Routing Windows 2000 IPv6 traffic with OpenBSD

(Last modified: 06/03/01)


Setting up an IPv6 tunnel from a host to a broker was one thing. But I wanted to use IPv6 from my desktop. The dancing KAME was my goal. After years of procrastination, I finally got to see her dance. Here's how.

If you have any questions or comments, feel free to drop me a note.

Note that I've written most of this document from memory. It appears to be correct; if I've missed something, let me know.

Described Network

Here's my network set up:

                                (( Internet ))
                              | OpenBSD firewall |
                                ( Windows 2000 )
I will describe the setup on the OpenBSD firewall, and the Windows 2000 desktop machine.

Initial Setup

To start, make sure you are running a recent version of OpenBSD. The latest available at the time of this writing is 2.9-current. OpenBSD natively supports IPv6 and the generic interface ( gif(4) ), required for tunneling.

You'll need to download and install the IPv6 Technology Preview from Microsoft for Windows:

Remember to bind the IPv6 protocol to the NIC. This is discussed in the Technology Preview install docs.

For the purposes of this discussion, the router's external addresses are and 1:1:1:1::2, and the internal addresses are and 1:2:1:1::1. The Windows external addresses will be and 1:2:1:1::2.

Turning on IPv6 Routing

Make sure the router will forward IPv6 packets:
sysctl -w net.inet6.ip6.forwarding=1
You can turn this option on permanently by adding "net.inet6.ip6.forwarding=1" to /etc/sysctl.conf.

Requesting a Tunnel

There are a number of IPv6 brokers. See for a list. I use Hurricane Electric. Most require you to register for an account.

When prompted, enter your firewall's external IP. Hurricane will provide you with information similar to the following:

Broker IPv4 tunnel address:
Broker IPv6 link address: 1:1:1:1::1/127

Your IPv4 tunnel address:
Your IPv6 link address: 1:1:1:1::2/127
Next, you'll want to request a /64. This is a bit of an overkill, but it's fun to look at.

Your IPv6 network prefix: 1:2:1:1::/64
Now you're ready to set up the tunnel.

Configuring the Router -> Broker Tunnel

Using the values provided by the broker, configure the tunnel from the router to the broker. You'll want to do something like:
ifconfig gif0 giftunnel
ifconfig gif0 inet6 1:1:1:1::2 1:1:1:1::1 prefixlen 128 alias
route -n add -inet6 default 1:1:1:1::1
HE provides lines similar to the above. Substitute your IP addresses where appropriate.

Configuring the Router LAN Interface

Using the network prefix provided, configure the LAN interface for IPv6:

ifconfig xl1 inet6 1:2:1:1::1 prefixlen 64 alias
Some people may prefer to use the current IPv4 address as an identifier, instead of the ::1 used above. This is more or less dependent on the address space assigned to you (though in our case it would work), and may make the IPv4 -> v6 conversion a little easier to maintain. E.g. we might have configured xl1 as 1:2:1:1::

Interestingly, OpenBSD and Windows have already configured their interfaces, deriving a "link local" address from the ethernet addresses on the cards. This address is used below when configuring the default IPv6 route under Windows.

Configuring the Windows LAN Interface

Assign a default route and IP to the "Local Area Connection" Windows interface:

ipv6 rtu ::/0 5/fe80::260:97ff:fea0:ebe5 pub
ipv6 adu 5/1:2:1:1::2
In this case, the LAC interface number is 5 (denoted by the 5/ above). To determine your LAC interface, type "ipv6 if" from a DOS prompt. Also note that if you named your network interface something other than the default "Local Area Connection", that name will be used in its place in the "ipv6 if" output.

Note that we are setting the default route to the "link local" address of the router. This address can be determined with "ifconfig xl1" on the router. The address will start with fe80::.

Testing IPv6

From the router, ping the broker's end point:

ping6 1:1:1:1::1
From the Windows machine, ping the router:

ping6 1:2:1:1::1
Finally, load up IE and open If all is well, the turtle should be "dancing". If you scroll to the bottom of the page, you should see your Windows 2000 machine's IPv6 address: 1:2:1:1::2. Cheers!

Additional Notes

- Windows 2000 SP2 requires a few tweaks to the IPv6 install package before it will work. See their FAQ at the download center for more info.

- PGP Desktop Security's PGPnet caused trouble with the Windows interface. IPv6 wouldn't run natively (i.e. without a tunnel). Once the service was unbound from the ethernet interface, I was able to use the interface as expected.

- Hurricane Electric will periodically check to see if your tunnel is still active. I believe they remove it from their database if it's not.

- You might want to place the above configuration options in the respective OS boot scripts to ensure your configuration survives a reboot.

- Remember to configure ipf to protect your new IPv6 network. I'm not sure of its current status w/r/t IPv6, though it is worth looking into. In the mean time, you can prevent all IPv6 traffic from entering your network with a rule similar to "block in on xl0 proto ipv6 from any to any" on the router.


Microsoft's IPv6 research page:

Hurricane Electric's IPv6 page:

KAME Project:

IPv6 News and Links (lots of info):

K-Elite IPv6 (this page will tell you if you're using IPv4/v6):


Written by Robert Mooney (rjmooney\@impetus\.us).

Copyright (c) 2001 Robert Mooney, All rights reserved.

This document may be freely distributed and modified, so long as the original author is credited.

If you are inclined, you can leave me a tip with PayPal. Sign up for it.

 Return to the Main index