Project V6: Making an IPv6 Gateway with Vyatta (10 pts.)

What You Need

A Vyatta router connected to the IPv6 Internet, either native IPv6 or some sort of tunnel. I used a Vyatta virtual machine running on my Mac OS X computer.
A routed block of public IPv6 addresses to assign to the devices on your LAN, such as those assigned by Hurricane Electric free tunnel users

An end device to connect to the IPv6 Internet via the Vyatta virtual router. The end device can be almost anything, such as a PC, Mac, Linux computer, smartphone, or iPad. So far the instructions below only cover these devices explicitly:

Windows 7
Linux
Mac OS X

Purpose

This is what every home and small business LAN needs to distribute IPv6 to end devices--the "last mile". You should get as fast and efficient at this process as you are configuring a typical IPv4 LAN.

Testing your Vyatta Router's IPv6 Connection

On your Vyatta Router, execute this command:

ping6 google.com

You should see replies, as shown below:

Press Ctrl+C to stop the pings.

Selecting the Distribution Interface

On your Vyatta Router, execute this command:

show interfaces

Choose an interface to be used as the Default Gateway on your LAN.

In my example, the correct interface to use is eth0, as shown below:

Determining an IPv6 Range to Distribute

Whoever is providing your IPv6 addresses should have given you a block of addresses to use.

If you are using a Hurricane Electric tunnel, do this to get a "Routed /48"--the standard allocation of IPv6 addresses.

This is a large enough allocation for 65,000 subnets, each containing 16 billion billion addresses. You won't have to go ask for more any time soon.

At the bottom of the page, click on your tunnel.

In the "Tunnel Details", in the "Routed IPv6 Prefixes" section, in the "Routed /48" line, click the "Assign /48" link.

Your prefix appears. Mine is 2001:470:8273::/48, as shown below:

Since we are only allocating addresses for a single LAN now, we'll only need one /64 subnet. To get that, add a :1 after your /48 prefix, to get a /64 range, like this:

2001:470:8273:1::/64

Enabling IPv6 Forwarding

On your Vyatta router, execute this command:

show ipv6 forwarding

You should see a message saying "ipv6 forwarding is on", as shown below:

If it's not on, enable it with these commands:

configure

delete system ipv6 disable-forwarding

commit

save

exit

Distributing IPv6 Addresses on eth0

The commands below configure these results:

Assign the first address in your Routed /64 subnet to eth0
Send Router Advertisements on eth0 every ten seconds, which tell clients:
- Autoconfigure an address with SLAAC (Vyatta's default)
- Autoconfigure the default gateway to point to the Vyatta
- Autoconfigure non-address information also (this is the optional DNS server information delivered over dhcpv6)

On your Vyatta router, execute these commands, using your subnet prefix, not mine:

configure

set interfaces ethernet eth0 address 2001:470:8273:1::1/64

set interfaces ethernet eth0 ipv6 router-advert send-advert true

set interfaces ethernet eth0 ipv6 router-advert max-interval 10

set interfaces ethernet eth0 ipv6 router-advert prefix 2001:470:8273:1::/64

set interfaces ethernet eth0 ipv6 router-advert other-config-flag true

set interfaces ethernet eth0 ipv6 router-advert default-preference true

set interfaces ethernet eth0 ipv6 router-advert managed-flag true

commit

save

exit

Adding a Static Route to the Vyatta OpenVPN Server

If your connection to the Internet is through a tunnel to another router, you must add a route to that remote router so it knows where your /48 is.

In my case, I am using an Amazon E2C Vyatta virtual machine.

On that device, execute these commands, using thesr values:

The first address is your routed /48 from Hurricane Electric
The second address is the vtun2 IPv6 address on your Vyatta OpenVPN Client

your subnet prefix, not mine, for the routed /48, and :

configure

set protocols static route6 2001:470:8273::/48 next-hop 2001:470:1f05:7a9::2

commit

save

exit

Choosing a Client Device

To complete this project, you need to connect one client, and use traceroute top prove that it has autoconfigured both the IPv6 address and IPv6 default route.

So choose the section below for your client.

Connecting a Windows 7 Client
Start a Windows 7 computer, connected to the same LAN as your Vyatta's interface sending out Router Advertisements.
On the Windows 7 client, in a Command Prompt window, execute this command:
ping -6 google.com
You should see replies, as shown below:

On the Windows 7 client, in a Command Prompt window, execute this command:
tracert -6 google.com
You should see the first hop to your routed/48, and the second to your routed/64, as shown below:

Saving the Screen Image
Make sure the first two hops have addresses starting with 2001:470
Save a screen shot of this image with the filename
Proj V6 from Your Name

Connecting a Linux Client
Start a Linux computer, connected to the same LAN as your Vyatta's interface sending out Router Advertisements.
I used a BackTrack 5 R2 virtual machine.
In the Linux client, in a Terminal window, execute these commands:
dhclient ping6 google.com
You should see replies, as shown below:

In the Linux client, in a Terminal window, execute this command:
traceroute6 google.com
You should see the first hop to your routed/48, and the second to your routed/64, as shown below:

Saving the Screen Image
Make sure the first two hops have addresses starting with 2001:470
Save a screen shot of this image with the filename
Proj V6 from Your Name

Connecting a Mac OS X Client
Start a Mac OS X computer, connected to the same LAN as your Vyatta's interface sending out Router Advertisements.
I used a MacBook Air running Lion, 10.7.4.
In the Mac OS X client, in a Terminal window, execute this command:
ping6 google.com
You should see replies, as shown below:
Troubleshooting
I had some problems making this work reliably. Here are things that made it work better:
If the Vyatta is in a VM, use Bridged networking, not NAT
To clear any old IPv6 configuration and renew it on the Mac's en0 interface, enter these two commands to disable IPv6 on that interface and then re-enable it again:
sudo ip6 -d en0 sudo ip6 -u en0
Test the network; make sure the OpenVPN tunnel is connected. It works best to use a good, reliable underlying IPv4 network, not a busy wireless LAN.
In the Mac OS X client, in a Terminal window, execute this command:
traceroute6 google.com
You should see the first hop to your routed/48, and the second to your routed/64, as shown below.
For some reason, the Mac doesn't show any additional hops. :

Saving the Screen Image

Make sure the first two hops have addresses starting with 2001:470

Save a screen shot of this image with the filename

Proj V6 from Your Name

Turning In your Project

Email the image to cnit.60@gmail.com with a subject line of

Proj V6 from Your Name

Notes

To configure Vyatta to distribute DNS server IPv6 addresses, use these commands:

set service dhcpv6-server shared-network-name lan subnet 2001:470:8273:1::/64 name-server '2620:0:ccc::2' 

set service dhcpv6-server shared-network-name lan subnet 2001:470:8273:1::/64 name-server '2620:0:ccd::2'

You don't really need them now, because virtually every client can resolve DNS over IPv4.

Sources

http://ebook.cna.ilkom.unsri.ac.id/vyatta/Vyatta_IPv6_R6.0_v03.pdf

Last modified 6:28 pm 10-22-12