documentation/content/en/books/handbook/config/_index.adoc
To configure the system to load the man:ndis[4] modules at boot time, copy the generated module, [.filename]#W32DRIVER_SYS.ko#, to [.filename]#/boot/modules#. Then, add the following line to [.filename]#/boot/loader.conf#: | To configure the system to load the man:ndis[4] modules at boot time, copy the generated module, [.filename]#W32DRIVER_SYS.ko#, to [.filename]#/boot/modules#. Then, add the following line to [.filename]#/boot/loader.conf#: | ||||||||||
[.programlisting] | [.programlisting] | ||||||||||
.... | .... | ||||||||||
W32DRIVER_SYS_load="YES" | W32DRIVER_SYS_load="YES" | ||||||||||
.... | .... | ||||||||||
=== Configuring the Network Card | === Configuring the Network Card for IPv4 | ||||||||||
thj: I think this and the one below for v6 should be "Network Interface" rather than card
Once the right driver is loaded for the NIC, the card needs to be configured. It may have been configured at installation time by man:bsdinstall[8]. | Once the right driver is loaded for the NIC, the card needs to be configured. It may have been configured at installation time by man:bsdinstall[8]. | ||||||||||
To display the NIC configuration, enter the following command: | To display the NIC configuration, enter the following command: | ||||||||||
[source,bash] | [source,bash] | ||||||||||
.... | .... | ||||||||||
% ifconfig | % ifconfig | ||||||||||
[source,bash] | [source,bash] | ||||||||||
.... | .... | ||||||||||
# echo 'defaultrouter="your_default_router"' >> /etc/rc.conf | # echo 'defaultrouter="your_default_router"' >> /etc/rc.conf | ||||||||||
# echo 'nameserver your_DNS_server' >> /etc/resolv.conf | # echo 'nameserver your_DNS_server' >> /etc/resolv.conf | ||||||||||
.... | .... | ||||||||||
==== | ==== | ||||||||||
=== Configuring the Network Card for IPv6 | |||||||||||
IPv6 configuration is separated from IPv4 configuration in [.filename]#/etc/rc.conf# so whatever you have there to configure IPv4 is unaffected by all this. | |||||||||||
thj: IPv6 configuration is separated from IPv4 configuration in [.filename]#/etc/rc.conf#. IPv4 configuration is unaffected by IPv6.
bcr: s/all this/all of this/
These examples assume that your ISP connection ends with an Ethernet cable plugged into interface "ed0" on your FreeBSD machine. | |||||||||||
==== Simple Client Configuration | |||||||||||
First we will set up the machine as a simple IPv6 client, by enabling IPv6 and starting rtsold(8) to takes care of getting an IPv6 number and the routes your ISP wants you to use. | |||||||||||
bcr: We discourage the use of 'you', so you could write at the end: ... and the ISP routes to use.
ceri: s/takes/take/
To do this, add the following to [.filename]#/etc/rc.conf# | |||||||||||
[.programlisting] | |||||||||||
.... | |||||||||||
ipv6_cpe_wanif=ed0 | |||||||||||
rtsold_enable=yes | |||||||||||
rtsold_flags="ed0" | |||||||||||
ipv6_activate_all_interfaces=yes | |||||||||||
.... | |||||||||||
If the lofty promises of IPv6 auto-configuration holds, a reboot should connect you to the Internet Of The Future (est. 1995): | |||||||||||
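Review bot: the rc.conf values in the block above (`rtsold_enable=yes`, `ipv6_activate_all_interfaces=yes`) are unquoted, while the existing examples in this file quote them (`W32DRIVER_SYS_load="YES"`, `defaultrouter="your_default_router"`); suggest `rtsold_enable="YES"` and `ipv6_activate_all_interfaces="YES"` for consistency with the rest of the chapter. The "Internet Of The Future" sentence should also say how to apply the change without a reboot: the Testing and Troubleshooting section of this same file already documents `service netif restart` and `service routing restart`, so a cross-reference there would do, with the reboot kept as the way to confirm the persistent configuration survives a restart.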
thj: This is not helpful language. Here you should explain how to restart networking without a reboot. Sadly there is not a v6 only service restart netif. Reboot should be suggested as a way to 'validate' the persistent config only.
ceri: Do we also need to start rtsold? It doesn't seem to get started by the routing service.
[source,bash] | |||||||||||
.... | |||||||||||
% ping6 -c 3 freebsd.org | |||||||||||
thj: ping now has the -6 flag
freebsd_igalic.co: ping6 has been merged into ping, so we should use ping -6 here, unless we want to be really daring and set ip6addrctl_policy="ipv6_prefer"
PING6(56=40+8+8 bytes) 2001:db8::18ff:fe0a:74a6 --> 2610:1c1:1:606c::50:15 | |||||||||||
16 bytes from 2610:1c1:1:606c::50:15, icmp_seq=0 hlim=51 time=88.404 ms | |||||||||||
16 bytes from 2610:1c1:1:606c::50:15, icmp_seq=1 hlim=51 time=88.037 ms | |||||||||||
16 bytes from 2610:1c1:1:606c::50:15, icmp_seq=2 hlim=51 time=87.954 ms | |||||||||||
.... | |||||||||||
If you look at your ethernet interface, you will see two IPv6 addresses: | |||||||||||
[source,bash] | |||||||||||
.... | |||||||||||
% ifconfig ed0 | |||||||||||
melifaro: Didn't we deprecate `ed`? Maybe it's worth grabbing `em` as that's the common interface used in physical servers/VMs?
ed0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 | |||||||||||
options=[…] | |||||||||||
ether […]:0a:7a:a6 | |||||||||||
melifaro: Maybe we can use mac documentation prefix 00-53-00 and IPv4 documentation prefix 192.0.2.0/24 to make it easier to grasp?
debdrup (author): I changed the MAC prefix as requested, but since IPv4 and IPv6 configuration aren't really linked, I would prefer leaving the ellipsis for IPv4 as there's no way to know what blocks or VLSM is used.
bcr: Another use of 'you' here.
inet […] | |||||||||||
inet6 fe80::230:18ff:fe0a:74a6%ed0 prefixlen 64 scopeid 0x1 | |||||||||||
inet6 2001:db8::18ff:fe0a:74a6 prefixlen 64 autoconf | |||||||||||
media: […] | |||||||||||
status: active | |||||||||||
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL> | |||||||||||
.... | |||||||||||
The last three bytes of the interface MAC address are reused in the IPv6 addresses, here `0a:7a:a6`, this is part of the magic autoconfiguration-sauce rtsold(8) does. | |||||||||||
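Review bot: the MAC tail shown in the ifconfig output and repeated in the sentence above, `0a:7a:a6`, does not match the addresses shown everywhere else in this example (`2001:db8::18ff:fe0a:74a6`, `fe80::230:18ff:fe0a:74a6`, and the ping6 source), which all contain `0a:74:a6`; one of the two needs correcting, otherwise the reader cannot see the "last three bytes" being reused. It would also help to say that the `ff:fe` visible in the middle of the interface identifier (`18ff:fe0a`) is inserted between the two halves of the MAC address, since that is the part of the construction that the output alone does not make obvious.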
You will not see `2001:db8::` but whatever your ISP's IPv6 prefix is for your end of their network, the `prefixlen` may also be different. | |||||||||||
The `fe80::…` address is an automatic "link-local" address which is used by the autoconfiguration protocols. | |||||||||||
thj: which autoconfiguration protocol? A name will help people do more research and understand
You will also have a pile of IPv6 routes now: | |||||||||||
ceri: man:rtsold[8]
[source,bash] | |||||||||||
.... | |||||||||||
bcr: And 'you' again. `2001:db8::` will not appear here, but the assigned ISP's IPv6 prefix…
% netstat -rn -f inet6 | |||||||||||
melifaro: probably worth considering showing shortcut syntax (`-6` instead of `-f inet6`)?
Routing tables | |||||||||||
Internet6: | |||||||||||
Destination Gateway Flags Netif Expire | |||||||||||
bcr: Some IPv6 routes are available now:
::/96 ::1 UGRS lo0 | |||||||||||
default fe80::92e2:baff:fe37:d760%ed0 UG ed0 | |||||||||||
::1 link#7 UH lo0 | |||||||||||
::ffff:0.0.0.0/96 ::1 UGRS lo0 | |||||||||||
2001:db8::/64 link#1 U ed0 | |||||||||||
2001:db8::18ff:fe0a:74a6 link#1 UHS lo0 | |||||||||||
fe80::/10 ::1 UGRS lo0 | |||||||||||
fe80::%igb0/64 link#1 U ed0 | |||||||||||
fe80::230:18ff:fe0a:74a6%ed0 link#1 UHS lo0 | |||||||||||
fe80::%lo0/64 link#7 U lo0 | |||||||||||
fe80::1%lo0 link#7 UHS lo0 | |||||||||||
ff02::/16 ::1 UGRS lo0 | |||||||||||
.... | |||||||||||
The important one is obviously the default route. | |||||||||||
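Review bot: the route `fe80::%igb0/64 link#1 U ed0` names an interface, `igb0`, that appears nowhere else in this example, where the external interface is `ed0`; it should read `fe80::%ed0/64`. The sentence after the table could also point out that the default route's gateway is the upstream router's link-local address (`fe80::92e2:baff:fe37:d760%ed0`) learned from its router advertisement, which is the normal case for IPv6 rather than a global address as with an IPv4 default gateway; and, as raised in the comments, `netstat -rn -6` is the shorter spelling of `-f inet6`.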
freebsd_igalic.co: drop obviously.
==== Spreading IPv6 to your entire network | |||||||||||
melifaro: Maybe we could consider laying out multiple approaches from IPv6 BCPs like RFC 7381 and explain how to configure them.
phk: That would be wonderful, I spent quite some time looking for precisely that kind of document, which is why I ended up doing this write-up.
debdrup (author): This seems supplemental and can be added in a later commit by a subject matter domain expert (which I am not, despite 20-odd years of being a network admin), if and when a phrasing can be worked out.
The IPv6 world has autoconfiguration methods which allow a gateway to distribute an ISP provided IPv6 subnet to the rest of the network, but not all ISPs support that. | |||||||||||
thj: please check that prefix is correct. I think ipv6 subnet is almost always wrong
Even if your ISP support it, it has the downside that your devices will change IPv6 addresses if your ISP feels like it, which can mean as often as your gateway restarts. | |||||||||||
freebsd_igalic.co: should this be: Even if your ISP *supports* it ?
For normal consumers that is probably fine, but if, like me, you have your own servers etc, that gets old soon. | |||||||||||
thj: delete
bcr: s/your/the/
Like RFC1918 addresses for IPv4, RFC4193 defines private IPv6 networks, and if you follow the instructions and use random numbers, you are unlikely to ever see another network using the same addresses as you did. | |||||||||||
thj: I am not sure about the advice in everything below this point. I think it is an 'advanced' topic, the information in chapter 32.9 is clear and the resource I use when I have to manually setup v6. https://docs.freebsd.org/en_US.ISO8859-1/books/handbook/network-ipv6.html That chapter really isn't advanced networking, but that is a different review.
debdrup (author): Equivalent instructions aren't provided, so unless you're volunteering to move the instructions to that file, I'm happy to leave them as they are. One advantage of this is also that this will match the expectations non-advanced users have about how IPv4 is configured (ie. where NAT is almost-ubiquitous).
bcr: s/your/the/
In this example we will use RFC4193 addresses internally and use NAT to hide everything behind the single IPv6 address we got from the ISP. | |||||||||||
bcr: s/your/the/g
First we create our very own RFC4193 address: | |||||||||||
bcr: s/and if you follow/and when following/ s/and use random numbers/and random numbers are used/…
[source,bash] | |||||||||||
.... | |||||||||||
% dd if=/dev/random bs=5 count=1 | hexdump -C | |||||||||||
00000000 PP QQ RR SS TT |.....| | |||||||||||
00000005 | |||||||||||
.... | |||||||||||
Your RFC4193 compliant IPv6 network then becomes: | |||||||||||
[.programlisting] | |||||||||||
.... | |||||||||||
fdPP:QQRR:SSTT:: | |||||||||||
.... | |||||||||||
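Review bot: the block above never states what prefix length the generated network has. Under RFC 4193 the five random bytes are the 40-bit Global ID, so `fdPP:QQRR:SSTT::/48` is the site's ULA prefix and the internal network used later, `fdPP:QQRR:SSTT::/64`, is its subnet 0 (one of 65536 possible /64s); saying this makes the later `/120` arithmetic and the `fdPP:QQRR:SSTT::192.168.10.102/120` addresses much easier to follow. The hexdump step is also opaque as written (see the inline comment): `PP QQ RR SS TT` stand for the five random bytes printed in hex, and the text should say that the letters are placeholders rather than valid hex digits.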
bcr: /Your/This/
ceri: What this is doing is really unclear. Could the text please explain that we're just trying to generate five random hex chars (and not use P through T, because they aren't)?
Next assign a static address to the internal interface of the gateway, and there is a neat trick available here: | |||||||||||
If the internal `ie0` is configured for IPv4 like this in [.filename]#/etc/rc.conf#: | |||||||||||
melifaro: Probably worth considering `em` instead of `ie` (was the latter 10Mbit/s driver)?
phk: Please see the Note at the bottom :-)
debdrup (author): I changed ed0 and ie0 to em0 and em1, because ed0 is deprecated and ie(4) has no manual page.
freebsd_igalic.co: now we're using ie0 instead of ed0? oh, this is for internal LAN. maybe we should announce…
[.programlisting] | |||||||||||
.... | |||||||||||
ifconfig_ie0="192.168.10.102/24" | |||||||||||
.... | |||||||||||
We can configure it for IPv6 like that in [.filename]#/etc/rc.conf#: | |||||||||||
[.programlisting] | |||||||||||
.... | |||||||||||
ifconfig_ie0_ipv6="inet6 fdPP:QQRR:SSTT::192.168.10.102/120" | |||||||||||
.... | |||||||||||
ceri: this
Unfortunately the does not work everywhere, but here it does. | |||||||||||
freebsd_igalic.co: the does not -> that does not
The math behind `/120` is `/(128 - (32 - 24))`, in case you used a different netmask for you internal network. | |||||||||||
We want the machine to act as a gateway through [.filename]#/etc/rc.conf# | |||||||||||
ceri: What?
[.programlisting] | |||||||||||
.... | |||||||||||
bcr: s/you used a different netmask for you internal network/a different netmask for the internal network is used/
ipv6_gateway_enable=yes | |||||||||||
.... | |||||||||||
ceri: configure
We need to start rtadvd(8) to answer the rtsold(8) requests from the machines on the inside via [.filename]#/etc/rc.conf# | |||||||||||
[.programlisting] | |||||||||||
.... | |||||||||||
rtadvd_enable=yes | |||||||||||
rtadvd_interfaces="ie0" | |||||||||||
.... | |||||||||||
And finally we need to tell pf(4) to NAT everything onto the IPv6 address we got from our ISP via [.filename]#/etc/pf.conf# | |||||||||||
[.programlisting] | |||||||||||
.... | |||||||||||
if_ext="ed0" | |||||||||||
[…] | |||||||||||
nat on $if_ext inet6 from !($if_ext) -> ($if_ext:0) | |||||||||||
.... | |||||||||||
(A bug in FreeBSD-12 prevents this from working, you will have to enter the actual address on your `ed0` interface, and change it if/when your ISP changes their address-layout.) | |||||||||||
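Review bot: the gateway section enables forwarding (`ipv6_gateway_enable`) and rtadvd(8) but never enables pf(4) itself; the rc.conf fragments should include `pf_enable="YES"`, otherwise the `nat` rule in `/etc/pf.conf` is never loaded. Two clarifications would also help: first, `rtadvd_interfaces="ie0"` makes the gateway advertise itself as a router, and the inside hosts use that only for their default route, because a `/120` prefix is too long for stateless address autoconfiguration (which needs a /64), which is exactly why the test machine below is given a static `ifconfig_ie0_ipv6` address rather than relying on rtsold(8) for one; second, `nat on $if_ext inet6 from !($if_ext) -> ($if_ext:0)` only rewrites outbound source addresses and filters nothing, so the elided `[…]` part of pf.conf must still carry the `block`/`pass` rules that decide what may reach the internal hosts and the gateway itself. The FreeBSD-12 caveat should name what fails (the `($if_ext:0)` interface-address form) and what the workaround line looks like, so a reader knows which of the two forms they are running.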
Reboot the gateway, and then configure a test machine on the internal network via [.filename]#/etc/rc.conf#: | |||||||||||
[.programlisting] | |||||||||||
.... | |||||||||||
bcr: Long sentence, probably better to split it in two to also kill the 'you': (A bug in FreeBSD-12…
ifconfig_ie0_ipv6="inet6 fdPP:QQRR:SSTT::192.168.10.81/120" | |||||||||||
ipv6_cpe_wanif=ie0 | |||||||||||
rtsold_enable=yes | |||||||||||
rtsold_flags=ie0 | |||||||||||
ipv6_activate_all_interfaces=yes | |||||||||||
.... | |||||||||||
Reboot the test machine and try if "ping6 freebsd.org" works. | |||||||||||
You do not need to configure a `defaultrouter` for IPv6, rtadvd(8) and rtsold(8) takes care of that. | |||||||||||
[NOTE] | |||||||||||
===== | |||||||||||
The choice of 'ed0' and 'ie0' interface names commemorates the two of the most important ethernet drivers in FreeBSD, when IPv6 was rushed into existence 25 years ago. | |||||||||||
===== | |||||||||||
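Review bot: the NOTE block is delimited with `=====` while the existing NOTE blocks in this file use `====` (the block in the Testing and Troubleshooting section right after this one, and the one closed just before the IPv6 heading); AsciiDoc only requires the opening and closing delimiters to match, which they do here, but keeping the file's four-character convention avoids a reader thinking a different block type is meant. Two grammar points in the same region: `rtadvd(8) and rtsold(8) takes care of that` should read `take care`, and `commemorates the two of the most important ethernet drivers` should drop `the` before `two`. The test-machine block also writes `rtsold_flags=ie0` without quotes whereas the client block earlier uses `rtsold_flags="ed0"`; pick one form.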
[[config-network-testing]] | [[config-network-testing]] | ||||||||||
=== Testing and Troubleshooting | === Testing and Troubleshooting | ||||||||||
Once the necessary changes to [.filename]#/etc/rc.conf# are saved, a reboot can be used to test the network configuration and to verify that the system restarts without any configuration errors. Alternatively, apply the settings to the networking system with this command: | Once the necessary changes to [.filename]#/etc/rc.conf# are saved, a reboot can be used to test the network configuration and to verify that the system restarts without any configuration errors. Alternatively, apply the settings to the networking system with this command: | ||||||||||
[source,bash] | [source,bash] | ||||||||||
.... | .... | ||||||||||
# service netif restart | # service netif restart | ||||||||||
.... | .... | ||||||||||
[NOTE] | [NOTE] | ||||||||||
==== | ==== | ||||||||||
If a default gateway has been set in [.filename]#/etc/rc.conf#, also issue this command: | If a default gateway has been set in [.filename]#/etc/rc.conf#, also issue this command: | ||||||||||
[source,bash] | [source,bash] | ||||||||||
bcr: s/You do not need/There is no need/
.... | .... | ||||||||||
# service routing restart | # service routing restart | ||||||||||
.... | .... | ||||||||||
==== | ==== | ||||||||||
Once the networking system has been relaunched, test the NICs. | Once the networking system has been relaunched, test the NICs. | ||||||||||