Differential D28622 Diff 83774 documentation/content/en/books/handbook/config/_index.adoc

Changeset View

Standalone View

documentation/content/en/books/handbook/config/_index.adoc

Show First 20 Lines • Show All 409 Lines • ▼ Show 20 Lines

To configure the system to load the man:ndis[4] modules at boot time, copy the generated module, [.filename]#W32DRIVER_SYS.ko#, to [.filename]#/boot/modules#. Then, add the following line to [.filename]#/boot/loader.conf#: To configure the system to load the man:ndis[4] modules at boot time, copy the generated module, [.filename]#W32DRIVER_SYS.ko#, to [.filename]#/boot/modules#. Then, add the following line to [.filename]#/boot/loader.conf#:

[.programlisting] [.programlisting]

.... ....

W32DRIVER_SYS_load="YES" W32DRIVER_SYS_load="YES"

.... ....

=== Configuring the Network Card === Configuring the Network Card for IPv4

thjUnsubmitted

Done

I think this and the one below for v6 should be "Network Interface" rather than card

thj: I think this and the one below for v6 should be "Network Interface" rather than card

Once the right driver is loaded for the NIC, the card needs to be configured. It may have been configured at installation time by man:bsdinstall[8]. Once the right driver is loaded for the NIC, the card needs to be configured. It may have been configured at installation time by man:bsdinstall[8].

To display the NIC configuration, enter the following command: To display the NIC configuration, enter the following command:

[source,bash] [source,bash]

.... ....

% ifconfig % ifconfig

▲ Show 20 Lines • Show All 82 Lines • ▼ Show 20 Lines

[source,bash] [source,bash]

.... ....

# echo 'defaultrouter="your_default_router"' >> /etc/rc.conf # echo 'defaultrouter="your_default_router"' >> /etc/rc.conf

# echo 'nameserver your_DNS_server' >> /etc/resolv.conf # echo 'nameserver your_DNS_server' >> /etc/resolv.conf

.... ....

==== ====

=== Configuring the Network Card for IPv6

IPv6 configuration is separated from IPv4 configuration in [.filename]#/etc/rc.conf# so whatever you have there to configure IPv4 is unaffected by all this.

thjUnsubmitted

Done

IPv6 configuration is separated from IPv4 configuration in [.filename]#/etc/rc.conf# IPv4 configuration is unaffected by IPv6.

thj: IPv6 configuration is separated from IPv4 configuration in [.filename]#/etc/rc.conf# IPv4…

thjUnsubmitted

Done

=== Configuring the Network Card for IPv6

- IPv6 configuration is separated from IPv4 configuration in [.filename]#/etc/rc.conf# so whatever you have there to configure IPv4 is unaffected by all this.

+ IPv6 configuration is separated from IPv4 configuration in [.filename]#/etc/rc.conf# IPv4 configuration is unaffected by IPv6.

These examples assume that your ISP connection ends with an Ethernet cable plugged into interface "ed0" on your FreeBSD machine.

thj:

bcrUnsubmitted

Not Done

s/all this/all of this/

bcr: s/all this/all of this/

These examples assume that your ISP connection ends with an Ethernet cable plugged into interface "ed0" on your FreeBSD machine.

==== Simple Client Configuration

First we will set up the machine as a simple IPv6 client, by enabling IPv6 and starting rtsold(8) to takes care of getting an IPv6 number and the routes your ISP wants you to use.

bcrUnsubmitted

Not Done

We discourage the use of 'you', so you could write at the end: ... and the ISP routes to use.

bcr: We discourage the use of 'you', so you could write at the end: ... and the ISP routes to use.

ceriUnsubmitted

Not Done

s/takes/take/

ceri: s/takes/take/

To do this, add the following to [.filename]#/etc/rc.conf#

[.programlisting]

....

ipv6_cpe_wanif=ed0

rtsold_enable=yes

rtsold_flags="ed0"

ipv6_activate_all_interfaces=yes

....

If the lofty promises of IPv6 auto-configuration holds, a reboot should connect you to the Internet Of The Future (est. 1995):

thjUnsubmitted

Done

This is not helpful language.

Here you should explain how to restart networking without a reboot. Sadly there is not a v6 only service restart netif.

Reboot should be suggested as a way to 'validate' the persisent config only

thj: This is not helpful language. Here you should explain how to restart networking without a…

ceriUnsubmitted

Not Done

Do we also need to start rtsold? It doesn't seem to get started by the routing service.

ceri: Do we also need to start rtsold? It doesn't seem to get started by the routing service.

[source,bash]

....

% ping6 -c 3 freebsd.org

thjUnsubmitted

Done

....

- % ping6 -c 3 freebsd.org

+ % ping -6 -c 3 freebsd.org

PING6(56=40+8+8 bytes) 2001:db8::18ff:fe0a:74a6 --> 2610:1c1:1:606c::50:15

ping now has the -6 flag

thj: ping now has the -6 flag

freebsd_igalic.coUnsubmitted

Done

ping6 has been merged into ping, so we should use ping -6 here, unless we want to be really daring and set ip6addrctl_policy=“ipv6_prefer"

freebsd_igalic.co: ping6 has been merged into ping, so we should use ping -6 here, unless we want to be really…

PING6(56=40+8+8 bytes) 2001:db8::18ff:fe0a:74a6 --> 2610:1c1:1:606c::50:15

16 bytes from 2610:1c1:1:606c::50:15, icmp_seq=0 hlim=51 time=88.404 ms

16 bytes from 2610:1c1:1:606c::50:15, icmp_seq=1 hlim=51 time=88.037 ms

16 bytes from 2610:1c1:1:606c::50:15, icmp_seq=2 hlim=51 time=87.954 ms

....

If you look at your ethernet interface, you will see two IPv6 addresses:

[source,bash]

....

% ifconfig ed0

melifaroUnsubmitted

Done

Didn't we deprecate ed? Maybe it's worth grabbing em as that's the common interface used in physical servers/VMs?

melifaro: Didn't we deprecate `ed`? Maybe it's worth grabbing `em` as that's the common interface used in…

ed0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500

options=[…]

ether […]:0a:7a:a6

melifaroUnsubmitted

Done

Maybe we can use mac documentation prefix 00-53-00 and IPv4 documentation prefix 192.0.2.0/24 to make it easier to grasp?

melifaro: Maybe we can use mac documentation prefix [00-53-00](https://www.iana.org/assignments/ethernet…

debdrupAuthorUnsubmitted

Done

I changed the MAC prefix as requested, but since IPv4 and IPv6 configuration aren't really linked, I would prefer leaving the ellipsis for IPv4 as there's no way to know what blocks or VLSM is used.

debdrup: I changed the MAC prefix as requested, but since IPv4 and IPv6 configuration aren't really…

bcrUnsubmitted

Not Done

Another use of 'you' here.

bcr: Another use of 'you' here.

inet […]

inet6 fe80::230:18ff:fe0a:74a6%ed0 prefixlen 64 scopeid 0x1

inet6 2001:db8::18ff:fe0a:74a6 prefixlen 64 autoconf

media: […]

status: active

nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

....

The last three bytes of the interface MAC address are reused in the IPv6 addresses, here `0a:7a:a6`, this is part of the magic autoconfiguration-sauce rtsold(8) does.

thjUnsubmitted

Done

....

- The last three bytes of the interface MAC address are reused in the IPv6 addresses, here `0a:7a:a6`, this is part of the magic autoconfiguration-sauce rtsold(8) does.

+ The last three bytes of the interface MAC address are reused in the IPv6 addresses, here 0a:7a:a6, this is part of the autoconfiguration rtsold(8) does.

You will not see `2001:db8::` but whatever your ISP's IPv6 prefix is for your end of their network, the `prefixlen` may also be different.

thj:

You will not see `2001:db8::` but whatever your ISP's IPv6 prefix is for your end of their network, the `prefixlen` may also be different.

thjUnsubmitted

Done

The last three bytes of the interface MAC address are reused in the IPv6 addresses, here `0a:7a:a6`, this is part of the magic autoconfiguration-sauce rtsold(8) does.

- You will not see `2001:db8::` but whatever your ISP's IPv6 prefix is for your end of their network, the `prefixlen` may also be different.

+ You will not see `2001:db8::` but your ISP's IPv6 prefix for your network, the `prefixlen` may also be different.

The `fe80::…` address is an automatic "link-local" address which is used by the autoconfiguration protocols.

thj:

The `fe80::…` address is an automatic "link-local" address which is used by the autoconfiguration protocols.

thjUnsubmitted

Done

You will not see `2001:db8::` but whatever your ISP's IPv6 prefix is for your end of their network, the `prefixlen` may also be different.

- The `fe80::…` address is an automatic "link-local" address which is used by the autoconfiguration protocols.

+ The `fe80::…` address is a default "link-local" address which is used by the autoconfiguration protocols.

You will also have a pile of IPv6 routes now:

which autoconfiguration protocol? A name will help people do more research and understand

thj: which autoconfiguration protocol? A name will help people do more research and understand

You will also have a pile of IPv6 routes now:

thjUnsubmitted

Done

The `fe80::…` address is an automatic "link-local" address which is used by the autoconfiguration protocols.

- You will also have a pile of IPv6 routes now:

+ You should now have IPv6 routes:

[source,bash]

thj:

ceriUnsubmitted

Not Done

man:rtsold[8]

ceri: man:rtsold[8]

[source,bash]

....

bcrUnsubmitted

Not Done

And 'you' again.
2001:db8:: will not appear here, but the assigned ISP's IPv6 prefix endpoint instead.

bcr: And 'you' again. `2001:db8::` will not appear here, but the assigned ISP's IPv6 prefix…

% netstat -rn -f inet6

melifaroUnsubmitted

Done

probably worth considering showing shortcut syntax (-6 instead of -f inet6) ?

melifaro: probably worth considering showing shortcut syntax (`-6` instead of `-f inet6`) ?

Routing tables

Internet6:

Destination Gateway Flags Netif Expire

bcrUnsubmitted

Not Done

Some IPv6 routes are available now:

bcr: Some IPv6 routes are available now:

::/96 ::1 UGRS lo0

default fe80::92e2:baff:fe37:d760%ed0 UG ed0

::1 link#7 UH lo0

::ffff:0.0.0.0/96 ::1 UGRS lo0

2001:db8::/64 link#1 U ed0

2001:db8::18ff:fe0a:74a6 link#1 UHS lo0

fe80::/10 ::1 UGRS lo0

fe80::%igb0/64 link#1 U ed0

fe80::230:18ff:fe0a:74a6%ed0 link#1 UHS lo0

fe80::%lo0/64 link#7 U lo0

fe80::1%lo0 link#7 UHS lo0

ff02::/16 ::1 UGRS lo0

....

The important one is obviously the default route.

thjUnsubmitted

Done

....

- The important one is obviously the default route.

+ It is important that your default route is correct, otherwise traffic will not leave the peer and enter the upstream network.

==== Spreading IPv6 to your entire network

thj:

freebsd_igalic.coUnsubmitted

Done

drop obviously.

freebsd_igalic.co: drop obviously.

==== Spreading IPv6 to your entire network

thjUnsubmitted

Done

The important one is obviously the default route.

- ==== Spreading IPv6 to your entire network

+ ==== Distributing IPv6 addresses in your entire network

The IPv6 world has autoconfiguration methods which allow a gateway to distribute an ISP provided IPv6 subnet to the rest of the network, but not all ISPs support that.

thj:

melifaroUnsubmitted

Done

Maybe we could consider laying out multiple approaches from IPv6 BCPs like RFC 7381 and explain how to configure them.
It will be up to the user to actually decide what approach suits best for him.

melifaro: Maybe we could consider laying out multiple approaches from IPv6 BCPs like [RFC 7381](https…

phkUnsubmitted

Done

That would be wonderful, I spent quite some time looking for precisely that kind of document, which is why I ended up doing this write-up.

phk: That would be wonderful, I spent quite some time looking for precisely that kind of document…

debdrupAuthorUnsubmitted

Done

This seems supplemental and can be added in a later commit by a subject matter domain expert (which I am not, despite 20-odd years of being a network admin), if and when a phrasing can be worked out.

debdrup: This seems supplemental and can be added in a later commit by a subject matter domain expert…

The IPv6 world has autoconfiguration methods which allow a gateway to distribute an ISP provided IPv6 subnet to the rest of the network, but not all ISPs support that.

thjUnsubmitted

Done

==== Spreading IPv6 to your entire network

- The IPv6 world has autoconfiguration methods which allow a gateway to distribute an ISP provided IPv6 subnet to the rest of the network, but not all ISPs support that.

+ IPv6 provides autoconfiguration methods which allow a gateway to distribute an ISP provided IPv6 prefix to the rest of the network.

Even if your ISP support it, it has the downside that your devices will change IPv6 addresses if your ISP feels like it, which can mean as often as your gateway restarts.

please check that prefix is correct. I think ipv6 subnet is almost always wrong

thj: please check that prefix is correct. I think ipv6 subnet is almost always wrong

Even if your ISP support it, it has the downside that your devices will change IPv6 addresses if your ISP feels like it, which can mean as often as your gateway restarts.

thjUnsubmitted

Done

The IPv6 world has autoconfiguration methods which allow a gateway to distribute an ISP provided IPv6 subnet to the rest of the network, but not all ISPs support that.

- Even if your ISP support it, it has the downside that your devices will change IPv6 addresses if your ISP feels like it, which can mean as often as your gateway restarts.

+ Using your ISP provided prefix has the downside that your devices will change IPv6 addresses if your ISP changes your prefix, this may happen as often as every time your gateway restarts.

For normal consumers that is probably fine, but if, like me, you have your own servers etc, that gets old soon.

thj:

freebsd_igalic.coUnsubmitted

Done

should this be:

Even if your ISP *supports* it

freebsd_igalic.co: should this be: Even if your ISP *supports* it ?

For normal consumers that is probably fine, but if, like me, you have your own servers etc, that gets old soon.

thjUnsubmitted

Done

Even if your ISP support it, it has the downside that your devices will change IPv6 addresses if your ISP feels like it, which can mean as often as your gateway restarts.

- For normal consumers that is probably fine, but if, like me, you have your own servers etc, that gets old soon.

Like RFC1918 addresses for IPv4, RFC4193 defines private IPv6 networks, and if you follow the instructions and use random numbers, you are unlikely to ever see another network using the same addresses as you did.

delete

thj: delete

bcrUnsubmitted

Not Done

s/your/the/

bcr: s/your/the/

thjUnsubmitted

Done

I am not sure about the advice in everything below this point.

I think it is an 'advanced' topic, the information in chapter 32.9 is clear and the resource I use when I have to manually setup v6.

https://docs.freebsd.org/en_US.ISO8859-1/books/handbook/network-ipv6.html

That chapter really isn't advanced networking, but that is a different review.

thj: I am not sure about the advice in everything below this point. I think it is an 'advanced'…

debdrupAuthorUnsubmitted

Done

Equivalent instructions aren't provided, so unless you're volunteering to move the instructions to that file, I'm happy to leave them as they are.

One advantage of this is also that this will match the expectations non-advanced users have about how IPv4 is configured (ie. where NAT is almost-ubiquitous.

debdrup: Equivalent instructions aren't provided, so unless you're volunteering to move the instructions…

bcrUnsubmitted

Not Done

s/your/the/

bcr: s/your/the/

In this example we will use RFC4193 addresses internally and use NAT to hide everything behind the single IPv6 address we got from the ISP.

bcrUnsubmitted

Not Done

s/your/the/g

bcr: s/your/the/g

First we create our very own RFC4193 address:

bcrUnsubmitted

Not Done

s/and if you follow/and when following/
s/and use random numbers/and random numbers are used/
s/you are/it is/
s/as you did//

bcr: s/and if you follow/and when following/ s/and use random numbers/and random numbers are used/…

[source,bash]

....

% dd if=/dev/random bs=5 count=1 | hexdump -C

00000000 PP QQ RR SS TT |.....|

00000005

....

Your RFC4193 compliant IPv6 network then becomes:

[.programlisting]

....

fdPP:QQRR:SSTT::

....

bcrUnsubmitted

Not Done

/Your/This/

bcr: /Your/This/

ceriUnsubmitted

Not Done

What this is doing is really unclear. Could the text please explain that we're just trying to generate five random hex chars (and not use P through T, because they aren't)?

ceri: What this is doing is really unclear. Could the text please explain that we're just trying to…

Next assign a static address to the internal interface of the gateway, and there is a neat trick available here:

If the internal `ie0` is configured for IPv4 like this in [.filename]#/etc/rc.conf#:

melifaroUnsubmitted

Done

Probably worth considering em instead of ie (was the latter 10Mbit/s driver)?

melifaro: Probably worth considering `em` instead of `ie` (was the latter 10Mbit/s driver)?

phkUnsubmitted

Done

Please see the Note at the bottom :-)

phk: Please see the Note at the bottom :-)

debdrupAuthorUnsubmitted

Done

I changed ed0 and ie0 to em0 and em1, because ed0 is deprecated and ie(4) has no manual page.

debdrup: I changed ed0 and ie0 to em0 and em1, because ed0 is deprecated and ie(4) has no manual page.

freebsd_igalic.coUnsubmitted

Done

now we're using ie0 instead of ed0?
oh, this is for internal LAN.
maybe we should announce this on top, too

freebsd_igalic.co: now we're using ie0 instead of ed0? oh, this is for internal LAN. maybe we should announce…

[.programlisting]

....

ifconfig_ie0="192.168.10.102/24"

....

We can configure it for IPv6 like that in [.filename]#/etc/rc.conf#:

[.programlisting]

....

ifconfig_ie0_ipv6="inet6 fdPP:QQRR:SSTT::192.168.10.102/120"

....

ceriUnsubmitted

Not Done

this

ceri: this

Unfortunately the does not work everywhere, but here it does.

freebsd_igalic.coUnsubmitted

Done

the does not -> that does not

freebsd_igalic.co: the does not -> that does not

The math behind `/120` is `/(128 - (32 - 24))`, in case you used a different netmask for you internal network.

We want the machine to act as a gateway through [.filename]#/etc/rc.conf#

ceriUnsubmitted

Not Done

What?

ceri: What?

[.programlisting]

....

bcrUnsubmitted

Not Done

s/you used a different netmask for you internal network/a different netmask for the internal network is used/

bcr: s/you used a different netmask for you internal network/a different netmask for the internal…

ipv6_gateway_enable=yes

....

ceriUnsubmitted

Not Done

configure

ceri: configure

We need to start rtadvd(8) to answer the rtsold(8) requests from the machines on the inside via [.filename]#/etc/rc.conf#

[.programlisting]

....

rtadvd_enable=yes

rtadvd_interfaces="ie0"

....

And finally we need to tell pf(4) to NAT everything onto the IPv6 address we got from our ISP via [.filename]#/etc/pf.conf#

[.programlisting]

....

if_ext="ed0"

[…]

nat on $if_ext inet6 from !($if_ext) -> ($if_ext:0)

....

(A bug in FreeBSD-12 prevents this from working, you will have to enter the actual address on your `ed0` interface, and change it if/when your ISP changes their address-layout.)

Reboot the gateway, and then configure a test machine on the internal network via [.filename]#/etc/rc.conf#:

[.programlisting]

....

bcrUnsubmitted

Not Done

Long sentence, probably better to split it in two to also kill the 'you':
(A bug in FreeBSD-12 prevents this from working. Enter the actual address ... on the em0 interface and change it in case the ISP changes...)

bcr: Long sentence, probably better to split it in two to also kill the 'you': (A bug in FreeBSD-12…

ifconfig_ie0_ipv6="inet6 fdPP:QQRR:SSTT::192.168.10.81/120"

ipv6_cpe_wanif=ie0

rtsold_enable=yes

rtsold_flags=ie0

ipv6_activate_all_interfaces=yes

....

Reboot the test machine and try if "ping6 freebsd.org" works.

You do not need to configure a `defaultrouter` for IPv6, rtadvd(8) and rtsold(8) takes care of that.

[NOTE]

=====

The choice of 'ed0' and 'ie0' interface names commemorates the two of the most important ethernet drivers in FreeBSD, when IPv6 was rushed into existence 25 years ago.

=====

[[config-network-testing]] [[config-network-testing]]

=== Testing and Troubleshooting === Testing and Troubleshooting

Once the necessary changes to [.filename]#/etc/rc.conf# are saved, a reboot can be used to test the network configuration and to verify that the system restarts without any configuration errors. Alternatively, apply the settings to the networking system with this command: Once the necessary changes to [.filename]#/etc/rc.conf# are saved, a reboot can be used to test the network configuration and to verify that the system restarts without any configuration errors. Alternatively, apply the settings to the networking system with this command:

[source,bash] [source,bash]

.... ....

# service netif restart # service netif restart

.... ....

[NOTE] [NOTE]

==== ====

If a default gateway has been set in [.filename]#/etc/rc.conf#, also issue this command: If a default gateway has been set in [.filename]#/etc/rc.conf#, also issue this command:

[source,bash] [source,bash]

bcrUnsubmitted

Not Done

s/You do not need/There is no need/

bcr: s/You do not need/There is no need/

.... ....

# service routing restart # service routing restart

.... ....

==== ====

Once the networking system has been relaunched, test the NICs. Once the networking system has been relaunched, test the NICs.

▲ Show 20 Lines • Show All 980 Lines • Show Last 20 Lines