Index.
- Introduction.
- Network plan.
- Configure the gateway.
- Configure the Home Server.
- Firewall.
- Add IPv6 to the nameserver.
- Client configuration.
- Download.
29-Dec-2011: Reverted named database path, fixed mkinitcpio command.
03-Dec-2011: Management workstation uses fixed IPv6 via DHCP.
17-Aug-2011: Updated DHCP client daemon.
06-Jul-2011: Initial release.
Introduction.
In the previous article an IPv6 tunnel was created on the gateway. Now we add the IPv6 /48 subnet that we received from our SixXS provider. This /48 is routed to our tunnel endpoint, so traffic from other IPv6 networks to any address in it arrives through the tunnel. All we have to take care of is that IPv6 traffic that is not for our own /48 is routed via the gateway, and, the other way around, that the gateway routes incoming traffic from the Internet to the right subnets inside our network.
A few things to be aware of: each system in our network has one or more real, globally routable addresses. Network Address Translation is not needed for IPv6 and is not used here, so the firewall on the gateway is the only thing between our systems and the Internet. We only open the ports and destination addresses that must be reachable from outside and keep everything else closed. Convenient is that every service can have its own IPv6 address and that we can publish these on the Internet; you always have enough IPv6 addresses.
Network plan.
We have received the IPv6 range 2001:1af8:fecf::/48 for our tunnel. We will give each IPv4 network segment an IPv6 /64 subnet. We make the subnet number (the fourth 16-bit group of the address) from the second and third octets of the IPv4 network address, each written as two hexadecimal digits. For example, 126 becomes 7e and 160 becomes a0, so the first network segment becomes 2001:1af8:fecf:7ea0::/64. Because every /24 gets a distinct 16-bit subnet number this translation method works even for large corporate networks (a /48 holds 65536 /64 subnets). Our complete network plan then looks like:
| IPv4 | IPv6 | Remark |
|---|---|---|
| 10.126.160.0/24 | 2001:1af8:fecf:7ea0::/64 | Workstations LAN |
| 10.126.161.0/24 | 2001:1af8:fecf:7ea1::/64 | Server/Gateway LAN |
| 10.126.162.0/24 | 2001:1af8:fecf:7ea2::/64 | DMZ Network |
| 10.126.163.0/24 | 2001:1af8:fecf:7ea3::/64 | Spare |
| 10.126.164.0/24 | 2001:1af8:fecf:7ea4::/64 | Spare |
| 10.126.165.0/24 | 2001:1af8:fecf:7ea5::/64 | Spare |
| 10.126.166.0/24 | 2001:1af8:fecf:7ea6::/64 | Spare |
| 10.126.167.0/24 | 2001:1af8:fecf:7ea7::/64 | Spare |
We use the same translation to give each system an IPv6 address: the fourth octet, written in hexadecimal, becomes the interface identifier. IPv4 address 10.126.160.1 becomes 2001:1af8:fecf:7ea0::1, and 10.126.160.253 becomes 2001:1af8:fecf:7ea0::fd.
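The translation is mechanical, so it is worth scripting rather than doing by hand. The Python example below is added here and is not part of the original article; it assumes the 2001:1af8:fecf::/48 prefix and the 10.x.y.0/24 segment layout of the plan above, and the function names are mine. It builds the plan table and per-host addresses, and refuses segments the scheme cannot express (anything but a /24 under a /48).

```python
from __future__ import annotations
import ipaddress

# The /48 delegated to the tunnel (taken from the article's network plan).
SITE = ipaddress.IPv6Network("2001:1af8:fecf::/48")


def v4_to_subnet6(v4_net: str, site: ipaddress.IPv6Network = SITE) -> ipaddress.IPv6Network:
    """Map a /24 IPv4 segment to its /64: the 2nd and 3rd IPv4 octets become
    the 16-bit subnet id, e.g. 10.126.160.0/24 -> 0x7e,0xa0 -> ...:7ea0::/64."""
    net = ipaddress.IPv4Network(v4_net, strict=True)
    if net.prefixlen != 24:
        raise ValueError("the scheme maps /24 segments only")
    if site.prefixlen != 48:
        raise ValueError("the scheme needs a /48 site prefix")
    octets = net.network_address.packed
    subnet_id = (octets[1] << 8) | octets[2]
    # The subnet id occupies bits 64..79 of the 128-bit address.
    return ipaddress.IPv6Network((int(site.network_address) | (subnet_id << 64), 64))


def v4_to_host6(v4_addr: str, site: ipaddress.IPv6Network = SITE) -> ipaddress.IPv6Address:
    """Map a host: the 4th octet, written in hex, becomes the interface id,
    e.g. 10.126.160.253 -> ...:7ea0::fd."""
    addr = ipaddress.IPv4Address(v4_addr)
    segment = ipaddress.IPv4Network((addr, 24), strict=False)
    return v4_to_subnet6(str(segment), site).network_address + addr.packed[3]


def network_plan(segments, site: ipaddress.IPv6Network = SITE):
    """Build the (IPv4, IPv6, remark) rows of the plan table."""
    return [(v4, str(v4_to_subnet6(v4, site)), remark) for v4, remark in segments]


if __name__ == "__main__":
    # Constructed input: the segments from the article's table.
    rows = network_plan([
        ("10.126.160.0/24", "Workstations LAN"),
        ("10.126.161.0/24", "Server/Gateway LAN"),
        ("10.126.162.0/24", "DMZ Network"),
    ] + [(f"10.126.{n}.0/24", "Spare") for n in range(163, 168)])
    for v4, v6, remark in rows:
        print(f"{v4:18} {v6:28} {remark}")
    print(v4_to_host6("10.126.160.253"))  # homsrv's LAN address
```

The mapping is injective for every 10.x.y.0/24, so two segments can never collide on a /64, and a host keeps the same last octet in both families, which makes firewall rules and reverse DNS easy to cross-check by eye.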
Configure the gateway.
Because the gateway server was already prepared for IPv6 in the previous article, you only need to add the IPv6 addresses to the network interfaces and a route for the LAN where the client workstations live. Change the network settings in /etc/rc.conf:
HOSTNAME="gateway"

# Legacy networking
eth0="eth0 10.126.161.1 netmask 255.255.255.0 broadcast 10.126.161.255 \
      add 2001:1af8:fecf:7ea1::1/64"
eth1="dhcp"   # ADSL or Cable
eth2="eth2 10.126.162.1 netmask 255.255.255.0 broadcast 10.126.162.255 \
      add 2001:1af8:fecf:7ea2::1/64"
INTERFACES=(eth0 eth1 eth2)

# Routes to start at boot-up (in this order)
# Declare each route then list in ROUTES
#   - prefix an entry in ROUTES with a ! to disable it
#
net160="-net 10.126.160.0 netmask 255.255.255.0 gw 10.126.161.2"
net7ea0="2001:1af8:fecf:7ea0::/64 gw 2001:1af8:fecf:7ea1::2 eth0"
ROUTES=(net160 net7ea0)
Then, reboot the gateway.
Configure the Home Server.
We must prepare this server for IPv6 as we did for the gateway in the previous article. Add ipv6 to the MODULES line in /etc/mkinitcpio.conf, so that it reads something like MODULES=(raid1 dm-mod ipv6), then run mkinitcpio -p linux. Also add the following lines to /etc/sysctl.conf, so that the bridged external interface never gets an IPv6 address of its own:
# Disable IPv6 on the external bridged interface
net.ipv6.conf.eth1.disable_ipv6 = 1
Add the IPv6 network information to /etc/rc.conf:
HOSTNAME="homsrv"

# Legacy network setup
eth0="eth0 10.126.160.253 netmask 255.255.255.0 broadcast 10.126.160.255 \
      add 2001:1af8:fecf:7ea0::fd/64"
eth1="eth1 up"   # Only bring it up
red0="red0 10.126.161.2 netmask 255.255.255.0 broadcast 10.126.161.255 \
      add 2001:1af8:fecf:7ea1::2/64"
INTERFACES=(eth0 eth1 red0)

gateway4="default gw 10.126.161.1"
gateway6="default gw 2001:1af8:fecf:7ea1::1"
ROUTES=(gateway4 gateway6)
Reboot now. After the reboot, check with ip -6 addr show: eth1 must not show any IPv6 (inet6) address, while all other interfaces must have one. Because the firewalls are not yet configured for IPv6, IPv6 forwarding is still off, so there is little to test at this stage.
Firewall.
- Add the IPv6 addresses of the interfaces to the Home Server and Gateway server objects.
- Add the six0 interface to the gateway server object.
- In the Firewalls->homsrv -or- gateway->Firewall Settings->Compiler screens, turn on "Add rules to accept IPv6 Neighbour Discovery packets to IPv6 policies". Neighbour Discovery is ICMPv6; an IPv6 policy that drops all ICMPv6 silently breaks address resolution and router discovery on every interface.
- In the Firewalls->homsrv -or- gateway->Firewall Settings->Prolog/Epilog screen, add the /usr/sbin/ip6tables-save > /etc/iptables/ip6tables line.
- In the Firewalls->homsrv -or- gateway->Policy->Editor change "This is IPv4 ruleset" into "This is combined IPv4 and IPv6 ruleset".
In the gateway a rule is added to the NAT table to translate incoming DNS requests to 10.126.161.2. In the policy for the gateway, rules are added to allow DNS traffic from the Internet to 10.126.161.2 via eth1 and to 2001:1af8:fecf:7ea1::2 via the six0 interface. Note that the IPv6 side needs no NAT: the nameserver's address 2001:1af8:fecf:7ea1::2 is reachable directly, so the policy rule is the only control. It is also wise to add an anti-spoofing rule that drops packets arriving on six0 whose source address lies inside 2001:1af8:fecf::/48, since the nameserver's internal (recursive) view is selected on exactly that source range.
The firewall screenshots have become too large to include, but the printed PDF output is in the download archive, together with the complete original firewall sources from each server's /etc/iptables directory.
Add IPv6 to the nameserver.
The BIND nameserver must now be configured to listen on the IPv6 addresses and to provide IPv6 answers. A few new database files are needed, and a few existing files need changes. Two remarks before the listing: the TSIG key shown is the one used on this network, so generate your own secret with dnssec-keygen (or tsig-keygen on newer BIND) rather than copying it; and the zone in the external view has no allow-transfer statement, which in BIND 9 of this era means zone transfers are allowed to anyone, so add allow-transfer { none; }; there as well. Begin with /etc/named.conf:
#
# /etc/named.conf on homsrv.wpl.ym
options {
directory "/var/named";
pid-file "/var/run/named/named.pid";
datasize default;
listen-on {
10.126.160.253;
10.126.161.2;
127.0.0.1;
};
listen-on-v6 {
2001:1af8:fecf:7ea0::fd;
2001:1af8:fecf:7ea1::2;
::1;
};
notify no;
interface-interval 10;
recursive-clients 200;
tcp-clients 10;
files 4096;
};
#
# Internal DNS, this is used by the internal servers
# and workstations. The LAN is updated by the DHCP servers.
#
view "internal" {
match-clients {
10.0.0.0/8;
127.0.0.1;
2001:1af8:fecf::/48;
2001:1af8:feb8::/48;
};
auth-nxdomain yes;
max-cache-size 16M;
key "dhcp_updater" {
algorithm HMAC-MD5;
secret "XCe+CXl7kQBi762sjpjymg==";
};
# Your ISP's nameservers
forwarders {
195.241.77.51;
195.241.77.52;
};
#
# localhost
#
zone "localhost" IN {
type master;
file "int/db.localhost";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "int/db.0.0.127";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
type master;
file "int/db6.1";
allow-update { none; };
};
#
# Internal network
#
zone "wpl.ym" IN {
type master;
file "int/db.wpl.ym";
allow-update { key "dhcp_updater"; };
allow-transfer { none; };
};
zone "160.126.10.in-addr.arpa" IN {
type master;
file "int/db.160.126.10";
allow-update { key "dhcp_updater"; };
allow-transfer { none; };
};
zone "161.126.10.in-addr.arpa" IN {
type master;
file "int/db.161.126.10";
allow-update { none; };
allow-transfer { none; };
};
zone "162.126.10.in-addr.arpa" IN {
type master;
file "int/db.162.126.10";
allow-update { none; };
allow-transfer { none; };
};
zone "f.c.e.f.8.f.a.1.1.0.0.2.ip6.arpa" {
type master;
file "int/db6.fcef.8fa1.1002";
allow-update { key "dhcp_updater"; };
allow-transfer { none; };
};
};
#
# External view, used by the Internet. Most important is the
# reverse IPv6 mapping that you can set with the SixXS subnet
# configuration screen.
#
# Normal forward IPv4 and IPv6 is most likely set in the DNS
# that belongs to your domain (wpl.uk is this case).
#
view "external" {
match-clients { any; };
recursion no;
#
# Master wpl.uk
#
zone "f.c.e.f.8.f.a.1.1.0.0.2.ip6.arpa" {
type master;
file "ext/db6.fcef.8fa1.1002";
allow-update { none; };
};
};
Update /var/named/int/db.localhost, and increase the serial number:
$TTL 86400
$ORIGIN localhost.
@ IN SOA @ root (
2010121602 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS @
IN A 127.0.0.1
IN AAAA ::1
Create /var/named/int/db6.1:
$TTL 86400
@ IN SOA localhost. root.localhost. (
2010121901 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS localhost.
IN PTR localhost.
Change /var/named/int/db.wpl.ym to add the AAAA records:
$ORIGIN .
$TTL 86400 ; 1 day
wpl.ym IN SOA homsrv.wpl.ym. hostmaster.wpl.ym. (
2011020705 ; serial
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS ns1.wpl.ym.
A 10.126.160.253
MX 10 mail.wpl.ym.
AAAA 2001:1af8:fecf:7ea0::fd
$ORIGIN wpl.ym.
dmz A 10.126.162.1
AAAA 2001:1af8:fecf:7ea2::1
gateway A 10.126.161.1
AAAA 2001:1af8:fecf:7ea1::1
homsrv A 10.126.160.253
AAAA 2001:1af8:fecf:7ea0::fd
mail A 10.126.160.253
AAAA 2001:1af8:fecf:7ea0::fd
mgmtws A 10.126.160.5
AAAA 2001:1af8:fecf:7ea0::5
ns1 A 10.126.160.253
AAAA 2001:1af8:fecf:7ea0::fd
red A 10.126.161.2
AAAA 2001:1af8:fecf:7ea1::2
Add /var/named/int/db6.fcef.8fa1.1002:
$ORIGIN .
$TTL 86400 ; 1 day
f.c.e.f.8.f.a.1.1.0.0.2.ip6.arpa IN SOA ns1.wpl.ym. hostmaster.wpl.ym. (
2011011578 ; serial
28800 ; refresh (8 hours)
14400 ; retry (4 hours)
3600000 ; expire (5 weeks 6 days 16 hours)
86400 ; minimum (1 day)
)
NS ns1.wpl.ym.
$ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.e.7.f.c.e.f.8.f.a.1.1.0.0.2.ip6.arpa.
5.0 PTR mgmtws.wpl.ym.
d.f PTR homsrv.wpl.ym.
$ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.a.e.7.f.c.e.f.8.f.a.1.1.0.0.2.ip6.arpa.
1 PTR gateway.wpl.ym.
2 PTR red.wpl.ym.
$ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.a.e.7.f.c.e.f.8.f.a.1.1.0.0.2.ip6.arpa.
1 PTR dmz.wpl.ym.
Finally add the external /var/named/ext/db6.fcef.8fa1.1002 file:
$TTL 86400
@ IN SOA ns3.wpl.uk. hostmaster.wpl.uk. (
2011081714 ; serial
28800 ; refresh
14400 ; retry
3600000 ; expire
86400 ) ; minimum
IN NS ns3.wpl.uk.
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.a.e.7 PTR mailhub.wpl.uk.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.a.e.7 PTR dmz.wpl.uk.
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.a.e.7 PTR websrv.wpl.uk.
Now restart with the /etc/rc.d/named restart command.
A big warning is in order here. Reverse IPv6 zone files contain the address nibbles in reverse order, and the $ORIGIN line plus the leading labels of each record below it must together give exactly 32 single hexadecimal characters. It is easy to count wrong, and then it simply does not work; named-checkzone will not catch this either, because a name with 31 nibbles is still a syntactically valid owner name. A simple check is a forward lookup, which should return an IPv4 and an IPv6 address, followed by a reverse lookup of each answer. You need dnsutils installed for the host command:
[root@homsrv ~]# host gateway
gateway.wpl.ym has address 10.126.161.1
gateway.wpl.ym has IPv6 address 2001:1af8:fecf:7ea1::1
[root@homsrv ~]# host 10.126.161.1
1.161.126.10.in-addr.arpa domain name pointer gateway.wpl.ym.
[root@homsrv ~]# host 2001:1af8:fecf:7ea1::1
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.a.e.7.f.c.e.f.8.f.a.1.1.0.0.2.ip6.arpa \
domain name pointer gateway.wpl.ym.
[root@homsrv ~]#
Note that the IPv6 reverse answer is on one line, but it is shown here on two lines. Remember to use your own subnet addresses in the filenames, configuration, and so on.
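The host-based check only works after BIND has loaded the zone, so an offline check of the nibble count before restarting is useful too. The Python example below is added here and is not the article's own code. It takes the AAAA records from db.wpl.ym and the $ORIGIN/PTR section of db6.fcef.8fa1.1002 as constructed input, with one zero deliberately dropped from the last $ORIGIN to show the failure mode, and the function names are mine. It expands each relative owner against its $ORIGIN, verifies that every owner is exactly 32 hex nibbles under ip6.arpa, and confirms that every AAAA has a PTR pointing back to the right name. ptr_lines shows the alternative of writing absolute 32-nibble owner names, which leaves nothing to count.

```python
from __future__ import annotations
import ipaddress

# Constructed sample: the AAAA records from the article's db.wpl.ym.
AAAA = {
    "mgmtws.wpl.ym.": "2001:1af8:fecf:7ea0::5",
    "homsrv.wpl.ym.": "2001:1af8:fecf:7ea0::fd",
    "gateway.wpl.ym.": "2001:1af8:fecf:7ea1::1",
    "red.wpl.ym.": "2001:1af8:fecf:7ea1::2",
    "dmz.wpl.ym.": "2001:1af8:fecf:7ea2::1",
}

# Constructed sample: the $ORIGIN/PTR part of the article's db6 file, with
# one zero deliberately dropped from the last $ORIGIN (a typical counting slip).
REVERSE_FRAGMENT = """\
$ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.e.7.f.c.e.f.8.f.a.1.1.0.0.2.ip6.arpa.
5.0   PTR   mgmtws.wpl.ym.
d.f   PTR   homsrv.wpl.ym.
$ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.a.e.7.f.c.e.f.8.f.a.1.1.0.0.2.ip6.arpa.
1     PTR   gateway.wpl.ym.
2     PTR   red.wpl.ym.
$ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.a.e.7.f.c.e.f.8.f.a.1.1.0.0.2.ip6.arpa.
1     PTR   dmz.wpl.ym.
"""

HEX = set("0123456789abcdef")


def parse_reverse_fragment(text: str) -> dict[str, str]:
    """Return {owner FQDN: target} for the PTR records in a zone fragment,
    expanding relative owners against the current $ORIGIN. The owner must be
    present on every record line, as it is in the article's file."""
    origin, ptrs = "", {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "$ORIGIN":
            origin = parts[1]
            continue
        if len(parts) >= 3 and parts[-2].upper() == "PTR":
            owner = parts[0]
            if not owner.endswith("."):             # relative name
                owner = f"{owner}.{origin}"
            ptrs[owner.lower()] = parts[-1]
    return ptrs


def ptr_lines(aaaa: dict[str, str]) -> list[str]:
    """Emit PTR records with absolute 32-nibble owners, derived from the
    forward addresses, so there is nothing to count by hand."""
    return [f"{ipaddress.IPv6Address(a).reverse_pointer}. PTR {n}"
            for n, a in aaaa.items()]


def check_reverse(aaaa: dict[str, str], ptrs: dict[str, str]) -> list[str]:
    """List every problem: a PTR owner that is not exactly 32 hex nibbles
    under ip6.arpa, an AAAA without a PTR, or a PTR naming the wrong host.
    An empty list means forward and reverse agree."""
    problems = []
    for owner, target in ptrs.items():
        labels = owner.rstrip(".").split(".")
        nibbles, suffix = labels[:-2], labels[-2:]
        if suffix != ["ip6", "arpa"] or len(nibbles) != 32 \
                or not all(len(n) == 1 and n in HEX for n in nibbles):
            problems.append(f"{target}: owner {owner} has {len(nibbles)} nibbles, need 32")
    for name, addr in aaaa.items():
        want = ipaddress.IPv6Address(addr).reverse_pointer + "."
        got = ptrs.get(want)
        if got is None:
            problems.append(f"{name}: no PTR at {want}")
        elif got.lower() != name.lower():
            problems.append(f"{name}: PTR at {want} points to {got}")
    return problems


if __name__ == "__main__":
    for p in check_reverse(AAAA, parse_reverse_fragment(REVERSE_FRAGMENT)):
        print("PROBLEM", p)
    print("\n".join(ptr_lines(AAAA)))
```

Run against the sample, the checker reports the dmz record twice: once because its expanded owner has 31 nibbles, and once because the correct 32-nibble owner for 2001:1af8:fecf:7ea2::1 then has no PTR at all. The same check passes cleanly on the output of ptr_lines.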
Client configuration.
Install radvd: pacman -S radvd. The DHCP server is already present for IPv4; we only need an IPv6 configuration file and a second instance of the DHCP server, and Arch Linux has that covered. The client IPv6 network is 2001:1af8:fecf:7ea0::/64, and the largest part of that range will be used for DHCPv6. Two settings in the file below deserve attention on a LAN you do not fully trust: allow client-updates lets a client choose the name the server registers, and update-conflict-detection false lets that registration overwrite an existing name, so a workstation could claim an existing host name such as mail.wpl.ym. They are set this way here for the reasons given in the comments; on an untrusted segment use ignore client-updates and leave conflict detection on. Create /etc/dhcpd6.conf:
# /etc/dhcpd6.conf
#
authoritative;
ddns-update-style interim;
ddns-updates on;
ddns-domainname "wpl.ym";
ddns-rev-domainname "ip6.arpa";
allow client-updates;
# To work around a bug where IPv4 and IPv6 updates conflict.
update-conflict-detection false;
# Adds a lot more DNS updates.
update-optimization false;
key "dhcp_updater" {
algorithm HMAC-MD5;
secret XCe+CXl7kQBi762sjpjymg==;
}
zone wpl.ym. {
primary 10.126.160.253;
key "dhcp_updater";
}
zone f.c.e.f.8.f.a.1.1.0.0.2.ip6.arpa {
primary 10.126.160.253;
key "dhcp_updater";
}
#
# Default 30 minutes, max 2 hours..
#
default-lease-time 1800;
max-lease-time 7200;
log-facility local7;
# The path of the lease file
dhcpv6-lease-file-name "/var/state/dhcp/dhcpd6.leases";
# The subnet where the server is attached
subnet6 2001:1af8:fecf:7ea0::/64 {
host mgmtws {
hardware ethernet 08:00:27:d0:de:af;
fixed-address6 2001:1af8:fecf:7ea0::5;
}
# Almost each molecule in the house gets its own IPv6 address...
range6 2001:1af8:fecf:7ea0:1:0:0:0 2001:1af8:fecf:7ea0:ffff:ffff:ffff:ffff;
option dhcp6.name-servers 2001:1af8:fecf:7ea0::fd;
option dhcp6.domain-search "wpl.ym";
# Maximum 50 addresses per client.
limit-addrs-per-ia 50;
}
Then create /etc/radvd.conf:
# /etc/radvd.conf at homsrv.wpl.ym
# We only say "we are a router". The rest of the clients configuration
# is left to DHCP server. That seems enough for Windows-7 and Vista.
#
interface eth0
{
AdvSendAdvert on;
AdvManagedFlag on;
};
Now execute /etc/rc.d/dhcp6 start and /etc/rc.d/radvd start. Then boot a Windows 7 or Vista computer connected to the Home Server's LAN, surf to http://test-ipv6.com/ and check that dual-stack IPv4 and IPv6 works.
Download.
This is the archive with all updated configuration files, firewall sources and pdf prints.

