IPv6 on m0n0wall

I finally got around to sending my first ping6 echos! Who knew I’d get replies on my first go?!

My ADSL provider Andrews & Arnold have provided me with a /48 IPv6 subnet, which seems somewhat wasteful at 2^80 addresses (throw that in your calculator) but certainly useful for testing nevertheless. Whilst slowly getting my head around the task that is variable-length subnetting of IPv6 ranges – painful at best – I decided to just throw in a /64 subnet and set a static gateway address on m0n0wall’s LAN interface to see if it would ‘just work’.

The result is a working IPv6 LAN, simply by enabling autoconfig from the m0n0wall box and telling Ubuntu’s Network Manager to use it. Et voila:

    teh@desktop:~$ ifconfig eth0
    eth0      Link encap:Ethernet  HWaddr 00:01:29:fc:37:1d
              inet addr:81.187.xxx.xxx  Bcast:81.187.xxx.xxx  Mask:255.255.255.240
              inet6 addr: 2001:8b0:ff87:1:201:29ff:fefc:371d/64 Scope:Global
              inet6 addr: fe80::201:29ff:fefc:371d/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1616524 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2224946 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:277202062 (277.2 MB)  TX bytes:519498762 (519.4 MB)
              Interrupt:18

You’ll notice that the last 80 bits of my IPv6 address on this host were assigned via autoconfig, using part of my MAC address (the part that doesn’t correspond to a certain manufacturer, IIRC) as well as some randomly-generated bits, too.

And to make my night, ping6 worked straight away, too:

    teh@desktop:~$ ping6 2001:08B0:FF88:0001::1
    PING 2001:08B0:FF88:0001::1(2001:8b0:ff88:1::1) 56 data bytes
    64 bytes from 2001:8b0:ff88:1::1: icmp_seq=1 ttl=64 time=3.81 ms
    64 bytes from 2001:8b0:ff88:1::1: icmp_seq=2 ttl=64 time=0.130 ms
    64 bytes from 2001:8b0:ff88:1::1: icmp_seq=3 ttl=64 time=0.132 ms

    --- 2001:08B0:FF88:0001::1 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2000ms
    rtt min/avg/max/mdev = 0.130/1.358/3.813/1.735 ms

Now to plan how I’m going to roll this out at work…

7 Comments

  1. Daniel says:

    Now work out multihoming. And tell the rest of the internet how to do it while you’re at it :)

  2. Tom says:

    Heh, one step at a time. ;)

  3. dave_06 says:

    I think this is the first time I can properly relate to one of your posts having just studied a module about IP & Subnetting :) Got my exam back today – 92% :D

  4. Tom says:

    Nice one! Was that a CCNA module? IIRC the CCNA1 skills test was just subnetting, heh.

    IPv6 is a whole ‘nother headache though. If you’re not completely awake it just plain hurts!

  5. dave_06 says:

    No, not a CCNA module as such, there’s a lot of politics about there actually being a CCNA module, but as luck would have it, our lecturer is a CCAI and has taught us so that those of us who want to go on and take the Cisco exams are prepared to do so. Think I will, even as a programmer it’s another skill to my bow!

  6. wiz561 says:

    I’m attempting to do this same exact thing with pfsense instead of m0n0wall.

    A few questions…

    - Did you just put in the IPv6 address (2001:400::/64) in the “LAN” tab, and put the gateway in?
    - Did you have to enable rtadvd? DHCPv6?
    - Did you have to enable any firewall rules?
    - Did you have to do anything to the WAN interface?

    My ISP gave me a /64. There’s not many tutorials out there on how to configure pfsense/m0n0wall with a single /64 space. I’m hoping that you can shed some additional light on how you got it working.

  7. Tom says:

    The first step, in m0n0wall at least, is to head into ‘System: Advanced’ and check the box that says ‘IPv6 Support’. Without that, you won’t have half the options you need.

    From memory, the GUI of pfSense is very similar, but to my knowledge it’s got very flakey support for IPv6 (or none, if you count only stable releases). I’d check that your build actually has v6 support first.

    LAN: Add the IPv6 prefix in the appropriate box, enable RA.
    WAN: This is dependent on your ISP. Is it Andrews & Arnold? If so, you just need to set the ‘IPv6 mode’ to ‘PPP’, and the routing of your prefix from the LAN to the world will ‘just work’. :)

    The firewall, from memory, doesn’t allow any v6 out by default (in contrast, it does for v4). On the ‘IPv6 Rules’ page you should just be able to add a rule that allows anything from the ‘LAN subnet’, to anywhere. And that’s job done. I believe there’s a predefined rule for blocking known aliens on the WAN, but my memory is hazy in that respect.

    Hope this helps!
