Linux, IPv6 and AT&T

If you have a Linux router and AT&T Gigabit fiber, you may want to have all your VLANs addressed with IPv6. This assumes you have set up the AT&T modem to do IP passthrough, so you have an actual IPv4 address on your router.

WAN Setup

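First and foremost, your router needs to speak IPv6 to the world. You need to accept AT&T's router advertisements, so you can set up your IPv6 address using SLAAC. The value 2 matters here: once forwarding is enabled (next step), the kernel ignores router advertisements on an interface whose accept_ra is 1.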

echo 2 > /proc/sys/net/ipv6/conf/att0/accept_ra

As you want to be a router, you need to enable forwarding for both v4 and v6:

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

I named the WAN interface att0 and the LAN interface home0.

You should see something like this:

$ ip addr show att0
2: att0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 99.1.2.3/22 brd 99.1.3.255 scope global dynamic att0
       valid_lft 2755sec preferred_lft 2755sec
    inet6 2600:1:2:3::45/128 scope global
       valid_lft forever preferred_lft forever
    inet6 2600:4:5:6:7:8:9:10/64 scope global dynamic mngtmpaddr
       valid_lft 3350sec preferred_lft 3350sec
    inet6 fe80::1:2:3:4/64 scope link
       valid_lft forever preferred_lft forever

With everything working, a ping6 to Google should work:

$ ping6 -n -c 1 google.com
PING google.com(2607:f8b0:4005:802::200e) 56 data bytes
64 bytes from 2607:f8b0:4005:802::200e: icmp_seq=1 ttl=117 time=6.04 ms

--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 6.041/6.041/6.041/0.000 ms

LAN Setup

To get prefixes for your internal VLANs, you request a prefix delegation (PD) via DHCPv6. Some ISPs, like Comcast, allow you to request a /60 block, so you can chop it up yourself. AT&T doesn’t allow that, but they do allow requesting multiple /64s, which has the same effect in the end.

On Debian/Ubuntu, install the package wide-dhcpv6-client.

Your /etc/wide-dhcpv6/dhcp6c.conf will look like this:

interface att0 {
  send ia-pd 0;
  send ia-pd 1;
  send ia-pd 2;
  send ia-pd 3;
  send ia-na 0;
  send rapid-commit;
};

id-assoc pd 0 {
  prefix ::/64 infinity;

  prefix-interface home0.2 {
    sla-len 0;
    sla-id 0;
  };
};

id-assoc pd 1 {
  prefix ::/64 infinity;

  prefix-interface home0.3 {
    sla-len 0;
    sla-id 0;
  };
};

id-assoc pd 2 {
  prefix ::/64 infinity;

  prefix-interface home0.4 {
    sla-len 0;
    sla-id 0;
  };
};

id-assoc pd 3 {
  prefix ::/64 infinity;

  prefix-interface home0 {
    sla-len 0;
    sla-id 0;
  };
};

id-assoc na {
};

As you can see, I use send ia-pd multiple times with a different ID. Then later I associate each PD to a different interface. The order doesn’t matter.

If everything worked, ip -6 addr should show all interfaces addressed correctly.

Addressing your clients

So far, your internal clients have no idea your network can speak IPv6. You need to advertise your prefixes to them. That’s a job for the package radvd.

Your /etc/radvd.conf will look like this:

interface home0.2
{
   AdvSendAdvert on;
   prefix ::/64
   {
      AdvValidLifetime 900;
      AdvPreferredLifetime 900;
   };
   RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 {};
};

interface home0.3
{
   AdvSendAdvert on;
   prefix ::/64
   {
      AdvValidLifetime 900;
      AdvPreferredLifetime 900;
   };
   RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 {};
};

interface home0.4
{
   AdvSendAdvert on;
   prefix ::/64
   {
      AdvValidLifetime 900;
      AdvPreferredLifetime 900;
   };
   RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 {};
};

interface home0
{
   AdvSendAdvert on;
   prefix ::/64
   {
      AdvValidLifetime 900;
      AdvPreferredLifetime 900;
   };
   RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 {};
};

You pretty much repeat the same thing over and over for each interface. RDNSS in my example announces Google’s DNS servers, which are the IPv6 versions of 8.8.8.8 and 8.8.4.4.

Firewall

Do not filter ICMPv6 on your input and forward chains, unless you know what you are doing. ICMP is a crucial part of IPv6.

For DHCPv6 to work, you need to accept UDP datagrams on ports 546 and 547.

Security

Once you address all your internal clients, they will all have a valid IPv6 address and are able to receive traffic directly from the Internet. You probably don’t want that, so you need to set up a firewall to prevent undesired incoming traffic.

This is a simple example with nftables, only showing the forward chain:

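table inet filter {
  chain forward {
    type filter hook forward priority 0; policy drop;

    # Replies to connections that were opened from the inside
    ct state related,established accept
    # New outbound connections from these VLANs to the WAN
    iifname {home0.2, home0.3} oifname att0 accept

    # Inbound ICMPv6 from the WAN: 1 destination-unreachable, 2 packet-too-big,
    # 3 time-exceeded, 4 parameter-problem, 128 echo-request, 129 echo-reply
    ip6 nexthdr ipv6-icmp iifname att0 icmpv6 type {1,2,3,4,128,129} accept
  }
}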
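
The post shows only the forward chain. As an added example (not the author's rule set), here is a matching input chain for the router itself that applies the two points from the Firewall section: keep the ICMPv6 the router depends on, and let DHCPv6 replies reach the client. Interface names come from the post; the rule choices are assumptions.

```nftables
# Added example: input chain protecting the router itself.
# att0 = WAN, everything else = LAN/VLANs (names from the post).
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    iifname lo accept
    ct state related,established accept
    ct state invalid drop

    # ICMPv6 errors; packet-too-big is what makes path MTU discovery work,
    # since IPv6 routers never fragment in transit.
    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
    icmpv6 type { echo-request, echo-reply } accept

    # Neighbor discovery replaces ARP; without it nothing on the link resolves.
    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept

    # Router advertisements are only expected from AT&T on the WAN side,
    # router solicitations only from clients on the LAN side.
    iifname att0 icmpv6 type nd-router-advert accept
    iifname != att0 icmpv6 type nd-router-solicit accept

    # DHCPv6 replies arrive from the ISP's link-local address to client port 546.
    # Conntrack does not match them to the multicast solicit, so an explicit
    # rule is required. Port 547 is only needed inbound if this router also
    # runs a DHCPv6 server or relay for the LAN.
    iifname att0 ip6 saddr fe80::/10 udp dport 546 accept
  }
}
```

The rule set can be syntax-checked without being applied using nft -c -f on the file before loading it.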

That’s all!

The complex mission to watch an eclipse

I’ve always been super fascinated with eclipses, especially solar ones. I had never had a chance to experience a total solar eclipse, which always made me sad. There was a big one nearby on June 30, 1992. I was 11 years old. Just a couple days before, I had a serious kidney failure and I got admitted to a hospital for two weeks. I was just 230 km from the totality zone and I missed it. I remember very well asking the nurses to watch the partial eclipse from a hospital window, but the day was overcast. 🙁 There was another one on November 3, 1994. I was 375 km from the totality zone, but I couldn’t go either. The day was perfect though and I watched the moon partially covering the sun from my school. I never forgot that moment. I had to wait 23 more years to see a big one.


Celebrating a 20-year career

About 20 years ago, in late 1995 or early 1996, I was starting what turned out to be a very successful career. Unlike everything we read in books about how to build a career, I took a rather alternative path to get where I am today. The rest of this text is long, but it is the story of my professional life, and I could not let this important milestone pass without writing about it.


The American Dream – The Price of Things

One of the biggest grievances of all Brazilians is the price paid for things in Brazil compared with the rest of the world. This discrepancy has become much more visible in recent years with easy access to information via the Internet and also because of the social ascent Brazil has been experiencing.

Comparing the prices of things between two countries using merely the exchange rate only serves the purposes of tourism and international trade, for example Brazilians buying things in the United States and vice versa. To actually compare two countries, the most correct thing to do is to compare the purchasing power of each nation. Expensive and cheap are extremely relative. In practice, what matters to the vast majority of people is how much one needs to work to attain something.


The American Dream – part 3

Also read the previous posts: part 1 and part 2.

I am going to talk about food in this post, because food is important when we travel, and for some people it may even be the main reason to take a trip, or even to avoid one.

Food in the US is an interesting business, because there is not exactly a typical dish of the country, nor even a typical dish here in California. It is hard to explain why, but I believe one of the factors is immigration. With people coming from so many different places in the world, it is not simple to form a consensus.
