IPv6 Day - Setup IPv6 at Hetzner.de
Today is World IPv6 Day. Many big players on the Internet like Google, Facebook and Akamai will enable IPv6 support for their services as a “test flight” for 24 hours.
This will give them a good way to see if there's still anything buggy in their setups but is also meant as an encouragement for everybody to finally make the switch to IPv6.
Thanks to my router's capabilities and the free IPv6 tunnel service from Sixxs I have had IPv6 at home for a while now.
Now the servers running DokuWiki.org and splitbrain.org are native IPv6 enabled, too.
Both servers are hosted at Hetzner. Since this is a popular provider in Germany I thought it might be a good idea to give a short introduction on what I had to do to make my servers IPv6 enabled.
Firewall
You will need an IPv6 capable firewall script. Unfortunately these still seem to be rare. On splitbrain.org I'm using Arno's Firewall Script. Unfortunately a recent version with proper IPv4 and IPv6 support is only available in testing. But you can simply install the package from testing:

    #> wget http://ftp.de.debian.org/debian/pool/main/a/arno-iptables-firewall/arno-iptables-firewall_2.0.0.a-2_all.deb
    #> dpkg -i arno-iptables-firewall_2.0.0.a-2_all.deb

All you need to do for IPv6 support is set the following option in /etc/arno-iptables-firewall/firewall.conf:
IPV6_SUPPORT=1
On the DokuWiki.org server we're running shorewall. For IPv6 support you'll need to install the shorewall6 package on Debian and set up a completely new firewall right beside your IPv4 one. Luckily you can simply copy (or even symlink) most config files as they work exactly the same as for IPv4.
Interface IP
Next, configure the IP address. Hetzner has native IPv6 support so there's no need to fiddle with any tunnel configs. They provide you with your own IPv6 /64 subnet, just order it in the robot. A minute later you'll get a mail with the details.
Here's what I got for the splitbrain.org server:
    IPs: 2a01:4f8:140:5484:: /64
    Gateway: 2a01:4f8:140:5480::1 /59
    Usable IP-Adresses: 2a01:4f8:140:5484::2 bis 2a01:4f8:140:5484:ffff:ffff:ffff:ffff
Since there's no router advertisement, IPs have to be set statically.
As you can see, the gateway is not part of the subnet you got assigned. Hetzner's wiki recommends setting a route to the gateway. That worked well on the command line but didn't work when put in the /etc/network/interfaces config of my Debian system 1). This was probably caused by a bug in Arno's Firewall.
My workaround was to simply set up my interface with the full /59 network. This way, the route to the gateway is implicitly clear. Of course I have to remember not to use any addresses outside my real /64 address range, but I don't plan to use more than one address anyway.
This is what my setup looks like now:
/etc/network/interfaces:

    # Loopback device:
    auto lo
    iface lo inet loopback

    # device: eth0
    auto eth0

    # IPv4 Configuration
    iface eth0 inet static
      address 46.4.78.73
      broadcast 46.4.78.95
      netmask 255.255.255.224
      gateway 46.4.78.65
      post-up mii-tool -F 100baseTx-FD eth0
      # default route to access subnet
      up route add -net 46.4.78.64 netmask 255.255.255.224 gw 46.4.78.65 eth0

    # IPv6 Configuration
    iface eth0 inet6 static
      address 2a01:4f8:140:5484::b00b
      netmask 59
      gateway 2a01:4f8:140:5480::1
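The /59 workaround means the host treats the whole /59 as on-link, so nothing but the admin's memory keeps the configured address inside the assigned /64. The following check is an added example, not part of the original post: it parses an inet6 static stanza and compares it with the assigned subnet. The function names and the embedded sample text are assumptions made for the illustration; the addresses are the ones quoted above.

```python
import ipaddress

# From the provider mail quoted in the post.
ASSIGNED = ipaddress.ip_network("2a01:4f8:140:5484::/64")

# The inet6 stanza from the post's /etc/network/interfaces, embedded as sample input.
SAMPLE = """\
iface eth0 inet6 static
  address 2a01:4f8:140:5484::b00b
  netmask 59
  gateway 2a01:4f8:140:5480::1
"""

STANZA_START = ("iface", "auto", "allow-hotplug", "mapping", "source")

def parse_inet6_static(text):
    """Return one dict of options per 'iface <name> inet6 static' stanza."""
    stanzas, cur = [], None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] in STANZA_START:
            cur = None
            if words[0] == "iface" and words[2:4] == ["inet6", "static"]:
                cur = {"iface": words[1]}
                stanzas.append(cur)
        elif cur is not None and len(words) >= 2:
            cur[words[0]] = words[1]
    return stanzas

def audit(stanza, assigned):
    """Compare one stanza with the subnet the provider actually assigned."""
    addr = ipaddress.ip_address(stanza["address"])
    onlink = ipaddress.ip_network(f"{addr}/{stanza['netmask']}", strict=False)
    gateway = ipaddress.ip_address(stanza["gateway"])
    findings = []
    if addr not in assigned:
        findings.append(f"address {addr} is outside assigned {assigned}")
    if gateway not in onlink:
        findings.append(f"gateway {gateway} is off-link for {onlink}: explicit route needed")
    if onlink.prefixlen < assigned.prefixlen:
        findings.append(f"on-link prefix {onlink} is wider than assigned {assigned}")
    return findings

if __name__ == "__main__":
    for stanza in parse_inet6_static(SAMPLE):
        for line in audit(stanza, ASSIGNED) or ["ok"]:
            print(stanza["iface"], line)
```

For the configuration above it reports only the wider on-link prefix; with netmask 64 it would instead report the gateway as off-link, which is the case the explicit route was meant to cover.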
Testing
After a reboot, you should check if your interface has the correct IP:
    # ifconfig eth0
    eth0      Link encap:Ethernet  HWaddr 00:21:85:63:78:18
              inet addr:46.4.78.73  Bcast:46.4.78.95  Mask:255.255.255.224
              inet6 addr: 2a01:4f8:140:5484::b00b/59 Scope:Global
              inet6 addr: fe80::221:85ff:fe63:7818/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:47441 errors:0 dropped:0 overruns:0 frame:0
              TX packets:71811 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:7504499 (7.1 MiB)  TX bytes:89090259 (84.9 MiB)
              Interrupt:25 Base address:0x2000
Looks good. Let's check for the default gateway:
    # ip -f inet6 route
    2a01:4f8:140:5480::/59 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
    fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
    default via 2a01:4f8:140:5480::1 dev eth0 metric 1 mtu 1500 advmss 1440 hoplimit 4294967295
Good as well. Let's ping the gateway:
    $ ping6 2a01:4f8:140:5480::1
    PING 2a01:4f8:140:5480::1(2a01:4f8:140:5480::1) 56 data bytes
    64 bytes from 2a01:4f8:140:5480::1: icmp_seq=1 ttl=64 time=4.46 ms
Now let's ping something outside, we can use the IP of heise.de:
    $ ping6 2a02:2e0:3fe:100::8
    PING 2a02:2e0:3fe:100::8(2a02:2e0:3fe:100::8) 56 data bytes
    64 bytes from 2a02:2e0:3fe:100::8: icmp_seq=1 ttl=56 time=19.4 ms
The same again with DNS name:
    $ ping6 heise.de
    PING heise.de(redirector.heise.de) 56 data bytes
    64 bytes from redirector.heise.de: icmp_seq=1 ttl=56 time=19.4 ms
Finally ping the server from the outside2):
    $ ping6 2a01:4f8:140:5484::b00b
    PING 2a01:4f8:140:5484::b00b(2a01:4f8:140:5484::b00b) 56 data bytes
    64 bytes from 2a01:4f8:140:5484::b00b: icmp_seq=1 ttl=52 time=56.9 ms
DNS
Once everything works, you need to add AAAA records in your DNS to point your domains to the IPv6 address as well.
I manage my domains through regfish, where I have a convenient web interface for adding DNS setups.
You should also add a reverse DNS entry for the IP you configured at your server. This has to be done wherever you got the domains from. In my case at Hetzner's robot:
1) ip route calls in the up stanzas seemed to be ignored