IPv6 basic settings; addressing a host and static routing

[Originally posted Mar 20, 2012 12:01 PM by Antti Uitto   [ updated May 8, 2012 3:15 AM ]]

Once you have acquired a globally valid IPv6 prefix, you may need to configure addresses on your hosts. By default, computers will try to obtain an IPv6 address automatically using NDP or DHCPv6.

NDP (Neighbor Discovery Protocol)
http://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol

DHCPv6 ( Dynamic Host Configuration Protocol version 6)
http://en.wikipedia.org/wiki/DHCPv6

Manual configuration is needed, for example, if your host acts as an IPv6 router; in that case the host does not try to autoconfigure itself.

Here are the very basics you will need to get IPv6 going. Dynamic routing, access control etc. are not covered here.

Ubuntu / Debian Linux

Give an IPv6 address to an interface

sudo nano /etc/network/interfaces

Example snippet for interface eth0:

auto eth0
iface eth0 inet6 static
    address 2001:05c0:1400:000a:0000:0000:0000:0055
    netmask 64
    gateway 2001:05c0:1400:000a:0000:0000:0000:0001

Save and exit editor, then restart network.

/etc/init.d/networking restart

Static routes

ip -6 route add 2000::/3 via 2001:0db8:0:f101::1

Write the routes also to /etc/rc.local so that they persist across reboots.

Check

ip -6 add
ip -6 route
ip -6 neigh
ping6 ipv6.google.com

Turn on IPv6 forwarding (routing) if needed.

sudo nano /etc/sysctl.conf

Uncomment
net.ipv6.conf.all.forwarding=1

Install and set up radvd

If you want this host to advertise itself as a router to your LAN, install and set up radvd.

sudo apt-get install radvd

sudo nano /etc/radvd.conf

interface eth0
{
    AdvSendAdvert on;
    prefix 2001:db8::/64
    {
    };
};

Cisco router

conf t
 ipv6 unicast-routing
 ipv6 cef
 interface Gi0/1
  ipv6 enable
  ipv6 address 2001:05c0:1400:000a:0000:0000:0000:0002/64
  ! or, to build the host part from the interface MAC:
  ipv6 address 2001:05c0:1400:000a::/64 eui-64
  (ipv6 nd suppress-ra [*])
  (ipv6 nd other-config-flag [**])
 exit
 ipv6 route ::/0 2001:05c0:1400:000a:0000:0000:0000:0001
 ipv6 route 2001:998::/32 2001:05c0:1400:000a:0000:0000:0000:0007 [*]

[*] If the router interface in question is not facing your LAN (where the client computers are), you may want to put ipv6 nd suppress-ra under the interface configuration. This disables router advertisements on that interface.

[**] Use this if you want the router to provide other IPv6 configurations to your computers, for example IPv6 DNS addresses. If you do this, you must also set up a service such as ipv6 dhcp pool that will give out these settings.
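The eui-64 keyword in the Cisco snippet above lets the router build the host part of the address from the interface MAC. This added example (not from the original post, and not Cisco code) shows that derivation for the post's 2001:05c0:1400:000a::/64 prefix with a constructed MAC, and the reverse mapping, which is why a MAC is recoverable from an EUI-64 address on the wire.

```python
from ipaddress import IPv6Address, IPv6Network

def eui64_interface_id(mac):
    """Modified EUI-64: split the 48-bit MAC, insert ff:fe, flip the U/L bit."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # the universal/local bit is inverted in the modified form
    return bytes(iid)

def eui64_address(prefix, mac):
    """Combine a /64 prefix with the modified EUI-64 interface identifier."""
    net = IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))

def mac_from_eui64(addr):
    """Recover the MAC from an EUI-64 address, or None if the ff:fe marker
    is absent (for example a manually assigned ::55 host part)."""
    iid = bytearray(IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])

if __name__ == "__main__":
    # Constructed MAC for illustration; the prefix is the one used in the post.
    a = eui64_address("2001:05c0:1400:000a::/64", "00:1a:2b:3c:4d:5e")
    print(a)                       # 2001:5c0:1400:a:21a:2bff:fe3c:4d5e
    print(mac_from_eui64(str(a)))  # 00:1a:2b:3c:4d:5e
```

Because the hardware address stays visible in the interface identifier, hosts using autoconfiguration typically prefer randomised identifiers (RFC 4941) for outgoing connections.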

Vyatta router

By default Vyatta has IPv6 forwarding on so you can just address your interfaces and write your routes.

Give an IPv6 address to an interface

set interfaces ethernet eth0 address 2001:db8:2::1/64
( set interfaces ethernet eth0 ipv6 router-advert prefix 2001:099:0013:004b::/64 [*] )
( set interfaces ethernet eth0 ipv6 router-advert other-config-flag true [**] )
commit
save

[*] Turn router-advert on if this interface serves as the IPv6 gateway for computers in your LAN. If this interface faces only other routers, you might want to leave it out.

[**] Use this if you want the router to provide other IPv6 configurations to your computers, for example IPv6 DNS addresses. If you do this, you must also set up a service such as DHCPv6 that will give out these settings.


Static route

set protocols static route6 ::/0 next-hop 2001:db8:2::1
commit
save

Check

show interfaces
show ipv6 route
show ipv6 neighbors
ping6 2001:db8:2::2
traceroute6 2a00:1450:4016:800::1010

Windows 7

To configure IPv6 for static addressing:

  1. Click Use the following IPv6 address, and then do one of the following:
    • For a local area connection, in IPv6 address, Subnet prefix length, and Default gateway, type the IP address, subnet prefix length, and default gateway address.
    • For all other connections, in IPv6 address, type the IP address.
  2. Click Use the following DNS server addresses.
  3. In Preferred DNS server and Alternate DNS server, type the primary and secondary DNS server addresses.

Check

Open a command prompt (Start - Run - cmd) and run:
  ipconfig

Sources

http://technet.microsoft.com/en-us/library/cc732106.aspx
http://www.cyberciti.biz/faq/ubuntu-ipv6-networking-configuration/
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-addrg_bsc_con.html
Carla Schroder: Linux Networking Cookbook
Vyatta documentation www.vyatta.org

Networking with Linux; source routing

[Originally posted Mar 13, 2012 5:33 AM by Antti Uitto   [ updated Mar 13, 2012 5:34 AM ]]

This was my first attempt to do anything with source routing, on any platform, so I may not have it all correct, let alone according to any best practices. Anyway, I was able to produce the outcome I was hoping to get. Please feel free to comment!

Inspiration for this lab exercise came from the LARTC tutorial and some other articles I found on the web (see the resources section at the bottom of this post). And of course there is always the desire to learn more about what networking things you can do with just Linux boxes!

Scope

The scope of this exercise was to create a small lab net that routes IPv4. There are two user organizations in the network that are both supposed to reach a shared resource (Internet connection via firewall) and be able to communicate with other IP addresses in their own address range.

This outcome is to be produced by using Ubuntu Linux hosts as routers and the iproute2 program that comes with them.

The “customer” organizations and their routing tables are called “pizza” and “kebab”.

Network diagram

What counts as a success?

“Customer” addresses in the routing table “pizza” should be able to access other addresses that are in the routing table “pizza”. They should not be able to connect to hosts that are within the table “kebab”.

All hosts should be able to reach the Internet through my firewall, via NAT.

Result

The result of this configuration was what I hoped for. However, on a router I can ping between the host addresses of the local router, even when they belong to different sites. I assume this is because these single host addresses are visible in the routing table named “local”.

And maybe the rule for the “local” table is read first?

linuxlab2:~$ ip rule show
0: from all lookup local
32760: from 192.168.13.0/24 lookup kebab
32761: from 192.168.12.0/24 lookup kebab
32762: from 192.168.11.0/24 lookup kebab
32763: from 192.168.3.0/24 lookup pizza
32764: from 192.168.2.0/24 lookup pizza
32765: from 192.168.1.0/24 lookup pizza
32766: from all lookup main
32767: from all lookup default
linuxlab2:~$ ip route show table local match 192.168.2.1
local 192.168.2.1 dev eth1 proto kernel scope host src 192.168.2.1
linuxlab2:~$
linuxlab2:~$ ip ro sh ta local match 192.168.2.2
linuxlab2:~$

Procedure

1. Install router hosts with ssh, vlan and bridge-utils
2. Give a password for the root user
3. Turn on IP forwarding
4. Give link IPs and test connectivity
5. Create both routing tables on all routers
6. Make “customer” interfaces
7. Add them to the appropriate routing tables
8. Make static routes
9. Create ip rules on all routers (“from” rules)
10. Give default routes to both routing tables

(you can find routing and ip rule commands later in the post)

Create new routing tables
echo 1 pizza >> /etc/iproute2/rt_tables
echo 2 kebab >> /etc/iproute2/rt_tables

“Customer” addresses

pizza
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24

kebab
192.168.11.0/24
192.168.12.0/24
192.168.13.0/24

Notes

“Customer” site addresses are present in their own routing tables. The routing table called “main” has all the routes, so that it can route the returning packets.

IP rules dictate that packets sourcing from “pizza” addresses are routed according to the “pizza” routing table. There are only “from” rules in my set.

The main table has no 0/0-route but the “pizza” and “kebab” tables do have it.

Configs per router

linuxlab1

“Customer” interfaces

# description pizza
auto eth3.10
iface eth3.10 inet static
address 192.168.1.1
netmask 255.255.255.0

# description kebab
auto eth3.20
iface eth3.20 inet static
address 192.168.11.1
netmask 255.255.255.0

Configs in /etc/rc.local
#
# ROUTES
#
ip route add 127.0.0.0/8 dev lo table pizza
ip route add 192.168.2.0/24 via 10.1.2.2 table pizza
ip route add 192.168.3.0/24 via 10.1.3.3 table pizza
ip route add 192.168.1.0/24 dev eth3.10 table pizza
ip route add default via 10.2.2.1 table pizza
ip route add 127.0.0.0/8 dev lo table kebab
ip route add 192.168.12.0/24 via 10.1.2.2 table kebab
ip route add 192.168.13.0/24 via 10.1.3.3 table kebab
ip route add 192.168.11.0/24 dev eth3.20 table kebab
ip route add default via 10.2.2.1 table kebab
ip route add 192.168.2.0/24 via 10.1.2.2
ip route add 192.168.12.0/24 via 10.1.2.2
ip route add 192.168.3.0/24 via 10.1.3.3
ip route add 192.168.13.0/24 via 10.1.3.3
#
# IP RULES
#
ip rule add from 192.168.1.0/24 table pizza
ip rule add from 192.168.2.0/24 table pizza
ip rule add from 192.168.3.0/24 table pizza
ip rule add from 192.168.11.0/24 table kebab
ip rule add from 192.168.12.0/24 table kebab
ip rule add from 192.168.13.0/24 table kebab
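To make the rule order visible, here is an added example (not part of the original post) that models the kernel's policy-routing decision with linuxlab1's rules and tables from above. The contents of the "local" table and the connected routes in "main" are assumed, since the kernel creates those itself; the model shows why a "pizza" source never sees a "kebab" route, why return traffic from the Internet is found via "main", and why the router's own addresses are reachable from either site: the "local" lookup sits at priority 0.

```python
from ipaddress import ip_address, ip_network

# linuxlab1's tables as written in its rc.local. The "local" table and the
# connected routes in "main" are constructed here: the kernel adds them itself.
TABLES = {
    "local": {"192.168.1.1/32": "local eth3.10", "192.168.11.1/32": "local eth3.20",
              "10.1.2.1/32": "local link", "127.0.0.0/8": "local lo"},
    "pizza": {"127.0.0.0/8": "dev lo", "192.168.2.0/24": "via 10.1.2.2",
              "192.168.3.0/24": "via 10.1.3.3", "192.168.1.0/24": "dev eth3.10",
              "0.0.0.0/0": "via 10.2.2.1"},
    "kebab": {"127.0.0.0/8": "dev lo", "192.168.12.0/24": "via 10.1.2.2",
              "192.168.13.0/24": "via 10.1.3.3", "192.168.11.0/24": "dev eth3.20",
              "0.0.0.0/0": "via 10.2.2.1"},
    "main": {"192.168.2.0/24": "via 10.1.2.2", "192.168.12.0/24": "via 10.1.2.2",
             "192.168.3.0/24": "via 10.1.3.3", "192.168.13.0/24": "via 10.1.3.3",
             "192.168.1.0/24": "dev eth3.10", "192.168.11.0/24": "dev eth3.20"},
}

# "ip rule show" as (priority, source selector, table); "from all" is 0.0.0.0/0.
RULES = [
    (0, "0.0.0.0/0", "local"),
    (32760, "192.168.13.0/24", "kebab"),
    (32761, "192.168.12.0/24", "kebab"),
    (32762, "192.168.11.0/24", "kebab"),
    (32763, "192.168.3.0/24", "pizza"),
    (32764, "192.168.2.0/24", "pizza"),
    (32765, "192.168.1.0/24", "pizza"),
    (32766, "0.0.0.0/0", "main"),
]

def lookup_table(table, dst):
    """Longest-prefix match inside one table; None when it holds no route."""
    best = None
    for prefix, nexthop in TABLES[table].items():
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return None if best is None else (str(best[0]), best[1])

def route(src, dst):
    """Walk the rules by priority; the first table that has a route decides.
    Returns (table, matched prefix, next hop), or None for "unreachable"."""
    for _prio, selector, table in sorted(RULES):
        if ip_address(src) not in ip_network(selector):
            continue
        hit = lookup_table(table, dst)
        if hit is not None:
            return (table,) + hit
    return None

if __name__ == "__main__":
    print(route("192.168.1.5", "192.168.12.5"))  # pizza source: only the default fits
    print(route("192.168.11.5", "192.168.1.1"))  # router's own address: "local" wins
```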

linuxlab2

“Customer” interfaces:

# description pizza
auto eth1
iface eth1 inet static
address 192.168.2.1
netmask 255.255.255.0

# description kebab
auto eth2
iface eth2 inet static
address 192.168.12.1
netmask 255.255.255.0

Configs in /etc/rc.local
#
# ROUTES
#
ip route add 127.0.0.0/8 dev lo table pizza
ip route add 192.168.2.0/24 dev eth1 table pizza
ip route add 192.168.3.0/24 via 10.1.2.1 table pizza
ip route add 192.168.1.0/24 via 10.1.2.1 table pizza
ip route add default via 10.1.2.1 table pizza
ip route add 127.0.0.0/8 dev lo table kebab
ip route add 192.168.12.0/24 dev eth2 table kebab
ip route add 192.168.13.0/24 via 10.1.2.1 table kebab
ip route add 192.168.11.0/24 via 10.1.2.1 table kebab
ip route add default via 10.1.2.1 table kebab
ip route add 192.168.1.0/24 via 10.1.2.1
ip route add 192.168.11.0/24 via 10.1.2.1
ip route add 192.168.3.0/24 via 10.1.2.1
ip route add 192.168.13.0/24 via 10.1.2.1
#
# IP RULES
#
ip rule add from 192.168.1.0/24 table pizza
ip rule add from 192.168.2.0/24 table pizza
ip rule add from 192.168.3.0/24 table pizza
ip rule add from 192.168.11.0/24 table kebab
ip rule add from 192.168.12.0/24 table kebab
ip rule add from 192.168.13.0/24 table kebab

linuxlab3

“Customer” interfaces

# description pizza
auto eth2
iface eth2 inet static
address 192.168.3.1
netmask 255.255.255.0

# description kebab
auto eth3
iface eth3 inet static
address 192.168.13.1
netmask 255.255.255.0

Configs in /etc/rc.local
#
# ROUTES
#
ip route add 127.0.0.0/8 dev lo table pizza
ip route add 192.168.2.0/24 via 10.1.3.1 table pizza
ip route add 192.168.3.0/24 dev eth2 table pizza
ip route add 192.168.1.0/24 via 10.1.3.1 table pizza
ip route add default via 10.1.3.1 table pizza
ip route add 127.0.0.0/8 dev lo table kebab
ip route add 192.168.12.0/24 via 10.1.3.1 table kebab
ip route add 192.168.13.0/24 dev eth3 table kebab
ip route add 192.168.11.0/24 via 10.1.3.1 table kebab
ip route add default via 10.1.3.1 table kebab
ip route add 192.168.1.0/24 via 10.1.3.1
ip route add 192.168.11.0/24 via 10.1.3.1
ip route add 192.168.2.0/24 via 10.1.3.1
ip route add 192.168.12.0/24 via 10.1.3.1
#
# IP RULES
#
ip rule add from 192.168.1.0/24 table pizza
ip rule add from 192.168.2.0/24 table pizza
ip rule add from 192.168.3.0/24 table pizza
ip rule add from 192.168.11.0/24 table kebab
ip rule add from 192.168.12.0/24 table kebab
ip rule add from 192.168.13.0/24 table kebab

Commands to verify and check stuff

ip rule show
ip route show
ip route show table pizza
ip route show (table pizza/kebab) match 192.168.2.5
ifconfig
ip address
ping 8.8.8.8 -I 192.168.2.1
traceroute 8.8.8.8 -s 192.168.12.1

And then what?

I don’t know. Perhaps add IPv6 to this? Is it possible? Why would it not be?
Or maybe get Quagga and make these things do dynamic routing?

Resources

http://www.linuxhorizon.ro/iproute2.html
http://kindlund.wordpress.com/2007/11/19/configuring-multiple-default-routes-in-linux/
http://lartc.org

TCP/IP by Douglas E. Comer

[Originally posted Mar 13, 2012 5:26 AM by Antti Uitto]

Just finished reading a book called “TCP/IP”.

(Original English title: Internetworking with TCP/IP Principles, Protocols and Architectures, Fourth Edition)

Catchy title pretty much tells what the book is about: it aims to give you the basics of how TCP/IP works and what is included.

This certainly is a book to read if you want to learn about TCP/IP. I would say it is a bit of a dry read, however. At times I found myself thinking that this info is more useful to someone coding software that uses TCP/IP rather than to someone administering networks. However, there was still plenty of useful info for a networker.

This book offers no tips and tricks, it’s all theory.

If you are impatient like me and prefer to learn from examples and configs, then some other material such as those published by Cisco Press may serve you better.

Topics covered

History of the Internet
Internet organizations
LAN and WAN technologies
IP addresses
ARP & RARP
Internet Protocol and routing
ICMP
TCP & UDP
Dynamic routing protocols
Multicast
Mobile IP
NAT & VPN
BOOTP & DHCP
DNS
Telnet, Rlogin, FTP, TFTP, SMTP….
VoIP
SNMP
Security aspects, Firewalls and IPsec
IPv6

… and a lot more …

One thing I re-learned from reading this book:
I should not buy tech books translated into my native language (Finnish). The attempts to create Finnish equivalents for some technical terms are at best irritating, but sometimes also confusing. English is the language of technology, computing and the Internet, and when I read geeky stuff, I will get my books in English from now on.

I am currently reading Carla Schroder’s “Linux Networking Cookbook”. Maybe a word or two about it a bit later.

And “IPv6 theory, protocol and practice” is waiting on the digital bookshelf!

Networking with Linux; Linux Advanced Routing & Traffic Control HOWTO

[Originally posted Mar 13, 2012 4:55 AM by Antti Uitto]

Great resource:

Linux Advanced Routing & Traffic Control HOWTO

http://lartc.org/lartc.html

As I said, Linux is a powerful tool for network-related stuff.
The link above is to an extensive HOWTO article about routing and other networking services available in most Linux distributions.

Here is a nice one that I tried on my own router host.

If you are hosting an Internet gateway for some community, put this on the interface through which the traffic returns to their LAN:

sudo tc qdisc add dev eth1 root tbf rate 64kbit latency 50ms burst 128kbit

They’ll love you for it! 🙂

Networking with Linux; what goes where?

[Originally posted Mar 13, 2012 4:38 AM by Antti Uitto]

A modern Linux distribution is an impressive tool for networking. You can rather easily set up a router, firewall or VPN gateway. If you are working with a traditional router, such as Cisco or Juniper, or if you have the fabulous Vyatta router at hand, you will have one place where just about everything goes: the configuration. You add commands from the command line and, as you commit and save them, they are stored in the configuration. After the next reload, your gateway will come alive with that configuration in it.

This is not quite so when working with a Linux gateway. Here too you can give most if not all of your commands from the CLI, and they will be applied either immediately or after reloading the service in question. But mostly they do not survive a reboot unless you do something.

That something you need to do is to write these commands in config files and save them.

In Linux there is, I guess, always more than one way of doing any given thing.

Here are the programs I use and the config files where I write their settings. What’s your setup like?

/etc/network/interfaces
– Physical interfaces
– Logical interfaces (VLAN and bridge)
– IP addresses

/etc/rc.local
– Invoke firewall ( iptables-restore < /path/to/firewall_rules )
– VPN (OpenVPN commands)
– Tunnel interfaces (ip tu add)
– Static routes (ip route add)
– Source routing commands (ip route add & ip rule add)

Quagga router
– Dynamic routing (RIP, OSPF, BGP)
– When you say “write”, Quagga writes its own config in the appropriate place

/home/admin/firewall
– Iptables firewall rules for filtering and logging
– Network address translation (NAT)

/var/log/syslog
– Connection attempts logged by iptables

So there is a file where the physical and logical interfaces are configured, including their IPs. There is another place where I like to put my VPNs, tunnels and all the static routes. If I were to use dynamic routing, I would move all my routes to Quagga and handle them from there. But if there is no need for dynamic routing, then all the statics go to the file mentioned in the list.

I do my best to write accurate and compact descriptions for the things that are in these files. It is nicer like that when you have to search for something or want to take a quick look at what there is to be found.

cat /etc/rc.local | grep descr -A 3

IPv6 Over IPv4, secured with OpenVPN

[Originally posted Mar 13, 2012 4:31 AM by Antti Uitto   [ updated Apr 27, 2012 12:37 PM ]]

In this lab we create an OpenVPN connection between two routers that are connected to an IPv4-only network. We then connect two IPv6 sites via a sit tunnel that runs inside this protected connection.

You can tunnel IPv6 over IPv4 without using an encrypted VPN connection (such as OpenVPN); just make the sit tunnel between the routers’ public IPv4 addresses.

Network diagram:

INSTALL OPENVPN ON BOTH ROUTERS

sudo apt-get install openvpn

GIVE IPv6 ADDRESSES

example: host1

/etc/network/interfaces

iface eth0 inet6 static
pre-up modprobe ipv6
address 2001:22::2
netmask 64
gateway 2001:22::1

VPNs

Create key on router1

openvpn --genkey --secret router1-router2

Copy the key file to router2.

Run these from the command line and place them in /etc/rc.local to make them persistent.

router1
openvpn --remote 2.2.2.2 --port 1199 --dev tun199 --ifconfig 10.4.0.17 10.4.0.18 --verb 5 --secret /home/user/router1-router2

router2
openvpn --remote 1.1.1.1 --port 1199 --dev tun199 --ifconfig 10.4.0.18 10.4.0.17 --verb 5 --secret /home/user/router1-router2

SIT TUNNELS

Run these from the command line and place them in /etc/rc.local to make them persistent.

router1
sudo ip tu ad sit199 mode sit local 10.4.0.17 remote 10.4.0.18 ttl 64
sudo ip ad ad dev sit199 2001:acdc::1/64
sudo ip li se dev sit199 up
sudo ip -6 ro ad 2001:33::/64 via 2001:acdc::2

router2
sudo ip tu ad sit199 mode sit local 10.4.0.18 remote 10.4.0.17 ttl 64
sudo ip ad ad dev sit199 2001:acdc::2/64
sudo ip li se dev sit199 up
sudo ip -6 ro ad 2001:22::/64 via 2001:acdc::1