Tunneling IPv6 on Xplornet and Triple NAT

By chris February 18th, 2016, under FreeBSD, IPv6, tips and tricks, Xplornet

IPv6 fixes the address shortage of IPv4. Most people still have their own WAN address, but as new technologies emerge ISPs are slowly going the route of carrier NAT. Xplornet only offers you a 10.x IP address on their LTE, with no option for a static IP. I could do some fiddling and pay money for another IPv4 address on my VPS (Digital Ocean). Since all my stuff is set up for IPv6, why not bring some of those addresses down to my LAN, since it costs nothing.

He.net Tunneling

Hurricane Electric’s IPv6 tunnel broker offers free IPv6 tunneling. This uses protocol 41 (6in4), which I was unable to pass directly through to them. It also requires a static-ish IP. Since my IP is in a pool and changes randomly, this is not the solution for me.

The Solution

My solution is to run an OpenVPN connection to my VPS. This gives me access to my LAN over IPv4 and lets me push a /48 down to my home network.

I drew up a quick Visio diagram of my basic network as it sits at home.


To quickly explain it:

  • The CPE7000 Radio obtains a DHCP address off the Xplornet Tower (10.x/8)
  • My PFSense router obtains a 192.168.209.x/24 IP using DHCP from the CPE7000
  • My Workstation obtains its IP off of the PFSense’s DHCP server on the 192.168.0.x

The PFSense router will be making the OpenVPN connection. Since it is only a 500MHz box I have chosen to disable encryption (cipher none), so the tunnel runs in cleartext. If your machine is quicker I definitely recommend leaving encryption on.

What I used for my Setup

  • PFSense 2.x on a Soekris 5501
  • FreeBSD 10.2 on Digital Ocean VPS
  • /64 and /48 from Hurricane Electric
  • SSH access to your router

Digital Ocean VPS

Go ahead and sign up for a Digital Ocean VPS. A $5 a month VPS will work excellently for this task.

Use whatever operating system you would like; Hurricane Electric has scripts set up for just about every OS you can think of. I prefer FreeBSD, but a lot of people prefer Debian or CentOS and those work too. Once you have signed up and deployed your first server, follow the instructions to log in as root. Once in as root, go ahead and obtain your IPv4 address. You will need this for Hurricane Electric, to place in the IP box on your tunnelbroker account.

Configuration on VPS

Set up the IPv6 tunnel using the instructions provided for your distro:

  • FreeBSD
  • Debian
  • CentOS

Once you are up and running, test everything out by pinging Google:

ping6 google.com


Enable Routing

To turn your VPS into a router so it can forward packets for you, make sure to turn on IP forwarding. Below are some instructions to help you:

  • Linux
  • FreeBSD

Hurricane Electric

Sign up to Hurricane Electric’s Tunnel Broker

http://tunnelbroker.net

Once you sign up assign yourself a /64 and also a /48.


Since my VPS was in New York I used the New York tunnel to keep latency low.

[chris@cloud ~]$ ping6 2001:470:1f06:1038::1
PING6(56=40+8+8 bytes) 2001:470:1f06:1038::2 --> 2001:470:1f06:1038::1
16 bytes from 2001:470:1f06:1038::1, icmp_seq=0 hlim=64 time=1.662 ms

This is excellent: 1ms latency to he.net. I am assuming it is in or near the same datacenter as my VPS.

OpenVPN – VPS Side

Setting up OpenVPN is very simple, as we will just use a static (pre-shared) secret key to get things started quickly. You can of course upgrade the security as you need. Run this command on your VPS to generate a static key. Keep this key safe, as PFSense will also need a copy of it.

openvpn --genkey --secret static.key

Copy this key to the OpenVPN config location (/usr/local/etc/openvpn on BSD, /etc/openvpn on Debian and friends). Since it is the only secret protecting the tunnel, keep it readable by root only.

Here is the OpenVPN configuration I used on the VPS. This will be our “server”:

dev tun
proto udp
ifconfig 10.8.0.1 10.8.0.2
keepalive 10 120
secret /usr/local/etc/openvpn/static.key
cipher none
route 192.168.0.0 255.255.255.0
#IPv6 Goodies
tun-ipv6
push tun-ipv6
ifconfig-ipv6 2001:****:****::1 2001:****:****::2
route-ipv6 2001:****:****::/48

There are a few lines you may have to customize for your deployment:

  • ifconfig 10.8.0.1 10.8.0.2 <- This can be kept the same; if you already have another VPN using this subnet, change it.
  • route 192.168.0.0 255.255.255.0 <- This is the local LAN you are running behind your PFSense router. Again, change it to match your configuration.
  • ifconfig-ipv6 2001:****:****::1 2001:****:****::2 <- Put your /48 in there. This uses 2 IPs out of the first /64 for the link between the routers.
  • route-ipv6 2001:****:****::/48 <- Put your /48 in there. This routes your whole /48 to your PFSense box.

This instance is only running as a server, so it does not connect out to anything. I am assuming you are not running a firewall on the VPS (yet).
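As an added example (not part of the original post or its files), here is a small Python script that derives the addressing plan used above from a single /48, renders the VPS-side static-key config with those values, and flags the weak spots a reviewer would raise (cipher none, one shared secret). The /48 (a documentation prefix), the LAN and the key path are constructed placeholders.

```python
"""Derive this post's IPv6 addressing plan from one /48 and render the
VPS-side OpenVPN static-key config.  Added example, not the post's own
files; the /48, LAN and key path in __main__ are constructed values."""
import ipaddress
from typing import Dict, List


def plan_addresses(prefix48: str) -> Dict[str, str]:
    """First /64 of the /48 is the OpenVPN link (::1 VPS, ::2 pfSense),
    the second /64 is the home LAN with ::1 as the pfSense address."""
    net = ipaddress.IPv6Network(prefix48, strict=True)
    if net.prefixlen != 48:
        raise ValueError("expected a /48, got /%d" % net.prefixlen)
    sub = net.subnets(new_prefix=64)  # lazy: a /48 holds 65536 /64s
    link, lan = next(sub), next(sub)
    return {"delegated": str(net), "link_net": str(link),
            "vps_side": str(link[1]), "pfsense_side": str(link[2]),
            "lan_net": str(lan), "lan_gateway": "%s/64" % lan[1]}


def render_server_conf(plan: Dict[str, str], lan_v4: str, key_path: str,
                       cipher: str = "none") -> str:
    """Point-to-point static-key server as in the post: the whole /48 goes
    toward pfSense and the pfSense LAN /24 comes back over the tunnel."""
    lan = ipaddress.IPv4Network(lan_v4, strict=True)
    lines = ["dev tun", "proto udp", "ifconfig 10.8.0.1 10.8.0.2",
             "keepalive 10 120", "secret %s" % key_path, "cipher %s" % cipher,
             "route %s %s" % (lan.network_address, lan.netmask),
             "# IPv6 goodies", "tun-ipv6", "push tun-ipv6",
             "ifconfig-ipv6 %s %s" % (plan["vps_side"], plan["pfsense_side"]),
             "route-ipv6 %s" % plan["delegated"]]
    return "\n".join(lines) + "\n"


def audit_conf(conf: str) -> List[str]:
    """Flag a cleartext tunnel and a single pre-shared key file."""
    opts = {}
    for line in conf.splitlines():
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            opts[parts[0]] = parts[1] if len(parts) > 1 else ""
    warnings = []
    if opts.get("cipher") == "none":
        warnings.append("cipher none: LAN traffic crosses the tunnel in cleartext")
    if "secret" in opts:
        warnings.append("static key mode: no forward secrecy; keep %s mode 0600 "
                        "and rotate it" % opts["secret"])
    return warnings


if __name__ == "__main__":
    plan = plan_addresses("2001:db8:1::/48")  # constructed documentation prefix
    conf = render_server_conf(plan, "192.168.0.0/24", "/usr/local/etc/openvpn/static.key")
    print(conf + "pfSense: route add -inet6 default %s" % plan["vps_side"])
    for w in audit_conf(conf):
        print("WARNING:", w)
```

The last line printed is the same route command the pfSense section of this post adds by hand after each reboot.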

PFSense

Ensure your PFSense setup is up and running. The default settings should pretty much cover it. Ensure your client computers are able to access the internet.

  1. Login to the PFSense interface (Default: http://192.168.0.1)
  2. Click on VPN -> OpenVPN -> Client
  3. Create a client VPN
  4. Fill in the information similar to above, just ensure you connect to your VPS. This can be a hostname, or an IP if you don’t have DNS available. Interface is the interface your internet connection is on.

  5. Scroll down and paste the static key you generated earlier into the Cryptography Settings

  6. Ensure your routes and such look similar to mine


  • IP Tunnel Network -> Ensure this is the network you setup for OpenVPN earlier
  • IPv6 Tunnel Network -> This will be your /48 from he.net. Ensure you use ::1 as the IP. OpenVPN automatically sets it to ::2 internally.
  • IPv4 Remote Network -> Since my VPS is not running anything I want to directly route to it I left it blank.
  • IPv6 Remote Networks -> You will see I have 2 networks. My /48 and the /64 that is assigned as ::1 and ::2 for the he.net tunnel.
  • The rest of the settings are left default as they do not need to be changed.

  7. Open up ICMP on the OpenVPN network and allow ALL IPv4, as there is nothing globally routable on there.


  8. Also ensure IPv6 and IPv4 are globally allowed on your LAN network. Otherwise your outgoing traffic will be blocked, which is usually not wanted.


Verify it all works as of now

Now let’s test things out and make sure they work. Although the internet will not work at your house yet, you should be able to ping both sides of the tunnel:

ping6 2001:****:****::1

ping6 2001:****:****::2

Both of these should come back with replies. If not, there is an issue with your VPN; if it works, let’s go ahead and make this work on the internet.


Manually set an IPv6 Gateway (Hack/Bug?)

This part is the only part I can’t seem to figure out how to automate. This means that each time your router reboots you have to manually log in and set the default v6 gateway. I tried using the pfSense GUI but it will not let me add this as a gateway. I might have a configuration incorrect, or pfSense could just not be expecting this. Since I reboot my router a few times a year at most, this is not too bad for me. I will keep researching another solution that adds the gateway without having to do it manually.

System -> Advanced


Enable the Secure Shell

Login to your PFSense using SSH.

Username: root

Pass: <adminpassword>

Once logged in, press “8” then Enter to get a shell.

Paste this into your command line:

route add -inet6 default 2001:****:****::1

The IPv6 address is the ::1 of the /64 that you put in for the OpenVPN link network (the VPS side of the tunnel).

Assuming this all worked properly you should be able to access the internet from your router. With the router SSH session still open, try a ping6 google.com and see if it makes it.


Now that the router is up and running we will go ahead and assign an IPv6 /64 to the LAN network and turn on radvd to advertise the addresses.

Assigning a /64 to our LAN on PFSense

On the PFSense home screen goto Interfaces -> LAN:


  • IPv6 Configuration Type <- Set this to a static IP. All I did was take my /48 network from he.net and add a :1 before the ::1 of the gateway address. So 2001:470:8b11::1 is ::1 of my /48, and 2001:470:8b11:1::1/64 is my LAN network.

Next, go to Services -> DHCPv6 Server/RA then to the Router Advertisements tab


  • Router Advertisements <- Unmanaged. This will have it hand out IPv6 addresses to any host that requests them; each host builds its own address from the advertised /64 plus part of its MAC address (SLAAC).
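To show what “part of its MAC address” means in practice, here is an added Python example (not from the post) that builds the SLAAC address a host will configure from the LAN /64 and its MAC via modified EUI-64, and recovers the MAC from such an address, which is why an unmanaged RA exposes hardware identifiers unless hosts use privacy extensions. The prefix and MAC are constructed values.

```python
"""SLAAC address formation under an unmanaged RA, as pfSense sends it.
Added example, not part of the post; prefix and MAC are constructed."""
import ipaddress
from typing import Optional


def mac_to_modified_eui64(mac: str) -> bytes:
    """RFC 4291 modified EUI-64: insert ff:fe in the middle of the 48-bit
    MAC and flip the universal/local bit (0x02) of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix64: str, mac: str) -> str:
    """The address a host derives from the advertised /64 and its MAC."""
    net = ipaddress.IPv6Network(prefix64, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) + iid))


def mac_from_slaac(addr: str) -> Optional[str]:
    """Reverse the derivation when the interface id carries the ff:fe
    marker; returns None for addresses that do not look EUI-64 based
    (e.g. RFC 4941 privacy addresses)."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join("%02x" % b for b in raw)


if __name__ == "__main__":
    # constructed LAN /64 (documentation prefix) and a made-up MAC
    a = slaac_address("2001:db8:1:1::/64", "00:1b:21:3c:4d:5e")
    print(a, "->", mac_from_slaac(a))
```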

Test it all

Now that this is operational give it a couple of minutes. I know on my Mac and Debian server it picked it up almost instantly.


That is it, enjoy IPv6 on your LAN.


What’s Left?

I still have to figure out why PFSense won’t take my default gateway. Having to SSH in to get it working is definitely not optimal. If I ever get it working I will update this guide. Also, DHCPv6 might be a good idea as it lets you set reverse DNS and manage the systems that are grabbing IPv6 addresses. Following on from this guide, I will get into opening ports for services and setting up stuff to run off there.

Thanks for reading,

Chris Sologuk

My Experience with Xplornet LTE

By chris February 17th, 2016, under Cool, tips and tricks, Xplornet

Before I moved to my new house there was a big worry about internets. The people in the house previously were using Xplornet satellite service. This was not acceptable: the low caps and large amount of latency with satellite service were just not enough internet to replace traditional television in our house.

At first, the answer from 3 Xplornet resellers was that there was a tower being installed sometime in the future and they would not install it. Luckily we called 4 resellers and the last one would come and install it. The previous tenants in the house called in, and Xplornet has a deal: if you’re on their satellite service they move you to LTE for free. Makes sense, as satellite bandwidth is at a premium. I was able to test the platform before I moved in. The speed and latency weren’t very good; 1mbit download and 0.3mbit upload was all I could get. This is better than the 0 internets promised.

I tried my luck getting Teksavvy service. They have a 5GHz service in Grand Pointe, but the service was full; they put a stop-sell in that area to keep the existing customers going quickly. They will be expanding it to more sectors but have no ETA. This left me with Xplornet.

We signed up for January 25th and had an installer booked for that day. They came in and replaced the old radio with a new one. The signal was -104 and it was pointed somewhere north. We moved in Feb 1st and the internet worked as it did before. Luckily they had opened a new tower in Pain Court, which is much closer and most likely has fewer people on it. We could have called the provider and had them come out under our install warranty. I decided to do it myself.

 I managed to find the operator credentials for the radio to login. This allows me to see the signal levels and have a little control over the radio. This is perfect as I could now adjust the radio to the new tower.


Just pointing the radio over, it picked up the stronger tower; I did a speedtest and now get my full rated 10/1mbit even during peak hours.

Things I found out about the CPE-7000 Xplornet Radio

  • You are triple NATed off the bat

Just when you thought carrier NAT couldn’t get any worse. You get a 10.x IP via DHCP from the Xplornet tower. Your CPE device then NATs that into a 192.168.201.x/24. Then your own router NATs yet again to 192.168.0.x/24.


  • The Xplornet Installers only put the radio where it is convenient

Xplornet is on the 2.5GHz licensed band; this means it follows the same rules as wifi but is allowed way more power. This lets a poor install work when it could work better. I left my radio at its current height for the time being, but my goal is to install it higher. I am going to use a chimney mount with a pole on it to increase the height. On my house that is almost 15′ higher. According to Cisco it appears I need quite a bit of height to clear the Fresnel zone. Although without a tower I am unable to hit the perfect zone, it is much better than the 10′ off the ground it is right now.


Once I go ahead and raise the radio up a little bit I will be able to see a difference in the numbers. Just +3dB is “doubling” the signal. It is winter now; when the trees fill in I might need these extra dBs to keep my speed quick.


  • You cannot disable NAT and bridge the device

To remove another layer of NAT I figured I could bridge the device, put it on a subnet my router knows about (to remotely access it) and DHCP directly off my pfSense router. This did not work. I didn’t try cloning my MAC address or hostname, but from my quick test it did not work. Since Xplornet LTE is carrier NAT with no option for static IPs this doesn’t really matter much.

How to Login to your Xplornet LTE Radio

This is an informational post; I’m not responsible for what happens past here.

Login to the CPE Radio ( http://192.168.209.1 )


Username: operator

Password: g4darlet

Click on the Mobile Network Tab


That will bring you into your statistics page.


The main numbers to look for on here are RSRP0 and RSRP1; these are the connections of both bands to the towers. I found it barely works around -104, but just bringing it to around -100 is the magic. I went from 1mbit with packet loss to 10mbit with very little.

On the left hand side there are 2 tabs

  • Status
  • Technology

The Technology tab lets you turn the LTE radio on and off. That is what you use to get it to find a new tower. It will always grab the strongest tower, so point it around and see what it finds.

This is just a little insight I found when setting up and signing up to the service. So far it has been excellent and I have no complaints. I was able to get my rated speed, and the service works as it should.

My next guide will show you how to tunnel IPv6 through a private VPS to bring v6 to your local LAN. This allows you to punch a hole into the NAT and connect directly in.


SSL Finally Updated

By chris October 21st, 2015, under Uncategorized

I have updated the SSL keys on the website, no more errors. Until next year !

Thanks,


Chris

New Place in the Cloud

By chris March 8th, 2015, under Uncategorized

Welcome Solosoft.ca to the Cloud !

Slowly moving all my services and sites to their new hosted location in New York. This allows me to get rid of the /28 and the DSLs I had at home. Now instead of rocking 3x DSL lines @ 15/1.2mbit I am rocking 30/10 cable. The single IP and NAT are fine as the VPS handles all the work.


Changes

By chris April 12th, 2014, under Solosoft.ca, SSL

I have removed the forced SSL; it seems to have broken indexing from Google and other search engines. You now have a choice to type the https or not. I have also updated OpenSSL as per the Heartbeat exploit released earlier this week.

Thanks for Visiting Solosoft.ca,

Chris

SSL

By chris July 17th, 2013, under FreeBSD, Solosoft.ca, SSL

I have “Forced” SSL on the website. Now all of your solosoft.ca goodness is encrypted.

I am really happy with StartSSL’s services. This works perfectly for my personal servers, allowing me to be secure and cost effective.


Upgrades

By chris July 17th, 2013, under Uncategorized

I finally upgraded my FreeBSD server from 2GB of memory to 8GB of RAM. I have to wait another week for the complete 16GB, but that’s the life of ordering RAM on eBay. The seller was nice enough to replace the faulty stick.

Mem: 365M Active, 490M Inact, 6345M Wired, 28M Cache, 612M Free
Swap: 16G Total, 153M Used, 16G Free

Things I was able to move off my Noisy 2U Xeon

  • Cacti
  • OTRS
  • PBX

All that is left is my Exchange setup running in a VM. I have been looking into one of those small Atom boards to run it since it does not do much. Now that summer is here that extra 3 amp heater is getting a little much. The huge amount of noise is not really a problem since the ACs drown that out.

All is well, I got all my affiliate sites up and runningish.

www.solosoft.org

www.sologuk.ca

Still have more things to do; my next plan is to get solosoft.ca completely SSL enabled. Since I have so many subdomains and IPs this might be a little more difficult than I want. It costs money for wildcard (*) SSL certificates and I’m pretty cheap.


IPv6 Woes Resolved !

By chris May 2nd, 2013, under Uncategorized

Yay,


I am able to ping6 again. All the previous woes are resolved.


Thanks.

IPv6 Woes

By chris April 26th, 2013, under Uncategorized

Sorry about this, there is an AAAA record on this site and my IPv6 is currently not working. If the outage continues I will remove the record, as it will cause delays for our IPv6-using clients.

🙁

It’s on teh fixes tho!

Moved Servers

By chris March 4th, 2013, under Uncategorized

Yay,

The time has finally come to replace the Netburst. Although it is still running, it only has a NAT IP and sits as a backup for configs or other settings. I will finally turn it off sometime later this week.

I had a 67 day uptime going on that computer, but just like all good things it has to come to an end.

I will continue to finish the website and get everything working again. Things might be wonky for the next little bit.