How to properly set up IPv6 on a GenToo server

16 posts • Page 1 of 1
Dragonlord
Guru
Posts: 447
Joined: Sun Aug 22, 2004 11:57 am
Location: Switzerland

Post by Dragonlord » Tue Jul 19, 2022 8:27 pm

I've got a working IPv4 network running with a setup like this:

(LAN PCs) <-- 192.168.1.0/24 --> (eth0) server (eth1) <-- 192.168.0.0/24 --> router --> ISP

I would like to upgrade this to include IPv6. The ISP is doing IPv6 now so I can continue from there. The router is set up to do IPv6 too. Right now I disabled DHCPv6 support on the router since I have dhcpd running on the server and would like to keep it that way. The server firewalls against the router mainly. The server and the LAN PCs have USE=ipv6 so this should be okay too. I've got now two problems.

The first is how to configure dhcpd. I've read I can not run one daemon to serve both IPv4 and IPv6. So I need a second daemon running which is configured for IPv6. At this point I'm stuck. I see under /lib/systemd/system/ that dhcpd6 is listed but /etc/init.d/dhcpd is the only present file so I assume something is missing? Also there is only one /etc/dhcp/dhcpd.conf file not two. I guess I need to manually fix this?

The second problem is the static subnet range. The server, router and some LAN PCs have fixed IPv4 which I've set up to be in two different subnets to make firewalling more secure (one for each interface). As far as I understand IPv6 does not know this concept of subnets anymore. Can I still have two "subnets" like mentioned above? How do I properly set up the routing in this situation to get IPv6 leaving through the router? Right now I get a fe80::* address which is fine (I think) but I can't get the connections to route outside (hence ping -6 google.com is not working).

Some help would be nice to get something going there.
DragonDreams: Leader and Head Programmer
NeddySeagoon
Administrator
Posts: 56076
Joined: Sat Jul 05, 2003 9:37 am
Location: 56N 3W

Post by NeddySeagoon » Tue Jul 19, 2022 8:43 pm

Dragonlord,

Lets get the structure clear first.

Your ISP should give you a /64 for your Neighbour Discovery and a further /56 or /48 for your subnets; that's your delegated prefix.
Are they assigned dynamically or statically?

Typically you use dhcpcd to talk to your ISP if its all dynamic, then radvd to distribute your delegated prefix to your subnets.
Then the rest is automatic.

Do not post your prefix. That's like publishing your public IPv4 address. However, RFC 3849 says:
rfc3849 wrote: The prefix allocated for documentation purposes is 2001:DB8::/32
so mangle the first 32 bits.
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Post by Dragonlord » Tue Jul 19, 2022 8:51 pm

I see only a ****/56 from the ISP. Right now it is dynamic, but I'm working on getting it static since I run web services on the server. So this means I have no ND?

And I have dhcpd not dhcpcd. Is this then not possible to do?
Post by NeddySeagoon » Tue Jul 19, 2022 9:45 pm

Dragonlord,

I use dhcpcd to get my IPv4/29 and my IPv6/64 from my ISP.
My uplink is PPPoE over VDSL.
That process also delegates my /48.

Even though it's dynamically assigned, it never changes. It just uses that mechanism.
My router is a Gentoo Kernel Virtual Machine, so its all under my control.
Including my end of the ISP link.

Your router will have kept the /64 for itself and passed on the /56.

It's possible to use dhcpd to distribute IPv6 but it's not required. IPv6 was designed for autoconfiguration. Unlike IPv4,
IPv6 routers advertise their presence and provide enough information for hosts to do the rest.
e.g. The box I'm sitting at now has fe34:97ff:feb7:d44 in the /64 delegated to my wired network.
The router is ::1/64 in the same prefix.

I use dhcp for IPv4 only.
Post by Dragonlord » Wed Jul 20, 2022 7:41 pm

Just to get this right. I should not do DHCPv6 on my server but instead letting the router do the DHCPv6? Does this work if the router sits in a different network than the LAN PCs? How does static port forwarding then work? The server has web server, mail server, git server and some other stuff running. IPv4 is static and port forwarding on the router too. How would this work with IPv6 then?
Post by NeddySeagoon » Wed Jul 20, 2022 8:52 pm

Dragonlord,

IPv6 is quite different to IPv4.

You usually have one public IPv4 address, which for incoming connections requires port forwarding and for outgoing, it requires NAT.
With IPv6 (your /56) you have 2^72 public IP addresses. For comparison, the entire IPv4 address space is 2^32 addresses and they are all used.

Your server can have its own public IPv6 address. A /56 is 256 /64 subnets.
Every IPv6 address starting with the digit 2 is public.
Every system on your LAN will have a public IPv6 address.

IPv4 and IPv6 are separate. It's possible to turn off IPv4 and only use IPv6 but large parts of the internet will vanish if you try because they are not yet IPv6 aware.
They have their own firewalls: iptables and ip6tables.

The Wikipedia IPv6 page is a good overview.

I have 3 LANs. For IPv4 they all have NAT to the outside world and dhcpd to serve 192.168.x.y/24 IP addresses.
x is 10, 100, or 54 for historical reasons.

10 is the DMZ. it was originally 10 Mbit thin net.
54 is wifi and other untrusted devices.
100 is wired/trusted. It was originally 100Mbit wired. It made it easy to remember.

They all have IPv6 with public IPs too, each on a different /64 prefix from my /48.
My KVM router is also my boundary firewall for both IPv4 and IPv6. Incoming connection attempts are carefully controlled.
Everything that is not expressly permitted is DROPed or DENIED.
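The prefix arithmetic in the two posts above (a /56 is 256 /64 subnets and 2^72 addresses, anything in 2000::/3 is public, mangle the first 32 bits before posting) worked through as an added example. This is not code from the thread; the delegated prefix sits in the RFC 3849 documentation range and the interface names are constructed for the example.

```python
import ipaddress

# Constructed example in the RFC 3849 documentation range. A real delegation
# from the ISP begins with a 2 (2000::/3) and, as the thread says, should not
# be posted. The LAN interface names are assumptions as well.
DELEGATED = ipaddress.IPv6Network("2001:db8:ab12:cd00::/56")
LAN_IFACES = ["eth0", "eth2"]

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ULA = ipaddress.IPv6Network("fc00::/7")
DOC_PREFIX = ipaddress.IPv6Network("2001:db8::/32")


def subnet_count(delegated):
    """Number of /64 subnets in a delegated prefix (256 for a /56)."""
    return 2 ** (64 - delegated.prefixlen)


def address_count(delegated):
    """Number of addresses in a delegated prefix (2**72 for a /56)."""
    return delegated.num_addresses


def carve_subnets(delegated, lan_ifaces):
    """Hand one /64 from the delegated prefix to each LAN interface, in order,
    and pick ::1 in that /64 as the router's address, the way dhcpcd's ia_pd
    auto-assignment does. Returns {iface: (network, router_address)}."""
    if delegated.prefixlen > 64:
        raise ValueError("need at least a /64 per LAN, got a /%d" % delegated.prefixlen)
    plan = {}
    for iface, net in zip(lan_ifaces, delegated.subnets(new_prefix=64)):
        plan[iface] = (net, net[1])          # net[1] is <prefix>::1
    return plan


def classify(addr):
    """'global' for 2000::/3, 'link-local' for fe80::/10, 'ula' for fc00::/7."""
    a = ipaddress.IPv6Address(addr)
    if a in GLOBAL_UNICAST:
        return "global"
    if a in LINK_LOCAL:
        return "link-local"
    if a in ULA:
        return "ula"
    return "other"


def mangle_for_posting(prefix):
    """Replace the first 32 bits of a prefix with 2001:db8 (RFC 3849) so that
    a routing table or config can be posted without revealing the real prefix."""
    net = ipaddress.IPv6Network(prefix)
    low_96_bits = int(net.network_address) & ((1 << 96) - 1)
    doc = int(DOC_PREFIX.network_address) | low_96_bits
    return ipaddress.IPv6Network((doc, net.prefixlen))


if __name__ == "__main__":
    for iface, (net, router) in carve_subnets(DELEGATED, LAN_IFACES).items():
        print(f"{iface}: {net} (router {router})")
    print(subnet_count(DELEGATED), "subnets,", address_count(DELEGATED), "addresses")
    print(mangle_for_posting("2a00:1450:4009:800::/56"))
```

The subnet plan is the same one dhcpcd produces from an ia_pd line listing the LAN interfaces: consecutive /64s out of the delegation, router at ::1 in each. The classification test is 2000::/3, which is tighter than "starts with a 2" (3xxx: addresses are also global unicast).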
Post by Dragonlord » Thu Jul 21, 2022 6:15 pm

So far so good but one thing in your explanation I don't understand. You said your PCs in the 3 LANs each have a public IPv6. Did they derive it then from the prefix assigned to them by your router? Which is what I don't get. Each LAN has in that case a different subnet. Where is it coming from? Does the router know they are on a certain interface or have you hard-coded the subnet on each PC? It's not clear to me how the prefix handed down from the ISP gets modified so each LAN has its own subnet inside this prefix.

For the records I have no way to control the behavior of the router. I can only define the behavior on the routing (iptables, dhcpd, bind and so forth) on the server as well as assign static network configuration to certain LAN pcs (but not all).
Post by NeddySeagoon » Thu Jul 21, 2022 9:47 pm

Dragonlord,

My router has 4 physical interfaces.
The Internet, my wired trusted LAN, my DMZ, for servers and a wireless/untrusted set.
My /etc/dhcpcd.conf contains

Code: Select all

# A list of options to request from the DHCP server.
option domain_name_servers, domain_name, domain_search, host_name
#option classless_static_routes
# Most distributions have NTP support.
option ntp_servers
# Respect the network MTU. This is applied to DHCP routes.
option interface_mtu

# A ServerID is required by RFC2131.
require dhcp_server_identifier

# Generate SLAAC address using the Hardware Address of the interface
#slaac hwaddr
# OR generate Stable Private IPv6 Addresses based from the DUID
slaac private

#noipv6rs

ipv6only

allowinterfaces ppp0

interface ppp0
        # request a normal (IA_NA) IPv6 address with IAID 100
        iaid 100

        # request delegated prefixes (IA_PD) for the LAN interfaces
        ia_pd 3 eth3 eth1

Interface ppp0 is my internet interface.
It gets /64 prefix delegations for eth3 and eth1 (from my /48) and assigns them to those interfaces.
The auto assigned addresses end in ::1, so they are easy to remember.

Despite the fact that I'm using dhcpcd, to do all this my ISP ensures that the addresses never change.

radvd then picks up the auto assigned addresses and advertises them over the LANs on eth1 and eth3.
The systems that get router advertisements assign themselves IPv6 addresses in the same /64.

The /etc/radvd.conf entry for eth1 is

Code: Select all

interface eth1
# green - wired
{
        ## (Send advertisement messages to other hosts)
        AdvSendAdvert on;
        ## (Fragmentation is bad(tm))
        AdvLinkMTU 1280;
        MaxRtrAdvInterval 300;
        ## (IPv6 subnet prefix we've been assigned by our ISP)
        ## dhcpcd gets our delegated prefix and allocates it
        ## around our interfaces; it also allocates the interface
        ## IPv6 address. We just advertise the /64 on the interface.
        prefix ::/64
        {
                AdvOnLink on;
                AdvAutonomous on;
        };
};

Others are the same.

Is your router really a router or just a modem?
Upstream of my router, I have a modem that converts the VDSL over the phone line to PPPoE, which is my internet connection into my PPPoE interface on my router.
Post by Dragonlord » Fri Jul 22, 2022 12:31 pm

It's a Fritzbox which in my opinion is an ADSL2 modem with router functionality. I set up my IPv4 network to use the modem only as a "kind of" bridge, hence why it is in its own subnet on a separate Ethernet interface on the server. The server then does the actual routing using iptables for all Ethernet interfaces. With IPv6 I would do this too if it is possible. But this begs the question whether this is possible since the server does not get the ISP information. Only the modem/router has access to this. In the case of IPv4 I did not care since I had static IPs and NAT. In the case of IPv6 I don't get yet how I'm supposed to solve this problem.
Post by NeddySeagoon » Fri Jul 22, 2022 4:45 pm

Dragonlord.

I have a Fritzbox 7530 which I use as a modem sometimes too.

When I put my ISP username and password into the Fritzbox, it becomes my PPPoE endpoint and insists on being a router. That's not what I want/need at all.
To use it as a modem, I have to ensure that it cannot authenticate to my ISP. It does not get an IP address now.
Turn on "Allow Other Devices to Connect to the Internet" (not recommended). That's from memory. I can't find it in the manual.

Now your downstream gets to connect to your ISP. I get PPPoE there, which is how it's done in the UK.
That should be the only connection out of the Fritzbox. It must not do Wifi, dhcp or anything.
You have full control now :)
Post by Dragonlord » Sat Jul 23, 2022 10:55 am

That's not really an option right now since I want to keep the IPv4 working and there the server uses the Fritzbox as a dumb hop with ISP connection. I do not want to change this setup as it is a bit "fickle". Has to do with the ISP. So given I have to keep the Fritzbox in this routing mode what options do I have to get the IPv6 working?
Post by NeddySeagoon » Sat Jul 23, 2022 3:14 pm

Dragonlord,

I wonder if the Fritzbox will pass prefix delegation requests back to your ISP and be able to route its downstream prefixes.
I doubt you will find anything in the documentation.

Code: Select all

       +----------+         +--------+
       |          |         |        +--LAN 1 -->
---ISP-+ Fritzbox +---A---+ Server |
       |          |         |        +--LAN 2 -->
       +----------+         +--------+

I understand that your network is like my best ASCII art above. You may have more LANs, but that's just step and repeat.

The ISP side of the Fritzbox will have your public IPv4 and IPv6 uplink.
It will use DHCP to assign IPv4 addresses downstream. In this case just to your server. You can set it manually too.
Your server will keep your separate LANs separate by assigning different private address ranges to the separate LAN segments, and provide NAT so they can get to the outside world.

If IPv6 is enabled in the Fritzbox, your server should have a working IPv6 link to the outside world.
A good sign is an IPv6 address beginning with 2 on the interface towards the Fritzbox.

Code: Select all

ip -6 addr show
ip -6 route show

will show IPv6 addresses and routes.

On the server,

Code: Select all

ping6 google.com

should show

Code: Select all

$ ping6 google.com
PING google.com(lhr48s30-in-x0e.1e100.net (2a00:1450:4009:823::200e)) 56 data bytes
64 bytes from lhr48s30-in-x0e.1e100.net (2a00:1450:4009:823::200e): icmp_seq=1 ttl=118 time=20.1 ms
64 bytes from lhr48s30-in-x0e.1e100.net (2a00:1450:4009:823::200e): icmp_seq=2 ttl=118 time=21.2 ms
64 bytes from lhr48s30-in-x0e.1e100.net (2a00:1450:4009:823::200e): icmp_seq=3 ttl=118 time=20.6 ms

Let's get that far. Confirm my understanding of your LAN too please.
Post by Dragonlord » Sun Jul 24, 2022 10:18 am

No, this is not the case. "ip -6 addr show" shows only "fe80****".

In the router IPv6 support is enabled. It uses native IPv6 to the ISP (ISP confirmed this "should" work on my link). The option "fetch global address" is enabled and I see a 2*** address on the router to the ISP. Also DHCPv6 rapid commit is enabled on the router. It is also configured to be an IPv6 router on the LAN which assigns ULAs if there is no internet connection. And it is enabled as DHCPv6 server with DNS server assigning IA_PD and IA_NA.
Post by NeddySeagoon » Sun Jul 24, 2022 1:47 pm

Dragonlord,

On your server, what does

Code: Select all

ping6 ff02::2 -I <towards Fritzbox>

tell?
Only IPv6 routers will respond.

Code: Select all

$ ping6 ff02::2 -I eth0
ping6: Warning: source address might be selected on device other than: eth0
PING ff02::2(ff02::2) from :: eth0: 56 data bytes
64 bytes from fe80::5054:ff:febe:8d73%eth0: icmp_seq=1 ttl=64 time=0.906 ms
64 bytes from fe80::5054:ff:febe:8d73%eth0: icmp_seq=2 ttl=64 time=0.960 ms
64 bytes from fe80::5054:ff:febe:8d73%eth0: icmp_seq=3 ttl=64 time=0.908 ms

That's also my default route.

Code: Select all

$ ip -6 route show
xxx:xxx:xxx:xxx::/64 dev eth0 proto kernel metric 256 expires 86236sec pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::5054:ff:febe:8d73 dev eth0 proto ra metric 1024 expires 736sec mtu 1280 hoplimit 64 pref medium

Where xxx:xxx:xxx:xxx is my prefix.

Provided you get a response to ping6 ff02::2, the Fritzbox is acting as an IPv6 router, and we can try using
dhcpcd on the server to get an IP for the server to Fritzbox link and delegated prefixes for your LAN segments.

dhcpcd can do both IPv4 and IPv6 or just one.
If you want it to leave your IPv4 alone, use the

Code: Select all

ipv6only

option.
That's how my setup works.

Once we have delegated prefixes, radvd will tell your LANs all about them.
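The two checks above (a global address on the Fritzbox-facing interface, and a default route learned from a Router Advertisement via the router's link-local address) can be scripted. The following is an added example, not code from the thread: it parses the text of ip -6 addr show and ip -6 route show, and the sample outputs it carries are constructed to mirror the working case and the only-fe80 case described in the thread, with eth1 assumed as the name of the uplink interface.

```python
import ipaddress
import re

# Constructed sample output in the format of `ip -6 addr show` and
# `ip -6 route show`. Addresses are documentation/link-local values, not the
# ones from the thread, and "eth1" is an assumed uplink interface name.
ADDRS_BROKEN = """\
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""
ROUTES_BROKEN = """\
fe80::/64 dev eth1 proto kernel metric 256 pref medium
"""
ADDRS_OK = """\
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:4009:800::1/64 scope global dynamic
       valid_lft 86236sec preferred_lft 14236sec
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""
ROUTES_OK = """\
2001:db8:4009:800::/64 dev eth1 proto kernel metric 256 expires 86236sec pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
default via fe80::5054:ff:febe:8d73 dev eth1 proto ra metric 1024 expires 736sec mtu 1280 hoplimit 64 pref medium
"""

IFACE_RE = re.compile(r"^\d+:\s+([^:@\s]+)")
INET6_RE = re.compile(r"^\s+inet6\s+(\S+)\s+scope\s+(\S+)")
DEFAULT_RE = re.compile(r"^default\s+via\s+(\S+)\s+dev\s+(\S+)(?:\s+proto\s+(\S+))?")

GLOBAL = ipaddress.IPv6Network("2000::/3")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def parse_addrs(text):
    """{iface: [(IPv6Interface, scope), ...]} from `ip -6 addr show` output."""
    result, iface = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            result.setdefault(iface, [])
            continue
        m = INET6_RE.match(line)
        if m and iface is not None:
            result[iface].append((ipaddress.IPv6Interface(m.group(1)), m.group(2)))
    return result


def parse_default_routes(text):
    """[(gateway, dev, proto)] for every default route in `ip -6 route show`."""
    routes = []
    for line in text.splitlines():
        m = DEFAULT_RE.match(line.strip())
        if m:
            routes.append((ipaddress.IPv6Address(m.group(1)), m.group(2), m.group(3)))
    return routes


def diagnose_uplink(addr_text, route_text, uplink):
    """Return a list of findings; an empty list means the uplink looks healthy:
    a global (2000::/3) address plus a default route learned from a Router
    Advertisement whose gateway is a link-local address on that interface."""
    findings = []
    addrs = parse_addrs(addr_text).get(uplink, [])
    if not any(a.ip in GLOBAL for a, _ in addrs):
        seen = ", ".join(str(a.ip) for a, _ in addrs) or "nothing"
        findings.append(f"{uplink}: no global address, only {seen}")
    routes = [r for r in parse_default_routes(route_text) if r[1] == uplink]
    if not routes:
        findings.append(f"{uplink}: no IPv6 default route (no Router Advertisement accepted)")
    else:
        gw, _, proto = routes[0]
        if gw not in LINK_LOCAL:
            findings.append(f"{uplink}: default gateway {gw} is not link-local")
        if proto != "ra":
            findings.append(f"{uplink}: default route proto is {proto!r}, not learned from RA")
    return findings


if __name__ == "__main__":
    print("working :", diagnose_uplink(ADDRS_OK, ROUTES_OK, "eth1"))
    print("only fe80:", diagnose_uplink(ADDRS_BROKEN, ROUTES_BROKEN, "eth1"))
```

One cause of the "only fe80::, no default route, but ff02::2 answers" state that is worth ruling out on a box that forwards IPv6: the Linux kernel ignores Router Advertisements on an interface with forwarding enabled unless net.ipv6.conf.<iface>.accept_ra is 2 (the default value 1 only accepts RAs when the interface is not forwarding). dhcpcd handles RAs in userspace and is not affected by that setting, which is one more reason the thread moves the server to dhcpcd.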
Post by Dragonlord » Mon Jul 25, 2022 8:18 pm

The ping test returns two addresses. One is the server IP on the link and the other the Fritzbox. So the router does respond.

The default route shows no prefix, only "fe80::/64 dev internet proto kernel metric 256 pref medium".
Post by NeddySeagoon » Tue Jul 26, 2022 12:45 pm

Dragonlord,

OK, that sounds promising.

Read through this before you do it.

On the server, install dhcpcd and look at /etc/dhcpcd.conf.

Add

Code: Select all

ipv6only

at the end, so it will not do anything for IPv4.

Add an interface block for the Fritzbox-facing interface:

Code: Select all

interface <Fritzbox_Facing_Interface>
        # request a normal (IA_NA) IPv6 address with IAID 100
        iaid 100
        ia_na

Run it as

Code: Select all

dhcpcd -d

as the chatter between the Fritzbox and the server will be interesting.
See

Code: Select all

man dhcpcd.conf

If you want a particular address on the Fritzbox facing interface you can ask for it on the ia_na entry.
That can come later.

Once That works adding

Code: Select all

# request delegated prefixes (IA_PD) for the LAN interfaces
ia_pd 3 eth3 eth1

gets me delegated prefixes for my eth3 and eth1 interfaces.
You put your interface names there.

Do

Code: Select all

killall dhcpcd

to retest, as it forks to the background.
At this point the server should be able to talk to the rest of the world over IPv6 and the server interfaces listed in the ia_pd statement should have global addresses (beginning 2) on different /64 prefixes from your /56.
The rest of the world can ping all your server interfaces on IPv6 too. Routing is automatic.

Routing is free.
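What "the rest of the world can ping all your server interfaces" means for the firewall, as an added example that is not part of the thread: once the server and every LAN host carry global addresses, nothing hides them the way IPv4 NAT did, so the server's ip6tables FORWARD chain has to default-drop new flows arriving on the uplink while still passing the ICMPv6 that Neighbour Discovery, Router Advertisements and path-MTU discovery depend on, and the DHCPv6 replies the Fritzbox sends from its link-local address. The interface names, the server address (documentation prefix) and the service list are assumptions; the script only prints the commands, it does not apply them.

```python
# Constructed example: interface names, server address and service list are
# assumptions, not values from the thread.
UPLINK = "eth1"                        # towards the Fritzbox
LANS = ["eth0"]                        # LAN segments routed by the server
SERVER_ADDR = "2001:db8:4009:800::1"   # RFC 3849 documentation prefix
SERVICES = [("tcp", 25), ("tcp", 80), ("tcp", 443)]

# ICMPv6 that must never be blanket-dropped: Neighbour Discovery
# (RFC 4861) and the error types path-MTU discovery relies on.
ND_TYPES = ["router-solicitation", "router-advertisement",
            "neighbour-solicitation", "neighbour-advertisement"]
ERROR_TYPES = ["destination-unreachable", "packet-too-big",
               "time-exceeded", "parameter-problem"]


def build_rules(uplink, lans, services, server_addr):
    """Return the ip6tables commands for a default-deny router/server.
    INPUT and FORWARD drop by default; only reply traffic, essential ICMPv6,
    DHCPv6 replies from a link-local neighbour on the uplink, LAN-originated
    traffic and the listed services on server_addr are accepted."""
    rules = [
        "ip6tables -P INPUT DROP",
        "ip6tables -P FORWARD DROP",
        "ip6tables -P OUTPUT ACCEPT",
        "ip6tables -A INPUT -i lo -j ACCEPT",
        "ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    # ND messages are link-local and must arrive with hop limit 255; anything
    # else claiming to be ND has been routed and is dropped by the policy.
    for t in ND_TYPES:
        rules.append(f"ip6tables -A INPUT -p ipv6-icmp --icmpv6-type {t} "
                     f"-m hl --hl-eq 255 -j ACCEPT")
    for t in ERROR_TYPES + ["echo-request"]:
        rules.append(f"ip6tables -A INPUT -p ipv6-icmp --icmpv6-type {t} -j ACCEPT")
        rules.append(f"ip6tables -A FORWARD -p ipv6-icmp --icmpv6-type {t} -j ACCEPT")
    # DHCPv6 replies from the Fritzbox come from its link-local address to UDP 546.
    rules.append(f"ip6tables -A INPUT -i {uplink} -p udp -s fe80::/10 --dport 546 -j ACCEPT")
    # LANs are trusted towards the server and may reach the Internet.
    for lan in lans:
        rules.append(f"ip6tables -A INPUT -i {lan} -j ACCEPT")
        rules.append(f"ip6tables -A FORWARD -i {lan} -o {uplink} -j ACCEPT")
    # Published services: reachable from the uplink only on the server's own address.
    for proto, port in services:
        rules.append(f"ip6tables -A INPUT -i {uplink} -p {proto} -d {server_addr} "
                     f"--dport {port} -j ACCEPT")
    return rules


def inbound_new_flows_allowed(rules, uplink):
    """True if any FORWARD rule would accept a new, non-ICMPv6 flow arriving on
    the uplink, i.e. LAN hosts would be reachable from outside without NAT."""
    return any(r.startswith(f"ip6tables -A FORWARD -i {uplink} ")
               and r.endswith("-j ACCEPT")
               and "--ctstate" not in r and "ipv6-icmp" not in r
               for r in rules)


if __name__ == "__main__":
    for rule in build_rules(UPLINK, LANS, SERVICES, SERVER_ADDR):
        print(rule)
```

Forwarding echo-request to the LANs is a deliberate choice (RFC 4890 recommends not filtering it); drop that line if LAN hosts must not answer pings from outside. Whatever the rule set, run the checks from the earlier posts (ping6 ff02::2, ping6 google.com, the RA-learned default route) again after loading it, because over-filtering ICMPv6 reproduces exactly the "only fe80::" symptom this thread started with.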
© 2001–2026 Gentoo Foundation, Inc.