnet is available link here

Retrieved from "http://en.gentoo-wiki.com/wiki/IPV6_And_Freebox"
Personal tools