IPv6
I’ve spent part of the last two days setting up IPv6 on my home network, using 6to4 on my Debian-based router/server/firewall to enable outgoing traffic (my lousy ISP doesn’t have full IPv6 support).
I had most of it up and running already yesterday, but hadn’t configured iptables correctly, so some sites, like the IETF and releases.mozilla.org, were unreachable. It turned out that traffic from those sites, unlike all the other ones I tested, was sent as IPv4 packets directly to me and not coming in through the tunnel interface (update: see the comments section for an explanation of why). A simple
iptables -A [CHAIN-NAME] -p ipv6 -j ACCEPT
solved that. (-p ipv6 matches IP protocol 41, i.e. IPv6 encapsulated in IPv4, which is what 6to4 carries. Don’t worry, though: all those IPv6 packets still go through your ip6tables setup once they are decapsulated; I tried and verified it.)
I’m amazed at how well radvd and the underlying systems work. Just change its config and reload it, and all your clients immediately have the corrected addresses. That’s a bit better than DHCP…
A few useful references for configuring were:
- IPv6 6to4 config generator for Debian
- How to get IPv6 running with Debian Linux
- ipv6only.se (for testing and verifying)
- nostrad, a friend of mine, and his scripts (but mostly he himself) were a lot of help!
I also made a few scripts along the way, e.g. one to handle a change of my (IPv4) address (my external IP is assigned by DHCP, but it’s been the same for about two years now), but I probably won’t release them (at least not right now) due to code smell (or rather stench)…
Of course, since the server now has IPv6, firetech.nu (including Firelog) now has an AAAA record in DNS, which, among other things, means that firetech.nu/ip now shows your IPv6 address (instead of IPv4) if you have one. :)
Set up IPv6 and go greet the future (and my server) today, it won’t take long!
—
Update (2009-05-29):
The AAAA record now points to my SixXS tunnel interface, since that IP is static. My intention is to migrate to the SixXS tunnel once I’m able to request a subnet for it. The reasons? 1) Entirely static IP addresses! 2) My brother-in-law has had a few problems with 6to4 and the inconsistency of where the IPv6-to-IPv4 conversion is made (which is by design, nevertheless).
May 27th, 2009 at 4:31
“It turned out that traffic from those sites, unlike all the other ones I tested, was sent as IPv4 packets directly to me and not coming in through the tunnel interface.”
The problem you encountered is that not all 6to4 packets arrive with a source address of 192.88.99.1. 6to4 uses anycast in both directions: 192.88.99.0/24 for v4->v6, and 2002::/16 for v6->v4. So, it’s mostly unpredictable which v6->v4 gateway your return packets will come through. Some of them set their source address to 192.88.99.1, but some use a “real” IPv4 address, and that difference will confuse your IPv4 firewall.
Your solution is correct, though.
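Added example, not from the original post or its comments: a small Python script that works through the 6to4 addressing the comment describes (the site’s IPv4 address embedded in a 2002::/16 prefix) and then classifies inbound protocol-41 packets the way a 6to4 router sees them. It makes the comment’s point concrete: a rule that only accepts IPv4 sources in 192.88.99.0/24 would drop return traffic that a relay sent from its own unicast address, which is what the `-p ipv6 -j ACCEPT` rule above fixes. Because that rule necessarily accepts protocol 41 from anywhere, the example also shows the one check that does still make sense at decapsulation time: when the inner IPv6 source is a 2002:: address, the outer IPv4 source must be the address embedded in it (the consistency check RFC 3056 asks of 6to4 routers, discussed further in RFC 3964). All addresses and packets are constructed samples from the RFC 5737 documentation ranges; the function names, verdict strings, and zeroed checksums are this example’s own choices.

```python
"""6to4 address math and an inbound IPv6-in-IPv4 (protocol 41) check.

Added example; addresses and packets below are constructed samples, not
captures from the author's network.
"""
import ipaddress
import struct
from typing import Optional, Tuple

SIXTOFOUR_NET = ipaddress.IPv6Network("2002::/16")
RELAY_ANYCAST_NET = ipaddress.IPv4Network("192.88.99.0/24")  # RFC 3068 relay anycast
PROTO_IPV6_IN_IPV4 = 41                                      # what `iptables -p ipv6` matches

# Ranges a 6to4 site address must not come from (RFC 3056 requires a globally
# unique IPv4 address). The RFC 5737 documentation nets used as samples below
# are deliberately left out so the example runs on them.
_UNUSABLE_V4 = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def sixtofour_prefix(v4: str) -> ipaddress.IPv6Network:
    """Site prefix 2002:XXXX:XXXX::/48 derived from the site's public IPv4 address."""
    addr = ipaddress.IPv4Address(v4)
    if any(addr in net for net in _UNUSABLE_V4):
        raise ValueError(f"{v4} is not usable as a 6to4 site address")
    # 0x2002 in the top 16 bits, the IPv4 address in the next 32, 80 zero bits below.
    return ipaddress.IPv6Network((0x2002 << 112 | int(addr) << 80, 48))


def embedded_ipv4(v6: str) -> Optional[ipaddress.IPv4Address]:
    """IPv4 address carried in bits 16..47 of a 2002::/16 address, else None.
    (Same result as the stdlib property IPv6Address.sixtofour.)"""
    addr = ipaddress.IPv6Address(v6)
    if addr not in SIXTOFOUR_NET:
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFF_FFFF)


def parse_encapsulated(packet: bytes) -> Optional[Tuple[ipaddress.IPv4Address, ipaddress.IPv6Address]]:
    """Return (outer IPv4 source, inner IPv6 source) for a protocol-41 packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes, options included
    if packet[9] != PROTO_IPV6_IN_IPV4:   # protocol field
        return None
    outer_src = ipaddress.IPv4Address(packet[12:16])
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("protocol 41 payload is not an IPv6 header")
    inner_src = ipaddress.IPv6Address(inner[8:24])
    return outer_src, inner_src


def classify_inbound(packet: bytes) -> str:
    """Verdict for an inbound packet as a 6to4 router would decide it.

    Only the 2002:: case lets us verify anything: the outer IPv4 source must be
    the address embedded in the inner IPv6 source. Native IPv6 arrives through a
    relay whose outer source may be the anycast address or the relay's own
    unicast address, so an IPv4 filter limited to 192.88.99.0/24 would break
    the last case (the situation the post ran into).
    """
    parsed = parse_encapsulated(packet)
    if parsed is None:
        return "ignore:not-protocol-41"
    outer_src, inner_src = parsed
    embedded = embedded_ipv4(str(inner_src))
    if embedded is not None:
        return "accept:direct-6to4" if embedded == outer_src else "drop:spoofed-2002-source"
    if outer_src in RELAY_ANYCAST_NET:
        return "accept:via-anycast-relay"
    return "accept:via-unicast-relay"


def build_packet(outer_src: str, outer_dst: str, inner_src: str, inner_dst: str,
                 proto: int = PROTO_IPV6_IN_IPV4) -> bytes:
    """Constructed sample: minimal IPv4 header + minimal IPv6 header, no payload.
    Checksums are left as zero; the parser above does not verify them."""
    v6 = (struct.pack("!IHBB", 6 << 28, 0, 59, 64)         # version 6, no next header
          + ipaddress.IPv6Address(inner_src).packed
          + ipaddress.IPv6Address(inner_dst).packed)
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(outer_src).packed,
                     ipaddress.IPv4Address(outer_dst).packed)
    return v4 + v6


if __name__ == "__main__":
    me = "192.0.2.1"                                  # this site's (sample) public IPv4
    my_prefix = sixtofour_prefix(me)                  # 2002:c000:201::/48
    print("site prefix:", my_prefix)
    for outer, inner in [("198.51.100.7", "2002:c633:6407::1"),   # another 6to4 site, direct
                         ("203.0.113.9", "2002:c633:6407::1"),    # same inner source, wrong outer
                         ("192.88.99.1", "2001:db8::10"),         # native v6 via anycast relay
                         ("203.0.113.9", "2001:db8::10")]:        # native v6 via a relay's own address
        pkt = build_packet(outer, me, inner, "2002:c000:201::1")
        print(f"{outer:>14} -> {inner:<20} {classify_inbound(pkt)}")
```

The fourth sample line is the traffic from the IETF and Mozilla hosts the post mentions: inner source is native IPv6, outer source is an ordinary unicast address, so only a protocol-based rule lets it through, and the real policy decisions then belong on the decapsulated IPv6 side in ip6tables.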
May 27th, 2009 at 7:16
So THAT’s how it’s working!
I wondered when the traffic back to me was converted, and got a little confused there. Thanks for the heads up! :)
I also saw you posted your comment from an IPv6 address, so the IPv6 Internet has a few hosts anyway. :)