DæmonNews: News and views for the BSD community

IPv6 Behind a NAT

by Jim O'Gorman <jameso@elwood.net>

With IPv6 stacks now in FreeBSD and OpenBSD, I thought it might be a good time to try it out. The best place to do this is the 6bone (http://www.6bone.net). The 6bone was started as a way to test IPv6 deployment, and it is a great place to get familiar with how IPv6 works and how to use it. Before you think about putting IPv6 on your network, you will want to spend some time on the 6bone.

When starting out with IPv6, the quickest and easiest way to get going is through Freenet6 (http://www.freenet6.net). Freenet6 has a nice little web interface that you can use to set up an IPv6-over-IPv4 tunnel onto the 6bone. All you have to do is fill out a web form with a nickname for your box and your public IP. They then configure their end of the tunnel and give you a Perl script that you run as root to configure your end. It is quick and painless, and really is the best place to start getting IPv6 experience.

The problem with Freenet6 is that it does not work from behind a NAT without changes. With a little bit of tweaking, however, you can make it work. In this article I will talk about how to get it working from behind an IPFilter NAT/firewall when your box has a static NAT mapping. The end host in my example is a FreeBSD 4.0-STABLE box. The concepts I use in this paper can be applied to almost any other system; just consult your docs for the steps for your system.

The first thing you have to do is check the setup of your NAT/firewall. NAT can work two ways: many-to-one or one-to-one. On the NAT, make sure you have a static one-to-one mapping for your box.

Next we deal with the tunnel. Go to the Freenet6 website and fill out the web form, giving them the public IP that you have on the NAT. Freenet6 will then send you a Perl script that you run as root on your local host. Before you run it, you have to make a few changes.

The one change you must make is simple: on the line that calls gifconfig, replace your public IP with your private IP. For example, change the line that reads:

system(`gifconfig $if public.routeable.IP 206.123.31.102`);

to:

system(`gifconfig $if private.nonrouteable.IP 206.123.31.102`);

That is the only change you need to make. When you run the script, its output will be wrong (it will print the public IP where it says "Your IP v4 address is"), but it will still configure everything correctly. If you want the script's output to read correctly as well, simply change every occurrence of your public IP in the script to your private IP.

Once you have the script changed, all you have to do is run it as root. Your tunnel is now made on your local host.

Once that is done, all you have to do is add a couple of firewall rules.

For the firewall rules we will assume that you are using rule groups on IPFilter. The groups are as follows:

100 - Inbound on fxp0
150 - Outbound on fxp0
200 - Inbound on fxp1
250 - Outbound on fxp1

With fxp0 attached to the public Internet and fxp1 attached to your private LAN, there are four firewall rules that you will need to add. In the rules below, $YOURPRIVATEIP is the IP of your box on the private LAN and $YOURPEERSPUBLICIP is the IP of your peer as given in the output of the Freenet6 script. We also assume that you are using a default-deny policy, so each flow has to be allowed by hand: we pass packets between you and your peer only when the protocol is IPv6 (IP protocol 41, IPv6 encapsulated in IPv4).

pass in quick proto ipv6 from $YOURPEERSPUBLICIP to $YOURPRIVATEIP group 100

This allows your peer to send packets in from the public Internet to your private IP.

pass out quick proto ipv6 from $YOURPRIVATEIP to $YOURPEERSPUBLICIP group 150

This allows your private IP to route to your peer through the external interface.

pass in quick proto ipv6 from $YOURPRIVATEIP to $YOURPEERSPUBLICIP group 200

This allows packets to go from your local host to your peer through the internal interface.

pass out quick proto ipv6 from $YOURPEERSPUBLICIP to $YOURPRIVATEIP group 250

This allows your peer to route packets to your local host through the internal interface.

Once that is all done, reload your rule set on the firewall and test it out: try ping6 www.kame.net and see what happens.

I don't claim to be an expert on IPv6. I am still learning at this point. But this has worked for me, and should for you as well. Have fun, and see you on the 6bone.

    Author maintains all copyrights on this article.
    Images and layout Copyright © 1998-2006 Dæmon News. All Rights Reserved.