Hurricane Electric's IPv6 Tunnel Broker Forums

I have a Cisco 871W router set up with a tunnel to Hurricane Electric.  I can use IOS commands on the Cisco router to reach HE and verify the tunnel is working.

Now that I have a tunnel, I'd like to have an OS X client (Snow Leopard) access ipv6.google.com and other ipv6 servers.  I'm new to this and having trouble understanding how to set up the OS X client so it will work with the Cisco router to use the tunnel.  There don't seem to be examples of the setups needed to get OS X to work.

So if someone has been successful with this type of configuration - is the setup documented somewhere that I can read?

Some questions about areas that I'm trying to learn and understand:

-  Do I have to turn off ipv4 on the Mac if I'm using ipv6?
-  HE provided the following:

2001:470:7:444::2/64 as the Client IPv6 address for the tunnel endpoint
2001:470:e068::/48  for routed /48
2001:470:8:444::/64 for routed/64

In the Mac OS X Systems Preferences "network" panel, Configure IPv6 settings should I use "Automatically" or "Manually"?

Does the CISCO have to be enabled with "ipv6 unicast-routing" for OS X "Automatically" to work?

If OS X does not support DHCPv6 how does one handle DNS on OS X?

DO I add a DNS entry for ipv6?  Should I add both the available DNS Resolvers that NE provided?   to the OS X DNS servers?

How does "Protocol 41" fit into the picture.  Do I need to do anything to my Cisco 871 to support Protocol 41?  To OS X?

With the Cisco tunnel endpoint of 2001:470:7:444::2/64  if I am to assign a manual address to the OS X client, what IPv6 address do I assign to the OS X client?  Would it be an address in the range of 2001:470:e068::1 to 2001:470:e068::48?  is that the range available to me or is the range 2001:470:8:444::1 to 2001:470:8:444::64?   Is the correct "prefix length" 48 or 64?  How do I know which is correct?

If someone has a working OS X client configuration for HE setup I would be grateful if you could share your configuration settings with me so I could learn how this works from a working configuration rather than experimenting with all the possibilities and not getting very far.

Thanks!

QuoteDo I have to turn off ipv4 on the Mac if I'm using ipv6?

Nope.  You can, but you'll probably want to run dual stack.

QuoteHow does "Protocol 41" fit into the picture.  Do I need to do anything to my Cisco 871 to support Protocol 41?  To OS X?

You only need that between your router and HE.  The Mac doesn't see any proto-41 traffic

QuoteDoes the CISCO have to be enabled with "ipv6 uniast-routing" for OS X "Automatically" to work?

Possibly, but I don't know for sure..Someone else like JimB would know for sure. My Cisco ASA can do Router Advertisement...can your router?  If so, and you don't need any other special options that DHCPv6 can do, I suggest that you use that.  Just make sure you use either your routed /64 or pick a /64 out of your routed /48

I have Macs here that work great with IPv6.  If you use RA, they'll pick up an address automatically (leave that setting you mentioned set to auto)

QuoteDO I add a DNS entry for ipv6?

For name lookups or for local name lookups (ie you can refer to your computer as computer.domain.com) As for DNS, what are you using to provide DNS?  I use MSDNS and I need to manually insert the IP addresses into my DNS server (both v4 and v6)

For external lookups, you can just give OSx the address of your local dns server (v4 or v6) or use DNS from HE (in that case, yes, use both addresses)

/48 and /64 do not mean how many IPs per block, they are block sizes, with a single /64 having 18 quintillion IPv6 addresses, and a /48 has 65536 /64 subnet allocations.

you'll want ipv6 unicast-routing enabled.

I think if you simply put like 2001:470:8:444::1/64 on your LAN facing interface on the cisco, that it will automatically start to use RA to get your LAN machines configured. I believe you have to explicitly set "ipv6 nd suppress-ra" or similar on that LAN facing interface to not use RA.

Quote from: broquea on December 08, 2009, 01:11:00 PM
/48 and /64 do not mean how many IPs per block, they are block sizes, with a single /64 having 18 quintillion IPv6 addresses, and a /48 has 65536 /64 subnet allocations.

you'll want ipv6 unicast-routing enabled.

I think if you simply put like 2001:470:8:444::1/64 on your LAN facing interface on the cisco, that it will automatically start to use RA to get your LAN machines configured. I believe you have to explicitly set "ipv6 nd suppress-ra" or similar on that LAN facing interface to not use RA.

LOL.  So on a Cisco, you have to explicitely tell it to route ipv6 (even though it's a router), but explicitly tell it NOT to do router advertisements on an IPv6 configured interface for it not to do it?  Please tell me it wont do RA unless you enable routing at least?  (haven't done much IPv6 on Ciscos, obviously)  :P

my asa will route ipv6 traffic automatically as long as ipv6  is enabled on the interface.  as for RA, the asa will advertise on an interface unless you tell it not to

Quote from: jimb on December 08, 2009, 03:13:29 PM
LOL.  So on a Cisco, you have to explicitely tell it to route ipv6 (even though it's a router), but explicitly tell it NOT to do router advertisements on an IPv6 configured interface for it not to do it?  Please tell me it wont do RA unless you enable routing at least?  (haven't done much IPv6 on Ciscos, obviously)  :P

Actually this has been the behavior on both Cisco and Brocade/Foundry, if you ipv6 enable an interface, and don't explicitly configure it to suppress RA, it will do it based on the /64 you assign an IP onto that interface. And with at least Brocade/Foundry, it will do it for all /64s configured on that interface, unless you specifically configure it only to RA 1 specific /64. Needless to say anytime I put IPv6 on an interface my first two commands are

ipv6 enable
ipv6 nd suppress-ra

Ah.  Good to know.   8)

Will it advertise itself as an IPv6 default router if IPv6 unicast routing isn't enabled?  Or just advertise the prefix (if RA even does one without the other, which I'm not sure)?

Quote from: cholzhauer on December 08, 2009, 11:58:59 AM

QuoteDO I add a DNS entry for ipv6?

As for DNS, what are you using to provide DNS?  I use MSDNS and I need to manually insert the IP addresses into my DNS server (both v4 and v6)

For external lookups, you can just give OSx the address of your local dns server (v4 or v6) or use DNS from HE (in that case, yes, use both addresses)

I use opendns.  I put 2001:470:20::2 into the OS X DNS list for the MacBook and with ipv4 and ipv6 enabled on OS X, a browser request to http://ipv6.he.net/ goes over port 80 instead of the tunnel...

I turn ipv4 off and it seems OS X ipv6 "automatic" doesn't find the router.  I did add "ipv6 unicast-routing" to the Cisco 871.


I'm still confused about the configuration settings.  Can someone maybe try to explain (without too many acronyms) what is going on here?  When OS X is in IPv6 "automatic" mode how does the client get an ipv6 IP address?  Is the IP traffic sent as lower level packets to the router which sends the traffic down the tunnel and the IP address of the router is used?  So is the OS X client and the router both using IP address "2001:470:7:444::2" in my configuration?

In the tunnelbroker.net suggested configuration for CISCO routers in the suggested IOS commands.  Why isn't the command "ipv6 unicast-routing" included as part of the suggested configuration for ipv6 listed here:

configure terminal
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 enable
ipv6 address 2001:470:7:444::2/64
tunnel source 208.37.99.227
tunnel destination 216.66.22.2
tunnel mode ipv6ip
ipv6 route ::/0 Tunnel0
end
write
"

Quote from: derby on December 08, 2009, 05:11:59 PM

Quote from: cholzhauer on December 08, 2009, 11:58:59 AM

QuoteDO I add a DNS entry for ipv6?

As for DNS, what are you using to provide DNS?  I use MSDNS and I need to manually insert the IP addresses into my DNS server (both v4 and v6)

For external lookups, you can just give OSx the address of your local dns server (v4 or v6) or use DNS from HE (in that case, yes, use both addresses)

I use opendns.  I put 2001:470:20::2 into the OS X DNS list for the MacBook and with ipv4 and ipv6 enabled on OS X, a browser request to http://ipv6.he.net/ goes over port 80 instead of the tunnel...

I turn ipv4 off and it seems OS X ipv6 "automatic" doesn't find the router.  I did add "ipv6 unicast-routing" to the Cisco 871.


I'm still confused about the configuration settings.  Can someone maybe try to explain (without too many acronyms) what is going on here?  When OS X is in IPv6 "automatic" mode how does the client get an ipv6 IP address?  Is the IP traffic sent as lower level packets to the router which sends the traffic down the tunnel and the IP address of the router is used?  So is the OS X client and the router both using IP address "2001:470:7:444::2" in my configuration?

In the tunnelbroker.net suggested configuration for CISCO routers in the suggested IOS commands.  Why isn't the command "ipv6 unicast-routing" included as part of the suggested configuration for ipv6 listed here:

configure terminal
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 enable
ipv6 address 2001:470:7:444::2/64
tunnel source 208.37.99.227
tunnel destination 216.66.22.2
tunnel mode ipv6ip
ipv6 route ::/0 Tunnel0
end
write
"

The commands the HE page gives are only for setting up the 6in4 tunnel itself.  In order to use IPv6 on LAN machines, you must use IPs out of your routed /64 on your inside LAN.  You must configure an IPv6 address on the LAN interface of your Cisco router.  So for instance, using your routed /64, you would do something like:

conf t
interface fastethernet0
 ipv6 enable
 ipv6 address 2001:470:8:444::1/64
end
write

This will put an address out of your routed /64 onto your LAN interface, and should enable route advertisement (RA) on that interface.

Your machines on your LAN (including OSX) will pick up the IPv6 addresses and default route via the RA announcements which the router will send, and will automatically configure IPv6 addresses.  Alternatively, you can statically configure IPv6 addresses, or even set up a DHCPv6 server (presuming OSX supports it).  Just use an IPv6 out of your 2001:470:8:444::/64 network for static assignments, or for your DHCPv6 scope (e.g. 2001:470:8:444::100-1000/64 ... you can use the entire range of 2001:0470:0008:0444:0000:0000:0000:0001 - 2001:0470:0008:0444:ffff:ffff:ffff:ffff to assign IPv6s on your LAN)

RA can also support setting the DNS server via RDNSS announcements, but I don't think many OSes support it natively at this point (I know linux requires a script/daemon to pick these up and use them).  So most use the DNS servers either manually configured, or, if running dual stack, the IPv4 DNS servers serve as DNS for the machines.  Note that DNS servers can return IPv6 AAAA records and ip6.arpa RDNS records over either IPv4 or IPv6.

Also note that some DNS servers seem to filter AAAA responses.  So you may want to manually configure the HE one, or hand out the HE IPv4 DNS server as one of the servers in your IPv4 DHCP setup.

HTH

JimB,

Thank you so much!  I'll give this a try tomorrow and maybe I'll be able to connect to the outside via ipv6.  Eventually I'm going to have to deal with ipv6 migration at work where I'm part of a small group, so we don't have a lot of specialized people, just a few "generalists".  I configured the 871W I use at home as my "learning lab" a couple of years ago and it has run splendidly with no attention.  Now time to relearn IOS with the IPv6 additional commands.    I'm grateful to have a place to learn this from people that are helpful!

Thanks!

I finally have some time to try to get my Cisco 871 configured to route IPV6 from my home LAN out to the internet.

The 871W has 4 LAN interfaces...

interface FastEthernet0
no cdp enable
!
interface FastEthernet1
no cdp enable
!
interface FastEthernet2
no cdp enable
!
interface FastEthernet3
no cdp enable


And an interface BVI1 that handles the LAN traffic:

interface BVI1
ip address 10.6.18.204 255.255.255.0
ip access-group 199 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
ipv6 address 2001:470:8:444::1/64
ipv6 enable

The OS X clients aren't showing IPV6 addresses nor doe a connection to ipv6.google.com work.

Any ideas to help get this going would be appreciated.

I don't know about the routers, but with the Cisco firewalls, you need to tell it to do RA

Are you getting an address on the Mac?

I'm getting an IPv6 address assigned to a Mac running OS X Snow Leopard server that is connected to the LAN via ethernet.  The OS X clients that connect to the LAN via 802.11n Airport Express WiFi access points are not getting IPv6 addresses.  This Airport Express is set up for bridging mode.  It doesn't do NAT or any routing.  Any suggestions on how to configure the AirPort so that WiFi clients can pass IPv6 traffic to/from the Cisco 87x router?

I haven't worked with an Airport extreme, so I wouldn't even know where to start, sorry.

Quote from: derby on December 18, 2009, 06:24:50 AM
I'm getting an IPv6 address assigned to a Mac running OS X Snow Leopard server that is connected to the LAN via ethernet.  The OS X clients that connect to the LAN via 802.11n Airport Express WiFi access points are not getting IPv6 addresses.  This Airport Express is set up for bridging mode.  It doesn't do NAT or any routing.  Any suggestions on how to configure the AirPort so that WiFi clients can pass IPv6 traffic to/from the Cisco 87x router?

That's odd.  If it's doing simple bridging to the LAN, it should just work.  Are you sure it's bridging the traffic and not routing?  Are there any settings on the Airports which restrict multicasts, or some type of layer 2 firewall?  If so, turn that off.  I have IPv6 going on two wifi networks using two diff linksys access points (wap54g and a wrt610n [set up as a bridge]), and it works fine for me.

I'm running ipv6 over a Procurve access point without any problems.  My boss says that the airport's are supposed to support it...I'll get a chance to look at one this week..if you still have the problem, I'll post back then.

Yeah.  As long as the Wifi box isn't routing, and is just bridging, IPv6 should be no issue.  Shouldn't have to "support" it.  It just has to not actively block it.  :P  I wonder if it's doing something dumb like dropping packets with the IPv6 ethertype (0x86DD)?

The Apple Airport Express, under the "Advanced" settings has an IPv6 tab where you can choose:

-  Link-local only
-  Node
-  Tunnel

I've chosen Link-local only hoping that would result in IPv6 traffic just moving through as a bridge connection to the Cisco 871W.  Of course Apple has little documentation on what these settings actually do (or I don't know where to find the documentation).

Someone at this web site http://newsgroups.derkeiler.com/Archive/Uk/uk.comp.sys.mac/2008-01/msg03804.html (http://newsgroups.derkeiler.com/Archive/Uk/uk.comp.sys.mac/2008-01/msg03804.html) claims that

QuoteThe "Link-local only" setting means that IPv6 can only be used between
computers on your local network, and IPv6 traffic will not pass through
the Airport Extreme to or from the Internet. All attempted outgoing or
incoming IPv6 traffic will be completely blocked.

Anyone successfully passing IPv6 bridged traffic through an Apple Airport Express?

Node sounds like what you want.  Probably just means it'll bridge IPv6, and configure itself for an IPv6 address also (management).

You might also want to look into making sure it's running the latest firmware in case there's some bug.

After a break, I'm still trying to get IPV6 to work.  Seems that RA is not working from the CISCO 871W.  None of the Mac OS X Snow Leopard clients are picking up IPv6 addresses.

Here are some details:

The version of IOS on the Cisco 871W:
Cisco IOS Software, C870 Software (C870-ADVENTERPRISEK9-M), Version 12.4(12.13)T, INTERIM SOFTWARE
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Sat 20-Jan-07 01:55 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI2, RELEASE SOFTWARE


The ipv6 related settings:



ipv6 unicast-routing

interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 address 2001:470:7:444::2/64
ipv6 enable
tunnel source 208.37.xx.yy
tunnel destination 216.66.22.2
tunnel mode ipv6ip


interface BVI1
ip address 10.6.18.204 255.255.255.0
ip access-group 199 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
ipv6 address 2001:470:8:444::1/64
ipv6 enable

ipv6 route ::/0 Tunnel0


And if I ssh to the router, I can successfully ping the other side of the tunnel:


cisco#ping ipv6 2001:470:7:444::2   

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:470:7:444::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
cisco#ping ipv6 2001:470:8:444::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:470:8:444::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
cisco#



Anyone see anything amiss in my settings?

Two of the Macs are hardwired to the same subnet as the CISCO.  One Mac is connected via an Airport Express, 802.11n with IPv6 set to "Node"

None of the 3 self assign an IPv6 address.

Maybe on that particular version of IOS you have to turn on RA?  Try "ipv6 ?" and poke around.  :)

Maybe you missed it in the copy and paste segment, but somewhere you need to tell the router what prefix to announce.

On the Cisco 871W the LAN connections are grouped together as BVI1.  Here is what IOS reports for ipv6 for BVI1:

cisco# show ipv6 interface BVI1
BVI1 is up, line protocol is up
 IPv6 is enabled, link-local address is FE80::216:C8FF:FE31:39F9
 No Virtual link-local address(es):
 Global unicast address(es):
   2001:470:8:444::1, subnet is 2001:470:8:444::/64
 Joined group address(es):
   FF02::1
   FF02::2
   FF02::1:FF00:1
   FF02::1:FF31:39F9
 MTU is 1500 bytes
 ICMP error messages limited to one every 100 milliseconds
 ICMP redirects are enabled
 ICMP unreachables are sent
 ND DAD is not supported
 ND reachable time is 30000 milliseconds
 Hosts use stateless autoconfig for addresses.

The tunnel interface details from IOS:

cisco#show ipv6 interface Tunnel0
Tunnel0 is up, line protocol is up
 IPv6 is enabled, link-local address is FE80::D025:63E3
 No Virtual link-local address(es):
 Description: Hurricane Electric IPv6 Tunnel Broker
 Global unicast address(es):
   2001:470:7:444::2, subnet is 2001:470:7:444::/64
 Joined group address(es):
   FF02::1
   FF02::2
   FF02::1:FF00:2
   FF02::1:FF25:63E3
 MTU is 1480 bytes
 ICMP error messages limited to one every 100 milliseconds
 ICMP redirects are enabled
 ICMP unreachables are sent
 ND DAD is enabled, number of DAD attempts: 1
 ND reachable time is 30000 milliseconds
 Hosts use stateless autoconfig for addresses.


And here are the IPV6 routes reported by the 871:


cisco#show ipv6 route
IPv6 Routing Table - 6 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route, M - MIPv6
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
S   ::/0 [1/0]
     via ::, Tunnel0
C   2001:470:7:444::/64 [0/0]
     via ::, Tunnel0
L   2001:470:7:444::2/128 [0/0]
     via ::, Tunnel0
C   2001:470:8:444::/64 [0/0]
     via ::, BVI1
L   2001:470:8:444::1/128 [0/0]
     via ::, BVI1
L   FF00::/8 [0/0]
     via ::, Null0


The Cisco web site documentation that I've found on their web site claims RA is automatic.  I don't see an IOS command to explicitly cause RA to occur or I would add it.

I suspect there is something missing that "binds" the 4 LAN ports grouped as Interface BVI1 together to the IPV6 Tunnel.  But I am totally new to IPV6 and am trying to learn, time permitting.  I'm sure I've messed up some fundamental setting that is keeping this from working.

I have a cisco 871w and am just coming to grips wit a HE tunnel as well at the moment. I read somewere online (can't recall where) that you can't put your IPv6 config in the BV1 interface, that it has to be in wither your vlan or dot11radio sub interface...

here's my ios config, which is working...:

service password-encryption
hostname abc.local
enable secret xxxxxx
enable password xxxxxx
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
ip http server
ip http secure-server
line con 0
password xxxxxx
line vty 0 4
password xxxxxx
username admin privilege 15 password xxxxxx

snmp-server location A
snmp-server contact B
snmp-server community xxxxxx RO

logging buffered 4096 debugging

ip domain name abc.local
   ip name-server 216.146.35.35
   ip name-server 216.146.36.36
   ip name-server 2001:470:20::2
ntp server time.windows.com

ip ddns update method tunnelbroker
HTTP
  add http://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=AUTO&pass=xxxx&user_id=xxxx&tunnel_id=xxxx
  remove http://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=AUTO&pass=xxxx&user_id=xxxx&tunnel_id=xxxx
  exit
interval maximum 0 1 0 0
interval minimum 0 0 30 0
exit

ip dhcp excluded-address 192.168.2.1 192.168.2.99
service dhcp
ip dhcp pool Internal-net
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.254
   import all
   domain-name abc.local
   lease 4
   dns-server 216.146.35.35 216.146.36.36

ipv6 dhcp pool test
dns-server 2001:470:20::2
domain-name abc.local
prefix-delegation pool test lifetime 3600 3600

access-list 1 permit 192.168.2.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet4 overload

interface FastEthernet4
ip address 192.168.1.1 255.255.255.0
ip tcp adjust-mss 1460
ip nat outside
no cdp enable
ip ddns update tunnelbroker
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ipv6 unicast-routing
interface FastEthernet0
spanning-tree portfast
interface FastEthernet1
spanning-tree portfast
interface FastEthernet2
spanning-tree portfast
interface FastEthernet3
spanning-tree portfast
bridge irb
interface Dot11Radio0
encryption vlan 1 mode ciphers tkip
ssid cisco871w
    vlan 1
    authentication open
    infrastructure-ssid
    authentication key-management wpa
    guest-mode
    wpa-psk ascii xxxxxxx
channel 1

interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding

interface Vlan1
description Internal Network
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
ipv6 address 2001:470:xxxx:xxx::/64 eui-64
ipv6 rip 1 enable
ipv6 dhcp server test

interface BVI1
description Bridge to Internal Network
ip address 192.168.2.254 255.255.255.0
ip nat inside
ip virtual-reassembly
bridge 1 route ip

interface tunnel 0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 enable
ipv6 address 2001:470:xxxx:xxx::2/64
tunnel source 192.168.1.1
tunnel destination 216.66.80.26
tunnel mode ipv6ip
ipv6 route ::/0 tunnel 0

int f0
no shut
int f1
no shut
int f2
no shut
int f3
no shut
int f4
no shut
int dot11Radio 0
no shut
int dot11Radio 0.1
no shut
router rip
network 192.168.1.0
network 192.168.2.0
version 2
interface vlan 1 ip split-horizon

HobbesIE,

Thank you!  This is a HUGE help.  I can see a number of places where your working config differs from my non-working config.  For starts, you are tunneling from HE to your LAN IP address.  I'm tunneling from HE to my WAN IP address, so that is probably why my LAN clients can't get to the tunnel.

I'll redo my config following your approach and see how it goes.  Is your configuration working completely?  You implied in your posting, "coming to grips with an HE tunnel", that maybe all isn't working as you expect? 

Paul

Quote from: derby on January 18, 2010, 04:22:02 AM
HobbesIE,

Thank you!  This is a HUGE help.  I can see a number of places where your working config differs from my non-working config.  For starts, you are tunneling from HE to your LAN IP address.  I'm tunneling from HE to my WAN IP address, so that is probably why my LAN clients can't get to the tunnel.

I'll redo my config following your approach and see how it goes.  Is your configuration working completely?  You implied in your posting, "coming to grips with an HE tunnel", that maybe all isn't working as you expect? 

Paul

Hi there - glad if I am any help!

Regarding the tunnel end points - my cisco is behind a netopia cayman router which is my DSL modem - so the tunnel endpoint address from the cisco's perspective is the lan ipv4 address given to it by the netopia. I have to use another means to let HE know what my wan ipv4 address is, which is why I am experimenting with using the dynamic dns update function of the cisco & hurricane electric to keep HE updated as to my WAN IPv4 addres:

ip ddns update method tunnelbroker
HTTP
  add http://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=AUTO&pass=xxxx&user_id=xxxx&tunnel_id=xxxx
  remove http://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=AUTO&pass=xxxx&user_id=xxxx&tunnel_id=xxxx
  exit
interval maximum 0 1 0 0
interval minimum 0 0 30 0
exit


Just have a look at: http://ipv4.tunnelbroker.net/ipv4_end.php for details of how to form up your details here if necessary - you have to calculate the hash versions of your password etc.

A problem I'm currently experiencing is that while my LAN clients are getting an IPv6 address and are able to route in & out no problem, at present they are not getting their dns server assigned over dhcpv6.... It's no huge problem if the clients run as dual stack-they can just do their dns lookup over ipv4...but I would prefer to be able to run ipv6 single stack, and not have to manually type the dnsv6 address into each lan client.

The other problem  I'm experiencing is setting an IPv6 address to the dot11radio0.1 interface - any time I type one in, it claims that I am conflicting with the address already assigned to vlan1...I suspect I need to investigate this further!

If your wireless and ethernet interfaces are bridged together, and part of vlan 1, shouldn't all your inside IPv4 and IPv6 addresses logically be on the vlan1 interface?

Is dhcpv6 actually handing out the DNS servers?  Do you think the client OS is just ignoring this component?

Also, why are you NATing if you're behind a Netopia which is presumably doing NAT for you?

Well, I'm getting closer to this working, I think.

Using HobbesIE's sample IOS file as I guide I made changes to my IOS.  I was unable to get a tunnel to work from my LAN IP address to Hurricane Electric. I was able to ping ipv6 the tunnel server's ipV6 address from the Cisco 871w if I use my WAN address in the tunnel, not the LAN address.  So I am using the WAN address for the client address on the tunnel.

Mac clients are now getting ipV6 addresses assigned automatically on both the wireless Airport Express connections and Ethernet connections....  hooray!

But there are routing issues. I can't ping6 either ipv6.google.com or 2001:470:7:444::1 from a Mac client.  Probably getting from the LAN side to the WAN side.

I'm really not too good at IOS and rusty with the little knowledge I have.  Here's most of my Cisco config file.  Anyone see anything obviously wrong here?



cisco#wr t
Building configuration...

Current configuration : 8808 bytes
!
! Last configuration change at 18:30:07 EST Mon Jan 18 2010 by pderby
! NVRAM config last updated at 18:30:16 EST Mon Jan 18 2010 by pderby
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco
!
boot-start-marker
boot system flash:c870-adventerprisek9-mz.124-12.13.T
boot system flash:c870-advsecurityk9-mz.124-9.T.bin
boot-end-marker
!
logging buffered 4096
logging console critical
enable secret 5 $1$VQ9E$XXN/SDUM5go21JJDIQR2m.
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization network vpngroup local
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.6.18.1 10.6.18.20
ip dhcp excluded-address 10.6.18.1 10.6.18.25
!
ip dhcp pool dhcppool
  network 10.6.18.0 255.255.255.0
  dns-server 10.6.18.7 10.6.18.201
  default-router 10.6.18.204
!

!
!
no ip bootp server
ip domain name test.com
ip name-server 10.6.18.201
ip name-server 207.155.183.72
ipv6 unicast-routing
ipv6 dhcp pool test
prefix-delegation pool test lifetime 3600 3600
dns-server 2001:470:20::2
domain-name abc.local
!
!
multilink bundle-name authenticated
!

archive
log config
!
!

!
!

!
bridge irb
!
!
!        
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 address 2001:470:xxx:yyy::2/64
ipv6 enable
tunnel source aaa.bbb.ccc.ddd
tunnel destination 216.66.22.2
tunnel mode ipv6ip
!
interface FastEthernet0
no cdp enable
!
interface FastEthernet1
no cdp enable
!
interface FastEthernet2
no cdp enable
!
interface FastEthernet3
no cdp enable
!
interface FastEthernet4
ip address aaa.bbb.ccc.ddd 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
crypto map vpnmap
!
interface Dot11Radio0
no ip address
!

!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
no ip address
ip tcp adjust-mss 1452
ipv6 address 2001:470:8:444::/64 eui-64
ipv6 dhcp server test
ipv6 rip 1 enable
bridge-group 1
!
interface BVI1
ip address 10.6.18.204 255.255.255.0
ip access-group 199 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!        
ip local pool clientpool 192.168.106.1 192.168.106.6
ip route 0.0.0.0 0.0.0.0 208.37.99.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source static tcp 10.6.18.204 5190 interface FastEthernet4 5190
ip nat inside source route-map natmap interface FastEthernet4 overload

!
ip access-list extended nat
deny   ip 10.6.18.0 0.0.0.255 192.168.106.0 0.0.0.7
permit ip 10.6.18.0 0.0.0.255 any
ip access-list extended split
permit ip 10.6.18.0 0.0.0.255 192.168.106.0 0.0.0.255
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.6.18.0 0.0.0.255
access-list 199 permit ip host 10.6.18.201 any log
access-list 199 permit ip any any
no cdp run
ipv6 route ::/0 Tunnel0
ipv6 router rip 1
!
!
!
!
route-map natmap permit 10
match ip address nat
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
privilege level 15
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17175090
ntp server 24.172.8.162
ntp server 66.250.45.2
ntp server 207.188.193.83
end

cisco#


Try using a real IPv6 address on the vlan1 interface.  You can't use zero as a host address..

Change ipv6 address 2001:470:8:444::/64 eui-64 to ipv6 address 2001:470:8:444::1/64 eui-64.

You may also want to lose the eui-64, since it's not an (m)eui-64 although I can't say I'm familiar with what this option is supposed to do.

success - finally!

the problem I was running into was that I was assigning a /64 address to the vlan1 interface, and the same to the dot11radio0.1 sub-interface. Cisco doesn't like this - so I got a /48 allocation from HE, and gave vlan1 & dot11radio0.1 /64 addresses from the /48 range. Here's the relevant config:

interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
ipv6 enable
ipv6 address 2001:xxx:xxxx:2::/64
ipv6 rip 1 enable
ipv6 dhcp server test

interface Vlan1
description Internal Network
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
ipv6 enable
ipv6 address 2001:xxx:xxxx:1::/64
ipv6 rip 1 enable
ipv6 dhcp server test

and voila it worked!

I think it is quite wasteful to not just split my existing /64 down further, but when I tried the same technique as above but setting the /64 address as xxxx:xxxx:xxxx:xxxx:1::/80 didn't work...I reckon that as MAC addresses are xxxx:xxxx:xxxx:xxxx it wouldn't leave enough space in the ipv6 address for it...

Let me know how you get on!

Don't use prefix lengths > 64.  There's some debate over using things like /126s on p-t-p and /128s on loopbacks, but in general stick to /64s.  Thinking that /64s are wasteful is "IPv4 thinking".  :p  You may want to check out RFC 4291 (http://tools.ietf.org/html/rfc4291#section-2.5.1), and RFC 3627 (http://tools.ietf.org/html/rfc3627).

What's with the all-zeros host type addresses (2001:xxx:xxxx:1::/64) ?  When given one of those, does the cisco generate a meui-64 address on the interface or something?  Otherwise, do you realize you're not supposed to use that?

Also, have you now split your wifi and wired LANs into separate LANs?

Actually, for the router, an all-zeros host segment isn't an error, and in fact is something the router should be doing already.  RFC4291, 2.6.1 notes the following:
2.6.1. Required Anycast Address

   The Subnet-Router anycast address is predefined.  Its format is as
   follows:

   |                         n bits                 |   128-n bits   |
   +------------------------------------------------+----------------+
   |                   subnet prefix                | 00000000000000 |
   +------------------------------------------------+----------------+

   The "subnet prefix" in an anycast address is the prefix that
   identifies a specific link.  This anycast address is syntactically
   the same as a unicast address for an interface on the link with the
   interface identifier set to zero.

   Packets sent to the Subnet-Router anycast address will be delivered
   to one router on the subnet.  All routers are required to support the
   Subnet-Router anycast addresses for the subnets to which they have
   interfaces.

   The Subnet-Router anycast address is intended to be used for
   applications where a node needs to communicate with any one of the
   set of routers.


By specifying the all-zeros, he's likely just not giving the router a unicast address.

Quote from: kcochran on January 19, 2010, 08:00:18 PM
Actually, for the router, an all-zeros host segment isn't an error, and in fact is something the router should be doing already.  RFC4291, 2.6.1 notes the following:

Code Select Expand

2.6.1. Required Anycast Address

   The Subnet-Router anycast address is predefined.  Its format is as
   follows:

   |                         n bits                 |   128-n bits   |
   +------------------------------------------------+----------------+
   |                   subnet prefix                | 00000000000000 |
   +------------------------------------------------+----------------+

   The "subnet prefix" in an anycast address is the prefix that
   identifies a specific link.  This anycast address is syntactically
   the same as a unicast address for an interface on the link with the
   interface identifier set to zero.

   Packets sent to the Subnet-Router anycast address will be delivered
   to one router on the subnet.  All routers are required to support the
   Subnet-Router anycast addresses for the subnets to which they have
   interfaces.

   The Subnet-Router anycast address is intended to be used for
   applications where a node needs to communicate with any one of the
   set of routers.


By specifying the all-zeros, he's likely just not giving the router a unicast address.

Hrm.  I was under the impression that the subnet-router anycast was an address that routers would answer for with ND automatically, and not an address that's configured on the actual interface.  For instance, when I ping that address on my LAN, my router answers, with its unicast address:

{root@gts/pts/5}~# ping6 -n -c3 2001:db8:1234::
PING 2001:db8:1234::(2001:db8:1234::) 56 data bytes
64 bytes from 2001:db8:1234::1: icmp_seq=1 ttl=64 time=0.522 ms
64 bytes from 2001:db8:1234::1: icmp_seq=2 ttl=64 time=0.501 ms
64 bytes from 2001:db8:1234::1: icmp_seq=3 ttl=64 time=0.501 ms

--- 2001:db8:1234:: ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.501/0.508/0.522/0.009 ms

But I guess it's "legal" to not give your router a unicast address at all?  It'd make it sort of difficult to get to the router to log in or whatever, if there were multiple routers on the LAN, no?  Unless there was a management interface w/ a unicast or something I guess.  :shrug:

My cisco 1811 let me use a zero address, but complained:

%Vlan1: Warning: 2001:470:E0EC:1::/64 is a Subnet Router Anycast

So, I am led to wonder if this is a best practice.  I am OK with the fact that in ipv6 thinking, most sites will be assigned a /48, perhaps with residential users assigned a /56.

I am able to connect to ipv6.google.com, www.ipv6.org, and www.whatismyipv6.net, so the configuration is working.

Quote from: mlksoft on January 22, 2010, 06:47:59 PM
My cisco 1811 let me use a zero address, but complained:

%Vlan1: Warning: 2001:470:E0EC:1::/64 is a Subnet Router Anycast

So, I am led to wonder if this is a best practice.  I am OK with the fact that in ipv6 thinking, most sites will be assigned a /48, perhaps with residential users assigned a /56.

I am able to connect to ipv6.google.com, www.ipv6.org, and www.whatismyipv6.net, so the configuration is working.

Yeh I don't think it's good practice IMHO.  :P  Use ::1.

Addressing plans will depend largely on the ISP's own policies.  But the IAB outlines recommendations in RFC3177 (http://tools.ietf.org/html/rfc3177).  Basically it says that end users should get either a /64 if they have a single LAN, or a /48 if they have multiple LANs.  Businesses will also get /48s (one or multiple).  ISPs get /32s.  Also, just the currently assigned global unicast range, 2000::/3 (2000:: - 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) contains ~537 million /32s (2^29 /32s).  So running out of /32s for ISPs won't happen any time soon.  And every /32 has 64Ki /48s, which in turn has 64Ki /64s, each of which have 2^64 - 1 interface addresses.   :)