AppleTV IPv6 Router

Note: These instructions have only been tested on the 1st generation AppleTV, i.e., the one that does not run iOS.

Originally, I had hoped to use my Apple Airport Extreme as the IPv6 router for my home network, since it can act as a tunnel anchor for the IPv6 tunnel I obtained from www.sixxs.net. Unfortunately, that functionality currently (as of firmware 7.4.2) only works when the uplink IPv4 address is statically configured (i.e., no DHCP). My ISP doesn’t support that; even for “static” addresses I still need to run DHCP. So instead, I hacked my AppleTV to be the tunnel anchor and route IPv6 in and out of my home. Here’s how I did it.

Updated for AppleTV software 3.0.1 on 2009-11-19; should also still work on 2.x boxes.

Note: Some home routers prevent IPv6 router advertisements from being forwarded between internal Ethernet ports. (For example, Apple Airport Extreme with firmware 7.5.2; 7.4.2 and older work.) If you use such a home gateway, this setup won’t work for you.

Step 1: Request an IPv6 tunnel and subnet from www.sixxs.net

Go to www.sixxs.net and sign up with them. Then log in and request an IPv6 tunnel; you want the “AYIYA” tunnel flavor. Once the tunnel has been configured, request an IPv6 subnet. This whole procedure may take a few days.

Step 2: Get shell access

You need to hack the AppleTV and enable SSH. The easiest way is to install NitoTV; follow these instructions.

After you’ve done that, make sure you run the NitoTV “smart update” function from inside FrontRow on the AppleTV. This, as a side effect, pulls down the 10.4.9 update that you’ll later need to get rtadvd and other tools from.

Step 3: Install the tunnel driver

Next you need to install the tun/tap driver for MacOS. First, ssh into the AppleTV (default password is “frontrow”):

ssh -l frontrow appletv.local

Next, using that ssh session, install the tun/tap driver on the AppleTV by copying & pasting these commands into the ssh session:

cd ~/Documents
curl -4OLk http://downloads.sourceforge.net/tuntaposx/tuntap_20080804.tar.gz
tar zxvf tuntap_20080804.tar.gz
sudo mount -uw /
sudo mkdir /Library/Extensions /Library/StartupItems
cd /Library/Extensions && sudo pax -rzf ~/Documents/tuntap_20080804.pkg/Contents/Packages/tap.pkg/Contents/Archive.pax.gz
sudo ~/Documents/tuntap_20080804.pkg/Contents/Packages/tap.pkg/Contents/Resources/postinstall
cd /Library/Extensions && sudo pax -rzf ~/Documents/tuntap_20080804.pkg/Contents/Packages/tun.pkg/Contents/Archive.pax.gz
sudo ~/Documents/tuntap_20080804.pkg/Contents/Packages/tun.pkg/Contents/Resources/postinstall
cd /Library/StartupItems && sudo pax -rzf ~/Documents/tuntap_20080804.pkg/Contents/Packages/tap-1.pkg/Contents/Archive.pax.gz
sudo ~/Documents/tuntap_20080804.pkg/Contents/Packages/tap-1.pkg/Contents/Resources/postinstall
cd /Library/StartupItems && sudo pax -rzf ~/Documents/tuntap_20080804.pkg/Contents/Packages/tun-1.pkg/Contents/Archive.pax.gz
sudo ~/Documents/tuntap_20080804.pkg/Contents/Packages/tun-1.pkg/Contents/Resources/postinstall
cd ~/Documents
rm -r tuntap_20080804.tar.gz tuntap_20080804.pkg

Step 4: Obtain and configure the tunnel client

You need to get an aiccu tunnel client that executes on the AppleTV. Unfortunately, the MacOS X binary build provided by www.sixxs.net does not execute on the AppleTV.

The easy solution for you is to download my aiccu binary to the AppleTV:

curl -4OLk http://eggert.org/software/aiccu.gz
gunzip aiccu.gz
sudo mv aiccu /usr/sbin
sudo chown root:wheel /usr/sbin/aiccu
sudo chmod a+x /usr/sbin/aiccu

In case you prefer to compile your own, install Xcode and the 10.4 SDK on your Mac. Grab the aiccu sources and apply this patch, then build and install the result as /usr/sbin/aiccu on the AppleTV.

Once you have the /usr/sbin/aiccu binary in place on the AppleTV, you need to create /etc/aiccu.conf. Download the example from www.sixxs.net, move it to /etc and edit it for your settings:

curl -4OLk https://www.sixxs.net/archive/sixxs/aiccu/aiccu.conf
sudo mv aiccu.conf /etc
sudo chown root:wheel /etc/aiccu.conf

You’ll need to fill in your www.sixxs.net username and password, and change ipv6_interface to tun0.

Step 5: Test the tunnel

To check that the tunnel works correctly, execute this:

/usr/sbin/aiccu test

Only continue with step 6 if there are no errors during all tests!

Step 6: Install rtadvd & some other goodies

You need to install rtadvd, so that the AppleTV announces itself as an IPv6 router on your local network. Unfortunately, rtadvd isn’t part of the default AppleTV installation. Fortunately, it’s part of the 10.4.9 update that the NitoTV “smart update” procedure conveniently left behind. (As are some other goodies that may come in handy, such as nsupdate and traceroute6.) Execute these steps to install them:

hdiutil attach MacOSXUpdCombo10.4.9Intel.dmg
cd /
sudo pax -rzf "/Volumes/Mac OS X 10.4.9 Combined Update (Intel)/MacOSXUpdCombo10.4.9Intel.pkg/Contents/Archive.pax.gz" ./usr/bin/nsupdate ./usr/sbin/rtadvd ./usr/sbin/traceroute6
hdiutil eject "/Volumes/Mac OS X 10.4.9 Combined Update (Intel)"

Step 7: Configure for auto-start at boot

You’ll need to edit /etc/rc.local on the AppleTV so that a few things happen at boot time.

First off, you’ll need to assign two 64-bit prefixes out of the subnet you requested from www.sixxs.net to each of the two interfaces of the AppleTV. For example, if www.sixxs.net had assigned you the 2001:DB8:dead::/48 prefix, you could use 2001:DB8:dead:0::/64 for en0 and 2001:DB8:dead:1::/64 for en1. Then, you want to start aiccu to pull up the tunnel.

Next – and this is important – you want to enable the IPv6 firewall. The AppleTV was meant to be run behind a home gateway and by default is wide open. For IPv4, it will still be protected by your home gateway and we don’t need to change anything, but for IPv6 it will now be directly reachable by anyone on the Internet. The firewall rules below block access to AppleTV services from the Internet. Again – this is important! NitoTV can enable SSH, FTP, AFP, and more on your AppleTV, and if you don’t do this, you’ll be 0wned in no time, because anyone can simply log into your box with the default password.

Finally, you want to turn on IPv6 forwarding, and after that start rtadvd so that the AppleTV announces itself as an IPv6 router on your local network. Also, for some reason the default IPv6 route that aiccu set up doesn’t stick, so it’s better to configure it once more.

Add these lines (adjusting for whatever subnet www.sixxs.net assigned you) to the end of /etc/rc.local:

/sbin/ifconfig en0 inet6 2001:DB8:dead:0::1/64 # change 2001:DB8:dead to the prefix of your own subnet
/sbin/ifconfig en1 inet6 2001:DB8:dead:1::1/64 # change 2001:DB8:dead to the prefix of your own subnet
/bin/kill `cat /var/run/aiccu.pid`
/bin/kill `cat /var/run/rtadvd.pid`
/usr/sbin/aiccu start
sleep 3
en0=`/sbin/ifconfig en0 inet6 | /usr/bin/grep 2001: | /usr/bin/cut -d" " -f2`
en1=`/sbin/ifconfig en1 inet6 | /usr/bin/grep 2001: | /usr/bin/cut -d" " -f2`
tun0=`/sbin/ifconfig tun0 inet6 | /usr/bin/grep 2001: | /usr/bin/cut -d" " -f2`
/sbin/ip6fw -f flush
/sbin/ip6fw add allow ipv6-icmp from any to any
/sbin/ip6fw add deny ipv6 from any to $en0 via tun0
/sbin/ip6fw add deny ipv6 from any to $en1 via tun0
/sbin/ip6fw add deny ipv6 from any to $tun0 via tun0
/usr/sbin/sysctl -w net.inet6.ip6.forwarding=1
/usr/sbin/sysctl -w net.inet6.ip6.fw.verbose=1
# the IPv6 default route on the AppleTV disappears after a while, use a more specific route
/sbin/route add -inet6 2000:: -prefixlen 3 -iface tun0
/usr/sbin/rtadvd -s en0 en1
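
The lines above assume that each interface holds exactly one 2001: address three seconds after aiccu starts. If tun0 is not up yet, $tun0 is empty and its deny rule is malformed; if an interface has a second global address, the variable expands to two words. The following is an added example, not part of the original instructions (function names and sample ifconfig output are constructed): it emits one deny rule per global address and fails when an interface has none, so the rules can be checked before forwarding is turned on.

```shell
#!/bin/sh
# Added example: build the deny rules fail-closed instead of trusting that
# $en0, $en1 and $tun0 each hold exactly one address after "sleep 3".

# Print every global unicast (2000::/3) address found in ifconfig-style
# output on stdin, one per line. Link-local (fe80::) entries are skipped
# and any "%scope" suffix is stripped.
global_v6_addrs() {
    awk '$1 == "inet6" {
        sub(/%.*/, "", $2)
        if ($2 ~ /^[23][0-9A-Fa-f]*:/) print $2
    }'
}

# Emit one deny rule per global address, in the same form the page uses.
# Returns 1 and prints nothing when the interface has no global address.
deny_rules() {
    addrs=$(printf '%s\n' "$1" | global_v6_addrs)
    [ -n "$addrs" ] || return 1
    for a in $addrs; do
        echo "/sbin/ip6fw add deny ipv6 from any to $a via tun0"
    done
}

# Rules for all interfaces, or failure if any one lacks a global address.
# Capture the output and apply it only when the exit status is 0.
build_ruleset() {
    for text in "$@"; do
        deny_rules "$text" || return 1
    done
}

# Constructed sample output (not captured from a real AppleTV).
SAMPLE_EN0='en0: flags=8863<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
	inet6 fe80::217:f2ff:fe00:1%en0 prefixlen 64 scopeid 0x4
	inet6 2001:db8:dead::1 prefixlen 64
	inet6 2001:db8:dead:0:217:f2ff:fe00:1 prefixlen 64 autoconf'
SAMPLE_TUN0_DOWN='tun0: flags=8851<UP,POINTOPOINT,RUNNING> mtu 1280
	inet6 fe80::1%tun0 prefixlen 64 scopeid 0x6'

# On the device (assumed usage):
#   rules=$(build_ruleset "$(/sbin/ifconfig en0 inet6)" \
#           "$(/sbin/ifconfig tun0 inet6)") && echo "$rules" | sh
```
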

Step 8: Reboot

After you’ve double-checked everything, reboot the AppleTV:

sudo reboot

After it comes back, it should be announcing itself as an IPv6 router to your local network and forwarding IPv6 packets. Congratulations!