My two home servers are down for the moment. This also means that our two IPv6 SixXS tunnels are down which costs us 100 ISK\u00a0per week. Argh! I need to get these up and running as soon as possible. Fortunately we have another VPS on Linux that can save us. So we just have to enable the two tunnels there and make sure that we can ping to\/from both interfaces.<\/p>\n
Setting up the two tunnels is easy. Use one configuration file per tunnel. Ensure that you change the parameters “tunnel_id” to the tunnel associated to this configuration file, one “pidfile” and “ipv6_interface” for each tunnel and “defaultroute” to false because we already have a default IPv6 route. Now you can start\/stop each tunnel with:<\/p>\n
aiccu start \/etc\/aiccu\/tunnel0.conf\r\naiccu start \/etc\/aiccu\/tunnel1.conf\r\n\r\naiccu stop \/etc\/aiccu\/tunnel0.conf\r\naiccu stop \/etc\/aiccu\/tunnel1.conf\r\n<\/pre>\nDon’t forget to hack \/etc\/init.d\/aiccu<\/em> to start\/stop both tunnel on each reboot. OK! So now ifconfig list the two interfaces, up and running sixxs0 and sixxs1. This is great but wait… Nobody outside can ping these interfaces. The tunnel must ping to be considered active by SixXS so we better get this running.<\/p>\n
For now we have these three interfaces and IPs (not the actual names\/IPs):<\/p>\n
\n
- net0<\/strong>\u00a0(2001::1) default<\/li>\n
- sixxs0<\/strong> (2a02::1)<\/li>\n
- sixxs1<\/strong> (2a02::2)<\/li>\n<\/ol>\n
By default, all our IPv6 traffic goes through\u00a0net0. However and unsurprisingly our ISP filters the traffic\u00a0at the output of net0. So we cannot use this interface to answer the echo-requests. Actually, what we want is that traffic originating 2a02::1 goes through sixxs0 and from 2a02::2 goes through sixxs1. That is, one default route based on the source address.<\/p>\n
Linux\u00a0has long had support for multiple routing tables (CONFIG_IP_MULTIPLE_TABLES). Basically what we will do here:<\/p>\n
\n
- Create two routing tables for each tunnel interface\u00a0(sixxs0, sixxs1).<\/li>\n
- Each table will have a default route through its interface.<\/li>\n
- Lookup into one of the two tables according to the source IP.<\/li>\n<\/ul>\n
You can find some relevant documentation in Linux Advanced Routing & Traffic Control, Chapter 4<\/a>.<\/p>\n
We first list the actual rules:<\/p>\n
# ip rule list\r\n0: from all lookup local\r\n32766: from all lookup main\r\n32767: from all lookup default\r\n<\/pre>\nWe can see that we have three routing tables. One for the local addresses, the normal routing table (what you get with
ip -6 route<\/code>) and\u00a0the fallback default table.
\nLet’s first check the local routing table (we are just curious):<\/p>\n# ip -6 route list table local\r\nlocal ::1 via :: dev lo proto none metric 0 mtu 16436 advmss 16376 hoplimit 0\r\nlocal 2a02::1 via :: dev lo proto none metric 0 mtu 16436 advmss 16376 hoplimit 0\r\nlocal 2001::1 via :: dev lo proto none metric 0 mtu 16436 rtt 6ms rttvar 7ms cwnd 10 advmss 16376 hoplimit 0\r\nlocal 2a02::2 via :: dev lo proto none metric 0 mtu 16436 advmss 16376 hoplimit 0\r\nlocal fe80::1 via :: dev lo proto none metric 0 mtu 16436 advmss 16376 hoplimit 0\r\nlocal fe80::2 via :: dev lo proto none metric 0 mtu 16436 advmss 16376 hoplimit 0\r\nff00::\/8 dev net0 metric 256 mtu 1500 advmss 1440 hoplimit 0\r\nff00::\/8 dev sixxs1 metric 256 mtu 1280 advmss 1220 hoplimit 0\r\nff00::\/8 dev sixxs0 metric 256 mtu 1280 advmss 1220 hoplimit 0\r\n<\/pre>\nSo now you know what’s going on when you ping one of your local interfaces. But back to our point. We name our two new routing tables in\u00a0\/etc\/iproute2\/rt_tables<\/em>:<\/p>\n
# SixXS tables\r\n200 sixxs0\r\n201 sixxs1\r\n<\/pre>\nNow we add the default route in each of these two tables:<\/p>\n
ip -6 route add default dev sixxs0 table sixxs0\r\nip -6 route add default dev sixxs1 table sixxs1\r\n<\/pre>\nAnd finally we use two rules to map the source address to the correct routing table:<\/p>\n
# ip -6 rule add from 2a02::1 table sixxs0\r\n# ip -6 rule add from 2a02::2 table sixxs1\r\n# ip -6 rule list\r\n0: from all lookup local\r\n16383: from 2a02::1 lookup sixxs0\r\n16383: from 2a02::2 lookup sixxs1\r\n32766: from all lookup main\r\n32767: from all lookup default\r\n<\/pre>\nIt should be OK but let’s check that. We can ping from the sixxs interfaces:<\/p>\n
ping6 -c1 -I 2a02::1 www.kame.net\r\nping6 -c1 -I 2a02::2 www.kame.net\r\n<\/pre>\nWe also check that we can ping our interfaces from another host:<\/p>\n
ping6 -c1 2a02::1\r\nping6 -c1 2a02::2\r\n<\/pre>\nEverything works, that’s great! Finally we just hack\u00a0\/etc\/init.d\/aiccu<\/em> to configure the routing tables on each reboot. Note that you need to sleep a bit when you issue the aiccu start because the daemon needs a bit of time to enable the tunnels. Also note that you must be careful when you test your script (quoting the SixXS FAQ):<\/p>\n
“If a client connects more than 4 times in 60 seconds (1 minute) the client will not be allowed to connect again for the next 5 minutes. In case this threshold is exceeded more than once in 24 hours a client will be automatically blocked for a week.”<\/p><\/blockquote>\n
As you can guess, I have been blocked. Oops!<\/p>\n","protected":false},"excerpt":{"rendered":"
My two home servers are down for the moment. This also means that our two IPv6 SixXS tunnels are down which costs us 100 ISK\u00a0per week. Argh! I need to get these up and running as soon as possible. Fortunately … Continue reading