OpenBSD Journal

IPv6 Behind a NAT with OpenBSD and Freenet6

Contributed by sean on from the dept.

Jim writes:
Some time ago Daemon News published a paper I wrote about using IPv6 behind a NAT. I have updated it to be current with Freenet6's latest software. You can find it here.



Comments
  1. By Anonymous Coward (12.108.192.181) on

    I read this guy's article from 1996, and it was just as bad as this one. A number of his examples are simply not applicable to real-world network topologies. After spending a lot of time trying to decipher what in the hell he's talking about, I simply gave up and found a much better tutorial on Usenet simply by searching in Google.

    Now that I've been a six-boner for a long enough period of time, this stuff is all old hat. In the boner circles, we've considered this article to be the prime example of how not to accomplish a successful boning from behind a NAT.

    Comments
    1. By krh (207.75.180.45) on

      Maybe you could explain why you dislike his article so much, and perhaps provide a reference to something you like better?

      Comments
      1. By Anonymous Coward (162.40.115.62) on

        I think the guy just liked saying bone. The original article did not come from 96, it was 2k. So it is just someone jacking around.

      2. By Anonymous Coward (12.108.192.181) on

        Perhaps you could bone up on the six-bone before you start questioning the irrefutable facts I've presented. Some people have a hard time handling the bone, or understanding it and what it stands up for. Once you've got your bone up and running, if you use compression, you can squeeze it enough to make it really shoot across the net really well. Getting your bone up the information highway is a really big step to take, but it will reward you every time you come online.

        Comments
        1. By kris (66.236.9.30) on

          hah this sounds so dirty ...

  2. By Hugo Villeneuve (24.202.244.230) hugo@EINTR.net on http://EINTR.net

    That's not how I would recommend using Freenet6 with NAT on an OpenBSD firewall. Freenet6 gives a free /48 6bone network. This means you can do the Freenet6 tunnel directly on the gateway and assign the free /48 to your private address range network. All of your NATed machines would get an IPv6 address, not just one. (Well, all the machines with a multicast-capable network card/driver and an IPv6 OS (Mac OS X, *BSD, Linux).) For gateways running NetBSD or FreeBSD with a static IPv4 address, I would recommend using a 6to4 2002::/48 instead of Freenet6. But in any case, Freenet6 and 6to4 are only test methods for IPv6. It isn't worth much and it isn't a good replacement for real native IPv6 connectivity. (With Freenet6, all your IPv6 traffic is directed to a single IPv4 machine, which just adds another possible point of failure and congestion.) (With 6to4, it's a little bit better because you can send directly to any 2002:: address, and the default IPv6 gateway (needed to send to 6bone and real addresses) is available in multiple places, and it's the normal Internet routing protocols that make you choose the nearest available one (a bit like the F root server run by the ISC). But it's still encapsulation.)

    Comments
    1. By Anonymous Coward (67.70.164.207) on

      Any docs or howtos you can recommend on learning the basics of IPv6 and tunneling it in IPv4, etc.? Preferably with an emphasis on OpenBSD or similar.

      Comments
      1. By Anonymous Cheese (68.124.163.80) on

        Here are resources I have found within the deadly.org archives, benzedrine.cx, and google.com:

        "pf.conf from insomnia.benzedrine.cx"
        http://www.benzedrine.cx/pf.conf

        "How to setup an IPv6 tunnel in 5 minutes..."
        http://www.benzedrine.cx/gif.txt

        "My 6bone router using OpenBSD"
        http://rollcage.bl.echidna.id.au/IPv6/openbsd.html

        "Simple IPv6 tunnel broker"
        http://www.tunnelbroker.com

        "IPv6 protocol stack and IPsec"
        http://www.kame.net/

      2. By jose (204.181.64.2) on http://monkey.org/~jose/

        We have a whole chapter devoted to IPv6 on OpenBSD in our book "Secure Architectures with OpenBSD", and we discuss the basics of IPv6 and how to set it up on your OpenBSD box. At the time I was using this tunnel service to get global IPv6 access from home.

    2. By Jim (216.229.12.133) jameso@elwood.net on

      I don't disagree with you. I just get a /48 from Freenet6 myself. This whole write-up is nothing more than a response to the people who have e-mailed me about the old NAT article and the new(er) tsp client. For some reason people wanted to know how to do this; now they can. Honestly, I think what it was is that some people are stuck behind NAT gateways they have no control over, but they can get ports opened, etc. For them, this may be the only way to mess around with IPv6. Most of the e-mails I received about this came from people at European colleges for some reason. But you are right: the average home user would not want to do this.

  3. By mirabile (212.185.103.56) on

    This is a howto for SixXS: https://mirbsd.bsdadvocacy.org:8890/?ipv6-sixxs It's not strictly speaking written for OpenBSD, but that's similar enough...

  4. By Arrigo Triulzi (212.152.5.64) on http://obi-wan.kenobi.it/cynicalsecurity

    Interesting but what about the poor home users behind a NAT'ing DHCP router which they don't control? I have RFC1918 addresses internally and an external dynamic IP address which means that I can't use either freenet6 or 6to4. I know that if I owned the router I could set it to "bypass" mode to an internal OpenBSD box which would then deal with PPPoE & friends meaning that I'd have control over the dynamic routable IP address... but I don't own the router. Are there any smart solutions? The only one I've come up with so far is to run an openvpn tunnel back to my server which is on IPv6 and then setting up a GIF tunnel over it from my internal OpenBSD box. Not exactly elegant...

    Comments
    1. By kcg (3ffe:bc0:8000::4181) on

      I don't agree with you. I have a simple SpeedTouch with NAT enabled, one public (dynamic) IP address assigned to the ppp0 interface on the DSL router, and I'm using Freenet6 happily. You just need to set your public IP address in TSC's config file. Cheers, Karel

      Comments
      1. By Arrigo Triulzi (212.152.5.64) on http://obi-wan.kenobi.it/cynicalsecurity

        Mmh, isn't the SpeedTouch a USB-based DSL modem? I have a ZyXEL 650R external DSL router, I connect to it via Ethernet, it feeds me IP addresses via DHCP and that's all I get.
        If I had a USB DSL modem I wouldn't have this problem, agreed wholeheartedly. That's why I called my box a router.

        Comments
        1. By Daniel Hartmeier (62.65.145.30) daniel@benzedrine.cx on

          The Zyxel 650R can be used in bridge mode, and you can then do NAT on a pf box behind it (and also put a dhcpd and the IPv6 tunnel endpoint there, if you like).

          With a dynamic routable address, you'll need a way to update the nat rule on the pf box when the Zyxel gets a new routable address, but once you have that, the setup will be more flexible than using Zyxel's NAT/SUA in forwarding mode. The Zyxel can syslog over UDP to the pf box, maybe it logs address changes. Or you can query the current address through ZyXEL's telnet interface.

          I'm doing just that (with a 642R), though with a static routable address.

          Comments
          1. By Arrigo Triulzi (212.152.5.64) on http://obi-wan.kenobi.it/cynicalsecurity

            That's a smart trick but I don't own the actual router (i.e. no password, no access to it) :-(

            For when I change DSL provider: do you bridge everything (i.e. this is the case where you have your internal host doing PPPoE negotiation and everything) or do you just bridge a given protocol using "SUA"?

            Last time the "engineer" configured SUA on the ZyXEL to forward the external port 80 to a suitable internal host the ZyXEL hung and needed a cold reboot and return to NAT only before it was usable again!

            Comments
            1. By Daniel Hartmeier (62.65.145.30) daniel@benzedrine.cx on

              Ask the DSL provider to change it to bridge mode. They shouldn't care; for them, it doesn't make a difference (unless they're lazy and inflexible, enforcing the same configuration on all clients ;).

              In bridge mode, the modem does just PPPoE, bridging the decapsulated IP traffic to the LAN interface. So what you see there is IP traffic to your external routable address. You assign that address to the pf box behind it (which will then do ARP for that address), and the modem sends all traffic for the external address to it.

              For the pf box, this makes things very simple and elegant: it doesn't know about the PPPoE happening upstream, it looks like it is directly connected to the Internet with the assigned routable address on its external interface. Doing NAT for other local hosts with private address space is dead simple, then.

              I have never done that with dynamic addresses, a smart trick would be to watch for ARP requests for the new address from the modem, then change the IP address on the external interface of the pf box accordingly. With a 'nat on $extif -> ($extif)' rule, you wouldn't even need to reload the ruleset, in that case.

              Comments
              1. By Arrigo Triulzi (212.152.5.64) on http://obi-wan.kenobi.it/cynicalsecurity

                I'll talk to the DSL provider. Objectively they shouldn't care since the PPPoE authentication & Co. is still being done by their router. Then I can put my trusted OpenBSD box to work.

                I don't think that getting the DHCP lease renewal over syslog is going to work unless it is the last message sent to the old IP address before the change... but listening to the ARP might. I'll look into it. If it works, I'll post a summary.

                Perhaps what is needed is an extension to pf in which the IP address is determined by the interface name when the rule is evaluated? Big performance hit since you'd have to do it on a per-packet basis (you'd have to make it atomic at that level otherwise you could have a nice hole!) but it would make DHCP users happy (and performance is not really an issue on home DSL lines with dynamic IPs).

                Comments
                1. By Daniel Hartmeier (62.65.145.30) daniel@benzedrine.cx on

                  For syslog, you (or the ISP) specify a destination IP address to log to. That wouldn't be the dynamic address at all, but some static (unroutable) address, which the pf box does ARP for and accepts packets for. What I don't know is whether the 650R logs address changes. Even if it doesn't, having the logs is useful, if only to document outages (you'll see LCP, CHAP, IPCP level output). When you have logs of LCP succeeding but CHAP failing for hours, that's convincing evidence that the problem is not with your gear or telephone line, but the ISP's gear :)

        2. By kcg (3ffe:bc0:8000::4181) on

          No, it is SpeedTouch 510i so ethernet based. The only needed change was to unbind application processing of 6to4 protocol in NAT, but this can be found by google.com, since I don't remember exactly the instruction. And yes, I have simple 10.0.0.2 IPv4 addr on localhost. Cheers, Karel

    2. By Daniel Hartmeier (62.65.145.30) daniel@benzedrine.cx on

      I haven't used Freenet tunnels, but with HE.net, it's sufficient if you can open the encapsulated IPv4 connection in one direction. So, if your NAT appliance can translate the encapsulated traffic (and forwards replies back to the internal host), your tunnel endpoint can be on a local host with an unroutable address. Some crude instructions can be found here.

      We're not talking about NATing IPv6 traffic (I've yet to see someone doing that for any reasonable purpose ;), but NATing the IPv6-in-IPv4 encapsulated traffic, which is inet proto ipv6 (not inet6!) in pf context. The local endpoint then serves as IPv6 default gateway for local hosts, which get assigned real IPv6 addresses from the netblock as usual.
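      An added example (mine, not posted by Daniel or anyone else in this thread) that pulls together the two pf points made above: the bridge-mode setup with a dynamic routable address and a 'nat on $extif -> ($extif)' rule that needs no reload, and passing the IPv6-in-IPv4 encapsulation as "inet proto ipv6" rather than "inet6". The script builds a ruleset for the pf box and, in its watch mode, picks the new routable address out of the ARP requests the modem bridges and re-addresses the external interface. Interface names, the LAN network, the tunnel endpoint host, the netmask and the tcpdump line format are assumptions; the ruleset uses the nat/rdr syntax of the pf of that era (OpenBSD 3.x), which later pf writes as "match ... nat-to" and "rdr-to".

```shell
#!/bin/sh
# Added example, not from the thread. A pf box behind a DSL modem in bridge
# mode, holding a dynamic routable address on its external interface.
#   rules - print a pf.conf whose NAT rule uses the ($ext_if) form, so a
#           changed address takes effect without a reload, and which passes
#           IPv6-in-IPv4 (IP protocol 41, "inet proto ipv6") to an internal
#           tunnel endpoint;
#   watch - learn a new routable address from bridged ARP requests and
#           re-address the external interface.
# Everything below the comment is an assumption for the sake of the example.

ext_if="fxp0"             # assumed: interface toward the bridged modem
int_if="fxp1"             # assumed: LAN interface
int_net="192.168.1.0/24"  # assumed: private LAN
tun_host="192.168.1.10"   # assumed: internal 6in4 tunnel endpoint
ext_mask="255.255.255.0"  # assumed: netmask of the routable address

# The ruleset, as text, so it can be piped into "pfctl -f -" or inspected.
build_ruleset() {
    cat <<EOF
ext_if = "$ext_if"
int_if = "$int_if"
int_net = "$int_net"
tun_host = "$tun_host"

# (\$ext_if) is looked up when a packet is evaluated, so a changed address
# on \$ext_if takes effect without reloading the ruleset.
nat on \$ext_if from \$int_net to any -> (\$ext_if)

# Protocol 41 carries IPv6 inside IPv4: "inet proto ipv6", not "inet6",
# which would match native IPv6 packets. The nat rule translates the
# outbound encapsulated packets; the rdr covers inbound ones that arrive
# without a matching state.
rdr on \$ext_if inet proto ipv6 from any to (\$ext_if) -> \$tun_host

block in on \$ext_if
pass out on \$ext_if keep state
pass in on \$ext_if inet proto ipv6 from any to \$tun_host keep state
pass on \$int_if
EOF
}

# Split a tcpdump ARP request line (assumed format, e.g.
# "12:00:00.000000 arp who-has 203.0.113.7 tell 203.0.113.1") into
# "<target> <sender>". Returns 1 for anything that is not a request.
arp_fields() {
    case "$1" in
        *" arp who-has "*" tell "*)
            rest=${1#* arp who-has }
            target=${rest%% tell *}
            sender=${rest##* tell }
            sender=${sender%% *}
            printf '%s %s\n' "$target" "$sender"
            ;;
        *) return 1 ;;
    esac
}

# A request is worth acting on only if its target differs from the address
# we hold ($2) and is not private or link-local space.
is_new_routable() {
    [ "$1" != "$2" ] || return 1
    case "$1" in
        0.0.0.0|10.*|169.254.*|192.168.*) return 1 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
    esac
    return 0
}

current_address() {
    ifconfig "$ext_if" | awk '/inet /{print $2; exit}'
}

watch_address() {
    cur=$(current_address)
    tcpdump -n -l -i "$ext_if" arp | while read -r line; do
        fields=$(arp_fields "$line") || continue
        set -- $fields                            # $1 target, $2 sender
        [ "$2" != "$cur" ] || continue            # our own request
        is_new_routable "$1" "$cur" || continue
        logger -t addrwatch "routable address $cur -> $1 (asked by $2)"
        ifconfig "$ext_if" inet "$1" netmask "$ext_mask"
        route change default "$2"   # assumption: the asker is the upstream router
        cur=$1
        # No pfctl reload needed: the ($ext_if) rule already sees the new address.
    done
}

case "${1:-}" in
    rules) build_ruleset ;;        # e.g. sh tunnat.sh rules | pfctl -nf -
    watch) watch_address ;;
esac
```

      Run "sh tunnat.sh rules | pfctl -nf -" to syntax-check the ruleset and "sh tunnat.sh watch" to start the address watcher; the watcher ignores our own outgoing ARP requests (sender equal to the current address) so that asking for the ISP gateway's address does not trigger a re-addressing.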

      Comments
      1. By Arrigo Triulzi (212.152.5.64) on http://obi-wan.kenobi.it/cynicalsecurity

        Thanks for the HE.Net link. I'll give it another try, last time it failed but allegedly my router's firmware has been upgraded which might give me a sporting chance...

        With respect to the discussion I understand the idea - that's why I asked my question which was marginally off-topic. In the examples you assume that you have control over the host doing NAT and hence the issue is getting your 6-in-4 through whereas my question extended this to "what if I don't actually control the NAT box?".

        In any case, thanks again for the pointer to HE.Net.

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed.