Super Mac IPv6 Sleeper: Airport Extreme does IPv6 tunneling AND firewalling!
It’s been known for some time that Apple’s Airport Extreme base station can double as an IPv6 tunnel gateway. But the Extreme’s IPv6 support was kind of half-baked: it’s rudimentory “firewall” was all-or-nothing, and its NAT pass-through support was buggy. But Apple’s latest Extreme — the “Late 2009″ edition with 7.5x firmware– fixes those bugs AND adds a spiffy new IPv6 firewall. (Alas, older Extreme’s only support up through 7.4 firmware, which still has problems with IPv6).
It took me about five minutes to create a Hurricane Electric (http://tunnelbroker.net) account and configure the Extreme as an IPv6-over-IPv4 tunnel gateway, with the Extreme configured in transparent mode, using a private DHCP address acquired from the local LAN. I just plugged in the remote tunnel IPv4 address, local tunnel IPv6 endpoint address, the IPv6 default route, and the LAN’s IPv6 subnet address. (Note: Apple swapped the order of remote and local ipv6 in the upgrade from 7.4 to 7.5 firmware.) The tunnel popped into existence instantly. I had set up Google’s open IPv6-enabled DNS server (IPv4 address 8.8.8.8) for the LAN DNS server address.
The Extreme seems to have IPv6 Router Advertisements enabled by defaul, so IPv6 stateless autoconfig cheerfully gave everyone on the LAN a Global IPv6 address from the HE.net /64 assignment, and all the LAN systems were suddenly IPv6 enabled! This is too easy!
The Extreme’s IPv6 firewall option appears when you click “Block incoming IPv6 connections” (without which the Extreme allows all inbound connections), at which point a new “IPv6 Firewall” tab appears. (Apparently this has always been there but I never clicked the “Block incoming” box and so never saw it before. )You can permit Teredo tunnels if you like, as well as inbound IPsec connections, with a couple clicks. The “firewall” interface is primitive but gets the job done, letting you allow specific TCP and UDP protocols to specific inside IPv6 addresses. The Extreme IPv6 firewall is v6-only, however, so you still need a good IPv4 firewall.
So far I’ve only tried running an Extreme as an IPv6 gateway using its LAN-transparent mode, in which the device gets a LAN IP from your local DHCP server. I did this to avoid double-NAT. However, you should be able to set up IPv6 tunneling in routed mode — where the Extreme’s WAN port faces the Internet with a provider-assigned public IPv4 address. In this arrangement, the LAN ports create an IPv6 “sandbox” — as long as your border firewall supports passing GRE protocol (IP protocol 47) outbound. But at least you don’t have to open any pinholes to the Extreme or otherwise weaken your enterprise security stance.
The one missing bit: the Extreme has no built-in DHCPv6 server, so it can’t distribute name server settings to clients after stateless autoconfig. However, as long as your LAN IPv6 clients use an IPv6-enabled DNS server at an IPv4 address (Google’s 8.8.8.8 qualifies), then you can get to the IPv6 Internet via names without problem.
At $179, this is the cheapest easy-to-configure IPv6 gateway appliance on the market!
[UPDATE on 2010/06/06: A reader tells me that the IPv6 firewall has been in the Extreme for more than a year, but few people find it because it's hidden behind that "Block all incoming IPv6 connections" checkbox. I've edited this post to reflect that. -mel]
instruction guide.