summaryrefslogtreecommitdiff
path: root/docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst
diff options
context:
space:
mode:
Diffstat (limited to 'docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst')
-rw-r--r--docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst209
1 files changed, 209 insertions, 0 deletions
diff --git a/docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst b/docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst
new file mode 100644
index 00000000..2fd70c17
--- /dev/null
+++ b/docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst
@@ -0,0 +1,209 @@
+.. _examples-tunnelbroker-ipv6:
+
+#######################
+Tunnelbroker.net (IPv6)
+#######################
+
+| Testdate: 2022-03-24
+| Version: 1.3.1
+| Upgrade Version: 1.4-rolling-202203220701
+
+This guide walks through the setup of https://www.tunnelbroker.net/ for an
+IPv6 Tunnel.
+
+Prerequisites
+=============
+
+- A public, routable IPv4 address. This does not necessarily need to be static,
+ but you will need to update the tunnel endpoint when/if your IP address
+ changes, which can be done with a script and a scheduled task.
+- Account at https://www.tunnelbroker.net/
+- Requested a "Regular Tunnel". You want to choose a location that is closest
+ to your physical location for the best response time.
+
+
+********
+Topology
+********
+
+The example topology has 2 VyOS routers. One as The WAN Router and on as a
+Client, to test a single LAN setup
+
+.. image:: _include/topology.png
+ :alt: Tunnelbroker topology image
+
+
+*************
+Configuration
+*************
+
+First, we configure the ``vyos-wan`` interface to get a DHCP address.
+
+.. literalinclude:: _include/vyos-wan.conf
+ :language: none
+
+
+Now we are able to setup the tunnel interface.
+
+.. literalinclude:: _include/vyos-wan_tun0.conf
+ :language: none
+ :lines: 1-5
+
+Setup the ipv6 default route to the tunnel interface
+
+.. literalinclude:: _include/vyos-wan_tun0.conf
+ :language: none
+ :lines: 7
+
+Now you should be able to ping a public IPv6 Address
+
+
+.. code-block:: none
+
+ vyos@vyos-wan:~$ ping 2001:470:20::2 count 4
+ PING 2001:470:20::2(2001:470:20::2) 56 data bytes
+ 64 bytes from 2001:470:20::2: icmp_seq=1 ttl=64 time=30.7 ms
+ 64 bytes from 2001:470:20::2: icmp_seq=2 ttl=64 time=29.8 ms
+ 64 bytes from 2001:470:20::2: icmp_seq=3 ttl=64 time=30.1 ms
+ 64 bytes from 2001:470:20::2: icmp_seq=4 ttl=64 time=30.2 ms
+
+ --- 2001:470:20::2 ping statistics ---
+ 4 packets transmitted, 4 received, 0% packet loss, time 9ms
+ rtt min/avg/max/mdev = 29.765/30.171/30.673/0.389 ms
+
+
+Assuming the pings are successful, you need to add some DNS servers.
+Some options:
+
+.. literalinclude:: _include/vyos-wan_tun0.conf
+ :language: none
+ :lines: 13
+
+You should now be able to ping something by IPv6 DNS name:
+
+
+.. code-block:: none
+
+ vyos@vyos-wan:~$ ping tunnelbroker.net count 4
+ PING tunnelbroker.net(tunnelbroker.net (2001:470:0:63::2)) 56 data bytes
+ 64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=1 ttl=54 time=179 ms
+ 64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=2 ttl=54 time=227 ms
+ 64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=3 ttl=54 time=179 ms
+ 64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=4 ttl=54 time=179 ms
+
+ --- tunnelbroker.net ping statistics ---
+ 4 packets transmitted, 4 received, 0% packet loss, time 8ms
+ rtt min/avg/max/mdev = 178.994/191.062/226.756/20.612 ms
+
+
+*****************
+LAN Configuration
+*****************
+
+At this point, your VyOS install should have full IPv6, but now your LAN devices
+need access.
+
+With Tunnelbroker.net, you have two options:
+
+- Routed /64. This is the default assignment. In IPv6-land, it's good for a
+ single "LAN", and is somewhat equivalent to a /24.
+
+- Routed /48. This is something you can request by clicking the "Assign /48"
+ link in the Tunnelbroker.net tunnel config. It allows you to have up to 65k
+
+Unlike IPv4, IPv6 is really not designed to be broken up smaller than /64. So
+if you ever want to have multiple LANs, VLANs, DMZ, etc, you'll want to ignore
+the assigned /64, and request the /48 and use that.
+
+
+Single LAN Setup
+================
+
+Single LAN setup where eth2 is your LAN interface. Use the Tunnelbroker
+Routed /64 prefix:
+
+.. literalinclude:: _include/vyos-wan_tun0.conf
+ :language: none
+ :lines: 9-11
+
+Please note, 'autonomous-flag' and 'on-link-flag' are enabled by default,
+'valid-lifetime' and 'preferred-lifetime' are set to default values of
+30 days and 4 hours respectively.
+
+And the ``client`` to receive an IPv6 address with stateless autoconfig.
+
+.. literalinclude:: _include/client.conf
+ :language: none
+
+This accomplishes a few things:
+
+- Sets your LAN interface's IP address
+- Enables router advertisements. This is an IPv6 alternative for DHCP (though
+ DHCPv6 can still be used). With RAs, Your devices will automatically find the
+ information they need for routing and DNS.
+
+Now the Client is able to ping a public IPv6 address
+
+
+.. code-block:: none
+
+ vyos@client:~$ ping 2001:470:20::2 count 4
+ PING 2001:470:20::2(2001:470:20::2) 56 data bytes
+ 64 bytes from 2001:470:20::2: icmp_seq=1 ttl=63 time=30.6 ms
+ 64 bytes from 2001:470:20::2: icmp_seq=2 ttl=63 time=30.4 ms
+ 64 bytes from 2001:470:20::2: icmp_seq=3 ttl=63 time=30.5 ms
+ 64 bytes from 2001:470:20::2: icmp_seq=4 ttl=63 time=30.6 ms
+
+ --- 2001:470:20::2 ping statistics ---
+ 4 packets transmitted, 4 received, 0% packet loss, time 9ms
+ rtt min/avg/max/mdev = 30.387/30.537/30.643/0.238 ms
+
+
+Multiple LAN/DMZ Setup
+======================
+
+That's how you can expand the example above.
+Use the `Routed /48` information. This allows you to assign a
+different /64 to every interface, LAN, or even device. Or you could break your
+network into smaller chunks like /56 or /60.
+
+The format of these addresses:
+
+- `2001:470:xxxx::/48`: The whole subnet. xxxx should come from Tunnelbroker.
+- `2001:470:xxxx:1::/64`: A subnet suitable for a LAN
+- `2001:470:xxxx:2::/64`: Another subnet
+- `2001:470:xxxx:ffff:/64`: The last usable /64 subnet.
+
+In the above examples, 1,2,ffff are all chosen by you. You can use 1-ffff
+(1-65535).
+
+So, when your LAN is eth1, your DMZ is eth2, your cameras are on eth3, etc:
+
+.. code-block:: none
+
+ set interfaces ethernet eth1 address '2001:470:xxxx:1::1/64'
+ set service router-advert interface eth1 name-server '2001:470:20::2'
+ set service router-advert interface eth1 prefix 2001:470:xxxx:1::/64
+
+ set interfaces ethernet eth2 address '2001:470:xxxx:2::1/64'
+ set service router-advert interface eth2 name-server '2001:470:20::2'
+ set service router-advert interface eth2 prefix 2001:470:xxxx:2::/64
+
+ set interfaces ethernet eth3 address '2001:470:xxxx:3::1/64'
+ set service router-advert interface eth3 name-server '2001:470:20::2'
+ set service router-advert interface eth3 prefix 2001:470:xxxx:3::/64
+
+Please note, 'autonomous-flag' and 'on-link-flag' are enabled by default,
+'valid-lifetime' and 'preferred-lifetime' are set to default values of
+30 days and 4 hours respectively.
+
+Firewall
+========
+
+Finally, don't forget the :ref:`firewall`. The usage is identical, except for
+instead of `set firewall name NAME`, you would use `set firewall ipv6-name
+NAME`.
+
+Similarly, to attach the firewall, you would use `set interfaces ethernet eth0
+firewall in ipv6-name` or `set zone-policy zone LOCAL from WAN firewall
+ipv6-name`. \ No newline at end of file