How to Build a Virtual Dual Stack Router with FreeBSD 9.1 and VirtualBox

Lawrence E. Hughes
1 Aug 2013

There are times you need a router (or three) when learning networking, designing networks, developing network applications, or even writing about multi-subnet networks. It may not be convenient or within your budget to use commercial physical routers. You may need features not commonly found in, or available as add-ons to, commercial routers. If you are building virtual networks, it may be impossible or very difficult (and probably a violation of the license terms) to deploy virtual routers from commercial router ISO images. For one thing, commercial router hardware may not look much like a generic PC, which is what VMware and VirtualBox emulate.

You can also install and configure this software on a physical box (assuming it runs FreeBSD i386 or amd64 and has at least two NICs supported by FreeBSD). This is very handy when you need one or more real routers in a hurry, on the cheap, or with unusual capabilities. If you buy generic "firewall appliance" boxes from Lanner or other vendors, the end result is a very capable yet inexpensive router that is easy to upgrade. All it will be missing is GUI management and exotic interfaces like V.35, but you can manage it via ssh and, if needed, get adapter cables that present those interfaces on an Ethernet RJ-45 port.

When you start working with IPv6, any routers you have lying around may have limited (or no) support for it. Unlike layer 2 devices (NICs and switches), layer 3 devices (routers and firewalls) must have explicit support for IPv6; there are no free rides here, as there are at layer 2. Older physical routers and firewalls are very much designed around IPv4 and NAT. For IPv6 you want bidirectional routing without any NAT, and you may even want the same for a large private IPv4 block that spans routers.
This may be difficult or clumsy to do with commercial routers even if they support IPv6, especially low-end SOHO models. You may want support for IPsec and/or multicast, which may not be present in the commercial routers you have available, even mid-range ones (unless you pay a lot extra for an upgraded version of IOS). For all of these reasons (and more) you may want to build a software router based on an open source OS. All of the software components are readily available in the standard distribution, and you can even include a packet filter such as pf to turn it into a firewall.

You can even create virtual routers. FreeBSD-based software routers are very easy to run in VirtualBox, and you can create any number of copies (completely legally) to build very complex multi-subnet networks (given enough RAM). They only require 256MB of RAM (and you can reduce even that with a bit of work). A Windows 7 box with 16GB can run a dozen or more nodes (especially if most of them are running FreeBSD or Linux), including multiple subnets and routers, using VirtualBox. You configure a FreeBSD router using ssh and your favorite full-screen editor (vi or uemacs).

Many current network professionals may not remember a time when a router was a software application that ran on UNIX. Ever since Cisco created a custom router-oriented operating system (IOS) and put it in a custom hardware box optimized for routing (including various interface modules), a router has been a box to most network engineers, as opposed to a software application. The good news is that in many cases a software router running on a general purpose OS, in addition to being much cheaper, is actually much more useful and flexible (and, in my opinion, much easier to configure; IOS is not particularly easy to master).
Given how cheaply powerful CPUs and large amounts of memory can be had today, compared with the CPUs and memory found in most commercial routers, a software router may well outperform many hardware routers as well (especially if you use good quality Intel NICs).

Copyright © 2013, Lawrence E. Hughes – All Rights Reserved, Worldwide

If you build a virtual router in VirtualBox, there is no need for a GUI (e.g. GNOME or KDE), so an 8GB virtual HDD and 256MB of RAM (or even less) are adequate when you create the virtual appliance. By eliminating unneeded parts of the OS you can reduce the requirements even more. This last optimization may require rebuilding FreeBSD, which is beyond the scope of this document.

You can create as many virtual network interfaces as you need (up to 4 using the GUI) on a given virtual machine. Normally a router needs two: one to connect to the external subnet and one to connect to the internal subnet. In VirtualBox you can have as many internal subnets as you like; just connect a virtual network interface to an "internal network" and give that internal network a name. Magically you have a virtual subnet. Each named internal network is separate from all other named internal networks (you can call these virtual networks or virtual subnets, though "link" is actually the correct term). You can connect any number of virtual machines to a given named internal network (just use the same internal network name when you connect the virtual network interfaces). For example, if you connect interfaces on four virtual machines to internal network int1, they are all connected to each other.

If you want to connect a virtual interface in parallel to the host computer's physical network interface, select "bridged adapter" instead of "internal network". It will behave as if a separate network interface were connected to the same physical subnet to which the host computer is connected.
The guest can then obtain an address valid on the physical network via DHCPv4 or SLAAC, or you can assign valid static addresses. In this example, we will bridge the external interface of the virtual router to the physical LAN, but connect the internal interface of the virtual router to internal network int1. Other nodes we connect to int1 will be on the internal subnet, behind the virtual router.

For example, you might have two virtual routers, router A and router B. The external network interface of router A could be connected to your physical network (bridged adapter) and the internal network interface to internal network int1. The external network interface of router B might be connected to internal network int1 and its internal network interface to internal network int2. Any number of internal virtual nodes could be connected to either internal network (int1 or int2). You don't need to create or configure these named internal networks; just use them. Create as many as you like. VirtualBox will manage them for you. This is much easier than setting up two physical routers, two switches and a bunch of network cables.

Getting the FreeBSD 9.1 Installation Media

To obtain the FreeBSD installation media, download it from www.freebsd.org. Versions are available for i386 (Intel 32-bit x86 architecture) and amd64 (AMD 64-bit or "Intel 64" architecture). Determine what type of CPU you have in your host computer and download the correct version. In VirtualBox, to install a 64-bit guest operating system (e.g. FreeBSD 9.1 amd64) you must be running a 64-bit host operating system (e.g. Windows 7 Professional 64-bit). You must also be running the 64-bit version of VirtualBox. Furthermore, the host computer must support hardware virtualization (called "VT-x" on Intel CPUs and "AMD-V" on AMD CPUs). If any of this is not present, you can always run 32-bit guest operating systems (e.g. FreeBSD 9.1 i386), even under a 64-bit host OS.
For a router, unless you are using IPsec or need more than 3GB of RAM, there is not much advantage to running 64-bit. The 32-bit version is fine for a virtual router. You should download the FreeBSD "DVD-1" ISO image. You do not need to burn a DVD; VirtualBox can mount and install from an ISO image directly.

These instructions will guide you through creating a basic dual stack router for use in VirtualBox. It does include a DHCPv4 server (for automated IPv4 network configuration) and a Router Advertisement daemon (to support IPv6 Stateless Address Autoconfiguration, or SLAAC). These instructions do not include installing or configuring dynamic routing protocols like RIPv2, RIPng, OSPFv2, OSPFv3 or BGP, or multicast routing. Those can be installed in a FreeBSD-based virtual router, and will be covered in a separate paper. Another paper will guide you through adding pf to turn your router into a firewall with stateful packet filtering. Yet another paper will describe deploying IPsec in a virtual router or virtual node, complete with IKEv2 and IPsec digital certificates. Or you can simply buy SolidGate, which has all of this done, complete with a GUI usable from any web browser.

Preparing for FreeBSD 9.1 Basic Install on VirtualBox

The following steps assume you have downloaded an ISO image of the FreeBSD 9.1 install DVD onto your computer. They also assume you have installed VirtualBox 4.2.14 (or later). If you haven't done either of these things yet, do so now.

1. Download, install and run VirtualBox on your host computer
The current version of VirtualBox for Windows (as of the writing of this white paper) is 4.2.14. You should also download and install the corresponding "extension pack". The extension pack includes some components licensed under different terms, but it improves the functionality of VirtualBox.

2. Create a new virtual machine
In VirtualBox, click the New button (the serrated round blue icon at the top).

3. New Virtual Machine Wizard
When you see a dialog box saying Welcome to the New Virtual Machine Wizard, click Next.
In the VM Name and OS screen, for Name, enter router1 (or some other appropriate name). You can enter the fully qualified domain name if you like (e.g. router1.v6lab.edu). This is used only to identify the virtual machine. For Operating System, select BSD. For Version, select FreeBSD (64 bit) (or as appropriate). Click Next.
On the Memory screen, select 256MB. Click Next. Assuming you don't install any GUI (e.g. GNOME or KDE), this will be ample. If you are a FreeBSD guru you can reduce this even further by rebuilding the OS and leaving out any unnecessary components or device drivers.
On the Virtual Hard Disk screen, accept the defaults. Click Next.
On the Virtual disk creation wizard screen, accept the default (VDI). Click Next.
On the Virtual disk storage details screen, accept the default (Dynamically allocated). Click Next.
On the Virtual disk file location and size screen, accept the default location and change the disk size to 8GB. You might get by with less if you don't install the complete source (src). You may need more if you plan to rebuild FreeBSD. Click Next.
On the Summary screen, review your selections and then click Create. The new virtual machine should appear in the main list and be highlighted.

4. Settings - Storage
Click on the Settings icon (yellow cog wheel) at the top left corner of VirtualBox. In the Settings dialog, select the Storage tab. Under the IDE Controller there are two items. The first is the virtual hard disk drive, and the second is the virtual optical drive. Click on the virtual optical drive. On the right, under Attributes, click on the optical disk medium icon. From the resulting pull-down menu, select Choose a virtual CD/DVD disk file...
Now select the ISO image of the FreeBSD 9.1 install DVD. If you are installing the 64-bit version, use the amd64 install DVD. If you are installing the 32-bit version, use the i386 install DVD. Do not dismiss the Settings dialog box yet.

5. Settings - Network
In the Settings dialog, select the Network tab. By default, one network adapter has been enabled, but not yet configured.
If you want this network adapter connected to the physical LAN that the host computer is connected to, select Bridged Adapter and, in the next menu below, choose the appropriate network adapter on the host (e.g. Realtek PCIe GBE Family Controller). If you import this appliance onto another computer, you may have to change the physical network interface it is bridged to. Note that if you later change your physical connection to a different interface (e.g. from wired Ethernet to WiFi) you will need to change this selection manually.
If you want this network adapter connected to an internal (virtual) network, choose Internal Network, and either enter a new network name (e.g. int1) if this is the first virtual interface connected to this virtual network, or choose an existing virtual network name from the pull-down list. Remember that all interfaces connected to a given named internal network are on the same link, and can communicate with each other via link-local addresses. Nodes connected to a named internal network can communicate with nodes on other networks only if routers connect this internal network to those other networks, and you have enabled packet forwarding on those routers.
In either case, click the Advanced item if you want to select the virtual adapter type, control promiscuous mode or alter the MAC address. Leave promiscuous mode at Deny unless a guest genuinely needs to see other guests' traffic; with Allow All, any guest on that link can sniff the others. If you click the green rotary arrows, VirtualBox will generate a new random MAC address for this virtual interface.
If you import another virtual router from the same virtual appliance, you should randomize the MAC addresses of each interface when you import it (or you can randomize them later). VirtualBox has mechanisms for this. Two guests with the same MAC address on the same link will fight over it and break connectivity for both.
Now create a second virtual network interface by clicking on the Adapter 2 tab. Enable the second interface by clicking on Enable Network Adapter (a check will appear when it is enabled). Configure it as before, but connected to a different network (typically an internal network, e.g. "int1"). Dismiss the Settings dialog box by clicking OK at the bottom.

6. Start Virtual Machine
Double click on the new virtual machine name in the main list to "power it on". FreeBSD will begin loading. Continue as with a FreeBSD installation on a physical machine.

Basic Install - FreeBSD 9.1

In the following steps, select the recommended response (or an appropriate response for your case). You can use the up and down arrows on the keyboard, or the Tab key, to highlight any of the options. Once the desired option is highlighted, pressing Enter will execute that selection. In many cases (e.g. Yes, No, A for Auto defaults, Q to finish), typing the first letter of the option will select and execute it immediately.

1. Begin installation
If you were doing a FreeBSD install on a physical machine, at this point you would insert a bootable installation CD or DVD and boot from it. The steps done above in VirtualBox are the equivalent of this. There will be various "loading" messages for a few minutes while the installer probes your hardware, after which you will see a "Welcome to FreeBSD!" screen (including ASCII art of the FreeBSD logo) with a 10 second countdown. You can hit Enter to proceed immediately, or just wait for it to count down, at which time it will proceed by itself. The installer will probe your hardware and select appropriate drivers. This takes a few minutes; be patient.
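The VirtualBox side of the preparation steps above (create the VM, attach the disk and the install ISO, wire up the two adapters) can also be done with VBoxManage, which is how you build router A and router B from the earlier example identically instead of clicking through the GUI twice. The script below is an added example and is not part of the original paper; the VM names, the ISO path, the host NIC name used as the bridge target and the IDE controller name are all assumptions to adjust for your host.

```shell
#!/bin/sh
# Added example, not part of the original paper: the VirtualBox side of the
# preparation steps (create the VM, attach the disk and the install ISO, wire
# up the two adapters) as VBoxManage commands, so that a second or third router
# can be built exactly like the first instead of clicking through the GUI.
# Assumptions (none of these come from the paper): the VM names, the ISO path,
# the host NIC name passed as the bridge target, and the IDE controller name.
# By default this only prints the commands (dry run); set VBOX_APPLY=1 to run them.

# Print the VBoxManage commands for one router.
#   $1 VM name, $2 path to the FreeBSD install ISO,
#   $3 external adapter kind: "bridged" ($4 = host NIC) or "intnet" ($4 = internal net name),
#   $5 name of the internal network for adapter 2.
vbox_router_cmds() {
    name=$1 iso=$2 ext_kind=$3 ext_name=$4 int_name=$5
    case $ext_kind in
        bridged) ext_opts="--nic1 bridged --bridgeadapter1 \"$ext_name\"" ;;
        intnet)  ext_opts="--nic1 intnet --intnet1 \"$ext_name\"" ;;
        *) echo "vbox_router_cmds: external adapter must be bridged or intnet" >&2; return 1 ;;
    esac
    cat <<EOF
VBoxManage createvm --name "$name" --ostype FreeBSD_64 --register
VBoxManage modifyvm "$name" --memory 256 --boot1 dvd --boot2 disk
VBoxManage createhd --filename "$name.vdi" --size 8192
VBoxManage storagectl "$name" --name IDE --add ide
VBoxManage storageattach "$name" --storagectl IDE --port 0 --device 0 --type hdd --medium "$name.vdi"
VBoxManage storageattach "$name" --storagectl IDE --port 1 --device 0 --type dvddrive --medium "$iso"
VBoxManage modifyvm "$name" $ext_opts --macaddress1 auto --nicpromisc1 deny
VBoxManage modifyvm "$name" --nic2 intnet --intnet2 "$int_name" --macaddress2 auto --nicpromisc2 deny
EOF
}

# Command that detaches the install ISO after the first reboot (otherwise the
# installer starts again, as the paper warns).
vbox_router_eject_cmd() {
    echo "VBoxManage storageattach \"$1\" --storagectl IDE --port 1 --device 0 --type dvddrive --medium emptydrive"
}

# Dry run by default; with VBOX_APPLY=1 the commands are executed.
vbox_router() {
    cmds=$(vbox_router_cmds "$@") || return 1
    if [ "${VBOX_APPLY:-0}" = 1 ]; then
        printf '%s\n' "$cmds" | sh -e
    else
        printf '%s\n' "$cmds"
    fi
}

ISO=/path/to/FreeBSD-9.1-RELEASE-amd64-dvd1.iso   # assumption: adjust to where you saved it
HOST_NIC="em0"                                     # assumption: the host NIC to bridge to
vbox_router routerA "$ISO" bridged "$HOST_NIC" int1   # router A: physical LAN <-> int1
vbox_router routerB "$ISO" intnet int1 int2           # router B: int1 <-> int2
```

Run it once as a dry run and read the printed commands, then run it with VBOX_APPLY=1. After the first reboot, run the command printed by vbox_router_eject_cmd to detach the ISO. --macaddress auto is the command-line equivalent of the green rotary arrows, and --nicpromisc deny keeps each guest from seeing the other guests' traffic on the shared internal network.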
You will eventually see a "FreeBSD Installer" screen with three options: <Install> <Shell> <Live CD>. Choose <Install>.

2. Keyboard Mapping
You will next see a screen with the message Would you like to set a non-default key mapping for your keyboard? Choose <No>.

3. Machine Hostname
For the machine hostname, enter any valid UNIX hostname complete with domain name, e.g. vrouter.v6lab.info. Then choose <OK>.

4. Choose optional system components to install
Select doc, lib32, ports, and src (remove games). Choose <OK>. If you are sure you will not need the source, you can save some time and disk space by not selecting src. You can always add it later if needed.

5. Disk Partitioning
This assumes you will use the entire virtual hard disk drive; for other options, see the FreeBSD install documentation.
Choose <Guided>. On the following screen, select <Entire Disk>. On the third screen it will show its proposed partition scheme. Unless you have some really good reason to change this, accept it by choosing <Finish>, and then <Commit>. The installer will then create the specified partitions, create the appropriate file systems in them, and then copy files from the install image into them. This step will take 5 or 10 minutes to complete depending on your system performance.

6. Root password
In these directions, we use the password rootpw. You should carefully choose some other password, and be sure you don't forget or lose it. One good approach is to choose two unrelated words separated by a special character, like purple$house. Password strength increases very rapidly with additional length, but only slowly with additional character sets (e.g. upper case alpha, lower case alpha, numeric and special characters). However, the ability to remember a password decreases rapidly with an increasing number of character sets.
For example, purple$house is thousands of times stronger than pUrpL3, but far easier to remember. Note that "hacker" spelling (substituting 0 for o, 3 for E, etc.) is always tried by password crackers. It may look cool, but it doesn't really add anything to security. The same goes for the placeholder passwords used throughout this paper (rootpw, adminpw): they are there to keep the transcripts readable and must not be used on a real system, even a lab router reachable from your LAN.

You are asked to enter the new password for the root user:

    Please select a password for the system management account (root):
    Changing local password for root
    New password: rootpw                    (the characters won't echo)
    Retype New Password: rootpw             (the characters won't echo)

7. Network Configuration
The following assumes at least one interface of your computer (physical or virtual) is connected to a network that has a properly configured DHCPv4 server and Router Advertisement daemon. If there is no such network connectivity now, provide that before proceeding.
You will see a list of available interfaces to configure. In VirtualBox this is what you will see:

    em0    Intel(R) PRO/1000 Legacy Network Connection 1.0.3
    em1    Intel(R) PRO/1000 Legacy Network Connection 1.0.3

Select the external interface (the interface bridged to your physical network interface, em0) and choose <OK>.
When asked Would you like to configure IPv4 for this interface? choose <Yes>.
When asked Would you like to use DHCP to configure this interface? choose <Yes>. It will then say Trying to Acquire DHCP lease... Assuming there is a DHCPv4 server on your physical LAN (more than likely), FreeBSD will obtain a lease and configure the IPv4 node address, netmask, default gateway and IPv4 address(es) for DNS from DHCPv4.
When asked Would you like to configure IPv6 for this interface? choose <Yes>.
When asked Would you like to try stateless address autoconfiguration (SLAAC)? choose <Yes>.
It will then say Sending Router Solicitation. Assuming it receives a Router Advertisement in response, it will enable IPv6 networking and generate a link-local address and a global unicast address, in addition to determining the IPv6 default gateway.
It will then show the default Resolver Configuration. This shows the search domain and the list of DNS servers discovered previously via DHCPv4. The displayed values may differ in your network.

    Resolver Configuration
    Search        v6edu.net
    IPv6 DNS #1
    IPv6 DNS #2
    IPv4 DNS #1   172.25.0.11
    IPv4 DNS #2

For now, accept these by choosing <OK>.

8. System Time
It will ask if the machine's CMOS clock is set to UTC. Normally it isn't; select <No>. Now choose your time zone, for example Asia / Hong Kong. It will ask you to confirm whether the selected timezone abbreviation (e.g. HKT) looks reasonable. If so, choose <Yes>.

9. System Configuration
Select sshd and ntpd. We will not be installing a GUI, so we don't need moused. Accept these by choosing <OK>.
When asked Would you like to enable crash dumps? choose <No>.

10. Add User Accounts
We will now create a system administrator account (admin). In some situations (e.g. access via ssh), root is not allowed to log in; FreeBSD's default sshd configuration refuses root logins, and you should leave it that way. Even when using the system console, rather than logging in as root, you will normally log in as admin and only use root privilege as needed (using su and/or sudo). The admin user will need to be a member of the wheel group (only wheel members may su to root on FreeBSD), and you will need to install and configure sudo for this to work right. In these directions, we will use the password adminpw for the admin account. You should choose your own password and be sure not to lose or forget it.
When asked Would you like to add users to the installed system now? choose <Yes>.
Enter the following information for the system administrator account:

    Username: admin
    Full name: System Administrator
    Uid (Leave empty for default):
    Login group [admin]:
    Login group is admin. Invite admin into other groups? []: wheel
    Login class [default]:
    Shell (sh csh tcsh nologin) [sh]:
    Home directory [/home/admin]:
    Home directory permissions (Leave empty for default):
    Use password-based authentication? [yes]:
    Use an empty password? (yes/no) [no]:
    Use a random password? (yes/no) [no]:
    Enter password: adminpw                 (the characters will not echo)
    Enter password again: adminpw           (the characters will not echo)
    Lock out the account after creation? [no]:
    (it will now show all of the options selected above)
    OK? (yes/no): yes
    adduser: INFO: Successfully added (admin) to the user database.
    Add another user? (yes/no): no

11. Final Configuration
Choose Exit. It will then ask if you would like to open a shell to make any final modifications. Choose <No>. It will then ask if you want to reboot into the installed system now. Choose <Reboot>. Be sure to remove or unmount the install DVD before the system restarts (otherwise the install process will begin again).
Allow the virtual computer to reboot and log in as user admin. Use your own admin password instead of adminpw. The FreeBSD startup scripts will run, then the system ID is displayed, followed by the login prompt:

    FreeBSD/amd64 (vrouter.v6lab.info) (ttyv0)

    login: admin
    Password: adminpw                       (the characters will not echo)
    FreeBSD 9.1-RELEASE (GENERIC) #0: r243825: Tue Dec 4 09:23:10 UTC 2012
    <the Message Of The Day will display; you can edit this in /etc/motd>
    $

FreeBSD 9.1 is now up and running and you are logged in as user admin. The "$ " is the default shell command prompt for user admin. That means FreeBSD is waiting for you to enter a command. To issue commands requiring root privilege, enter the command su, and when asked, enter the root password (e.g. rootpw). The command prompt will change to "vrouter# " when you have root privilege. To exit root privilege, enter the command exit. For details on FreeBSD commands, check online, or in any of the many available books on FreeBSD.
You should learn at least one screen-oriented text editor, either vi (the default UNIX screen-oriented text editor) or edit (a simple emacs-like editor). Again, there is documentation on these online and in books. I happen to like the uemacs ("Micro Emacs") text editor (also similar to emacs, but more complete than edit), which can be installed from the FreeBSD ports collection. We will install it from ports shortly.

12. View and test network configuration
Use "ifconfig -a" to view the current network configuration of all interfaces (em0 and em1 are Ethernet interfaces, lo0 is the "loopback" interface). Ping em0's IP address (e.g. 172.20.1.3), the default gateway (e.g. 172.20.0.1), an external node by IP address (4.2.2.2) and an external node by symbolic name (www.kame.net). Note that ping will keep running until you stop it by typing Ctrl-C.
Note: depending on the configuration of your DHCPv4 server, your node may obtain some other IPv4 node address, subnet mask and default gateway. Your output may vary somewhat from the following:
    $ ifconfig -a
    em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
            ether 08:00:27:e0:f2:1f
            inet 172.20.1.3 netmask 0xffff0000 broadcast 172.20.255.255
            inet6 fe80::a00:27ff:fee0:f21f%em0 prefixlen 64 scopeid 0x1
            inet6 fda4:73c2:e5b8:1000:a00:27ff:fee0:f21f prefixlen 64 autoconf
            inet6 2001:470:3d:3000:a00:27ff:fee0:f21f prefixlen 64 autoconf
            nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
    em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
            ether 08:00:27:13:77:d5
            nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
            options=3<RXCSUM,TXCSUM>
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
            inet 127.0.0.1 netmask 0xff000000
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

Note that em0 already has ACCEPT_RTADV set and two autoconfigured global addresses, while em1 has no UP flag and is IFDISABLED until it is configured. You should now do some pings to verify connectivity.
    $ ping 172.20.1.3
    PING 172.20.1.3 (172.20.1.3): 56 data bytes
    64 bytes from 172.20.1.3: icmp_seq=0 ttl=64 time=0.056 ms
    64 bytes from 172.20.1.3: icmp_seq=1 ttl=64 time=0.076 ms
    64 bytes from 172.20.1.3: icmp_seq=2 ttl=64 time=0.057 ms
    ^C
    --- 172.20.1.3 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 0.056/0.063/0.076/0.009 ms
    $ ping 172.20.0.1
    PING 172.20.0.1 (172.20.0.1): 56 data bytes
    64 bytes from 172.20.0.1: icmp_seq=0 ttl=64 time=1.267 ms
    64 bytes from 172.20.0.1: icmp_seq=1 ttl=64 time=1.540 ms
    64 bytes from 172.20.0.1: icmp_seq=2 ttl=64 time=1.579 ms
    ^C
    --- 172.20.0.1 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 1.267/1.462/1.579/0.139 ms
    $ ping 4.2.2.2
    PING 4.2.2.2 (4.2.2.2): 56 data bytes
    64 bytes from 4.2.2.2: icmp_seq=0 ttl=239 time=286.044 ms
    64 bytes from 4.2.2.2: icmp_seq=1 ttl=239 time=284.474 ms
    64 bytes from 4.2.2.2: icmp_seq=2 ttl=239 time=285.687 ms
    ^C
    --- 4.2.2.2 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 284.474/285.402/286.044/0.672 ms
    $ ping www.kame.net
    PING orange.kame.net (203.178.141.194): 56 data bytes
    64 bytes from 203.178.141.194: icmp_seq=0 ttl=46 time=225.970 ms
    64 bytes from 203.178.141.194: icmp_seq=1 ttl=46 time=248.911 ms
    64 bytes from 203.178.141.194: icmp_seq=2 ttl=46 time=224.022 ms
    ^C
    --- orange.kame.net ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 224.022/232.968/248.911/11.302 ms
    $

13. Install additional packages via FTP

    $ su
    Password: rootpw                        (characters will not echo)
    root@vrouter:/usr/home/admin # sysinstall

This will bring up a menu-based wizard that allows additional system installation steps. Select Configure, then Packages. Select FTP as the installation media. Hit Enter.
You can add any of the packages listed, but be sure to include security/sudo-1.8.3_1. Once all additional packages are selected, select [OK], then [Install]. It will list the selected packages. Select [OK]. The selected packages (and any dependencies) will be installed. To exit sysinstall, select X Exit from the Configure menu, then X Exit Install from the main menu.
Note that sysinstall fetches these packages over plain FTP and the legacy pkg_add tools in 9.1 do not verify package signatures, so do this from a network path you trust. The ports build in the next step at least checks each downloaded distfile against the SHA256 recorded in the port's distinfo.
Note: after this step, I will not show the complete root prompt, just "#".

14. Install Micro Emacs text editor from ports
If you are familiar with the UNIX vi editor, that is always available (no installation is required). If not, there is a simple emacs-style full-screen editor called edit in FreeBSD, but Micro Emacs (uemacs) is more complete. We will build and install uemacs from the FreeBSD ports. You can install additional applications from the FreeBSD ports if you need them.

    # cd /usr/ports/editors/uemacs
    # make install clean
    ...
    ===> Registering installation for uemacs-4.0
    ===> Cleaning for uemacs-4.0
    # pkg_info | grep uemacs
    uemacs-4.0          A full screen editor

The last step allows use of the entire 80x24 screen by removing the help text at the top of the screen, if you are already familiar with emacs-style commands. You can just rename the file if you prefer.

    # cd /usr/local/share/uemacs/
    # rm .emacsrc

Terminate superuser mode with the exit command. You will once again be running as admin, as indicated by the "$" command prompt.

    # exit
    exit
    $

Now test the uemacs editor.

    $ uemacs testfile          (start uemacs on "testfile", currently empty)
    (type a few lines of text, exit the editor with ESC Z)
    $ cat testfile             (view the contents of "testfile")
    ...

15. Configure and use the sudo utility
The sudo utility is an alternative to the su command, which allows you to execute one command with root privilege. It is safer than temporarily becoming the root user with su.
It also only requires you to know your own password, not the root password.
You must edit a file to enable members of the wheel group to issue commands with root privilege (but they must supply their own password). First, enter superuser mode with su. Then edit /usr/local/etc/sudoers. Do this with visudo rather than by opening the file directly in uemacs: visudo checks the syntax before saving, and a syntax error in sudoers disables sudo for everyone (visudo uses vi by default; see visudo(8) if you want another editor). This must be done with root privilege.

    $ su
    Password: rootpw
    vrouter# visudo

Find the line that says

    ## Uncomment to allow members of group wheel to execute any command.

The next line currently contains

    # %wheel ALL=(ALL) ALL

Remove the leading "#" to uncomment it. It should now look like this:

    %wheel ALL=(ALL) ALL

Save the file and exit the editor (in vi, :wq). Terminate superuser mode with the exit command.

    # exit
    $

To use this utility, type the command sudo followed by any command that requires root privilege. The first time you use sudo, it will print a warning. It will always ask for your password (not the root password). If you enter it correctly, the command will be executed with root privilege, and then your normal privilege level will resume. For example (even though "ls /usr" doesn't require root privilege):

    $ sudo ls /usr

    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:

        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.

    Password: adminpw
    bin       home      lib       libdata   local     ports     share
    games     include   lib32     libexec   obj       sbin      src
    $

If you have authenticated yourself to sudo in the last few minutes, it will not ask for your password again; it will just immediately perform the specified command at root privilege.
Network Configuration

Now that you've completed the basic FreeBSD install, it is time to do some additional configuration. In FreeBSD 9.1, network configuration is done by editing various text files in /etc.

File /etc/rc.conf - Node addresses, prefix lengths, default gateways and routing

In /etc/rc.conf you configure the IPv4 and IPv6 node addresses and prefix lengths for each interface, as well as the default gateways. Note that the syntax for some configuration items changed starting with FreeBSD 9.0. Keep in mind that rc.conf is a shell script: if you assign the same variable twice, only the last assignment takes effect, so all the IPv6 settings for one interface must go in a single ifconfig_ifname_ipv6 line.

To specify the IPv4 node address and netmask:

    ifconfig_ifname="inet ipv4_address netmask subnet_mask"

To specify the IPv4 default gateway:

    defaultrouter="ipv4_address"

To accept router advertisements on an interface (there is no need to enable IPv6 in 9.x, as you had to do in earlier versions of FreeBSD; it is enabled by default):

    ifconfig_ifname_ipv6="inet6 accept_rtadv"

To specify an IPv6 node address and prefix length (the default prefix length is 64, so most of the time the second form is acceptable):

    ifconfig_ifname_ipv6="inet6 ipv6_address prefixlen prefix_length"
    ifconfig_ifname_ipv6="inet6 ipv6_address"

To generate only an automatic link-local address (no global unicast address):

    ifconfig_ifname_ipv6="inet6 auto_linklocal"

To manually specify the IPv6 default gateway (on a host this is normally learned via SLAAC; on a router it should be static, because a forwarding router should not take its default route from whatever Router Advertisements appear on its external link, which is why the sample rc.conf below clears accept_rtadv on em0):

    ipv6_defaultrouter="ipv6_global_address"
    ipv6_defaultrouter="ipv6_linklocal_address%ifname"

Examples (where a variable appears twice, the lines show alternative forms; use only one of them in a real file):

    ifconfig_em0="inet 172.20.10.1 netmask 255.255.0.0"
    ifconfig_em1="inet 172.21.0.1 netmask 255.255.0.0"
    defaultrouter="172.16.0.1"
    ifconfig_em0_ipv6="inet6 2001:470:3d:3000:172:20:10:1 prefixlen 64"
    ifconfig_em0_ipv6="inet6 accept_rtadv"
    ifconfig_em1_ipv6="inet6 auto_linklocal"
    ipv6_defaultrouter="2001:db8:1:2::1"
    ipv6_defaultrouter="fe80::16da:e9ff:fe41:871b%em0"
To enable packet forwarding between all IPv4 enabled interfaces (disabled by default):

    gateway_enable="YES"

To enable packet forwarding between all IPv6 enabled interfaces (disabled by default):

    ipv6_gateway_enable="YES"

To specify IPv4 static routes:

    static_routes="list_of_network_names"
    route_network_name_n="-net ipv4_netblock ipv4_gateway_address"

To specify IPv6 static routes (normally the gateway in an IPv6 static route should be a link-local address, qualified with the interface name):

    static_routes="network_name_1 network_name_2 ... network_name_N"
    route_network_name_n="ipv6_netblock ipv6_gateway_address"

Since static_routes is a single shell variable, list the names of all static routes, IPv4 and IPv6, in one static_routes line; a second static_routes line replaces the first. (rc.conf(5) also documents separate ipv6_static_routes and ipv6_route_name variables for IPv6 routes; check which form /etc/rc.d/routing honours on your release.)

To enable the Router Advertisement daemon:

    rtadvd_enable="YES"

To specify the interface(s) on which Router Advertisements will be sent:

    rtadvd_interfaces="ifname1 ifname2 ... ifnameN"

Examples:

    gateway_enable="YES"
    ipv6_gateway_enable="YES"
    static_routes="v4int1 v4int2 v6int1 v6int2"
    route_v4int1="-net 172.21.0.0/16 172.20.10.1"
    route_v4int2="-net 172.22.0.0/16 172.20.10.2"
    route_v6int1="2001:db8:1:3::/64 fe80::16da:e9ff:fe41:871b%em1"
    route_v6int2="2001:db8:1:4::/64 fe80::16da:e9ff:fe41:54dd%em1"

Sample initial /etc/rc.conf (both NICs, IPv4 and IPv6 packet forwarding enabled):

    # Configuration file for vrouter.v6lab.info
    hostname="vrouter.v6lab.info"

    # IPv4 Configuration
    ifconfig_em0="inet 172.20.10.1 netmask 255.255.0.0"
    defaultrouter="172.20.0.1"
    ifconfig_em1="inet 172.21.0.1 netmask 255.255.0.0"
    # enable IPv4 packet forwarding
    gateway_enable="YES"

    # IPv6 Configuration
    # em0 address and "do not accept Router Advertisements" flag, in one assignment
    ifconfig_em0_ipv6="inet6 2001:470:3d:3000:172:20:10:1 -accept_rtadv"
    ipv6_defaultrouter="fe80::290:bff:fe1b:5762%em0"
    ip6addrctl_policy="ipv6_prefer"
    ifconfig_em1_ipv6="inet6 2001:470:3d:3001::1"
    # enable IPv6 packet forwarding
    ipv6_gateway_enable="YES"

    # Misc
    sshd_enable="YES"
    ntpd_enable="YES"
    dumpdev="NO"
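Because rc.conf is just shell variable assignments, the mistakes that bite here are silent ones: a variable assigned twice, an "inet" where "inet6" was meant, or curly quotes pasted from a word processor. The following lint script is an added example (not part of the paper) that reports those three problems in an rc.conf-style file before you reboot into it.

```shell
#!/bin/sh
# Added example, not from the paper: lint an rc.conf before rebooting into it.
# /etc/rc.conf is sourced by sh, so a variable assigned twice keeps only its
# last value (a second ifconfig_em0_ipv6 or static_routes line silently
# discards the first), every ifconfig_<if>_ipv6 value must begin with "inet6",
# and "smart" quotes pasted from a word processor are not quotes to the shell.

rc_conf_lint() {
    # $1: path to an rc.conf-style file. Prints findings; returns 1 if any.
    f="$1"

    # variables assigned more than once (only the last assignment takes effect)
    dups=$(sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$f" |
           sort | uniq -d | sed 's/^/DUP: /')

    # ifconfig_<if>_ipv6 lines whose value does not start with inet6
    bad6=$(grep -n '^[[:space:]]*ifconfig_[A-Za-z0-9_]*_ipv6=' "$f" |
           grep -v -e '="inet6' -e "='inet6" -e '=inet6' | sed 's/^/BAD: /')

    # lines with non-ASCII bytes, typically curly quotes (checked in the C locale)
    nonascii=$(LC_ALL=C grep -an '[^[:print:][:blank:]]' "$f" | sed 's/^/NONASCII: /')

    findings=$(printf '%s\n%s\n%s\n' "$dups" "$bad6" "$nonascii" | grep -v '^$' || true)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "$f: OK"
}

# usage: rc_conf_lint /etc/rc.conf
```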
DNS Resolver Configuration

In /etc/resolv.conf you configure the DNS client (resolver) on this node as follows.

To specify the domain name (if not specified here, it is derived from the hostname as returned by gethostname()):

    domain domain_name

To specify one or more domain names to search when just a node name is given (by default the list contains only the node's domain name):

    search domain_name1 domain_name2 ... domain_nameN

To specify the IP address of a DNS server (IPv4 and IPv6 addresses may be mixed, one per nameserver line):

    nameserver ip_address

Example configuration:

    domain v6lab.info
    search v6lab.info
    nameserver 172.25.0.13
    nameserver 172.25.0.14
    nameserver 2001:db8:1:2::13
    nameserver 2001:db8:1:2::14

DHCPv4 Access for Nodes in an Internal Subnet

In order for nodes in any subnet to do automated network configuration, those nodes must have link-local access to a DHCPv4 server, or to a DHCPv4 relay agent that in turn has unicast access to a remote DHCPv4 server (one located in some other subnet). Nodes make DHCPv4 requests using broadcast, which will not cross a router. So, if you create an "internal" subnet connected to the rest of the network via a router, there must be a DHCPv4 server or relay agent on that subnet. Although this could be deployed on any node in the subnet, the ideal node is the border router itself.

FreeBSD includes both a DHCPv4 server and a DHCPv4 relay agent. You can deploy and configure a DHCPv4 server with just the information needed for this subnet. If there is a remote DHCPv4 server available that can provide network configuration (indirectly) for nodes in this subnet, you can deploy a DHCPv4 relay agent instead. A relay agent only needs the address of the remote DHCPv4 server.
A local DHCPv4 server must have a valid IP node address pool, and various stateless information appropriate for nodes in this subnet, including the subnet mask, the default gateway and the IPv4 address(es) of DNS.

DHCPv4 Server Deployment and Configuration

The DHCPv4 server (ISC dhcpd) must be installed and configured. Once you install it, additional information on dhcpd is available via man dhcpd. You can install it via the package system, or build it from the ports. The package name is isc-dhcp42server-4.2.4_2. In the ports system, look under /usr/ports/net/isc-dhcp42-server.

Assuming the internal NIC of the router is em1, to start the ISC dhcpd server for DHCPv4 at boot time, include the following lines in /etc/rc.conf:

    dhcpd_enable="YES"
    dhcpd_conf="/usr/local/etc/dhcpd.conf"
    dhcpd_ifaces="em1"
    dhcpd_flags="-q"

The configuration of the DHCPv4 server is done in file /usr/local/etc/dhcpd.conf. Complete details are available via man dhcpd.conf, but a basic configuration is shown below. There are many other options you can configure, and you can also give the server hints about the total network topology. The subnet is as follows:

    IPv4 netblock:              172.21.0.0/16 (prefix = 172.21.0.0, netmask = 255.255.0.0)
    IPv4 default gateway:       172.21.0.1 (inside NIC of router)
    Managed IPv4 address pool:  172.21.2.1 to 172.21.2.254
    IPv4 address of DNS:        172.20.0.13, 172.20.0.14 (in the physical LAN)
    Subnet domain name:         v6lab.info
    DHCPv4 default lease time:  1 day (86400 seconds)
    Maximum lease time:         1 week (604800 seconds)
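Before these parameters go into dhcpd.conf it is worth confirming that the pool really sits inside the netblock and does not swallow the router's own address (172.21.0.1) or any other statically addressed host. The check below is an added example, not from the paper, written in plain POSIX sh; the function names and the 32-bit integer arithmetic are its own.

```shell
#!/bin/sh
# Added example, not from the paper: check a planned DHCPv4 pool against the
# subnet parameters listed above before they go into dhcpd.conf. A pool that
# leaks outside the declared subnet, or that contains the router's own
# address, the DNS servers or another statically addressed host, produces
# duplicate-address problems that are painful to diagnose from the clients.
# Plain POSIX sh; addresses are handled as unsigned 32-bit integers.

ip4_to_int() {
    # $1: dotted quad; prints the address as an integer
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

dhcp_pool_check() {
    # $1: subnet, $2: netmask, $3: pool low, $4: pool high,
    # $5...: addresses that must stay outside the pool (router, servers, ...)
    subnet=$1; netmask=$2; pool_lo=$3; pool_hi=$4
    net=$(ip4_to_int "$subnet"); mask=$(ip4_to_int "$netmask")
    lo=$(ip4_to_int "$pool_lo");  hi=$(ip4_to_int "$pool_hi")
    shift 4
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))
    rc=0
    [ $(( net & mask )) -eq "$net" ] ||
        { echo "FAIL: $subnet has host bits set for netmask $netmask"; rc=1; }
    [ "$lo" -le "$hi" ] ||
        { echo "FAIL: pool low end $pool_lo is above high end $pool_hi"; rc=1; }
    [ $(( lo & mask )) -eq "$net" ] && [ $(( hi & mask )) -eq "$net" ] ||
        { echo "FAIL: pool $pool_lo-$pool_hi is not inside $subnet/$netmask"; rc=1; }
    [ "$lo" -ne "$net" ] && [ "$hi" -ne "$bcast" ] ||
        { echo "FAIL: pool includes the network or broadcast address"; rc=1; }
    for a in "$@"; do
        v=$(ip4_to_int "$a")
        if [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]; then
            echo "FAIL: reserved address $a falls inside the pool"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] &&
        echo "OK: pool $pool_lo-$pool_hi inside $subnet/$netmask, $# reserved address(es) excluded"
    return $rc
}

# The paper's subnet: pool 172.21.2.1-172.21.2.254 in 172.21.0.0/16, router at 172.21.0.1
# dhcp_pool_check 172.21.0.0 255.255.0.0 172.21.2.1 172.21.2.254 172.21.0.1
```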
Sample /usr/local/etc/dhcpd.conf file for the above subnet:

    # dhcpd.conf
    # global configuration items (affect all declared subnets)
    option domain-name "v6lab.info";
    option domain-name-servers 172.20.0.13, 172.20.0.14;
    # 600=10 min, 3600=1 hour, 86400=1 day, 604800=1 week, 2592000=30 days
    default-lease-time 86400;
    max-lease-time 604800;
    # disable dynamic DNS registration
    ddns-update-style none;
    # this DHCPv4 server is official for the declared network
    authoritative;
    # hints about other subnets (no configuration will be done on these subnets)
    subnet 172.20.0.0 netmask 255.255.0.0 {
    }
    # subnet declaration for this DHCPv4 server
    subnet 172.21.0.0 netmask 255.255.0.0 {
        range 172.21.2.1 172.21.2.254;
        option routers 172.21.0.1;
        option subnet-mask 255.255.0.0;
    }

Install and Configure ISC DHCPv6 Server

The same executable used for DHCPv4 can be run with the -6 command line option to provide DHCPv6 service. The configuration is similar to that for DHCPv4, but differs where DHCPv4 and DHCPv6 (and the two kinds of addresses) differ. If you need to start the DHCPv6 server manually, use the following command:

    /usr/local/sbin/dhcpd -6 -d -cf /usr/local/etc/dhcpd6.conf em1

"-6" says to run DHCPv6 instead of DHCPv4.
"-d" says to send messages to the standard error descriptor for debugging (default = use syslog).
"-cf /usr/local/etc/dhcpd6.conf" specifies the path of the configuration file.
"em1" specifies the interface on which to accept DHCPv6 messages.

Assuming the internal NIC of the router is em1, to start the ISC dhcpd server for DHCPv6 at boot time, include the following lines in /etc/rc.conf:

    dhcpd6_enable="YES"
    dhcpd6_conf="/usr/local/etc/dhcpd6.conf"
    dhcpd6_ifaces="em1"

You can confirm that both DHCPv4 and DHCPv6 servers are running with the ps command.
You should see two processes listed, as shown (one for DHCPv4 and one for DHCPv6):

    $ ps -ax | grep dhcp
     865  ??  Is     0:00.00 /usr/local/sbin/dhcpd -6 -cf /usr/local/etc/dhcpd6.conf
     882  ??  Is     0:00.00 /usr/local/sbin/dhcpd -q -cf /usr/local/etc/dhcpd.conf -l
    1038   0  R+     0:00.00 grep dhcp
    $

The configuration file is /usr/local/etc/dhcpd6.conf and mine contained the following. Modify addresses, domain name and times for your configuration.

    # Server configuration file for DHCPv6
    # 30 days = 2592000 seconds
    # 1 week = 604800 seconds
    # 1 day = 86400 seconds
    # 1 hour = 3600 seconds

    # IPv6 address valid lifetime - 30 days is the usual IPv6 setting
    default-lease-time 2592000;
    # IPv6 address preferred lifetime -  7 days is the usual IPv6 setting
    preferred-lifetime 604800;
    # T1, the delay before Renew
    # default is 1/2 of the preferred lifetime
    option dhcp-renewal-time 3600;
    # T2, the delay before Rebind (if Renews failed)
    # default is 3/4 of the preferred lifetime
    option dhcp-rebinding-time 7200;
    # Enable RFC 5007 support (same as for DHCPv4)
    allow leasequery;
    # Global definitions for name server addresses and domain search list
    option dhcp6.name-servers 2001:470:3d:3000::13, 2001:470:3d:3000::14;
    option dhcp6.domain-search "v6lab.info";
    # Set preference to 255 (maximum) to avoid waiting for another DHCPv6 server
    # when there is only one
    option dhcp6.preference 255;
    # Server side command to enable rapid-commit (2 message exchange).
    # Here it is commented out, so the normal 4 message exchange is used.
    #option dhcp6.rapid-commit;
    # The delay before information-request refresh (min 10 min, max 1 day,
    # default = no refresh). Set here to 6 hours
    option dhcp6.info-refresh-time 21600;
    # The path of the lease file - the script in /usr/local/etc/rc.d will
    # create this the first time, and set permissions as needed
    dhcpv6-lease-file-name "/var/db/dhcpv6.leases";
    # The subnet where the server is attached (i.e.
    # the server has an address in this subnet)
    subnet6 2001:470:3d:3001::/64 {
        range6 2001:470:3d:3001::1:1 2001:470:3d:3001::1:ffff;
        # use the whole /64 prefix for temporary addresses as per RFC 4941
        range6 2001:470:3d:3001:: temporary;
    }

Providing Router Advertisements for Nodes in the Internal Subnet (to enable SLAAC)

To enable nodes in the internal subnet to do automated IPv6 network configuration with SLAAC, there must be a source of Router Advertisement messages in one or more routers on that subnet. Typically there is only a single router for a subnet, so that is where the Router Advertisement daemon is deployed. A Router Advertisement daemon can only be deployed on a router (a node with multiple network interfaces, and in which packet forwarding is enabled). You cannot deploy a Router Advertisement daemon on a host (a node that has only one network interface, or that is not doing packet forwarding).

It is also possible to deploy a stateless DHCPv6 server (one that supplies stateless information, such as the IPv6 addresses of DNS) or a stateful DHCPv6 server (one that can also supply a unique IPv6 unicast address in addition to any created via SLAAC). Unlike in IPv4, you cannot do automated network configuration with just DHCPv6. You can prevent the Router Advertisement messages from including a subnet prefix, in which case nodes will not generate global unicast IPv6 addresses during SLAAC. IPv6 nodes will generate a unique link-local address without any help, but they can only discover the IPv6 default gateway via manual configuration or by getting Router Advertisements during SLAAC. Nodes cannot obtain the IPv6 default gateway address from DHCPv6.

Note that a Router Advertisement daemon will periodically send unsolicited Router Advertisement messages. It will also reply immediately to a Router Solicitation message from any node on the subnet with a solicited Router Advertisement.
Solicitations are sent by any node to the all-routers link-local multicast address (ff02::2). Router Advertisements are sent by all routers to the all-nodes link-local multicast address (ff02::1).

Recently, RFC 6106 has introduced a way for routers to provide one or more IPv6 addresses of DNS servers (RDNSS) and a DNS search list (DNSSL) as new options in Router Advertisement messages. In FreeBSD, this option is supported for the first time in v9.x. The FreeBSD 9.x Router Advertisement daemon (rtadvd) can advertise these items, and a FreeBSD v9.x host can obtain these items during SLAAC. As of the writing of this paper, Windows nodes do not support RFC 6106. This means Windows clients cannot obtain DNS information from Router Advertisement messages, even if they are present. Likewise, the Router Advertisement daemon in Windows Server 2008 (or 2008 R2) cannot include these new options in Router Advertisement messages.

Enable and Configure Router Advertisements

The FreeBSD Router Advertisement daemon (rtadvd) is installed by default, but not enabled or configured. Additional information on rtadvd is available via man rtadvd. Assuming the inside NIC of the router is em1, to enable the FreeBSD Router Advertisement daemon, include the following lines in /etc/rc.conf. The variable is spelled rtadvd_interfaces in rc.conf(5); a misspelt name is silently ignored, and with the variable unset the rc script starts rtadvd on every interface, em0 included.

    rtadvd_enable="YES"
    rtadvd_interfaces="em1"

The configuration of the Router Advertisement daemon is done in file /etc/rtadvd.conf. Complete details are available via man rtadvd.conf, but a basic configuration is shown below that will advertise the prefix 2001:db1:1:1000::/64 on interface em1.

    em0:\
        :rltime#0:
    em1:\
        :addr="2001:470:3d:3001::":prefixlen#64:

The configuration for em0 sets the router lifetime to 0, so that it will not be considered as a gateway. Without this, internal nodes may configure two default gateways (the real one, and the external NIC of this router).
A more complex configuration example will cause rtadvd to advertise all of the following items as options in its Router Advertisement messages:

    Item                 Keyword    Default          Setting
    Default Hop Limit    chlim      64               32 hops
    Router Adv. Flags    raflags    0                128 (M flag = 1, O flag = 0)
    Router lifetime      rltime     1800             3600 seconds (1 hour)
    Reachable time       rtime      0                1000 milliseconds (1 second)
    Retrans time         retrans    0                100 milliseconds
    Prefix length        prefixlen  64               64
    Address prefix       addr       (none)           2001:db8:1:2000::
    Valid lifetime       vltime     2592000 (30d)    604800 (7d)
    Preferred lifetime   pltime     604800 (7d)      172800 (2d)
    MTU                  mtu        (none)           1500 bytes
    IPv6 DNS address     rdnss      (none)           2001:470:3d:3000::13, 2001:470:3d:3000::14
    DNS search string    dnssl      (none)           v6lab.info

So here is the content of /etc/rtadvd.conf for the above configuration (termcap syntax: numeric capabilities use "#", string capabilities use "="):

    em0:\
        :rltime#0:
    em1:\
        :chlim#32:raflags#128:rltime#3600:rtime#1000:retrans#100:\
        :vltime#604800:pltime#172800:mtu#1500:\
        :addr="2001:470:3d:3001::":prefixlen#64:\
        :rdnss="2001:470:3d:3000::13,2001:470:3d:3000::14":\
        :dnssl="v6lab.info":
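Two things in an rtadvd.conf are worth checking mechanically before rtadvd is started: RFC 4861 requires the preferred lifetime (pltime) not to exceed the valid lifetime (vltime), and the interface facing the upstream LAN must carry rltime#0 or this box will announce itself as a default router to every neighbour there. The script below is an added example, not from the paper; it parses the termcap-style file with sed and uses the defaults from the table above.

```shell
#!/bin/sh
# Added example, not from the paper: sanity-check an rtadvd.conf before
# enabling rtadvd. It joins the termcap-style continuation lines, then for each
# interface stanza verifies that pltime does not exceed vltime (RFC 4861) and
# that the upstream-facing interface has rltime#0, so this router never becomes
# a default gateway on the external LAN.

cap_num() {
    # $1: capability string (":name#value:..."), $2: name, $3: default when absent
    v=$(printf '%s:' "$1" | sed -n "s/.*:$2#\([0-9][0-9]*\):.*/\1/p")
    echo "${v:-$3}"
}

rtadvd_conf_check() {
    # $1: rtadvd.conf path, $2: name of the external (upstream) interface
    conf=$1; ext=$2
    findings=$(
        sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$conf" |   # join backslash-continued lines
            sed 's/[[:blank:]]//g' | grep -v '^#' | grep -v '^$' |
            while IFS= read -r stanza; do
                ifname=${stanza%%:*}                       # text before the first colon
                caps=":${stanza#*:}"
                vltime=$(cap_num "$caps" vltime 2592000)   # rtadvd default: 30 days
                pltime=$(cap_num "$caps" pltime 604800)    # rtadvd default: 7 days
                rltime=$(cap_num "$caps" rltime 1800)      # rtadvd default: 30 minutes
                if [ "$pltime" -gt "$vltime" ]; then
                    echo "$ifname: pltime $pltime exceeds vltime $vltime"
                fi
                if [ "$ifname" = "$ext" ] && [ "$rltime" -ne 0 ]; then
                    echo "$ifname: upstream interface advertises router lifetime $rltime; set rltime#0"
                fi
            done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "$conf: OK"
}

# usage: rtadvd_conf_check /etc/rtadvd.conf em0
```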
Final /etc/rc.conf file

    # Configuration file for vrouter.v6lab.info
    hostname="vrouter.v6lab.info"

    # IPv4 Configuration
    ifconfig_em0="inet 172.20.10.1 netmask 255.255.0.0"
    defaultrouter="172.20.0.1"
    ifconfig_em1="inet 172.21.0.1 netmask 255.255.0.0"
    # enable IPv4 packet forwarding
    gateway_enable="YES"

    # IPv6 Configuration
    # em0 address and "do not accept Router Advertisements" flag, in one assignment
    ifconfig_em0_ipv6="inet6 2001:470:3d:3000:172:20:10:1 -accept_rtadv"
    ipv6_defaultrouter="fe80::290:bff:fe1b:5762%em0"
    ip6addrctl_policy="ipv6_prefer"
    ifconfig_em1_ipv6="inet6 2001:470:3d:3001::1"
    # enable IPv6 packet forwarding
    ipv6_gateway_enable="YES"

    # enable DHCPv4 server
    dhcpd_enable="YES"
    dhcpd_conf="/usr/local/etc/dhcpd.conf"
    dhcpd_ifaces="em1"
    dhcpd_flags="-q"

    # enable DHCPv6 server
    dhcpd6_enable="YES"
    dhcpd6_conf="/usr/local/etc/dhcpd6.conf"
    dhcpd6_ifaces="em1"
    dhcpd6_flags="-q"

    # enable router advertisements (rtadvd_interfaces, as in rc.conf(5))
    rtadvd_enable="YES"
    rtadvd_interfaces="em1"

    # Misc
    sshd_enable="YES"
    ntpd_enable="YES"
    dumpdev="NO"

Static Routes

The default routing rules (for both IPv4 and IPv6) are:

1. If the destination is "on-link" (on the same link as the sender), deliver the packet directly to the destination node.
2. If the destination is "off-link" (on some other link), deliver the packet to the default gateway.

These rules work most of the time, but when you have nested subnets, static routes are required to allow nodes to communicate "upstream". These normally go not on the nodes that are communicating, but on the router which is the default gateway for the downstream subnet (e.g. the External Subnet, below).
In this case, we have two subnets and a router connecting them:

External Subnet (the physical LAN, closer to the ISP):
    IPv4 Netblock:          172.20.0.0/16
    IPv6 Netblock:          2001:470:3d:3000::/64
    IPv4 Default Gateway:   172.20.0.1
    IPv6 Default Gateway:   fe80::290:bff:fe1b:5762

Internal Subnet (VirtualBox internal network "int1", further from the ISP):
    IPv4 Netblock:          172.21.0.0/16
    IPv6 Netblock:          2001:470:3d:3001::/64
    IPv4 Default Gateway:   172.21.0.1
    IPv6 Default Gateway:   fe80::a00:27ff:fe13:77d5

Node vrouter, with em0 (external interface) connected to the External Subnet and em1 (internal interface) connected to the Internal Subnet, forwards packets between them.

em0, connected to the External Subnet:
    IPv4:                   172.20.10.1
    IPv6 Global:            2001:470:3d:3000:172:20:10:1
    IPv6 Link-local:        fe80::a00:27ff:fee0:f21f
    IPv4 Default Gateway:   172.20.0.1
    IPv6 Default Gateway:   fe80::290:bff:fe1b:5762

em1, connected to the Internal Subnet:
    IPv4:                   172.21.0.1
    IPv6 Global:            2001:470:3d:3001::1
    IPv6 Link-Local:        fe80::a00:27ff:fe13:77d5

Using the default routing rules, nodes in the Internal Subnet cannot successfully connect "upstream" to nodes in the External Subnet. For such connections to work, you must install static routes on the router that is the External Subnet's default gateway (the one at 172.20.0.1) for both IPv4 and IPv6. The two routes basically say:

1. Forward all IPv4 traffic for subnet 172.21.0.0/16 to 172.20.10.1 (IPv4 address of the external NIC of vrouter).
2. Forward all IPv6 traffic for subnet 2001:470:3d:3001::/64 to fe80::a00:27ff:fee0:f21f (link-local address of the external NIC of vrouter).

The syntax for these static routes depends on the brand or OS of the router which is the default gateway for the External Subnet. Note that in IPv6, the target of a static route should always be a link-local address, not a global unicast address (or the Neighbor Discovery redirect mechanism won't work correctly).
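When the upstream gateway is itself a FreeBSD box, its two routes are expressed with the same static_routes / route_name variables described under Network Configuration, and the IPv6 caveat just stated (link-local next hop, scoped with %ifname) is easy to check before the route is installed. The script below is an added example, not from the paper, serving both that rc.conf passage and this section: it previews the route add commands an rc.conf fragment would produce and flags IPv6 next hops that are not scoped link-local addresses. The sample fragment it writes is constructed, and "em0" there is a placeholder for whichever interface of the gateway faces vrouter.

```shell
#!/bin/sh
# Added example, not from the paper: preview the "route add" commands that
# FreeBSD's /etc/rc.d/routing derives from static_routes / route_<name> in an
# rc.conf-style file, and check every IPv6 next hop the way this section
# recommends: a link-local address, qualified with the %ifname of the link it
# is on. The rc.conf fragment below is a constructed sample.

ipv6_nexthop_check() {
    # $1: IPv6 next hop, $2: label for messages; returns 0 if link-local and scoped
    addr=$(printf '%s' "$1" | cut -d% -f1)        # strip the %ifname scope, if any
    case "$addr" in
        [Ff][Ee][89AaBb]?:*) ;;                   # fe80::/10
        *) echo "WARN $2: next hop $addr is not link-local (fe80::/10)"; return 1 ;;
    esac
    case "$1" in
        *%?*) return 0 ;;
        *) echo "WARN $2: link-local next hop $1 lacks a %ifname scope"; return 1 ;;
    esac
}

static_routes_preview() {
    # $1: rc.conf-style file. Prints one "route add" per route plus any warnings;
    # returns 1 if a warning was issued. Only the last static_routes assignment
    # in the file counts, exactly as when /etc/rc.conf is sourced at boot.
    out=$(
        # shellcheck disable=SC1090
        . "$1"
        for name in ${static_routes}; do
            eval "args=\${route_${name}}"
            [ -n "$args" ] || { echo "WARN route_${name}: not set"; continue; }
            case "$args" in
                *:*)                              # IPv6: the last word is the next hop
                    ipv6_nexthop_check "${args##* }" "route_${name}" || :
                    echo "route add -inet6 $args" ;;
                *)  echo "route add $args" ;;
            esac
        done
    )
    printf '%s\n' "$out"
    case "$out" in *WARN*) return 1 ;; esac
    return 0
}

write_sample_rc_conf() {
    # Constructed fragment for a FreeBSD box acting as the External Subnet's
    # gateway; "em0" stands for whichever of its interfaces faces vrouter.
    # The third route deliberately uses a global next hop so the check fires.
    cat > "$1" <<'EOF'
static_routes="toint1v4 toint1v6 badv6"
route_toint1v4="-net 172.21.0.0/16 172.20.10.1"
route_toint1v6="2001:470:3d:3001::/64 fe80::a00:27ff:fee0:f21f%em0"
route_badv6="2001:db8:1:4::/64 2001:470:3d:3000:172:20:10:1"
EOF
}

# usage: write_sample_rc_conf /tmp/rc.conf.sample && static_routes_preview /tmp/rc.conf.sample
```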