Tunnel IPv6 over IPv4
Let’s assume you need IPv6 connectivity somewhere … You can use a tunnel broker, or, if you run OpenBSD on your boxes, you can do it on your own. Here are some hints.
Server with DualStack
You need a machine out on the Internet which is dual-stacked:
stoege@dualstack$ i3
IPv4: 11.22.33.44
IPv6: 2001:db8:100::100
Host with IPv4 only
stoege@ipv4 host ~# i3
IPv4: 55.66.77.88
IPv6: !NETWORK
and you want to bring IPv6 to the second host.
Configure GIF Interfaces
Server
cat << 'EOF' > /etc/hostname.gif0
# IPv4 Tunnel to Host
tunnel 11.22.33.44 55.66.77.88
inet6 alias 2001:db8::1 128
dest 2001:db8::2
EOF
sh /etc/netstart gif0
IPv4 Host
cat << 'EOF' > /etc/hostname.gif0
# IPv4 Tunnel to Dualstack
tunnel 55.66.77.88 11.22.33.44
inet6 alias 2001:db8::2 128
dest 2001:db8::1
!route -n add -inet6 default 2001:db8::1
EOF
sh /etc/netstart gif0
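A stray colon in an address, or tunnel endpoints that are not mirrored on the other side, leaves gif0 without working connectivity. The sh script below is an added example, not part of the original post: it lints a pair of hostname.gif0 files before netstart is run. The function names and the temporary sample files are assumptions, constructed from the example addresses above.

```sh
#!/bin/sh
# Added example (not from the original post): lint both hostname.gif0 files.

# field FILE KEYWORD N: Nth word of the first line whose first word is KEYWORD
field() { awk -v k="$2" -v n="$3" '$1 == k { print $n; exit }' "$1"; }

# v6_ok ADDR: reject empty strings, ":::", a second "::" and non-hex characters
v6_ok() {
    case "$1" in
        ''|*:::*|*::*::*|*[!0-9a-fA-F:]*) return 1 ;;
        *:*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_gif_pair SERVER_FILE HOST_FILE: 0 only if both ends mirror each other
check_gif_pair() {
    rc=0
    s_src=$(field "$1" tunnel 2); s_dst=$(field "$1" tunnel 3)
    h_src=$(field "$2" tunnel 2); h_dst=$(field "$2" tunnel 3)
    # assumes the "inet6 alias ADDR PREFIXLEN" form used on this page
    s_in6=$(field "$1" inet6 3); s_peer=$(field "$1" dest 2)
    h_in6=$(field "$2" inet6 3); h_peer=$(field "$2" dest 2)
    for a in "$s_in6" "$s_peer" "$h_in6" "$h_peer"; do
        v6_ok "$a" || { echo "bad IPv6 literal: '$a'" >&2; rc=1; }
    done
    if [ -z "$s_src" ] || [ "$s_src" != "$h_dst" ] || [ "$s_dst" != "$h_src" ]; then
        echo "tunnel endpoints are not mirrored" >&2; rc=1
    fi
    if [ "$s_in6" != "$h_peer" ] || [ "$h_in6" != "$s_peer" ]; then
        echo "inet6/dest addresses are not mirrored" >&2; rc=1
    fi
    return "$rc"
}

# make_samples DIR: constructed sample files using the page's example addresses
make_samples() {
    printf '%s\n' 'tunnel 11.22.33.44 55.66.77.88' \
        'inet6 alias 2001:db8::1 128' 'dest 2001:db8::2' > "$1/server"
    printf '%s\n' 'tunnel 55.66.77.88 11.22.33.44' \
        'inet6 alias 2001:db8::2 128' 'dest 2001:db8::1' > "$1/host"
    sed 's/^dest .*/dest 2001:db8:::1/' "$1/host" > "$1/host.typo"
    sed 's/^tunnel .*/tunnel 11.22.33.44 55.66.77.88/' "$1/host" > "$1/host.swapped"
}

d=$(mktemp -d) && make_samples "$d"
check_gif_pair "$d/server" "$d/host" && echo "matching pair: ok"
check_gif_pair "$d/server" "$d/host.typo" || echo "typo pair: rejected"
check_gif_pair "$d/server" "$d/host.swapped" || echo "swapped pair: rejected"
rm -rf "$d"
```

To check real files, copy /etc/hostname.gif0 from both machines to one place and pass the two paths to check_gif_pair, server file first.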
Enable IPv4 and IPv6 Forwarding
you know, the sysctl stuff and so ..
stoege@nerd ...nolink.ch$ cat /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
net.inet.tcp.ecn=1
Tweak pf.conf
Server
/etc/pf.conf
### DEFAULT SETTINGS ###
set block-policy drop
set limit states 500000
set optimization normal
set skip on { lo0 enc0 gif0 }   # <-- add your gif interface here
set syncookies adaptive (start 25%, end 12%)
--- snip ---
# Tunnel -> NAT66 outgoing (as we don't have public ip space there)
match out log on egress inet6 from 2001:db8:99::1 nat-to (egress)
### RULES ###
# Block all
block log
...
--- snip ---
# Allow IP Tunnel from IPv4 Host (55.66.77.88 is the remote tunnel endpoint)
pass in log quick inet from 55.66.77.88 to (self)
pass log quick inet6 from 2001:db8::2 to any
Finally, let’s try again ..
Host with IPv4 only
stoege@ipv4 host ~# i3
IPv4: 55.66.77.88
IPv6: 2001:db8:100::100
and you will get the same IPv6 address as on the other host, because that host does NAT66 …
have fun !