Categories
Uncategorized

Configuring a Dual-Stacked Ubuntu Router on Aussie Broadband NBN

The NBN connection that was scheduled to arrive on my street in 2013 finally arrived last week. IPv4 worked straight out of the box, but IPv6 took considerably longer to get working. This is mostly caused by shortcomings in netplan (Ubuntu’s new network config renderer introduced in 18.04) and ISC DHCP Server when combined with ABB’s DHCPv6-PD system. My router is running Ubuntu 20.04, which doesn’t appear to be any different.

Even though Aussie Broadband provides you with a somewhat-fixed /56 prefix delegation, ABB will drop all traffic unless that prefix is currently leased through DHCPv6-PD. You must request it through DHCPv6, not statically define it.

Sign up to the IPv6 Beta


Firstly, IPv6 is opt-in. You can opt into the IPv6 beta here. You will be assigned two addresses. One is an IA-NA (a single /128 address from a /64 block for the router), the other is an IA-PD (/56 prefix delegation to use on your network).

Configure Network Interfaces with Netplan

Here’s how to set up /etc/netplan/01-netcfg.yaml for the LAN interface. Ensure that “fdxx:xxxx” is changed to a suitable ULA prefix. I use ULAs because they provide guaranteed static addresses for internal services that cannot leak to the outside internet, and they keep the local network working when the internet is down. Substitute the MAC address of the LAN interface.

# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    enp1s0f0:
      match:
        macaddress: xx:xx:xx:xx:xx:xx
      addresses: ["fdxx:xxxx::1/64", 192.168.1.1/24]
      dhcp4: false
      dhcp6: false
      accept-ra: false
      set-name: lan

Here’s how to set up /etc/netplan/02-wancfg.yaml for the WAN interface. Again, set the correct MAC address.

# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    enp1s0f2:
      match:
        macaddress: xx:xx:xx:xx:xx:xx
      dhcp4: true
      dhcp6: false
      accept-ra: false
      set-name: wan

You will notice that dhcp6 and accept-ra are disabled. This is intentional, as enabling either of these will invoke the ISC DHCP client for IPv6, which prevents the wide-dhcpv6-client service from functioning.
Run sudo netplan generate when done. This will render a network config that will be applied the next time the system boots.

Allow DHCPv6 through the firewall

The DHCPv6 client receives server replies on UDP port 546 (servers listen on port 547). Traffic to this port must be explicitly allowed in order to receive an address allocation through DHCPv6.

Add the following line to /etc/iptables/rules.v6:

-A INPUT -d fe80::/64 -i wan -p udp -m state --state NEW -m udp --dport 546 -j ACCEPT

Enable forwarding and router advertisements

Uncomment the following line in /etc/sysctl.conf to enable forwarding:

net.ipv6.conf.all.forwarding=1

Because enabling forwarding stops the kernel from accepting router advertisements (RA), acceptance must be manually re-enabled on the WAN interface. Because netplan needs accept-ra set to ‘false’ to prevent ISC from blocking the interface, we need to enable it through /etc/rc.local:

#!/bin/sh -e

#Enable router advertisements on WAN
sysctl -w net.ipv6.conf.wan.accept_ra=2
sysctl -p

exit 0

Install WIDE DHCPv6 Client

Install the wide-dhcpv6-client apt package, then modify /etc/wide-dhcpv6/dhcp6c.conf:

# Default dhcp6c configuration: it assumes the address is autoconfigured using
# router advertisements.
profile default
{
  information-only;
  request domain-name-servers;
  request domain-name;
  script "/etc/wide-dhcpv6/dhcp6c-script";
};
interface wan {
  send ia-na 1;
  send ia-pd 0;
};
id-assoc na 1 {
};
id-assoc pd 0 {
  prefix-interface lan {
    sla-id 1;
    sla-len 8;
  };
};

This enables both IA-NA and IA-PD (something netplan + ISC cannot do right now). The “sla-id 1” will assign the second /64 prefix to the LAN interface. We’re saving the first /64 (sla-id 0) for the WAN interface.

RADVD Configuration

RADVD provides router advertisements to your local network. You must use the same prefix assigned to your LAN interface by wide-dhcpv6-client (sla-id 1), hence the “01” at the end of the prefix.

Here is /etc/radvd.conf:

interface lan
{
  AdvSendAdvert on;
  AdvOtherConfigFlag on;
  prefix fdxx:xxxx::/64
  {
    AdvOnLink on;
    AdvAutonomous on;
  };
  prefix 2403:5800:xxxx:xx01::/64
  {
    AdvOnLink on;
    AdvAutonomous on;
  };
  RDNSS fdxx:xxxx::1 { };
};

Only add the RDNSS line if you are running a local DNS server.
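
How sla-id and sla-len turn the delegated /56 into the LAN prefix that radvd advertises and the sla-id 0 subnet saved for the WAN, as an added example (not from the original post, and generalised to any delegation length). The function names and the 2001:db8 delegation are assumptions made for illustration.

```python
import ipaddress

def sla_subnet(delegated, sla_id, sla_len):
    """Subnet for one interface: the delegated prefix with sla_id appended
    as an sla_len-bit field (sla-id / sla-len in dhcp6c.conf)."""
    pd = ipaddress.IPv6Network(delegated)  # strict: rejects stray host bits
    new_len = pd.prefixlen + sla_len
    if new_len > 64:
        raise ValueError("prefix + sla-len exceeds /64; no room for a 64-bit interface ID")
    if not 0 <= sla_id < 2 ** sla_len:
        raise ValueError(f"sla-id {sla_id} does not fit in {sla_len} bits")
    base = int(pd.network_address) | (sla_id << (128 - new_len))
    return ipaddress.IPv6Network((base, new_len))

def radvd_prefix_stanza(net):
    """Render a prefix block in the same form as the radvd.conf above."""
    if net.prefixlen != 64:
        raise ValueError("AdvAutonomous (SLAAC) needs a /64")
    return (f"  prefix {net}\n  {{\n"
            "    AdvOnLink on;\n    AdvAutonomous on;\n  };\n")

def wan_router_address(delegated, sla_len):
    """First host address in the sla-id 0 subnet, kept aside for the WAN side."""
    return sla_subnet(delegated, 0, sla_len)[1]

# Constructed delegation from the documentation range, not a real ABB prefix.
DELEGATED = "2001:db8:1234:5600::/56"

if __name__ == "__main__":
    lan = sla_subnet(DELEGATED, sla_id=1, sla_len=8)
    print(radvd_prefix_stanza(lan), end="")
    print("WAN address:", wan_router_address(DELEGATED, 8))
```
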

Final steps

This should be enough for the router to provide IPv6 to your network. Reboot the router and see how it works. However, the /128 address assigned to the router doesn’t appear to give the router itself IPv6 access. You need to give it an IP address from within your assigned /56 delegated prefix.

sudo ip addr add 2403:5800:xxxx:xx00::1/64 dev wan

Unfortunately, it appears you need to do this manually after the interface has come up, which means this is a manual process to be done on each boot. I’ll update here if I find a reliable way to trigger it automatically.

Debugging

If things go wrong, it’s necessary to see what DHCPv6 is doing.

sudo tcpdump -i wan -vv -n port 546

Run this command from one terminal and run sudo service wide-dhcpv6-client restart from another. I’ve found ABB’s DHCP server will respond with UnspecFail quite a lot, and when this happens, I find it’s necessary to reboot everything, including the modem. It’s also worth checking that you have a default route:

$ ip -6 route | grep default
default via fe80::2a2:ff:feb2:c2 dev wan proto ra metric 1024 expires 1702sec hoplimit 64 pref high

If you don’t have a default route, chances are that net.ipv6.conf.wan.accept_ra is not set to ‘2’. The default route is only configured if RAs are accepted by the interface. Lastly, make sure you have the /128 on the WAN interface and /64 global IP addresses on both the WAN and LAN interfaces:

$ ip addr show lan
2: lan: mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:36:9f:71:f1:58 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global lan
       valid_lft forever preferred_lft forever
    inet6 2403:5800:xxxx:xx01:xxxx:xxxx:xxxx:xxxx/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fdxx:xxxx::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::a236:9fff:fe71:f158/64 scope link
       valid_lft forever preferred_lft forever

$ ip addr show wan
3: wan: mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:36:9f:71:f1:5a brd ff:ff:ff:ff:ff:ff
    inet 119.18.xxx.xxx/22 brd 119.18.27.255 scope global dynamic wan
       valid_lft 1235sec preferred_lft 1235sec
    inet6 2403:5800:xxxx:xx00::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2403:5800:xxxx:xx:xxxx:xxxx:xxxx:xxxx/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::a236:9fff:fe71:f15a/64 scope link
       valid_lft forever preferred_lft forever
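
The debugging checklist above, turned into a script that reports which checks fail. This is an added example, not part of the original post; the function names are assumptions and the sample output is constructed with documentation addresses.

```python
import ipaddress
import re

ULA = ipaddress.IPv6Network("fc00::/7")

def has_ra_default_route(route_out, dev):
    """True if `ip -6 route` shows a default route on dev learned from an RA."""
    pat = rf"^default via \S+ dev {re.escape(dev)} .*\bproto ra\b"
    return re.search(pat, route_out, re.M) is not None

def global_prefix_lengths(addr_out):
    """Prefix lengths of the non-ULA `scope global` inet6 addresses."""
    lengths = set()
    for addr, plen in re.findall(r"inet6 (\S+)/(\d+) scope global", addr_out):
        if ipaddress.IPv6Address(addr) not in ULA:
            lengths.add(int(plen))
    return lengths

def diagnose(route_out, wan_out, lan_out, accept_ra):
    """Return the list of failed checks; an empty list means all passed."""
    problems = []
    if accept_ra != 2:
        problems.append("net.ipv6.conf.wan.accept_ra is not 2")
    if not has_ra_default_route(route_out, "wan"):
        problems.append("no RA-learned default route on wan")
    wan = global_prefix_lengths(wan_out)
    if 128 not in wan:
        problems.append("wan has no /128 (IA-NA) address")
    if 64 not in wan:
        problems.append("wan has no global /64 address")
    if 64 not in global_prefix_lengths(lan_out):
        problems.append("lan has no global /64 (IA-PD) address")
    return problems

# Constructed sample output using documentation addresses (2001:db8::/32).
ROUTE = "default via fe80::1 dev wan proto ra metric 1024 pref high\n"
WAN = ("    inet6 2001:db8:1234:5600::1/64 scope global\n"
       "    inet6 2001:db8:ffff::abcd/128 scope global\n"
       "    inet6 fe80::2/64 scope link\n")
LAN = ("    inet6 2001:db8:1234:5601::1/64 scope global\n"
       "    inet6 fd00:1234::1/64 scope global\n"
       "    inet6 fe80::3/64 scope link\n")

if __name__ == "__main__":
    print(diagnose(ROUTE, WAN, LAN, accept_ra=2) or "all checks passed")
```

On the router, pass it the output of ip -6 route, ip addr show wan and ip addr show lan, plus the integer printed by sysctl -n net.ipv6.conf.wan.accept_ra.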

Metric Cooking: So Far off the Mark

I’ve spent a little time in the kitchen as of late. I’ve been pulling recipes from old and new cookbooks, and of course from the internet. One thing I’ve come to realise is that precisely nobody in the industry uses the metric system correctly.


Bypass Netflix Geoblocks with IPv6 [Defunct 06/16]

[UPDATE June 2016]: Netflix have blocked all HE IPv6 tunnels. Deploying IPv6 via HE’s tunnel mechanism will actually now break even the most legitimate of configurations from any country.

There’s been a lot of talk (and action) as of late as Netflix starts crumbling under the irrational demands of the content owners. It seems it’s no longer acceptable to view content from behind the IP of a node that’s known to obscure the true location of the endpoint (i.e. a VPN or proxy).


A Political/Economic Rant: Why Holding an Absolute Position is Absolutely Wrong

Many people these days would categorise a government/economy as one of four types: Capitalist, Socialist, Communist or Fascist. These are well known to be completely different and are assumed by many to be incompatible with one another, and many conclude that any particular nation would fall into one, and only one, of these categories. Some people choose a favourite and form very strong opinions to defend their position.


Hacking the Realtek DVB RTL2832U into Linux by hand

I had the misfortune of purchasing two of these PCIe TV tuners (as per lsusb):

Bus 004 Device 002: ID 1f4d:a803 G-Tek Electronics Group
Bus 003 Device 002: ID 1f4d:a803 G-Tek Electronics Group

I’d assumed that the RTL2832U was a common chipset, and would detect on a stock kernel. How wrong I was. Not only do you need to compile media_build, you need to patch media_build for this card to detect.


Insulating a Car on the Cheap

Here’s a one-day, $30 mod you can do to your car if it has interior rattles, road noise, or if the car is too loud and buzzy from outside once the subwoofers kick in. Mine exhibited all of these problems.


Let’s Encrypt is in Beta

It appears that Let’s Encrypt has started its closed beta as of 29th October 2015. I’ve managed to get in on it, and Ubermotive is running on a brand new SSL certificate signed by the Let’s Encrypt CA. I’ve gone through the site and replaced most HTTP links with HTTPS ones and also forced HTTPS site-wide (you’ll get a redirect if you attempt to enter by HTTP). So far, so good.


Integrating Netflix into MythTV

Well, MythTV launched in Australia today. I couldn’t have my wife trying to start/stop the MythTV frontend and poke around looking for web browsers, typing URLs and maximising windows and whatnot, so I quickly banged up a Netflix launch button for MythTV.


Every Automated Billing System Ever is Shit

This is a part of the world that I don’t understand. There are so many companies out there who need to perform the simple task of measuring the service they provide and billing it at a set interval. I really don’t think I’m being naive when I say it’s a simple task – I’m a software engineer, and throughout my career, I’ve written ledger interfaces for a 30 billion dollar super fund, reverse-engineered communications protocols for dozens of devices, and written code for everything from firmware to websites on many major platforms. While possessing the capability to develop literally any of the billing systems I deal with month-to-month, I often find myself unable to perform the simplest of tasks.  I’ll start with the absolute worst.


On IPv6

What the hell is IPv6, and why should I care?

It’s the next generation of Internet protocol. You’ve probably heard that the world has pretty much run out of IPv4 addresses. Sure, four billion sounded like a lot of endpoints when it was first drafted, but absolutely nobody predicted this sort of growth. In layman’s terms, the v4 internet is full, and we need to build a bigger one.