Having recently watched a couple of talks centered around the current state of IPv4 address space exhaustion I decided to look into setting up an IPv6 tunnel to my home network as my ISP does not seem to offer native IPv6 yet. I checked out a few of the free tunnel brokers available and settled on Hurricane Electric. As someone who knew nothing about IPv6 I found HE’s website to be a helpful resource. Another resource I found helpful was The Second Internet which is a freely available ebook. I also referred to the Linux IPv6 HOWTO. I enabled IPv6 in a couple of steps:
Extras (e.g. Certification Tests and Enable Google IPv6 services)
Router setup was relatively straight forward. First use HE’s web interface to register an account and create a tunnel. You will need to know your local static IPv4 address for this. Once the tunnel appears in your account you can retrieve a list of commands to activate it on various platforms in the dropdown box at the bottom of the page. Linux users have two choices: Linux-route2 or Linux-net-tools. I chose Linux-route2 and simply copied the generated commands. As my router is behind a NAT device I had to replace the local IPv4 address with the address of the NAT device. The NAT device must also forward protocol 41 through to your endpoint. I had no trouble with a consumer level D-Link device. HE mentions both of these items in a bullet point.
Once these commands are executed I was able to use ping6 to ping the tunnel endpoints as well as IPv6 hosts on the internet.
$ ping6 -c 2 ipv6.google.com
PING ipv6.google.com(2404:6800:8004::68) 56 data bytes
64 bytes from 2404:6800:8004::68: icmp_seq=1 ttl=54 time=473 ms
64 bytes from 2404:6800:8004::68: icmp_seq=2 ttl=54 time=473 ms
--- ipv6.google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 473.126/473.322/473.519/0.715 ms
HE supplies a routed /64 network to use as your LAN subnet. If you require multiple subnets you can request a /48. I only required one subnet so I did not request the /48. As I only wanted one LAN client to have an IPv6 address while I am testing I did not use DHCP6 or radvd and just setup the interfaces manually. This step is not much different to manually setting up an IPv4 lan client except for the IPv6 addresses.
On the router you have to enable IPv6 packet forwarding and give the LAN interface one of the routed /64 IPv6 addresses:
# echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
# ip addr add <<routed /64 prefix>>::1/64 dev eth1
On the LAN client you have to give the LAN interface one of the routed /64 addresses and set a default route:
# ip addr add <<routed /64 prefix>>::2/64 dev eth0
# ip route add ::/0 <<routed /64 prefix>>::1
Once this is done you should have IPv6 connectivity from the LAN client.
Is it working?
While it is easy to check that IPv6 is working via testing with ping6, traceroute6, dig, etc, I wanted to be able to check at a glance how much traffic was going through the IPv6 tunnel. Two tools I was already using on the router were handy to monitor IPv6 usage: bwm-ng and vnstat. bwm-ng gives you a snapshot of throughput of all interfaces while vnstat tracks usage over time.
bwm-ng v0.6 (probing every 0.500s), press 'h' for help
input: /proc/net/dev type: rate
/ iface Rx Tx Total
lo: 0.00 KB/s 0.00 KB/s 0.00 KB/s
eth0: 0.00 KB/s 0.00 KB/s 0.00 KB/s
eth1: 0.13 KB/s 0.31 KB/s 0.44 KB/s
eth2: 0.00 KB/s 0.00 KB/s 0.00 KB/s
he-ipv6: 0.00 KB/s 0.00 KB/s 0.00 KB/s
total: 0.13 KB/s 0.31 KB/s 0.44 KB/s
$ vnstat -d -i he-ipv6
he-ipv6 / daily
day rx | tx | total | avg. rate
02/10/11 0 KiB | 0 KiB | 0 KiB | 0.00 kbit/s
02/11/11 6.97 MiB | 1.79 MiB | 8.76 MiB | 0.83 kbit/s
02/12/11 91.47 MiB | 9.01 MiB | 100.48 MiB | 9.53 kbit/s
02/13/11 91.89 MiB | 10.88 MiB | 102.78 MiB | 9.74 kbit/s
02/14/11 10.17 MiB | 3.26 MiB | 13.43 MiB | 1.52 kbit/s
estimated 11 MiB | 3 MiB | 14 MiB |
Google over IPv6
While Google allows access to Google Search on IPv6 other services are not served over IPv6 by default. Access to Gmail, etc over IPv6 normally requires registering with Google however thanks to HE you just need to use the supplied HE DNS resolvers to automatically gain access to Google’s IPv6 services.
HE offers an IPv6 certification test which takes you through different aspects of IPv6 configuration. I found this fun and educational and learnt quite a bit about IPv6 and DNS.
Having your LAN devices pop up on the internet has obvious security implications. Before enabling IPv6 for all LAN devices I will need to add IPv6 support to my firewall scripts. For the moment I have just made sure that services are only listening on IPv4 sockets and not IPv6.
Once security is taken care of I will install radvd and/or DHCP6 to take care of the LAN side of things.
At the moment I have to create the tunnel manually when I reboot my router. I should add the required stanza to /etc/network/interfaces to automate this.