IPv6 Working On LAN
I finally managed to get the IPv6 tunnel working through my router to PCs on my LAN. Turns out to have been two head-slappers with the addressing of the router's interface that were causing all of the ailments. Despite what the Hurricane Electric certification implies, I'm not quite a sage at IPv6, but I have prepared my systems thoroughly for IPv6.
A little set-up, then some geeky discussion. If you're not interested in the geeky discussion, you can stop reading now, and just share in the geeky elation that goes with knowing another technology has just been added to my repertoire.
On to that geeky stuff.
I started tinkering with IPv6 to get more IP addresses for my web servers to host SSL. Of course, IPv6 isn't a viable solution until more ISPs dole out IPv6 to end-users, and until more end-users get equipment configured to use IPv6. Regardless, I thought I should do what I can to get started. I mean, it's only been 15 years since the technology was introduced and started making its way into operating systems.
I've been waiting for my ISP to follow through on its commitment to turn on IPv6 for everyone (http://www.worldipv6launch.org/), and while they are working on it, it hasn't happened yet. I even prepared my router by adding a firmware that supports IPv6 (and other things I wanted that it didn't support originally, like multiple wireless networks), from http://www.dd-wrt.com.
Recently I learned about the 6to4 (or 6in4 if you prefer) tunneling. There are a number of providers, but in a tutorial and discussions on the router firmware site, Hurricane Electric seemed like an easy one to use, and they don't require any additional software--just sign up and give 'em your IP address so they can associate it with the tunnel.
Basically, the way a tunnel works is that each IPv6 packet on one end is wrapped inside an IPv4 packet and sent over the IPv4 Internet, and on the other end it is unwrapped and sent on its way to its IPv6 destination. The idea is that my LAN can be configured with IPv6 and hit the router, which will tunnel the traffic through to the Hurricane Electric endpoint, where it will be converted back into IPv6 Internet traffic; and vice versa. It's a little bit of a band-aid, but since I'm stuck behind IPv4 at my ISP's router, it's what has to be done until I get IPv6 to my door.
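How the tunnel carries traffic, as an added example that is not from the original post: each IPv6 packet travels whole inside an IPv4 packet whose protocol number is 41, which is the protocol the router script's iptables rules refer to as ipv6 and 41. The endpoint addresses are constructed from documentation ranges, not a real tunnel allocation.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IP protocol number for IPv6-in-IPv4; "ipv6" in /etc/protocols, "41" in the script's NAT rule

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header; returns 0 when a filled-in header verifies."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv6(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    """Minimal IPv6 header (version 6, no traffic class or flow label, hop limit 64) plus payload."""
    head = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return head + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload

def encapsulate_6in4(inner: bytes, local_v4: str, remote_v4: str) -> bytes:
    """Wrap one whole IPv6 packet in one IPv4 packet between the tunnel endpoints (TTL 255, as in the script)."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 255, IPPROTO_IPV6, 0,
                         ipaddress.IPv4Address(local_v4).packed, ipaddress.IPv4Address(remote_v4).packed)
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:] + inner

def decapsulate_6in4(outer: bytes) -> dict:
    """The far endpoint's job: insist on protocol 41, drop the IPv4 header, read the IPv6 packet inside."""
    ihl = (outer[0] & 0x0F) * 4
    if outer[9] != IPPROTO_IPV6:
        raise ValueError(f"not 6in4: IPv4 protocol {outer[9]}")
    if ipv4_checksum(outer[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    inner = outer[ihl:]
    payload_len = struct.unpack("!H", inner[4:6])[0]
    return {
        "outer_src": str(ipaddress.IPv4Address(outer[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(outer[16:20])),
        "inner_src": str(ipaddress.IPv6Address(inner[8:24])),
        "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
        "inner_next_header": inner[6],
        "inner_payload": inner[40:40 + payload_len],
    }

def demo() -> dict:
    """Constructed round trip: a LAN host's ICMPv6 packet (next header 58) leaving via the router's tunnel."""
    inner = build_ipv6("2001:db8:aaaa:cccc::10", "2001:db8::1", 58, b"\x80\x00\x00\x00\x00\x01\x00\x01")
    outer = encapsulate_6in4(inner, "192.0.2.10", "192.0.2.1")  # constructed router WAN address -> HE server
    return decapsulate_6in4(outer)
```

Because the IPv4 layer only sees protocol 41, an IPv4 firewall that filters on TCP/UDP ports never sees the ports of the IPv6 traffic inside; that filtering has to happen on the IPv6 side of the tunnel.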
I have two configurations I need to get working. One is a directly-connected server called "Paradox", and then the dd-wrt router needs to handle IPv6 traffic for the LAN. Since I don't have direct access to the common ISP-provided router, I chose to request two tunnels from Hurricane Electric. When you request a tunnel they give you a configuration with the endpoints and a routed /64 address range.
Let's pause to compare this to what I have now. My ISP-provided address range is a /29, which is technically a network of 8 nodes, but you lose one for the network definition, one for the broadcast, and one for the gateway (which technically is a choice, but since my network goes somewhere else it has to be done); this leaves the 5 addresses I get to use. The /64 range I've been given by Hurricane Electric gives me about 18 million nodes. Fair enough, a number of those go into defining the network (as with the IPv4 network definition and broadcast address), but even if it was half (which it isn't) that'd still leave 9 million nodes--heck, even if it took a 9-to-1 overhead to work IPv6 it'd still leave almost 2 million nodes.
To be sure...I'm looking at using about 10 or 20 or so right now...
I started with the server, named "Paradox" (I chose this name because, although it doesn't show in the diagram, it's dual-homed, and it gave me some trouble initially getting my LAN to reach it through the right interface...). Really I started with the router, but it was trickier, so I focused on the server and got it working first.
Quite handily, after you request a tunnel there's a nice configuration guide that covers a lot of devices and operating systems. Neatly, it provides the exact configuration needed to add to the right file on the server to configure it to use the addresses of the tunnel, too, so it's arguably a no-brainer. After copying the file into place and either rebooting or using the command line to activate the newly defined interface (I did the latter first and then the former to make sure it stuck), the Internet-facing interface of the server was working. Without any further changes I was able to ping6 IPv6 addresses and hit http://ip6.me and http://test-ipv6.com with my browsers, and my IPv6 configuration was confirmed. A tweaky little bit was added to my BIND and HTTPD configurations and my first IPv6 web site worked. Go ahead, if you're IPv6-enabled, hit http://ipv6.twistedpair.net and you'll see for yourself.
Server...for the first bit...done.
The router was a little more difficult. On the previously mentioned tutorial page there's a script that works for some. It didn't work for me. First, on my router the bridge interface is named br0 instead of vlan1 or whatever was in their file; easy fix. Also, there was some cruft in there to try to determine dynamic IPv4 addresses, but since I'm using a static IP address I don't need all of that stuff.
After just those changes I was able to do the ping6 to IPv6 hosts by name from the router, and it seemed that the router was handing out addresses correctly to LAN machines, and while they could ping each other, they couldn't ping the router or anything on the Internet. I did some searching on forums and found tweaks and changes to the script, but they didn't work, either.
Then I found a pair of dumb mistakes I'd apparently made when copying or editing the file.
The first involved giving the LAN interface an IPv6 address; the address needs to come from the routed /64 range, but the script was instead appending to the tunnel addresses. Correcting this put the LAN interface of the router on the same network as the other LAN computers, and that should have been that, but I still couldn't ping between the router and LAN machines.
The second involved the later assignment of this address on the interface. Somehow in the editing I'd missed the /64 that goes with it, so the interface was being assigned to a single-node network. Adding the /64 to the line that assigns the address allowed the router to participate with the rest of the machines on the LAN.
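A small check for the two slips described above, as an added example that is not the author's code: it mirrors how the script derives the LAN address and what a missing prefix length on the ip command does. The addresses are constructed from the 2001:db8::/32 documentation range, standing in for the values Hurricane Electric supplies.

```python
import ipaddress
from typing import List, Optional

# Constructed stand-ins (documentation space) for what HE's tunnel details page gives you.
CLIENT_IP6_ADDR = "2001:db8:aaaa:bbbb::2"  # the router's end of the tunnel /64
ROUTED_IP6_ADDR = "2001:db8:aaaa:cccc::"   # the routed /64, written prefix-first with a trailing "::"

def lan_assignment(prefix: str, host: str = "1", prefixlen: Optional[int] = 64) -> str:
    """Mirror the script: LAN_IP6_ADDR="${prefix}1", then "${LAN_IP6_ADDR}/64" on the ip command.
    prefixlen=None reproduces the second slip, an address with no /64 after it."""
    addr = prefix + host
    return addr if prefixlen is None else f"{addr}/{prefixlen}"

def check_router_ipv6_config(routed_prefix: str, client_addr: str, br0_assignment: str) -> List[str]:
    """Return the problems an `ip -6 addr add <br0_assignment> dev br0` line would cause, as short codes."""
    routed = ipaddress.IPv6Network(routed_prefix + "/64", strict=False)
    tunnel = ipaddress.IPv6Network(client_addr.split("/")[0] + "/64", strict=False)
    # A bare address parses as /128 here, exactly as `ip -6 addr add` treats it.
    iface = ipaddress.IPv6Interface(br0_assignment)
    problems = []
    if iface.ip in tunnel:
        problems.append("lan-address-in-tunnel-prefix")      # slip one: built from the tunnel addresses
    elif iface.ip not in routed:
        problems.append("lan-address-outside-routed-prefix")
    if iface.network.prefixlen != 64:
        problems.append("lan-prefix-length-not-64")          # slip two: a /128 island, LAN hosts not on-link
    return problems

def lan_host_is_on_link(br0_assignment: str, host: str) -> bool:
    """Whether the router will treat `host` as a neighbour on br0 rather than something to route."""
    return ipaddress.IPv6Address(host) in ipaddress.IPv6Interface(br0_assignment).network
```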
Rebooting the router and toggling the interfaces on my test workstation showed that it worked, finally! I was able to ping6 by IPv6 address, but I couldn't get names to resolve. I checked and found my router was handing itself out as the DNS server when it assigned addresses, whereas the DNS server on my LAN is actually my server. It seemed that the router's DNS wasn't responding to IPv6 requests or with IPv6 information. A quick change to send the DHCP response with the DNS of the LAN server instead and I was able to ping6 IPv6 hosts by name and browse to IPv6 sites.
Here's the script I finally ended up with:
#!/bin/sh
# dd-wrt startup script for a Hurricane Electric 6in4 tunnel on a static WAN IPv4 address.
# Fill the next four values in from the tunnel details page at Hurricane Electric.
SERVER_IP4_ADDR="---FROM HURRICANE ELECTRIC---"
ROUTED_IP6_ADDR="---FROM HURRICANE ELECTRIC---"
SERVER_IP6_ADDR="---FROM HURRICANE ELECTRIC---"
CLIENT_IP6_ADDR="---FROM HURRICANE ELECTRIC---"
# LAN interface address: the first host in the routed /64 (ROUTED_IP6_ADDR ends in "::"),
# not something appended to the tunnel addresses.
LAN_IP6_ADDR="${ROUTED_IP6_ADDR}1"
STARTUP_SCRIPT_LOG_FILE="/jffs/ipv6.log"
RADVD_CONFIG="/jffs/radvd.conf"

echo "HE IPv6 Script started" > $STARTUP_SCRIPT_LOG_FILE
insmod ipv6
sleep 10
WANIP=$(nvram get wan_ipaddr)
date >> $STARTUP_SCRIPT_LOG_FILE
echo "WAN IPv4 detected as: ${WANIP}" >> $STARTUP_SCRIPT_LOG_FILE
echo "Server IP4 ${SERVER_IP4_ADDR}" >> $STARTUP_SCRIPT_LOG_FILE
echo "Server IPv6 ${SERVER_IP6_ADDR}" >> $STARTUP_SCRIPT_LOG_FILE
echo "Client IPv6 ${CLIENT_IP6_ADDR}" >> $STARTUP_SCRIPT_LOG_FILE
echo "LAN IPv6 ${LAN_IP6_ADDR}" >> $STARTUP_SCRIPT_LOG_FILE
echo "Routed /64 ${ROUTED_IP6_ADDR}" >> $STARTUP_SCRIPT_LOG_FILE

if [ -n "$WANIP" ]
then
    echo "configuring tunnel" >> $STARTUP_SCRIPT_LOG_FILE
    # The tunnel itself: IPv6 packets carried inside IPv4 (protocol 41) to HE's server.
    ip tunnel add he-ipv6 mode sit remote $SERVER_IP4_ADDR local $WANIP ttl 255
    ip link set he-ipv6 up
    ip -6 addr add $CLIENT_IP6_ADDR dev he-ipv6
    # The /64 here is what makes the router a member of the LAN network instead of a /128 island.
    ip -6 addr add ${LAN_IP6_ADDR}/64 dev br0
    route -A inet6 add ::/0 dev he-ipv6
    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
    # Accept the encapsulated tunnel traffic on the WAN side and keep it out of the IPv4 NAT.
    iptables -I INPUT 2 -p ipv6 -i eth1 -j ACCEPT
    iptables -t nat -A POSTROUTING --proto ! 41 -o eth0 -j MASQUERADE

    # Point dnsmasq at IPv6 resolvers, replacing any earlier copies of the 2620: lines.
    echo "Open DNS ipv6 enabled" >> $STARTUP_SCRIPT_LOG_FILE
    grep -v 2620 /tmp/resolv.dnsmasq > /jffs/resolv.dnsmasq
    cp /jffs/resolv.dnsmasq /tmp/resolv.dnsmasq
    echo "nameserver 2620:0:ccc::2" >> /tmp/resolv.dnsmasq
    echo "nameserver 2620:0:ccd::2" >> /tmp/resolv.dnsmasq
    cat /tmp/resolv.dnsmasq >> $STARTUP_SCRIPT_LOG_FILE

    # Write a fresh radvd config on each boot: the first line truncates the file, since
    # appending to a file that persists on /jffs would pile up duplicate interface blocks.
    echo "creating radvd conf" >> $STARTUP_SCRIPT_LOG_FILE
    echo "interface br0 {" > $RADVD_CONFIG
    echo "AdvSendAdvert on;" >> $RADVD_CONFIG
    echo "prefix ${ROUTED_IP6_ADDR}/64 {" >> $RADVD_CONFIG
    echo "AdvOnLink on;" >> $RADVD_CONFIG
    echo "AdvAutonomous on;" >> $RADVD_CONFIG
    echo "AdvRouterAddr on;" >> $RADVD_CONFIG
    echo "};" >> $RADVD_CONFIG
    echo "};" >> $RADVD_CONFIG
    cat $RADVD_CONFIG >> $STARTUP_SCRIPT_LOG_FILE
    echo "starting radvd" >> $STARTUP_SCRIPT_LOG_FILE
    radvd -C $RADVD_CONFIG
fi
Next Steps
Security, surely, is high on my list. I've confidently firewalled my server to accept only the desired services (SSH, HTTP(S), and those related to e-mail) from the world at large. That's on IPv4, though. I'm doing simple port filtering now, and the server isn't doing any IPv6 routing, so I think that tunnel's /64 ends at the endpoint. The router has a simple "enable IPv6" button I can click to turn off (or on) that interface; I don't know if the router firewall (the one configured through the GUI, anyway) affects IPv6 traffic.
After I get the security worked out, I need to get the server hosting more IP addresses. These will all come from its routed /64, and I'll probably change the one that's configured now, too, so that the tunnel address doesn't actually do anything but tunnel. I need to make sure that my logging and log analyzers can handle the IPv6 addresses. I need to make sure all of the servers in use (SSH, web, and e-mail) are functioning (and secured).
Then I need to get SSL certs working for those hosts and configured to serve my millions of websites. Ok...dozens.
Probably around this time I'll get IPv6 service from my ISP. That should be OK. I can give the tunnel back, reconfigure my networks and servers, and start using my new address range.
Then I need to wait for the rest of the world to catch up and do IPv6. Although if that ISP bit happens first, maybe more will be IPv6 than are now.