How to Build a Virtual Dual Stack Router with FreeBSD 9.1 and VirtualBox
Lawrence E. Hughes
1 Aug 2013
There are times you need a router (or three) when learning networking, designing networks, developing
network applications, or even writing about multi-subnet networks. It may not be convenient or in your
budget to use commercial physical routers. You may need features not commonly found in, or available
as add-ons to, commercial routers. If you are building virtual networks, it may be impossible or very
difficult (and probably violates license terms) to deploy virtual routers using commercial router ISO
images. For one thing, the commercial router hardware may not look much like a generic PC, which is
what VMware and VirtualBox emulate. You can actually install and configure this software on a
hardware box as well (assuming it runs FreeBSD i386 or amd64, and has at least two NICs supported by
FreeBSD). This is very handy when you need one or more real routers in a hurry, or on the cheap, or one
with unusual capabilities. If you buy generic “firewall appliance” boxes from Lanner or other vendors,
the end result will be a very nice yet inexpensive router that you can upgrade as you want very easily. All
it will be missing are GUI management and exotic interfaces like V.35, but you can manage it via ssh and
get cables that include those interfaces that plug into your Ethernet RJ-45 adapter, if needed.
When you start working with IPv6, any available routers you have lying around may have only limited (or
no) support for it. Unlike layer 2 devices (like NICs and switches), layer 3 devices (like routers and
firewalls) must have explicit support for IPv6 - no free rides here, like you get with layer 2 devices. Older
physical routers and firewalls are very much designed around IPv4 and NAT. For IPv6, you want
bidirectional routing without any NAT, and may even want to do the same with a large private IPv4 block
that spans routers. This may be difficult or clumsy to do with commercial routers even if they support
IPv6, especially low end SOHO models. You may want support for IPsec and/or multicast, which may not
be present in the commercial routers you have available, even mid-range ones (unless you pay a lot
extra for an upgraded version of IOS).
For all of these reasons (and more) you may want to build a software router based on an open source
OS. All of the software components are readily available in the standard distribution, and you can even
include a packet filter such as pf to turn it into a firewall. You can even create virtual routers. FreeBSD
based software routers are very easy to run in VirtualBox, and you can create any number of copies
(completely legally) to build very complex multi-subnet networks (given enough RAM). They only require
256MB of RAM (and you can even reduce that with a bit of work). A Windows 7 box with 16GB can run a
dozen or more nodes (especially if most of them are running FreeBSD or Linux) including multiple
subnets and routers, using VirtualBox. You can configure a FreeBSD router using ssh and your favorite
full screen editor (vi or uemacs).
Many current network professionals may not remember a time when a router was a software
application that ran on UNIX. Ever since Cisco created a custom router-oriented operating system
("IOS") and put it in a custom hardware box optimized for routing (including various interface modules),
a router has been a box to most network engineers (as opposed to a software application). The good
news is that in many cases, a software router running on a general purpose OS, in addition to being
much cheaper, is actually much more useful and flexible (and, in my opinion, much easier to configure; IOS is not particularly easy to master). Given the powerful CPUs and large memory that can be had cheaply
today, compared with the CPUs and memory found in most commercial routers, it may well outperform many
hardware routers as well (especially if you use good quality Intel NICs).
Copyright © 2013, Lawrence E. Hughes – All Rights Reserved, Worldwide
If you build a virtual router in VirtualBox, there is no need for a GUI (e.g. GNOME or KDE), so an 8GB
virtual HDD and 256MB of RAM (or even less) are adequate when you create the virtual appliance. By
eliminating unneeded parts of the OS you can reduce the requirements even more. This last
optimization may require rebuilding FreeBSD, which is beyond the scope of this document.
You can create as many virtual network interfaces as you need (up to 4 using the GUI) on a given virtual
machine. Normally a router needs two – one to connect to the external subnet, and one to connect to
the internal subnet. In VirtualBox you can have as many internal subnets as you like - just connect a
virtual network interface to an "internal network" and give that internal network a name. Magically you
have a virtual subnet. Each named internal subnet is separate from all other named internal subnets
(you can call these virtual networks or virtual subnets – link is actually the correct term). You can
connect any number of virtual machines to a given named internal subnet (just use the same internal
subnet name when you connect the virtual network interfaces). For example, if you connect the
interfaces on four virtual machines to internal subnet int1, they are all connected to each other.
If you want to connect a virtual interface in parallel to the host computer's physical network interface,
select "bridged adapter" instead of “internal network”. It will behave as if a separate network interface
was connected to the same physical subnet to which the host computer is connected. You can obtain
another address via DHCPv4 or SLAAC valid on the physical network, or assign valid static addresses. In
this example, we will bridge the external interface of the virtual router to the physical LAN, but connect
the internal interface of the virtual router to internal subnet int1. Other nodes we connect to int1 will be
on the internal subnet, behind the virtual router.
For example you might have two virtual routers, router A and router B. The external network interface
of router A could be connected to your physical network (bridged adapter) and the internal network
interface to internal network int1. The external network interface of virtual router B might be connected
to internal network int1 and the internal network interface to internal network int2. Any number of
internal virtual nodes could be connected to either internal network (int1 or int2). You don't need to
create or configure these named internal networks - just use them. Create as many as you like.
VirtualBox will manage them for you. This is much easier than setting up two physical routers, two
switches and a bunch of network cables.
Getting the FreeBSD 9.1 Installation Media
To obtain the FreeBSD installation media download it from www.freebsd.org. Versions are available for
i386 (Intel 32 bit x86 architecture) and amd64 (AMD 64 bit or "Intel-64" architecture). Determine what
type CPU you have on your host computer and download the correct version. In VirtualBox, to install a
64-bit guest operating system (e.g. FreeBSD 9.1 amd64) you must be running a 64-bit host operating
system (e.g. Windows 7 Professional 64-bit). You must also be running the 64-bit version of VirtualBox.
Furthermore, the host computer must support Hardware Virtualization (called "VT-x" on Intel CPUs and
"AMD-V" on AMD CPUs). If any of this is not present, you can always run 32 bit guest operating systems
(e.g. FreeBSD 9.1 i386), even under a 64-bit host OS. For a router, unless you are using IPsec, or need
more than 3G of RAM, there is not much advantage to running 64-bit. The 32-bit version is fine for a
virtual router. You should download the FreeBSD "DVD-1" ISO image. You do not need to burn a DVD VirtualBox can mount and install from an ISO image directly.
These instructions will guide you through creating a basic dual stack router for use in VirtualBox. It does
include a DHCPv4 server (for automated IPv4 network configuration) and a Router Advertisement
Daemon (to support IPv6 Stateless Address Autoconfiguration, or SLAAC). These instructions do not
include installing or configuring dynamic routing protocols like RIPv2, RIPng, OSPFv2, OSPFv3 or BGP, or
multicast routing. Those can be installed in a FreeBSD based virtual router, and will be added in a
separate paper. Another paper will guide you through adding pf to turn your router into a firewall with
stateful packet filtering. Yet another paper will describe deploying IPsec in a virtual router or virtual
node, complete with IKEv2 and IPsec digital certificates. Or you can simply buy SolidGate, which has all
of this done, complete with a nice GUI interface usable from any web browser.
Preparing for FreeBSD 9.1 Basic Install on VirtualBox
The following steps assume you have downloaded an ISO image of the FreeBSD 9.1 install DVD onto
your computer. They also assume you have installed VirtualBox 4.2.14 (or later). If you haven't done
either of these things yet, do so now.
1. Download, install and run VirtualBox on your host computer.
The current version of VirtualBox for Windows (as of the writing of this white paper) is 4.2.14.
You should also download and install the corresponding "extension pack". The extension pack
includes some things licensed in a different way, but improves the functionality of VirtualBox.
2. Create a new virtual machine
In VirtualBox, click the New button (the serrated round, blue icon at top).
3. New Virtual Machine Wizard
When you see a dialog box saying Welcome to the New Virtual Machine Wizard, click Next.
In the VM Name and OS screen, for Name, enter router 1 (or some other appropriate name).
You can enter the fully qualified domain name if you like (e.g. router1.v6lab.edu). This is used
only to identify the virtual machine. For Operating System, select BSD. For Version, select
FreeBSD (64 bit) (or as appropriate). Click Next.
On the Memory screen, select 256MB. Click Next. Assuming you don't install any GUI (e.g.
GNOME or KDE), this will be ample. If you are a FreeBSD guru you can reduce this even further
by rebuilding the OS and leaving out any unnecessary components or device drivers.
On the Virtual Hard Disk screen, accept defaults. Click Next.
On the Virtual disk creation wizard screen, accept default (VDI). Click Next.
On the Virtual disk storage details screen, accept default (Dynamically allocated). Click Next.
On the Virtual disk file location and size screen, accept default location, and change the disk size
to 8 GB. You might get by with less if you don't install the complete source (src). You may need
more if you plan to rebuild FreeBSD. Click Next.
On the Summary screen, review your selections and then click Create.
The new virtual machine should appear in the main list and be highlighted.
4. Settings - Storage
Click on the Settings icon (yellow cog wheel) at the top left corner of VirtualBox.
In the Settings dialog, select the Storage tab.
Under the IDE Controller, there are two items. The first is the virtual hard disk drive, and the
second is the virtual optical drive. Click on the virtual optical drive.
On the right under Attributes, click on the optical disk medium icon.
From the resulting pull-down menu, select Choose a virtual CD/DVD disk file...
Now select the iso image of the FreeBSD 9.1 install DVD. If you are installing the 64 bit version
use the amd64 install DVD. If you are installing the 32 bit version, use the i386 install DVD.
Do not dismiss the Settings dialog box yet.
5. Settings - Network
In the Settings dialog, select the Network tab. By default, one network adapter has been
enabled, but not yet configured.
If you want this network adapter connected to the physical LAN that the host computer is
connected to, select Bridged Adapter and in the next menu below, choose the appropriate
network adapter on the host (e.g. Realtek PCIe GBE Family Controller). If you import this
appliance onto another computer, you may have to change the real network interface it is
bridged to. Note that if you later change your physical connection to a different interface (e.g.
from wired Ethernet to WiFi) you will need to change this selection manually.
If you want this network adapter connected to an internal (virtual) network, choose Internal
Network, and either enter a new network name (e.g. int1) if this is the first virtual interface
connected to this virtual network, or choose an existing virtual network name from the
pulldown list. Remember that all interfaces connected to a given named internal network are on
the same link, and can communicate with each other via link-local addresses. Nodes connected
to a named internal network can communicate with nodes on other networks only if routers
connect this internal network to those other networks, and you have enabled packet forwarding
on those routers.
In either case, click the Advanced item if you want to select virtual adapter type, control
promiscuous mode or alter the MAC address. If you click the green rotary arrows, VirtualBox will
generate a new random MAC address for this virtual interface. If you import another virtual
router appliance from the same virtual appliance, you should randomize the MAC addresses of
each interface when you import it (or you can randomize them later). VirtualBox has
mechanisms for this.
Now create a second virtual network interface by clicking on the Adapter 2 tab. Enable the
second interface by clicking on Enable Network Adapter (a check will appear when it is enabled).
Configure it as before, but connected to a different network (typically an internal network, e.g.
"int1").
Dismiss the Settings dialog box by clicking OK at the bottom.
6. Start Virtual Machine
Double click on the new virtual machine name in the main list to "power it on". FreeBSD will
begin loading. Continue as with a FreeBSD installation on a physical machine.
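The same virtual machine that steps 2 to 5 build in the VirtualBox GUI, scripted with VBoxManage so that further routers can be created the same way every time. This is an added example, not part of the paper (which uses the GUI); the option names are those of VirtualBox 4.x, and the ISO path and host adapter name are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example: create the router VM from steps 2-5 with VBoxManage.
# Placeholders: the ISO path and the host adapter name passed to create_router_vm.

# Print each command, then run it unless DRY_RUN is set.
run() {
    printf '+ %s\n' "$*"
    [ -n "${DRY_RUN:-}" ] || "$@"
}

# create_router_vm NAME ISO HOST_ADAPTER [INTERNAL_NET]
#   NAME          VM name, e.g. router1
#   ISO           FreeBSD 9.1 DVD-1 image (amd64 here; use i386 on a 32-bit host)
#   HOST_ADAPTER  physical NIC that adapter 1 bridges to, as VirtualBox names it
#   INTERNAL_NET  named internal network for adapter 2 (default int1)
create_router_vm() {
    name=$1 iso=$2 host_if=$3 intnet=${4:-int1}
    disk="$HOME/VirtualBox VMs/$name/$name.vdi"

    # Steps 2 and 3: 64-bit FreeBSD guest with 256 MB of RAM; boot the DVD first.
    run VBoxManage createvm --name "$name" --ostype FreeBSD_64 --register
    run VBoxManage modifyvm "$name" --memory 256 --boot1 dvd --boot2 disk

    # Step 3: 8 GB dynamically allocated VDI (--size is given in MB).
    run VBoxManage createhd --filename "$disk" --size 8192 --variant Standard

    # Step 4: IDE controller, hard disk on port 0, install DVD on port 1.
    run VBoxManage storagectl "$name" --name "IDE Controller" --add ide
    run VBoxManage storageattach "$name" --storagectl "IDE Controller" \
        --port 0 --device 0 --type hdd --medium "$disk"
    run VBoxManage storageattach "$name" --storagectl "IDE Controller" \
        --port 1 --device 0 --type dvddrive --medium "$iso"

    # Step 5: adapter 1 bridged to the physical LAN (em0 in FreeBSD), adapter 2 on
    # the named internal network (em1). 82540EM is the Intel PRO/1000 that FreeBSD's
    # em driver attaches. A fresh random MAC per adapter matters once you clone.
    run VBoxManage modifyvm "$name" --nic1 bridged --bridgeadapter1 "$host_if" \
        --nictype1 82540EM --macaddress1 auto
    run VBoxManage modifyvm "$name" --nic2 intnet --intnet2 "$intnet" \
        --nictype2 82540EM --macaddress2 auto
}

# Before the first reboot into the installed system, detach the DVD so the
# installer does not start over.
eject_install_dvd() {
    run VBoxManage storageattach "$1" --storagectl "IDE Controller" \
        --port 1 --device 0 --type dvddrive --medium emptydrive
}

# On a host without VirtualBox, only show what would be run.
command -v VBoxManage >/dev/null 2>&1 || DRY_RUN=1
create_router_vm router1 "$HOME/Downloads/FreeBSD-9.1-RELEASE-amd64-dvd1.iso" \
    "Realtek PCIe GBE Family Controller"   # placeholder ISO path and host adapter
```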
Basic Install - FreeBSD 9.1
In the following steps, select the recommended response (or an appropriate response for your case).
You can use up and down arrows on the keyboard, or tab key to highlight any of the options. Once the
desired option is highlighted, pressing Enter will execute that selection. In many cases (e.g. Yes, No, A for
Auto defaults, Q to finish), typing the first letter of the option will select and execute it immediately.
1. Begin installation
If you were doing a FreeBSD install on a physical machine, at this point you would insert a
bootable installation CD or DVD and boot from it. The steps done above on VirtualBox are the
equivalent of this.
There will be various “loading” messages for a few minutes while the install script probes your
hardware, after which you will see a “Welcome to FreeBSD!” screen (including ASCII art of the
FreeBSD logo) with a 10 second countdown. You can hit Enter to proceed immediately, or just
wait for it to count down, at which time it will proceed by itself. The installer will probe your
hardware and select appropriate drivers. This takes a few minutes – be patient. You will
eventually see a "FreeBSD Installer" screen with three options:
<Install> <Shell> <Live CD>
Choose <Install>.
2. Keyboard Mapping
You will next see a screen with the message
Would you like to set a non-default key mapping for your keyboard?
Choose <No>.
3. Machine Hostname
For machine hostname, enter any valid UNIX hostname complete with domain name, e.g.
vrouter.v6lab.info. Then choose <OK>.
4. Choose optional system components to install.
Select doc, lib32, ports, and src (remove games). Choose <OK>. If you are sure you will not need
the source, you can save some time and disk space by not selecting src. You can always add it
later if needed.
5. Disk Partitioning
This assumes you will use the entire virtual hard disk drive - for other options, see FreeBSD
install documentation.
Choose <Guided>. On the following screen, select <Entire Disk>. On the third screen it will show
its proposed partition scheme. Unless you have some really good reason to change this, accept
it by choosing <Finish>, and then <Commit>.
The installer will then create the specified partitions, create the appropriate file systems in
them, and then copy files from the CDROM into them. This step will take 5 or 10 minutes to
complete depending on your system performance.
6. Root password
In these directions, we use the password rootpw. You should carefully choose some other
password, and be sure you don't forget or lose it. One good approach is to choose two unrelated
words separated by a special character, like purple$house. Password strength increases very
rapidly with additional password length, but only slowly with additional character sets (e.g.
upper case alpha, lower case alpha, numeric and special characters). However, the ability to
remember a password decreases rapidly with increasing number of character sets. For example,
purple$house is thousands of times stronger than pUrpL3, but far easier to remember. Note
that "hacker" spelling (substituting 0 for o, 3 for E, etc) is always tried by password crackers. It
may look cool, but it doesn’t really add anything to security.
You are asked to enter the new password for the root user:
Please select a password for the system management account (root):
Changing local password for root
New password: rootpw (the characters won't echo).
You are then asked to enter it again:
Retype New Password: rootpw (the characters won't echo).
7. Network Configuration.
The following assumes at least one interface of your computer (physical or virtual) is connected
to a network that has a properly configured DHCPv4 server and Router Advertisement daemon.
If there is no such network connectivity now, provide that before proceeding.
You will see a list of available interfaces to configure. In VirtualBox this is what you will see:
em0    Intel (R) PRO/1000 Legacy Network Connection 1.0.3
em1    Intel (R) PRO/1000 Legacy Network Connection 1.0.3
Select the external interface (the interface bridged to your physical network interface, em0) and
choose <OK>.
When asked
Would you like to configure IPv4 for this interface?
choose <YES>
When asked
Would you like to use DHCP to configure this interface?
choose <YES>.
It will then say
Trying to Acquire DHCP lease...
Assuming there is a DHCPv4 server on your physical LAN (more than likely), FreeBSD will obtain
a lease and configure the IPv4 node address, netmask, default gateway and IPv4 address(es) for
DNS from DHCPv4.
When asked
Would you like to configure IPv6 for this interface?
choose <YES>.
When asked
Would you like to try stateless address autoconfiguration (SLAAC)?
choose <YES>.
It will then say
Sending Router Solicitation
Assuming it receives a Router Advertisement in response to the Router Solicitation, it will enable
IPv6 networking and generate a link local node address and a global unicast address in addition
to determining the IPv6 default gateway.
It will then show the default Resolver Configuration. This will show the search domain, and a list
of the DNS servers discovered previously, via DHCPv4. The displayed values may differ in your
network.
Resolver Configuration
Search         v6edu.net
IPv6 DNS #1
IPv6 DNS #2
IPv4 DNS #1    172.25.0.11
IPv4 DNS #2
For now, accept these by choosing <OK>.
8. System Time
It will ask if the ROMBIOS clock is set to UTC. Normally it isn't, select [NO].
Now choose your time zone, for example, Asia / Hong Kong. It will ask you to confirm if the
selected timezone (e.g. HKT) looks reasonable. If so, choose [YES].
9. System Configuration
Select sshd and ntpd. We will not be installing a GUI, so we don't need moused.
Accept these by choosing <OK>
When asked
Would you like to enable crash dumps?
choose <NO>
10. Add User Accounts
We will now create a system administrator account (admin). In some situations (e.g. access via
ssh), root is not allowed to login. Even when using the system console, rather than log in as root,
you will normally log in as admin, and only use root privilege as needed (using su and/or sudo).
The admin user will need to be a member of the wheel group, and you will need to install and
configure the sudo application for this to work right. In these directions, we will use the
password adminpw for the admin account. You should choose your own password and be sure
not to lose or forget it.
When asked
Would you like to add users to the installed system now?
choose <Yes>.
Enter the following info for a system administrator account:
Username: admin
Full name: System Administrator
Uid (Leave empty for default):
Login group [admin]:
Login group is admin. Invite admin into other groups? [] wheel
Login class [default]:
Shell (sh csh tcsh nologin) [sh]:
Home directory [/home/admin]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Enter password: adminpw
(the characters will not echo)
Enter password again: adminpw
(the characters will not echo)
Lock out the account after creation? [no]:
(it will now show all of the options selected above)
OK? (yes/no): yes
adduser: INFO: Successfully added (admin) to the user database.
Add another user? (yes/no): no
11. Final Configuration
Choose Exit.
It will then ask if you would like to open a shell to make any final modifications. Choose <No>.
It will then ask if you want to reboot into the installed system now. Choose <Reboot>. Be sure to
remove or dismount the install DVD before the system restarts (otherwise the install process will
begin again). Allow the virtual computer to reboot and log in as user admin. Use your own
admin password instead of adminpw.
The FreeBSD startup scripts will run, then the system ID is displayed, followed by the login
prompt:
FreeBSD/amd64 (vrouter.v6lab.info) (ttyv0)
login: admin
Password: adminpw
(the characters will not echo)
FreeBSD 9.1-RELEASE (GENERIC) #0: r243825: Tue Dec 4 09:23:10 UTC 2012
<the Message Of The Day will display – you can edit this in /etc/motd>
$
FreeBSD 9.1 is now up and running and you are logged in as user admin. The "$ " is the default
shell command prompt for user admin. That means FreeBSD is waiting for you to enter a
command. To issue commands requiring root privilege, enter the command su, and when asked,
enter the root password (e.g. rootpw). The command prompt will change to “vrouter# ” when
you have root privilege. To exit root privilege, enter the command exit. For details on FreeBSD
commands, check online, or in any of the many available books on FreeBSD. You should learn at
least one screen-oriented text editor, either vi (the default UNIX screen oriented text editor) or
edit (a simple emacs-like editor). Again, there is documentation on these online and in books. I
happen to like the uemacs (“Micro Emacs”) text editor (also similar to emacs, but more complete
than edit), which can be installed from the FreeBSD ports collection. We will install it from the
ports shortly.
12. View and test network configuration.
Use “ifconfig -a” to view current network configuration of all interfaces (em0 and em1 are
Ethernet interfaces, lo0 is the “loopback” interface).
Ping the em0's IP address (e.g. 172.20.1.3), the default gateway (e.g. 172.20.0.1), an external
node by IP address (4.2.2.2) and an external node using symbolic nodename (www.kame.net).
Note that ping will keep running until you stop it by typing Ctrl-C. Note: depending on the
configuration of your DHCPv4 server, your node may obtain some other IPv4 node address,
subnet mask and default gateway. Your output may vary some from the following:
$ ifconfig -a
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:e0:f2:1f
        inet 172.20.1.3 netmask 0xffff0000 broadcast 172.20.255.255
        inet6 fe80::a00:27ff:fee0:f21f%em0 prefixlen 64 scopeid 0x1
        inet6 fda4:73c2:e5b8:1000:a00:27ff:fee0:f21f prefixlen 64 autoconf
        inet6 2001:470:3d:3000:a00:27ff:fee0:f21f prefixlen 64 autoconf
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:13:77:d5
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
You should now try to do some pings to verify connectivity.
$ ping 172.20.1.3
PING 172.20.1.3 (172.20.1.3): 56 data bytes
64 bytes from 172.20.1.3: icmp_seq=0 ttl=64 time=0.056 ms
64 bytes from 172.20.1.3: icmp_seq=1 ttl=64 time=0.076 ms
64 bytes from 172.20.1.3: icmp_seq=2 ttl=64 time=0.057 ms
^C
--- 172.25.0.126 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.056/0.063/0.076/0.009 ms
$ ping 172.20.0.1
PING 172.20.0.1 (172.20.0.1): 56 data bytes
64 bytes from 172.20.0.1: icmp_seq=0 ttl=64 time=1.267 ms
64 bytes from 172.20.0.1: icmp_seq=1 ttl=64 time=1.540 ms
64 bytes from 172.20.0.1: icmp_seq=2 ttl=64 time=1.579 ms
^C
--- 172.25.0.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.267/1.462/1.579/0.139 ms
$ ping 4.2.2.2
PING 4.2.2.2 (4.2.2.2): 56 data bytes
64 bytes from 4.2.2.2: icmp_seq=0 ttl=239 time=286.044 ms
64 bytes from 4.2.2.2: icmp_seq=1 ttl=239 time=284.474 ms
64 bytes from 4.2.2.2: icmp_seq=2 ttl=239 time=285.687 ms
^C
--- 4.2.2.2 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 284.474/285.402/286.044/0.672 ms
$ ping www.kame.net
PING orange.kame.net (203.178.141.194): 56 data bytes
64 bytes from 203.178.141.194: icmp_seq=0 ttl=46 time=225.970 ms
64 bytes from 203.178.141.194: icmp_seq=1 ttl=46 time=248.911 ms
64 bytes from 203.178.141.194: icmp_seq=2 ttl=46 time=224.022 ms
^C
--- orange.kame.net ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 224.022/232.968/248.911/11.302 ms
$
Step 7 – Install additional packages via FTP
$ su
Password: rootpw
(characters will not echo)
root@vrouter:/usr/home/admin # sysinstall
This will bring up a menu based wizard that allows additional system installation steps. Select
Configure, then Packages. Select FTP as installation media. Hit Enter. You can add any of the
packages listed, but be sure to include security / sudo-1.8.3_1. Once all additional packages are
selected, select [OK], then [Install]. It will list the selected packages. Select [OK]. The selected
packages (and any dependencies) will be installed. To exit sysinstall, select X Exit from the
configure menu, then X Exit Install from the main menu.
Note: after this step, I will not show the complete root prompt, just “#”.
Step 8 – Install Micro Emacs text editor from ports
If you are familiar with the UNIX vi editor, that is always available (no installation is required). If
not, there is a simple emacs style full screen editor called edit in FreeBSD, but Micro Emacs
(uemacs) is more complete. We will build and install uemacs from the FreeBSD ports. You can
install additional applications from the FreeBSD ports if you need them.
# cd /usr/ports/editors/uemacs
# make install clean
...
===> Registering installation for uemacs-4.0
===> Cleaning for uemacs-4.0
# pkg_info | grep uemacs
uemacs-4.0          A full screen editor
The last step allows use of the entire 80x24 screen size by removing the help text at top of
screen if you are already familiar with emacs style commands. You can just rename the file if
you prefer.
# cd /usr/local/share/uemacs/
# rm .emacsrc
Terminate super user mode with the exit command. You will once again be running as admin, as
indicated by the "$" command prompt.
# exit
exit
$
Now test uemacs editor.
$ uemacs testfile
(start uemacs editor on “testfile”, currently empty)
(type a few lines of text, exit editor with ESC Z)
$ cat testfile
...
(view contents of "testfile")
Step 9 – Configure and use the sudo utility
The sudo utility is an alternative to the su command, which allows you to execute one command
with root privilege. It is safer than temporarily becoming the root user with su. It also only
requires you to know your own password, not the root password. You must edit a file to enable
members of the wheel group to issue commands with root privilege (but they must supply their
own password).
First, enter super user mode with su. Use uemacs (or any other text editor) to edit the file
/usr/local/etc/sudoers. This must be done with root privilege.
$ su
Password: rootpw
vrouter# uemacs /usr/local/etc/sudoers
Find the line that says
## Uncomment to allow members of group wheel to execute any command.
The next line currently contains
# %wheel ALL=(ALL) ALL
Remove the leading "#" to uncomment it. It should now look like this:
%wheel ALL=(ALL) ALL
Exit the editor and save the file (ESC Z). Terminate super user mode with the exit command.
# exit
$
To use this utility, type the command sudo followed by any command that requires root
privilege. The first time you use sudo, it will print a warning. It will always ask for your password
(not the root password). If you enter it correctly, the command will be executed with root
privilege, and then your normal privilege level will resume. For example (even though "ls /usr"
doesn't require root privilege):
$ sudo ls /usr
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
Password: adminpw
bin       games     home      include   lib       lib32     libdata
libexec   local     obj       ports     sbin      share     src
$
If you have authenticated yourself to sudo in the last few minutes, it will not ask for your
password again, it will just immediately perform the specified command at root privilege.
Network Configuration
Now that you've completed the basic FreeBSD install, it is time to do some additional configuration of it.
In FreeBSD 9.1, network configuration is done by editing various text files in /etc.
File /etc/rc.conf - Node addresses, prefix lengths, default gateways and routing
In /etc/rc.conf, you configure the IPv4 and IPv6 node addresses and prefix lengths for each interface, as
well as the default gateways. Note that the syntax for some configuration items changed starting with
FreeBSD v9.0.
To specify the IPv4 node address and netmask:
ifconfig_ifname="inet ipv4_address netmask subnet_mask"
To specify the IPv4 default gateway:
defaultrouter="ipv4_address"
To accept router advertisements on an interface (there is no need to enable IPv6 in 9.x, as you had to do
in earlier versions of FreeBSD - it is enabled by default):
ifconfig_ifname_ipv6="inet6 accept_rtadv"
To specify an IPv6 node address and prefix length (the default prefix length is 64, so most of the time the
second form is acceptable):
ifconfig_ifname_ipv6="inet6 ipv6_address prefixlen prefix_length"
ifconfig_ifname_ipv6="inet6 ipv6_address"
To enable automatic generation of a link-local address only (no global unicast addresses):
ifconfig_ifname_ipv6="inet6 auto_linklocal"
To manually specify the IPv6 default gateway (normally this is obtained via SLAAC):
ipv6_defaultrouter="ipv6_global_address"
ipv6_defaultrouter="ipv6_linklocal_address%ifname"
Examples:
ifconfig_em0="inet 172.20.10.1 netmask 255.255.0.0"
ifconfig_em1="inet 172.21.0.1 netmask 255.255.0.0"
defaultrouter="172.16.0.1"
ifconfig_em0_ipv6="inet6 2001:470:3d:3000:172:20:10:1 prefixlen 64"
ifconfig_em0_ipv6="inet6 accept_rtadv"
ifconfig_em1_ipv6="inet6 auto_linklocal"
ipv6_defaultrouter="2001:db8:1:2::1"
ipv6_defaultrouter="fe80::16da:e9ff:fe41:871b%em0"
To enable packet forwarding between all IPv4 enabled interfaces (disabled by default):
gateway_enable="YES"
To enable packet forwarding between all IPv6 enabled interfaces (disabled by default):
ipv6_gateway_enable="YES"
To specify IPv4 static routes:
static_routes="list_of_network_names"
route_network_name_n="-net ipv4_netblock ipv4_gateway_address"
To specify IPv6 static routes (normally the gateway of an IPv6 static route should be a link-local address):
static_routes="network_name_1 network_name_2 ... network_name_N"
route_network_name_n="ipv6_netblock ipv6_gateway_address"
To enable the Router Advertisement daemon (rtadvd):
rtadvd_enable="YES"
To specify the interface(s) on which Router Advertisements will be sent:
rtadvd_interfaces="ifname1 ifname2 ... ifnameN"
Examples (rc.conf is read as a shell script, so in one file list all route names, IPv4 and IPv6, in a single static_routes assignment; a second assignment replaces the first):
gateway_enable="YES"
static_routes="v4int1 v4int2"
route_v4int1="-net 172.21.0.0/16 172.20.10.1"
route_v4int2="-net 172.22.0.0/16 172.20.10.2"
ipv6_gateway_enable="YES"
static_routes="v6int1 v6int2"
route_v6int1="2001:db8:1:3::/64 fe80::16da:e9ff:fe41:871b%em1"
route_v6int2="2001:db8:1:4::/64 fe80::16da:e9ff:fe41:54dd%em1"
Sample initial /etc/rc.conf (both NICs, IPv4 and IPv6 packet forwarding enabled):
# Configuration file for vrouter.v6lab.info
hostname="vrouter.v6lab.info"
# IPv4 Configuration
ifconfig_em0="inet 172.20.10.1 netmask 255.255.0.0"
defaultrouter="172.20.0.1"
ifconfig_em1="inet 172.21.0.1 netmask 255.255.0.0"
# enable IPv4 packet forwarding
gateway_enable="YES"
# IPv6 Configuration
# (one assignment per variable: a second ifconfig_em0_ipv6 line would replace this one)
ifconfig_em0_ipv6="inet6 2001:470:3d:3000:172:20:10:1 -accept_rtadv"
ipv6_defaultrouter="fe80::290:bff:fe1b:5762%em0"
ip6addrctl_policy="ipv6_prefer"
ifconfig_em1_ipv6="inet6 2001:470:3d:3001::1"
# enable IPv6 packet forwarding
ipv6_gateway_enable="YES"
# Misc
sshd_enable="YES"
ntpd_enable="YES"
dumpdev="NO"
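As an added check (this code is not from the paper or from FreeBSD; it uses only the standard ipaddress and re modules), the following lints an rc.conf fragment for the pitfalls of this section: a variable assigned twice (rc.conf is sourced by sh(1), so the last value silently wins), an IPv6 address written after the inet keyword, a link-local gateway given without its %ifname scope, and an IPv6 static route whose gateway is a global rather than a link-local address. The sample input is constructed for the example.

```python
"""Lint the network part of a FreeBSD 9.x /etc/rc.conf (added example, not from
the paper). rc.conf is sourced by sh(1), so a variable assigned twice keeps only
the LAST value; the IPv6 checks follow the paper's own rules."""
import ipaddress
import re

ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)=["\']?(.*?)["\']?\s*$')

# Constructed input in the style of the paper's sample rc.conf, with three planted
# faults: ifconfig_em0_ipv6 set twice (the second with "inet"), a link-local
# default router without its %em0 scope, and a static route via a global gateway.
SAMPLE_RC_CONF = """\
ifconfig_em0="inet 172.20.10.1 netmask 255.255.0.0"
ifconfig_em0_ipv6="inet6 -accept_rtadv"
ifconfig_em0_ipv6="inet 2001:470:3d:3000:172:20:10:1"
ipv6_defaultrouter="fe80::290:bff:fe1b:5762"
ifconfig_em1_ipv6="inet6 2001:470:3d:3001::1"
static_routes="v6int1 v6int2"
route_v6int1="2001:db8:1:3::/64 2001:470:3d:3001::2"
route_v6int2="2001:db8:1:4::/64 fe80::16da:e9ff:fe41:54dd%em1"
"""

def parse_rc_conf(text):
    """Return ([(name, value), ...] in file order, [duplicate-assignment findings])."""
    entries, first_seen, findings = [], {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGN.match(line.split("#", 1)[0])  # strip comments, skip non-assignments
        if not m:
            continue
        name, value = m.groups()
        if name in first_seen:
            findings.append(f"line {lineno}: {name} already set on line "
                            f"{first_seen[name]}; the later value wins")
        first_seen.setdefault(name, lineno)
        entries.append((name, value))
    return entries, findings

def gateway_issue(addr, what, require_link_local):
    """Check one IPv6 gateway (optionally 'addr%ifname'); return a finding or None."""
    host, _, zone = addr.partition("%")
    try:
        ip = ipaddress.IPv6Address(host)
    except ValueError:
        return f"{what}: {addr!r} is not an IPv6 address"
    if require_link_local and not ip.is_link_local:
        return f"{what}: gateway {host} should be link-local (fe80::/10), not global"
    if ip.is_link_local and not zone:
        return f"{what}: link-local gateway {host} needs a %ifname scope"
    return None

def lint_rc_conf(text):
    """Return all findings for one rc.conf text; an empty list means clean."""
    entries, findings = parse_rc_conf(text)
    conf = dict(entries)  # last assignment wins, exactly as sh(1) sees it
    for name, value in entries:
        if name.startswith("ifconfig_") and name.endswith("_ipv6") and value.split()[:1] != ["inet6"]:
            findings.append(f"{name}: value must start with 'inet6', got {value!r}")
    if "ipv6_defaultrouter" in conf:  # the paper allows a global address here
        findings.append(gateway_issue(conf["ipv6_defaultrouter"], "ipv6_defaultrouter", False))
    for rname in conf.get("static_routes", "").split():
        args = conf.get(f"route_{rname}", "").split()
        if len(args) < 2:
            findings.append(f"route_{rname}: expected 'destination gateway', got {args}")
        elif ":" in args[0]:  # IPv6 route: gateway must be link-local (paper's rule)
            findings.append(gateway_issue(args[1], f"route_{rname}", True))
    return [f for f in findings if f]  # drop the None results of clean gateways
```

Running lint_rc_conf(SAMPLE_RC_CONF) reports the four planted faults in file order; a clean file returns an empty list.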
DNS Resolver Configuration
In /etc/resolv.conf you configure the DNS client (resolver) on this node as follows:
To specify the domain name (if not specified here, it is obtained from the host name as returned by
gethostname()):
domain domain_name
To specify one or more domain names to search when just a nodename is specified (by default the list
contains only the node's domain name):
search domain_name1 domain_name2 ... domain_nameN
To specify the IP address of a DNS server (any number of IPv4 and/or IPv6 addresses may be specified):
nameserver ip_address
Example configuration:
domain v6lab.info
search v6lab.info
nameserver 172.25.0.13
nameserver 172.25.0.14
nameserver 2001:db8:1:2::13
nameserver 2001:db8:1:2::14
DHCPv4 Access for Nodes in an Internal Subnet
In order for nodes in any subnet to do automated network configuration, those nodes must have link-local
access to a DHCPv4 server, or to a DHCPv4 relay agent that in turn has unicast access to a remote
DHCPv4 server (one located in some other subnet). Nodes make DHCPv4 requests using broadcast,
which will not cross a router. So, if you create an "internal" subnet connected to the rest of the network
via a router, there must be a DHCPv4 server or relay agent on that subnet. Although this could be
deployed on any node in the subnet, the ideal node is the border router itself.
FreeBSD includes both a DHCPv4 server and a DHCPv4 relay agent. You can deploy and configure a
DHCPv4 server with just the information needed for this subnet. If there is a remote DHCPv4 server
available that can provide network configuration (indirectly) for nodes in this subnet, you can deploy a
DHCPv4 relay agent instead. A relay agent only needs the address of the remote DHCPv4 server. A local
DHCPv4 server must have a valid IPv4 node address pool, plus the stateless information appropriate for
nodes in this subnet, including the subnet mask, the default gateway and the IPv4 address(es) of DNS servers.
DHCPv4 Server Deployment and Configuration
The FreeBSD DHCPv4 server (dhcpd) must be installed and configured. Once you install it, additional
information on dhcpd is available via man dhcpd.
You can install it via the package system, or build it from the ports. The package name is
isc-dhcp42-server-4.2.4_2. In the ports system, look under /usr/ports/net/isc-dhcp42-server.
Assuming the internal NIC of the router is em1, to start the ISC dhcpd server for DHCPv4 at boot time,
include the following lines in /etc/rc.conf:
dhcpd_enable="YES"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_ifaces="em1"
dhcpd_flags="-q"
The configuration of the DHCPv4 server is done in file /usr/local/etc/dhcpd.conf. Complete details are
available via man dhcpd.conf, but a basic configuration is shown below. There are many other options
you can configure, and you can also give the server hints about the total network topology.
The subnet is as follows:
IPv4 netblock: 172.21.0.0/16 (prefix = 172.21.0.0, netmask = 255.255.0.0)
IPv4 default gateway: 172.21.0.1 (inside NIC of router)
Managed IPv4 address pool: 172.21.2.1 to 172.21.2.254
IPv4 address of DNS: 172.20.0.13, 172.20.0.14 (in the physical LAN)
Subnet domain name: v6lab.info
DHCPv4 default lease time: 1 day (86400 seconds)
Maximum lease time: 1 week (604800 seconds)
Sample /usr/local/etc/dhcpd.conf file for above subnet:
# dhcpd.conf
# global configuration items (affect all declared subnets)
option domain-name "v6lab.info";
option domain-name-servers 172.20.0.13, 172.20.0.14;
# 600=10 min, 3600=1 hour, 86400=1 day, 604800=1 week, 2592000=30 days
default-lease-time 86400;
max-lease-time 604800;
# disable dynamic DNS registration
ddns-update-style none;
# this DHCPv4 server is official for the declared network
authoritative;
# hints about other subnets (no configuration will be done on these subnets)
subnet 172.20.0.0 netmask 255.255.0.0 {
}
# subnet declaration for this DHCPv4 server
subnet 172.21.0.0 netmask 255.255.0.0 {
range 172.21.2.1 172.21.2.254;
option routers 172.21.0.1;
option subnet-mask 255.255.0.0;
}
Install and Configure ISC DHCPv6 Server
The same executable used for DHCPv4 can be run with the -6 command line option, to provide DHCPv6
service. The configuration is similar to that for DHCPv4, but a bit different given the differences in
DHCPv4 and DHCPv6 and the two types of addresses.
If you need to start the DHCPv6 server manually, use the following command:
/usr/local/sbin/dhcpd -6 -d -cf /usr/local/etc/dhcpd6.conf em1
"-6" says to run DHCPv6 instead of DHCPv4.
"-d" says to send messages to the standard error descriptor for debugging (default = use syslog).
"-cf /usr/local/etc/dhcpd6.conf" specifies the path of the configuration file.
"em1" specifies the interface on which to accept DHCPv6 messages.
Assuming the internal NIC of the router is em1, to start the ISC dhcpd server for DHCPv6 at boot time,
include the following lines in /etc/rc.conf:
dhcpd6_enable="YES"
dhcpd6_conf="/usr/local/etc/dhcpd6.conf"
dhcpd6_ifaces="em1"
You can confirm that both DHCPv4 and DHCPv6 servers are running with the ps command. You should
see two processes listed, as shown (one for DHCPv4 and one for DHCPv6):
$ ps -ax | grep dhcp
 865  ??  Is     0:00.00 /usr/local/sbin/dhcpd -6 -cf /usr/local/etc/dhcpd6.conf
 882  ??  Is     0:00.00 /usr/local/sbin/dhcpd -q -cf /usr/local/etc/dhcpd.conf -l
1038   0  R+     0:00.00 grep dhcp
$
The configuration file is in /usr/local/etc/dhcpd6.conf and mine contained the following. Modify
addresses, domain name and times for your configuration.
# Server configuration file for DHCPv6
# 30 days = 2592000 seconds
# 1 week = 604800 seconds
# 1 day = 86400 seconds
# 1 hour = 3600 seconds
# IPv6 address valid lifetime - 30 days is the usual IPv6 setting
default-lease-time 2592000;
# IPv6 address preferred lifetime - 7 days is the usual IPv6 setting
preferred-lifetime 604800;
# T1, the delay before Renew
# default is 1/2 of the preferred lifetime
option dhcp-renewal-time 3600;
# T2, the delay before Rebind (if Renews failed)
# default is 3/4 of the preferred lifetime
option dhcp-rebinding-time 7200;
# Enable RFC 5007 support (same as for DHCPv4)
allow leasequery;
# Global definitions for name server addresses and domain search list
option dhcp6.name-servers 2001:470:3d:3000::13, 2001:470:3d:3000::14;
option dhcp6.domain-search "v6lab.info";
# Set preference to 255 (maximum) to avoid waiting for another DHCPv6 server
# when there is only one
option dhcp6.preference 255;
# Server side command to enable rapid-commit (2 message exchange).
# Here it is commented out, so the normal 4 message exchange is used.
#option dhcp6.rapid-commit;
# The delay before information-request refresh (min 10 min, max 1 day,
# default = no refresh). Set here to 6 hours
option dhcp6.info-refresh-time 21600;
# The path of the lease file - the script in /usr/local/etc/rc.d will
# create this the first time, and set permissions as needed
dhcpv6-lease-file-name "/var/db/dhcpv6.leases";
# The subnet where the server is attached (i.e. the server has an address
# in this subnet)
subnet6 2001:470:3d:3001::/64 {
range6 2001:470:3d:3001::1:1 2001:470:3d:3001::1:ffff;
# use the whole /64 prefix for temporary addresses as per RFC 4941
range6 2001:470:3d:3001:: temporary;
}
Providing Router Advertisements for Nodes in the Internal Subnet (to enable SLAAC)
To enable nodes in the internal subnet to do automated IPv6 network configuration with SLAAC, there
must be a source of Router Advertisement messages in one or more routers on that subnet. Typically
there is only a single router for a subnet, so that is where the Router Advertisement daemon is
deployed. A Router Advertisement daemon can only be deployed on a router (a node with multiple
network interfaces, and in which packet forwarding is enabled). You cannot deploy a Router
Advertisement daemon on a host (a node that has only one network interface, or that is not doing
packet forwarding).
It is also possible to deploy a stateless DHCPv6 server (one that supplies stateless information, such as
the IPv6 addresses of DNS) or a stateful DHCPv6 server (one that also can supply a unique IPv6 unicast
address in addition to any created via SLAAC). You cannot do automated network configuration with just
DHCPv6, unlike in IPv4. You can prevent the Router Advertisement messages from including a subnet
prefix, in which case nodes will not generate unicast global IPv6 addresses during SLAAC. IPv6 nodes will
generate a unique link-local address without any help, but they can only discover the IPv6 default
gateway via manual configuration or by getting Router Advertisements during SLAAC. Nodes cannot
obtain the IPv6 default gateway address from DHCPv6.
Note that a Router Advertisement daemon will periodically send unsolicited Router Advertisement
messages. It will also reply immediately to a Router Solicitation message from any node on the subnet
with a solicited Router Advertisement. Solicitations are sent by any node to the all-routers link-local
multicast address (ff02::2). Router Advertisements are sent by routers to the all-nodes link-local
multicast address (ff02::1).
Recently, RFC 6106 has introduced a way for routers to provide one or more IPv6 addresses of DNS
servers (rdnss), and a DNS search list (dnssl) as new options in Router Advertisement messages. In
FreeBSD, this option is supported for the first time in v9.x. The FreeBSD 9.x Router Advertisement
daemon (rtadvd) can advertise these items, and a FreeBSD v9.x host can obtain these items during
SLAAC.
As of the writing of this paper, Windows nodes do not support RFC 6106. This means Windows clients
cannot obtain DNS information from Router Advertisement messages, even if they are present.
Likewise, the Router Advertisement daemon in Windows Server 2008 (or 2008 R2) cannot include these
new options in Router Advertisement messages.
Enable and Configure Router Advertisements
The FreeBSD Router Advertisement daemon (rtadvd) is installed by default, but not enabled or
configured. Additional information on rtadvd is available via man rtadvd.
Assuming the inside NIC of the router is em1, to enable the FreeBSD Router Advertisement daemon,
include the following lines in /etc/rc.conf:
rtadvd_enable="YES"
rtadvd_ifaces="em1"
The configuration of the Router Advertisement daemon is done in file /etc/rtadvd.conf. Complete details
are available via man rtadvd.conf, but a basic configuration is shown below that will advertise the prefix
2001:db1:1:1000::/64 on interface em1.
em0:\
:rltime#0:
em1:\
:addr="2001:470:3d:3001::":prefixlen#64:
The configuration for em0 sets the router lifetime to 0, so that it will not be considered as a gateway.
Without this, internal nodes may configure two default gateways (the real one, and the external NIC of
this router).
A more complex configuration example will cause rtadvd to advertise all of the following items as
options in its Router Advertisement messages:
Item                 Keyword    Default          Setting
Default Hop Limit    chlim      64               32 hops
Router Adv. Flags    raflags    0                128 (M flag = 1, O flag = 0)
Router lifetime      rltime     1800             3600 seconds (1 hour)
Reachable time       rtime      0                1000 milliseconds (1 second)
Retrans time         retrans    0                100 milliseconds
Prefix length        prefixlen  64               64
Address prefix       addr       (none)           2001:db8:1:2000::
Valid lifetime       vltime     2592000 (30d)    604800 (7d)
Preferred lifetime   pltime     604800 (7d)      172800 (2d)
MTU                  mtu        (none)           1500 bytes
IPv6 DNS address     rdnss      (none)           2001:470:3d:3000::13, 2001:470:3d:3000::14
DNS search string    dnssl      (none)           v6lab.info
So here are the contents of /etc/rtadvd.conf for the above configuration:
em0:\
:rltime#0:
em1:\
:chlim#32:raflags=128:rltime#3600:rtime#1000:retrans#100:\
:vltime#604800:pltime#172800:mtu#1500:\
:addr="2001:470:3d:3001::":prefixlen#64:\
:rdnss="2001:470:3d:3000::13,2001:470:3d:3000::14":\
:dnssl="v6lab.info":
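As an added example (not the paper's or FreeBSD's own code), here is a small parser for this termcap-style rtadvd.conf format together with checks for the points made above: rltime must be 0 on the outside interface, the preferred lifetime cannot exceed the valid lifetime, and addr must be a clean prefix for the given prefixlen. The defaults used for absent keys are the ones in the table above; the embedded configuration is the one shown above, copied in as constructed input.

```python
"""Parse a termcap-style /etc/rtadvd.conf and check it for the pitfalls the paper
describes (added example; not the paper's or FreeBSD's own code)."""
import ipaddress
# The paper's second rtadvd.conf, embedded as constructed input (tabs as \t).
RTADVD_CONF = """\
em0:\\
\t:rltime#0:
em1:\\
\t:chlim#32:raflags=128:rltime#3600:rtime#1000:retrans#100:\\
\t:vltime#604800:pltime#172800:mtu#1500:\\
\t:addr="2001:470:3d:3001::":prefixlen#64:\\
\t:rdnss="2001:470:3d:3000::13,2001:470:3d:3000::14":\\
\t:dnssl="v6lab.info":
"""

def _split_fields(record):
    """Split a termcap record on ':' but never inside double quotes (IPv6 addresses
    contain colons, which is why rtadvd.conf quotes them)."""
    fields, cur, quoted = [], [], False
    for ch in record:
        if ch == '"':
            quoted = not quoted
        elif ch == ":" and not quoted:
            fields.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    fields.append("".join(cur))
    return [f.strip() for f in fields if f.strip()]

def parse_rtadvd_conf(text):
    """Return {ifname: {capability: value}}: 'key#n' -> int, 'key=s' -> str,
    bare 'key' -> True. A trailing backslash continues the record."""
    conf = {}
    for record in text.replace("\\\n", "").splitlines():
        fields = _split_fields(record)
        if not fields or fields[0].startswith("#"):
            continue
        caps = {}
        for field in fields[1:]:
            if "#" in field:
                key, val = field.split("#", 1)
                caps[key] = int(val)
            elif "=" in field:
                key, val = field.split("=", 1)
                caps[key] = val.strip('"')
            else:
                caps[field] = True
        conf[fields[0].split("|")[0]] = caps  # 'em0|alias' names one interface
    return conf

def check_rtadvd_conf(conf, outside_if):
    """Return problems; absent keys take the defaults the paper's table lists."""
    problems = []
    if conf.get(outside_if, {}).get("rltime", 1800) != 0:
        problems.append(f"{outside_if}: rltime must be 0 on the outside interface, "
                        "or internal nodes learn a second default gateway")
    for ifname, caps in conf.items():
        if ifname == outside_if:
            continue
        if caps.get("pltime", 604800) > caps.get("vltime", 2592000):
            problems.append(f"{ifname}: pltime exceeds vltime")
        try:  # the advertised prefix must be a network address, not a host address
            ipaddress.IPv6Network(f"{caps.get('addr', '::')}/{caps.get('prefixlen', 64)}")
        except ValueError as exc:
            problems.append(f"{ifname}: bad addr/prefixlen: {exc}")
    return problems
```

check_rtadvd_conf(parse_rtadvd_conf(RTADVD_CONF), "em0") returns no problems for the configuration above; a file that leaves em0's rltime at its default, or advertises a host address as the prefix, is reported.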
Final /etc/rc.conf file
# Configuration file for vrouter.v6lab.info
hostname="vrouter.v6lab.info"
# IPv4 Configuration
ifconfig_em0="inet 172.20.10.1 netmask 255.255.0.0"
defaultrouter="172.20.0.1"
ifconfig_em1="inet 172.21.0.1 netmask 255.255.0.0"
# enable IPv4 packet forwarding
gateway_enable="YES"
# IPv6 Configuration
# (one assignment per variable: a second ifconfig_em0_ipv6 line would replace this one)
ifconfig_em0_ipv6="inet6 2001:470:3d:3000:172:20:10:1 -accept_rtadv"
ipv6_defaultrouter="fe80::290:bff:fe1b:5762%em0"
ip6addrctl_policy="ipv6_prefer"
ifconfig_em1_ipv6="inet6 2001:470:3d:3001::1"
# enable IPv6 packet forwarding
ipv6_gateway_enable="YES"
# enable DHCPv4 server
dhcpd_enable="YES"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_ifaces="em1"
dhcpd_flags="-q"
# enable DHCPv6 server
dhcpd6_enable="YES"
dhcpd6_conf="/usr/local/etc/dhcpd6.conf"
dhcpd6_ifaces="em1"
dhcpd6_flags="-q"
# enable router advertisements
rtadvd_enable="YES"
rtadvd_ifaces="em1"
# Misc
sshd_enable="YES"
ntpd_enable="YES"
dumpdev="NO"
Static Routes
The default routing rules (for both IPv4 and IPv6) are:
1. If destination is "on-link" (on same link as sender), deliver packet directly to destination node
2. If destination is "off-link" (in some other link), deliver packet to default gateway
These rules work most of the time, but when you have nested subnets, static routes are required to
allow nodes to communicate "upstream". These normally go not on the nodes that are communicating,
but on the router which is the default gateway for the downstream subnet (e.g. the External subnet,
below).
In this case, we have two subnets and a router connecting them:
External Subnet (the physical LAN, closer to ISP):
IPv4 Netblock: 172.20.0.0/16
IPv6 Netblock: 2001:470:3d:3000::/64
IPv4 Default Gateway: 172.20.0.1
IPv6 Default Gateway: fe80::290:bff:fe1b:5762
Internal Subnet (VirtualBox internal network "int1", further from ISP):
IPv4 Netblock: 172.21.0.0/16
IPv6 Netblock: 2001:470:3d:3001::/64
IPv4 Default Gateway: 172.21.0.1
IPv6 Default Gateway: fe80::a00:27ff:fe13:77d5
Node vrouter, with em0 (external interface) connected to the external subnet, and em1 (internal
interface) connected to the internal subnet, forwarding packets between them.
em0 connected to external subnet:
IPv4: 172.20.10.1
IPv6 Global: 2001:470:3d:3000:172:20:10:1
IPv6 Link-local: fe80::a00:27ff:fee0:f21f
IPv4 Default Gateway: 172.20.0.1
IPv6 Default Gateway: fe80::290:bff:fe1b:5762
em1 connected to internal subnet:
IPv4: 172.21.0.1
IPv6 Global: 2001:470:3d:3001::1
IPv6 Link-Local: fe80::a00:27ff:fe13:77d5
Using default routing rules, nodes in internal subnet cannot successfully connect "upstream" to nodes in
External Subnet. For such connections to work, you must install static routes on the router at External
Subnet’s default gateway (the one at 172.20.0.1) for both IPv4 and IPv6. The two routes basically say:
1. Redirect all IPv4 traffic for subnet 172.21.0.0/16 to 172.20.10.1 (IPv4 address of external NIC of
vrouter)
2. Redirect all IPv6 traffic for subnet 2001:470:3d:3001::/64 to fe80::a00:27ff:fee0:f21f (link local
address of external NIC of vrouter).
The syntax for these static routes depends on the brand or OS of the router which is the default gateway
for the External Subnet. Note that in IPv6, the target of a static route should always be a link-local
address, not a global unicast address (or the Neighbor Discovery redirect mechanism won't work correctly).
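To make the two routing rules and the effect of the static routes concrete, here is an added example (not from the paper) that applies rule 1 (on-link, deliver directly), then the most specific static route, then rule 2 (default gateway) to the topology above, from the point of view of the router at the External Subnet's default gateway. That router's ISP-facing gateways and its LAN interface name are not given in the paper, so they appear as placeholders.

```python
"""Next-hop selection: the paper's two default rules plus static routes, applied to
its External/Internal topology (added example, not from the paper)."""
import ipaddress

def next_hop(dest, onlink_prefixes, static_routes, default_gw):
    """Rule 1: on-link -> deliver directly. Otherwise the most specific matching
    static route, and only then rule 2: the default gateway."""
    dest = ipaddress.ip_address(dest)
    for prefix in onlink_prefixes:
        net = ipaddress.ip_network(prefix)
        if net.version == dest.version and dest in net:
            return ("direct", str(dest))
    best = None
    for prefix, gateway in static_routes:
        net = ipaddress.ip_network(prefix)
        if net.version == dest.version and dest in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, gateway)  # longest prefix wins
    if best is not None:
        return ("static", best[1])
    return ("default", default_gw)

# The router at the External Subnet's default gateway (172.20.0.1 /
# fe80::290:bff:fe1b:5762). Its upstream side is not in the paper, so the ISP
# gateways and its interface names are placeholders.
UPSTREAM_ONLINK = ["172.20.0.0/16", "2001:470:3d:3000::/64"]
ISP_GW_V4, ISP_GW_V6 = "<isp-v4-gateway>", "<isp-v6-link-local>%<wan-if>"

# The two static routes the paper says that router needs: Internal Subnet via
# vrouter's external NIC (its IPv4 address, and its link-local address for IPv6).
STATIC_ROUTES = [
    ("172.21.0.0/16", "172.20.10.1"),
    ("2001:470:3d:3001::/64", "fe80::a00:27ff:fee0:f21f%<lan-if>"),
]

def upstream_next_hop(dest, with_static_routes=True):
    """Where the upstream router sends a packet for dest, with or without the routes."""
    default_gw = ISP_GW_V6 if ":" in dest else ISP_GW_V4
    return next_hop(dest, UPSTREAM_ONLINK,
                    STATIC_ROUTES if with_static_routes else [], default_gw)
```

Without the static routes, replies to Internal Subnet nodes leave towards the ISP and are lost; with them, they go to vrouter's external NIC.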