Routing Windows 2000 IPv6 traffic with OpenBSD|
(Last modified: 06/03/01)
If you have any questions or comments, feel free to drop me a note.
Note that I've written most of this document from memory. It appears to be correct; if I've missed something, let me know.
(( Internet )) | ------------------ | OpenBSD firewall | ------------------ | ( Windows 2000 )I will describe the setup on the OpenBSD firewall, and the Windows 2000 desktop machine.
You'll need to download and install the IPv6 Technology Preview from Microsoft for Windows:
Remember to bind the IPv6 protocol to the NIC. This is discussed in the Technology Preview install docs.
For the purposes of this discussion, the router's external addresses are 10.1.1.1 and 1:1:1:1::2, and the internal addresses are 10.2.1.1 and 1:2:1:1::1. The Windows external addresses will be 10.2.1.2 and 1:2:1:1::2.
sysctl -w net.inet6.ip6.forwarding=1You can turn this option on permanently by adding "net.inet6.ip6.forwarding=1" to /etc/sysctl.conf.
When prompted, enter your firewall's external IP. Hurricane will provide you with information similar to the following:
Broker IPv4 tunnel address: 126.96.36.199 Broker IPv6 link address: 1:1:1:1::1/127 Your IPv4 tunnel address: 10.1.1.1 Your IPv6 link address: 1:1:1:1::2/127Next, you'll want to request a /64. This is a bit of an overkill, but it's fun to look at.
Your IPv6 network prefix: 1:2:1:1::/64Now you're ready to set up the tunnel.
ifconfig gif0 giftunnel 10.1.1.1 188.8.131.52 ifconfig gif0 inet6 1:1:1:1::2 1:1:1:1::1 prefixlen 128 alias route -n add -inet6 default 1:1:1:1::1HE provides lines similar to the above. Substitute your IP addresses where appropriate.
ifconfig xl1 inet6 1:2:1:1::1 prefixlen 64 aliasSome people may prefer to use the current IPv4 address as an identifier, instead of the ::1 used above. This is more or less dependent on the address space assigned to you (though in our case it would work), and may make the IPv4 -> v6 conversion a little easier to maintain. E.g. we might have configured xl1 as 1:2:1:1::10.2.1.1.
Interestingly, OpenBSD and Windows have already configured their interfaces, deriving a "link local" address from the ethernet addresses on the cards. This address is used below when configuring the default IPv6 route under Windows.
ipv6 rtu ::/0 5/fe80::260:97ff:fea0:ebe5 pub ipv6 adu 5/1:2:1:1::2In this case, the LAC interface number is 5 (denoted by the 5/ above). To determine your LAC interface, type "ipv6 if" from a DOS prompt. Also note that if you named your network interface something other than the default "Local Area Connection", that name will be used in its place in the "ipv6 if" output.
Note that we are setting the default route to the "link local" address of the router. This address can be determined with "ifconfig xl1" on the router. The address will start with fe80::.
ping6 1:1:1:1::1From the Windows machine, ping the router:
ping6 1:2:1:1::1Finally, load up IE and open http://www.kame.net/. If all is well, the turtle should be "dancing". If you scroll to the bottom of the page, you should see your Windows 2000 machine's IPv6 address: 1:2:1:1::2. Cheers!
- PGP Desktop Security's PGPnet caused trouble with the Windows interface. IPv6 wouldn't run natively (i.e. without a tunnel). Once the service was unbound from the ethernet interface, I was able to use the interface as expected.
- Hurricane Electric will periodically check to see if your tunnel is still active. I believe they remove it from their database if it's not.
- You might want to place the above configuration options in the respective OS boot scripts to ensure your configuration survives a reboot.
- Remember to configure ipf to protect your new IPv6 network. I'm not sure of its current status w/r/t IPv6, though it is worth looking into. In the mean time, you can prevent all IPv6 traffic from entering your network with a rule similar to "block in on xl0 proto ipv6 from any to any" on the router.
Hurricane Electric's IPv6 page:
IPv6 News and Links (lots of info):
K-Elite IPv6 (this page will tell you if you're using IPv4/v6):
Copyright (c) 2001 Robert Mooney, All rights reserved.
This document may be freely distributed and modified, so long as the original author is credited.
If you are inclined, you can leave me a tip with PayPal. Sign up for it.
Return to the Main index|