This blog article records the progress of setting up an IPv6 tunnel to Hurricane Electric at home, where my ISP has no plan in sight to provide prefix-delegated IPv6 access over PPPoE.
Shorthands and Assumptions in This Note
- eth0 connects to the Internet via IPv4. This note shall also apply to encapsulated interfaces, e.g. vlan15@eth0, lte0 or pppoe0.
- eth1 connects to the local LAN. Likewise, the process shall be the same when the LAN side is a VLAN or a bridge (or both).
- tun0 denotes the sit tunnel interface created in the next section.
- A line beginning with # denotes a comment in the configuration notes.
Setting up the Tunnel Interface on ER-X
Once the tunnel has been registered correctly on TunnelBroker, it should provide the following information:
- Logical address at the local endpoint, e.g. 2001:444:111:222::2/64
- Logical address at the remote endpoint, e.g. 2001:444:111:222::1/64
- IPv4 address of the remote endpoint to which encapsulated traffic is sent, e.g. 66.220.18.42, the HE tunneling endpoint in Paris.
- A routable prefix for client-side delegation, e.g. 2001:444:112:222::/64. This is usually different from the v6 addresses of the endpoints, and HE will show segments of the prefix in bold.
Now fill the ER-X configuration nodes with the corresponding information and a default route for IPv6:
interfaces:
  tunnel:
    tun0:
      address: [Fill logical v6 address in CIDR at endpoint]
      description: [Give a name to this tun]
      encapsulation: sit
      local-ip: [Fill in IPv4 address at eth0]
      remote-ip: [Fill in IPv4 address at tunneling endpoint]
protocols:
  static:
    interface-route6:
      ::/0:
        next-hop-interface: tun0
        # This creates a default IPv6 routing table entry that
        # routes all traffic for non-link-local addresses to the tunnel.
At this point, one should be able to ping any IPv6 address from the ER-X. If this is working, continue by instructing the LAN interface to advertise the delegated prefix:
interfaces:
  <path-to-interface-config-node>:
    ipv6:
      dup-addr-detect-transmits: 1
      # Stateless SLAAC configuration might produce identical
      # IP addresses. This allows the network to detect whether
      # a stateless address already exists.
      address:
        autoconf
        # Set autoconf to allow stateless delegation by SLAAC
      router-advert:
        prefix:
          [Fill routable delegated prefix here]:
            autonomous-flag: true
            # Instructs hosts on this network to form their own
            # addresses from this prefix (SLAAC)
            on-link-flag: true
            # Indicates that this prefix exists on the
            # same Ethernet link, i.e. these addresses
            # do not require routing
IPv6-enabled devices on the LAN shall now receive globally unique IPv6 addresses from the delegated prefix via SLAAC.
Subsequent Steps
- Confirm IPv6 assignment on LAN devices
$ ip addr
<------ MORE INTERFACES REDACTED ------>
2: eno1: mtu 1480 qdisc fq_codel state UP group default qlen 1000
link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
inet 192.168.5.4/24 brd 192.168.5.255 scope global dynamic noprefixroute eno1
valid_lft 80444sec preferred_lft 80444sec
inet6 2001:470:d:XXXX:XXXX:XXXX:XXXX:dfd3/64 scope global dynamic noprefixroute
valid_lft 2591976sec preferred_lft 86376sec
inet6 fe80::be40:XXXX:XXXX:XXXX/64 scope link noprefixroute
valid_lft forever preferred_lft forever
<------ MORE INTERFACES REDACTED ------>
- Trace the IPv6 path to an IPv6-enabled website
$ traceroute -6 ac.cth451.me -n
traceroute to ac.cth451.me (2606:4700:30::681c:1b16), 30 hops max, 80 byte packets
 1  2001:470:d:XXXX:XXXX:XXXX:XXXX:XXXX  0.415 ms  0.533 ms  0.624 ms
 2  2001:470:c:XXXX::1  185.353 ms  *  203.802 ms
 3  2001:470:0:9d::1  178.603 ms  167.001 ms  189.255 ms
 4  2001:504:0:3:0:1:3335:1  196.520 ms  179.737 ms  196.117 ms
 5  2400:cb00:12:1024::6ca2:d61d  185.036 ms  2400:cb00:12:1024::6ca2:d614  175.573 ms  2400:cb00:12:1024::6ca2:d608  185.263 ms
- It is advisable to set up a network-wide IPv6 firewall on the router: the delegated prefix is globally routable, so every LAN device can be reached directly by any other IPv6-connected host on the Internet.
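As an added example that is not part of the original post, the script below emits the EdgeOS "set" commands for a stateful IPv6 firewall on the tunnel interface and, when run on the router, applies them through the standard configuration wrapper. The ruleset names WAN6_IN and WAN6_LOCAL, the interface name tun0 and the wrapper path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: emit (and, on the router,
# apply) EdgeOS "set" commands for a stateful IPv6 firewall on the HE
# tunnel, so SLAAC hosts behind it cannot be reached unsolicited.
# Assumed: tunnel is tun0, ruleset names WAN6_IN/WAN6_LOCAL are unused,
# and the wrapper lives at the standard EdgeOS path.
set -eu

# One ruleset: drop by default, allow replies to connections opened from
# inside, drop invalid state, and allow ICMPv6 (neighbour discovery,
# path MTU discovery and ping all depend on it).
ipv6_ruleset_cmds() {
    name=$1
    printf 'set firewall ipv6-name %s default-action drop\n' "$name"
    printf 'set firewall ipv6-name %s rule 10 action accept\n' "$name"
    printf 'set firewall ipv6-name %s rule 10 state established enable\n' "$name"
    printf 'set firewall ipv6-name %s rule 10 state related enable\n' "$name"
    printf 'set firewall ipv6-name %s rule 20 action drop\n' "$name"
    printf 'set firewall ipv6-name %s rule 20 state invalid enable\n' "$name"
    printf 'set firewall ipv6-name %s rule 30 action accept\n' "$name"
    printf 'set firewall ipv6-name %s rule 30 protocol icmpv6\n' "$name"
}

# Full command list: one ruleset for traffic forwarded through the tunnel
# to the LAN ("in") and one for traffic addressed to the router ("local").
edgeos_ipv6_firewall_cmds() {
    tun=${1:-tun0}
    ipv6_ruleset_cmds WAN6_IN
    ipv6_ruleset_cmds WAN6_LOCAL
    printf 'set interfaces tunnel %s firewall in ipv6-name WAN6_IN\n' "$tun"
    printf 'set interfaces tunnel %s firewall local ipv6-name WAN6_LOCAL\n' "$tun"
}

# On the ER-X, push the commands through the configuration wrapper and
# commit; anywhere else, just print them for review.
wrapper=/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper
if [ -x "$wrapper" ]; then
    "$wrapper" begin
    edgeos_ipv6_firewall_cmds tun0 | while read -r line; do
        # word-splitting of $line into separate arguments is intended
        "$wrapper" $line
    done
    "$wrapper" commit
    "$wrapper" save
    "$wrapper" end
else
    edgeos_ipv6_firewall_cmds tun0
fi
```

Review the printed commands on a workstation first; the same ruleset can be attached to a PPPoE or VLAN WAN interface by changing the interface path.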
Further Notes
- The sit tunnel shall also work if set up correctly on any other router, or even on a personal computer with a public IPv4 address. I am unable to replicate the settings on a Linux router via raw commands as I do not own a Linux machine with a public IPv4 address.
- I am not sure if the method would work if the local endpoint is behind NAT. This scenario will be experimented on after I return to campus.