Re: [OpenIndiana-discuss] How to deal with IPV4/6 as a router
> On 06-06-12 21:29, Gary Gendel wrote:
>>
>> My ISP has turned on IPV6 and I can get as many addresses as I want.
>> However, some of my devices aren't ipv6 capable so I have to deal with a
>> mix of ipv4 and ipv6 addresses until these are retired.
>> I turned on ipv6 on bge0 and have both an ipv4 and ipv6 address. I also
>> can run the ipv6 test (test-ipv6.com) perfectly.
>>
>> The question is: How do I set up things so it works with my internal
>> devices? It seems that all I want to do is to leave the ipv4 setup as I
>> have it now and pass all ipv6 packets (discovery, etc.) from bge0 to bge1
>> (and vice versa). This way my ISP will provide ipv6 addresses to those
>> devices that ask for one.
>
> We cheated ... we installed Proxies (delegate and squid) ... IPv6 on the external, IPv4 on the internal, everything else is "firewalled" (because IPv4 cannot use IPv6 DNS) ...

Jon
___
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] How to deal with IPV4/6 as a router
Hi Gary,

On 06-06-12 21:29, Gary Gendel wrote:
> My Home OI box currently serves as my router/gateway to my ISP. Under IPV4 I have Cable Modem <-> bge0 <-> ipfilter/nat <-> bge1 <-> network.
>
> My ISP has turned on IPV6 and I can get as many addresses as I want. However, some of my devices aren't ipv6 capable so I have to deal with a mix of ipv4 and ipv6 addresses until these are retired. I turned on ipv6 on bge0 and have both an ipv4 and ipv6 address. I also can run the ipv6 test (test-ipv6.com) perfectly.
>
> The question is: How do I set up things so it works with my internal devices? It seems that all I want to do is to leave the ipv4 setup as I have it now and pass all ipv6 packets (discovery, etc.) from bge0 to bge1 (and vice versa). This way my ISP will provide ipv6 addresses to those devices that ask for one.

Normal "procedure" for IPv6 (at least as proposed by the RIPE for its region) is to provide a /64 for the link between the ISP and the CPE (customer router) and a /56 or a /48 to the customer for her own network. If you have a DSL connection, the information of your network is provided over PPPoE, but I don't know how it is done over an ethernet modem. Ask your ISP what is your private LAN.

I would not advise simply bridging all traffic between the two networks as -unless you have a firewall that can inspect bridged ipv6 traffic- you place all your ipv6 enabled devices unprotected on the internet. In the logic of ipv6 (actually, the logic of the internet before it got "corrupted" by NAT :-) ), all hosts have a globally unique IP-address (so are "addressable") but that does not mean they should be "accessible". Either you must then install a firewall on your router, or you must rely on the security in the device.

As for a lot of devices you have no idea if the software or network-firmware is to be trusted, it is advised to use a firewall on the edge of your network that -by default- blocks all incoming traffic, except for return traffic of an outgoing stream or towards anything you explicitly accept.

> Or should I provide a "private" ipv6 address space for my LAN? This doesn't seem to be in the spirit of ipv6, but it will provide me more firewall control of traffic in and out of the network and provide "static" addresses to my hosts.

You can, but then you would need to do ipv6 NAT on your router for them to access the network. However, what you can do (and what I also do) is to provide both global ip-addresses and "Unique Local" (ipv6 speak for "private" addresses, e.g. fc00::/64) to your devices. That way, your devices then have both kinds of address. You can then set up firewall rules in your devices that you provide access to certain services only from fc00::// addresses, but not from an IP-address that comes from outside your own network.

In any case, another reason to set up a RADVD server to hand out Unique-local addresses is to have an idea exactly what devices on your network actually are ipv6 enabled and which are not. Sniff your network from your router-box and look what devices do respond to the router advertisement messages! (normally, they should do duplicate address queries for their address to make sure nobody else is already using that address).

> Gary

Cheerio! Kr.

Bonne.
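
Added example (not part of the thread or of any poster's setup): one way to do the inventory suggested in the message above, by picking duplicate-address-detection probes (Neighbor Solicitations sent from ::) out of captured frames and grouping the probed addresses by source MAC and scope. It assumes untagged Ethernet frames without IPv6 extension headers, does not verify the ICMPv6 checksum, classifies Unique Local by the RFC 4193 range fc00::/7, and all function names, MACs and addresses are constructed for illustration.

```python
import ipaddress
import struct

ULA = ipaddress.ip_network("fc00::/7")  # Unique Local range (RFC 4193)

def scope(addr):
    if addr.is_link_local:
        return "link-local"
    return "unique-local" if addr in ULA else "global"

def dad_probe(frame):
    """Return (source MAC, tentative address) for a DAD Neighbor Solicitation."""
    if len(frame) < 78 or frame[12:14] != b"\x86\xdd":  # Ethernet + IPv6 + NS
        return None
    ip6, icmp = frame[14:54], frame[54:]
    # ICMPv6 (next header 58), hop limit 255 (never routed), type 135 code 0
    if ip6[6] != 58 or ip6[7] != 255 or icmp[0] != 135 or icmp[1] != 0:
        return None
    if not ipaddress.IPv6Address(ip6[8:24]).is_unspecified:
        return None  # ordinary address resolution; DAD probes come from ::
    mac = ":".join(f"{b:02x}" for b in frame[6:12])
    return mac, ipaddress.IPv6Address(icmp[8:24])

def inventory(frames):
    """Map each source MAC to the set of (address, scope) it probed for."""
    seen = {}
    for frame in frames:
        hit = dad_probe(frame)
        if hit:
            seen.setdefault(hit[0], set()).add((str(hit[1]), scope(hit[1])))
    return seen

def build_frame(mac, src, target, icmp_type=135):
    """Constructed sample input; the ICMPv6 checksum is left at 0."""
    tgt = ipaddress.IPv6Address(target).packed
    dst = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13] + tgt[13:]
    icmp = struct.pack("!BBHI", icmp_type, 0, 0, 0) + tgt
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255)
    ip6 += ipaddress.IPv6Address(src).packed + dst
    eth = b"\x33\x33" + dst[12:] + bytes.fromhex(mac.replace(":", "")) + b"\x86\xdd"
    return eth + ip6 + icmp

SAMPLE = [  # constructed frames; MACs and addresses are made up
    build_frame("02:00:00:00:00:0a", "::", "fe80::ff:fe00:a"),
    build_frame("02:00:00:00:00:0a", "::", "fd12:3456:789a:1::a"),
    build_frame("02:00:00:00:00:0a", "::", "2001:db8:1:1::a"),
    build_frame("02:00:00:00:00:0b", "fe80::ff:fe00:b", "fe80::1"),  # plain NS
    build_frame("02:00:00:00:00:0c", "::", "fe80::c", icmp_type=136),  # NA
]
```

Calling inventory(SAMPLE) yields a single host that probed for a link-local, a Unique Local and a global address; devices that never show up in such a capture on the LAN-side interface are the ones still on IPv4 only.
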
Re: [OpenIndiana-discuss] How to deal with IPV4/6 as a router
Gary Gendel wrote:
> The question is: How do I set up things so it works with my internal
> devices? It seems that all I want to do is to leave the ipv4 setup as I
> have it now and pass all ipv6 packets (discovery, etc.) from bge0 to
> bge1 (and vice versa). This way my ISP will provide ipv6 addresses to
> those devices that ask for one.
>
> Or should I provide a "private" ipv6 address space for my LAN? This
> doesn't seem to be in the spirit of ipv6, but it will provide me more
> firewall control of traffic in and out of the network and provide
> "static" addresses to my hosts.

What, precisely, did your ISP give you? What do you see in the configuration?

If they've given you just a single /64 on a broadcast-type interface (e.g. Ethernet), then you're right that this is going to be a little tough because you need either a bridge to get the unadulterated traffic onto the internal network (including the RAs from their routers) or you need the moral equivalent of "proxy ARP" for v6, which doesn't really exist. The best answer there might just be to put all of the v6 machines you have out on the switch connected to their router and be done with it.

If they've given you a collection of two or more /64s so that you can route, then you should be able to set the "ROUTER" flag on the interfaces, set up some prefix advertising for the other prefixes, and do it the "right way." (Shame to burn a global /64 on a simple link to the ISP, but, well, I don't see a better way with broadcast-type interfaces.)

If they've given you a single /64 on a non-broadcast type interface (such as a point-to-point tunnel), then please specify. That'd be a simple thing to handle.

--
James Carlson 42.703N 71.076W
[OpenIndiana-discuss] How to deal with IPV4/6 as a router
My Home OI box currently serves as my router/gateway to my ISP. Under IPV4 I have Cable Modem <-> bge0 <-> ipfilter/nat <-> bge1 <-> network.

My ISP has turned on IPV6 and I can get as many addresses as I want. However, some of my devices aren't ipv6 capable so I have to deal with a mix of ipv4 and ipv6 addresses until these are retired. I turned on ipv6 on bge0 and have both an ipv4 and ipv6 address. I also can run the ipv6 test (test-ipv6.com) perfectly.

The question is: How do I set up things so it works with my internal devices? It seems that all I want to do is to leave the ipv4 setup as I have it now and pass all ipv6 packets (discovery, etc.) from bge0 to bge1 (and vice versa). This way my ISP will provide ipv6 addresses to those devices that ask for one.

Or should I provide a "private" ipv6 address space for my LAN? This doesn't seem to be in the spirit of ipv6, but it will provide me more firewall control of traffic in and out of the network and provide "static" addresses to my hosts.

Gary