Aiccu/OpenBSD
Attention: Stay tuned for latest update using OpenBSD 5.7!
Installing aiccu for SixXS on OpenBSD is very simple. Tested on OpenBSD 5.1, but it will most likely work on releases newer than OpenBSD 4.8, too.
Installation on OpenBSD is simple because most of the tools are already installed.
OpenBSD Base Configuration
Use, e.g., a freshly installed OpenBSD 5.7 on your favoured platform.
Examples below are taken from a WRAP based installation using a 1 GB CF card.
System:
# dmesg | awk 'NR == 1 { print $0 }'
OpenBSD 5.7-stable (GENERIC) #3: Fri Oct 16 20:49:04 CEST 2015
/etc/fstab
# cat /etc/fstab
/dev/wd0a / ffs rw 1 1
swap /var mfs rw,-P=/proto/var,-s=65535,noexec,nosuid,nodev 0 0
swap /dev mfs rw,-P=/proto/dev,-s=2400,-i=128,noexec,nosuid 0 0
Base network configuration
cat /etc/hostname.vr0
dhcp
inet6 alias 2001:dead:beaf::1
Ensure that this is connected to the internal LAN. See Network Concepts below.
Timezone
Ensure the correct timezone is configured and ntpd is enabled.
# cat /etc/rc.conf.local
ntpd_flags="-s"         # enabled during install
Don't forget to adjust your local timezone; otherwise aiccu will not start.
# ls -l /etc/localtime
lrwxr-xr-x  1 root  wheel  39 Sep  3 00:19 /etc/localtime -> \
        /usr/share/zoneinfo/right/Europe/Berlin
For any further questions consult the OpenBSD FAQ and manuals.
Aiccu
Install Aiccu
# export PKG_PATH=ftp://your.ftp.mirror/pub/OpenBSD/5.7/packages/`machine -a`/
# pkg_add aiccu
That's all you have to do to install aiccu.
Configure Aiccu
aiccu is configured through a single file.
Location: /etc/aiccu.conf
# $Revision: 1.2 $
# $Log: aiccu.conf,v $
# Revision 1.2  2012/09/02 17:50:42  root
#
username YOUR-SIXXS/T1234
password Onlyyouknow
protocol tic
server tic.sixxs.net
ipv6_interface gif0
verbose true
daemonize true
automatic true
requiretls false
pidfile /var/run/aiccu.pid
defaultroute true
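The configuration above stores the SixXS password in cleartext, and with requiretls false aiccu is allowed to continue the TIC session when the server does not offer TLS. The following check for both points is an added example, not part of the original page; the function name audit_aiccu_conf is hypothetical and the sample file is constructed.

```sh
#!/bin/sh
# Added example, not part of the original page. The function name is
# hypothetical; the checks cover the password and requiretls lines above.

# audit_aiccu_conf FILE: print one finding per line, return their count.
audit_aiccu_conf() {
    conf=$1
    findings=0

    if [ ! -r "$conf" ]; then
        echo "READ: cannot read $conf"
        return 1
    fi

    # The file holds the account password in cleartext, so group and
    # other need no access. Characters 5-10 of the ls mode string are
    # the group and other permission bits.
    mode=$(ls -ld "$conf" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "PERM: group/other can access $conf (want mode 600)"
        findings=$((findings + 1))
    fi

    # Commented-out lines do not match; if the key appears more than
    # once, the last line is the one reported.
    tls=$(awk '$1 == "requiretls" { v = $2 } END { print v }' "$conf")
    if [ "$tls" != "true" ]; then
        echo "TLS: requiretls is '${tls:-unset}', not 'true'"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Constructed sample mirroring the configuration shown above.
sample=$(mktemp)
printf '%s\n' 'username YOUR-SIXXS/T1234' 'password Onlyyouknow' \
    'requiretls false' > "$sample"
chmod 644 "$sample"
audit_aiccu_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```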
Aiccu StartUp configuration
Since OpenBSD 4.9, daemons are controlled through rc.d scripts in the /etc/rc.d directory. They are configured with specific parameters in /etc/rc.conf.local (see man rc.d and man rc.conf.local for further details).
Just add pkg_scripts="aiccu" to /etc/rc.conf.local and aiccu will be started as a daemon.
# cat /etc/rc.conf.local
ntpd_flags="-s"         # enabled during install
pkg_scripts="aiccu"     # enable aiccu start
aiccu can be controlled manually
# /etc/rc.d/aiccu
usage: /etc/rc.d/aiccu [-df] {start|check|reload|restart|stop}
That is all. aiccu will be launched as a daemon after a reboot.
rtadvd
Configure rtadvd
rtadvd is the router advertisement daemon in OpenBSD. Default configuration file is /etc/rtadvd.conf.
cat /etc/rtadvd.conf
# $Id: rtadvd.conf,v 1.1 2012/09/02 17:49:12 root Exp $
# $Author: root $
# $Date: 2012/09/02 17:49:12 $
# $Revision: 1.1 $
# $Log: rtadvd.conf,v $
#
sis0:\
    :addrs#1::addr="2001:dead:beaf::":prefixlen#64:raflags#64:
sis0 is the first network interface, e.g. on a PC Engines WRAP single board computer. Please check your individual hardware configuration.
Enable ipv6 forwarding in /etc/sysctl.conf
net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of IPv6 packets
Enable manually
# sysctl net.inet6.ip6.forwarding=1
net.inet6.ip6.forwarding: 0 -> 1
Start rtadvd
Modify the interface for rtadvd in /etc/rc.local.
rtadvd_flags=vr0        # for normal use: list of interfaces
                        # be sure to set net.inet6.ip6.forwarding=1
Populate rtadvd with your IPv6 network
cat /etc/rtadvd.conf
#
vether0:\
    :addr="2001:dead:beaf::":prefixlen#64:raflags#64:
Be sure you use the correct interface according to your requirements. The interfaces used within this example map to the network concept shown below.
Start /usr/sbin/rtadvd manually.
Familiarize yourself with rcctl, which configures and controls daemons and services.
Network Concepts
One possible design is to connect an OpenBSD ipv6 router inside your lan. Connect your ipv6 OpenBSD router to a lan interface of your ipv4 Cable/DSL router. If you use aiccu on an OpenBSD router connected directly to the internet, check the rtadvd configuration carefully. Don't advertise your own ipv6 addresses on your WAN interface!!!!
Network Topology

                                      Your
   (....)                            Router                        ALIX
(          )                         ______                       _______
(          )         Modem          | if1  |<===================>| vr0   |
(          )      ___________       |      |                     |       |
( internet )====>|Cable/DSL  |=====>| ipv4 |                     | ipv6  |
(          )     |___________|      |      |                     |       |
(          )     |            dhcp  | if4  |=====>( LAN )        |       |
(          )     |                  |______| (10.x.1.0/24)       |_______|
   (....)        |                           (2000::dead:beaf::/48)
                 |  SIXXS Tunnel
   (....)        |
(          )     |
(          )     |
(          )     |
(   Ipv6   )====>|
(          )
(          )
(          )
   (....)
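The warning above about router advertisements on the WAN side can be checked mechanically. rtadvd only advertises on the interfaces named on its command line (rtadvd_flags), and rtadvd.conf holds one entry per interface. The following is an added example, not part of the original page; the function names are hypothetical, the list of upstream interfaces (WAN or tunnel) is supplied by the caller, and the sample configuration is constructed.

```sh
#!/bin/sh
# Added example, not part of the original page. Function names and the
# list of upstream interfaces are assumptions supplied by the caller.

# rtadvd_conf_ifaces FILE: print the entry names of an rtadvd.conf.
rtadvd_conf_ifaces() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        /^[ \t]*:/               { next }   # continuation of an entry
        { sub(/[:|].*/, ""); print }        # keep the name before ":"
    ' "$1"
}

# in_list WORD "LIST": succeed if WORD is one of the words in LIST.
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# check_ra_ifaces CONF "RTADVD_FLAGS" "UPSTREAM_IFS"
# Returns the number of upstream interfaces that rtadvd is started on
# (ACTIVE) or that only have a configuration entry (DORMANT).
check_ra_ifaces() {
    conf=$1 flags=$2 upstream=$3
    conf_ifs=$(rtadvd_conf_ifaces "$conf")
    found=0
    for up in $upstream; do
        if in_list "$up" "$flags"; then
            echo "ACTIVE: rtadvd_flags lists upstream interface $up"
        elif in_list "$up" "$conf_ifs"; then
            echo "DORMANT: rtadvd.conf has an entry for $up"
        else
            continue
        fi
        found=$((found + 1))
    done
    return "$found"
}

# Constructed sample: LAN entry as on this page plus a stray tunnel entry.
sample=$(mktemp)
printf '%s\n' 'vr0:\' '    :addr="2001:dead:beaf::":prefixlen#64:raflags#64:' \
    'gif0:\' '    :addr="2001:dead:beaf:1::":prefixlen#64:' > "$sample"
check_ra_ifaces "$sample" "vr0" "gif0" || echo "findings: $?"
rm -f "$sample"
```

A DORMANT finding does not advertise anything by itself, but it becomes active as soon as that interface is added to rtadvd_flags.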
Firewall PF
These are the firewall rules for the example shown above. Adapt them according to your requirements.
#
# --- Simple pf.conf for ipv4 and ipv6 (aiccu)
#

# Macros
int_if = "vr0"          # macro for internal interface
ext_if = "vr0"          # assumption: interface carrying the proto 41 tunnel
                        # traffic (vr0 in the topology above); the rules
                        # below use $ext_if, which was otherwise undefined
tun_if = "gif0"         # macro for aiccu tunnel interface
localnet = $int_if:network
mytunnelstart = 2001:dead:beef:fdb8::1
mytunnelendpoint = 2001:dead:beef:fdb8::2

# don't filter on the loopback interface
set skip on lo0

# scrub incoming packets
match on $tun_if scrub (no-df)

#
# --- ipv6 rule set
#

# block in/out on $tun_if
block in log on $tun_if inet6
block out log on $tun_if inet6

# keep alive rules
pass out log proto 41 from ($ext_if) to [PoP IPv4 Endpoint] keep state
pass in log proto 41 from [PoP IPv4 Endpoint] to ($ext_if) keep state

# allow heartbeat ping
pass in log quick on $tun_if inet6 proto { ipv6-icmp } from $mytunnelstart to $mytunnelendpoint keep state

# pass tcp, udp, and icmp6 out on the ipv6 tunnel interface.
pass out log quick on $tun_if inet6 proto { tcp udp ipv6-icmp } keep state
Find a more sophisticated router pf configuration here: https://www.sixxs.net/wiki/IPv6_Firewalling#OpenBSD_support