Now that I have a dual stack working with IPV6 I decided to test wireless and IPV6.
That posed a problem since the wireless router I use does not support IPV6 and it cannot be upgraded but that would not have helped me since I receive a /64 and you cannot create several networks out of it, let’s say /65, since stateless configuration will break and you need separate networks to route properly.
So what can you do? Well there is a solution.
- Use ULA. They are not routable on the Internet so you will be ok.
- Use masquerading and IP6TABLES to get to the the Internet.
In order to do this though you need:
- A kernel newer than 3.7.
- A version of IPTABLES that supports IPV6 and the latest additions for IPV6 NAT.
- A Linux box that you can put on that will have IPV6 on the wired and a USB stick for the Wi-Fi interface.
So let’s go to it!
Prep Work
Install the latest kernel using the method your distro supports. I am using 3.8.0-25 on Ubuntu 13.04 in my case. I had to upgrade to 13.04 since 12.10 was a bit behind.
You need at least IPTables 4.18 for NAT to work. Ubuntu 13.04 does not so you will need to download the latest tarball, compile and install.
Configure Interfaces
I am assuming that you have a working IPV6 setup. Further let’s assume that the LAN interface is eth0 and the Wi-Fi interface is wlan0.
- Your wlan0 interface should be recognized and setup for IPV6 but do not set it for auto-configure.
- Create an ad-hoc network using wlan0, it is similar as creating one for IPV4.
- We will use ULA, as a reminder ULA are addresses that are assigned out of the following fc00::/7 prefix.
- The prefix above is divided into two prefixes:
- fc00::/8
- fd00::/8
- We will use the latter for our interface.
- So configure the address for wlan0 as fd00:x:x:x::1/64, I will recommend that use the prefix you have and replace the first hexit with fd00.
- Enable forwarding by issuing the following:
sudo sysctl -w net.ipv6.conf.all.forwarding=1.
Configure Radvd
Now you need to configure radvd so the client can obtain what it needs to route properly.
- Install radvd if not installed already.
- Edit /etc/radvd.conf and use:
interface wlan0 {
AdvSendAdvert on;
AdvLinkMTU 1280;
RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 {};
prefix fd00:x:x:x::/64
{
AdvOnLink on;
AdvAutonomous on;
};
};
- Start the service, your Wi-Fi client should join your ad-hoc network and if you look at your interfaces it should have obtained an IP from radvd.
- Test that your connectivity is ok with the client. You should be able to ping the wlan0 IPV6 and the eth0 IPV6 addresses on the router you set above since ULA are routable locally.
Configure IP6tables
Now configure IP6tables by using the following:
# Generated by ip6tables-save v1.4.18 on Tue Jun 25 18:37:28 2013 *filter :INPUT ACCEPT [698:82364] :FORWARD ACCEPT [2559:2158868] :OUTPUT ACCEPT [766:86950] COMMIT # Completed on Tue Jun 25 18:37:28 2013 # Generated by ip6tables-save v1.4.18 on Tue Jun 25 18:37:28 2013 *nat :PREROUTING ACCEPT [122:11801] :INPUT ACCEPT [13:1643] :OUTPUT ACCEPT [43:3820] :POSTROUTING ACCEPT [44:3924] -A POSTROUTING -s fd00:x:x:x::/64 -o eth0 -j MASQUERADE COMMIT # Completed on Tue Jun 25 18:37:28 2013
At this point you should be done.
Test that you are properly masquerading by SSH to a device on your LAN using IPV6. You will notice that the connection appears to be coming from eth0 on the Linux box acting as the router.
Next try ipv6.google.com you should be there. The rule set above is very basic, one saving grace is that we are using non-routable addresses so sniffing of your Wi-Fi clients will be difficult but not impossible. Still some consideration should be given to a more specific rule set for the purpose of testing it as a proof of concept it is good enough.
Of course handling addresses via DHCPV6 would be better, besides authentication to join your wireless network that you should use, you can enforce MAC address filtering so only those devices you want can join your Wi-Fi network. But that will be the topic of another post.
Enjoy.