FreeBSD: IPv6 setup

Stolen from here:

This brief guide uses pf and ezjail.

Basic setup

First off, we enable IPv6 and add one address to our interface.

# /etc/rc.d/network_ipv6 onestart
# ifconfig $nic inet6 $ipv6/128

Next we configure pf to let Router Advertisement Messages and other nice things pass through our firewall.

pass in on $host inet6 proto icmp6 icmp6-type {routeradv,echoreq,neighbrsol,neighbradv}

Now we're able to use rtsol to retrieve our defaultrouter's address.

# rtsol -d $nic

We add everything to our rc.conf and we're done.

ipv6_ifconfig_sis0="$ipv6 prefixlen 128"

Note: You may need to postfix your defaultrouter's address with %$nic.

IPv6 with Hetzner

You can request a /64 v6 subnet for free in the web interface of Hetzner. Shortly after that you will receive an email with the IPs of your new subnet. The first weird thing I found out was that I cannot use the first IP of my range. I asked about it and the answer from Hetzner was that they want to reserve the first IP in case of routing changes. So be it… Another weird thing is that you get a /64 subnet but you have to configure your IPs with a prefixlen of 59 (the prefix of your v6 gateway). I also asked about that and Hetzner said that it just works that way. Never mind, I can handle this.

rtsol doesn't seem to work on the Hetzner network. So we'll just configure everything by hand.

I started configuring everything in rc.conf.

# Enable IPv6
ipv6_enable="YES"
# Here we put our v6-address we want to use. Remember to use prefixlen 59 instead of 64
# You may also have to use another interface here!
ipv6_ifconfig_re0="2a01:4f8:62:6181::1:1 prefixlen 59"
# Now we configure the route. I don't know if this is the best way to do this, but it works fine for me
# The IP of the router comes along in the mail with the information about your subnet
# ipv6_route_gw is only applied when "gw" is listed in ipv6_static_routes
ipv6_static_routes="gw"
ipv6_route_gw="2a01:4f8:62:6180::1 -prefixlen 59 -iface re0"

We should now be able to fire our interface up with v6! In case you don't want to reboot (which I presume), you should manually add the IP to your primary network interface:

$ /etc/rc.d/network_ipv6 onestart
$ ifconfig re0 inet6 2a01:4f8:62:6181::1:1/59

You can now add a pf rule like the one above to allow pings to this address. You can test your connection by pinging an IPv6-only address like this:

$ ping
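
Why prefixlen 59 matters for the gateway above, as an added example that is not part of the original guide: it checks whether the router address is inside the network the interface configuration implies, using the Hetzner addresses from this page. The function names and the fe80::1%re0 sample router are assumptions made for illustration.

```python
import ipaddress

def _addr(text):
    # Drop a "%nic" scope suffix (see the defaultrouter note above) before parsing.
    return ipaddress.IPv6Address(text.split("%", 1)[0])

def on_link(host, prefixlen, gateway):
    """True if the gateway lies inside the network implied by host/prefixlen."""
    network = ipaddress.IPv6Interface(f"{host}/{prefixlen}").network
    return _addr(gateway) in network

def longest_shared_prefix(a, b):
    """Largest prefix length at which both addresses are still in one network."""
    diff = int(_addr(a)) ^ int(_addr(b))
    return 128 - diff.bit_length()

def gateway_reachability(host, prefixlen, gateway):
    """Classify how the host can reach the gateway with this interface config."""
    if _addr(gateway).is_link_local:
        return "link-local"             # on-link everywhere, so it needs %nic
    if on_link(host, prefixlen, gateway):
        return "on-link"                # covered by the interface prefix
    return "needs-interface-route"      # e.g. a static route with -iface

# Values from the Hetzner section of this page.
HOST = "2a01:4f8:62:6181::1:1"
GATEWAY = "2a01:4f8:62:6180::1"

if __name__ == "__main__":
    for plen in (59, 64, 128):
        print(f"/{plen}: {gateway_reachability(HOST, plen, GATEWAY)}")
    print("longest shared prefix:", longest_shared_prefix(HOST, GATEWAY))
    # fe80::1%re0 is a constructed sample of a router address learned via rtsol.
    print("/128 + fe80::1%re0:", gateway_reachability(HOST, 128, "fe80::1%re0"))
```

With a /64 the gateway falls outside the host's network, because 6180 and 6181 differ in the last bit of the fourth group, so the two addresses only share a network up to /63.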

IPv6 with Strato

Setting up IPv6 is kind of a mess. All networking at Strato is configured via DHCP. But the FreeBSD dhcpclient cannot handle the special Strato configuration. You also cannot use rtsol to get your router's address. You have to use a static route on your external interface. This is not much work, but I didn't figure this out myself and it was hard work to finally get it running. I think you can mostly copy and paste this code to your /etc/rc.conf.

# enable for local routing
# this is the primary IPv6 you get from Strato
ipv6_ifconfig_em0="2a01:238:42a0:b000:fc67:cd74:ecb4:5e49 prefixlen 56"
# set a static local interface-route

After you have pasted this into your /etc/rc.conf, you should be able to run /etc/rc.d/network_ipv6 start. Finally, test it as above.

Jail setup

There are two options: either a jail gets its own separate IPv6 address, or we use NAT and port forwarding. The first is useful for virtual servers, while the latter is required for service jails if we want everything to be reachable under one domain name.

Separate IPv6

We just add the address to our interface

# ifconfig $nic inet6 alias $ipv6/128
rc.conf: ipv6_ifconfig_$nic_alias0="$ipv6 prefixlen 128"

and to the jail start script at /usr/local/etc/ezjail/.

export jail_$jailname_ip="$ipv4,$ipv6"

Note: No space, just one comma.

Shared IPv6

For a better overview we begin by creating a separate interface for our internal addresses.

# ifconfig lo1 create
rc.conf: cloned_interfaces="lo1"

Now we can add private IPv6 addresses to this interface, assign these addresses to our jails and translate them accordingly using pf's NAT and Redirect.

nat on $host from $jail_ipv6 to any -> $host_ipv6
rdr pass on $host proto tcp from any to $host_ipv6 port $port -> $jail_ipv6
freebsd/ipv6_setup.txt · Last modified: 2015/11/06 00:30 by rybario