
Re: converting home network to IPv6; ppp, IPv6, dsnmasq and iptables



H.S. wrote:

> Here are the correct settings that seem to work:
> 
> 1)
> Addresses given by my ISP:
> HEX1:aa00::/64
> HEX2:bb00::/56 <-- this is the one used below

Excellent.

> 2) /etc/network/interfaces file
> #for IPv6 config  (note "bb01"). Goes to LAN switch
> iface eth0 inet6 static
>         address HEX2:bb01::01
>         netmask 64
>         network HEX2:bb01::

> #for IPv6 config (note "bb00"). Goes to ADSL modem
> iface eth1 inet6 static
>          address HEX2:bb00::01
>          netmask 64
>          network HEX2:bb00::

You don't need to assign different blocks to each NIC; all your network 
needs only one block of addresses. It is, however, a good idea, 
security-wise, to keep them apart.

> 3) I also have the "+ipv6" option in my dsl-provider file to be used when
> I make an ADSL connection.

> 4)
> And added the route:
> $> sudo route --inet6 add default dev ppp0

That seems reasonable.
 
> Further, in my /etc/radvd.conf on this router machine, I have the
> following(recall that eth0 is connected to a switch on the LAN):
>> cat /etc/radvd.conf
> interface eth0
> {
>         AdvSendAdvert on;
>         AdvLinkMTU 1280;
>         MaxRtrAdvInterval 300;
>         MinRtrAdvInterval 30;
>         prefix HEX2:bb01::/64  # <-- note this address and ref. eth0
>         {
>                 AdvOnLink on;
>                 AdvAutonomous on;
>         };
> };

This seems ok as well.


> Now another machine on my LAN is able to get an IPv6 address:
> {LAN machine}$> /sbin/ifconfig eth0 | grep inet6
> $> /sbin/ifconfig eth0 | grep inet6
>           inet6 addr: HEX2:bb01:HEXblah:/64 Scope:Global
>           inet6 addr: fe80::204:75ff:fe8a:d6df/64 Scope:Link

Excellent.

> So, I had to assign address from HEX2:bb00::/56 range. One network was
> eth1 (HEX2:bb00::) and another was eth0 (HEX2:bb01::). Basically, the
> two NICs in the same machine need to be on different IPv6 networks ...
> same as in IPv4 (Doh!).

Not really.

> Now, do the above observations mean I am now correctly using my IPv6
> networking and ppp connection given by my ISP? Also, what is the
> HEX2::/64 address given to me by my ISP for?

The only thing which is really missing in your setup is a firewall. Iptables 
has a dual personality (reflecting the dual stack devices): there is the 
normal iptables and the ip6tables for IPv6. The setup you are using does 
allow you to connect to the IPv6 network out there, but also allows 
connections from "out there" to your computers.

Read: http://www.networkworld.com/community/node/42436

There is a free "certification" for IPv6, which might help to understand 
the basics:
	http://ipv6.he.net/
	http://ipv6.he.net/certification/

Also be sure to set a firewall for IPv6. Remember that IPv6 is independent 
of IPv4 and allows external computers to connect to your systems, even 
behind the "Debian router":
	http://www.cyberciti.biz/faq/ip6tables-ipv6-firewall-for-linux/
	http://www.exp-networks.be/blog/ipv6-firewall/
	http://www.debian-administration.org/article/Is_your_firewall_IPv6_aware

These programs for firewall setup in Debian may be of help:
	http://wiki.debian.org/Firewalls
Shorewall seems to be a good choice.


-- 
Antonio Perez
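
Added example, not part of the original message: a shell function that prints an ip6tables-restore ruleset closing the gap described above, so LAN hosts can open IPv6 connections outward but nothing from ppp0 can open one inward. The interface roles (eth0 = LAN, ppp0 = uplink) come from the thread; the function name and the rule that lets LAN hosts reach services on the router are assumptions.

```shell
#!/bin/sh
# Added example: print an ip6tables-restore ruleset for the router in this thread.
# Assumed interface roles (from the thread): eth0 = LAN, ppp0 = ISP uplink.

rule() { printf '%s\n' "$*"; }   # printf, so lines starting with "-A" print safely

gen_ip6_rules() {
    lan_if="$1"
    wan_if="$2"
    rule '*filter'
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'

    # Router itself: loopback, then neighbour discovery before any state match,
    # because these packets are not tracked as ordinary connections.
    rule '-A INPUT -i lo -j ACCEPT'
    # RS=133 RA=134 NS=135 NA=136; hop limit 255 proves the sender is on-link.
    for t in 133 134 135 136; do
        rule "-A INPUT -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done

    for chain in INPUT FORWARD; do
        rule "-A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        rule "-A $chain -m conntrack --ctstate INVALID -j DROP"
        # ICMPv6 errors 1-4; type 2 (packet too big) is needed for path MTU discovery.
        for t in 1 2 3 4; do
            rule "-A $chain -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
        done
    done

    # The router answers ping; echo requests are not forwarded to LAN hosts.
    rule '-A INPUT -p ipv6-icmp --icmpv6-type 128 -j ACCEPT'
    # Assumption: LAN hosts may reach services on the router (e.g. DNS, ssh).
    rule "-A INPUT -i $lan_if -j ACCEPT"
    # LAN hosts may open connections outward; the DROP policy covers the rest,
    # including every new connection arriving on the uplink.
    rule "-A FORWARD -i $lan_if -o $wan_if -j ACCEPT"
    rule 'COMMIT'
}

gen_ip6_rules eth0 ppp0
```

Check the output with `ip6tables-restore --test` before loading it as root with `ip6tables-restore`.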

