Implementing dual stack IPv4/IPv6 at my home



Hello,

 

As you know, I very recently started a thread because I was asked at work to make our network IPv6.....

 

This is related but more on a personal level as it is for my home. Might as well do it now rather than later.

 

I believe my ISP supports native IPv6 but I've left a comment on their forums so I should know 100% shortly.

 

Let's see:

4 Windows 7 PCs

1 Blu-ray player in about 2012

A TV in 2006-2007

Various Android phones

 

As much as I can remember right now, those devices are the equipment in my home that are connected to the internet through my router.

 

It's obvious that at this stage a dual stack mixing IPv4 and IPv6 (tunnel or unrelated?) is required, since at home a lot of the sites accessed will still be IPv4 only.

 

Oh, I have a DD-WRT router (SVN revision 18777) and an Amper ASL-26555 as my ADSL modem (IPv6 compatible).

 

Thank you for reading and helping.


The Android phones likely support IPv6, as mobile has been a big driver, especially in Asia.  The issue will be the TVs and BD player (if it supports wireless connectivity) - if Linux is the base, IPv6 could be present.

Windows has supported IPv6 out of the box since Vista, and has been backported all the way back to Windows 2000.


Hello,

I'm almost sure the BD player does, but the TV I'm not sure about... it should, since it's been updated recently too, so let's just suppose they do...

To play with or set up a dual native, what does it matter if some devices do not support IPv6 as of yet - that is the whole point of dual stack ;) I would not mess with your TV or Blu-ray player for IPv6, to be honest.

 

If you're planning on using DD-WRT as your IPv6 router, I would really suggest you look into how to add an IPv6 firewall on it. I don't think it has one enabled by default. You don't want to expose boxes directly to IPv6.

 

You might want to look into running something that is going to give you more insight and features with IPv6 at your gateway - pfSense has great IPv6 support, and m0n0wall does as well, with an IPv6 firewall.


Hello,

http://www.dd-wrt.com/wiki/index.php/IPv6#ip6tables_for_K26_big_images

It looks easy enough to implement. The thing is, my router, a TP-Link TL-WR1043ND, runs k2.4 and I'm not sure if it's OK with k2.6.


Hello,

:( Sadly, still in 2013, my ISP, one of the biggest at international level, tells me that I'm stuck with a tunnel if I want to use IPv6.


  • 4 weeks later...

[Attached screenshot: ipv6.png]

 

If you have a tunnel from HE.net, it isn't too much work to get it working on your router. The main bit is the firewall, which is a bit different to IPv4, but doesn't take too long to remember the basics. The screenshot attached shows the tunnel endpoint configured, addresses for the tunnel endpoint and local network interfaces, the RA setting for the local network interfaces and firewall.

 

Working configuration for a few years.

 

Have a play with it and see how it goes.
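As an added example (not from the thread, the screenshot, or HE.net/DD-WRT documentation), the pieces the post above lists for a Linux-based router as one POSIX shell script: the 6in4 tunnel endpoint and addresses, and a default-deny ip6tables firewall so LAN hosts are not reachable from the tunnel unless they started the conversation. All IPv4/IPv6 addresses are documentation placeholders, the interface names he-ipv6 and br0 and the routed /64 are assumptions, and the RA daemon for the LAN is left out.

```shell
#!/bin/sh
# Added example: HE.net 6in4 tunnel plus stateful IPv6 firewall for a
# Linux router. Placeholders (RFC 5737 / RFC 3849 documentation ranges);
# replace with the values from your tunnelbroker.net tunnel page.
HE_SERVER_V4=192.0.2.1          # HE PoP IPv4 endpoint (placeholder)
MY_WAN_V4=198.51.100.2          # your public IPv4 address (placeholder)
TUN_V6=2001:db8:ff::2/64        # client side of the tunnel /64 (placeholder)
LAN_PREFIX=2001:db8:1234::/64   # routed /64 handed out on the LAN (placeholder)
WAN6=he-ipv6                    # tunnel interface name (assumed)
LAN=br0                         # DD-WRT LAN bridge (assumed)

# Tunnel bring-up commands, printed rather than run so they can be reviewed.
emit_tunnel_cmds() {
    cat <<EOF
ip tunnel add $WAN6 mode sit remote $HE_SERVER_V4 local $MY_WAN_V4 ttl 255
ip link set $WAN6 up
ip addr add $TUN_V6 dev $WAN6
ip route add ::/0 dev $WAN6
EOF
}

# Firewall in ip6tables-restore format. INPUT and FORWARD default to DROP,
# so nothing unsolicited from the tunnel reaches the router or the LAN.
# ICMPv6 must pass: NDP, router advertisements and PMTU discovery need it.
emit_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $WAN6 -s $LAN_PREFIX -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A FORWARD -p icmpv6 -j ACCEPT
-A FORWARD -i $LAN -s $LAN_PREFIX -o $WAN6 -j ACCEPT
COMMIT
EOF
}

# Only "apply" touches the system; the default prints both parts for review.
apply_all() { emit_tunnel_cmds | sh -e && emit_rules | ip6tables-restore; }

case ${1:-} in
    apply) apply_all ;;
    *) emit_tunnel_cmds; echo; emit_rules ;;
esac
```

The spoof rule that drops packets arriving on the tunnel with a source inside your own /64 sits first so it cannot be bypassed by the ICMPv6 or established-state accepts below it.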

 

 


Hello,

I wanted to get it working internally first then work with HE.net (also recommended by BudMan) to have WAN IPv6 access.....

I actually already have a IPv6 firewall working on the DD-WRT. I mean working as in implemented, not yet tested.


"I wanted to get it working internally first then work"

And why would it not already be working internally? Your 4 Windows 7 machines out of the box should be able to talk to each other via their link-local IPv6 addresses.

Unless you plan on creating multiple IPv6 segments on your local network to play with, the only real way to play with it in any real sense is to get a tunnel if your ISP does not support it.


Hello,

Using ping, it gives me (out of 4) 2 or 3 that say "Request timed out". The rest ping normally.

In a traditional manner, shouldn't I use DHCPv6? This way I know the set of IPs the clients will get...

OK :) So how would I go about setting up a tunnel (I'll use HE since I've read a lot of people recommend it) on DD-WRT?

Running DHCPv6 lets you create a mapping of hostname <> IP, which you don't get with normal auto-configuration. Windows Server comes with a good one, otherwise you can run (newish) builds of dnsmasq (Although I prefer the default setup of OpenWRT, it has a custom DHCPv6 server)

If DD-WRT comes with the required modules then creating a HE.net tunnel should be as simple as following the instructions HE.net gives you, then configuring the firewall to not leak everything in your network to the world (To the router, your HE.net tunnel is exactly the same as your normal internet connection, you need to set up forwarding/routing rules between your internal prefix and the internet)

That being said, unless you're close to a HE POP, you probably won't see much IPv6 usage due to "Happy Eyeballs", even with my native v6 connection (Which is actually slightly faster than my v4 one) apps will randomly fall back to IPv4 on some systems.


  • 2 weeks later...

I wouldn't bother with DHCPv6, personally. Just use whatever's built into your router to broadcast RAs.

 

Simple and it does the job.


If you want a mapping of hostnames to IP (And back again) you need DHCPv6 though (Or hope every system has Bonjour/Avahi installed). If you're using IPv4 with DHCP then it's likely you've already got that DNS mapping happening, in which case your systems won't use IPv6 to talk to each other (Since they won't know the other system has an IPv6 address, outside of plain fe80::/10 broadcasts)

On my router (OpenWRT trunk) I have a combined DNS/DHCPv4 server called dnsmasq, and a DHCPv6/RA server called 6relayd that inserts the DHCPv6 records into dnsmasq, so when a system does a DNS lookup for a host on my network it gets back both the v4 and v6 addresses (And when a system does reverse DNS it finds the normal hostname)

Sure, not using DHCPv6 won't hurt, but it does mean you'll have to enter the hexadecimal addresses to communicate, which is a right pain.

Edit: Oh, and if you want to split your network in two with a "downstream" router, you'd then have to manually configure the IP addresses. DHCPv6 also hands out network prefixes, not just plain IP addresses.


I'm running dual stack without DHCPv6 and any dual stack client automatically registers its IPv6 address into Windows Server DNS with secure update once it receives the RA with DNS server information. I don't think I had to configure anything on the DNS Server. Static entries required for static IPv6 addresses as usual though.


Hmm, so that is what Windows does, seems strange (Like, the DNS server shouldn't allow any random system to update records, it should only allow a trusted client)

 

Won't work in a mixed setup though, where you have Linux and Windows clients, or use a non-Windows Server DNS server (like BIND)

 

Edit: And putting the logic in the DHCP server allows for stuff like batching, restoring DNS info across restarts, etc.


I just checked and it is only Windows clients that do this through dynamic registration (or whatever it is called). It looks a lot easier to manage with DHCPv6. I suppose just using stateless is good for a 'click and go' situation.

 

I have a question though. What happens with DHCPv6 clients and the temporary IPv6 address? Does that also show up in the management console as an EUI-64 (i.e. does it register somewhere as well)? Usually the temporary address is the preferred source for IPv6 data from a host. I am unable to try this out for myself.

 

It would be hard to keep track of some things in a mixed environment with all these different addresses and the temporary ones too.

 

Time for bed.


By default (with a DHCPv6 managed network) each system will have at least 3 addresses, one assigned by DHCP (Which can be easily tracked), one assigned by SLAAC (Which might be the EUI64 of the NIC, by default Windows randomises it with the same algo as privacy addresses) and at least one privacy address (Which is used as the default outgoing IP)

During the transition between privacy addresses you might have 2 bound to the adapter, although I've seen up to 10 at any one point on my Mac (Not counting DHCP/SLAAC)

I assume Windows clients would register all the addresses (But maybe not the DHCP provided one?), and then whatever comes first in DNS wins (Unless you're using a Mac client but meh) Now as for outgoing address selection, that's a bit stranger. From quick testing both OS X and Windows seem to use the DHCP provided address to communicate with systems on the same subnet (And I assume SLAAC if you don't have DHCP), but the privacy address for systems outside it, which does make sense (You can already see the MAC on the network, what's the point in hiding it?)
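An added example (not from the thread) to make the EUI-64 point above concrete: the SLAAC interface identifier derived from a NIC's MAC (Modified EUI-64, RFC 4291) contains the MAC verbatim, so anyone seeing the address off-subnet can recover the hardware address; privacy addresses (RFC 4941) and Windows' randomised identifiers exist to avoid exactly that. The MAC values and the privacy-style identifier are constructed samples.

```shell
#!/bin/sh
# Added example: MAC <-> Modified EUI-64 interface identifier, POSIX sh.
# Inputs are constructed sample values, not taken from any real network.

# MAC (aa:bb:cc:dd:ee:ff) -> 64-bit interface ID as four hex groups.
eui64_from_mac() {
    oldifs=$IFS; IFS=:; set -- $1; IFS=$oldifs
    [ $# -eq 6 ] || { echo "eui64_from_mac: bad MAC" >&2; return 1; }
    o1=$(( 0x$1 ^ 0x02 ))    # flip the universal/local bit of the first octet
    # Insert ff:fe between the OUI half and the device-specific half.
    printf '%x:%x:%x:%x\n' $(( o1 * 256 + 0x$2 )) $(( 0x$3 * 256 + 0xff )) \
                           $(( 0xfe * 256 + 0x$4 )) $(( 0x$5 * 256 + 0x$6 ))
}

# Interface ID (four explicit hex groups) -> MAC. Returns 1 when the ID is
# not EUI-64-shaped, i.e. a privacy address or a Windows random identifier,
# in which case there is no MAC to recover.
mac_from_eui64() {
    oldifs=$IFS; IFS=:; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || { echo "mac_from_eui64: need 4 groups" >&2; return 1; }
    g1=$(( 0x$1 )); g2=$(( 0x$2 )); g3=$(( 0x$3 )); g4=$(( 0x$4 ))
    # The ff:fe marker (low byte of group 2, high byte of group 3) must be there.
    [ $(( g2 & 0xff )) -eq 255 ] && [ $(( g3 >> 8 )) -eq 254 ] || return 1
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' \
        $(( (g1 >> 8) ^ 0x02 )) $(( g1 & 0xff )) $(( g2 >> 8 )) \
        $(( g3 & 0xff )) $(( g4 >> 8 )) $(( g4 & 0xff ))
}

# Demo with a constructed MAC and a constructed privacy-style identifier.
mac=00:11:22:33:44:55
iid=$(eui64_from_mac $mac)
echo "MAC $mac -> SLAAC interface ID $iid"
echo "Recovered from the address: $(mac_from_eui64 $iid)"
if mac_from_eui64 3a9f:11c2:8d07:e4b1 >/dev/null; then
    echo "unexpected: looked like EUI-64"
else
    echo "3a9f:11c2:8d07:e4b1 has no ff:fe marker: privacy-style ID, MAC not recoverable"
fi
```

Run it against the output of `ipconfig` or `ip -6 addr` on one of your own hosts to see which of its addresses still carry the NIC's MAC.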


  • 3 weeks later...

I am going to see what happens with the DNS registration in a few days when I have some spare time. I can add that static IPv6 addresses also get registered, however I have also noted the following:

 

over a site-to-site vpn (different subnet), the static address is used as source.

for same subnet traffic, the SLAAC address is used

for internet traffic, the temporary address is used.

 

This is for Win2k8 R2. I am not sure why the static address is only used as source for inter-site/subnet traffic. I haven't set anything up for it to do that.

 

Tony


I was reading up on DNS behaviour and I found that BIND also supports the client-registration method, seems strange to me though and I haven't seen it used in practice (Although my experience with Windows Server/BIND/Enterprise setups is pretty much non-existent)

That's strange behaviour of using a different address for VPN traffic vs. local subnet/internet traffic.


Hello,

 

Glad this conversation is still going on :)

 

Now that I have vacations, I might get around to implementing this (finally) on my network (like the original purpose of this thread was)
