To test the readiness of a local office network for the transition to IPv6, I organized a test bench based on a FreeBSD server that acts as a gateway to the IPv6 Internet and as a server for popular network services (WEB, eMail, FTP). FreeBSD was chosen because a virtual machine with this system already existed. Below I describe briefly how everything was configured (without the theoretical details of building IPv6 networks and IPv6 addressing) and try to describe how ready existing systems and programs are for IPv6, using the services that I managed to test from both the client and the server side. The experiments were actively conducted during the month “before” and the month “after” “IPv6 Day” on June 8, 2011, so support in some programs may have changed for the better since then.
The purpose of the experiment
- Check the compatibility of the software used with services running on IPv6;
- To achieve maximum transparency for the user. Ideally, the final subscriber should not make any settings to get to the IPv6 part of the Internet through an organized gateway.
The experiment was conducted in a local office network of 100-150 computers running Win7, with a flat address space and DHCP and DNS servers based on Win2003Server. Internet access is through NAT or a VPN connection; Windows AD is not used. The server on which all the settings were to be made is FreeBSD 8.1 in VirtualBox; the host machine is a personal computer running Win7.
To access the IPv6 part of the Internet, the tunnel broker www.tunnelbroker.net was used. How to register and obtain prefixes, set up auto-update and other useful things is described here: version6.ru/he.net/howto.
The following prefixes were obtained for work:
- 2001:470:19:47::/64 - originally issued when registering the tunnel; we will not use it;
- 2001:470:f9e7::/48 - additionally allocated, with a large address space. Some experimenting is needed here, because an additional /48 prefix cannot be requested for every point of attachment; for some, the answer is that the operation is impossible;
- 2001:470:18:47::2/64 - our connecting address;
- 2001:470:18:47::1/64 - the default gateway.
Thus, we have a large address space to flexibly divide it between client computers and server hardware.

From the above diagram it is clear that:
- 2001:470:f9e7:3::/64 - allocated to the local network, with the gateway 2001:470:f9e7:3::1/64;
- 2001:470:f9e7:1::/64 - a connecting network between the gateway of the local network and the IPv6 Internet gateway. In the IPv6 philosophy, addresses are not economized, so this prefix is also /64.
Set up an IPv6 gateway on Win7 to work with a tunnel broker
Example configurations for access through the tunnel are shown on the second tab of the tunnel management page at www.tunnelbroker.net once a tunnel has been created. The selection is quite large and includes Cisco and Juniper. For my purposes, I use the following CMD script:
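@ECHO OFF
REM Disable the automatic transition mechanisms so they do not compete with the tunnel
netsh interface teredo set state disabled
netsh interface 6to4 set state disabled
REM Remove the tunnel interface left over from a previous run
netsh interface ipv6 delete interface "IP6Tunnel"
REM Find the current IPv4 address of the VPN (PPTP) interface
REM and bring the tunnel up from that address
FOR /F "tokens=5" %%i IN ('netsh interface ip show ipaddress VPN level^=normal ^| find "infinite"') DO CALL :IP6TUNNELUP %%i
GOTO :CONT
GOTO :END
REM Subroutine: %1 is the local IPv4 address of the tunnel
:IP6TUNNELUP
REM Tell the broker our current IPv4 endpoint (-k skips TLS certificate verification)
curl -k "https://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=%1&pass=<tunnelbroker.net password>&user_id=<tunnelbroker.net user id>&tunnel_id=<tunnel id>"
REM Create the tunnel from our IPv4 address to the broker's endpoint
netsh interface ipv6 add v6v4tunnel IP6Tunnel %1 216.218.221.6
GOTO :END
:CONT
REM Enable forwarding on the tunnel interface
netsh interface ipv6 set interface IP6Tunnel forwarding=enabled
REM Assign our connecting address to the tunnel
netsh interface ipv6 add address IP6Tunnel 2001:470:18:47::2
REM Replace the IPv6 default route with one through the tunnel
route delete ::/0
netsh interface ipv6 add route ::/0 IP6Tunnel 2001:470:18:47::1 publish=yes
REM Enable forwarding on the interface facing the FreeBSD gateway
netsh interface ipv6 set interface interface=lan0 forwarding=enabled
REM Publish the routes for the networks on the FreeBSD side
netsh interface ipv6 set route interface=lan0 prefix=2001:470:f9e7:1::/64 publish=yes
netsh interface ipv6 set route interface=lan0 prefix=2001:470:f9e7:3::/64 publish=yes
:END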
After that, we should at least ping ipv6.google.com:
ping ipv6.google.com
Pinging ipv6.l.google.com [2a00:1450:4010:c00::69] with 32 bytes of data:
Reply from 2a00:1450:4010:c00::69: time=705ms
Reply from 2a00:1450:4010:c00::69: time=701ms
The response time is rather high, but the speed is good. Here you can and should experiment with various brokers and their entry points.
It should be noted that Windows 7 itself can act as a gateway for the local network. To do this, you need to enable routing, advertise the default route and add the route that is to be distributed to the network (the netsh commands are enough to understand the configuration process). For example, if we want to distribute addresses on the local network with the prefix 2001:470:f9e7:2::/64 and the router 2001:470:f9e7:2::1/64:
netsh interface ipv6 add address lan1 2001:470:f9e7:2::1/64
netsh interface ipv6 set interface interface=lan1 advertise=enabled forwarding=enabled advertisedefaultroute=enabled
netsh interface ipv6 set route interface=lan1 prefix=2001:470:f9e7:2::/64 publish=yes
After these settings, all computers on which IPv6 is not disabled will add the IPv6 default gateway 2001:470:f9e7:2::1/64 and will receive addresses from the network 2001:470:f9e7:2::/64.
Now we will configure routing on the FreeBSD gateway
/etc/rc.conf
### IP ###
defaultrouter="10.0.2.1"
gateway_enable="YES"
ifconfig_em0_alias0="inet 192.168.137.15 netmask 255.255.255.0"
ifconfig_em1_alias0="inet 10.0.2.64 netmask 255.255.255.0"
static_routes="LOCAL"
route_LOCAL="-net 10.0.0.0/8 10.0.2.1"
### IPv6 ###
ipv6_enable="YES"
ipv6_defaultrouter="YES"
ipv6_defaultrouter="2001:470:f9e7:1::1"
ipv6_gateway_enable="YES"
ifconfig_em0="inet6 2001:470:f9e7:1::2 prefixlen 64"
ifconfig_em1="inet6 2001:470:f9e7:3::1 prefixlen 64"
radvd_enable="YES"
Everything is standard: the IPv6 settings have “ipv6” in their names, and for interfaces we specify the type “inet6” instead of “inet”.
For the computers on the network to learn about our router, it has to announce itself. For this we use the radvd daemon, which is installed from the ports; the similar rtadvd, native to FreeBSD, could be used instead. radvd can announce DNS servers (www.ietf.org/rfc/rfc6106.txt) in the same configuration file as the route advertisement, which is why we use it.
/usr/local/etc/radvd.conf
interface em1
{
    AdvSendAdvert on;
    MinRtrAdvInterval 60;
    MaxRtrAdvInterval 300;
    AdvDefaultPreference low;
    AdvHomeAgentFlag off;
    prefix 2001:470:f9e7:3::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
    };
    RDNSS 2001:470:f9e7:1::2
    {
        AdvRDNSSLifetime 300;
    };
};
The only changes are our prefix and DNS server; the rest was left as it was in the example file installed with the utility.
After configuring all the interfaces, we should be able to ping ipv6.google.com from the FreeBSD gateway. The IPv6 utilities on FreeBSD all have names ending with the digit "6".
#ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:470:f9e7:1::2 --> 2a00:1450:4010:c00::67
16 bytes from 2a00:1450:4010:c00::67, icmp_seq=0 hlim=49 time=699.042 ms
16 bytes from 2a00:1450:4010:c00::67, icmp_seq=1 hlim=49 time=697.743 ms
#traceroute6 ipv6.google.com
traceroute6 to ipv6.l.google.com (2a00:1450:4010:c00::67) from 2001:470:f9e7:1::2, 64 hops max, 12 byte packets
1 vi-host-w7.ipv6.local. 0.601 ms 0.493 ms 0.475 ms
2 2001:470:18:47::1 362.289 ms 362.791 ms 362.885 ms
3 gige-g3-13.core1.hkg1.he.net 359.731 ms 365.100 ms 359.570 ms
4 google3-10g.hkix.net 360.840 ms 361.714 ms 365.369 ms
When the radvd daemon is running and announcing our router and its associated routes, all computers on the network that have not disabled IPv6 and automatic address configuration (www.ietf.org/rfc/rfc2462.txt) must receive an address from the network 2001:470:f9e7:3::/64 and, if they support RFC6106, the DNS address 2001:470:f9e7:1::2. In Windows 7, IPv6 is enabled by default and it will get the address, but receiving the DNS address is not yet implemented. The current state of IPv6 support in various operating systems can be viewed on the wiki.
> ipconfig
Ethernet adapter Local Area Connection 1:
   Connection-specific DNS Suffix  . : lan-user
   IPv6 Address. . . . . . . . . . . : 2001:470:f9e7:3:c5ac:17b8:bd30:7a1e
   Temporary IPv6 Address. . . . . . : 2001:470:f9e7:3:749d:8c9d:f317:7819
   Link-local IPv6 Address . . . . . : fe80::c5ac:17b8:bd30:7a1e%28
   IPv4 Address. . . . . . . . . . . : 10.0.2.19
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::a00:27ff:feb0:c719%28
                                       10.0.2.1
You can see that the default gateway is given here as a link-local address, followed by the number of the interface through which it is reachable (%28).
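The gateway's link-local address above contains the ff:fe pattern of a modified EUI-64 interface ID, so the router's MAC address can be recovered from it, while the Windows client addresses use random interface IDs. The following is an added example, not part of the original article; the function names are assumptions and the sample values are taken from the ipconfig output above.

```python
import ipaddress

# Constructed sample: the addresses from the ipconfig output above.
IPCONFIG_ADDRESSES = {
    "IPv6 Address": "2001:470:f9e7:3:c5ac:17b8:bd30:7a1e",
    "Temporary IPv6 Address": "2001:470:f9e7:3:749d:8c9d:f317:7819",
    "Link-local IPv6 Address": "fe80::c5ac:17b8:bd30:7a1e%28",
    "Default Gateway": "fe80::a00:27ff:feb0:c719%28",
}

def interface_id(address):
    """Return the low 64 bits of an address, ignoring any %zone suffix."""
    return ipaddress.IPv6Address(address.split("%")[0]).packed[8:]

def mac_from_eui64(address):
    """Return the MAC embedded in a modified EUI-64 interface ID, or None."""
    iid = interface_id(address)
    if iid[3:5] != b"\xff\xfe":
        return None  # random or privacy interface ID, no MAC inside
    # Flip the universal/local bit back and drop the inserted ff:fe bytes.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def link_local_from_mac(mac):
    """Build the fe80::/64 address a host derives from its MAC (EUI-64)."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return str(ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid))

def classify(addresses):
    """Map each label to the embedded MAC or to 'random interface ID'."""
    return {label: mac_from_eui64(addr) or "random interface ID"
            for label, addr in addresses.items()}

if __name__ == "__main__":
    for label, result in classify(IPCONFIG_ADDRESSES).items():
        print(f"{label}: {result}")
```

The recovered prefix 08:00:27 is the one VirtualBox assigns to virtual network adapters by default, which matches the FreeBSD guest used as the gateway; the same function applied to the neighbor table (netsh int ipv6 show ne, ndp -a) ties link-local neighbors to hardware addresses.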
What to check in Windows 7 if it does not work (FreeBSD commands in brackets)
- ping (ping6), tracert (traceroute6);
- Look at the assigned IPv6 address - ipconfig (ifconfig);
- Look at the neighbor table (the analogue of ARP in the IPv4 world) - netsh int ipv6 show ne (ndp -a);
- Look at the routing table - route print or netsh int ipv6 show route (netstat -r).
In the resulting configuration, IPv6 and IPv4 run in parallel on a single interface. This is the so-called dual-stack mode, one of the recommended transition mechanisms, which allows simultaneous access to both IPv6 and IPv4 resources over their native protocols.
DNS
The Win2003Server-based DNS server used on the network does not support AAAA records, so we do not use it as the name server for IPv6 and simply delegate the necessary zones to the FreeBSD gateway, where we will configure DNS for IPv6. Configuring the delegation is no problem, because nothing IPv6-specific is involved. In addition, since Windows 7 does not receive an IPv6 DNS address, for the reasons described above, and we do not use DHCPv6, this approach ensures that IPv6 addresses are resolved correctly even through an intermediate IPv4-only DNS.
Configure FreeBSD. In /etc/namedb/named.conf we add:
listen-on {
127.0.0.1;
192.168.137.1;
10.0.2.64;
};
listen-on-v6 {
::1;
any;
};
zone "ipv6.local." {
type master;
file "/etc/namedb/master/ipv6.local";
};
zone "7.e.9.f.0.7.4.0.1.0.0.2.ip6.arpa." {
type master;
file "/etc/namedb/master/f9e7.470.2001.ip6.arpa";
};
To listen on IPv6, add “listen-on-v6”. The reverse zone is built under “ip6.arpa.” and is divided not by octets but into groups of 4 bits. Because of this, and because the IPv6 address itself is longer, the address entries in the zone are noticeably longer than for IPv4 addresses.
/etc/namedb/master/ipv6.local
$ORIGIN ipv6.local.
$TTL 3h
@ IN SOA @ admin.ipv6.local. 2011041212 1d 12h 1w 3h
@ IN NS @
@ IN AAAA 2001:470:f9e7:1:0:0:0:2
nsv4 IN A 10.0.2.64
@ IN MX 10 @
vi-host-w7 IN AAAA 2001:470:f9e7:1:0:0:0:1
ns IN AAAA 2001:470:f9e7:3:0:0:0:1
/etc/namedb/master/f9e7.470.2001.ip6.arpa
$ORIGIN 7.e.9.f.0.7.4.0.1.0.0.2.ip6.arpa.
$TTL 3h
@ IN SOA ns.ipv6.local. admin.ipv6.local. 2011042812 1d 12h 1w 3h
IN NS ns.ipv6.local.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0 IN PTR vi-host-w7.ipv6.local.
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0 IN PTR ipv6.local.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0 IN PTR ns.ipv6.local.
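Writing the 4-bit labels of the reverse zone by hand is error-prone, so the PTR lines can be generated from the AAAA records and compared with the zone file. This is an added example, not part of the original article; the function names are assumptions and the records are the ones from the two zone files above.

```python
import ipaddress

# Constructed from the zone data shown on this page.
REVERSE_ORIGIN = "7.e.9.f.0.7.4.0.1.0.0.2.ip6.arpa."
FORWARD_ORIGIN = "ipv6.local."
AAAA_RECORDS = {
    "@": "2001:470:f9e7:1::2",
    "vi-host-w7": "2001:470:f9e7:1::1",
    "ns": "2001:470:f9e7:3::1",
}

def origin_for_prefix(prefix):
    """Return the ip6.arpa zone name that covers an IPv6 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("prefix length must fall on a 4-bit boundary")
    digits = net.network_address.exploded.replace(":", "")
    return ".".join(reversed(digits[: net.prefixlen // 4])) + ".ip6.arpa."

def ptr_owner(address, origin):
    """Return the PTR owner name of an address, relative to the zone."""
    full = ipaddress.IPv6Address(address).reverse_pointer + "."
    suffix = "." + origin
    if not full.endswith(suffix):
        raise ValueError(f"{address} is outside {origin}")
    return full[: -len(suffix)]

def fqdn(label, origin):
    """Expand a zone-file label ('@' means the origin itself)."""
    return origin if label == "@" else f"{label}.{origin}"

def reverse_zone_lines(records, forward_origin, reverse_origin):
    """Build one PTR line per AAAA record, ordered by address."""
    ordered = sorted(records.items(),
                     key=lambda item: ipaddress.IPv6Address(item[1]))
    return [f"{ptr_owner(addr, reverse_origin)} IN PTR "
            f"{fqdn(label, forward_origin)}" for label, addr in ordered]

if __name__ == "__main__":
    print("$ORIGIN", origin_for_prefix("2001:470:f9e7::/48"))
    for line in reverse_zone_lines(AAAA_RECORDS, FORWARD_ORIGIN,
                                   REVERSE_ORIGIN):
        print(line)
```

An address outside the delegated /48, such as the tunnel's connecting address, raises an error instead of producing a record that the zone could never serve.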
What was possible to test
- WEB http(s) - fully supported by both clients and servers; probably the best-supported platform, and no problems arose. Many clients, from the most popular ones to the console clients that I got my hands on, coped with IPv6 addressing. On the server side Apache was configured; IPv6 addresses are used in the same directives, the IPv6 address itself just has to be enclosed in square brackets. All this is detailed in the server documentation, in particular for the “Listen” directive: httpd.apache.org/docs/2.0/bind.html;
- FTP - server-side support is available in the widely used solutions; ftpd, proftpd and vsftpd were tested. There are peculiarities, for example the inability to serve IPv6 and IPv4 from the same process, but all of this is solvable and described in the documentation, for example for vsftpd:
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
listen_ipv6=YES
inetd also works with IPv6, for which there are the tcp6 and udp6 protocols.
With clients things are worse. Stand-alone clients cope with the task: the console client (supplied with Windows), Explorer, FileZilla. Clients built into file managers are for the most part not ready; for example, Far Manager could not connect;
- MAIL - the situation is the same as with FTP: the servers are ready to work and popular clients are also ready, but some well-known ones, Claws Mail for example, failed. For dovecot, IPv6 addresses are written in the same directives, only in square brackets:
# A space separated list of IP or host addresses where to listen in for
# connections. "*" listens in all IPv4 interfaces. "[::]" listens in all IPv6
# interfaces. Use "*, [::]" for listening both IPv4 and IPv6.
For exim, IPv6 is also supported in all directives without any reservations; see, for example, the description for interfaces: www.exim.org/exim-html-current/doc/html/spec_html/ch13.html;
- JABBER and other IM - only one client and one server were found that work, both from the same vendor: Spark (client) and OpenFire (server). No other client supports IPv6, not even with plug-ins. OpenFire is configured through the WEB interface, which makes no distinction between IPv6 and IPv4 addresses;
- PROXY - works on SQUID, but transparent proxying is not supported; otherwise everything is fine. IPv6 addresses are processed on a par with IPv4 without any additional conditions. An overview of SQUID for IPv6: wiki.squid-cache.org/Features/IPv6 . Browsers able to work with the IPv6 WEB also coped with an IPv6 PROXY. A proxy is probably one of the easiest ways to get access from an IPv6-only network to an IPv4 network.
In general, the basic protocol features are present in all tested OSs (Windows, Linux, FreeBSD): obtaining addresses, autoconfiguration, displaying the neighbor table, routing. Everything is configurable and can be disabled. In Windows, most settings have to be made through the netsh console interface, because most of them are absent from the graphical interface. The network utilities ping, traceroute, ssh, telnet and nslookup also work well. On *BSD, the IPv6 versions of the utilities have names with a “6” at the end, for example ping6. In the configuration files of utilities the changes are, as a rule, minimal: either a suffix with the digit “6” is added, or the IPv6 address is used in the same directives as is or in brackets [].
In Windows, starting from VISTA, IPv6 is enabled by default and the two transition mechanisms TEREDO and 6to4 are enabled. The ability to create tunnels is also present, and Windows can work as an IPv6 router and is not limited in the number of interfaces, as it is in the IPv4 stack. However, the individual enabled parts of IPv6 can interfere with each other: if TEREDO is enabled, the traffic will go that way and not through a manually configured tunnel. Also, the route command does not always process IPv6 routes correctly, that is, its data does not always match what netsh int ipv6 show route returns.
As a result, there was nothing to configure on the personal computers; the only thing required was for those who had turned off IPv6 support to turn it back on. Once Windows obtains a native IPv6 address, it tends to use it.
Unfortunately, there is a lot that we did not manage to test, but from what we did test we can conclude that IPv6 is already a pressing reality and that planning the transition has to start today in order to keep up with it.
Definitely worth reading: Niall Richard Murphy, David Malone. "IPv6. Network Administration". Not new, and the translation is not very successful, but it is relevant as a place to start.
P.S. At the moment everything is switched off, so unfortunately the described resources cannot be reached.