Xaero.org

If you’ve read my article on connecting to the IPv6 Internet, you should be familiar with the principles of IPv6 over IPv4 connectivity and have some basic IPv6 knowledge.

I’ve wanted to use IPv6 with my pfSense firewall for quite some time but it seems that the developers don’t want to be bothered supporting it. Fear not! There is a way to get IPv6 connectivity, though it won’t work through the GUI.

I won’t go into a great amount of detail on configuring your end PCs for IPv6 connectivity except to say that it’s generally turned on by default for Linux, you need to add “ipv6_enable” and reboot for FreeBSD, and that you need to add the IPV6 protocol in Windows XP (newer versions have it enabled by default). From that point on, your computer should send out solicitation messages which your pfSense firewall will respond to and you’ll get allocated an IPv6 address.

For the remainder of this article, I’m using this article (cached version here) for my template. That article is intended for native IPv6 connectivity, not tunneled connectivity. Also note that you should have configured an IPv6 over IPv4 tunnel. I suggest using a provider such as Hurricane Electric. Lastly, once you have a tunnel configured, you’ll want to allow pings from the tunnel’s endpoint to your router so it knows your side is up. I enabled this by going to Firewall/Rules and adding a ping rule that allows only the IPv4 tunnel endpoint to ping your firewall’s external IP. Use ICMP, then Any ICMP type, then specify the host IP of the remote tunnel endpoint. Don’t forget to apply it!

For your pfSense box, you’ll want to be running the latest release (1.2.3-RELEASE as of this writing). Be sure to enable SSH from the web gui since you’ll need to log into the command line. For your tunnel settings, I’ll assume the following addresses:

• WAN IPv6 IP: 2001:db8:0:1::2
• WAN IPv4 IP: 192.0.2.2
• WAN IPv4 Tunnel Destination: 192.0.2.15
• LAN IPv6 allocation: 2001:db8:0:2::/64

Log into your firewall using the credentials you configured when you first set it up. At the menu, use option 8 to drop to a shell. Next, create the following file:

#!/bin/sh
# IFOUT = outside interface
# IFIN = inside interface
# DFGW = default gateway
IFOUT="gif0"
IFIN="bge0"
DFGW="2001:db8:0:1::1"

####### Configure the stuff

# Configure the interfaces
ifconfig $IFOUT create
ifconfig $IFOUT tunnel 192.0.2.2 192.0.2.15
ifconfig $IFOUT inet6 2001:db8:0:1::2 prefixlen 64
route -n add -inet6 default 2001:db8:0:1::1
ifconfig $IFOUT up

ifconfig $IFIN inet6 alias 2001:db8:0:2::1 prefixlen 64

# Set the default route
route -n add -inet6 default $DFGW

# Configure IPv6 forwarding
sysctl net.inet6.ip6.forwarding=1

# My /etc/rtadvd.conf looks like this
#
# bce1:\
#   :addrs#1:addr="2001:db8:0:2::":prefixlen#64:tc=ether:
#
# Startup rtadvd
/usr/sbin/rtadvd -d -D -c /etc/rtadvd.conf $IFIN

Save this file as 00_config-ipv6-if.sh under /usr/local/etc/rc.d/ so it will automatically be executed upon reboot and change the permissions to 755 so it has permissions to execute. Don’t forget to change the inside interface to the name of your interface.

Next we need to configure the pf firewall to allow the tunnel to work. Create a file with the following contents:

#!/bin/sh
#
# IFOUT = outside interface
# IFIN = inside interface
# DFGW = default gateway
IFOUT="gif0"
IFIN="bge0"

####### Configure the stuff

# Configure PF
# pfSense puts it's rules in /tmp/rules.debug for debugging purposes after boot
# We will use these rules, add IPv6 additions, read the config with pfctl and
# disable and enable PF
cat /tmp/rules.debug | sed "/User-defined rules follow/{
p;s/.*/\
pass in quick on $IFIN inet6 from any to any\\
pass out quick on $IFIN inet6 from any to any\\
pass out quick on $IFOUT inet6 from any to any\\
pass quick proto ipv6-icmp from any to any\\
# pass in on $IFOUT inet6 proto tcp from any to any port 22\\
/;}" > /tmp/rules.config-ipv6.txt

# Read the new PF configuration file
pfctl -f /tmp/rules.config-ipv6.txt
pfctl -d; pfctl -e

Save this file as 10_config-ipv6-pf.sh under /usr/local/etc/rc.d/ and chmod it to 755 so it can execute on startup.

Lastly, create /etc/rtadvd.conf and add the following to it:

bge1:\
:addrs#1:addr="2001:db8:0:2::":prefixlen#64:tc=ether:

Save that file. At this point you can either reboot your pfSense box or execute the two scripts. You should have IPv6 connectivity through your tunnel. You can test it using traceroute6 and ping6. Another great test to try is to go to http://ipv6.google.com. If the logo bounces, you have IPv6 connectivity.

Enjoy!

Ever since ZFS became production ready on FreeBSD 8 (and backported to 7), I’ve been itching to switch to using it and getting rid of UFS. For one, UFS is OLD. It was first used in 4.2BSD if that gives any indication. The most salient problem with UFS is the lack of real journaling. True, you have the soft-updates feature, but soft-updates are an alternative to journaling. This may not be a problem for users with older hardware and smaller hard disks, but with today’s multi-terabyte drives, a power failure or system crash can lead to painfully long waits as fsck verifies the consistency of your file system.

To that end, I followed this handy guide to installing a FreeBSD system on a pure ZFS-only setup. Note that you’ll end up with a system with no traces of UFS whatsoever, meaning you have to use the ZFS bootloader and can’t dual boot anymore. If that’s not to your liking, have a look at the index of ZFS on root guides. If you need to dual boot, you’ll want to follow one of the MBR guides. For my needs, if I find myself needing to boot to another operating system, I simply hit F12 when my system is performing a POST test and choose a different drive to boot to. It’s simple and separates your operating systems so they don’t affect one another. Another alternative is to use virtualization if your needs aren’t too demanding.

One thing none of the ZFS on root guides show you is also one of the most important: how to update and rebuild your system! If you’re a developer you probably already know how to do this, but for the rest of us, it’s important to know how to properly update your system when needed.

To begin, you’ll want to sync your source tree. Instructions for that are located in the handbook, but it really boils down to using csup to synchronize source from a cvsup server to your local machine. If you do anything that requires building a kernel module, you’re probably familiar with this. With your source tree synchronized to your desired version of FreeBSD, you can follow the the handbook guide to rebuilding world.

Once you have installed the kernel, reboot into single user mode as the guide tells you. Issue the “mount” command. You’ll notice that no filesystems are mounted except for devfs and the root ZFS filesystem you marked as legacy. The handbook tells you to use “mount -a -t ufs” but obviously this won’t work since we have banished UFS from our FreeBSD box. To mount all the ZFS mountpoints you have, simply use “zfs mount -a”. This should mount everything except for / (root) as read-write. To enable a writable file system root, use “mount -uw /” and then “mount -a” to mount anything else. The “-uw” option unsets any mount options and then sets the write bit so you can write to that mount point. At this point you should be able to use mergmaster and installworld to finish rebuilding your system. One important task you must do before rebooting into your updated system is to install updated boot code. This is done with the following command after installing the new world: “gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 disk” where disk is the name of the drive you installed to (usually ad0). With this, you should have an updated system with ZFS as your file system!

Enjoy!

I’ve been happily using FreeBSD 7.2 on my IBM Thinkpad T40 and decided it was time to upgrade to the latest and greatest: FreeBSD 8. FreeBSD 8.0 brings many changes to the base system, but one of the more significant ones is the configuration of wireless (802.11) networking. After a bit of mucking around, I’ve figured out some interesting things that relate to wireless, especially on the Thinkpad T40.

The biggest change is that you no longer configure the physical device interface. That is, no more “ifconfig_” where interface is either ath or ipw or some variation. Instead, you create a pseudo-interface, map it to the physical interface, and from there, configure your IP settings on the pseudo interface.

Another important point is the the existing ipw2100 driver that the Thinkpad relies on is horribly broken in FreeBSD 8. This means we’ll have to configure the interface using NDIS instead. Don’t worry though, it’s not that difficult.

To begin, go to the Lenovo website and download the wireless drivers. There are several there, so be sure to grab the one for the Intel 2100 802.11b wireless interface. The filename should be 1rwc89ww.exe. Unfortunately, you’ll need a nearby Windows machine to decompress the executable. Alternatively, you could probably download the same driver from Intel’s website directly, but it’s likely to be a self-extracting executable as well. Regardless of which method you use to obtain the driver, the two files we’re interested in are named W70N501.INF and W70N51.SYS. The first file describes how to install the driver on a Windows computer and the second file is the actual driver itself.

Next, we need to convert the Windows driver to a kernel module that FreeBSD understands. To do this, go to the directory containing the two files mentioned above and type “% ndisgen W70N501.INF W70N51.SYS”. From here, the ndisgen utility will prompt you for a few questions. Just continue to keep hitting enter. Note that you’ll want to have a source tree on your system that is in sync with your kernel so ndisgen is able to build a kernel module. Consult the FreeBSD handbook in order to learn how to synchronize a source tree to your system. When finished, you should see a new file named W70N51_SYS.ko in your directory. Copy this file to the /boot/modules directory. You might even convert it to lower case to make things easier.

Now that we have a suitable driver in place, we need to load up the ndis API. To do this, type “sudo kldload if_ndis” and “sudo kldload ndis”. To load our fancy new driver, type “sudo kldload W70N51_SYS” (or the lower case equivalent if you changed case). We’re now ready to configure IP addressing.

I’ll take the simplest use case and assume you’re using WPA authentication and getting an IP address via DHCP. Add the following lines to /etc/rc.conf

#Wireless
wlans_ndis0=”wlan0″
ifconfig_wlan0=”WPA DHCP”

The first line incorporates the new wireless interface in FreeBSD 8. It creates a “wlan0″ pseudo-interface and maps it to the physical ndis interface. The second line simply tells the ifconfig command to use WPA authentication and to grab a dynamic IP. Next, add the following to your /boot/loader.conf to make these changes permanent:

#Wireless
if_ndis_load=”YES”
W70N51_SYS_load=”YES”

At this point, you can either reboot the laptop or restart networking using “/etc/rc.d/netif restart”. If you choose to restart networking, you might have to manually create the pseudo-interface using the following command: “ifconfig wlan0 create wlandev ndis0″. If you are upgrading your laptop, you may wish to remove all the ipw* entries from both configuration files as they are no longer needed.

Using this configuration, one odd bug I’ve run into is that my wireless interface comes up and associates with the WAP but I do not get an IP address. I suspect that this could possibly be due to the fact that the DHCP server is on a different box, but I’ll have to run a few debugs to see where it’s sticking.

Using ndis, while a little clunky initially, has proven to be a much better replacement for the built in ipw driver. While I was on FreeBSD 7.2 and even Linux, my wireless interface would frequently reload the driver firmware. I’m told that’s due to a bursting configuration on the WAP but I don’t have bursting enabled and no other wireless device on my network displays the same behavior. Along with the cool changes in FreeBSD 8, this makes BSD on my laptop that much more enjoyable!

Recently I was mucking around with some stuff on my FreeBSD laptop (7.2) and caused my system to lock up completely. Not thinking much of it, I rebooted the system and everything seemed normal. I went about my business and needed to install some software. I tried to ’su’ on the system (sudo wasn’t yet installed) and got the message “su: who are you?”. Ugh… I took a look at my ‘/etc/passwd’ database and found that it contained parts of ‘/etc/resolv.conf’ and a lot of gibberish. Looks like UFS’s lack of journaling struck again.

Just for grins, I tried to change my password using the ‘passwd’ command and got the same message. After a few Google searches, I ran across the pwd_mkdb command. The man page for this command points you towards ‘/etc/master.passwd’ but again, in my case, it was corrupted. Ugh.

Since I’m an avid user of FreeBSD, I have plenty of systems from which I can copy the password database. So, fingers crossed, I booted my laptop into single user mode and copied the master password database over on a USB flash drive. I then issued the ‘#pwd_mkdb /etc/master.passwd’ command (I copied over the corrupted master password database) and it didn’t return any errors. Fingers still crossed, I rebooted and was pleasantly surprised to no longer see all the “unknown user” messages. After successfully logging in as root, I was able to change my passwords back to what they were using the regular ‘passwd’ command. Whew!

No, I didn’t fall off a cliff. Been busy with lots of stuff:

• Passed the CCDP ARCH test and became a CCDP on April 25th!
• Lots of house remodeling projects
• Working on my final Cisco test (for now : ), the MPLS exam
• Various other sundries

On the FreeBSD front, I found an old 250GB SATA drive and installed it in my current rig as the only drive (just to be sure I don’t screw something up). Not surprisingly, rebuilding the kernel and world with the latest 7.2 Release is quite snappy as compared to the Thinkpad T40. I was pleased that the Nvidia driver in ports worked without a hitch though it has no 3D acceleration whatsoever. For that you need Nouveau. I went my usual install route: install the minimal FreeBSD distribution, build world and build kernel, build Xorg from ports (including mouse, keyboard, Nvidia driver, and vesa driver for backup) with HAL support, build some sort of window manager (Fluxbox is my current favorite), install a shell (I’m torn between bash and zsh), and install Firefox 3. The entire process took about an hour and a half.

All of my hardware either worked out of the box or worked after a few tweaks but I used the i386 version of FreeBSD, not the AMD64 version. Before I built HAL, I had to use a PS/2 keyboard in order to actually install. Either I missed something or USB hotplug support isn’t there out of the box and needs to be added to rc.conf. I was pleasantly surprised to see that my Blackberry was recognized when I plugged it in. It didn’t automount or anything but it was neat to see it get recognized. I’ve yet to get it to work, but there is a ports version of barry available. Barry is a little rough around the edges but I was able to back up my Blackberry Curve 8320 to my Linux box with it.

It seems like FreeBSD is maturing and quite rapidly. Now that VirtualBox is coming for FreeBSD, the only barrier left is either getting a native 64-bit Flash plugin/player or for Gnash to mature rapidly. I tried Gnash on i386 FreeBSD and it works, but only part of the time.

I still watch with a bit of wonder and amazement at the effort that goes into an Open Source operating system and applications. That the developers can get their projects working with little or no support from hardware vendors is nothing short of amazing.

Not too long ago I wrote a how-to article on how to get FreeBSD 7.0 working on my IBM Thinkpad T40. Among other things, I omitted a section on getting proper video drivers working. The graphics chip is an ATI RV250 (Mobility 9000). This means the driver you should use is the ‘radeon’ driver. Use ‘pciconf -lv |grep ATI‘ to see which chip you’ve got. After toiling a bit with it, I figured out how to get the Open Source ATI drivers working.

Because I want to generally keep my systems pretty current, I recently installed FreeBSD 7.1 on my T40. It’s important to know that the FreeBSD project generally breaks up development into three separate releases, namely CURRENT, STABLE, and RELEASE, in order of most bleeding edge to most stable. After building Xorg 1.6.0, I tried to start an X session just to see if I would get the ugly TWM desktop. To my surprise I got just a black screen but that was it. Even more surprising was that the usual “three finger salute” (ctrl + alt + backspace) didn’t kill my X session. I then hit ‘alt + F2′ to log into another vty and manually kill off X. Here’s where the fun began. It killed more than X; it locked my entire machine up. I continued futzing with my xorg.conf, kernel modules, and locking my system up for a good hour. I then threw in the towel and wound up asking a friend who’s a FreeBSD developer WTF was going on. I learned a few interesting facts:

• The DRM code in 7.1 was more than 2 years old
• It is not necessary to manually load or pre-load any kernel modules for video
• X.org should work well with ATI graphics cards (but the amd64 release may not work) since the ATI driver model has had substantial structural changes to it.

On the first point, there’s two ways around the old code: Either download/burn/install the FreeBSD 7.2 release candidate or rebuild world. Since I’m a glutton for punishment, I decided to rebuild world. It’s not actually that hard, just time consuming. Use the ‘csup’ utility to grab the entire CVS source tree from your nearest csup server and follow the directions listed here to rebuild your system using the RELENG_7 tree.

The second point is easy enough. There’s no need to add anything to your /boot/loader.conf file in order to get X working. X.org will load any necessary kernel modules when you type ‘startx‘. As an interesting aside, I actually locked my system up when attempting the unload the radeon.ko kernel module when I had learned that preloading isn’t necessary. Doh!

Once you’ve rebuilt your system and are running 7.2-STABLE, it probably wouldn’t be a bad idea to rebuild your installed ports. This isn’t necessary per se since X.org should work without even building a config file, but it is a good step, just to make sure everything is up to date. I use the portupgrade utility located in /usr/ports/ports-mgmt/ with the following: portupgrade -aRr. That should upgrade all outdated ports recursively as well as recursively rebuilding dependencies.

I’ll expand on the last point a bit. ATI has been much more generous with contributing documentation to the Open Source community than Nvidia. In fact, Nvidia hasn’t contributed anything other than a proprietary driver for Linux and FreeBSD, though there’s a project called Nouveau which aims to build an Open Source Nvidia driver. Because of this, FreeBSD has an Open Source ATI driver (/usr/ports/x11-drivers/xf86-video-radeonhd and usr/ports/x11-drivers/xf86-video-ati) and using the old proprietary fglrx driver is no longer necessary. There’s one hiccup to this though. The driver has to be re-worked every time a new ATI chip comes out. To solve this, ATI is moving towards the same unified driver model Nvidia has used for years and taking it a step further. They now have an Open Source BIOS abstraction layer called ATOMBios. The idea is to make it easier to more rapidly deploy drivers for new graphics cards. Read all about that in this article. Bravo ATI!

By the time you finish reading this, your ports should be up to date and you should be able to use hardware accelerated ATI drivers on your Thinkpad. I’m running XFCE4 on my Thinkpad and it’s causing me to reevaluate the old “FreeBSD vs. Linux” question. Maybe I’ll spend a little more time working on the other parts that I overlooked in my article.

Enjoy!