
Howto: Share an IPv6 Tunnel with other machines on your network

Started by dezzanet, May 12, 2010, 11:52:33 AM


dezzanet

I'd spent ages trying to find a way to share my IPv6 tunnel with the rest of my network rather than just one machine, and couldn't find any suitable guide, so once I worked out how, I decided to share it in order to help everyone else.

http://www.dezzanet.co.uk/articles/26/2010/05/12/Sharing-an-IPv6-tunnel-from-a-Windows-machine/

I hope this is helpful to people :)

jimb

Good article, a few comments:


  • If you add an IPv6 address from your routed /64 to the LAN interface, as is typical, you won't need to add a route, since this will create a connected route.  You will still have to tell windows to "publish" it (IPv6 RA I presume).
  • RA should advertise the default route, which will also cover the Client/Server IPv6 /64 and allow these to be reachable from the LAN (and thus obviate the need to specifically add a route for it).
  • You may want to make a note that your public IPv4 listed as the "Client IPv4" is not what you use on your router, since you're behind a NAT.
  • Instead of using HE's /32 you may want to use the 2001:db8 documentation prefix for your IPv6 examples, and perhaps one of the IPv4 documentation addresses too (192.0.2.0/24, 198.51.0.0/24, 203.0.113.0/24).

So, perhaps change:

netsh interface ipv6> add route 2001:470:abc2:def::/64 "Local Area Connection" publish=yes

to

netsh interface ipv6> add addr 2001:db8:abc2:def::1/64 "Local Area Connection"

And add:

netsh interface ipv6> set route 2001:db8:abc2:def::/64 "Local Area Connection" publish=yes

That way you'll have an actual public IPv6 address on your router's LAN interface (not strictly necessary, since it will route traffic via the link local, but nice), and publish the prefix (unless there's some windows peculiarity where you can't modify a connected route, in which case I guess you have to add it even though it's already there).

Obviously you should test it before you change your page, since maybe there's some windows oddness that requires you to do it the way you are doing it.

- Jim

dezzanet

Hi Jim,

Thanks for your feedback. I tried the changes you suggested and all seems to work (except I had to omit the /64 at the end of the add addr line). I've made the changes to the article. I had been tinkering around for a while and when I eventually got something working I left it at that, but I had a suspicion that I may have configured more than I needed.

Thanks for your help

Dezza

jimb

Nice. I guess the windows "add address" command presumes a /64.  I don't do that manually very often, as all of my windows boxes autoconfigure.

BTW, did you find that you actually had to add a route for the routed /64 after you added the IPv6 address?  Would it not allow you to use the "set" command and set it to publish?  Or perhaps when the route already exists, it modifies it instead of adding, or replaces a connected route? 

dezzanet

I had to add the route for the routed /64 on the lan interface and publish it, otherwise the other machines in the network wouldn't autoconfigure.

After I had a play about after your suggestions this morning I dropped the route on the tunnel interface. Everything seems to be working: I can ping and load ipv6.google.com, but for some reason http://www.whatismyipv6.net/ is showing my IPv4 address. I have the ShowIP extension on firefox and that is showing it as being IPv6 which is leaving me a little confused. Either it is to do with the 2001:db8:abc1:def::/64 route that I left out or something else that I didn't configure.
I also tried from an IPv6 machine at my university and couldn't ssh into one of my boxes over IPv6. It may be a routing issue - I didn't do a traceroute, but either way I'm not overly fussed about that for now - the firewall provided by the IPv4 router/nat is useless if you can still get in over IPv6.

jimb

That's interesting, because the very act of adding an IPv6 address to the LAN interface should cause that /64 route to appear in the routing table.  For instance, on my autoconfigured XP box:

Publish  Type       Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ----  ------------------------  ---  ---------------------
no       Autoconf    10  2001::/32                   8  Teredo Tunneling Pseudo-Interface
no       Autoconf     8  2001:db8:1234::/64          4  Wireless Network Connection
no       Autoconf   256  ::/0                        4  fe80::250:daff:fe53:6564

(address sanitized)

If you see the 2nd entry, that exists because my wifi interface autoconfigured an IPv6 address in that /64 subnet of my routed /48.  What I was thinking is that to set the public flag on the existing route, you'd use the "netsh int ipv6 set route" command instead of "add route", since the route was already there.  I figured if you didn't it'd give you a duplicate entry error.  But I hadn't tested any of that.  :shrug:

I'm not sure why you're getting that behavior with whatismyipv6.  But the showip extension doesn't actually show the address you are using to actually connect to the site, but basically shows the result of a DNS call and its guess of which address your system would use.  At least that's what others have said and I think I read the same on the homepage of that extension.  I have some evidence that this is the case from a few times where my IPv6 connectivity went down due to something I did, and it still showed the IPv6 in FF even though I was really connecting via IPv4.

As far as not being able to get in from the outside, since you're on a windows box, it's probably windows firewall.  You can probably configure it to let various things in, like SSH.  If you can get to the IPv6 internet from machines behind your tunnel router, you don't have a routing issue.  
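Added example, not part of the thread or any poster's code: a small Python audit of a route table in the column layout quoted above, reporting what the host would advertise to the LAN via RA. Assumptions: the layout matches the quoted table, any Publish value other than "no" counts as advertised, and the last two sample rows are constructed to resemble a router that publishes its routed /64 and a default route.

```python
import ipaddress
import re
from typing import NamedTuple

class Route(NamedTuple):
    publish: str                    # Publish column, lower-cased
    prefix: ipaddress.IPv6Network
    idx: int
    target: str                     # gateway address or interface name

# Columns: Publish, Type, Met, Prefix, Idx, then the rest (may contain spaces)
ROW = re.compile(r"^(\S+)\s+\S+\s+\d+\s+(\S+/\d+)\s+(\d+)\s+(.+?)\s*$")

# Constructed sample: the first three rows are the client table quoted in the
# thread; the last two rows are made up for a router publishing its routed /64.
SAMPLE = """\
Publish  Type       Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ----  ------------------------  ---  ---------------------
no       Autoconf    10  2001::/32                   8  Teredo Tunneling Pseudo-Interface
no       Autoconf     8  2001:db8:1234::/64          4  Wireless Network Connection
no       Autoconf   256  ::/0                        4  fe80::250:daff:fe53:6564
yes      Manual       0  2001:db8:abc2:def::/64      5  Local Area Connection
yes      Manual       0  ::/0                       12  IP6Tunnel
"""

def parse_routes(text):
    """Return the data rows; header and separator lines do not match ROW."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        try:
            net = ipaddress.IPv6Network(m.group(2))
        except ValueError:
            continue                # not a valid prefix, skip the row
        routes.append(Route(m.group(1).lower(), net, int(m.group(3)), m.group(4)))
    return routes

def audit(text):
    """Summarise what this host would advertise to the LAN in its RAs."""
    pub = [r for r in parse_routes(text) if r.publish != "no"]
    on_link = [r for r in pub if r.prefix.prefixlen != 0]
    return {
        "ra_prefixes": [str(r.prefix) for r in on_link],
        "default_route": any(r.prefix.prefixlen == 0 for r in pub),
        # SLAAC clients only autoconfigure from a /64
        "not_slaac": [str(r.prefix) for r in on_link if r.prefix.prefixlen != 64],
    }
```

An empty `ra_prefixes` list on the tunnel router matches the symptom where LAN hosts do not autoconfigure; a non-empty one on a machine that is not meant to be a router is worth investigating.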

dezzanet

It could well be that I'd turned something off/broken something which is why the /64 route didn't come up automatically, but it works *shrugs*

As for whatismyipv6, I ran wireshark while connecting to it, and ipv6.google.com and it revealed that whatismyipv6 didn't respond to the SYNs, but google did.

liuxyon

Quote from: dezzanet on May 12, 2010, 11:52:33 AM
I'd spent ages trying to find a way to share my IPv6 tunnel with the rest of my network rather than just one machine, and couldn't find any suitable guide, so once I worked out how, I decided to share it in order to help everyone else.

http://www.dezzanet.co.uk/articles/26/2010/05/12/Sharing-an-IPv6-tunnel-from-a-Windows-machine/

I hope this is helpful to people :)


Thank you for sharing. Coincidentally, I also configured mine in accordance with your method.

But the other computers on the LAN cannot automatically get an IPv6 address.

I have to manually configure the IPv6 address of the other computers, although this network can access and visit IPv6 web sites.

But over time, none of the computers can access IPv6. Perhaps because of the dynamic public IPv4 address update, I have to update the IPv4 address on the HE.net tunnel.

jimb

That's odd.  Dezza seemed to indicate that RA was working and his machines were auto configuring.

One thing they won't get via RA is a DNS server.  Those still need to be gotten via DHCP or statically configured.  There's provision in RA for DNS server advertisement, but most client platforms don't support it ATM without additional software.

@dezza: can you confirm that your instructions cause hosts on your LAN to configure an IPv6 address and get a default route?

dezzanet

Quote from: jimb on May 15, 2010, 01:54:31 PM
@dezza: can you confirm that your instructions cause hosts on your LAN to configure an IPv6 address and get a default route?

Yes, the machines on the LAN auto configure addresses and default route.

As for DNS, I didn't specify it myself, DNS is still going over IPv4 until I configure 'doze's DHCP server to listen on IPv6 (using DNS on the LAN, so can't just point straight to HE's DNS in my case). It doesn't look overly difficult, but needs some files off the win 2k3 CD which is going to involve copying over from another machine as that server doesn't have an optical drive.

jimb

Quote from: dezzanet on May 15, 2010, 06:10:48 PM
Quote from: jimb on May 15, 2010, 01:54:31 PM
@dezza: can you confirm that your instructions cause hosts on your LAN to configure an IPv6 address and get a default route?

Yes, the machines on the LAN auto configure addresses and default route.

As for DNS, I didn't specify it myself, DNS is still going over IPv4 until I configure 'doze's DHCP server to listen on IPv6 (using DNS on the LAN, so can't just point straight to HE's DNS in my case). It doesn't look overly difficult, but needs some files off the win 2k3 CD which is going to involve copying over from another machine as that server doesn't have an optical drive.

Having your DNS servers listen and query using IPv6 is pretty much trivial.  In BIND, it's just a single line (listen-on-v6 { any; };).  Obviously you need to configure an IPv6 address on the server's interface(s) first.

But to have your clients configure an IPv6 DNS server to use is a bit annoying, since it requires either DHCPv6, or the RDNSS functionality of IPv6 Route Advertisement (RFC 5006).  Unfortunately, at present most OSes don't pay attention to the RDNSS options without special software running (such as rdnssd) since it's fairly new and deemed "experimental".  And this software can also clash with existing software such as IPv4 dhcp clients over the resolv.conf file.

DHCP is also "verboten" to give out IPv6 addresses for DNS servers.  The "authorities" won't support such an option, requiring one to use DHCPv6 instead for this.

jhunax

@dezzaNet

Thank you very much for this guide ;D I have been looking for a way to use my routed /64.

ecoimp0211

ip addr add [Your IPv6 Endpoint]/64 dev he-ipv6 preferred_lft 0

ip -6 addr list dev he-ipv6
11: he-ipv6: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1448
    inet6 [Your IPv6 Endpoint]/64 scope global deprecated
       valid_lft forever preferred_lft forever