...
That tells ndppd to answer NDP requests for the entire /80 from which we'll be assigning IPv6 addresses to our devices. Obviously you will need to change that IP prefix to your own.
There is a handy program to help you with IP subnetting: apt install ipcalc
The rule should use the static or iface option. We saw some flakiness with auto.
Then you'll want to start ndppd and tell it to start on boot.
```bash
systemctl start ndppd
systemctl enable ndppd
```
It doesn't come with init/systemd scripts so we just did this:
```bash
sudo chmod a+x /etc/rc.local
```
Then edited /etc/rc.local to add:
```bash
/usr/local/sbin/ndppd -d
```
Running that command with sudo will start ndppd manually.
Once ndppd is running try ping6 ipv6.google.com again from one of your devices. For us it worked right away!
Congratulations! You now have a global IPv6 address for every device on your virtual network.
```bash
curl -4 ifconfig.co
curl -6 ifconfig.co
```
Should return your ZeroTier gateway addresses.
Step 4f: IPv6 Security (optional)
This configuration gives every device on your ZeroTier network a real globally reachable IPv6 address. This is wonderful but also possibly a little bit dangerous.
If you don't want everything to be wide open like that you can use ip6tables rules to implement a stateful firewall that allows all outbound IPv6 traffic but limits inbound traffic to packets that are replies to outbound ones.
This can be done by using an alternative configuration like:
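```
*filter
# Default-deny: with no INPUT rules, this policy also drops all IPv6 sent to the gateway itself.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
# Allow traffic entering from any ZeroTier interface and sourced from the routed prefix (change it to your own).
-A FORWARD -i zt+ -s 2001:19f0:6001:01a6::/64 -j ACCEPT
# Allow only replies to connections the devices opened.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
:OUTPUT ACCEPT [0:0]
COMMIT
```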
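A quick audit for the ruleset above, as an added example (not part of the original guide): it parses ip6tables-save style text and reports anything in the FORWARD chain that would admit new inbound connections. The function names, the default zt interface prefix and the weak variant are assumptions made for illustration.

```python
import shlex

REPLY_STATES = {"ESTABLISHED", "RELATED"}

# Ruleset as shown on the page (the /64 is the page's own example prefix).
PAGE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A FORWARD -i zt+ -s 2001:19f0:6001:01a6::/64 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# Constructed weak variant: permissive policy plus a rule admitting new inbound flows.
WEAK_RULES = PAGE_RULES.replace(":FORWARD DROP", ":FORWARD ACCEPT").replace(
    "COMMIT", "-A FORWARD -o zt+ -j ACCEPT\nCOMMIT")

def _opt(tok, *flags):
    """Value following the first of `flags` present in the token list, else None."""
    for flag in flags:
        if flag in tok[:-1]:
            return tok[tok.index(flag) + 1]
    return None

def audit_forward(ruleset, zt_prefix="zt"):
    """Return findings for the filter table's FORWARD chain; [] means stateful-only."""
    findings, policy, has_reply, table = [], None, False, None
    for line in (l.strip() for l in ruleset.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        if table != "filter" or not line or line[0] in "#*":
            continue
        tok = shlex.split(line)
        if tok[0] == ":FORWARD":
            policy = tok[1]
        if tok[:2] != ["-A", "FORWARD"] or _opt(tok, "-j") != "ACCEPT":
            continue
        states = set((_opt(tok, "--state", "--ctstate") or "").split(",")) - {""}
        has_reply |= bool(states & REPLY_STATES)
        # Negated matches ("!") are never treated as ZeroTier-originated.
        from_zt = (_opt(tok, "-i") or "").startswith(zt_prefix) and "!" not in tok
        if not from_zt and not (states and states <= REPLY_STATES):
            findings.append("admits new inbound connections: " + line)
    if policy != "DROP":
        findings.append(f"FORWARD policy is {policy}, expected DROP")
    if not has_reply:
        findings.append("no ESTABLISHED,RELATED accept rule found")
    return findings
```

On a live gateway, pass it the output of ip6tables-save instead of the embedded samples.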
...
```
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A FORWARD -i $ZT_IFACE -o $WAN_IFACE -j ACCEPT
-A FORWARD -i $WAN_IFACE -o $ZT_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
:OUTPUT ACCEPT [0:0]
COMMIT
```
FreeBSD
The allowDefault=1 setting on FreeBSD clients can't work. See this GitHub issue for a workaround: https://github.com/zerotier/ZeroTierOne/issues/580
We've disabled the Allow Default setting on FreeBSD in versions newer than 1.10.6 until we can find a solution.
...