Sebastian Nohn

Weblog

IPv6 enabling your network with the Hurricane Electric Tunnelbroker using a Linux router

After waiting years for my ISP to introduce native IPv6 to its clients, which still hasn't happened, I decided to enable IPv6 in my home LAN via Hurricane Electric's Tunnel Broker service. The setup was quite easy:

First, I registered for their service, which only took a few minutes, and then registered a new "regular" tunnel. HE offers a number of tunnel endpoints in several countries on three continents, and you should take care to choose the one with the lowest latency to your v4 IP (they offer a check for this).

After you successfully registered your tunnel, the party begins. You are now able to set up the tunnel on your Debian/Ubuntu/Voyage Linux router (you get all the information you need from the tunnel details page at Tunnelbroker). To add the tunnel to your config, add

auto hev6tunnel
iface hev6tunnel inet6 v4tunnel
    # this is the amsterdam endpoint. change it to your endpoint
    endpoint 216.66.84.46             
    # beware, you get assigned two prefixes from HE, a tunnel prefix and a route prefix 
    address 2001:your:tunnel:prefix::2 
    netmask 64
    # this makes traceroute work
    ttl 255                            
    up ip -6 route add default dev hev6tunnel
    down ip -6 route del default dev hev6tunnel

to your /etc/network/interfaces. If you now bring up the tunnel with ifup hev6tunnel, you should already be able to ping IPv6 destinations:

ping6 ipv6.google.com -n -c 3
PING ipv6.google.com(2a00:1450:4016:800::1010) 56 data bytes
64 bytes from 2a00:1450:4016:800::1010: icmp_seq=1 ttl=56 time=33.6 ms
64 bytes from 2a00:1450:4016:800::1010: icmp_seq=2 ttl=56 time=33.3 ms
64 bytes from 2a00:1450:4016:800::1010: icmp_seq=3 ttl=56 time=34.1 ms

--- ipv6.google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 33.326/33.708/34.110/0.320 ms

If it doesn't work, you may have to register your tunnel endpoint at HE: curl "https://ipv4.tunnelbroker.net/nic/update?username=youruser&password=yourpassword&hostname=yourtunnelid". To persist this, you should add the call to your PPP interface configuration:

auto dsl-provider
iface dsl-provider inet ppp
  pre-up /sbin/ifconfig eth0 up
  provider dsl-provider
  post-up curl "https://ipv4.tunnelbroker.net/nic/update?username=youruser&password=yourpassword&hostname=yourtunnelid"

Before bringing up the route to your LAN, it's time to configure your firewall. IPv6 doesn't use NAT; instead, every client gets assigned a routed IP. So that your experiment doesn't end in a disaster, you should filter all traffic before enabling the routed network. The easiest way is to get Fabio Baltieri's IPv6 Firewall, change WAN to hev6tunnel and adjust LAN and WLAN to whatever matches your configuration.

After that you extend your tunnel config to look like this:

auto hev6tunnel
iface hev6tunnel inet6 v4tunnel
    # comments need their own line: interfaces(5) does not support end-of-line comments
    # this is the amsterdam endpoint. change it to your endpoint
    endpoint 216.66.84.46
    # beware, you get assigned two prefixes from HE, a tunnel prefix and a route prefix
    address 2001:your:tunnel:prefix::2
    netmask 64
    up ip -6 route add default dev hev6tunnel
    up ip -6 addr add 2001:your:tunnel:prefix::1/64 dev eth1
    down ip -6 route del default dev hev6tunnel
    down ip -6 addr del 2001:your:tunnel:prefix::1/64 dev eth1
    post-up /etc/init.d/rc.firewall6 start
    post-down /etc/init.d/rc.firewall6 stop

You can check if it works by bringing the tunnel down and back up again: ifdown hev6tunnel; ifup hev6tunnel. The output of ip6tables -L -n should look similar to this:

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all      ::/0                 ::/0                
ACCEPT     all      ::/0                 ::/0                
ACCEPT     tcp      ::/0                 ::/0                tcp dpt:22
ACCEPT     icmpv6    ::/0                 ::/0                
ACCEPT     all      ::/0                 ::/0                state RELATED,ESTABLISHED 

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all      ::/0                 ::/0                
ACCEPT     tcp      ::/0                 ::/0                tcp dpt:22
ACCEPT     icmpv6    ::/0                 ::/0                
ACCEPT     all      ::/0                 ::/0                state RELATED,ESTABLISHED 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination   
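
The listing above comes from ip6tables -L -n, which does not print interface matches, so an "ACCEPT all ::/0 ::/0" line limited to lo or the LAN looks exactly like one that opens the whole chain. The following check is an added example, not part of the original post or of Fabio Baltieri's script: it audits ip6tables-save output instead. The function names and both sample dumps are constructed for illustration; hev6tunnel and eth1 are the interface names used on this page.

```shell
#!/bin/sh
# Added example. audit_ruleset and sample_dump are hypothetical helper names.
WAN_IF=hev6tunnel   # tunnel interface name used on this page

# Reads ip6tables-save output on stdin. Returns 0 only if INPUT and FORWARD
# default to DROP and no rule accepts everything arriving from the WAN side.
audit_ruleset() {
    awk -v wan="$WAN_IF" '
        /^:(INPUT|FORWARD) / { pol[substr($1, 2)] = $2 }
        /^-A (INPUT|FORWARD) / {
            in_if = ""; out_if = ""; accept = 0; narrowed = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-i") in_if = ($(i - 1) == "!") ? "" : $(i + 1)
                if ($i == "-o") out_if = $(i + 1)
                if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
                if ($i == "-p" || $i == "-m" || $i == "-s" || $i == "-d") narrowed = 1
            }
            # An unrestricted ACCEPT for traffic entering via the tunnel (or via
            # any interface) makes the DROP policy meaningless.
            if (accept && !narrowed && (in_if == wan || (in_if == "" && out_if != wan))) {
                print "FAIL: " $2 " accepts all inbound traffic: " $0; bad = 1
            }
        }
        END {
            if (pol["INPUT"] != "DROP")   { print "FAIL: INPUT policy is not DROP"; bad = 1 }
            if (pol["FORWARD"] != "DROP") { print "FAIL: FORWARD policy is not DROP"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed dump modelled on the listing above; $1 is the first FORWARD rule.
sample_dump() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD $1
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}
# Both dumps render the same in "ip6tables -L -n"; only the first is safe.
sample_dump "-i eth1 -j ACCEPT" | audit_ruleset && echo "LAN-scoped rule: ok"
sample_dump "-j ACCEPT" | audit_ruleset || echo "wide-open rule: rejected"
```

On the router itself, run ip6tables-save | audit_ruleset as root before enabling the routed prefix.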

Now you are ready to enable the routed network without harming your unpatched computers, smartphones and tablets. To do this, enable your routed prefix on your internal network interface:

iface eth1 inet6 static
    address 2001:your:route:prefix::2
    netmask 64

Run ifdown eth1; ifup eth1 to enable it. To advertise the routes to your clients using NDP, install radvd with apt-get install radvd and configure it in /etc/radvd.conf to advertise your route:

interface eth1
{
   AdvSendAdvert on;
   prefix 2001:your:route:prefix::/64
   {
        AdvOnLink on;
        AdvAutonomous on;
   };
};

A few seconds later, your clients should start bringing up IPv6 addresses on their interfaces. ifconfig | grep inet6 should output something like this:

inet6 addr: ::1/128 Scope:Host
inet6 addr: 2001:your:route:prefix:your:local::address/64 Scope:Global
inet6 addr: a::b:c:d:e/64 Scope:Link
inet6 addr: 2001:your:route:prefix:your:temporary:local:address/64 Scope:Global

To learn what these temporary addresses are, please read about the IPv6 Privacy Extension.

Now you should be able to ping IPv6 destinations from your local machine:

ping6 ipv6.google.com -n -c 3
PING ipv6.google.com(2a00:1450:4016:801::1010) 56 data bytes
64 bytes from 2a00:1450:4016:801::1010: icmp_seq=1 ttl=55 time=31.9 ms
64 bytes from 2a00:1450:4016:801::1010: icmp_seq=2 ttl=55 time=31.3 ms
64 bytes from 2a00:1450:4016:801::1010: icmp_seq=3 ttl=55 time=32.5 ms

--- ipv6.google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 31.361/31.955/32.539/0.502 ms

If this also works, you should see the dancing turtle, be able to SSH to your local machine from some remote location etc.

Normally your tunnelled IPv6 connection should not have much less bandwidth than your native IPv4 connection, which you can check for example on http://ipv6-test.com/speedtest/. If it does, you should try lowering the MTU in your tunnel's advanced configuration settings on the Tunnel Broker website.

Update

People were asking me why I didn't extend my delegation to a /48 and instead stayed with the default /64. Well, the /64 allows me to put 56759212534490928 devices per cubic metre in my flat, which should be enough for now.

Posted Oct 20, 2012 by Sebastian Nohn
Tagged as: Internet, IPv6, Linux, Networking

Monitoring your ALIX I2C sensors with nagios

Most ALIX system boards come with onboard i2c temperature sensors. Nagios Plugins come with a check_sensors command.

However, the default lm-sensors configuration that ships with most distributions doesn't know about the ALIX sensors and the default Nagios plugin doesn't report performance data.

Once lm-sensors is installed and you run sensors-detect, the sensors command will output something like this:

root@bnalrr01:~# sensors
lm86-i2c-0-4c
Adapter: CS5536 ACB0
temp1:       +30.0 C  (low  =  +0.0 C, high = +70.0 C)  
                      (crit = +85.0 C, hyst = +75.0 C)  
temp2:       +36.9 C  (low  =  +0.0 C, high = +70.0 C)  
                      (crit = +85.0 C, hyst = +75.0 C)

And the check_sensors probe would output something like this:

root@bnalrr01:~# ./check_sensors 
sensor ok

To make the sensors output more verbose, add this to your /etc/sensors3.conf:

chip "lm90-*" "adm1032-*" "lm86-*" "max6657-*" "adt7461-*"
   label temp1 "M/B Temp"
   label temp2 "CPU Temp"
   label tcrit1 "M/B Crit"
   label tcrit2 "CPU Crit"

Now the sensors command is a bit more verbose on the sensors:

root@bnalrr01:~# sensors
lm86-i2c-0-4c
Adapter: CS5536 ACB0
M/B Temp:    +30.0 C  (low  =  +0.0 C, high = +70.0 C)  
                      (crit = +85.0 C, hyst = +75.0 C)  
CPU Temp:    +36.6 C  (low  =  +0.0 C, high = +70.0 C)  
                      (crit = +85.0 C, hyst = +75.0 C)

To add performance data to the check_sensors probe, replace the content with

#! /bin/sh

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

PROGNAME=`basename $0`
PROGPATH=`echo $0 | sed -e 's,[\\/][^\\/][^\\/]*$,,'`
REVISION="1.4.15"

. $PROGPATH/utils.sh


print_usage() {
        echo "Usage: $PROGNAME"
}

print_help() {
        print_revision $PROGNAME $REVISION
        echo ""
        print_usage
        echo ""
        echo "This plugin checks hardware status using the lm_sensors package."
        echo ""
        support
        exit 0
}

case "$1" in
        --help)
                print_help
                exit 0
                ;;
        -h)
                print_help
                exit 0
                ;;
        --version)
                print_revision $PROGNAME $REVISION
                exit 0
                ;;
        -V)
                print_revision $PROGNAME $REVISION
                exit 0
                ;;
        *)
                # capture the exit status of sensors itself before another command overwrites $?
                sensordata=`sensors 2>&1`
                status=$?
                CPUHEAT=`sensors -A | grep CPU | grep Temp | cut -c 15,16`
                MOBHEAT=`sensors -A | grep M/B | grep Temp | cut -c 15,16`
                PERFDATA="cpu_temp=$CPUHEAT;mob_heat=$MOBHEAT"
                if test "$1" = "-v" -o "$1" = "--verbose"; then
                        echo ${sensordata}
                fi
                if test ${status} -eq 127; then
                        echo "SENSORS UNKNOWN - command not found (did you install lmsensors?)"
                        # 3 is the Nagios UNKNOWN state; "exit -1" is not portable in sh
                        exit 3
                elif test ${status} -ne 0 ; then
                        echo "WARNING - sensors returned state $status |$PERFDATA"
                        exit 1
                fi
                if echo ${sensordata} | egrep ALARM > /dev/null; then
                        echo "SENSOR CRITICAL - Sensor alarm detected! |$PERFDATA"
                        exit 2
                else
                        echo "sensor ok |$PERFDATA"
                        exit 0
                fi
                ;;
esac

Now it prints out performance data and can be graphed with pnp4nagios:

root@bnalrr01:~# ./check_temp_sensors 
sensor ok |cpu_temp=36;mob_heat=30

Posted Mar 05, 2011 by Sebastian Nohn
Tagged as: ALIX, i2c, lm-sensors, Nagios

th5n2*ad d5sab3e n4036c2

If you don't know what I want to say with this post, just forget it. If you do, press Shift-Scrl-Lock.

Posted Feb 13, 2011 by Sebastian Nohn
Tagged as: IBM, Lenovo, Numlock, Thinkpad

Book Review: Mastering phpMyAdmin 3.3.x

When asked to review the new edition of Marc Delisle's book Mastering phpMyAdmin 3.3.X for Effective MySQL Management, I said yes, as I already liked one of the previous editions a lot. Again, I was surprised how good the book is.

In addition to some rewritten chapters and parts, completely new aspects of phpMyAdmin are introduced compared to the 3.1 edition. This includes completely new chapters covering the new data and structure synchronization, replication features and change tracking features of phpMyAdmin 3.3.

Even if you already own a previous edition of this book, you should consider buying the new edition, as it has been improved in many different aspects.

Posted Feb 13, 2011 by Sebastian Nohn
Tagged as: Book, MySQL, PHP, phpMyAdmin, Review

First Google mod_pagespeed experiences

Nov  4 17:32:31 startup archives install
Nov  4 17:32:37 install mod-pagespeed-beta  0.9.0.0-r128
Nov  4 17:32:37 status half-installed mod-pagespeed-beta 0.9.0.0-r128
Nov  4 17:32:38 configure mod-pagespeed-beta 0.9.0.0-r128 0.9.0.0-r128
Nov  4 17:32:38 status half-configured mod-pagespeed-beta 0.9.0.0-r128
Nov  4 17:32:38 status unpacked mod-pagespeed-beta 0.9.0.0-r128
Nov  4 17:32:38 status unpacked mod-pagespeed-beta 0.9.0.0-r128
Nov  4 17:32:38 status unpacked mod-pagespeed-beta 0.9.0.0-r128
Nov  4 17:32:38 status unpacked mod-pagespeed-beta 0.9.0.0-r128
Nov  4 17:32:38 status unpacked mod-pagespeed-beta 0.9.0.0-r128
Nov  4 17:32:39 status installed mod-pagespeed-beta 0.9.0.0-r128
Nov  4 17:32:54 bnibws02 sudo: sebastian : TTY=pts/1 ; PWD=/home/sebastian ; USER=root ; COMMAND=/etc/init.d/apache2 restart
Nov  4 17:35:12 bnibws02 kernel: [ 3839.801359] CPU0: Core temperature above threshold, cpu clock throttled (total events = 1)
Nov  4 17:35:15 bnibws02 kernel: [ 3839.801363] Disabling lock debugging due to kernel taint
Nov  4 17:35:15 bnibws02 kernel: [ 3839.801724] CPU0: Core temperature/speed normal
Nov  4 17:36:08 bnibws02 kernel: [ 3900.000027] Machine check events logged
Nov  4 17:40:12 bnibws02 login[5033]: pam_unix(login:session): session opened for user sebastian by LOGIN(uid=0)
Nov  4 17:40:58 bnibws02 kernel: [ 4190.528549] possible SYN flooding on port 80. Sending cookies.
Nov  4 17:41:41 bnibws02 kernel: [ 4234.950287] CPU0: Core temperature above threshold, cpu clock throttled (total events = 9)
Nov  4 17:41:41 bnibws02 kernel: [ 4234.950653] CPU0: Core temperature/speed normal
Nov  4 17:41:59 bnibws02 kernel: [ 4252.256557] possible SYN flooding on port 80. Sending cookies.
Nov  4 17:43:23 bnibws02 sudo: sebastian : TTY=tty1 ; PWD=/home/sebastian ; USER=root ; COMMAND=/etc/init.d/apache2 stop
Nov  4 17:43:36 bnibws02 kernel: [ 4350.000059] Machine check events logged
Nov  4 17:46:42 bnibws02 kernel: [ 4534.950368] CPU0: Core temperature above threshold, cpu clock throttled (total events = 55481)
Nov  4 17:46:44 bnibws02 kernel: [ 4534.950735] CPU0: Core temperature/speed normal
Nov  4 17:47:23 bnibws02 sudo: sebastian : TTY=tty1 ; PWD=/home/sebastian ; USER=root ; COMMAND=/usr/bin/killall -9 apache2
Nov  4 17:47:43 bnibws02 kernel: [ 4596.016227] possible SYN flooding on port 80. Sending cookies.
Nov  4 17:48:16 bnibws02 sudo: sebastian : TTY=tty1 ; PWD=/home/sebastian ; USER=root ; COMMAND=/usr/bin/killall -9 apache2
Nov  4 17:49:58 bnibws02 sudo: sebastian : TTY=pts/3 ; PWD=/etc/apache2/mods-enabled ; USER=root ; COMMAND=/bin/mv pagespeed.conf pagespeed.load ../mods-available/
Nov  4 17:50:08 bnibws02 sudo: sebastian : TTY=pts/3 ; PWD=/etc/apache2/mods-enabled ; USER=root ; COMMAND=/bin/rm pagespeed.conf pagespeed.load
no comment

Posted Nov 04, 2010 by Sebastian Nohn
Tagged as: Apache, Google, Software Quality
