How to add IPv6 over IPv4 support to your network behind a NAT router

Firewall+IPv6 Tunnel mini-HOWTO
Hernán Freschi <hjf(at)hjf.com.ar>
version 0.1, 2002-11-27

How to add IPv6 over IPv4 support to your network behind a NAT router.
----------------------------------------------------------------------

Table of Contents


  1. Introduction

     1.1 Copyright
     1.2 Disclaimer
     1.3 Credits
     1.4 Changelog
  
  2. What's IPv6? What can it do for me?

  3. How do I connect to the 6bone?

  4. What should I allow through the firewall?

  5. Configuring the IPv6 machines/routers

  5.1. Linux

  5.2. Windows

    5.2.1 IPv6 stand-alone machine
    5.2.2 IPv6 network
      5.2.2.1 The Router
      5.2.2.2 The clients

  6. Examples
     6.1 Windows PC using IPv6, behind iptables NAT/MASQ, with a tunnel from HE.
     6.2 Multiple Windows PCs using IPv6, behind iptables NAT/MASQ, with a tunnel from BTExact.

----------------------------------------------------------------------

1. Introduction


1.1 Copyright 

This document is Copyright 2002 by Hernán Freschi. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license can be found at www.gnu.org. 


1.2 Disclaimer 
Use the information in this document at your own risk. I disavow any potential liability for the contents of this document. Use of the concepts, examples, and/or other content of this document is entirely at your own risk. 

All copyrights are owned by their owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. 

Naming of particular products or brands should not be seen as endorsements. 

You are strongly recommended to take a backup of your system before major installation and backups at regular intervals. 



1.3 Credits 

Hernán Freschi <hjf(at)hjf.com.ar>

Microsoft, Windows, 2000, XP, SP1, .NET Server 2003 are all trademarks of Microsoft Corp.

Any comments or suggestions can be mailed to my mail address on: hjf(at)hjf.com.ar

This document is still in beta phase, so errors and omissions may be present. 



1.4 Changelog

0.1 Initial Release.



Getting Started



2. What's IPv6? What can it do for me?

Sorry, that is beyond the scope of this document. This aims to make a iptables firewall to allow incoming traffic from an IPv6 tunnel.



3. How do I connect to the 6bone?

Through a tunnel broker!. Get your account (for free) at:

www.tunnelbroker.net (USA)
tb.ipv6.btexact.com (UK)
tb.ngnet.it (Italy?)

You could also use www.freenet6.net, but they use proprietary software, which doesn't run inside a network. But it's easier to implement and even assigns /48 subnets.



4. What should I allow through the firewall?

Everything that comes from the tunnel address, except ICMP (what for? let the linux box answer, so the packets dont get in the network). The rules I use are this:

iptables -A FORWARD -s <tunnel address> -p ! ICMP -i eth0 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to <internal router address>

And that's it. The outgoing packets don't need special treatment.

Note: This, of course, assumes that your Linux firewall doesn't handle the IPv6 packets. It's designed to run on tiny distros like FloppyFW (www.zelow.no/floppyfw) or LRP (www.lrp.org). With this, the firewall doesn't need support for IPv6. These packets are handled in an internal, more powerful (ie: with a hard disk) computer.



5. Configuring the IPv6 machines/routers

5.1 Linux

I don't have a linux box to experiment, you can either
a) Donate a hard disk, so I can install linux again or
b) Write this section for me :)

5.2 Windows (2000/XP/XP-SP1/.NET Server 2003 ONLY! Win9x is UNSUPPORTED).

First of all, you have to install IPv6 support:

C:\> ipv6 install
Installing...

Success.

5.2.1 IPv6 stand-alone machine:

Use your brokers script! If they didn't provide one, use these:

ipv6.exe rtu ::/0 2/::<tunnel address>
ipv6.exe adu 2/<your ipv6 address>

The 2/ is the Interface Index. It's usually 2, but it may vary. If in doubt, type

ipv6 if

and look for a line like this:

Interface 2: Automatic tunnel pseudo-interface

The number, obviously, is the one you are looking for.


5.2.2 IPv6 network

(Note: this applies only to the external network. If you need help setting up the IPv6 lan, read www.microsoft.com/ipv6)

5.2.2.1 The Router

Use your brokers script! If they didn't provide one, use these:

ipv6.exe rtu ::/0 2/::<tunnel address>
ipv6.exe adu 2/<your ipv6 address>
ipv6.exe rtu <your ipv6 subnet>/<your ipv6 netmask> 4 pub life 86400
ipv6.exe ifc 2 forw
ipv6.exe ifc 3 forw
ipv6.exe ifc 4 forw adv

2, 3, 4 are the interface indices. They may vary. To find out, type

ipv6 if

5.2.2.2 The clients

You don't need to do nothing, they are auto configured.



6. Examples:

6.1 Windows PC using IPv6, behind iptables NAT/MASQ, with a tunnel from HE.

Equipment required:
1 Box capable of running iptables (kernel = 2.4.x)
1 Box running Microsoft® Windows 2000, Windows XP (SP1), Windows .NET Server 2003.

Tunnel:
1 /127 Allocation from Hurricane Electric

  +---+            +---+           \/\/\/\/\/         +------+          /\/\/\/\/\
  |WIN|------------|FFW|-----------/INTERNET\---------|TUNNEL|----------\  6bone /
  +---+            +---+           \/\/\/\/\/         +------+          /\/\/\/\/\
10.42.42.100<->10.42.42.1   <->   209.13.122.2  <->  ipv6.he.net <->   2001:470:1F00:FFFF::xxxx

Configuration:
On the Linux box type:

iptables -A FORWARD -s 64.71.128.82 -p ! ICMP -i eth0 -j ACCEPT
iptables -t nat -A PREROUTING -s 64.71.128.82 -i eth0 -j DNAT --to 10.42.42.100

On the MS box type:

ipv6 rtu ::/0 2/::64.71.128.82 pub
ipv6 adu 2/2001:470:1F00:FFFF::xxxx

Congratulations. You are set.

Now try pinging to 6bone.net, for example. 


6.2 Multiple Windows PCs using IPv6, behind iptables NAT/MASQ, with a tunnel from BTExact.

Equipment required:
1 Box capable of running iptables (kernel = 2.4.x)
n Boxes running Microsoft® Windows 2000, Windows XP (SP1), Windows .NET Server 2003.

Tunnel:
1 /64 Allocation from Hurricane Electric


  +---+ +---+ +---+
  |WIN| |WIN| |WIN|
  +---+ +---+ +---+
    +-----+-----+
  +---+            +---+           \/\/\/\/\/         +------+          /\/\/\/\/\
--|WRT|------------|FFW|-----------/INTERNET\---------|TUNNEL|----------\  6bone /
  +---+            +---+           \/\/\/\/\/         +------+          /\/\/\/\/\

10.42.42.100<->10.42.42.1   <->   209.13.122.2  <->  193.113.58.80 <-> 2001:618:400::xxxx:xxxx

Configuration:
On the Linux box type:

iptables -A FORWARD -s 64.71.128.82 -p ! ICMP -i eth0 -j ACCEPT
iptables -t nat -A PREROUTING -s 64.71.128.82 -i eth0 -j DNAT --to 10.42.42.100

On the MS router type:

ipv6.exe rtu ::/0 2/::193.113.58.80
ipv6.exe adu 2/2001:618:400::xxxx:xxxx
ipv6.exe rtu 2001:618:400:xxxx::/64 4 pub life 86400
ipv6.exe ifc 2 forw
ipv6.exe ifc 3 forw
ipv6.exe ifc 4 forw adv

On the other machines type:

Nothing, they are auto configured. If they dont work, try:

ipv6 reset

If that doesn't work, check for a default route (::/0). 

ipv6 rt

If there isn't one, try adding one:

ipv6 rtu ::/0 n/(your routers ipv6 address)

(where n is the interface index of the ethernet board connected to the network, usually 4).

If it works, but the next time you reboot, it does not auto configure, then maybe you are not publishing the default route in the router.

Congratulations. You are set.

Now try pinging to 6bone.net, for example.