May 1st, 2003, 03:06
I'm going to start with what setup I'm using for this and you can adjust where needed. A recent OpenBSD snapshot is what I have running on my firewall but any recent release could be used. I've used FreeBSD, NetBSD, OpenBSD, Windows 2k and XP as IPv6-capable clients behind the firewall. They all worked great except the win2k box seems subpar to me. I know Linux wasn't in that list but I've been doing a lot of playing around and just converted my last "production" machine to FreeBSD-STABLE. I'm reloading Linux on my iMac for some testing with MOL and will give it a go here too. I also didn't mention my O2 since IRIX just released IPv6 support with the 6.5.19 feature release. If anyone wants to send me the 6.5.19 feature overlays then I would be happy to test that too. :roll:

On with the show:

Unless you are some kind of lucky soul then your ISP very likely isn't running native IPv6 and you are going to have to setup a tunnel to a tunnel broker. You are going to need an IPv4 address to tunnel from. If your ISP is firewalling everything off or NATing and giving you a non-public address then you aren't going to be able to do this. :x I chose ( for mine but there are other choices out there especially if you are outside the continental US. Obviously tunneling to a broker before traversing the IPv6 world will add some hops (latency) to your routes. If you thought this was a good way to get the high speeds like on Internet2 then you are mistaken and might want to stop reading if this is your only reason to try this.

I signed up for an account and finally found out after several tries without a response that they somehow got on an email blacklist. I used another address and it was routed around the blacklisted path. I got my email less than an hour later and I logged in to set up my tunnel info. I entered my public IPv4 address, clicked the button to request a /64 block of IPs (IPv6 is 128bit) and added my DNS servers in the appropriate fields. They say it can take up to 24 hours for the tunnel to be approved and become active. I looked at the Tunnel Details in my login and started setting up the router.

#This is my public address
#This is their server's IP that we connect the tunnel to
2001:470:1F00:FFFF::48B #My assigned IPv6 address for the external address. This is all you get if you don't request a block of IPs
2001:470:1F00:FFFF::48A #Their end IPv6 address that is used for my routing
2001:470:ea7:f00d::/64 #My assigned block of addresses to use

We need to get the OpenBSD firewall setup here.

rtadvd_flags=xl1 #use your internal interface for automatic configuring of clients
route6d_flags=YES #enable ipv6 routing
rtsold_flags=NO #you don't want to accept autoconfiguring since this is the router

inet NONE
inet6 alias 2001:470:ea7:f00d::1 64 #assign the ip for the internal side of the router from your /64 block

Now let's setup the tunnel and default route

/etc/rc.local or where ever you want to start this from
ifconfig gif0 giftunnel #setup tunnel for the IPv4 endpoints
ifconfig gif0 inet6 alias 2001:470:1F00:FFFF::48B 2001:470:1F00:FFFF::48A prefixlen 128 #setup tunnel for the IPv6 endpoints
route -n add -inet6 default 2001:470:1F00:FFFF::48A #gotta let your internal machines know where to get out

Time to setup rtadvd.conf so your firewall automatically hands out IPv6 addresses.

:addrs#1:addr="2001:470:ea7:f00d::":prefixlen#64:tc=ether:

I got on my FreeBSD-STABLE box and entered /stand/sysinstall and went into interface config. It asks if I want to try IPv6 and I say "yes". It scans for the RA server (router announcement) and I'm on IPv6 as slick as can be. I'll talk about other clients later since we are probably starting to get into information overload.

Setting up your pf.conf is going to be almost like with IPv4 with a couple things different. You are going to use inet6 instead of inet and scrub isn't working with IPv6 yet. Another cool thing is you won't need to use NAT since you have a boatload of public IPs to use. We could go on and on about firewall rules here but I will leave that to another post. Check out for some good pf setup tips including IPv6.

Soup4You2 made a similar howto over at BSDHound with FreeBSD on the firewall and OpenBSD as a client. Hopefully between these two howtos and a little help from Google, you should be able to get up and running smoothly.
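
With no NAT in front of the /64, the inbound policy on gif0 is the only thing between the Internet and every internal host. The following Python example is an addition to this thread, not part of the original post: it applies the usual ingress checks to packets arriving over the tunnel, using the /64 and tunnel address from the post. The names `ingress_verdict` and `triage`, the log line format and the 2001:db8:: source addresses are assumptions made up for the illustration.

```python
import ipaddress
from collections import Counter

# Values taken from the post above.
DELEGATED = ipaddress.ip_network("2001:470:ea7:f00d::/64")      # /64 routed behind the firewall
TUNNEL_LOCAL = ipaddress.ip_address("2001:470:1F00:FFFF::48B")  # our end of gif0


def ingress_verdict(src: str, dst: str) -> str:
    """Classify a packet that arrives from the broker on the tunnel interface."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != 6 or d.version != 6:
        return "drop:not-ipv6"
    # Sources that are never valid on an arriving packet.
    if s.is_unspecified or s.is_loopback or s.is_multicast:
        return "drop:invalid-source"
    # Our own prefix showing up as a source on the outside is spoofed.
    if s in DELEGATED:
        return "drop:spoofed-internal-source"
    if d == TUNNEL_LOCAL:
        return "to-router"
    if d in DELEGATED:
        # Link-local and site-local sources must not be forwarded.
        if s.is_link_local or s.is_site_local:
            return "drop:scoped-source"
        return "to-internal-host"  # no NAT: this reaches the host directly
    return "drop:not-our-destination"


# Constructed sample lines (hypothetical format: interface, direction, src, dst).
SAMPLE_LOG = """\
gif0 in 2001:db8:1::10 2001:470:ea7:f00d::1
gif0 in 2001:470:ea7:f00d::bad 2001:470:ea7:f00d::1
gif0 in fe80::1 2001:470:ea7:f00d:200:21ff:fe03:8e1
gif0 in 2001:db8:1::10 2001:470:1f00:ffff::48b
gif0 in 2001:db8:1::10 2001:db8:2::1
gif0 in ff02::1 2001:470:ea7:f00d::1
"""


def triage(log: str) -> Counter:
    """Count verdicts for every inbound gif0 line in the log text."""
    verdicts = Counter()
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[:2] != ["gif0", "in"]:
            continue
        verdicts[ingress_verdict(fields[2], fields[3])] += 1
    return verdicts


if __name__ == "__main__":
    for verdict, count in sorted(triage(SAMPLE_LOG).items()):
        print(f"{count:3d}  {verdict}")
```

Each "drop" verdict corresponds to a block rule worth having on the external side before any pass rule for the /64.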

May 1st, 2003, 03:15
I need to talk about IPv6 support with apps and how to use it now. Many apps have IPv6 support built-in and others have separate versions (ping6, traceroute6, etc.). Some apps need to be recompiled with support (irssi, etc.). There are several ports that have IPv6 versions like apache13+ipv6, wget+ipv6, etc. and most are up to date but some are the last version (wget is 1.7).

You can go to and if the turtle graphic is dancing then your web browser is working with IPv6. You can also ping6 to test your connection.

May 1st, 2003, 09:18
Very nice.......

and if anybody wants to get further confused on IPv6 here's an article I wrote up a bit ago..

mmmm..... cheese.....mmmmm

May 1st, 2003, 10:06
oops you already noticed me...hehehe

another thing to add for elmore ...*snickers*

to set up a Windows XP client just go to DOS and run ipv6 install

and thats it

May 1st, 2003, 10:49
to set up a Windows XP client just go to DOS and run ipv6 install and that's it

You can add it in the network setup too if you have SP1 installed on XP. While you can add it through the GUI, you still have to configure through the CLI. Most of us here are comfortable with that but it's not documented as nicely as it is with the BSDs.

There's an IPv6 Preview for Windows 2000 and you will need to hack an inf file if you are using anything past SP1.

My NetBSD install would try to use the IPv6 address for so I had to export the path as the ipv4 address instead to stop the timeouts. Now I can just let it roll.

May 1st, 2003, 11:52
Arr... yes but the preview for the IPv6 on win2k is set up for sp1 and won't install right away on sp3.. so you gotta extract the setup file and edit one of the files to tell it the correct Windows version then repack it and run the setup..

their preview thing is Gawd Awful though... I consider it complete crap.. and it's funny they need the cygwin library for it to work...hehehe

but once you got the protocol installed for 2k you would do something like this:

C:\>ipv6 if 2
Interface 2 (site 0): Tunnel Pseudo-Interface
does not use Neighbor Discovery
link-level address:
preferred address 2001:2e0:xxx::1, infinite/infinite
preferred address, infinite/infinite
link MTU 1280 (true link MTU 65515)
current hop limit 128
reachable time 0ms (base 0ms)
retransmission interval 0ms
DAD transmits 0

Setup Default Route in HKNET Network side.

C:\>ipv6 rtu ::/0 2/::

Use command ping6 in order to confirm the tunneling status.

C:\>ping6 2001:2e0:0:1::80

Pinging 2001:2e0:0:1::80 with 32 bytes of data:

Reply from 2001:2e0:0:1::80: bytes=32 time=35ms
Reply from 2001:2e0:0:1::80: bytes=32 time=26ms
Reply from 2001:2e0:0:1::80: bytes=32 time=26ms
Reply from 2001:2e0:0:1::80: bytes=32 time=27ms

Address Advertisement Setting

C:\>ipv6 adu 4/2001:2e0:4fe::2
C:\>ipv6 ifc 4 forwards advertises

Confirm the Interface Status

"sends Router Advertisements" is stated.
"forwards packets" is stated.

C:\>ipv6 if 4
Interface 4 (site 1): Local Area Connection
uses Neighbor Discovery
sends Router Advertisements
forwards packets
link-level address: 00-c0-4f-0c-c9-72
preferred address 2001:2e0:4fe::2, infinite/infinite
preferred address fe80::2c0:4fff:fe0c:c972, infinite/infinite
multicast address ff02::1, 1 refs, not reportable
multicast address ff02::1:ff0c:c972, 1 refs, last reporter
multicast address ff02::1:ff00:2, 1 refs, last reporter
multicast address ff02::2, 1 refs, last reporter
multicast address ff05::2, 1 refs, last reporter
link MTU 1500 (true link MTU 1500)
current hop limit 128
reachable time 38000ms (base 30000ms)
retransmission interval 1000ms
DAD transmits 1


May 1st, 2003, 15:39
Normally after an article has been posted on my site for a while I like to share them w/ various other forums.. thought I would share one with SE.. Hope you like it.. feel free to comment or add questions..

The Original Article Link is at:

Configuring An IPv6 Router And Client
Date: Wednesday, April 16 @ 12:59:50 EDT
Topic: Freebsd, OpenBSD, NetBSD

This is part 1 of our upcoming Series on IPv6. In this article we will explain how to set up and configure a FreeBSD router and client for IPv6. In upcoming articles you will learn how to configure and set up Windows Clients as well as OpenBSD routers and clients. Any questions you may visit our forum thread ( this.

Setting up a IPv6 Network

What is IPv6?

By now, you've probably heard of the next generation Internet Protocol, IPv6. While it provides many improvements and new capabilities, the driving force behind its adoption is likely to be the much larger (and more flexible) address space that it defines. Continuing growth in the population of IP enabled devices has already put severe stress on address allocation and the routing infrastructure. The roll out of new enabling technologies such as 3G wireless and broadband to the home will predictably create a new wave of demand. Now the scope of this article is just going to cover how-to setup IPv6 on various BSD platforms. This is going to be a very basic how-to on getting it setup and properly working.

Now let's learn a little bit about IPv6. Here's what the FreeBSD Handbook has to say:

IPv6 (also known as IPng ``IP next generation'') is the new version of the well known IP protocol (also known as IPv4). Like the other current *BSD systems, FreeBSD includes the KAME IPv6 reference implementation. So your FreeBSD system comes with all you will need to experiment with IPv6. This section focuses on getting IPv6 configured and running.

In the early 1990s, people became aware of the rapidly diminishing address space of IPv4. Given the expansion rate of the Internet there were two major concerns:

o - Running out of addresses. Today this is not so much of a concern anymore since private address spaces (,, etc.) and Network Address Translation (NAT) are being employed.

o - Router table entries were getting too large. This is still a concern today

IPv6 deals with these and many other issues:

o - 128 bit address space. In other words theoretically there are 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses available. This means there are approximately 6.67 * 10^27 IPv6 addresses per square meter on our planet.

o - Routers will only store network aggregation addresses in their routing tables thus reducing the average space of a routing table to 8192 entries.

There are also lots of other useful features of IPv6 such as:

o - Address autoconfiguration (RFC2462)
o - Anycast addresses (``one-out-of many'')
o - Mandatory multicast addresses
o - IPsec (IP security)
o - Simplified header structure
o - Mobile IP
o - IPv4-to-IPv6 transition mechanisms

IPv6 Background Information

There are different types of IPv6 addresses: Unicast, Anycast and Multicast.

Unicast addresses are the well known addresses. A packet sent to a unicast address arrives exactly at the interface belonging to the address.

Anycast addresses are syntactically indistinguishable from unicast addresses but they address a group of interfaces. The packet destined for an anycast address will arrive at the nearest (in router metric) interface. Anycast addresses may only be used by routers.

Multicast addresses identify a group of interfaces. A packet destined for a multicast address will arrive at all interfaces belonging to the multicast group.

Note: The IPv4 broadcast address (usually is expressed by multicast addresses in IPv6.

Reserved IPv6 addresses:

ipv6-address | prefixlength (Bits) | description | Notes
:: | 128 Bits | unspecified | cf. in IPv4 address
::1 | 128 Bits | loopback address | cf. in IPv4
::00:xx:xx:xx:xx | 96 Bits | embedded IPv4 address | The lower 32 bits are the IPv4 address. Also called ``IPv4 compatible IPv6 address''
::ff:xx:xx:xx:xx | 96 Bits | IPv4 mapped IPv6 address | The lower 32 bits are the IPv4 address. For hosts which do not support IPv6
fe80:: - feb:: | 10 Bits | link-local | cf. loopback address in IPv4
fec0:: - fef:: | 10 Bits | site-local |
ff:: | 8 Bits | multicast |
001 (base 2) | 3 Bits | global unicast | All global unicast addresses are assigned from this pool. The first 3 Bits are ``001''.

Reading IPv6 Addresses

The canonical form is represented as: x:x:x:x:x:x:x:x, each ``x'' being a 16 Bit hex value. For example FEBC:A574:382B:23C1:AA49:4592:4EFE:9982

Often an address will have long substrings of all zeros therefore each such substring can be abbreviated by ``::''. For example fe80::1 corresponds to the canonical form fe80:0000:0000:0000:0000:0000:0000:0001

A third form is to write the last 32 Bit part in the well known (decimal) IPv4 style with dots ``.'' as separators. For example 2002:: corresponds to the (hexadecimal) canonical representation 2002:0000:0000:0000:0000:0000:0a00:0001 which in turn is equivalent to writing 2002::a00:1

By now the reader should be able to understand the following:

($:~)=> ifconfig

xl0: flags=8943 mtu 1500
inet netmask 0xffffff00 broadcast
inet6 fe80::200:21ff:fe03:8e1%rl0 prefixlen 64 scopeid 0x1
ether 00:00:21:03:08:e1
media: Ethernet autoselect (100baseTX )
status: active

fe80::200:21ff:fe03:8e1%xl0 is an auto configured link-local address. It includes the enscrambled Ethernet MAC as part of the auto configuration.

For further information on the structure of IPv6 addresses see RFC2373

Picking your broker

Ok so now this is where things get fun. First of all let's talk for a second about your choices of tunnel brokers. You're going to need one of these to get your IPv6 connection going.

Freenet6 ( is a quick and easy way to get an IPv6 address and establish a tunnel. What makes it so easy is its Tunnel Setup Protocol (TSP) client. The program, available here, automatically gets your IPv6 address and establishes a tunnel with the Freenet6 servers. The program can be run without registering, but registration lets you get a /48 prefix (anonymous connections are given /64 addresses), and it lets you keep the same address, regardless of IPv4 address changes. ( tunnel service runs by a Business ISP with 24 x 7 staff at multiple locations and a national US backbone (to find out more about IPv6 at Hurricane Electric visit (, Gain the ability to get your own /64 prefix once your tunnel is up , also get a full view of the IPv6 BGP4+ routing table

Now I've played around with both of these tunnel providers. Although Freenet6 ( offers a /48 prefix has a much better tools. They also offer usage graphs on their site. So in this article we're going to utilize the (

So let's get our account shall we. Head over to ( register down there on the bottom. Don't forget to tell them you heard about us on ( Once you get your email back log back into their servers and you need to tell them your IPv4 address. This is important since because IPv6 is not the current standard you're going to need to embed your 6 packets inside 4 packets. Once you get your email around the next day or two saying your tunnel is approved you can continue on. And don't forget to sign up for the /64 prefix. You're going to need that if you wish to do any kind of routing.

Know Your Network

We're going to make a basic 2 computer network here. Your server and your client.

Now we're going to set up the Gateway as a nice friendly FreeBSD box. The client we're going to go over setting up as a FreeBSD client. In later articles I will cover how to do this in OpenBSD and also set up a Windows 2000 client.

Configuring Your Gateway/Router

First here's our tunnel information given to us from tunnelbroker:

Server IPv4 address:

Server IPv6 address:

Client IPv4 address:

Client IPv6 address:

Assigned /64:

Configuring the gateway on FreeBSD

Now let's start with the fun. Let's go and edit our /etc/rc.conf so our system knows about our new toy.

#Your Gateway's Hostname Here

#The Network Cards in your box
network_interfaces="xl0 xl1 lo0"

##Loopback Interface
ipv6_ifconfig_lo0="::1 prefixlen 128"

##External Interface
ipv6_ifconfig_xl0="4444:444:4444:444::444 prefixlen 128"

##Internal Interface
ipv6_ifconfig_xl1="5555:555:5555:555::1 prefixlen 64"

#Extra Stuff
ipv6_network_interfaces="xl0 xl1"

Now are you confused yet? I hope not. Things only get more fun from here. Let's go ahead and create a script to start the tunnel over to our broker. Go ahead and edit your /etc/rc.local and add something like this:

echo -n " Establishing HE.NET Tunnel "
/sbin/ifconfig gif0 create
/sbin/ifconfig gif0 tunnel 333.333.333.333
/sbin/ifconfig gif0 inet6 4444:444:4444:444::444 2222:222:2222::222 prefixlen 128
/sbin/route -n add -inet6 default 2222:222:2222::222
/sbin/ifconfig gif0 up

Now we need set a couple kernel options. Now edit your /etc/sysctl.conf and add these lines in there:


This allows you to be a router for IPv6; you can only be a router or a client. So on your other systems these options will be in reverse. Next in line we need to create our /etc/rtadvd.conf file; it should contain something like the following:

:pinfoflags#64:vltime#360000:pltime#360000:mtu#1500:
# interfaces.
:addr="5555:555:5555:555::":prefixlen#64:tc=ether:

Ok.. Now we have the networking information setup we still need to tell our firewall what to do with this. Since IPv6 is a completely different stack we need a second firewall on our box. 1 for IPv4 and 1 for IPv6.

Inside your /etc/ipf.rules you should have a pass in and out rule for each interface to allow the IPv6 packets.

pass out quick on xl0 proto ipv6 all
pass in quick on xl0 proto ipv6 all

and the same for your internal NIC. Next we're going to create a very basic set of rules for our 6 stack. Create and edit /etc/ipf6.rules

pass out quick all
pass in quick all

Now another important aspect is your /etc/hosts file. Here we have something like this:

::1 localhost localhost
5555:555:5555:555::1 server
333.333.333.333 server
5555:555:5555:555::aaaa client client

Notice how our IPv6 addresses go before the IPv4. There is a reason for this. When your system reads the hosts file it's going to take the first address for that host in it. Since we have our IPv6 address for our client, if we try to do something like ssh into the client it will try IPv6 before IPv4. Now reboot and you should be all configured and ready to go.

When your system comes back online try running ping6 and if you get a return response you're good to go. You should see something similar to this:

PING6(56=40+8+8 bytes) 4444:444:4444:444::444 --> 3ffe:b00:c18:1::10
16 bytes from 3ffe:b00:c18:1::10, icmp_seq=0 hlim=61 time=175.393 ms
16 bytes from 3ffe:b00:c18:1::10, icmp_seq=1 hlim=61 time=179.547 ms
16 bytes from 3ffe:b00:c18:1::10, icmp_seq=2 hlim=61 time=204.748 ms

--- ping6 statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 175.393/186.563/204.748/12.970 ms

Congratulations you now have a router.. Now onto the client.

Configuring A FreeBSD IPv6 Client

Now the hard part is done; you have a routing IPv6 stack. So we just need to tell our clients there is an address available and to use it.. So first we need to tell our client to accept RA broadcasts. Go and edit your /etc/sysctl.conf file and add in the following:


Next run the following command as root..

($:~)=> rtsol -D xl0 (your nic)

You should be presented with an output something like:

checking if xl0 is ready...
xl0 is ready
set timer for xl0 to 0:184944
New timer is 0:00184701
timer expiration on xl0, state = 1
send RS on xl0, whose state is 2
set timer for xl0 to 4:0
New timer is 4:00001235
received RA from XXXX::XXX:XXXXXXXX:XXXX on xl0, state is 2
stop timer for xl0
there is no timer

Congrats, you should now be able to ping6. Now I would suggest you add the rtsol command to your /etc/rc.local to avoid future headaches. Some other configurations you will need to do are (these are not required but nice to have):

ipv6_ifconfig_lo0="::1 prefixlen 128"

ipv6_ifconfig_xl0="YOUR GIVEN IPV6 ADDRESS FROM THE GATEWAY prefixlen 64"


Reboot and you should be a fully functional IPv6 Client.. Please read up on our next article about setting up and configuring your clients on Windows 2000 and XP along with configuring an OpenBSD client and server..

References Used:

Onlamp, Daemon News, FreeBSD Handbook
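
The article's ifconfig output pairs the MAC 00:00:21:03:08:e1 with the link-local address fe80::200:21ff:fe03:8e1. The following Python example is an addition to this thread, not code from the article: it shows that mapping in both directions, which matters because an autoconfigured global address carries the same interface identifier and so exposes the NIC's MAC to every remote peer. The function names are assumptions; the addresses come from the article, including its placeholder 5555:555:5555:555:: prefix.

```python
import ipaddress
from typing import Optional


def mac_to_link_local(mac: str) -> str:
    """Modified EUI-64: flip the universal/local bit, insert ff:fe, put it under fe80::/64."""
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02                      # flip the universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    prefix = bytes.fromhex("fe80") + bytes(6)
    return str(ipaddress.IPv6Address(prefix + iid))


def iid_to_mac(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 derived address; None if the IID is not EUI-64."""
    addr = addr.split("%")[0].split("/")[0]   # drop scope id (%xl0) and prefix length
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None                           # manually assigned or randomised IID
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02                            # undo the universal/local flip
    return ":".join(f"{b:02x}" for b in mac)


def canonical(addr: str) -> str:
    """Expand a '::' abbreviated address to the full x:x:x:x:x:x:x:x form."""
    return ipaddress.IPv6Address(addr).exploded


if __name__ == "__main__":
    print(mac_to_link_local("00:00:21:03:08:e1"))
    # The same interface identifier under the article's placeholder /64:
    print(iid_to_mac("5555:555:5555:555:200:21ff:fe03:8e1"))
    # A manually assigned address such as the gateway's reveals nothing:
    print(iid_to_mac("5555:555:5555:555::1"))
    print(canonical("fe80::1"))
```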

January 10th, 2004, 04:56
Why don't we cover Ciscos while we are at it?

Setting up a Cisco for IPv6 is not as hard as most would think. It's actually quite a simple task.
First off you need a Cisco IOS that supports IPv6. Such Ciscos IOSes include 12.2(14), 12.3,
12.3(4), and 12.3(5).

Next we'll start the IPv6 services.

router(config)# ip cef
router(config)# ipv6 cef
router(config)# ipv6 unicast-routing

Cef, is the Cisco Express Forwarding option that is used with IPv4 and IPv6. If the IPv4 command
is not executed, it will not allow the IPv6 option to work. Unicast-routing allows IPv6 to be sent.

Next, we need to start configuring the interfaces. Let's use a /48 address of 3ffe:ea2:cf41:: for our
network. We will also use two routers. The link between both routers will be Serial 0, and the
outbound interfaces will be ethernet0/0.

router1(config)# int e0/0
router1(config-if)# ipv6 address 3ffe:ea2:cf41:a1::2/128
router1(config-if)# int s0
router1(config-if)# ipv6 address 3ffe:ea2:cf41:a2::1/128

router2(config)# int e0/0
router2(config-if)# ipv6 address 3ffe:ea2:cf41:a3::1/128
router2(config-if)# int s0
router2(config-if)# ipv6 address 3ffe:ea2:cf41:a2::2/128

Now that we have setup our addresses let's view the networks we have made.

ethernet0/0 3ffe:ea2:cf41:a1::2
network 3ffe:ea2:cf41:a1::
serial0: 3ffe:ea2:cf41:a2::1
network 3ffe:ea2:cf41:a2::

ethernet0/0 3ffe:ea2:cf41:a3::1
network 3ffe:ea2:cf41:a3::
serial0 3ffe:ea2:cf41:a2::2
network 3ffe:ea2:cf41:a2::

As you can see from the 4th word of the IP, each interface is on a separate network from the
others on each router. Both serial ports are configured on the same network since they are
connected together. Let's continue on by making our routes.

router1(config)# ipv6 route 3ffe:ea2:cf41:a3::/64 serial 0

router2(config)# ipv6 route 3ffe:ea2:cf41:a1::/64 serial 0

From this we accomplished giving both routers communication through the serial link. Try
pinging one of the interfaces from the opposing router.

router1# ping 3ffe:ea2:cf41:a3::1

If you cannot ping always check your routes to make sure they are directed correctly.
Remember, the route could be wrong on either end. If both sides do not have routes to
each other, they will not communicate.

router# sh ipv6 route

If you cannot ping a certain host, you might have to add a static route to the host.

router1(config)# ipv6 route 3ffe:ea2:cf41:a3::cb3/128 serial 0

If you can ping from one side to the other, you are ready to add hosts, VLANs, and various
other devices.

July 15th, 2005, 07:36
I'm already running it, but (not only thanks for asking, also) I'm always interested in additional information and different sights.

July 31st, 2005, 11:58
I had a paper on IPv6 a quarter or two back.