With the recent assignment of the last IPv4 /8 address blocks it seemed the time was right to learn about implementing IPv6 on my home LAN. Actually, I blame Andrew Pollockr’s February 1 post on Planet Debian for giving me the idea. Fortunately, since my router is running OpenWRT, a Linux based operating system for home/small office routers and the like that replaces the factory firmware, it seemed like a natural way to be able to integrate IPv6 on my LAN. This won’t be a step-by-step guide but rather pointers to the various resources I used when setting up IPv6.
The first step is to obtain an IPv6 address. Unlike the IPv4 address provided by an ISP, most of us do not get an IPv6 as few ISPs are offering IPv6 addresses to their customers. The alternative used by most early adopters is to register for an IPv6 in an IPv4 tunnel, here after called a 6in4. There are several entities offering 6in4 tunnels. I chose Hurricane Electric’s Tunnel Broker for various reasons, not the least of which is that their service is free of charge and an account can have up to five tunnels available.
After registering and creating a regular tunnel I was ready to go, or so I thought. I started out following the OpenWRT IPv6 Wiki page, but things weren’t matching up. I could find no “6in4” package to install in my 10.03 (Backfire) version of OpenWRT. A query to the OpenWRT forum revealed that a later version of the firmware was required. After upgrading to 10.03rc4 via the Luci Web interface and updating the package download path since it pointed to the old repository as a result of saving my config files, I was able to install the 6in4 package.
To setup IPv6 support I simply followed the Wiki page as a recipe and of particular note, I configured my router for dynamic 6in4 tunneling. Once that was complete I was able to ping6 and resolve IPv6 host names from the router’s shell. Finally I configured the router’s firewall per the version 1 instructions. I now had IPv6 connectivity from the router. Yay!
Next was to serve addresses to the LAN and to do this I installed and configured radvd. Almost like magic my desktop had a global IPv6 address assigned to its Ethernet interface. As on the router, ping6 and IPv6 host name resolution worked perfectly. All was well except that my laptop would not create a global IPv6 address. Something was amiss.
The first order of troubleshooting is to see if the problem occurs in a likewise fashion on similarly configured equipment. After scratching my head for a while and blaming my Linksys WRT55AG router that I use as a Wifi Access Point for not supporting IPv6, I was reminded of that axiom by booting a different laptop and observing, quite by accident (which is how great discoveries are made) that it had configured a global IPv6 address. The Linksys was now off the hook and my attention turned toward the main laptop. It should be noted that all my systems run Debian GNU/Linux except the main laptop which runs Linux Mint Debian Edition which would force me to discover the axiom at the beginning of this paragraph again by accident.
In the process of troubleshooting my laptop a friend booted his LMDE based laptop next to mine and his configured a global IPv6 address! What could be at fault? I had enabled the installed ufw firewall but my friend had not. After disabling the firewall my laptop configured itself a global IPv6 address. Another great discovery almost by accident! UFW was blocking the configuration of IPv6. It was working a bit too well. As my desktop is using the Shorewall iptables configurator, I chose that for my laptop and it functions very well and does not get in the way of address assignment. A caveat for Shorewall users is that IPv6 must be configured separately and is enabled by the shorewall6 package in Debian and friends.
With IPv6 addresses assigned and routing available, I started looking for a way to have the DNSmasq package on my router resolve my machines' host names to their IPv6 addresses as it does for IPv4. While searching I found a page on the Debian Administration site, Running IPv6 in Practice. Most everything in that article was already in place on my router already so no need to duplicate it on the workstations. The key was the section on using Avahi (multi DNS) to resolve local host names. It works very well and will work for new machines or replacement NICs put on the network. It also means that one does not have to commit SLAAC addresses to memory.
IPv6 is working well on my LAN. I found that sshd worked automagically. Other services needed a restart to bind to the new address. Also, each machine now has a globally unique IPv6 address assigned that is routable worldwide. As the machines are not hiding behind a NAT firewall, securing them becomes all the more important. Using nmap to test your firewall rules is an excellent start. Also, your Tunnel Broker account provides an nmap scan to any of your assigned addresses. I have noticed that among applications that Pidgin will use IPv6 when it’s available and Chromium 9.0.X prefers IPv6.
Have fun on the new Internet!