joeka
Posts: 6
Joined: Tue Jul 03, 2012 9:12 am

rpi as an IPv6 router using a sixxs tunnel and arch

Sat Dec 15, 2012 8:52 am

I decided that I want IPv6 for devices in my network and invested several hours to figure out how I can achieve this, using my raspberry pi as a router.

In case someone wants to do something similar, here is what I've done:
[I'm using arch linux arm, a sixxs tunnel with aiccu, radvd, ufw, systemd]

1. Get an IPv6 over IPv4 tunnel
My ISP doesn't provide me with an IPv6 address, so the first step is to get one. I chose sixxs for no particular reason. You can sign up for an account on their website and later for a tunnel with a /64 subnet.

2. Install aiccu
aiccu is a tool for (and by) sixxs, so it's only useful if you use sixxs, but if you do, it makes setting up IPv6 as easy as editing a few lines in one config file and running it.

If you are using arch you can install it from the AUR:

Code: Select all

yaourt -S aiccu
2.1 Setup aiccu
You only have to edit /etc/aiccu.conf and fill in your user data and a few basic settings:

Code: Select all

username <SIXXS-USERNAME>
password <SIXXS-PASSWORD>
protocol tic
server tic.sixxs.net
tunnel_id <YOUR_TUNNEL_ID>
ipv6_interface sixxs
That should be all. If you are using systemd run

Code: Select all

systemctl start aiccu
and to enable it on startup

Code: Select all

systemctl enable aiccu
And you should have an IPv6 address (and route etc.) for your rpi. Check:

Code: Select all

ip addr
3. Install radvd
radvd is an IPv6 router advertisement daemon. Thanks to this feature you won't have to set up your other devices. If your router is set up correctly and is doing router advertisement, IPv6's auto configuration will handle IP settings, routes etc. for your clients.

Again if using arch just do:

Code: Select all

pacman -S radvd
3.1. Configuring radvd
You have to tell radvd which subnet belongs to your router. The important part of /etc/radvd.conf should look like this:

Code: Select all

    prefix <YOUR_SUBNET_PREFIX>/64
        {
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr off;
        };
<YOUR_SUBNET_PREFIX>/64 is the subnet you got from e.g. sixxs. If you have a /48 subnet or something else, don't put /64 there :)

Start (and enable) it:

Code: Select all

systemctl start radvd
systemctl enable radvd
4. Enable forwarding
Right now your rpi wouldn't forward any packets from you to computers on the internet and back; you have to activate this.

The correct way to do this is to set

Code: Select all

net.ipv6.conf.all.forwarding = 1
in /etc/sysctl.conf (EDIT: in Arch /etc/sysctl.d/<something>.conf)
(If you use ufw you have to set it in /etc/ufw/sysctl.conf)

5. Set a static IP using systemd
There are probably prettier ways to do this, but as the method to enable packet forwarding described in 4. doesn't work for me, I use one systemd unit file to set a static IP and enable forwarding. I have to set a static IP because auto configuration doesn't work if forwarding is activated, and I need an IP in my subnet for my local network adapter.

For why the method in 4. doesn't work: I'm not sure. I tried setting it in unit files -> with systemd and I can't set /proc/sys/net/ipv6/conf/all/forwarding if my unit is started too early. That's why I use After=network.target in the unit file below. This could be related.

My example file is /etc/systemd/system/ipv6forwarding

Code: Select all

[Unit]
Description=Enable IPv6 forwarding
After=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/sysctl net.ipv6.conf.all.forwarding=1
ExecStart=/sbin/ip addr add <IP_IN_YOUR_SUBNET>/64 dev eth0

ExecStop=/sbin/sysctl net.ipv6.conf.all.forwarding=0
ExecStop=/sbin/ip addr del <IP_IN_YOUR_SUBNET>/64 dev eth0

[Install]
WantedBy=multi-user.target
Of course the subnet size and the device name should match yours.
You can enable and start this like the other systemd services above.

6. Firewall
You probably want to use a firewall because your devices will be directly accessible (through the tunnel -> The NAT/Firewall of your home router is not in the way). I'm using ufw for this.
(If using arch - you know the drill...)

The aim for me was to get something I am used to: I want everything to get out and only answers or stuff on explicitly enabled ports to get in.

First set up some basic rules

Code: Select all

ufw default deny
I'm not interested in connections from the internet to my rpi.

Code: Select all

ufw allow from <LOCAL_IPv4_SUBNET>
ufw allow from fe80::/10
ufw allow from <OWNED_IPv6_SUBNET>
But I want my local clients to be able to access it. I don't know if you can make network adapter specific rules through ufw, that could make it easier and you can use iptable rules in /etc/ufw/*.rules if you want to do this.

In /etc/default/ufw IPv6 support should be enabled and I set the DEFAULT_FORWARD_POLICY to drop, so that not everything is routed.

Code: Select all

IPV6=yes
DEFAULT_FORWARD_POLICY="DROP"
Now comes the important part: In /etc/ufw/before6.rules I enable forwarding for all outgoing packets (don't forget to change the device name to yours) and the second rule should allow me to get "answers". Conntrack tracks connections :D and therefore knows which packets it should let back in.

Code: Select all

# forward all outgoing
-A ufw6-before-forward -i eth0 -j ACCEPT

# and forward replies / established / related packets
-A ufw6-before-forward -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
You will have to set additional rules for incoming traffic or applications that try to use additional incoming ports.

When starting (and enabling) ufw for the first time you have to enable it through the ufw interface too:

Code: Select all

ufw enable
Please tell me what I did wrong or what would improve this setup!
Last edited by joeka on Tue Sep 17, 2013 3:43 pm, edited 1 time in total.
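
An audit of `ufw allow from` sources like the ones in step 6, as an added example that is not part of the original post. It shows how a mistyped prefix length widens a rule: the entry `fe80::/1` and all addresses below are constructed sample values, and the function name is hypothetical.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("fe80::/10")  # IPv6 link-local range

def audit_allow_sources(sources, owned_v6, local_v4):
    """Return {source: finding} for each allow-from source wider than intended.

    Intended ranges are link-local, the owned IPv6 subnet and the local IPv4 subnet.
    """
    intended = [LINK_LOCAL,
                ipaddress.ip_network(owned_v6),
                ipaddress.ip_network(local_v4)]
    findings = {}
    for src in sources:
        # strict=False: evaluate the range the mask really selects,
        # e.g. fe80::/1 keeps only the first bit and becomes 8000::/1
        net = ipaddress.ip_network(src, strict=False)
        same_family = [i for i in intended if i.version == net.version]
        if any(net.subnet_of(i) for i in same_family):
            continue  # inside an intended range, nothing to report
        swallowed = [str(i) for i in same_family if i.subnet_of(net)]
        findings[src] = f"selects {net}, which is wider than {swallowed or 'any intended range'}"
    return findings

if __name__ == "__main__":
    # Constructed rule sources; the third one has a mistyped prefix length.
    rules = ["192.168.1.0/24", "fe80::/10", "fe80::/1", "2001:db8:200:2b::/64"]
    for src, finding in audit_allow_sources(
            rules, "2001:db8:200:2b::/64", "192.168.1.0/24").items():
        print(f"{src}: {finding}")
```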

DOSSTONED
Posts: 14
Joined: Wed Sep 19, 2012 2:47 pm

Re: rpi as an IPv6 router using a sixxs tunnel and arch

Mon Dec 17, 2012 12:25 pm

Have you tried the settings with real IPv6 access? My ISP has IPv6 support and the RPi gets an IPv6 address automatically, and I can access IPv6 sites. I installed pptpd for VPN access, and radvd intended to give IPv6 access through the VPN. I can access IPv4 sites, but IPv6 seems not to be routed.

Forward settings are changed already.
Does radvd support to bridge all the traffic from eth0 to ppp0?

joeka
Posts: 6
Joined: Tue Jul 03, 2012 9:12 am

Re: rpi as an IPv6 router using a sixxs tunnel and arch

Tue Dec 18, 2012 11:21 pm

No, I only have the tunnel.

You want to share your IPv6 connection with other devices through a vpn?
Is your vpn connection established on the same device as radvd?
Does your other device (through the vpn) get an IPv6 address from your subnet?

Have you set up the prefix in /etc/radvd.conf?
When I think about it, I'm not even sure if that can work, as you have two routers for the same prefix in your lan?
> Does radvd support to bridge all the traffic from eth0 to ppp0?
I think radvd does nothing like this. It only does router advertisement. The question should rather be, does the vpn device route stuff like router advertisement.

If your device gets an IP in the correct subnet but your connection doesn't work, you should check if /proc/sys/net/ipv6/conf/all/forwarding is really set.

Sorry that I can't help you much.

Edit:
I guess it could work through pptp.
How exactly are you managing your subnet? I guess you have a regular home router? Can you set it to advertise only a part of your subnet, so that your second router can advertise the other part?
Btw. does your pptp device have a correct IPv6 address? You probably have to manually set it?

So many questions :D

jonls
Posts: 1
Joined: Thu Apr 11, 2013 1:54 pm

Re: rpi as an IPv6 router using a sixxs tunnel and arch

Thu Apr 11, 2013 3:22 pm

Hi, thank you very much for writing this guide. I have followed it (although using Raspbian) to set up an IPv6 tunnel through SixXS with success and I've managed to configure forwarding so that the other computers on the local network can use the IPv6 tunnel. I have a few notes to add:

Setup IPv6 tunnel through SixXS: Registering for the account and for the tunnel takes a while because the registration is handled manually. Expect to wait at least a couple of hours, maybe even days.

radvd configuration: I had to specify some more options in the config file to make it work:

Code: Select all

interface eth0 {
        AdvSendAdvert on;
        prefix 2001:XXXX:YYYY:ZZZZ::/64 {
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr off;
        };
};
Very important: The prefix is the subnet prefix which is found by logging into SixXS. It is not just the first part of your IPv6 address! I didn't pay attention to this at first and I spent a lot of time trying to figure out what was wrong. If the prefix is not correctly set up the tunnel will silently drop packets from the other clients on the local network.

Static IP configuration: Apparently Linux will not forward packets if the local raspi interface does not have a global IPv6 address. This can be added statically in Raspbian by adding the following lines to /etc/network/interfaces:

Code: Select all

iface eth0 inet6 static
        address 2001:XXXX:YYYY:ZZZZ::1
        netmask 64
Notice again that this address should be a valid address in the subnet.

After these steps the other clients on the local network automatically detect the IPv6 router and start routing data through it.
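
The prefix and static-address pitfalls from the post above can be checked before restarting radvd. This is an added example, not part of the original post: it assumes the tunnel endpoint address and the routed subnet sit in different /64s, and every address is a constructed value under the documentation range 2001:db8::/32.

```python
import ipaddress

def check_lan_config(tunnel_addr, routed_subnet, radvd_prefix, lan_addr):
    """Return a list of problems; an empty list means the values agree.

    tunnel_addr   -- address/prefixlen on the tunnel interface (e.g. sixxs)
    routed_subnet -- subnet delegated for the LAN, as shown by the tunnel broker
    radvd_prefix  -- argument of the `prefix` statement in /etc/radvd.conf
    lan_addr      -- static address/prefixlen on the LAN interface (e.g. eth0)
    """
    problems = []
    tunnel = ipaddress.ip_interface(tunnel_addr)
    routed = ipaddress.ip_network(routed_subnet)
    lan = ipaddress.ip_interface(lan_addr)
    try:
        advertised = ipaddress.ip_network(radvd_prefix)
    except ValueError:
        # Raised when an interface address was pasted where a prefix belongs
        problems.append("radvd prefix has host bits set")
        advertised = ipaddress.ip_network(radvd_prefix, strict=False)

    if advertised.overlaps(tunnel.network):
        problems.append("radvd advertises the tunnel prefix, not the routed subnet")
    elif not advertised.subnet_of(routed):
        problems.append("radvd prefix is outside the routed subnet")
    if lan.ip not in advertised:
        problems.append("LAN interface address is not inside the advertised prefix")
    if lan.network != advertised:
        problems.append("LAN interface prefix differs from the advertised prefix")
    return problems

if __name__ == "__main__":
    # Constructed case: the tunnel /64 was copied into radvd.conf by mistake.
    for problem in check_lan_config("2001:db8:100:2b::2/64",
                                    "2001:db8:200:2b::/64",
                                    "2001:db8:100:2b::/64",
                                    "2001:db8:200:2b::1/64"):
        print("problem:", problem)
```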

pi3g
Authorised Reseller
Posts: 147
Joined: Mon Nov 05, 2012 9:58 pm
Location: Germany

quick hint to save you loads of time

Wed Jul 03, 2013 10:24 pm

I had been struggling for a very long time, trying to get IPv6 (as a router for the home network) working.

I'll sum up the necessary building blocks in my blog post over time:
http://blog.pi3g.com/2013/07/ipv6-setup/

Just a quick hint to some who may also be hitting a wall:
If your other (networked) machines are getting global IPv6 addresses (check with ip -6 addr show), as assigned by radvd on your router-Raspberry, but NO ping6 ipv6.google.com is going through, it may be that your router-Raspberry does NOT send BACK traffic the way it should to your network.
This may happen even if you set up a static network address for your router-Raspberry.

Adding a routing rule on your router-Raspberry will solve that problem:

Code: Select all

ip route add 2001:db8:384e:8888::/64 dev br0
Aaah, take care that my device is br0, not eth0 - as I also have a bridged setup. If in doubt, use eth0 or wlan0 here.


(Assuming you are using the subnet 2001:db8:384e:8888::/64 for your local network).

If you are still stuck, try
tcpdump -w /tmp/traffic.dmp
and analyse the dump contents with Wireshark. In my case, I was seeing ping requests coming in from the other Raspberries in the network, but no answers to them ... and finally came up with the routing solution.

HTH,
M.
picockpit.com - tools to make your life with the Pi a little bit easier
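
Why the missing route swallows replies, as an added example that is not part of the original post: a longest-prefix-match lookup over constructed `ip -6 route show` output, before and after the `ip route add` command above. The tunnel prefix 2001:db8:384e:1::/64 and the `sixxs` interface name are assumptions, and route metrics and policy routing are ignored.

```python
import ipaddress

# Constructed routing table: tunnel /64 on sixxs, no route for the LAN /64 yet.
BEFORE = """\
2001:db8:384e:1::/64 dev sixxs proto kernel metric 256
fe80::/64 dev br0 proto kernel metric 256
fe80::/64 dev sixxs proto kernel metric 256
default via 2001:db8:384e:1::1 dev sixxs metric 1024
"""
# The same table after: ip route add 2001:db8:384e:8888::/64 dev br0
AFTER = BEFORE + "2001:db8:384e:8888::/64 dev br0 metric 1024\n"

def parse_routes(text):
    """Parse `ip -6 route show` lines into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields[:-1]:
            continue  # blank line or a route without an output device
        dest = "::/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest)
        except ValueError:
            continue  # e.g. lines starting with "unreachable"
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes

def egress_device(routes, destination):
    """Device chosen by longest-prefix match for a packet to `destination`."""
    dst = ipaddress.ip_address(destination)
    matches = [(net, dev) for net, dev in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

if __name__ == "__main__":
    client = "2001:db8:384e:8888::42"  # constructed LAN client address
    print("before:", egress_device(parse_routes(BEFORE), client))
    print("after: ", egress_device(parse_routes(AFTER), client))
```

Before the route is added, a reply addressed to the LAN client only matches the default route and leaves through the tunnel again, which matches the symptom of requests arriving with no answers.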
