Routing Windows 2000 IPv6 traffic
By Robert Mooney <rjmooney@aboveground.cx>
Note that I've written most of this document from memory. It appears to be correct; if I've missed something or if you have any questions or comments, feel free to drop me a note.
Described Network

Here's my network setup:

      (( Internet ))
            |
    ------------------
   | OpenBSD firewall |
    ------------------
            |
     ( Windows 2000 )

I will describe the setup on the OpenBSD firewall, and the Windows 2000 desktop machine.
Initial Setup

To start, make sure you are running a recent version of OpenBSD. The latest available at the time of this writing is 2.9-current. OpenBSD natively supports IPv6 and the generic interface ( gif(4) ), required for tunneling.

You'll need to download and install the IPv6 Technology Preview from Microsoft for Windows:

    http://msdn.microsoft.com/downloads/sdks/platform/tpipv6.asp

Remember to bind the IPv6 protocol to the NIC. This is discussed in the Technology Preview install docs.

For the purposes of this discussion, the router's external addresses are 10.1.1.1 and 1:1:1:1::2, and the internal addresses are 10.2.1.1 and 1:2:1:1::1. The Windows external addresses will be 10.2.1.2 and 1:2:1:1::2.
Turning on IPv6 Routing

Make sure the router will forward IPv6 packets:

    sysctl -w net.inet6.ip6.forwarding=1

You can turn this option on permanently by adding "net.inet6.ip6.forwarding=1" to /etc/sysctl.conf.

Requesting a Tunnel

There are a number of IPv6 brokers. See http://www.hs247.com/ for a list. I use Hurricane Electric. Most require you to register for an account.

When prompted, enter your firewall's external IP. Hurricane will provide you with information similar to the following:

    Broker IPv4 tunnel address: 64.71.128.26
    Broker IPv6 link address:   1:1:1:1::1/127
    Your IPv4 tunnel address:   10.1.1.1
    Your IPv6 link address:     1:1:1:1::2/127

Next, you'll want to request a /64. This is a bit of an overkill, but it's fun to look at.

    Your IPv6 network prefix:   1:2:1:1::/64

Now you're ready to set up the tunnel.
Configuring the Router -> Broker Tunnel

Using the values provided by the broker, configure the tunnel from the router to the broker. You'll want to do something like:

    ifconfig gif0 giftunnel 10.1.1.1 64.71.128.26
    ifconfig gif0 inet6 1:1:1:1::2 1:1:1:1::1 prefixlen 128 alias
    route -n add -inet6 default 1:1:1:1::1

HE provides lines similar to the above. Substitute your IP addresses where appropriate.
Configuring the Router LAN Interface

Using the network prefix provided, configure the LAN interface for IPv6:

    ifconfig xl1 inet6 1:2:1:1::1 prefixlen 64 alias

Some people may prefer to use the current IPv4 address as an identifier, instead of the ::1 used above. This is more or less dependent on the address space assigned to you (though in our case it would work), and may make the IPv4 -> v6 conversion a little easier to maintain. E.g. we might have configured xl1 as 1:2:1:1::10.2.1.1.

Interestingly, OpenBSD and Windows have already configured their interfaces, deriving a "link local" address from the ethernet addresses on the cards. This address is used below when configuring the default IPv6 route under Windows.
Configuring the Windows LAN Interface

Assign a default route and IP to the "Local Area Connection" Windows interface:

    ipv6 rtu ::/0 5/fe80::260:97ff:fea0:ebe5 pub
    ipv6 adu 5/1:2:1:1::2

In this case, the LAC interface number is 5 (denoted by the 5/ above). To determine your LAC interface, type "ipv6 if" from a DOS prompt. Also note that if you named your network interface something other than the default "Local Area Connection", that name will be used in its place in the "ipv6 if" output.

Note that we are setting the default route to the "link local" address of the router. This address can be determined with "ifconfig xl1" on the router. The address will start with fe80::.
Testing IPv6

From the router, ping the broker's end point:

    ping6 1:1:1:1::1

From the Windows machine, ping the router:

    ping6 1:2:1:1::1

Finally, load up IE and open http://www.kame.net/. If all is well, the turtle should be "dancing". If you scroll to the bottom of the page, you should see your Windows 2000 machine's IPv6 address: 1:2:1:1::2. Cheers!
Additional Notes

- Windows 2000 SP2 requires a few tweaks to the IPv6 install package before it will work. See their FAQ at the download center for more info.
- PGP Desktop Security's PGPnet caused trouble with the Windows interface. IPv6 wouldn't run natively (i.e. without a tunnel). Once the service was unbound from the ethernet interface, I was able to use the interface as expected.
- Hurricane Electric will periodically check to see if your tunnel is still active. I believe they remove it from their database if it's not.
- You might want to place the above configuration options in the respective OS boot scripts to ensure your configuration survives a reboot.
- Remember to configure ipf to protect your new IPv6 network. I'm not sure of its current status w/r/t IPv6, though it is worth looking into. In the meantime, you can prevent all IPv6 traffic from entering your network with a rule similar to "block in on xl0 proto ipv6 from any to any" on the router.
References

Microsoft's IPv6 research page: http://research.microsoft.com/msripv6/
Hurricane Electric's IPv6 page:
KAME Project:
IPv6 News and Links (lots of info):
Credits

Written by Robert Mooney (rjmooney@aboveground.cx).
Copyright (c) 2001 Robert Mooney, All rights reserved.

This document may be freely distributed and modified, so long as the original author is credited.
© 1998-2004 FreeOS Technologies (I) Pvt. Ltd. All rights reserved.