One Bad Pixel
Part 7: IPv6 enabling your Vyatta router (using a TunnelBroker)

Following along in my series of Vyatta articles, we left off with a functional system that is serving our IPv4 network, supplying DHCP, and doing some NAT translation. In this part, we are going to add IPv6 support so that you can start using IPv6 websites without relying on 6to4 or Teredo transition services.

For this setup, we will be using a free account from Hurricane Electric, one of the best tunnel brokers known to man. They will give you a free /64, and upon request (the click of a link), a /48 of IPv6 address space, which is more than you probably will ever need. I would like to remind you, their service is absolutely free. There is no secret agenda, they are just that awesome.

To get started, head over to and register for a free account. For this article, I am going to assume that you have a static address of 10.1.1.2. Since Vyatta doesn’t have Hurricane Electric’s Dynamic DNS supported out of the box, you won’t be able to use your DynDNS without some additional work-arounds (which I will cover later).

Once you have your account on TunnelBroker, login and click the “Create Regular Tunnel” link on the menu at the left. You will need to enter your public address in the IPv4 Endpoint box. This is the outside WAN address of your router.
You will also be presented with a list of available tunnel servers. Pick one that is geographically (or better, logically) close to you. Since I am in Michigan, I chose to use the Chicago tunnel server, which is only about 18ms from me, so tunneling my IPv6 traffic here doesn’t add very much latency.
After choosing a server, click the “Create Tunnel” button. You should be directed back to a page that shows the details of your tunnel, but if not, click on “Main Page” in the left sidebar, and your tunnel should be listed at the bottom. Click it to see the details.

The important information on this page is as follows:

  • Server IPv4 Address – This is the IPv4 address of the HE Tunnel Server that handles your tunnel.
  • Server IPv6 Address – This is the IPv6 address of the HE end of your tunnel.
  • Client IPv4 Address – This is the IPv4 WAN address of your router.
  • Client IPv6 Address – This is the IPv6 WAN address of your router.
  • Routed /64 – This is the subnet they have given you.
  • Routed /48 – If you click this link, they will give you a /48 also.

Now that we are finished setting up our account, let’s configure our Vyatta router with a new tunnel to handle this connection.


edit interfaces tunnel tun0
set address /64
set description "HE.NET IPv6 Tunnel"
set encapsulation sit
#if you have a dhcp assigned public address, use local-ip 0.0.0.0
set local-ip 10.1.1.2
set remote-ip 
top
commit
save

This should get your tunnel working; you can double-check by exiting out of config mode and issuing the command “show interfaces tunnel tun0 brief”. You should see the S/L column say “u/u”, which means “Admin Status UP, Link Status UP”.


vyatta@OneBadPixel-Vyatta:~$ show interfaces tunnel tun0 brief
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
tun0             x:x:x:x::2/64                     u/u  HE.NET IPv6 Tunnel

At this point, from the router, you should be able to ping the Server IPv6 address, which will be something like 2001:470:1f10:xxx::1.

Next, we need to set up our LAN interface with our routed network, and create a default route that sends all IPv6 traffic to our tunnel.


#note the 3rd hextet is 1f11 for routed network
set interfaces ethernet eth1 address 2001:470:1f11:xxx::1/64
#this sends ::/0 (everything) to tun0
set protocols static interface-route6 ::/0 next-hop-interface tun0
commit
save

Now our client workstations on the LAN should get autoconfigured addresses, but you probably want to set up DHCPv6 to hand out some v6-capable DNS servers and similar settings. Let's create a new DHCPv6 pool for this now.


edit service dhcpv6-server shared-network-name ETH1_V6POOL
#if we want to assign addresses using DHCPv6, use the following line
#but we really prefer to use Router Advertisements (RA) to do this instead
#set subnet 2001:470:1f11:xxx::/64 start 2001:470:1f11:xxx::100 stop 2001:470:1f11:xxx::200
#let's set our domain search suffix
set subnet 2001:470:1f11:xxx::/64 domain-search onebadpixel.local
#this is Hurricane Electric's anycast IPv6 nameserver
set subnet 2001:470:1f11:xxx::/64 name-server 2001:470:20::2
#we can also set sip-server-name, sip-server-address, and sntp-server
#set subnet 2001:470:1f11:xxx::/64 sntp-server 2001:470:1f11:xxx::1
top
commit
save

That does it for our DHCPv6 server handing out a DNS server. We can also hand out an SNTP server here, just as with the name-server.

*NOTE: I still have something not quite right with my configuration. My client systems are not detecting the default gateway properly. They seem to work if I manually add a gateway of 2001:470:1f11:xxx::1. Once I figure this out, I will update this article accordingly.

I fixed the issue where the autoconfiguration wasn’t working right. Basically, IPv6 Router Advertisements are disabled by default, so you need to enable them on your LAN interface.


#if you are assigning addresses from DHCPv6, skip this command
#this tells the system to use DHCPv6 only for additional info, but not for autoconfiguring
set interfaces ethernet eth1 dhcpv6-options parameters-only
#this sets up the router advertisements
edit interfaces ethernet eth1 ipv6
set dup-addr-detect-transmits 1
set router-advert cur-hop-limit 64
set router-advert default-preference high
set router-advert link-mtu 0
set router-advert managed-flag false
set router-advert max-interval 600
set router-advert other-config-flag true
set router-advert prefix 2001:470:1f11:xxx::/64 autonomous-flag true
set router-advert prefix 2001:470:1f11:xxx::/64 on-link-flag true
set router-advert prefix 2001:470:1f11:xxx::/64 valid-lifetime 2592000
set router-advert reachable-time 0
set router-advert retrans-timer 0
set router-advert send-advert true
top
commit
save
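Pulling the tunnel, LAN and router-advertisement steps above together, here is an added Python helper (not part of the original post) that derives the equivalent `set` commands from the values on the TunnelBroker details page and sanity-checks the prefixes before emitting anything. The addresses in it are constructed documentation-range placeholders, not a real HE allocation.

```python
import ipaddress

def he_tunnel_commands(server_v4, server_v6, client_v6, routed_64, local_v4="0.0.0.0"):
    """Build the Vyatta 'set' commands for tun0, eth1 and the RA prefix.

    server_v4, server_v6, client_v6 and routed_64 are the fields from the
    TunnelBroker details page; local_v4 is the router's WAN address, or
    0.0.0.0 when the WAN address comes from DHCP.
    """
    srv4 = ipaddress.IPv4Address(server_v4)
    srv6 = ipaddress.IPv6Address(server_v6)
    cli6 = ipaddress.IPv6Address(client_v6)
    routed = ipaddress.IPv6Network(routed_64, strict=True)   # rejects host bits set
    local = ipaddress.IPv4Address(local_v4)

    # Both tunnel endpoints live in one point-to-point /64 (HE: ::1 server, ::2 client).
    tunnel_net = ipaddress.IPv6Interface(f"{srv6}/64").network
    if cli6 not in tunnel_net:
        raise ValueError("client and server IPv6 addresses are not in the same /64")
    # The routed block is a separate /64 (in the post, third hextet 1f11 versus 1f10);
    # putting the tunnel prefix on the LAN by mistake leaves the LAN unroutable.
    if routed.prefixlen != 64 or routed.overlaps(tunnel_net):
        raise ValueError("routed prefix must be a /64 distinct from the tunnel /64")
    # Protocol 41 from the HE server must reach local_v4; an RFC 1918 WAN address
    # only works if the device in front of the router forwards it, so flag it.
    warnings = []
    if local.is_private and local != ipaddress.IPv4Address("0.0.0.0"):
        warnings.append(f"# warning: {local} is a private address; HE must be able to reach it")
    lan_gw = routed[1]   # first host (::1) of the routed /64 becomes the LAN gateway
    return warnings + [
        f"set interfaces tunnel tun0 address {cli6}/64",
        'set interfaces tunnel tun0 description "HE.NET IPv6 Tunnel"',
        "set interfaces tunnel tun0 encapsulation sit",
        f"set interfaces tunnel tun0 local-ip {local}",
        f"set interfaces tunnel tun0 remote-ip {srv4}",
        f"set interfaces ethernet eth1 address {lan_gw}/64",
        "set protocols static interface-route6 ::/0 next-hop-interface tun0",
        "set interfaces ethernet eth1 dhcpv6-options parameters-only",
        f"set interfaces ethernet eth1 ipv6 router-advert prefix {routed} autonomous-flag true",
        f"set interfaces ethernet eth1 ipv6 router-advert prefix {routed} on-link-flag true",
        "set interfaces ethernet eth1 ipv6 router-advert other-config-flag true",
        "set interfaces ethernet eth1 ipv6 router-advert send-advert true",
    ]

if __name__ == "__main__":
    # Constructed documentation-range values, not a real HE allocation.
    for line in he_tunnel_commands("192.0.2.1", "2001:db8:10:abc::1",
                                   "2001:db8:10:abc::2", "2001:db8:11:abc::/64"):
        print(line)
```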

At this point, renew the addresses on your client and you should get a link-local address (fe80::) as well as a public one (2001:470:1f11:xxx::). You should have connectivity now, so do a quick “ping -6 google.com” and make sure it works. I found that in Windows 7 the default firewall rules blocked ALL IPv6 traffic; I disabled the Windows firewall temporarily for testing. After that, head over to IPv6-Test.com to test it out.

Next: Load Balancing, Failover, OpenVPN, L2TP VPN, IPSec VPN, or something else. Let me know what you want.


7 Responses for “Part 7: IPv6 enabling your Vyatta router (using a TunnelBroker)”

  1. Updating HE TunnelBroker endpoint for dynamic address on Vyatta | One Bad Pixel Says:

    […] Part 7: IPv6 enabling your Vyatta router (using a TunnelBroker) | One Bad Pixel on Part 6: Vyatta Firewall Groups […]

  2. FlakeB Says:

    Hi and thanks for this very helpful blog post! Helped me very much, during the configuration of my new ERL. Maybe you can share some experience with L2TP remote access to the router?

  3. Jim Says:

    FlakeB: I will post a new article shortly on setting up L2TP Remote Access on an EdgeMax ERL. Stay tuned!

  4. L2TP/IPSec on a Ubiquiti EdgeMax | One Bad Pixel Says:

    […] Jim on Part 7: IPv6 enabling your Vyatta router (using a TunnelBroker) […]

  5. Jordi Says:

    Yeah. Your posts are very good!
    I would be interested in IPsec VPN and LoadBalancing. Thank you very much.

  6. FlakeB Says:

    Hi. Thanks for these perfect guides. They are very helpful! Maybe you can show us how to configure IPv6 if the provider gives you a native range?

  7. Wallarick Says:

    Thanks for the quick and comprehensive guide.
    Running on EdgeOS v1.7.0alpha2 a few settings became available for the HE DynDNS setup, so it should be a bit simpler now.
    For me the DNS entries had to be moved outwards one indent (to the network name instead of the subnet; could be an EdgeOS specific or just an unpatched bug in this Alpha release):
    ……..
    dhcpv6-server {
        shared-network-name ETH1_V6POOL {
            name-server 2001:470:20::2
            name-server 2001:4860:4860::8888
            subnet 2001:470:xx:xx::/64 {
                address-range {
                }
                domain-search xxx.xxx
            }
        }
    }

    I recommend everyone to make sure they also have at least a basic FW ruleset to govern incoming transactions on the tunnel.
    Mine looks like:
    firewall {
        ....
        ipv6-name wan_in {
            default-action drop
            description "Internet to internal networks"
            enable-default-log
            rule 1 {
                action accept
                description "allow established/related"
                log disable
                state {
                    established enable
                    related enable
                }
            }
            rule 2 {
                action drop
                description "drop invalid"
                log enable
                state {
                    invalid enable
                }
            }
            rule 5 {
                action accept
                description "allow icmpv6"
                log enable
                protocol icmpv6
            }
        }
        ipv6-name wan_local {
            default-action drop
            description "Internet to router"
            enable-default-log
            rule 1 {
                action accept
                description "allow established/related"
                log disable
                state {
                    established enable
                    related enable
                }
            }
            rule 2 {
                action drop
                description "drop invalid"
                log enable
                state {
                    invalid enable
                }
            }
            rule 5 {
                action accept
                description "allow icmpv6"
                log enable
                protocol icmpv6
            }
        }
        ipv6-receive-redirects disable
        ipv6-src-route disable
    ...........
        tunnel tun0 {
            address 2001:470:xx:xx::2/64
            description "HE.NET IPv6 Tunnel"
            encapsulation sit
            firewall {
                in {
                    ipv6-name wan_in
                }
                local {
                    ipv6-name wan_local
                }
            }
            local-ip 0.0.0.0
            multicast disable
            remote-ip 216.66.38.58
            ttl 255
        }
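To see what the wan_in chain in the comment above actually lets onto the LAN side of the tunnel, here is an added Python model of it (not the commenter's code): rules are tried top-down on connection state and protocol, and anything unmatched falls through to default-action drop with default logging. The sample packets are constructed, and the evaluator is a simplification of EdgeOS.

```python
# Model of the wan_in chain from the comment above (added example).
WAN_IN = [
    {"num": 1, "action": "accept", "log": False, "state": {"established", "related"}},
    {"num": 2, "action": "drop",   "log": True,  "state": {"invalid"}},
    {"num": 5, "action": "accept", "log": True,  "protocol": "icmpv6"},
]
# default-action drop plus enable-default-log
DEFAULT = {"num": None, "action": "drop", "log": True}

def evaluate(chain, packet):
    """Return (rule number, action, logged) for the first rule the packet matches."""
    for rule in chain:
        if "state" in rule and packet["state"] not in rule["state"]:
            continue
        if "protocol" in rule and packet["protocol"] != rule["protocol"]:
            continue
        return rule["num"], rule["action"], rule["log"]
    return DEFAULT["num"], DEFAULT["action"], DEFAULT["log"]

# Constructed sample packets arriving on tun0 from the Internet, bound for the LAN.
SAMPLES = {
    "reply to a LAN host's outbound HTTPS": {"protocol": "tcp", "state": "established"},
    "unsolicited SSH to a LAN host":        {"protocol": "tcp", "state": "new"},
    "ICMPv6 Packet Too Big (PMTUD)":        {"protocol": "icmpv6", "state": "new"},
    "out-of-window TCP segment":            {"protocol": "tcp", "state": "invalid"},
}

if __name__ == "__main__":
    for desc, pkt in SAMPLES.items():
        num, action, logged = evaluate(WAN_IN, pkt)
        print(f"{desc:40} -> rule {num}: {action}{' (logged)' if logged else ''}")
```

The ICMPv6 accept in rule 5 is what lets Packet Too Big and neighbor discovery through, which IPv6 needs to function, while the default drop still stops new inbound connections to LAN hosts.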

Leave a comment!