# How to get Gentoo running as an IPv6 router/firewall.

## GurliGebis

How to get Gentoo running as an IPv6 router/firewall.

First we need some things to be done:

1: You need to have an IPv6 segment (you can get one from http://www.xs26.net or http://ipng.org.uk/). This guide is based on the http://ipng.org.uk/ settings, but it shouldn't be much different with any other one.

2: You will also need to have a reverse DNS set up, look at http://ipng.org.uk/ to see how this is done with BIND.

This all is based on this configuration:

eth0 = external interface of router/firewall

eth1 = internal interface of router/firewall

Ok, let's get to work.

1: Kernel configuration. (Based on gentoo-sources-2.4.20-r2)

Here is what is needed:

In Networking options:

```
[*] Network packet filtering (replaces ipchains)
[*] Socket Filtering
<*>   The IPv6 protocol (EXPERIMENTAL)
```

In Networking options -> IPv6: Netfilter Configuration:

```
<*> Userspace queueing via NETLINK (EXPERIMENTAL)
<*> IP6 tables support (required for filtering/masq/NAT)
<*>   limit match support
<*>   MAC address match support
<*>   Condition variable match support
<*>   HL match support
<*>   Routing header match support (EXPERIMENTAL)
<*>   Hop-by-Hop and Dst opts header match (EXPERIMENTAL)
<*>   Fragmentation header match support (EXPERIMENTAL)
<*>   Multiple port match support
<*>   Owner match support (EXPERIMENTAL)
<*>   netfilter MARK match support
<*>   Packet Length match support
<*>   EUI64 address check (EXPERIMENTAL)
<*>   AH/ESP match support (EXPERIMENTAL)
<*>   EUI64 address check (EXPERIMENTAL)
<*>   Packet Length match support
<*>   IPv6 Extension Headers Match (EXPERIMENTAL)
<*>   Packet filtering
<*>     HL target support
<*>     LOG target support
<*>     REJECT target support
<*>   Packet mangling
<*>     MARK target support
```

Then compile the kernel and copy it to /boot .

BEFORE you reboot, emerge the things that get messed up by a new kernel (iptables, nvidia-kernel etc.)

Reboot to use the new kernel.

2: Obtaining an IPv6 segment

First, go to http://ipng.org.uk/ and click signup, fill in all the required information and submit it.

Now wait about 3 minutes, and you should be able to log in.

Now you have to submit the address of your reverse DNS, read at the page for how to set this up.

Once this is set up correctly, your information will be like this:

Your IPv6 prefix is: 2001:618:4:1234::/64

Your ipv6 tunnel end ip is: 2001:618:4:2000::1235

The IPNG ipv6 tunnel end ip is: 2001:618:4:2000::1236

The IPNG ipv4 tunnel end ip is: 213.253.1.201

(1234, 1235 and 1236 will be different for you)

If your IPv6 prefix is: ::/64, then you still need to submit your reverse DNS.

If this is done, then congratulations, you just got your own private IPv6 segment :)

3: Installing the needed utilities

These utilities are needed, so emerge those you don't have:

```
iptables
iproute
```

4: Making the script to make it work

Here is the init script I use, it is called net.ipv6:

```
#!/sbin/runscript

depend() {
        need net
        before iptables
}

start() {
        ebegin "Starting up IPv6"
        einfo "Setting up tunnel"
        /sbin/ip tunnel add ipng mode sit ttl 64 remote 213.253.1.201
        einfo "Bringing ipng up"
        /sbin/ifconfig ipng up
        einfo "Adding IPv6 address to ipng"
        /sbin/ifconfig ipng add 2001:618:4:2000::1235/128
        einfo "Adding IPv6 address to eth1"
        /sbin/ifconfig eth1 add 2001:618:4:1234::1/64
        einfo "Adding default route"
        /sbin/ip ro add 2000::/3 dev ipng
        eend 0
}

stop() {
        ebegin "Shutting down IPv6"
        einfo "Removing default route"
        /sbin/ip ro del 2000::/3 dev ipng
        einfo "Removing IPv6 address from eth1"
        /sbin/ifconfig eth1 del 2001:618:4:1234::1/64
        einfo "Removing IPv6 address from ipng"
        /sbin/ifconfig ipng del 2001:618:4:2000::1235/128
        einfo "Bringing ipng down"
        /sbin/ifconfig ipng down
        einfo "Removing tunnel"
        /sbin/ip tunnel del ipng
        eend 0
}
```

Save it as /etc/init.d/net.ipv6 and do a:

```
rc-update add net.ipv6 default
```

(It has a little bug when shutting down, but that doesn't do any harm.) (If people don't understand what I mean with the (text)/128, please tell me, and I'll try to explain it a bit better.) (I know the header of the init script is missing, this is because I don't know how to make it "The Gentoo Way" :) )

So far, so good. Now we need to edit /etc/conf.d/iptables and enable IPv6 forwarding.

5: Final stuff to be done

If you have an iptables firewall that by default blocks traffic coming from the outside, you will need to add this one to it:

```
iptables -A INPUT -i eth0 -p ipv6 -j ACCEPT
```

(eth0 = your external interface)

6: Testing it

First, reboot to make sure network and tunnel get started with the system, and without errors.

Once the system gets up, go to http://ipng.org.uk/lg.cgi, select ping6 as the tool, and write this in the textbox: 2001:618:4:1234::1

If everything goes well, it will ping you and get an answer back.

7: Setting up clients to use the router with IPv6

Since we don't use masquerading, every client will have its own public IPv6 address. If people want to firewall traffic, it can be done on the router between the ipng and the eth1 interface with the ip6tables command, man ip6tables for more info on this subject.

Well, back to getting the clients up and running.

Windows 2000/XP

Well, somebody might still be using this :)

Get a command prompt and do this:

```
ipv6 install
```

Then do this:

```
ipv6 if
```

Now find your network interface and remember what number it has (normally 4). (X in the script a bit below is this number)

After doing this, it should have installed the IPv6 stack, now make a .bat file for giving your NIC an IPv6 address.

```
ipv6 rtu 2002::/16 X
ipv6 adu X/2001:618:4:1234::2
ipv6 rtu ::/0 X/2001:618:4:1234::1 pub life 1800
```

Now create a shortcut to this .bat file in your startup folder.

Linux

I haven't yet made a client IPv6 init script, but it only has to run these 2 commands:

```
ifconfig eth0 add 2001:618:4:1234::2/64
route -A inet6 add 2000::/3 gw 2001:618:4:1234::1
```

(eth0 = interface connected to eth1 on the router/firewall)

That should complete this, PLEASE give me feedback on this one
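
An added example, not part of the original post: one way to restrict the step 5 rule to the tunnel peer and to do the ip6tables filtering between ipng and eth1 that step 7 mentions. It assumes a kernel and ip6tables with IPv6 connection tracking (the `conntrack` match, which is not among the kernel options listed above); the function names and the port 22 sample are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post. It only prints commands:
# review the output, then feed it to a root shell.
# Defaults are the guide's values; override them through the environment.
WAN_IF=${WAN_IF:-eth0}                  # external IPv4 interface
LAN_IF=${LAN_IF:-eth1}                  # internal interface
TUN_IF=${TUN_IF:-ipng}                  # sit tunnel created by net.ipv6
TUN_PEER4=${TUN_PEER4:-213.253.1.201}   # IPNG IPv4 tunnel end
LAN_PREFIX6=${LAN_PREFIX6:-2001:618:4:1234::/64}

# Default-deny forwarding between the tunnel and the LAN.
render_base() {
    cat <<EOF
# 6in4 (IP protocol 41) is accepted only from the tunnel peer
iptables -A INPUT -i $WAN_IF -p 41 -s $TUN_PEER4 -j ACCEPT
ip6tables -P FORWARD DROP
ip6tables -F FORWARD
# anti-spoofing: the LAN prefix must not arrive from outside, and the
# LAN must not send from any other prefix
ip6tables -A FORWARD -i $TUN_IF -s $LAN_PREFIX6 -j DROP
ip6tables -A FORWARD -i $LAN_IF ! -s $LAN_PREFIX6 -j DROP
# replies and related ICMPv6 errors for connections opened from the LAN
ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -i $LAN_IF -o $TUN_IF -j ACCEPT
# rate-limited ping6 towards LAN hosts (uses the limit match)
ip6tables -A FORWARD -i $TUN_IF -o $LAN_IF -p icmpv6 --icmpv6-type echo-request -m limit --limit 5/second -j ACCEPT
EOF
}

# Open one TCP port on one LAN host: render_inbound <ipv6-address> <port>.
# Returns 1 without output if either argument could not be a literal
# address or port, so nothing unexpected reaches the root shell.
render_inbound() {
    case $1 in ''|*[!0-9a-fA-F:]*) return 1 ;; esac
    case $2 in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$2" -ge 1 ] && [ "$2" -le 65535 ] || return 1
    echo "ip6tables -A FORWARD -i $TUN_IF -o $LAN_IF -d $1 -p tcp --dport $2 -m conntrack --ctstate NEW -j ACCEPT"
}

render_base
# Constructed sample: SSH to the client address used in step 7
render_inbound 2001:618:4:1234::2 22
```

The ping6 test in step 6 targets the router's own address, so it is governed by the INPUT chain and is not affected by these FORWARD rules.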

----------

## 69link

Great guide.

I followed it and was up in no-time.

But this is my first experience with ipv6 and I don't know what to do with it yet

----------

## GurliGebis

hehe, I use it to be able to connect directly to my machines behind my router.

----------

## zingit

Followed the guide easily enough, got it working!! yay!

Few pitfalls though:

- Make sure you put the right numbers in the right places; it's very easy to mix up the tunnel IPv6 addresses.

- When compiling your kernel, be sure to miss out

```
[ ]     IP: IPv6 over IPv4 tunneling support (replaces sitXX devices)
```

this option, as it will produce errors from the init script like

```
ioctl: No such device
```

- I seem to be having problems putting the Windows setup lines into a batch file (the first line of script is repeated until Ctrl+C'ed). If anyone has any idea, please post (I'm not that good at Windows)

- If you're looking at the init script, it really does mean eth1, not eth0. Honest. Don't change it or it won't work. (unless your internal NIC is something other than eth1)

Have fun with IPv6,

zingit

----------

## robbat2

One request for an addition to this.

What DHCP stuff can be done to hand out IPv6 addresses automatically to your internal network?

----------

## GurliGebis

AFAIK no IPv6 stuff can be done over DHCP yet. :(

----------

## robbat2

look up neighbour discovery and router discovery for IPv6.

----------

## GurliGebis

hehe, it would be great if ISC's DHCPD could give out IPv6 addresses too, but it might happen some day :)

----------

## IWBCMAN

ok -braindead questions.....

does one have to have their own DNS with a static IP to do this(ie. I use dyndns ....) ?

-I am unfortunately so ignorant as to not even know whether this IP4 stuff is necessary to work with IP6.....

does one have to have their own domain registered on the internet ?

does anybody here wish to elaborate a little on the whole IP6 thing....I have read some stuff about it and have an ultra vague understanding of what it is about(ie. much larger address space, no need for NAT, coupling IP6/IP4 via a NAT-6:4..) but I am an absolute noob about this stuff...

;)

----------

## IWBCMAN

ok I guess my questions were too dumb....

still would love some feedback though.....

----------

## GurliGebis

I have a dynamic IP, I just change it on their website when it changes (happens once or twice a year).

----------

## GurliGebis

About the client script.

Just add the two lines of code to /etc/conf.d/local.start, and they will be executed as the last thing in bootup (Why am I telling you this, people already know this :) )

----------

## wlkerboh

Install radvd for ipv6 auto-conf. Just make sure to edit the conf file to hand out your IP addresses and not someone else's :)

----------

## GurliGebis

Does radvd have an option to give a specific ipv6 address to a specific MAC address, like DHCPD has?

----------

## wlkerboh

Not that I've seen. radvd announces the link global prefix (the network portion of the address). An ipv6 capable host takes this and the mac address to produce a usable IP address. Of course you still have the option of static IP addresses for servers.

----------

## clumsyninja

i understand why ipv6 is being implemented, but i have an additional question (one that i can't seem to find an answer to after spending some time googling around).

are there any performance gains to using ipv6 in your experience? does it play nicely with ipv4? would i carry both an ipv4 address and an ipv6 address? can i go with ipv4 on my internal network (no worries about running out of ip addresses here ;) ) and ipv6 on my external device? wtf happened to ipv5? :D

i figured asking people who really use it is probably the best way to find out.

thanks in advance for any replies.

----------

## wlkerboh

 *clumsyninja wrote:*   

> are there any performance gains to using ipv6 in your experience? does it play nicely with ipv4?

 

Haven't done any performance tests.  Feels just as fast as v4.  Might be a few cycles slower due to longer addresses, but nothing that you and I are likely to notice.

 *clumsyninja wrote:*   

> would i carry both an ipv4 address and an ipv6 address? 

 

Each version is a unique network stack. Sort of like running IPX and IP on the same wire.  There are provisions in the spec for a v6-only host to communicate with a v4-only host, but I haven't played with that aspect yet.

 *clumsyninja wrote:*   

> can i go with ipv4 on my internal network and ipv6 on my external device? 

 

Could, but why?  v6 is designed to operate with many IP addresses per interface, each with a different scope: link (aka local) or global.  If you were using v6 internally and only v4 externally (no 6to4 tunnels), your router would have to NAT.  I'm sure this functionality exists somewhere, I haven't bothered looking for it though.

 *clumsyninja wrote:*   

> wtf happened to ipv5?

 

Already assigned to a now defunct test protocol.  Google for this and you will come up with a more detailed answer.

----------

## depptr0tt

hmm does this share internet?

I mean does eth0 give eth1 access to internet or what should I add in iptables then?

----------

## Redeeman

there's a tool called radvd that works as an ipv6 replacement for dhcp

----------

## GurliGebis

yap, but is it able to assign a certain ipv6 to a certain MAC like DHCPD?

----------

## ryceck

 *GurliGebis wrote:*   

> yap, but is it able to assign a certain ipv6 to a certain MAC like DHCPD?

 

No, it isn't, but you could take a look at dhcpv6. I wasn't able to compile it myself, but theoretically dhcpv6 should be able to assign ipv6 addresses on a MAC basis.

----------

