[Originally posted Mar 22, 2012 12:46 PM by Antti Uitto [ updated Mar 23, 2012 6:17 AM ]]
My previous experiences with the SixXS service have been very positive, but this time I used Freenet6 for no other reason than to try out another one. Like SixXS, this one seems to be well done. Setup was easy, with two minor hiccups (I will elaborate later in the text).
This site has a small LAN with IPv4 Internet access through many-to-one NAT, via a wireless router. My plan was to use the old desktop machine and install VirtualBox on it. Then I would create a new virtual host with Ubuntu Server as its OS and use it as my IPv6 router.
- Installed Ubuntu server (new virtual host)
- Enabled routing for IPv6
- Installed Gogo-client gogoc.
- Modified gogoc’s configuration
- Connected and pinged around
- Wrote ip6tables firewall rules
- Made things persist over reboots
I installed Ubuntu Server to be my router. Nothing special here: bridged networking to the host system's eth0, an SSH server, and a static IPv4 address from our private network.
Because this machine is going to act as the IPv6 router for other machines in the LAN, I enabled IPv6 routing by editing file
I then applied this change by rebooting the host.
You can also apply it by running the command
sudo /sbin/sysctl -q -p
On Ubuntu router
sudo apt-get install gogoc
The config file for gogoc is at
userid=MyUserName
passwd=MyPasswd
auth_method=any
host_type=router
prefixlen=56
if_prefix=eth0
tunnel_mode=v6udpv4
if_prefix means the interface on which I want my prefix to be advertised. This would be the interface facing the LAN with the client computers.
tunnel_mode: the mode I chose is the one meant for hosts that are unfortunate enough to connect from behind NAT.
After modifying the gogoc config file, I attempted to connect. Here was a minor issue: I could make the connection work if I changed the config to use an anonymous connection, but connecting authenticated would not work. After wondering about this for a while, I found out (by running the client in the foreground) that during an authenticated connection attempt the client's script was asking a Yes/No question about whether or not I wanted to accept the server's key. I accepted it once, and after that running the client in the background produced a working connection.
Run Gogo-client by commanding
Then check that you have a new tunnel interface with an IPv6 address and a globally valid-looking IPv6 address on your LAN interface.
Sometimes connecting seems to take a while. Be patient, and if you lose faith, check the log to see what is going on.
tail -F /var/log/gogoc/gogoc.log
You can increase logging verbosity by adjusting values in gogoc.conf.
Since I got connected after a few tries, I was then able to ping and trace around
ping6 ipv6.google.com
traceroute6 ipv6.google.com
Here is my ip6tables firewall config.
Save it for example to /home/admin/firewall6 and apply it by saying
sudo ip6tables-restore < /home/admin/firewall6
user@host:~$ cat /home/admin/firewall6
# Generated by ip6tables-save v1.4.10 on Thu Mar 22 17:55:32 2012
*filter
:INPUT DROP [7697:530851]
:FORWARD DROP [53871:37157829]
:OUTPUT ACCEPT [8129:2157811]
#
# == INPUT =====
#
# Allow anything on the local link
-A INPUT -i lo -j ACCEPT
#
# Allow Link-Local addresses
-A INPUT -s fe80::/10 -j ACCEPT
#
# Allow multicast
-A INPUT -d ff00::/8 -j ACCEPT
#
# Allow ICMPv6 everywhere
-I INPUT -p icmpv6 -j ACCEPT
#
# Allow established
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Allow SSH
-I INPUT -p tcp --dport 22 -j ACCEPT
#
# Log
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6tables input denied: " --log-level 7
#
# == FORWARD =====
#
-A FORWARD -m state --state NEW -i eth0 -o tun -s <my_ipv6_prefix>/56 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp --dport 22 -j ACCEPT
-I FORWARD -p icmpv6 -j ACCEPT
#
# Log
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "ip6tables forwarding denied: " --log-level 7
COMMIT
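A quick audit of the ruleset above, as an added example that is not part of the original post: it lists every ACCEPT rule with no source, input-interface or established-state restriction, which are the rules that new connections arriving over the tunnel can match. The function names and the 2001:db8::/56 documentation prefix standing in for <my_ipv6_prefix>/56 are assumptions.

```shell
#!/bin/sh
# Constructed sample: the ACCEPT rules from the ruleset above, with the
# documentation prefix 2001:db8::/56 standing in for <my_ipv6_prefix>/56.
sample_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-I INPUT -p icmpv6 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-I INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state NEW -i eth0 -o tun -s 2001:db8::/56 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp --dport 22 -j ACCEPT
-I FORWARD -p icmpv6 -j ACCEPT
COMMIT
EOF
}

# Read an ip6tables-save dump on stdin and print "CHAIN: rule" for every
# ACCEPT rule that is not limited by -i, -s, or a state match that excludes
# NEW. Such rules accept new connections from any source, tunnel included.
open_accepts() {
    awk '
    ($1 == "-A" || $1 == "-I") && / -j ACCEPT/ {
        restricted = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-i" || $i == "-s") restricted = 1
            if (($i == "--state" || $i == "--ctstate") && $(i + 1) !~ /NEW/) restricted = 1
        }
        if (!restricted) print $2 ": " $0
    }'
}

# Print the name of every chain whose default policy is not DROP.
non_drop_policies() {
    awk '/^:/ && $2 != "DROP" { print substr($1, 2) }'
}

# Run both checks on the constructed sample.
echo "Chains without a DROP policy: $(sample_rules | non_drop_policies)"
sample_rules | open_accepts
```

On the router itself, feed it the live ruleset with `sudo ip6tables-save | open_accepts`.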
In order to make my connections come up and my firewall rules be applied after the system reboots, I put these in /etc/rc.local
mkdir /var/run/gogoc &&
ip6tables-restore < /home/admin/firewall6
That mkdir command is there because of the second issue I experienced.
Every time I rebooted my host, gogoc would not connect because of missing
This is my quick and very dirty fix for that. You may want to try whether you can get it rolling without such a ridiculous trick.
Everything now works the way I was hoping. Client computers can access Internet hosts with both IPv4 and IPv6. The configurations on my Linux router persist over reboots. For now, client computers use only an IPv4-based name server.