Why use IPv6 tunnels anyway?
Today, most Internet access providers are IPv6 enabled. Unfortunately, the majority of them do not provide a static /64 prefix; you get one dynamically assigned. Some providers can assign you a static prefix for a surcharge.
A dynamic prefix is useless if you want to ensure end-to-end connectivity with your gadgets at home.
Choosing a tunnel provider
Since 2004 I have had my own IPv6 prefix from SixXS. Pretty sad that they are shutting down their services on 2017-06-06.
Time to look for an alternative. Wikipedia has a list of public tunnel brokers. Most brokers provide PoPs in only one country. For most users, the only option left is Hurricane Electric, which offers tunnels to PoPs on three continents in various cities.
Setup in Fedora
The whole setup is rather simple; there is just one thing you should keep in mind. The provided Client IPv6 Address is not in the same subnet as the Routed /64. It is easy to copy-paste the wrong address, and you will end up in a nice routing loop. The difference is, e.g., 2001:470:6c:something vs. 2001:470:6d:something, only one character. It took me more than an hour to figure that out 😉
Create a new interface for the tunnel.
cat >>/etc/sysconfig/network-scripts/ifcfg-he-ipv6 <<EOF
DEVICE=he-ipv6
TYPE=sit
BOOTPROTO=none
ONBOOT=yes
IPV6INIT=yes
# The IPv4 address depends on the PoP you choose
IPV6TUNNELIPV4=18.104.22.168
# That is the IPv6 address of the client, not from the routed prefix
IPV6ADDR=2001:db8:dead:beef::2/64
EOF
LAN interface configuration
In my case I use a bridge to be able to provide IPv6 connectivity not only for the LAN but for Wifi and VPN as well.
cat >>/etc/sysconfig/network-scripts/ifcfg-br0 <<EOF
DEVICE=br0
ONBOOT=yes
TYPE=Bridge
BOOTPROTO=none
IPADDR=192.168.100.1
NETMASK=255.255.255.0
IPV6_AUTOCONF=no
IPV6INIT=yes
IPV6TO4INIT=no
# That is a random IP from your routed /64 prefix. Usually just use the first one
IPV6ADDR=2001:db8:cafe:1::1/64
EOF
Enable IPv6 routing
echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.conf
Setting the default device for IPv6 routing
echo "IPV6_DEFAULTDEV=he-ipv6" >> /etc/sysconfig/network
Setting up the Router Advertisement Daemon (RADVD)
There are several ways to configure the clients with an IPv6 address: DHCPv6, static manual configuration, or, easiest of all, RADVD, which tells the clients which prefix to use (prefix + fffe + MAC). The client itself appends an interface identifier derived from its MAC address (with fffe inserted in the middle) to the prefix.
Your clients will always get the same IPv6 address, which may or may not be a privacy problem for you. In contrast to SixXS, Hurricane Electric does not publish your name and address in whois; only the city and the ZIP code are made public.
Install radvd if not yet done
router:~# dnf install radvd
router:~# systemctl enable radvd.service
Configuration for the example prefix 2001:db8:cafe:1::/64
cat >> /etc/radvd.conf <
After restarting your network you're done. Have fun with IPv6 🙂
Setting up DNS
I’m not going into the details here. I’m using FreeIPA for DNS management; DNS entries are created automatically when you enroll your clients. The only thing you need to do is add the prefix to be able to do reverse lookups.
[root@ipa1 ~]# ipa dnszone-add --name-from-ip=2001:db8:cafe::/64 --dynamic-update=true
Zone name [0.0.0.0.e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa.]:
Zone name: 0.0.0.0.e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa.
Active zone: TRUE
Authoritative nameserver: ipa1.example.com.
Administrator e-mail address: hostmaster
SOA serial: 1490512663
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant EXAMPLE.COM krb5-subdomain 0.0.0.0.e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa. PTR;
Dynamic update: TRUE
Allow query: any;
Allow transfer: none;
[root@ipa1 ~]#
Reverse DNS delegation
Hurricane Electric allows you to delegate DNS lookups of your prefix to your DNS server(s). Making use of that is good practice.
- Hurricane Electric Tunnel broker https://tunnelbroker.net
- IPv6 Tutorial https://www.tutorialspoint.com/ipv6/
- List of public tunnel brokers https://en.wikipedia.org/wiki/List_of_IPv6_tunnel_brokers
If you have finished setting up all your services such as DNS, HTTP, SMTP etc. with IPv6, get “certified” at https://ipv6.he.net/certification/cert-main.php and get a fancy badge.
Have fun! 🙂