diff --git a/documentation/content/en/books/handbook/config/_index.adoc b/documentation/content/en/books/handbook/config/_index.adoc --- a/documentation/content/en/books/handbook/config/_index.adoc +++ b/documentation/content/en/books/handbook/config/_index.adoc @@ -49,7 +49,7 @@ After reading this chapter, you will know: * The basics of [.filename]#rc.conf# configuration and [.filename]#/usr/local/etc/rc.d# startup scripts. -* How to configure and test a network card. +* How to configure and test a network interface. * How to configure virtual hosts on network devices. * How to use the various configuration files in [.filename]#/etc#. * How to tune FreeBSD using man:sysctl[8] variables. @@ -415,7 +415,7 @@ W32DRIVER_SYS_load="YES" .... -=== Configuring the Network Card +=== Configuring the Network Interface for IPv4 Once the right driver is loaded for the NIC, the card needs to be configured. It may have been configured at installation time by man:bsdinstall[8]. 
@@ -515,6 +515,191 @@ ==== +=== Configuring the Network Interface for IPv6 +IPv6 configuration is separated from IPv4 configuration in [.filename]#/etc/rc.conf# so IPv4 configuration is unaffected by all this. + +These examples assume that your ISP connection ends with an Ethernet cable plugged into interface "em0" on your FreeBSD machine. + +==== Simple Client Configuration +First we will set up the machine as a simple IPv6 client, by enabling IPv6 and starting rtsold(8) to takes care of getting an IPv6 number and the routes your ISP wants you to use. + +To do this, add the following to [.filename]#/etc/rc.conf# + +[.programlisting] +.... +ipv6_cpe_wanif=em0 +rtsold_enable=yes +rtsold_flags="em0" +ipv6_activate_all_interfaces=yes +.... + +To test IPv6 configuration, restarting the netif and routing services is necessary: + +[source,bash] +.... +# service netif restart && service routing restart +.... + +Once the netif and routing services have been restarted, the configuration can be tested: + +[source,bash] +.... +% ping -6 -c 3 freebsd.org +PING6(56=40+8+8 bytes) 2001:db8::18ff:fe0a:74a6 --> 2610:1c1:1:606c::50:15 +16 bytes from 2610:1c1:1:606c::50:15, icmp_seq=0 hlim=51 time=88.404 ms +16 bytes from 2610:1c1:1:606c::50:15, icmp_seq=1 hlim=51 time=88.037 ms +16 bytes from 2610:1c1:1:606c::50:15, icmp_seq=2 hlim=51 time=87.954 ms +.... + +If you look at your Ethernet interface, you will see two IPv6 addresses: + +[source,bash] +.... +% ifconfig em0 +em0: flags=8863 metric 0 mtu 1500 + options=[…] + ether 00:53:00:0a:7a:a6 + inet […] + inet6 fe80::230:18ff:fe0a:74a6%em0 prefixlen 64 scopeid 0x1 + inet6 2001:db8::18ff:fe0a:74a6 prefixlen 64 autoconf + media: […] + status: active + nd6 options=23 +.... + +The last three bytes of the interface MAC address are reused in the IPv6 addresses, here 00:53:00:0a:7a:a6, this is part of the auto-configuration rtsold(8) does. 
+ +You will not see `2001:db8::` but instead what your ISP's IPv6 prefix is, for your end of their network. Similarily, `prefixlen` may also be different. + +The `fe80::…` address is a default "link-local" address which is used by the autoconfiguration protocols. + +You should now have some IPv6 routes: + +[source,bash] +.... +% netstat -rn -6 +Routing tables +Internet6: +Destination Gateway Flags Netif Expire +::/96 ::1 UGRS lo0 +default fe80::92e2:baff:fe37:d760%em0 UG em0 +::1 link#7 UH lo0 +::ffff:0.0.0.0/96 ::1 UGRS lo0 +2001:db8::/64 link#1 U em0 +2001:db8::18ff:fe0a:74a6 link#1 UHS lo0 +fe80::/10 ::1 UGRS lo0 +fe80::%igb0/64 link#1 U em0 +fe80::230:18ff:fe0a:74a6%em0 link#1 UHS lo0 +fe80::%lo0/64 link#7 U lo0 +fe80::1%lo0 link#7 UHS lo0 +ff02::/16 ::1 UGRS lo0 +.... + +It is important that your default route is correct, otherwise traffic will not leave the peer and enter the upstream network. + +==== Distributing IPv6 addresses in your entire network +IPv6 provides auto-configuration methods which allow a gateway to distribute an ISP provided IPv6 prefix to the rest of the network. + +Using your ISP provided prefix has the downside that your devices will change IPv6 addresses if your ISP changes your prefix, this may happen as often as every time your gateway restarts. + +Like RFC1918 addresses for IPv4, RFC4193 defines private IPv6 networks, and if you follow the instructions and use random numbers, you are unlikely to ever see another network using the same addresses as you did. + +In this example we will use RFC4193 addresses internally and use NAT to hide everything behind the single IPv6 address we got from the ISP. + +First we create our very own RFC4193 address: + +[source,bash] +.... +% dd if=/dev/random bs=5 count=1 | hexdump -C +00000000 PP QQ RR SS TT |.....| +00000005 +.... + +Your RFC4193 compliant IPv6 network then becomes: + +[.programlisting] +.... +fdPP:QQRR:SSTT:: +.... 
+ +Next assign a static address to the internal interface of the gateway, and there is a neat trick available here: + +If the internal `em1` is configured for IPv4 like this in [.filename]#/etc/rc.conf#: + +[.programlisting] +.... +ifconfig_em1="192.168.10.102/24" +.... + +We can configure it for IPv6 like that in [.filename]#/etc/rc.conf#: + +[.programlisting] +.... +ifconfig_em1_ipv6="inet6 fdPP:QQRR:SSTT::192.168.10.102/120" +.... + +Unfortunately this does not work everywhere, but here it does. + +The math behind `/120` is `/(128 - (32 - 24))`, in case you used a different netmask for you internal network. + +We want the machine to act as a gateway through [.filename]#/etc/rc.conf# + +[.programlisting] +.... +ipv6_gateway_enable=yes +.... + +We need to start rtadvd(8) to answer the rtsold(8) requests from the machines on the inside via [.filename]#/etc/rc.conf# + +[.programlisting] +.... +rtadvd_enable=yes +rtadvd_interfaces="em1" +.... + +And finally we need to tell pf(4) to NAT everything onto the IPv6 address we got from our ISP via [.filename]#/etc/pf.conf# + +[.programlisting] +.... +if_ext="em0" +[…] +nat on $if_ext inet6 from !($if_ext) -> ($if_ext:0) +.... + +(A bug in FreeBSD-12 prevents this from working, you will have to enter the actual address on your `em0` interface, and change it if/when your ISP changes their address-layout.) + +Restart the netif and routing services again: + +[source,bash] +.... +# service netif restart && service routing restart +.... + +Then configure a test machine on the internal network via [.filename]#/etc/rc.conf#: + +[.programlisting] +.... +ifconfig_em0_ipv6="inet6 fdPP:QQRR:SSTT::192.168.10.81/120" +ipv6_cpe_wanif=em0 +rtsold_enable=yes +rtsold_flags=em0 +ipv6_activate_all_interfaces=yes +.... + +Reboot the test machine and try testing whether IPv6 works: + +[source,bash] +.... 
+% ping -6 -c 3 freebsd.org +PING6(56=40+8+8 bytes) 2001:db8::18ff:fe0a:74a6 --> 2610:1c1:1:606c::50:15 +16 bytes from 2610:1c1:1:606c::50:15, icmp_seq=0 hlim=51 time=88.042 ms +16 bytes from 2610:1c1:1:606c::50:15, icmp_seq=1 hlim=51 time=88.037 ms +16 bytes from 2610:1c1:1:606c::50:15, icmp_seq=2 hlim=51 time=87.954 ms +.... + +You do not need to configure a `defaultrouter` for IPv6, rtadvd(8) and rtsold(8) takes care of that. + + [[config-network-testing]] === Testing and Troubleshooting
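Review bot: in the `@@ -415,7 +415,7 @@` hunk the renamed heading `=== Configuring the Network Interface for IPv4` now disagrees with the unchanged sentence directly under it, which still reads "Once the right driver is loaded for the NIC, the card needs to be configured." Since the first hunk also replaces "network card" with "network interface", that sentence should be updated in the same change (for example "the interface needs to be configured") so the terminology is consistent from the heading onward.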
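Review bot: in the `==== Simple Client Configuration` part of the `@@ -515,6 +515,191 @@` hunk the `ifconfig em0` sample and the sentence explaining it do not agree with each other, and the explanation of how the address is formed is wrong. The sample shows `ether 00:53:00:0a:7a:a6`, but the addresses `fe80::230:18ff:fe0a:74a6%em0` and `2001:db8::18ff:fe0a:74a6` correspond to a MAC of 00:30:18:0a:74:a6, so the MAC was changed to a documentation value without changing the addresses; and the interface identifier embeds the whole MAC with `ff:fe` inserted in the middle and the universal/local bit flipped (EUI-64), not "the last three bytes". Suggest making the two consistent (with the MAC shown, the identifier would be `0253:00ff:fe0a:7aa6`) and rewording the sentence to say the identifier is derived from the full MAC, which also makes the point that the MAC is exposed in the global address. Further down, the test-machine `ping -6` output is the gateway's earlier output with the same source `2001:db8::18ff:fe0a:74a6`; a host behind the NAT rule would send from its `fdPP:QQRR:SSTT::192.168.10.81` address, so that output should be recaptured on the test machine. The `netstat -rn -6` output contains `fe80::%igb0/64 link#1 U em0`, which leaks an igb0 interface name into an example that uses em0 throughout. The pf.conf excerpt shows only `nat on $if_ext inet6 from !($if_ext) -> ($if_ext:0)` behind a `[…]`; since `ipv6_gateway_enable=yes` turns on forwarding, the text should say whether the elided part is expected to carry the filter rules for inbound inet6 on `$if_ext`, otherwise a reader following the section ends up with a forwarding gateway and no filtering policy. Typos and wording: "starting rtsold(8) to takes care of getting an IPv6 number" (takes; and "address" rather than "number"), "Similarily", "a different netmask for you internal network", "rtadvd(8) and rtsold(8) takes care of that", and "traffic will not leave the peer" presumably means the machine itself.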