SixXS::Sunset 2017-06-06

IPv6 gateway & radvd with ULA addresses
[br] Shadow Hawkins on Tuesday, 05 June 2012 06:24:40
Hi, I'm not sure if what I'm doing is the right way to implement it. I'm still learning about IPv6. I have an OpenWRT router which seems to have proper IPv6 connectivity through AICCU/AYIYA; I tested it with elinks and it works fine.

Instead of advertising my assigned SixXS IPv6 subnet (let's call it 2001:1291:200:s::1/64) to my LAN and exposing my whole network (which I do not feel ready for yet; I have to learn more about properly configuring ip(6)tables), I would prefer to have a single IPv6 router-gateway, which should be that device running OpenWRT, and to advertise ULA addresses (fd00 prefix). I feel a little bit safer that way since ULA addresses are not routable. Perhaps it is not even necessary since IPv6 has auto-configured UA addresses (fe80 prefixes), please correct me if I'm wrong, but in that case I don't know how to advertise the router.

My idea is to advertise fd00:1:2:3::1/64 addresses to my LAN, which seems to work fine since my desktop (running openSUSE) gets a fd00:1:2:3:a:b:c:d/64 address, but it cannot browse over IPv6, nor ping.

My questions are:
- Is this the right way to "protect" my LAN a little bit more?
- Can UA addresses be used for this purpose? How do I define the default gateway then?
- How do I diagnose why the desktop machine is not properly browsing over IPv6?

Thanks a lot!
IPv6 gateway & radvd with ULA addresses
[ch] Jeroen Massar SixXS Staff on Tuesday, 05 June 2012 07:32:02
Just do not enable forwarding if you do not want packets to come in from the Internet, and one can of course configure ip6tables additionally to not forward, thus drop/reject, any packets in that chain too. But instead of thinking of firewalling, the better approach is to not have any services listening that are unwanted or misconfigured.

One can use link-local (fe80::/10) addresses for quite a few things, but as they tend to require scope specifiers they can be cumbersome to use, especially as one can't stick that into DNS either.

When using ULA, do generate the prefix, see the ULA tool for an easy way to do so. Using a handpicked simple prefix like you propose voids the whole idea of ULA. Indeed, as ULA prefixes are not routable they will not allow you to browse things on the general Internet either.
- Is this the right way to "protect" my LAN a little bit more?
Depends on what you want to protect and against what you want to protect it.
- Can UA addresses be used for this purpose? How do I define the default gateway then?
ULA can be routed inside an organization the same way as normal unicast addresses.
- How do I diagnose why the desktop machine is not properly browsing over IPv6?
Check the routing tables, use traceroute, check DNS, check if your browser is IPv6 capable, check if it does not prefer IPv4 etc etc etc. Due to things like Happy Eyeballs that get implemented at various levels (OS, libc, applications) it is sometimes quite hard to get things to do the right thing over IPv6.
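The checks in the answer above, written out as a small script. This is an added example, not code from the thread or from SixXS: it classifies every IPv6 address on an interface by its first hextet (which is what makes a ULA or link-local-only host unable to reach the Internet), then walks through routes, DNS, ping and traceroute. The interface name eth0 and the target host are assumptions; override IFACE and TARGET in the environment.

```shell
#!/bin/sh
# Added example, not code from this thread: show why a host with only ULA or
# link-local addresses cannot reach the IPv6 Internet, then run the checks
# from the answer above. IFACE and TARGET are assumptions; override as needed.
IFACE="${IFACE:-eth0}"
TARGET="${TARGET:-www.sixxs.net}"

# ip6_scope ADDR: print loopback, link-local, ula, global or other, judged from
# the first hextet (enough for these well-known ranges). A prefix length
# (/64) or zone id (%eth0) attached to the address is ignored.
ip6_scope() {
    a=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    a=${a%%/*}
    a=${a%%\%*}
    case "$a" in
        ::1)                            echo loopback ;;
        fe[89ab][0-9a-f]:*)             echo link-local ;;  # fe80::/10
        f[cd][0-9a-f][0-9a-f]:*)        echo ula ;;         # fc00::/7 (ULA)
        [23][0-9a-f][0-9a-f][0-9a-f]:*) echo global ;;      # 2000::/3 (routable)
        *)                              echo other ;;
    esac
}

# routable_addrs IFACE: list the interface's Internet-routable addresses.
# `ip` reports ULA as "scope global" too, so ip6_scope, not the kernel scope,
# is what separates routable from non-routable here.
routable_addrs() {
    ip -6 -o addr show dev "$1" 2>/dev/null | awk '{print $4}' |
    while read -r addr; do
        if [ "$(ip6_scope "$addr")" = global ]; then printf '%s\n' "$addr"; fi
    done
}

# diag: the troubleshooting sequence from the answer, in order
diag() {
    echo "== addresses on $IFACE =="
    ip -6 -o addr show dev "$IFACE" | awk '{print $4}' | while read -r addr; do
        printf '%-44s %s\n' "$addr" "$(ip6_scope "$addr")"
    done
    if [ -z "$(routable_addrs "$IFACE")" ]; then
        echo "!! no 2000::/3 address on $IFACE: ULA/link-local alone cannot reach the Internet"
    fi
    echo "== default route =="
    ip -6 route show default | grep . || echo "!! no IPv6 default route"
    echo "== AAAA records for $TARGET =="
    getent ahostsv6 "$TARGET" | awk '{print $1}' | sort -u | grep . \
        || echo "!! no AAAA record for $TARGET"
    echo "== reachability =="
    ping -6 -c 3 "$TARGET" 2>/dev/null || ping6 -c 3 "$TARGET"
    traceroute6 "$TARGET" 2>/dev/null || traceroute -6 "$TARGET"
}

if [ "${1:-}" = run ]; then diag; fi
```

Run it as `sh diag.sh run` on the desktop; a host that only shows `ula` and `link-local` lines in the first section has found its answer before the ping step.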
IPv6 gateway & radvd with ULA addresses
[ch] Shadow Hawkins on Wednesday, 06 June 2012 09:17:45
Hi Albert, if you use non-routable IPv6 addresses on your local LAN, you will not be able to browse the Internet, because your local LAN will not be routed ;-)

If you want to stick to the idea of non-routable IP addresses, you would have to configure an application layer proxy on a machine that connects both to the Internet with a routable address (i.e. the SixXS tunnel) and to your local LAN. So you could install squid on OpenWRT (if this is supported, I don't know OpenWRT), which would enable you to browse the Internet (provided you configure the proxy in your browser), but e.g. not to make an ssh connection to a remote machine: for every service you want to use, you will need an application layer proxy.

But I suggest using routable IPv6 addresses on your local LAN. To protect your internal LAN you basically need two ip6tables rules (to have a protection which is similar to IPv4 NAT, i.e. only connections initiated from the inside work):

    # outbound: anything from your own subnet may be forwarded
    ip6tables -A FORWARD --source $YOURIPV6SUBNET -j ACCEPT
    # inbound: only replies to connections the inside started
    ip6tables -A FORWARD --destination $YOURIPV6SUBNET -m state --state ESTABLISHED,RELATED -j ACCEPT

In addition, I strongly suggest letting ICMPv6 float freely.

Nicolas
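The two rules from the post only do what Nicolas describes when the FORWARD chain's default policy is DROP and ICMPv6 is let through; the script below, added here as an example and not Nicolas's or OpenWrt's own code, puts those pieces together for a routed /64 on an OpenWrt-style router. The prefix 2001:db8:1:2::/64 is a constructed documentation prefix, and the interface names sixxs and br-lan are assumptions; DRYRUN=1 prints the rules instead of applying them, so you can review the ruleset before touching the router.

```shell
#!/bin/sh
# Added example, not Nicolas's or OpenWrt's own code: a stateful ip6tables
# FORWARD policy for a routed /64, built around the two rules from the post
# above, plus the ICMPv6 allowance and the DROP default policy that make
# them effective. SUBNET, WAN and LAN are assumptions; DRYRUN=1 prints
# the rules instead of applying them.
SUBNET="${SUBNET:-2001:db8:1:2::/64}"   # constructed prefix; use your SixXS subnet
WAN="${WAN:-sixxs}"                       # tunnel interface (assumed name)
LAN="${LAN:-br-lan}"                      # OpenWrt LAN bridge (assumed name)
DRYRUN="${DRYRUN:-0}"

# run CMD...: execute the rule, or print it unchanged when DRYRUN=1
run() {
    if [ "$DRYRUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# forward_rules: replace the FORWARD chain with an inside-initiated-only policy
forward_rules() {
    run ip6tables -P FORWARD DROP   # without a DROP default the ACCEPT rules protect nothing
    run ip6tables -F FORWARD
    # ICMPv6 carries neighbour discovery, path-MTU discovery and error reports;
    # filtering it breaks IPv6 in ways that look like random connectivity loss.
    run ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
    # LAN -> Internet: anything sourced from our own prefix on the LAN side
    run ip6tables -A FORWARD -i "$LAN" -o "$WAN" -s "$SUBNET" -j ACCEPT
    # Internet -> LAN: only packets belonging to a flow the inside started
    run ip6tables -A FORWARD -i "$WAN" -o "$LAN" -d "$SUBNET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Whatever remains falls through to the DROP policy; keep a rate-limited
    # log so unexpected inbound attempts are visible while troubleshooting.
    run ip6tables -A FORWARD -m limit --limit 6/min -j LOG --log-prefix "ip6fw-drop: "
}

# rule_count: number of -A rules forward_rules emits (for a dry-run sanity check)
rule_count() {
    ( DRYRUN=1; forward_rules ) | grep -c '^ip6tables -A '
}

case "${1:-}" in
    apply) forward_rules ;;
    show)  ( DRYRUN=1; forward_rules ) ;;
esac
```

`sh ip6fw.sh show` prints the six commands; `sh ip6fw.sh apply` installs them. Binding each ACCEPT to its ingress and egress interface, rather than only to the address as in the two-rule version, stops a packet that enters on the tunnel with a spoofed source inside your own prefix from being forwarded back out.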
IPv6 gateway & radvd with ULA addresses
[br] Shadow Hawkins on Wednesday, 06 June 2012 16:12:36
Thanks Jeroen and Nicolas for your answers. I thought ULA addresses were not routable over the Internet but that I could do something to allow browsing normally, i.e. routing or something similar to NAT on IPv4. I might still have too much of the IPv4 "NAT" idea in my head. I'm a complete newbie with IPv6.

What I would like to do in the end is something similar to this:
(1) Have a unique IPv6 gateway
(2) Each machine on the LAN should browse normally over IPv6
(3) Each machine on the LAN should not be exposed directly over the Internet (IPv6)
(4) Connect to my IPv6 gateway over VPN
(5) Push an additional DNS server to the connected client in order to resolve LAN hosts
(6) Allow traffic without restrictions over the IPv6 VPN

If I got it right, in order to achieve (2) I shouldn't be using ULA at all (unless I use a proxy as Nicolas said, which is not the case); instead I should use radvd with my assigned subnetwork, but by doing so each host would be exposed directly over IPv6. That could be fixed by disabling forwarding as Jeroen said, but then would I still be able to achieve (2)?

Today I will switch back to advertising the subnet to the LAN and I will try to access LAN hosts over another tunnel and adjust the firewall if necessary. Is there some sort of guide similar to what I want to achieve (including the VPN part)? Thanks again to both of you for your help!


Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker