fbsdlists at gmail.com
Mon Nov 5 12:56:04 PST 2007
On 11/5/07, Aryeh M. Friedman <aryeh.friedman at gmail.com> wrote:
> I want to set my machine up to be on both IPv4 and IPv6. I have read
> the stuff on 6over4 and such and am still a little confused on a few things:
> 1. The machine I want to do the tunneling on is behind a NAT'ed firewall
> how do I reliably obtain the external IP of the firewall (dhcp
> assigned from cable company)?
Probably the easiest method is to go to a web site that tells you what
IP you are coming from, e.g. http://www.go6.net (just below the top
banner). Or if you log in to your firewall it will be able to tell you
its external IP number.
> 2. If the machine I want to do the tunneling with is the DMZ host for
> the above FW do I need to add anything special to the FW's routing tables?
6to4 tunneling uses IP protocol type 41, so you need to tell your FW
to permit protocol 41 traffic. TCP, UDP, ICMP, etc. are all different
protocol types, so the syntax used to allow TCP traffic might work if
you use "41" instead of "TCP". You may also need a way to tell your
firewall to route all protocol 41 traffic to your IPv6 gateway system
so it can receive all of your incoming IPv6 traffic.
> 3. I am a little confused on how to pick the other end of the tunnel and
> how do I configure it once the first 2 items are solved?... The
> confusion comes from how is an arbitrary (by me [within the restrictions
> in stf(4)]) selected IPv6 IP supposed to be routable when IPv4 forces
> me to use the one assigned to me by my upstream router?
Pick the tunnel with the least delay!
The other restrictions only mean that if you have more than one IPv6
system on your local network, they must have unique IPv6 addresses. At
least, I think that's what they mean. This is the part of IPv6 over
IPv4 that I haven't directly experimented with yet, so I can tell you
what I think I understand, not what I've proven I understand, but here
it is: You will run stf(4) on only one system on your LAN. That
system becomes your gateway to the IPv6 world. Other systems on your
LAN get other IPv6 addresses, all with the same initial 48 bits (i.e.
they all use the same IPv4 address to construct their IPv6 address,
but the rest of the address has to be different for each system in
your LAN). Outside systems will send traffic for your LAN to the
gateway system (the one running stf) and it will forward it
accordingly. You will need to tell the stf system that it is supposed
to perform that role, which for FreeBSD I think is accomplished by
adding rtadvd_enable="YES" to /etc/rc.conf. You may (or may not) find
it informative to read rtadvd(8). On all the other systems in your
LAN, you just need to enable IPv6, and they will talk to rtadvd and
configure themselves appropriately. At least, that's my understanding.
So far I have not used stf -- instead I have used tunneling via the
gw6c client and Freenet6 (i.e. http://www.go6.net). First install the
net/gateway6 port. Edit /usr/local/etc/gw6c.conf and change the
appropriate parts for an anonymous connection (the comments explain
them - in fact that may be the default). Also set gw6c.conf so your
system will be a router if you have other IPv6 systems on your LAN.
Then run gw6c and it will set up the tunnel, and run rtadvd for you if
appropriate. That should be all you have to do. Again, this is needed
only on your gateway system, so all the other systems on your network
need only have IPv6 enabled. It should also be obvious that both of
these methods completely bypass your existing IPv4 firewall, so every
system on your LAN will have unfirewalled exposure to the Internet,
unless you run an IPv6 firewall as well.
One advantage of using gw6c is that it can build a tunnel over
protocol 41, over TCP, or over UDP. So if your firewall prevents you
from getting a 6to4/stf tunnel working, try gw6c. I also found it
easier to set up than figuring out what I needed to make stf work, but
I'm about to set up an stf system so I can directly compare the two.
If you like the gw6c method, go to http://www.go6.net and register for
a free account. Then edit gw6c.conf with your account info and other
appropriate changes, and restart it. You will be issued a permanent
IPv6 address tied to your account, so that if your external IPv4
address changes your IPv6 addresses do not change.
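As an added example (not code from the thread or from FreeBSD itself), here is a small sh script that works through the addressing the reply describes: it derives the 2002:WWXX:YYZZ::/48 site prefix from a public IPv4 address, builds per-host addresses that share those 48 bits, recovers the IPv4 tunnel endpoint from a 6to4 address (what the peer or relay does before sending protocol 41 packets), and prints the stf(4)-style ifconfig/route lines for the gateway. The IPv4 address 203.0.113.9 is a constructed documentation address, not a real endpoint.

```sh
#!/bin/sh
# 6to4 addressing helpers (added example, not from the list thread).
# A 6to4 site prefix is 2002:WWXX:YYZZ::/48, with WW.XX.YY.ZZ the site's
# public IPv4 address, so every host behind the stf gateway shares those
# 48 bits and the far end can recover the IPv4 tunnel endpoint from them.

# sixto4_prefix 203.0.113.9 -> 2002:cb00:7109::/48   (constructed address)
sixto4_prefix() (
    set -f; IFS=.; set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        # decimal octet, no leading zeros (avoids octal interpretation), <= 255
        case $o in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    printf '2002:%02x%02x:%02x%02x::/48\n' "$1" "$2" "$3" "$4"
)

# sixto4_host <ipv4> <host-part> -> 2002:cb00:7109::1
# The host part (everything after the 48-bit prefix) must differ per LAN host.
sixto4_host() {
    p=$(sixto4_prefix "$1") || return 1
    printf '%s%s\n' "${p%/48}" "$2"
}

# sixto4_to_ipv4 2002:cb00:7109::1 -> 203.0.113.9
# Inverse mapping: the IPv4 address a peer sends protocol 41 packets to.
sixto4_to_ipv4() {
    case $1 in 2002:*:*) ;; *) return 1 ;; esac
    r=${1#2002:}
    hi=${r%%:*}; r=${r#*:}; lo=${r%%:*}
    for h in "$hi" "$lo"; do
        case $h in ''|*[!0-9a-fA-F]*|?????*) return 1 ;; esac
    done
    printf '%d.%d.%d.%d\n' $((0x$hi >> 8)) $((0x$hi & 255)) \
                           $((0x$lo >> 8)) $((0x$lo & 255))
}

# stf_commands <ipv4>: ifconfig/route lines for the stf(4) gateway.
# The default route points at the 6to4 relay anycast prefix (RFC 3068,
# 192.88.99.1), which is simply sixto4_prefix applied to that address.
stf_commands() {
    a=$(sixto4_host "$1" 1) || return 1
    relay=$(sixto4_prefix 192.88.99.1)
    printf 'ifconfig stf0 create\n'
    printf 'ifconfig stf0 inet6 %s prefixlen 16 alias\n' "$a"
    printf 'route add -inet6 default %s\n' "${relay%/48}"
}
```

The firewall still needs to permit IP protocol 41 to the gateway, as the reply notes; the script only handles the addressing.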