Archive for the ‘Networking’ Category

Configuring a 6to4 tunnel on the pfSense firewall

March 2nd, 2010 Chris No comments

If you’ve read my article on connecting to the IPv6 Internet, you should be familiar with the principles of IPv6 over IPv4 connectivity and have some basic IPv6 knowledge.

I’ve wanted to use IPv6 with my pfSense firewall for quite some time but it seems that the developers don’t want to be bothered supporting it. Fear not! There is a way to get IPv6 connectivity, though it won’t work through the GUI.

I won’t go into a great amount of detail on configuring your end PCs for IPv6 connectivity except to say that it’s generally turned on by default for Linux, that you need to add ipv6_enable="YES" to /etc/rc.conf and reboot for FreeBSD, and that you need to add the IPv6 protocol in Windows XP (newer versions have it enabled by default). From that point on, your computer should send out router solicitation messages, which your pfSense firewall (via rtadvd) will answer, and your computer will autoconfigure an IPv6 address from the advertised prefix.

For the remainder of this article, I’m using this article (cached version here) as my template. That article is intended for native IPv6 connectivity, not tunneled connectivity, so some steps differ. Also note that you should already have an IPv6 over IPv4 tunnel configured; I suggest using a provider such as Hurricane Electric. Lastly, once you have a tunnel, you’ll want to allow pings from the tunnel’s IPv4 endpoint to your firewall so the provider knows your side is up. I enabled this by going to Firewall/Rules and adding a rule that allows only the IPv4 tunnel endpoint to ping your firewall’s external IP: protocol ICMP, ICMP type Any, source the host IP of the remote tunnel endpoint. Don’t forget to apply it!

For your pfSense box, you’ll want to be running the latest release (1.2.3-RELEASE as of this writing). Be sure to enable SSH from the web gui since you’ll need to log into the command line. For your tunnel settings, I’ll assume the following addresses:

  • WAN IPv6 IP: 2001:db8:0:1::2
  • WAN IPv4 IP: 192.0.2.2
  • WAN IPv4 Tunnel Destination: 192.0.2.15
  • LAN IPv6 allocation: 2001:db8:0:2::/64

Log into your firewall using the credentials you configured when you first set it up. At the menu, use option 8 to drop to a shell. Next, create the following file:

#!/bin/sh
# IFOUT = outside (tunnel) interface
# IFIN  = inside interface (change bge0 to the name of your LAN interface)
# DFGW  = default IPv6 gateway (the provider's side of the tunnel)
IFOUT="gif0"
IFIN="bge0"
DFGW="2001:db8:0:1::1"
WAN4="192.0.2.2"          # WAN IPv4 IP
TUNNEL4="192.0.2.15"      # WAN IPv4 tunnel destination
WAN6="2001:db8:0:1::2"    # WAN IPv6 IP (our side of the tunnel)
LAN6="2001:db8:0:2::1"    # router address inside the LAN IPv6 allocation

####### Configure the stuff

# Configure the tunnel interface
ifconfig $IFOUT create
ifconfig $IFOUT tunnel $WAN4 $TUNNEL4
ifconfig $IFOUT inet6 $WAN6 prefixlen 64
ifconfig $IFOUT up

# Give the inside interface an address out of the LAN allocation
ifconfig $IFIN inet6 alias $LAN6 prefixlen 64

# Set the default route (once; adding it twice only produces an error)
route -n add -inet6 default $DFGW

# Configure IPv6 forwarding
sysctl net.inet6.ip6.forwarding=1

# My /etc/rtadvd.conf looks like this (the interface name must match $IFIN):
#
# bge0:\
#   :addrs#1:addr="2001:db8:0:2::":prefixlen#64:tc=ether:
#
# Startup rtadvd on the inside interface
/usr/sbin/rtadvd -d -D -c /etc/rtadvd.conf $IFIN

Save this file as 00_config-ipv6-if.sh under /usr/local/etc/rc.d/ so it is executed automatically at boot, and make it executable (chmod 755 /usr/local/etc/rc.d/00_config-ipv6-if.sh). Don’t forget to change IFIN (bge0 above) to the name of your inside interface; the same name goes into /etc/rtadvd.conf.

Next, we need to configure the pf firewall to let the tunnel’s traffic through. Create a file with the following contents:

#!/bin/sh
#
# IFOUT = outside (tunnel) interface
# IFIN  = inside interface (must match the first script)
IFOUT="gif0"
IFIN="bge0"

####### Configure the stuff

# Configure PF
# pfSense puts its generated rules in /tmp/rules.debug for debugging purposes
# after boot. We take those rules, insert the IPv6 rules right after the
# "User-defined rules follow" marker line, and load the result with pfctl.
sed "/User-defined rules follow/{
p;s/.*/\
pass in quick on $IFIN inet6 from any to any\\
pass out quick on $IFIN inet6 from any to any\\
pass out quick on $IFOUT inet6 from any to any\\
pass quick proto ipv6-icmp from any to any\\
# pass in on $IFOUT inet6 proto tcp from any to any port 22\\
/;}" /tmp/rules.debug > /tmp/rules.config-ipv6.txt

# Read the new PF configuration file
pfctl -f /tmp/rules.config-ipv6.txt
# Disable and re-enable PF. pfctl -f has already activated the new rules, and
# pf passes everything for the instant between these two commands.
pfctl -d; pfctl -e

Save this file as 10_config-ipv6-pf.sh under /usr/local/etc/rc.d/ and make it executable (chmod 755 /usr/local/etc/rc.d/10_config-ipv6-pf.sh) so it runs at startup.

Lastly, create /etc/rtadvd.conf and add the following to it (bge0 is the inside interface, the same one you set as IFIN in the first script):

bge0:\
  :addrs#1:addr="2001:db8:0:2::":prefixlen#64:tc=ether:

Save that file. At this point you can either reboot your pfSense box or execute the two scripts. You should have IPv6 connectivity through your tunnel. You can test it using traceroute6 and ping6. Another great test to try is to go to http://ipv6.google.com. If the logo bounces, you have IPv6 connectivity.
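As an added example (not part of the original post and not pfSense’s own code), here is a shell script that builds the same IPv6 additions but restricts the ICMPv6 rule to the message types IPv6 actually needs instead of passing all of ICMPv6, splices the block in after pfSense’s “User-defined rules follow” marker with awk rather than a multi-line sed replacement, and parses the result with pfctl -n before anything is loaded. The function names, the ICMPv6 type list and the constructed rules.debug used in the usage comment are this example’s own assumptions; the interface names and the marker text follow the post.

```shell
#!/bin/sh
# Added example (not the original post's script): generate pfSense IPv6 rule
# additions with a restricted ICMPv6 list, splice them into a copy of
# /tmp/rules.debug, and syntax-check the result before loading it.

IFIN="${IFIN:-bge0}"    # inside interface, as in the post
IFOUT="${IFOUT:-gif0}"  # tunnel interface, as in the post

# ICMPv6 types IPv6 cannot work without (neighbor discovery, router
# discovery, path MTU discovery, error reporting) plus echo for testing.
# Anything else falls through to pfSense's default deny. This list is an
# assumption chosen for the example; the keywords are pf's icmp6-type names.
ICMP6_TYPES="unreach toobig timex paramprob echoreq echorep routersol routeradv neighbrsol neighbradv"

# Print the IPv6 rule block for the given inside ($1) and tunnel ($2) interfaces.
ipv6_rules() {
    types=$(printf '%s' "$ICMP6_TYPES" | sed 's/ /, /g')
    cat <<EOF
# --- IPv6 additions for pfSense ---
pass in quick on $1 inet6 from any to any
pass out quick on $1 inet6 from any to any
pass out quick on $2 inet6 from any to any
# Only the ICMPv6 types needed for ND, PMTU and echo, not all of ICMPv6
pass quick inet6 proto ipv6-icmp from any to any icmp6-type { $types }
EOF
}

# Copy the generated ruleset ($1) to $2, inserting the IPv6 block once,
# directly after the "User-defined rules follow" marker line.
splice_ipv6_rules() {
    block=$(ipv6_rules "$IFIN" "$IFOUT")
    awk -v add="$block" '
        { print }
        /User-defined rules follow/ && !done { print add; done = 1 }
    ' "$1" > "$2"
}

# Number of IPv6 pass rules present in a ruleset file.
count_ipv6_rules() {
    grep -c '^pass .* inet6 ' "$1"
}

# Parse-only check with pfctl -n (nothing is loaded). Where pfctl is not
# available, fall back to checking that the block was actually inserted.
check_ruleset() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        grep -q '^# --- IPv6 additions for pfSense ---$' "$1"
    fi
}

# Usage: ./ipv6-rules.sh /tmp/rules.debug /tmp/rules.config-ipv6.txt
# and, once check_ruleset succeeds: pfctl -f /tmp/rules.config-ipv6.txt
if [ "$#" -eq 2 ]; then
    splice_ipv6_rules "$1" "$2" && check_ruleset "$2"
fi
```

Because the ruleset is written to a separate file and only parsed with pfctl -n, a typo in the rules never reaches the running firewall, and the pfctl -d/-e step from the post is not needed at all: pfctl -f replaces the active ruleset on its own.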

Enjoy!

Configuring wireless networking on a Thinkpad T40 on FreeBSD 8

February 1st, 2010 Chris No comments

I’ve been happily using FreeBSD 7.2 on my IBM Thinkpad T40 and decided it was time to upgrade to the latest and greatest: FreeBSD 8. FreeBSD 8.0 brings many changes to the base system, but one of the more significant ones is the configuration of wireless (802.11) networking. After a bit of mucking around, I’ve figured out some interesting things that relate to wireless, especially on the Thinkpad T40.

The biggest change is that you no longer configure the physical device interface. That is, no more “ifconfig_<interface>” lines in rc.conf, where interface is ath or ipw or some variation. Instead, you create a pseudo-interface, map it to the physical interface, and configure your IP settings on the pseudo-interface.

Another important point is that the existing ipw2100 driver that the Thinkpad relies on is horribly broken in FreeBSD 8. This means we’ll have to configure the interface using NDIS instead. Don’t worry though, it’s not that difficult.

To begin, go to the Lenovo website and download the wireless drivers. There are several there, so be sure to grab the one for the Intel 2100 802.11b wireless interface. The filename should be 1rwc89ww.exe. Unfortunately, you’ll need a nearby Windows machine to decompress the executable. Alternatively, you could probably download the same driver from Intel’s website directly, but it’s likely to be a self-extracting executable as well. Regardless of which method you use to obtain the driver, the two files we’re interested in are named W70N501.INF and W70N51.SYS. The first file describes how to install the driver on a Windows computer and the second file is the actual driver itself.

Next, we need to convert the Windows driver to a kernel module that FreeBSD understands. To do this, go to the directory containing the two files mentioned above and type “% ndisgen W70N501.INF W70N51.SYS”. From here, the ndisgen utility will prompt you with a few questions; just keep hitting enter. Note that you’ll want a source tree on your system that is in sync with your kernel so ndisgen is able to build a kernel module. Consult the FreeBSD handbook to learn how to synchronize a source tree to your system. When finished, you should see a new file named W70N51_SYS.ko in your directory. Copy this file to the /boot/modules directory. You might even rename it to lower case to make things easier.

Now that we have a suitable driver in place, we need to load up the ndis API. To do this, type “sudo kldload if_ndis” and “sudo kldload ndis”. To load our fancy new driver, type “sudo kldload W70N51_SYS” (or the lower case equivalent if you changed case). We’re now ready to configure IP addressing.

I’ll take the simplest use case and assume you’re using WPA authentication and getting an IP address via DHCP. Add the following lines to /etc/rc.conf:

#Wireless
wlans_ndis0="wlan0"
ifconfig_wlan0="WPA DHCP"

The first line incorporates the new wireless interface in FreeBSD 8. It creates a “wlan0” pseudo-interface and maps it to the physical ndis interface. The second line simply tells the ifconfig command to use WPA authentication and to grab a dynamic IP. Next, add the following to your /boot/loader.conf to make these changes permanent:

#Wireless
if_ndis_load="YES"
W70N51_SYS_load="YES"

At this point, you can either reboot the laptop or restart networking using “/etc/rc.d/netif restart”. If you choose to restart networking, you might have to manually create the pseudo-interface using the following command: “ifconfig wlan0 create wlandev ndis0”. If you are upgrading your laptop, you may wish to remove all the ipw* entries from both configuration files as they are no longer needed.

Using this configuration, one odd bug I’ve run into is that my wireless interface comes up and associates with the WAP but I do not get an IP address. I suspect that this could possibly be due to the fact that the DHCP server is on a different box, but I’ll have to run a few debugs to see where it’s sticking.

Using ndis, while a little clunky initially, has proven to be a much better replacement for the built-in ipw driver. While I was on FreeBSD 7.2 and even Linux, my wireless interface would frequently reload the driver firmware. I’m told that’s due to a bursting configuration on the WAP but I don’t have bursting enabled and no other wireless device on my network displays the same behavior. Along with the cool changes in FreeBSD 8, this makes BSD on my laptop that much more enjoyable!

How to install GNS3 in Gentoo Linux

October 17th, 2009 Chris No comments

Now that I’ve switched to Gentoo Linux, I had to learn a few tricks about getting my favorite software installed. One application I can’t live without is GNS3, or the Graphical Network Simulator. It allows you to easily simulate a network of Cisco routers in an easy to use, drag and drop interface. I’ve used it to study for a number of Cisco certification tests (and pass them too!) and it really helps. If you have access to a few IOS images that Dynamips supports, I encourage you to install GNS3 to simplify your studies.

Getting GNS3 installed under Gentoo Linux takes a little more work since Gentoo is a source distro (you have to compile the software yourself) but is well worth the effort.

Read on and find out how to get GNS3 working in Gentoo Linux!

Passed the MPLS exam!

September 25th, 2009 Chris No comments

Finishing out my Cisco studies (for now), I’ve finally passed the Cisco MPLS (642-611) exam. I have to say, this exam is probably the hardest Cisco exam I’ve taken to date. It even made the QOS exam seem easy. As usual, the easiest way to pass is to know the topics cold. In addition to the test topics, here’s what I recommend knowing:

  • MPLS Fundamentals
  • Intricacies of MPLS VPNs
  • Differences between different types of Internet access
  • Configuration of all MPLS topics

By fundamentals, I don’t mean just knowing that LDP runs on TCP port 646. You’ll want to know the nitty gritty details about cell mode and frame mode differences, exactly how labels work, and how labels are distributed throughout the network, among other things.

MPLS VPNs are a pretty complicated topic, covering VPN label stacks, route targets, and address families. Knowing those, as well as redistribution and how the various routing protocols are configured, will help you get past the finish line.

For some reason, Cisco documentation on MPLS Internet access is a bit sparse. I can’t really recommend anything other than picking up a good book on MPLS. Ignore the recommended Cisco Press books; they’re horribly out of date and are priced like they just came out. I recommend both the MPLS Fundamentals book and the MPLS Configuration on Cisco IOS books.

Lastly, you need to know the configuration topics like the back of your hand. To learn them, you’ll either want access to a rack of routers (and ATM switches if you’re lucky) or you can use something like GNS3 and dynamips. This is where the MPLS Configuration book really shines. Aside from teaching you all the basic topics, it also shows you how to configure all the advanced stuff. When you can configure advanced MPLS VPNs such as central service MPLS VPNs without referring to any material, you’re probably good to go. Don’t forget about managed MPLS VPN services like ODAP and NAT.

Overall, the test isn’t impossible but it’s no walk in the park. With plenty of book study and hands on time on some routers, test day should turn out successfully.


Note to self: pay your bills!

July 20th, 2009 Chris No comments

I SSH between my many computers several times in the course of a day. Today when I went to SSH to my web server I couldn’t quite figure out what was wrong. I could ping the IP address but SSH just didn’t want to work. I tried restarting the SSH daemon and when that didn’t work, I rebooted the entire box. After it still didn’t work, it finally hit me: I forgot to renew my domain name and it was set to expire on July 17th! To confirm, I did a simple dig lookup:

; <<>> DiG 9.4.2-P2 <<>> xaero.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46405
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;xaero.org.                     IN      A

;; ANSWER SECTION:
xaero.org.              85511   IN      A       69.46.228.231

;; AUTHORITY SECTION:
xaero.org.              85511   IN      NS      expired-domain-ns50.directnic.com.
xaero.org.              85511   IN      NS      expired-domain-ns51.directnic.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jul 20 13:08:14 2009
;; MSG SIZE  rcvd: 124

Oops!! Needless to say, I very quickly renewed my domain name and within a few short hours my nameservers were happily serving up DNS again. Thankfully my registrar provides a grace period for renewing expired domains so they don’t immediately get thrown back into the available pot. Next time I’ll stamp a sticky note on my forehead.

A few updates…

May 25th, 2009 Chris No comments

No, I didn’t fall off a cliff. Been busy with lots of stuff:

  • Passed the CCDP ARCH test and became a CCDP on April 25th!
  • Lots of house remodeling projects
  • Working on my final Cisco test (for now : ), the MPLS exam
  • Various other sundries

On the FreeBSD front, I found an old 250GB SATA drive and installed it in my current rig as the only drive (just to be sure I don’t screw something up). Not surprisingly, rebuilding the kernel and world with the latest 7.2 Release is quite snappy as compared to the Thinkpad T40. I was pleased that the Nvidia driver in ports worked without a hitch though it has no 3D acceleration whatsoever. For that you need Nouveau. I went my usual install route: install the minimal FreeBSD distribution, build world and build kernel, build Xorg from ports (including mouse, keyboard, Nvidia driver, and vesa driver for backup) with HAL support, build some sort of window manager (Fluxbox is my current favorite), install a shell (I’m torn between bash and zsh), and install Firefox 3. The entire process took about an hour and a half.

All of my hardware either worked out of the box or worked after a few tweaks but I used the i386 version of FreeBSD, not the AMD64 version. Before I built HAL, I had to use a PS/2 keyboard in order to actually install. Either I missed something or USB hotplug support isn’t there out of the box and needs to be added to rc.conf. I was pleasantly surprised to see that my Blackberry was recognized when I plugged it in. It didn’t automount or anything but it was neat to see it get recognized. I’ve yet to get it to work, but there is a ports version of barry available. Barry is a little rough around the edges but I was able to back up my Blackberry Curve 8320 to my Linux box with it.

It seems like FreeBSD is maturing and quite rapidly. Now that VirtualBox is coming for FreeBSD, the only barrier left is either getting a native 64-bit Flash plugin/player or for Gnash to mature rapidly. I tried Gnash on i386 FreeBSD and it works, but only part of the time.

I still watch with a bit of wonder and amazement at the effort that goes into an Open Source operating system and applications. That the developers can get their projects working with little or no support from hardware vendors is nothing short of amazing.

Mastering IPTables

October 28th, 2008 Chris No comments

Two cool articles up on Linuxjournal.com regarding IPTables, the built-in firewall for Linux. I’ve struggled to learn how IPTables works (especially after using the excellent OpenBSD pf firewall) but these videos really explain IPTables well:

Part 1

Part 2

I would encourage you to watch both videos if you use Linux, especially if your system is exposed to the Internet (not behind a home router).

QOS series part 1: Introduction to Quality of Service

July 22nd, 2008 Chris No comments

With all the recent hubbub about ISP traffic management, I figured I’d start an article series on QOS: what it is, how it works, and where it is implemented in a network. After all, my day job is networking so I may as well share some knowledge.

Since the Internet first went commercial in the mid-90s, network traffic has grown significantly (that’s a bit of an understatement really). These days there is talk of an impending “exaflood” of network traffic – an increase of network bandwidth of epic proportions so high that all Internet traffic becomes jammed. This is little more than a theory at this point; an earlier prediction in the 1990s of a “petaflood” never actually materialized thanks to the dizzying pace of speed increases in computing power, both in generic PCs and networking equipment, and the phenomenal increases in network bandwidth (in the early 1990s most of the Internet was connected by 45Mbps DS3s; nowadays there are multiple 10Gbps connections between most ISPs).

The most obvious way to manage a network is to implement quality of service. QOS is called both “managed fairness” and “managed unfairness” because it attempts to provide better service for some things while providing worse service for others.

Part 1 of my QOS series lays down the foundation of QOS. Subsequent parts will discuss technologies in more detail.

Read on, dear readers, and learn the fundamentals of quality of service!

Passed the Cisco BGP test!

April 12th, 2008 Chris 1 comment

Okay, so I’m two weeks late on posting this but it’s still exciting! I’m actively working towards the CCIP so I wanted to take this test before June so I can stick to my “study and pass a test within a reasonable timeframe” schedule. It’s pretty difficult and I actually failed it on the first try (with a 750 out of a 755 passing score. Argh!). This time around I passed with a more respectable 912.

Without divulging too much, you should definitely know all of the testing objectives cold. They can be found here. Pay particular attention to the differences between IBGP and EBGP and all of the features each offers. I used the “Internet Routing Architectures” book by Sam Halabi and it was excellent. Even if you’re not taking the BGP test, it would be a good idea to have that book on hand as a reference. Read it twice and the test should be a piece of cake.

How to connect to the IPv6 Internet

April 12th, 2008 Chris No comments

Wrote up a new article on how to connect your home router to the IPv6 Internet. Have fun visiting all 10 IPv6-enabled websites ; ) Check it out here – article.
