Re: converting home network to IPv6; ppp, IPv6, dsnmasq and iptables
H.S. wrote:
> Here are the correct settings that seem to work:
>
> 1)
> Addresses given by my ISP:
> HEX1:aa00::/64
> HEX2:bb00::/56 <-- this is the one used below
Excellent.
> 2) /etc/network/interfaces file
> #for IPv6 config (note "bb01"). Goes to LAN switch
> iface eth0 inet6 static
> address HEX2:bb01::01
> netmask 64
> network HEX2:bb01::
> #for IPv6 config (note "bb00"). Goes to ADSL modem
> iface eth1 inet6 static
> address HEX2:bb00::01
> netmask 64
> network HEX2:bb00::
You don't need to assign different blocks to each NIC; all your network
needs only one block of addresses. It is, however, a good idea,
security-wise, to keep them apart.
> 3) I also have the "+ipv6" option in my dsl-provider file to be used when
> I make an ADSL connection.
> 4)
> And added the route:
> $> sudo route --inet6 add default dev ppp0
That seems reasonable.
> Further, in my /etc/radvd.conf on this router machine, I have the
> following(recall that eth0 is connected to a switch on the LAN):
>> cat /etc/radvd.conf
> interface eth0
> {
> AdvSendAdvert on;
> AdvLinkMTU 1280;
> MaxRtrAdvInterval 300;
> MinRtrAdvInterval 30;
> prefix HEX2:bb01::/64 # <-- note this address and ref. eth0
> {
> AdvOnLink on;
> AdvAutonomous on;
> };
> };
This seems ok as well.
> Now another machine on my LAN is able to get an IPv6 address:
> {LAN machine}$> /sbin/ifconfig eth0 | grep inet6
> $> /sbin/ifconfig eth0 | grep inet6
> inet6 addr: HEX2:bb01:HEXblah:/64 Scope:Global
> inet6 addr: fe80::204:75ff:fe8a:d6df/64 Scope:Link
Excellent.
> So, I had to assign address from HEX2:bb00::/56 range. One network was
> eth1 (HEX2:bb00::) and another was eth0 (HEX2:bb01::). Basically, the
> two NICs in the same machine need to be on different IPv6 networks ...
> same as in IPv4 (Doh!).
Not really.
> Now, do the above observations mean I am now correctly using my IPv6
> networking and ppp connection given by my ISP? Also, what is the
> HEX2::/64 address given to me by my ISP for?
The only thing which is really missing in your setup is a firewall. Iptables
has a dual personality (reflecting the dual stack devices): there is the
normal iptables and the ip6tables for IPv6. The setup you are using does
allow you to connect to the IPv6 network out there, but also allows
connections from "out there" to your computers.
Read: http://www.networkworld.com/community/node/42436
There is a free "certification" for IPv6, which might help to understand
the basics:
http://ipv6.he.net/
http://ipv6.he.net/certification/
Also be sure to set a firewall for IPv6, remember that IPv6 is independent
of IPv4 and allows external computers to connect to your systems, even
behind the "Debian router":
http://www.cyberciti.biz/faq/ip6tables-ipv6-firewall-for-linux/
http://www.exp-networks.be/blog/ipv6-firewall/
http://www.debian-administration.org/article/Is_your_firewall_IPv6_aware
These programs for setting up a firewall in Debian may be of help:
http://wiki.debian.org/Firewalls
Shorewall seems to be a good choice.
--
Antonio Perez
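
The firewall gap described in the reply above, as an added example that is not part of the original message: a default-deny IPv6 ruleset in `ip6tables-restore` format for the router, plus a check that an existing ruleset does not let new connections in from the uplink. The function names `gen_rules` and `audit_forward` are hypothetical; the interface names (`eth0` for the LAN, `ppp0` for the ADSL uplink) are taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Typical use, as root:
#   gen_rules eth0 ppp0 | ip6tables-restore
#   ip6tables-save | audit_forward ppp0 && echo "forwarding is default-deny"

# Print a ruleset for a router with LAN interface $1 and uplink interface $2.
gen_rules() {
    lan_if=$1
    wan_if=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Router itself: loopback, replies to its own traffic, and the LAN side.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan_if -j ACCEPT
# ICMPv6 carries neighbour discovery and path-MTU signalling; IPv6 breaks without it.
-A INPUT -p ipv6-icmp -j ACCEPT
# Forwarding: LAN hosts may open connections outward; only replies come back in.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -j ACCEPT
COMMIT
EOF
}

# Read a ruleset on stdin (ip6tables-save format). Succeed only if the FORWARD
# policy is DROP and no FORWARD rule accepts new traffic arriving on uplink $1.
audit_forward() {
    wan_if=$1
    awk -v wan="$wan_if" '
        /^:FORWARD / { policy = $2 }
        /^-A FORWARD / && /-j ACCEPT/ && (!/--ctstate/ || /--ctstate [A-Z,]*NEW/) {
            for (i = 1; i < NF; i++)
                if ($i == "-i" && $(i + 1) == wan) exposed = 1
            if ($0 !~ / -i /) exposed = 1   # no input interface: matches the uplink too
        }
        END { exit !(policy == "DROP" && !exposed) }
    '
}
```
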