Hurricane Electric's IPv6 Tunnel Broker Forums

Tunnelbroker.net Specific Topics => Questions & Answers => Topic started by: dummptyhummpty on October 29, 2009, 07:23:04 PM

Title: Providing IPv6 Access During a Class IPv6 Presentation
Post by: dummptyhummpty on October 29, 2009, 07:23:04 PM
For my Business Data Communications and Networking class, a group of us are doing a presentation on IPv6 (and PNRP). We thought it would be great to provide IPv6 access using a modified wireless router during the presentation to those who have laptops. Before we talk to the University to see if we can even hook anything up to their wired network, what type of issues might we encounter trying to get IPv6 over their network? What should we be asking them or looking into? Of course if we can get this working, we would be happy to mention HE. Thanks!
Title: Re: Providing IPv6 Access During a Class IPv6 Presentation
Post by: cholzhauer on October 29, 2009, 07:27:00 PM
You're going to need to make sure that they will pass you the protocol 41 traffic, if you're doing a 6in4 tunnel. 

If you'll be hooking their gear to the router, make sure their firewalls and AV programs know what IPv6 is and what to do with it; products that don't know what IPv6 is will often discard it.
Title: Re: Providing IPv6 Access During a Class IPv6 Presentation
Post by: dummptyhummpty on October 29, 2009, 07:34:37 PM
Thanks. I was hoping they would be able to just stick us on a DMZ or something. Is there any info we will need to give HE?
Title: Re: Providing IPv6 Access During a Class IPv6 Presentation
Post by: cholzhauer on October 29, 2009, 07:41:48 PM
You'll need to give them your public IP address (in the tunnel config) which also means that IP has to be ping-able from the outside.
Title: Re: Providing IPv6 Access During a Class IPv6 Presentation
Post by: dummptyhummpty on October 29, 2009, 07:44:32 PM
Ok great. Sounds like next we need to talk to the University. Is there going to be an issue with NAT or anything like that if our wireless router is behind another router or firewall? I'm not sure if we will be able to get a direct IP address on the 'net.
Title: Re: Providing IPv6 Access During a Class IPv6 Presentation
Post by: cholzhauer on October 29, 2009, 07:48:39 PM
NAT will work, but they will need to forward protocol 41 to whatever address you're at.  No proto41 = no tunnel.
Title: Re: Providing IPv6 Access During a Class IPv6 Presentation
Post by: dummptyhummpty on October 29, 2009, 07:49:56 PM
Ok. Thank you for all your help. Hopefully the University lets us plug in.
Title: Re: Providing IPv6 Access During a Class IPv6 Presentation
Post by: cholzhauer on October 29, 2009, 07:51:35 PM
You're welcome.  There might be something I've overlooked, but I'm sure one of the other people on here will correct me.
Title: Re: Providing IPv6 Access During a Class IPv6 Presentation
Post by: dummptyhummpty on November 17, 2009, 11:17:46 AM
Just thought I'd update this. I never heard back from the University about plugging in. I did notice that if I create a VPN connection from my laptop to their network, I get a public IP (130.x.x.x). I tried to set up an IPv6 tunnel, but it looks like they are blocking ICMP (can't ping it). Is that a deal breaker?
Title: Re: Providing IPv6 Access During a Class IPv6 Presentation
Post by: cholzhauer on November 17, 2009, 11:34:58 AM
AFAIK, yes
Title: Re: Providing IPv6 Access During a Class IPv6 Presentation
Post by: jimb on November 17, 2009, 12:32:56 PM
Quote
Just thought I'd update this. I never heard back from the University about plugging in. I did notice that if I create a VPN connection from my laptop to their network, I get a public IP (130.x.x.x). I tried to set up an IPv6 tunnel, but it looks like they are blocking ICMP (can't ping it). Is that a deal breaker?

Have you just tried a 6in4 tunnel from the network in question?  Most firewalls will simply pass it and set up a temporary connection/nat table entry which forwards incoming proto 41 traffic back to you.  As long as no one else is doing 6in4 behind that device (firewall), it should work.  And in the case of an HE tunnel, the nat device would have to respond to pings on the public.

Other alternatives include establishing some other sort of tunnel to the outside and using that as a conduit.  You could do a GRE tunnel, or establish your own 6in4 tunnel to an outside router you control and statically route part of a HE /48 to your university net (since this wouldn't require ping, but of course depends on the firewall passing 6in4).  You could establish a UDP encapsulated IPSEC tunnel to some router on the outside, and run GRE through that, then run 6in4 through that (EDIT: actually, you could just run ipv6 straight over GRE I think, I've never tried that though).  Lots of ways to sneak through a firewall.  Just requires some creativity and work on your part.  :P
Title: Re: Providing IPv6 Access During a Class IPv6 Presentation
Post by: cholzhauer on November 17, 2009, 12:36:16 PM
Another option would be to use a tunnel from sixxs;  They offer dynamic tunnels that do not require the firewall to pass proto41
Title: Re: Providing IPv6 Access During a Class IPv6 Presentation
Post by: jimb on November 17, 2009, 12:53:51 PM
Quote
Another option would be to use a tunnel from sixxs;  They offer dynamic tunnels that do not require the firewall to pass proto41

What do they use to pass the data?
Title: Re: Providing IPv6 Access During a Class IPv6 Presentation
Post by: cholzhauer on November 17, 2009, 12:55:15 PM
Take a look at this

http://en.wikipedia.org/wiki/Anything_In_Anything
Title: Re: Providing IPv6 Access During a Class IPv6 Presentation
Post by: jimb on November 17, 2009, 01:49:24 PM
Quote
Take a look at this

http://en.wikipedia.org/wiki/Anything_In_Anything

Ah ok.  It looks like it provides a generic tunnel using UDP (EDIT: well it can also use TCP, etc).  So that'd do a good job of FW traversal.

There's actually a Perl script under linux called nat-traverse (http://linide.sourceforge.net/nat-traverse/) which implements a similar strategy, employs UDP hole punching, and allows you to run say, a ppp session over IPv4-UDP, on which ppp interface one could add IPv6 addresses, or even run 6in4 through its IPv4 connectivity.  :)  That'd work if you wanted to DIY and not use SIXXS.  IIRC, SIXXS makes you wait to get an IPv6, and jump through some hoops?  Been a while since I looked into them.
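
The encapsulations named in the thread so far (6in4 as IPv4 protocol 41, GRE, UDP-encapsulated IPsec, AYIYA over UDP) differ in what a firewall or sensor sees in the outer IPv4 header. The following Python classifier is an added example, not part of any post: it runs over constructed packets, uses the IANA-registered ports 5072 (AYIYA) and 4500 (IPsec NAT-T), and all addresses are documentation ranges.

```python
import ipaddress
import struct

PROTO_UDP, PROTO_IPV6, PROTO_GRE = 17, 41, 47
ETHERTYPE_IPV6 = 0x86DD
UDP_TUNNEL_PORTS = {5072: "udp-ayiya", 4500: "udp-ipsec-nat-t"}


def classify(packet: bytes) -> dict:
    """Classify one raw IPv4 packet by what its outer header reveals."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4  # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto, payload = packet[9], packet[ihl:]
    info = {
        "outer_src": str(ipaddress.IPv4Address(packet[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "proto": proto,
        "kind": "other",
    }
    inner = b""
    if proto == PROTO_IPV6:
        # 6in4: the IPv4 payload is a complete IPv6 packet, no ports involved
        info["kind"] = "6in4"
        inner = payload
    elif proto == PROTO_GRE and len(payload) >= 4:
        flags, ethertype = struct.unpack("!HH", payload[:4])
        info["kind"] = "gre"
        # Only the basic 4-byte GRE header (no key/checksum/sequence) is unwrapped
        if flags == 0 and ethertype == ETHERTYPE_IPV6:
            inner = payload[4:]
    elif proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        for port in (dport, sport):
            if port in UDP_TUNNEL_PORTS:
                info["kind"] = UDP_TUNNEL_PORTS[port]
                break
        # AYIYA and ESP payloads are not decoded here
    if len(inner) >= 40 and inner[0] >> 4 == 6:
        info["inner_src"] = str(ipaddress.IPv6Address(inner[8:24]))
        info["inner_dst"] = str(ipaddress.IPv6Address(inner[24:40]))
        info["inner_next_header"] = inner[6]
    return info


def ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet (checksum left at 0; classify() ignores it)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def ipv6(src, dst, next_header, payload=b""):
    """Build a minimal IPv6 packet with a fixed 40-byte header."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


# Constructed samples: client 192.0.2.10 talking to tunnel server 198.51.100.1
INNER = ipv6("2001:db8:1::2", "2001:db8:ffff::1", 58)  # 58 = ICMPv6
SAMPLES = {
    "6in4": ipv4("192.0.2.10", "198.51.100.1", PROTO_IPV6, INNER),
    "gre": ipv4("192.0.2.10", "198.51.100.1", PROTO_GRE,
                struct.pack("!HH", 0, ETHERTYPE_IPV6) + INNER),
    "ayiya": ipv4("192.0.2.10", "198.51.100.1", PROTO_UDP,
                  struct.pack("!HHHH", 40000, 5072, 12, 0) + b"\x00" * 4),
    "dns": ipv4("192.0.2.10", "198.51.100.1", PROTO_UDP,
                struct.pack("!HHHH", 40000, 53, 8, 0)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
```

The 6in4 case carries no port numbers at all, which is why a NAT device can track only one inside 6in4 endpoint per outside address, as jimb notes earlier in the thread.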
Title: Re: Providing IPv6 Access During a Class IPv6 Presentation
Post by: dummptyhummpty on November 17, 2009, 02:12:52 PM
Quote
Have you just tried a 6in4 tunnel from the network in question?  Most firewalls will simply pass it and set up a temporary connection/nat table entry which forwards incoming proto 41 traffic back to you.  As long as no one else is doing 6in4 behind that device (firewall), it should work.  And in the case of an HE tunnel, the nat device would have to respond to pings on the public.

Other alternatives include establishing some other sort of tunnel to the outside and using that as a conduit.  You could do a GRE tunnel, or establish your own 6in4 tunnel to an outside router you control and statically route part of a HE /48 to your university net (since this wouldn't require ping, but of course depends on the firewall passing 6in4).  You could establish a UDP encapsulated IPSEC tunnel to some router on the outside, and run GRE through that, then run 6in4 through that (EDIT: actually, you could just run ipv6 straight over GRE I think, I've never tried that though).  Lots of ways to sneak through a firewall.  Just requires some creativity and work on your part.  :P

I haven't tried that. I'll give that a try when I'm on campus tomorrow. I'm assuming I connect the tunnel to the school's public IP and once I set everything up on my laptop (private IP over WiFi) I should be ok.

As to your other suggestions, you lost me a bit, but I think I understand. I could connect the tunnel to my router at home and then VPN to my router from school. The only problem is the school blocks VPNs (except their own) over WiFi. So I would have to VPN to the school's network and then VPN through that to my home network, correct? For our in-class presentation we are going to use a laptop running Windows Server 2008 (which might be overkill now that I have learned we don't need a DHCP server) and I'm guessing it would go like this:

People In Class >----WiFi----> Windows Server Laptop (with VPN to home router) >----Ethernet----> My Laptop (with VPN to the school's network) ----WiFi----> School's Network

Seems a little complicated. Any better ideas?
Title: Re: Providing IPv6 Access During a Class IPv6 Presentation
Post by: cholzhauer on November 17, 2009, 03:01:10 PM
Yes, you do need to jump through some hoops to get set up, but I was able to get a subnet up and running with them in a couple of days.  HE is the way to go, but if you can't do static tunnels, you're left with sixxs or gogo6.
Title: Re: Providing IPv6 Access During a Class IPv6 Presentation
Post by: jimb on November 17, 2009, 03:12:41 PM
Well, if you're using windows to do this, I can't provide much guidance, since I've never tried to use windows as an IPv6 router.  If the windows VPN allows the routing of IPv6 traffic, then sure, that'd work just fine, provided it could be established through the firewall.  If it's an IPSEC VPN with UDP encapsulation, it should work fine.  Hopefully it doesn't use something like PPTP though, since that can have issues getting through firewalls also.

Most of my ideas use linux though.  You could always run VirtualPC, HyperV or VMWare and run linux under that.  I've actually established 6in4 tunnels via linux running under HyperV on a win 2008 server before.  :P

My first suggestion is simply to try a 6in4 tunnel from inside and see if the FW will pass it.  If you can establish basic IPv6 connectivity to HE via this, then you're halfway there.  If you're doing this with windows, I can't really help you in the next steps of setting it up as an IPv6 router.  You could also do it on a linux box, or if your wifi router supports it, directly from that.  If that can be established, then it should be easy to simply provide the routed /64 to the LAN segment which your wifi router provides.  BTW, it'd probably be easier to configure your wifi router to simply bridge the LAN ports and WLAN and not treat them as separate LAN segments, otherwise you'd need another IPv6 LAN (/64) for your WLAN, static routes, etc.  This is especially true if u wind up using a separate box as your IPv6 tunnel router.

If using "straight" 6in4 doesn't work, then you need to find some way to get through the firewall.  One way is what cholz suggested, using SIXXS, as they use the AYIYA tunneling protocol which will get you through a NAT firewall and give you an IPv6 address.  I'm not sure if SIXXS will provide a routable /64 subnet, or a /48 if you need multiple subnets, like HE does, or just a single IPv6.

If it turns out you can't use something like SIXXS or something else which provides simple "turn key" tunneling, then you could do a DIY tunnel setup.  To do something like this, first you'd establish a working 6in4 tunnel with HE on some site you have control over, such as your home network.  You'd need a routable /48 from HE too, which is as easy as a mouse click.  Then, you can use any number of tunnel methods/software to establish a tunnel from your site to the target network, routing a subnet (or two) of the HE /48 through that tunnel to your target network.  For the tunnel between your home network and the target net, you could use something like nat-traverse (http://linide.sourceforge.net/nat-traverse/), vtun (http://vtun.sourceforge.net/), tinc (http://www.tinc-vpn.org/examples/ipv6-network/), etc.  All these allow generic tunneling of various traffic across IPv4 UDP or TCP connections.  The web sites have examples of for instance, tunneling PPP through IPv4-UDP, which would then allow you to push IPv6 through the PPP interface.  The whole idea here is to use some tunneling method which will traverse your firewall so that you can "get out".

Obviously the DIY method would require the most planning and configuration, but think of what you could learn!  :P
Title: Re: Providing IPv6 Access During a Class IPv6 Presentation
Post by: cholzhauer on November 17, 2009, 03:45:43 PM
Quote
I'm not sure if SIXXS will provide a routable /64 subnet, or a /48 if you need multiple subnets, like HE does, or just a single IPv6.

Yep, they will.  They won't give you a single routable /64 off the bat like HE does...you get the two end points of a tunnel ::1 and ::2 on one /64 and the rest of that /64 is not used.  You can then request a routed /48 if you have enough points, but if you have a LinkedIn profile, you'll have enough.
Title: Re: Providing IPv6 Access During a Class IPv6 Presentation
Post by: dummptyhummpty on November 17, 2009, 07:20:59 PM
Well, I just spent the past 4 hours trying to get IPv6 access on my home network. It probably would have saved me 3 hours had I given HE the correct endpoint IP address for the tunnel. Either it changed, or I'm dyslexic. Having spent the time troubleshooting unnecessarily, I now have a better idea of how this works.

I'm going to create a separate tunnel on the laptop and bring it on campus tomorrow to see if it will work. I'll report back in a while when I get the laptop configured correctly. Thanks to all for your help.
Title: Re: Providing IPv6 Access During a Class IPv6 Presentation
Post by: dummptyhummpty on November 18, 2009, 08:42:36 PM
Currently on campus at school and I can't get the tunnel to come up. Boo. I ended up putting in a request at SixXS as I think that will be easier. Thanks for all your help, I'll keep you all updated.
Title: Re: Providing IPv6 Access During a Class IPv6 Presentation
Post by: jimb on November 18, 2009, 08:52:45 PM
Yeh that's one of the reasons I went w/ HE instead of sixxs.  They make u wait.  And they have some "points" thing which I was like "eh!?" when I saw it.  I guess it's supposed to cut down on malicious use of their service by hax0rs or something.  That, and the fact I wanted to actually learn more about IPv6, not install a piece of software that practically does it all for you.

Title: Re: Providing IPv6 Access During a Class IPv6 Presentation
Post by: dummptyhummpty on November 19, 2009, 07:01:03 PM
I finally got a hold of someone at the University and they are going to look into it for us. That would be great if they could help us out.
Title: Re: Providing IPv6 Access During a Class IPv6 Presentation
Post by: dummptyhummpty on November 24, 2009, 11:30:07 PM
Just another update, the University said it was ok to plug in to their network, but they are too busy at the moment (understandable) to help with the firewall problems. It sounded like it was outside of their immediate control. I decided to see if I could create an SSH tunnel to my house by following this (https://help.ubuntu.com/community/SSH_VPN) guide, but when everything is configured, it seems as if traffic isn't being correctly routed. Any ideas? I know it's not really related to IPv6, but our presentation is tomorrow and I'd love to have this working.
Title: Re: Providing IPv6 Access During a Class IPv6 Presentation
Post by: cholzhauer on November 25, 2009, 05:03:11 AM
Can you post your routing tables and the output of a traceroute to that machine?
Title: Re: Providing IPv6 Access During a Class IPv6 Presentation
Post by: jimb on November 25, 2009, 06:50:10 AM
Heh that's the one thing I forgot to mention, using ssh -w.  I've actually used it and had it work myself.  I presume you're doing this on linux.

First, you have to make sure the tun/tap driver is loaded (modprobe tun).  You also have to make sure that your sshd_config has a line "PermitTunnel yes", then reload sshd (/etc/init.d/ssh reload).  Then of course, you need to ssh in as root with -w (something like "ssh -l root -f -w 0 <ip> true").  This will cause tun devices on each end to be "plumbed" through the ssh and sshd on either end.

In the example, the client would use tun0, and the server tun0 also presuming it's not already in use.  The tun0 interfaces act as point-to-point interfaces on the local and remote ends.  Now you need to add IP addresses to them (example:  "ip addr add 172.16.17.1 peer 172.16.17.2 dev tun0" on the local end, and the reverse on the remote end).  Then bring the interfaces up with "ip link set tun0 up" on both ends.  At this point you should have IPv4 connectivity between both sides (make sure the iptables firewall isn't blocking stuff).

You should be able to ping, etc.  Note that you don't really need IPv4 if you're just doing IPv6.

You can add IPv6 addresses to the tun interfaces with something like this:  "ip addr add fdd6:084c:c697::1/64 dev tun0" (use ::2 at the other end of course).  In this example I'm using site unique addresses for the tunnel end points.  You could use a /64 out of your /48, or whatever.  Once this is done you should be able to ping6 either end.  (You may have noted that in the case of IPv6, you don't use the "peer" argument.)

The "ip addr" and ifconfig command output should look like this:

17: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/[65534]
    inet 172.16.17.1 peer 172.16.17.2/32 scope global tun0
    inet6 fdd6:84c:c697::1/64 scope global
       valid_lft forever preferred_lft forever

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:172.16.17.1  P-t-P:172.16.17.2  Mask:255.255.255.255
          inet6 addr: fdd6:84c:c697::1/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:101 errors:0 dropped:0 overruns:0 frame:0
          TX packets:122 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:21887 (21.3 KiB)  TX bytes:12301 (12.0 KiB)


Now, to get routing up and going, first make sure you have ip forwarding turned on in the kernel on both sides (sysctl -w net.ipv4.conf.all.forwarding=1 net.ipv6.conf.all.forwarding=1).  Then you can add routes through the tun interfaces.  For instance, let's pretend that the site unique prefix "fdd6:084c:c697:1::/64" is a subnet of your public routed /48 and use it for the LAN.  On the remote end (home), you'd add a route to that network through the tun0 interface like so:  "ip route add fdd6:084c:c697:1::/64 dev tun0" (just make sure you substitute that prefix with your public IPv6 subnet).  On the local end (school) you'd add a default route through tun0:  "ip route add ::0/0 dev tun0" (or alternatively, "ip route add default via fdd6:084c:c697::1", or whatever IPv6 you used as the tunnel endpoint address on the home end).

Aside from making sure iptables and ip6tables firewalls aren't blocking anything, and presuming you've already established IPv6 connectivity on the home end, it should work.

HTH.  :)
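
The procedure in the post above depends on two server-side settings: "PermitTunnel yes" and a root login. From the administrator's side, the following Python check of an sshd_config text reports where those settings are in effect; it is an added example, not part of the thread. The sample configs are constructed, the defaults assumed are those of current OpenSSH releases, and Include directives are not followed.

```python
import re

# Assumed defaults of current OpenSSH releases (older releases defaulted
# PermitRootLogin to "yes").
DEFAULTS = {"permittunnel": "no", "permitrootlogin": "prohibit-password"}
TUNNEL_ON = {"yes", "point-to-point", "ethernet"}
LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$")


def parse_sshd_config(text):
    """Return (global settings, [(match criteria, settings), ...]).

    Keywords are case-insensitive, and the first value seen for a keyword
    within a section is the one kept, mirroring sshd's first-value-wins rule.
    """
    global_settings, match_blocks = {}, []
    section = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if keyword == "match":
            # Everything up to the next Match line applies only to this block
            section = {}
            match_blocks.append((value, section))
        else:
            section.setdefault(keyword, value)
    return global_settings, match_blocks


def audit_tunnel_exposure(text):
    """List the settings that allow ssh -w tun/tap forwarding."""
    global_settings, match_blocks = parse_sshd_config(text)
    effective = dict(DEFAULTS)
    effective.update({k: v for k, v in global_settings.items() if k in DEFAULTS})
    findings = []
    if effective["permittunnel"] in TUNNEL_ON:
        findings.append(f"global: PermitTunnel {effective['permittunnel']}")
        if effective["permitrootlogin"] != "no":
            findings.append(
                f"global: PermitRootLogin {effective['permitrootlogin']} "
                "with tunnelling enabled")
    for criteria, settings in match_blocks:
        # A Match block overrides the global value for matching sessions
        value = settings.get("permittunnel")
        if value in TUNNEL_ON:
            findings.append(f"Match {criteria}: PermitTunnel {value}")
    return findings


# Constructed sample: a server prepared for the ssh -w procedure
WEAK = """\
Port 22
PermitRootLogin yes
PermitTunnel yes
PermitTunnel no
Match Address 192.0.2.0/24
    PermitTunnel point-to-point
"""

# Constructed sample: tunnelling and root login both disabled
HARDENED = """\
PermitRootLogin no
PermitTunnel no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_tunnel_exposure(cfg))
```

In the weak sample the second "PermitTunnel no" line has no effect because the first value wins, which is the kind of mistake this check surfaces.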
Title: Re: Providing IPv6 Access During a Class IPv6 Presentation
Post by: dummptyhummpty on November 25, 2009, 10:19:16 AM
jimb,

Thanks so much! I have the laptop at my office and was just able to create the SSH tunnel and forward the IPv6 traffic across. I'm thinking this should work at school as I was able to create an IPv4 SSH tunnel last night, but couldn't forward any traffic. I think it was because I didn't have the routes correct on my home machine. I'll let you know how it goes. Back to work....
Title: Re: Providing IPv6 Access During a Class IPv6 Presentation
Post by: jimb on November 25, 2009, 02:38:19 PM
Cool.  I'd get it all working ahead of time too.  If you want to get "fancy", you could even use radvd to have the LAN at school auto configure IPv6 addresses (have it advertise a /64 subnet of your /48 like I mentioned previously).  Also, don't be surprised if radvd advertises the link local address of your LAN interface to your LAN.  That's what mine does for whatever reason, which is of course no problem.  You could also set up DHCPv6 too of course.

You may also want to make sure that DNS works for IPv6.  I've noted that some DNS servers, especially ones built into consumer routers, sometimes refuse to return AAAA records even when available (for instance, the Verizon FiOS supplied Westell router on a friend's home network doesn't).  If it doesn't, you may want to set up BIND on your linux box and use that.  Have your IPv4 DHCP server point to it instead of the wifi router or whatever ... I don't think windows or linux pays attention to radvd's RDNSS entries without extra software running, although I'm not sure about windows ... XP doesn't seem to.  If you do DHCPv6 obviously this is moot.
Title: Re: Providing IPv6 Access During a Class IPv6 Presentation
Post by: dummptyhummpty on November 25, 2009, 06:52:43 PM
jimb,

Thanks for all your help! Our class starts in about 10mins; we hooked everything up and it's working. I ended up setting our "router" (laptop) to use HE's dns servers. I also loaded radvd so thanks for the suggestion!

Also, thanks to cholzhauer and everyone else who helped!
Title: Re: Providing IPv6 Access During a Class IPv6 Presentation
Post by: jimb on November 26, 2009, 02:17:40 PM
Nice.  Hope you get a good grade or whatever.    :)
Title: Re: Providing IPv6 Access During a Class IPv6 Presentation
Post by: dummptyhummpty on November 27, 2009, 02:34:51 PM
Thanks. I hope we do too.