
Providing IPv6 Access During a Class IPv6 Presentation

Started by dummptyhummpty, October 29, 2009, 07:23:04 PM


dummptyhummpty

Quote from: jimb on November 17, 2009, 12:32:56 PM
Have you just tried a 6in4 tunnel from the network in question?  Most firewalls will simply pass it and set up a temporary connection/nat table entry which forwards incoming proto 41 traffic back to you.  As long as no one else is doing 6in4 behind that device (firewall), it should work.  And in the case of an HE tunnel, the nat device would have to respond to pings on the public.

Other alternatives include establishing some other sort of tunnel to the outside and using that as a conduit.  You could do a GRE tunnel, or establish your own 6in4 tunnel to an outside router you control and statically route part of a HE /48 to your university net (since this wouldn't require ping, but of course depends on the firewall passing 6in4).  You could establish a UDP encapsulated IPSEC tunnel to some router on the outside, and run GRE though that, then run 6in4 through that (EDIT: actually, you could just run ipv6 straight over GRE I think, I've never tried that though).  Lots of ways to sneak through a firewall.  Just requires some creativity and work on your part.  :P

I haven't tried that. I'll give that a try when I'm on campus tomorrow. I'm assuming I connect the tunnel to the school's public IP and once I set everything up on my laptop (private IP over WiFi) I should be ok.

As to your other suggestions, you lost me a bit, but I think I understand. I could connect the tunnel to my router at home and then VPN to my router from school. The only problem is the school blocks VPNs (except their own) over WiFi. So I would have to VPN to the school's network and then VPN through that to my home network, correct? For our in class presentation we are going to use a laptop running Windows Server 2008 (which might be over kill now that I have learned we don't need a DHCP server) and I'm guessing it would go like this:

People In Class >----WiFi----> Windows Server Laptop (with VPN to home router) >----Ethernet----> My Laptop (with VPN to the school's network) ----WiFi----> School's Network

Seems a little complicated. Any better ideas?

cholzhauer

Yes, you do need to jump through some hoops to get set up, but I was able to get a subnet up and running with them in a couple of days.  HE is the way to go, but if you can't do static tunnels, you're left with SixXS or gogo6.

jimb

Quote from: dummptyhummpty on November 17, 2009, 02:12:52 PM
Well, if you're using windows to do this, I can't provide much guidance, since I've never tried to use windows as an IPv6 router.  If the windows VPN allows the routing of IPv6 traffic, then sure, that'd work just fine, provided it could be established through the firewall.  If it's an IPSEC VPN with UDP encapsulation, it should work fine.  Hopefully it doesn't use something like PPTP though, since that can have issues getting through firewalls also.

Most of my ideas use linux though.  You could always run VirtualPC, HyperV or VMWare and run linux under that.  I've actually established 6in4 tunnels via linux running under HyperV on a win 2008 server before.  :P

My first suggestion is simply to try a 6in4 tunnel from inside and see if the FW will pass it.  If you can establish basic IPv6 connectivity to HE via this, then you're halfway there.  If you're doing this with windows, I can't really help you in the next steps of setting it up as an IPv6 router.  You could also do it on a linux box, or if your wifi router supports it, directly from that.  If that can be established, then it should be easy to simply provide the routed /64 to the LAN segment which your wifi router provides.  BTW, it'd probably be easier to configure your wifi router to simply bridge the LAN ports and WLAN and not treat them as separate LAN segments, otherwise you'd need another IPv6 LAN (/64) for your WLAN, static routes, etc.  This is especially true if you wind up using a separate box as your IPv6 tunnel router.

If using "straight" 6in4 doesn't work, then you need to find some way to get through the firewall.  One way is what cholz suggested, using SIXXS, as they use the AYIYA tunneling protocol which will get you through a NAT firewall and give you an IPv6 address.  I'm not sure if SIXXS will provide a routable /64 subnet, or a /48 if you need multiple subnets, like HE does, or just a single IPv6.

If it turns out you can't use something like SIXXS or something else which provides simple "turn key" tunneling, then you could do a DIY tunnel setup.  To do something like this, first you'd establish a working 6in4 tunnel with HE on some site you have control over, such as your home network.  You'd need a routable /48 from HE too, which is as easy as a mouse click.  Then, you can use any number of tunnel methods/software to establish a tunnel from your site to the target network, routing a subnet (or two) of the HE /48 through that tunnel to your target network.  For the tunnel between your home network and the target net, you could use something like nat-traverse, vtun, tinc, etc.  All these allow generic tunneling of various traffic across IPv4 UDP or TCP connections.  The web sites have examples of for instance, tunneling PPP through IPv4-UDP, which would then allow you to push IPv6 through the PPP interface.  The whole idea here is to use some tunneling method which will traverse your firewall so that you can "get out".

Obviously the DIY method would require the most planning and configuration, but think of what you could learn!  :P

cholzhauer

Quote
I'm not sure if SIXXS will provide a routable /64 subnet, or a /48 if you need multiple subnets, like HE does, or just a single IPv6.

Yep, they will.  They won't give you a single routable /64 off the bat like HE does...you get the two end points of a tunnel ::1 and ::2 on one /64 and the rest of that /64 is not used.  You can then request a routed /48 if you have enough points, but if you have a LinkedIn profile, you'll have enough.

dummptyhummpty

Quote from: jimb on November 17, 2009, 03:12:41 PM

Well, I just spent the past 4 hours trying to get IPv6 access on my home network. It probably would have saved me 3 hours had I given HE the correct endpoint IP address for the tunnel. Either it changed, or I'm dyslexic. Having spent the time troubleshooting unnecessarily, I now have a better idea of how this works.

I'm going to create a separate tunnel on the laptop and bring it on campus tomorrow to see if it will work. I'll report back in a while when I get the laptop configured correctly. Thanks to all for your help.

dummptyhummpty

Currently on campus at school and I can't get the tunnel to come up. Boo. I ended up putting in a request at SixXS as I think that will be easier. Thanks for all your help, I'll keep you all updated.

jimb

Yeh that's one of the reasons I went w/ HE instead of sixxs.  They make you wait.  And they have some "points" thing which I was like "eh!?" when I saw it.  I guess it's supposed to cut down on malicious use of their service by hax0rs or something.  That, and the fact I wanted to actually learn more about IPv6, not install a piece of software that practically does it all for you.


dummptyhummpty

I finally got a hold of someone at the University and they are going to look into it for us. That would be great if they could help us out.

dummptyhummpty

Just another update, the University said it was ok to plug in to their network, but they are too busy at the moment (understandable) to help with the firewall problems. It sounded like it was outside of their immediate control. I decided to see if I could create an SSH tunnel to my house by following this guide, but when everything is configured, it seems as if traffic isn't being correctly routed. Any ideas? I know it's not really related to IPv6, but our presentation is tomorrow and I'd love to have this working.

cholzhauer

Can you post your routing tables and the output of a traceroute to that machine?

jimb

Heh that's the one thing I forgot to mention, using ssh -w.  I've actually used it and had it work myself.  I presume you're doing this on linux.

First, you have to make sure the tun/tap driver is loaded (modprobe tun).  You also have to make sure that your sshd_config has a line "PermitTunnel yes", then reload sshd (/etc/init.d/ssh reload).  Then of course, you need to ssh in as root with -w (something like "ssh -l root -f -w 0 <ip> true").  This will cause tun devices on each end to be "plumbed" through the ssh and sshd on either end.

In the example, the client would use tun0, and the server tun0 also, presuming it's not already in use.  The tun0 interfaces act as point-to-point interfaces on the local and remote ends.  Now you need to add IP addresses to them (example:  "ip addr add 172.16.17.1 peer 172.16.17.2 dev tun0" on the local end, and the reverse on the remote end).  Then bring the interfaces up with "ip link set tun0 up" on both ends.  At this point you should have IPv4 connectivity between both sides (make sure the iptables firewall isn't blocking stuff).

You should be able to ping, etc.  Note that you don't really need IPv4 if you're just doing IPv6.

You can add IPv6 addresses to the tun interfaces with something like this:  "ip addr add fdd6:084c:c697::1/64 dev tun0" (use ::2 at the other end of course).  In this example I'm using site unique addresses for the tunnel end points.  You could use a /64 out of your /48, or whatever.  Once this is done you should be able to ping6 either end.  (You may have noted that in the case of IPv6, you don't use the "peer" argument.)

The "ip addr" and ifconfig command output should look like this:

17: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
   link/[65534]
   inet 172.16.17.1 peer 172.16.17.2/32 scope global tun0
   inet6 fdd6:84c:c697::1/64 scope global
      valid_lft forever preferred_lft forever

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
         inet addr:172.16.17.1  P-t-P:172.16.17.2  Mask:255.255.255.255
         inet6 addr: fdd6:84c:c697::1/64 Scope:Global
         UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
         RX packets:101 errors:0 dropped:0 overruns:0 frame:0
         TX packets:122 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:500
         RX bytes:21887 (21.3 KiB)  TX bytes:12301 (12.0 KiB)


Now, to get routing up and going, first make sure you have ip forwarding turned on in the kernel on both sides (sysctl -w net.ipv4.conf.all.forwarding=1 net.ipv6.conf.all.forwarding=1).  Then you can add routes through the tun interfaces.  For instance, let's pretend that the site unique prefix "fdd6:084c:c697:1::/64" is a subnet of your public routed /48 and use it for the LAN.  On the remote end (home), you'd add a route to that network through the tun0 interface like so:  "ip route add fdd6:084c:c697:1::/64 dev tun0" (just make sure you substitute that prefix with your public IPv6 subnet).  On the local end (school) you'd add a default route through tun0:  "ip route add ::0/0 dev tun0" (or alternatively, "ip route add default via fdd6:084c:c697::1", or whatever IPv6 you used as the tunnel endpoint address on the home end).

Aside from making sure iptables and ip6tables firewalls aren't blocking anything, and presuming you've already established IPv6 connectivity on the home end, it should work.

HTH.  :)
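A shell version of the two-end setup jimb walks through above, added here as an example (it is not jimb's script or anything posted in the thread). The tun device and addresses are assumed to match his example, and the LAN prefix is a placeholder for a /64 out of your HE /48; the point of generating a per-end plan is that the home and school ends need different routes, which is exactly what goes wrong when traffic "isn't being correctly routed":

```shell
#!/bin/sh
# Added example (not from the thread): per-end configuration for the "ssh -w"
# tun tunnel, produced as a plan so home and school routes cannot be mixed up.
# Assumed (constructed) values: tun0 on both ends, 172.16.17.1/.2 and
# fdd6:84c:c697::1/::2 as tunnel endpoints, fdd6:84c:c697:1::/64 standing in
# for a /64 of your HE /48.
TUN_DEV=${TUN_DEV:-tun0}
HOME_V4=172.16.17.1;      SCHOOL_V4=172.16.17.2
HOME_V6=fdd6:84c:c697::1; SCHOOL_V6=fdd6:84c:c697::2
LAN_PREFIX=fdd6:84c:c697:1::/64   # placeholder: substitute your routed subnet

# Print the commands for one end: "home" (server side, where the HE 6in4
# tunnel already terminates) or "school" (client side, behind the firewall).
tunnel_plan() {
  case "$1" in
    home)   me_v4=$HOME_V4;   peer_v4=$SCHOOL_V4; me_v6=$HOME_V6 ;;
    school) me_v4=$SCHOOL_V4; peer_v4=$HOME_V4;   me_v6=$SCHOOL_V6 ;;
    *) echo "usage: tunnel_plan home|school" >&2; return 1 ;;
  esac
  # IPv4 is optional when only IPv6 is carried; IPv6 needs no "peer" argument.
  echo "ip addr add $me_v4 peer $peer_v4 dev $TUN_DEV"
  echo "ip -6 addr add $me_v6/64 dev $TUN_DEV"
  echo "ip link set $TUN_DEV up"
  echo "sysctl -w net.ipv4.conf.all.forwarding=1 net.ipv6.conf.all.forwarding=1"
  if [ "$1" = home ]; then
    # Home must know the school LAN prefix lives behind the tunnel, or
    # replies coming back from the Internet are dropped at home.
    echo "ip -6 route add $LAN_PREFIX dev $TUN_DEV"
  else
    # School sends all IPv6 to the home end of the tunnel.
    echo "ip -6 route add default via $HOME_V6 dev $TUN_DEV"
  fi
}

# Apply one end's plan as root, after "modprobe tun", "PermitTunnel yes" in
# the server's sshd_config, and "ssh -l root -f -w 0 <home-ip> true" from the
# client so tun0 exists on both sides. Stops at the first failing command.
tunnel_apply() {
  tunnel_plan "$1" | while IFS= read -r cmd; do
    echo "+ $cmd"
    eval "$cmd" || exit 1
  done
}

# End-to-end check from the school side: the far endpoint must answer and
# the kernel must be forwarding, or the LAN behind you will not get out.
tunnel_check() {
  ping6 -c 1 -W 2 "$HOME_V6" >/dev/null 2>&1 || { echo "tunnel endpoint unreachable"; return 1; }
  [ "$(sysctl -n net.ipv6.conf.all.forwarding)" = 1 ] || { echo "ipv6 forwarding is off"; return 1; }
  echo "tunnel up, forwarding on"
}
```

Run `tunnel_plan home` or `tunnel_plan school` to review the commands before `tunnel_apply` executes them; the check only verifies the tunnel itself, so ip6tables FORWARD rules still need to allow the traffic.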

dummptyhummpty

jimb,

Thanks so much! I have the laptop at my office and was just able to create the SSH tunnel and forward the IPv6 traffic across. I'm thinking this should work at school as I was able to create an IPv4 SSH tunnel last night, but couldn't forward any traffic. I think it was because I didn't have the routes correct on my home machine. I'll let you know how it goes. Back to work....

jimb

Cool.  I'd get it all working ahead of time too.  If you want to get "fancy", you could even use radvd to have the LAN at school auto configure IPv6 addresses (have it advertise a /64 subnet of your /48 like I mentioned previously).  Also, don't be surprised if radvd advertises the link local address of your LAN interface to your LAN.  That's what mine does for whatever reason, which is of course no problem.  You could also set up DHCPv6 too of course.

You may also want to make sure that DNS works for IPv6.  I've noted that some DNS servers, especially ones built into consumer routers, sometimes refuse to return AAAA records even when available (for instance, the Verizon FiOS supplied Westell router on a friend's home network doesn't).  If it doesn't, you may want to set up BIND on your linux box and use that.  Have your IPv4 DHCP server point to it instead of the wifi router or whatever ... I don't think windows or linux pays attention to radvd's RDNSS entries without extra software running, although I'm not sure about windows ... XP doesn't seem to.  If you do DHCPv6 obviously this is moot.

dummptyhummpty

jimb,

Thanks for all your help! Our class starts in about 10mins; we hooked everything up and it's working. I ended up setting our "router" (laptop) to use HE's dns servers. I also loaded radvd so thanks for the suggestion!

Also, thanks to cholzhauer and everyone else who helped!

jimb

Nice.  Hope you get a good grade or whatever.    :)