153 lines
8.5 KiB
XML
153 lines
8.5 KiB
XML
<?xml version="1.0" encoding="UTF-8" ?>
|
|
<heIPv6 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
|
xmlns="https://tunnelbroker.net/"
|
|
xsi:schemaLocation="https://tunnelbroker.net/ http://schema.xml.r00t2.io/projects/router/he_ipv6.xsd">
|
|
<!--
|
|
This is a sample XML configuration file to use with he_ipv6.py.
|
|
If you do not yet have an IPv6 Tunnelbroker.net allocation, you can get one (for free!) at:
|
|
https://www.tunnelbroker.net/tunnel_detail.php?tid=584532
|
|
I highly recommend their (free) certification as well if you're brand-new to IPv6:
|
|
https://ipv6.he.net/certification/
|
|
**It is VERY highly encouraged to only use one tunnel at a time on a machine. Completely unpredictable results will
|
|
incur if this is not heeded.**
|
|
-->
|
|
<creds>
|
|
<!--
|
|
Credentials are kept separate from tunnel configuration because you can have multiple (up to 5) tunnels per user.
|
|
-->
|
|
<cred id="ipv6user">
|
|
<user>ipv6user</user>
|
|
<password>someSecretPassword</password>
|
|
</cred>
|
|
<cred id="anotheruser">
|
|
<user>someotheruser</user>
|
|
<password>anotherPassword</password>
|
|
</cred>
|
|
</creds>
|
|
<tunnels>
|
|
<!--
|
|
Each tunnel MUST have an "id" and a "creds" attribute. The "creds" attribute should reference an "id" of a
|
|
creds/cred object.
|
|
The tunnel ID can be found by logging into your tunnelbroker.net panel, clicking on the tunnel you wish to use, and
|
|
looking at the URL in your browser.
|
|
It is in the format of https://www.tunnelbroker.net/tunnel_detail.php?tid=[TUNNEL ID]
|
|
So if it takes you to e.g. https://www.tunnelbroker.net/tunnel_detail.php?tid=12345, your tunnel ID would
|
|
be "12345".
|
|
-->
|
|
<tunnel id="12345" creds="ipv6user">
|
|
<!--
|
|
You can find the updateKey in the "Advanced" tab of your tunnel's configuration on your tunnelbroker.net panel.
|
|
-->
|
|
<updateKey>xXxXxXxXxXxXxXXX</updateKey>
|
|
<!--
|
|
Where to assign your allocations. The default allocation prefix is a /64 (prefix="64"), since that's what
|
|
SLAAC (RFC 2462) recommends.
|
|
It has one optional attribute, "raProvider", which can be "dnsmasq" or "radvd". Its configuration file will be
|
|
regenerated and the service restarted after the addresses are allocated to interfaces. Further system
|
|
configuration may be required. If not specified, the default is to not send router advertisements (RFC 4861). See
|
|
the "ra" child element under <assign> for further details.
|
|
If you are using dnsmasq, you will want to edit dnsmasq.conf to *include* the generated file, most likely, as it
|
|
only generates configuration for IPv6 options.
|
|
If this is not specified, NO RA/DHCPv6 management will be done *regardless* of any "re" child elements for below
|
|
"assign" objects.
|
|
-->
|
|
<assignments raProvider="dnsmasq">
|
|
<!--
|
|
Each assignment has the following required attributes:
|
|
* "prefix" - the size of the subnet to assign to an interface, "64" (/64) by default since that's what SLAAC
|
|
recommends. Note that if you use your /64 allocation and don't specify a longer prefix, you can
|
|
only have one assignment for that allocation.
|
|
* "alloc" - this should match the prefix of the allocation. Hurricane Electric only allows you one /64 and,
|
|
optionally, one /48. Use "alloc" to reference which allocation you want to use. Uses "64" (/64)
|
|
by default.
|
|
* "iface" - which network interface on this machine the allocation should be added to.
|
|
Make sure you don't exceed your allocation size! (A /48 has 65536 /64s in it.)
|
|
The interface will be assigned :1 (the first host in the subnet) as well, so it is recommended that you do not
|
|
assign a /128 prefix.
|
|
-->
|
|
<assign prefix="64" alloc="64" iface="eth0">
|
|
<!--
|
|
Each assignment CAN have an "ra" child. The default is to not implement RA for this interface if an ra element
|
|
is not present.
|
|
It takes one optional attribute, which is only used for raProvider="dnsmasq", "tag", which is the tag name for
|
|
the interface (this should be set in an earlier included conf/the main dnsmasq.conf).
|
|
-->
|
|
<ra tag="main">
|
|
<!--
|
|
Specify RDNSS (RFC 8106). If specified, this allocation's "router IP" (<PREFIX>::1) will be passed as a
|
|
resolver via RDNSS.
|
|
It takes one (optional) attribute, "domains", which is a space-separated list of search domains, referred
|
|
to in IPv6 as DNSSL (RFC 6106).
|
|
Note that Windows does not support DNSSL properly, and as such you must use dnsmasq as your RA provider if
|
|
you wish to send search domains.
|
|
If "domains" is specified but the element is false, the configuration will only advertise DNSSL and not
|
|
RDNSS.
|
|
If you also specify dhcpv6 below and are using dnsmasq as your raProvider, then:
|
|
* the same domains will be sent via DHCPv6 option 24
|
|
* the same RDNSS resolver will be passed via DHCPv6 option 23
|
|
-->
|
|
<dns domains="foo.com bar.com">true</dns>
|
|
<!--
|
|
Enable DHCPv6 for this assignment.
|
|
|
|
RADVD:
|
|
If you're using radvd, this will only enable the "AdvManagedFlag" and/or "AdvOtherConfigFlag" flags
|
|
(the "MO" bits). *No actual DHCPv6 address assignment will, or can, occur via radvd, only SLAAC.*
|
|
|
|
DNSMASQ:
|
|
To ensure maximum compatability with SLAAC, addresses will be served in the fixed range of:
|
|
<PREFIX>:dead:beef:cafe:[0000-FFFF]
|
|
(65535 addresses per prefix assignment, a.k.a. a /112).
|
|
Obviously your assignment's prefix length *must* be smaller than /112 (but should be at LEAST a /64 anyways
|
|
per RFC specification). Regardless of settings below, SLAAC *will* be offered if an "ra" element is
|
|
defined ("A" bit). Since we entirely deal with local links, the L bit is also always set.
|
|
|
|
It has an optional attribute, "advOther", which controls the "Other Configuration" bit.
|
|
The default is "false".
|
|
The "MO" bits (RFC 4861 § 4.2) are set accordingly:
|
|
===========================================================================================================
|
|
| Condition | M | O | A | L | Will addresses be assigned via DHCPv6 (if dnsmasq)? |
|
|
===========================================================================================================
|
|
| advOther="true", dhcpv6 is true | 1 | 1 | 1 | 1 | Yes |
|
|
| advOther="true", dhcpv6 is false | 0 | 1 | 1 | 1 | No |
|
|
| advOther="false", dhcpv6 is false | 0 | 0 | 1 | 1 | No |
|
|
| advOther="false", dhcpv6 is true | 1 | 0 | 1 | 1 | Yes (but O = 0 is pointless) |
|
|
===========================================================================================================
|
|
-->
|
|
<dhcpv6 advOther="true">true</dhcpv6>
|
|
</ra>
|
|
</assign>
|
|
<!-- Disable RA for this set (no "ra" child specified). -->
|
|
<assign prefix="64" alloc="48" iface="eth0"/>
|
|
<assign prefix="64" alloc="48" iface="eth1">
|
|
<ra tag="vmlan">
|
|
<!-- This will use strictly SLAAC (if using dnsmasq, obviously - radvd only does SLAAC). -->
|
|
<dhcpv6 advOther="false">false</dhcpv6>
|
|
<!-- And let clients choose their own resolver. -->
|
|
<dns>false</dns>
|
|
</ra>
|
|
</assign>
|
|
<assign prefix="64" alloc="48" iface="eth2">
|
|
<ra tag="wlan">
|
|
<!-- Only pass RDNSS resolvers. -->
|
|
<dns>true</dns>
|
|
<dhcpv6 advOther="false">false</dhcpv6>
|
|
</ra>
|
|
</assign>
|
|
</assignments>
|
|
</tunnel>
|
|
<!-- And you can, of course, specify multiple tunnels. -->
|
|
<tunnel id="54321" creds="anotheruser">
|
|
<updateKey>0000000000000000</updateKey>
|
|
<assignments>
|
|
<!--
|
|
Uses the default prefix of /64 from your standard /64 allocation from Hurricane Electric.
|
|
Most users probably want this if they just want IPv6 for their local computer unless they're running an IPv6
|
|
router.
|
|
-->
|
|
<assign iface="eth0"/>
|
|
</assignments>
|
|
</tunnel>
|
|
</tunnels>
|
|
</heIPv6>
|