summaryrefslogtreecommitdiff
path: root/docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst
blob: 3bc7fafd2be271c75a48a7c588aa4306693a56c1 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
.. _examples-tunnelbroker-ipv6:

#######################
Tunnelbroker.net (IPv6)
#######################

| Testdate: 2022-10-10
| Version: 1.4-rolling-202210090955

This guide walks through the setup of https://www.tunnelbroker.net/ for an
IPv6 Tunnel.

Prerequisites
=============

- A public, routable IPv4 address. This does not necessarily need to be static,
  but you will need to update the tunnel endpoint when/if your IP address
  changes, which can be done with a script and a scheduled task.
- Account at https://www.tunnelbroker.net/
- Requested a "Regular Tunnel". You want to choose a location that is closest
  to your physical location for the best response time.


********
Topology
********

The example topology has 2 VyOS routers. One as The WAN Router and on as a
Client, to test a single LAN setup

.. image:: _include/topology.png
  :alt: Tunnelbroker topology image


*************
Configuration
*************

First, we configure the ``vyos-wan`` interface to get a DHCP address.

.. literalinclude:: _include/vyos-wan.conf
   :language: none


Now we are able to setup the tunnel interface.

.. literalinclude:: _include/vyos-wan_tun0.conf
   :language: none
   :lines: 1-5

Setup the ipv6 default route to the tunnel interface

.. literalinclude:: _include/vyos-wan_tun0.conf
   :language: none
   :lines: 7

Now you should be able to ping a public IPv6 Address


.. code-block:: none

   vyos@vyos-wan:~$ ping 2001:470:20::2 count 4
   PING 2001:470:20::2(2001:470:20::2) 56 data bytes
   64 bytes from 2001:470:20::2: icmp_seq=1 ttl=64 time=29.3 ms
   64 bytes from 2001:470:20::2: icmp_seq=2 ttl=64 time=29.3 ms
   64 bytes from 2001:470:20::2: icmp_seq=3 ttl=64 time=29.2 ms
   64 bytes from 2001:470:20::2: icmp_seq=4 ttl=64 time=29.1 ms
   
   --- 2001:470:20::2 ping statistics ---
   4 packets transmitted, 4 received, 0% packet loss, time 3005ms
   rtt min/avg/max/mdev = 29.149/29.241/29.347/0.081 ms


Assuming the pings are successful, you need to add some DNS servers.
Some options:

.. literalinclude:: _include/vyos-wan_tun0.conf
   :language: none
   :lines: 13

You should now be able to ping something by IPv6 DNS name:


.. code-block:: none

   vyos@vyos-wan:~$ ping tunnelbroker.net count 4
   PING tunnelbroker.net(tunnelbroker.net (2001:470:0:63::2)) 56 data bytes
   64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=1 ttl=52 time=178 ms
   64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=2 ttl=52 time=178 ms
   64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=3 ttl=52 time=257 ms
   64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=4 ttl=52 time=177 ms
   
   --- tunnelbroker.net ping statistics ---
   4 packets transmitted, 4 received, 0% packet loss, time 3005ms
   rtt min/avg/max/mdev = 177.430/197.453/256.532/34.109 ms


*****************
LAN Configuration
*****************

At this point, your VyOS install should have full IPv6, but now your LAN devices
need access.

With Tunnelbroker.net, you have two options:

- Routed /64. This is the default assignment. In IPv6-land, it's good for a
  single "LAN", and is somewhat equivalent to a /24.

- Routed /48. This is something you can request by clicking the "Assign /48"
  link in the Tunnelbroker.net tunnel config. It allows you to have up to 65k

Unlike IPv4, IPv6 is really not designed to be broken up smaller than /64. So
if you ever want to have multiple LANs, VLANs, DMZ, etc, you'll want to ignore
the assigned /64, and request the /48 and use that.


Single LAN Setup
================

Single LAN setup where eth2 is your LAN interface. Use the Tunnelbroker
Routed /64 prefix:

.. literalinclude:: _include/vyos-wan_tun0.conf
   :language: none
   :lines: 9-11

Please note, 'autonomous-flag' and 'on-link-flag' are enabled by default,
'valid-lifetime' and 'preferred-lifetime' are set to default values of
30 days and 4 hours respectively.

And the ``client`` to receive an IPv6 address with stateless autoconfig.

.. literalinclude:: _include/client.conf
   :language: none

This accomplishes a few things:

- Sets your LAN interface's IP address
- Enables router advertisements. This is an IPv6 alternative for DHCP (though
  DHCPv6 can still be used). With RAs, Your devices will automatically find the
  information they need for routing and DNS.

Now the Client is able to ping a public IPv6 address


.. code-block:: none

   vyos@client:~$ ping 2001:470:20::2 count 4
   PING 2001:470:20::2(2001:470:20::2) 56 data bytes
   64 bytes from 2001:470:20::2: icmp_seq=1 ttl=63 time=31.1 ms
   64 bytes from 2001:470:20::2: icmp_seq=2 ttl=63 time=29.7 ms
   64 bytes from 2001:470:20::2: icmp_seq=3 ttl=63 time=30.7 ms
   64 bytes from 2001:470:20::2: icmp_seq=4 ttl=63 time=29.8 ms
   
   --- 2001:470:20::2 ping statistics ---
   4 packets transmitted, 4 received, 0% packet loss, time 3004ms
   rtt min/avg/max/mdev = 29.673/30.297/31.063/0.587 ms


Multiple LAN/DMZ Setup
======================

That's how you can expand the example above.
Use the `Routed /48` information. This allows you to assign a
different /64 to every interface, LAN, or even device. Or you could break your
network into smaller chunks like /56 or /60.

The format of these addresses:

- `2001:470:xxxx::/48`: The whole subnet. xxxx should come from Tunnelbroker.
- `2001:470:xxxx:1::/64`: A subnet suitable for a LAN
- `2001:470:xxxx:2::/64`: Another subnet
- `2001:470:xxxx:ffff:/64`: The last usable /64 subnet.

In the above examples, 1,2,ffff are all chosen by you. You can use 1-ffff
(1-65535).

So, when your LAN is eth1, your DMZ is eth2, your cameras are on eth3, etc:

.. code-block:: none

  set interfaces ethernet eth1 address '2001:470:xxxx:1::1/64'
  set service router-advert interface eth1 name-server '2001:470:20::2'
  set service router-advert interface eth1 prefix 2001:470:xxxx:1::/64

  set interfaces ethernet eth2 address '2001:470:xxxx:2::1/64'
  set service router-advert interface eth2 name-server '2001:470:20::2'
  set service router-advert interface eth2 prefix 2001:470:xxxx:2::/64

  set interfaces ethernet eth3 address '2001:470:xxxx:3::1/64'
  set service router-advert interface eth3 name-server '2001:470:20::2'
  set service router-advert interface eth3 prefix 2001:470:xxxx:3::/64

Please note, 'autonomous-flag' and 'on-link-flag' are enabled by default,
'valid-lifetime' and 'preferred-lifetime' are set to default values of
30 days and 4 hours respectively.

Firewall
========

Finally, don't forget the :ref:`firewall`. The usage is identical, except for
instead of `set firewall name NAME`, you would use `set firewall ipv6-name
NAME`.

Similarly, to attach the firewall, you would use `set interfaces ethernet eth0
firewall in ipv6-name` or `set firewall zone LOCAL from WAN firewall ipv6-name`.