Step-by Step Configure IPv6 Router in FreeBSD 4.7

How to enable IPv6 routing on this machine
By default, IPv6 routing is disabled.  So you have to configure the following options to enable IPv6 packet forwarding on this machine.
        # enable IPv6
        # enable IPv6 routing. By default it's "NO".

Theoretically you can operate IPv6 router only with IPv6 linklocal addresses,however it is often convenient to assign site local or global addresses to routers. 

method 1) specify just the first 64 bits of IPv6 address
Latter 64 bits will be calculated automatically.

    ipv6_network_interfaces="ed0 ep0"        # specifies interfaces to assign IPv6 prefix
    ipv6_prefix_ed0="fec0:0000:0000:0001 fec0:0000:0000:0002"
    ipv6_prefix_ep0="fec0:0000:0000:0003 fec0:0000:0000:0004"        # gives the first 64 bits of the IPv6 address

method 2) specify the whole part of IPv6 address
Quite same as IPv4.
    ipv6_network_interfaces="ed0 ep0"        # specifies interfaces to assign IPv6 address
    ipv6_ifconfig_ed0="fec0:0:0:5::1 prefixlen 64"
    ipv6_ifconfig_ed0_alias0="fec0:0:0:5::2 prefixlen 64"

How to enable IPv6 routing protocols on this machine
A.Unicast routing protocols
you can use IPv6-enabled routing software (e.g. route6d, zebra) to configure IPv6 routing protocols.

    ipv6_router_enable="YES"        # enable an IPv6 routing daemon. By default it's "NO".
    ipv6_router="/usr/sbin/route6d" # Name of IPv6 routing daemon (in this case, RIPng)

You can give arguments to routing daemon with the following option.
    ipv6_router_flags="-l"                # route6d option to exchange site local prefix

You can write some number of static routers with the following option.
    ipv6_static_routes="foo bar baz"
    ipv6_route_foo="fec0:0000:0000:0006:: -prefixlen 64 ::1"
    ipv6_route_bar="fec0:0000:0000:0007:: -prefixlen 64 ::1"
    ipv6_route_baz="fec0:0000:0000:0008:: -prefixlen 64 ::1"

In IPv6, IPv6 router should distribute its prefix to the downstream hosts viarouter advertisement.  You can control the behavior of rtadvd (FreeBSD's router advertisement daemon) using the following options.  If you would like to send router-advertisement via some other IPv6 routing daemons (e.g. zebra), you don't need to enable it.

    rtadvd_enable="YES"        # By default it's "NO".

Normally router-advertisement will be announced on all the IPv6-ready interfaces, however you can restrict this advertisement using the following

    rtadvd_interfaces="fxp0"        # by default it's "auto", enable router-advertisement on all interfaces

C.multicast routing
By default IPv6 multicast routing is disabled, so you have to explicitly configure it in rc.conf. 

Currently there are two IPv6 multicast routing daemons available in package or ports (pim6sd = PIM-SM and pim6dd = PIM-DM), but please keep  in mind that they are not installed in FreeBSD-RELEASE by default due to its licensing issue.

    mroute6d_enable="YES"          # Do IPv6 multicast routing.  By default it's "NO".
    mroute6d_program="/usr/local/sbin/pim6sd"        # Name of IPv6 multicast routing daemon.  You need to install it from package or port.

You can give arguments to IPv6 multicast routing daemon.  Normally nothing is required.
    mroute6d_flags="-d pim"
        # debugging option for pim6sd

A.How to configure static IPv6 over IPv4 tunnel
You have to specify the following three items to use static IPv6 over IPv4 tunnel.

In the following example, IPv6 over IPv4 tunnels is configured.                 
   machine-----------------------tunnel server1
          +----------------------------tunnel server2
    gif_interfaces="gif0 gif1"       
        # List of GIF tunnels to be configured
        # to tunnel server1
        # to tunnel server2

B.How to configure 6to4 tunnel
You have to specify the following two items to use 6to4 interface.
         ipv6_defaultrouter="2002:c058:6301::" # (corresponding IPv4 address is c0586301 =

    stf_interface_ipv4addr=""        # Local IPv4 address for 6to4 tunneling interface. its IPv6 address will be "2002:c0a0:0001::1"
    ipv6_defaultrouter="2002:c058:6301::"      #RFC3068 suggests anycast IPv4 address for 6to4 routers, but you can use other IPv4 address according to the
                                                                #site-adminitrator configuration.

Using the following options, you can specify prefix length for 6to4 interface to limit 6to4 peer.  By default it's 0 (i.e. all 6to4 machine
is accepted).  Effective value is 0-31.

By default, IPv6 interface-id for 6to4 interface is "::1",  so the IPv6 address of 6to4 interface is "2002:(IPv4address)::1".
However you can use EUI-64-based interface-id (using "AUTO" keyword) or other static interface-id.

    stf_interface_ipv6_ifid="1234:5678:9abc:def0"        # By default, it is "::1"

Normally 49-64th bit of IPv6 address on 6to4 interface is zero, i.e.IPv6 Site Level Aggregator for 6to4 interface is 0.  If you like, you
can specify some appropriate value (it's not necessary at all in normal cases, though).

        # By default, it is "0"

C.How to configure IPv4-IPv6 translator
There are many technologies to translate traffic between IPv4 and IPv6. By default FreeBSD include transport relay translator called FAITH (RFC3142),which translates TCP traffic from IPv6 to IPv4. 

You need to specify two things to enable FAITH; FAITH prefix and protocols to be translated
To enable a FAITH translator,  you must define FAITH prefix. If you'd like to disable FAITH, please specify "NO" here.

    ipv6_faith_prefix="3ffe:501:ffff:ffff::"        # By default, it's "NO"

The above configuration creates a routing entry on this machine to forward packets for 3ffe:501:ffff:ffff::/96 to faith interface.
When you use FAITH from other machine, you must control routing to lead packets for 3ffe:501:ffff:ffff::/96 to this machine by some way (e.g. by RIPng).

By default no protocol is tranlated via faith even when the above configuration is given.  So you have to specify the protocols to be translated in either of the following manner:

method 1) invoke faithd manually
Writes the following statement in /etc/rc.local or /usr/local/etc/rc.d/ etc.

    /usr/sbin/faithd http                                       # translates HTTP traffic
    /usr/sbin/faithd ftp /usr/libexec/ftpd ftpd -l        # translates FTP traffic unless bound for myself

method 2) invoke faithd via inetd
adds the following statement in /etc/inetd.conf This is dedicated for the cases where translation is required for  traffic not for myself and traffic bound for myself would be handled normally.

    ftp     stream  tcp6/faith  nowait  root  /usr/sbin/faithd  ftpd -l

you can set an faith-specific access control list to prevent malicious access with /etc/faithd.conf.  If you configured FAITH on /etc/inetd.conf,
you can use a tcpwrapper to control access to FAITH as normal inetd control.

Below is an example access control list using /etc/faithd.conf.
    3ffe:501:ffff::/64 deny 3ffe:501:ffff:ffff::         # deny translation from 3ffe:501:ffff:0::/64 to
    3ffe:501:ffff::/64 permit 3ffe:501:ffff:ffff::            # all ther other traffic from 3ffe:501:ffff::/64 is translated
                                                                                        # unmatched traffic won't be translated.

D. How to control IPv4-mapped IPv6 address
IPv4-mapped IPv6 address is used to let IPv6-only programs speaks IPv4 on its IPv6 sockets. 
Normally this feature is not required as there are not many IPv6-only  programs (as far as I know only mozilla make use of this) and can be
a security hole (you have to configure IPv6 filter to block IPv4 traffic. 

        # Leave empty to disable IPv4 mapped IPv6 addr communication.
        # (like ::ffff:a.b.c.d).  By default it's enabled.

E.How to configure IPv6 firewall
FreeBSD provides an IPv6 packet filter called "ip6fw".  Here its usage is described.

By default it's disabled and removed from GENERIC kernel, so you have to
    options IPV6FIREWALL


When you define IPv6 firewall, you should define its type, too.Valid values are listed below:
    open                  will allow anyone in
    client                  will try to protect just this machine
    simple                will try to protect a whole network
    closed                totally disables IP services except via lo0 interface
    UNKNOWN      disables the loading of firewall rules.
    filename            will load the rules in the given filename  (full path required)

For ``client'' and ``simple'' the optional entries should be customized appropriately.


        # suppress rule display. (By default, it's NO)
        # enable events logging. (By default, it's NO)
        # Flags passed to ip6fw when type is a "filename"

Source :
Last Archive : 2003-02-20


    IPv6 Host