Two sites, one LAN

Scenario

This lab extends a LAN over a VPN link to two different sites. The sites are connected to the Internet and routed with BGP.

eBGP to “ISP router” and iBGP between the sites.

The two “sites” are my laptops, and the hosts and routers running in these “sites” are VirtualBox guests. Router guests run Vyatta 6.5, server guests Bodhi Linux.

All the routers have an IPv4 connection to “ISP-router” which is a Cisco.

IPv6 from r1a and r2b is tunneled over the IPv4 link.
The L2VPN between the sites also runs over the IPv4 link.

The end result should be that you can connect a host to either site, using the LAN prefix 2001:98:0013:004f::/64, and that host gets an IPv6 Internet connection. The connection should fail over automatically to the other link to the “ISP router”.

Network Diagram

two-sites-one-lan

I apologise for the crappy network diagram. I drew it as a Google Docs presentation and it felt a bit clumsy.

Set up the Lab

Install the guests (the routers) on the two hosts.
Give the routers IPv4 addresses.
Configure IPv4 routing so that the guest routers can see each other, with 0/0 pointing to the “ISP router”.
Check that all routers can ping each other with their IPv4 addresses.

L2VPN

Create L2VPN between r3a and r4b, using the IPv4 network as transport.

generate openvpn key r3a-r4b

r3a
set interfaces bridge br2
set interfaces ethernet eth4 bridge-group bridge br2
commit
set interfaces openvpn vtun2 mode site-to-site
set interfaces openvpn vtun2 remote-host 10.1.4.2
set interfaces openvpn vtun2 shared-secret-key-file /home/user/r3a-r4b
set interfaces openvpn vtun2 bridge-group bridge br2
commit

r4b
set interfaces bridge br2
set interfaces ethernet eth5 bridge-group bridge br2
commit
set interfaces openvpn vtun2 mode site-to-site
set interfaces openvpn vtun2 remote-host 10.1.3.2
set interfaces openvpn vtun2 shared-secret-key-file /home/user/r3a-r4b
set interfaces openvpn vtun2 bridge-group bridge br2
commit

Give the lab routers their IPv6 addresses

set interfaces ethernet eth4 ipv6 address eui64 2001:98:13:4f::/64
set interfaces ethernet eth4 ipv6 router-advert prefix 2001:98:13:4f::/64
set interfaces ethernet eth4 ipv6 router-advert other-config-flag true

IPv6 tunnels

If your virtualization software and network environment allow it, you can skip this phase and give r1a and r2b their IPv6 link addresses directly. In my system I have VirtualBox and the link is over wifi, which does not let me use IPv6 directly on this interface.

That is why I use tunnels.

Create IPv6-over-IPv4 tunnels between

“ISP-router” – r1a
“ISP-router” – r2b

IPv6 addresses for the tunnels

“ISP-router” Cisco
2001:98:0013:004e::1/126
r1a
2001:98:0013:004e::2/126

“ISP-router” Cisco
2001:98:0013:004e::5/126
r2b
2001:98:0013:004e::6/126

Cisco config
interface Tunnel3
description IPv6 tunnel to r1a
no ip address
ipv6 address 2001:98:0013:004e::1/126
ipv6 enable
tunnel source 10.1.1.1
tunnel destination 10.1.1.2
tunnel mode ipv6ip

Vyatta config for r1a
edit interfaces tunnel tun3
set address 2001:98:0013:004e::2/126
set encapsulation sit
set local-ip 10.1.1.2
set remote-ip 10.1.1.1
set description "IPv6 tunnel to cisco"
exit
commit

Adjust accordingly for r2b.

Routing

Configure IPv6 eBGP from r1a and r2b to the Internet router.

r1a
set protocols bgp 65502 neighbor 2001:98:13:4e::1 address-family ipv6-unicast soft-reconfiguration inbound
set protocols bgp 65502 neighbor 2001:98:13:4e::1 remote-as 65501
set protocols bgp 65502 parameters router-id 10.1.1.2

cisco
router bgp 65501
no synchronization
bgp log-neighbor-changes
neighbor 2001:98:13:4E::2 remote-as 65502
no auto-summary
!
address-family ipv6
neighbor 2001:98:13:4E::2 activate
neighbor 2001:98:13:4E::2 next-hop-self
neighbor 2001:98:13:4E::2 soft-reconfiguration inbound
redistribute static
default-information originate
no synchronization
exit-address-family
!

Adjust accordingly for r2b

Configure IPv6 iBGP between r1a and r2b

r2b
set protocols bgp 65502 neighbor 2001:98:13:4f:a00:27ff:fef7:eb81 address-family ipv6-unicast soft-reconfiguration inbound
set protocols bgp 65502 neighbor 2001:98:13:4f:a00:27ff:fef7:eb81 remote-as 65502
set protocols bgp 65502 neighbor 2001:98:13:4f:a00:27ff:fef7:eb81 address-family ipv6-unicast nexthop-self
set protocols bgp 65502 neighbor 2001:98:13:4f:a00:27ff:fef7:eb81 update-source 2001:98:13:4f:a00:27ff:fe97:1e3c

Adjust accordingly for r1a.
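The iBGP neighbor and update-source addresses above are the EUI-64 addresses the routers formed on eth4 from the LAN prefix and their VirtualBox NIC MACs, so the peering is tied to those MACs: a cloned VM or a regenerated MAC silently changes the address and breaks the session. The following example, added here and not part of the original post, derives the EUI-64 address from a prefix and a MAC and recovers the MAC from such an address. The two MAC addresses are assumptions, reverse-derived from the neighbor addresses in the configuration above; the prefix is the lab's LAN prefix.

```python
from typing import Dict, Optional
import ipaddress

# Constructed inputs: the lab's LAN prefix and the MACs assumed to be behind
# the two iBGP peering addresses (reverse-derived, not taken from the post).
LAN_PREFIX = "2001:98:13:4f::/64"
ASSUMED_MACS = {
    "r1a eth4": "08:00:27:f7:eb:81",
    "r2b eth4": "08:00:27:97:1e:3c",
}


def eui64_interface_id(mac: str) -> int:
    """Return the 64-bit modified EUI-64 interface identifier for a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # RFC 4291: flip the universal/local bit (0x02 in the first octet) and
    # insert 0xfffe between the OUI and the device-specific half.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def eui64_address(prefix: str, mac: str) -> str:
    """The address a host with MAC forms from PREFIX (which must be a /64)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    host = int(net.network_address) | eui64_interface_id(mac)
    return str(ipaddress.IPv6Address(host))


def mac_from_eui64(address: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 formed address, or None when the
    interface identifier is not EUI-64 shaped (no ff:fe in the middle)."""
    iid = (int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{o:02x}" for o in octets)


def peering_addresses(prefix: str, macs: Dict[str, str]) -> Dict[str, str]:
    """The address each router's `neighbor` statement has to use per MAC."""
    return {name: eui64_address(prefix, mac) for name, mac in macs.items()}


if __name__ == "__main__":
    for name, addr in peering_addresses(LAN_PREFIX, ASSUMED_MACS).items():
        print(f"{name}: {addr}  (MAC {mac_from_eui64(addr)})")
```

Running it reproduces the two addresses used in the r2b configuration. If `mac_from_eui64` returns a MAC for a peering address, that address will follow the NIC rather than the router; a statically assigned address on eth4 would be the more stable choice for the iBGP session.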

Inject the LAN prefix into BGP

r1a & r2b
set protocols bgp 65502 address-family ipv6-unicast network 2001:98:0013:004f::/64

Testing

Set up a host on both “sites”.
Bring down routers, links, or the connection between the sites. What happens?

My observations:

1. When I turn off routers, the routing changes to the other link immediately.

2. When I take down the main WAN link, it takes time to reroute, about a minute or two.

3. Of my two “servers”, one changes its first hop immediately and automatically. The other does not. I don’t know why. Both hosts use automatic configuration.

BGP AS-path prepending

BGP has its own ways of choosing which link to use. Which route did your routers choose as the active one? Now we want to tell them that we prefer to pass traffic via r1a, so put this configuration on r2b to make its path appear longer.

r2b
set policy route-map prepend-secondary rule 10 action permit
set policy route-map prepend-secondary rule 10 set as-path-prepend "65502 65502"
set protocols bgp 65502 neighbor 2001:98:13:4E::5 address-family ipv6-unicast route-map export prepend-secondary

IPv6 to go: PPTP VPN Cisco – Mac Book and an IPv6 tunnel

[Originally posted Sep 2, 2012 10:53 AM by Antti Uitto [updated Sep 2, 2012 11:40 AM]]

This article assumes that you have a (Cisco) router that you can administer and that the router is connected to both IPv4 and IPv6 networks.

It’s ok if you don’t have IPv5 yet.

We are going to make a PPTP VPN from a Mac to the router and then, using the IPv4 address pair obtained from the VPN client pool, tunnel some IPv6 over it. This way you can take your IPv6 address with you wherever you go.

First configure PPTP VPN service in your router.

configure terminal
vpdn enable
vpdn-group 1
accept-dialin
protocol pptp
virtual-template 1
exit
exit
interface Virtual-Template1
ip address 192.168.34.1 255.255.255.0
peer default ip address pool PPTP-Pool
no keepalive
ppp encrypt mppe 128
ppp authentication ms-chap ms-chap-v2
exit
ip local pool PPTP-Pool 192.168.34.200 192.168.34.210

Create a PPTP VPN user.

username usr1 password PASSWORD

Insert these lines to ensure that usr1 always gets the address 192.168.34.200:

aaa new-model
aaa authentication ppp default local
aaa authorization network default local

username usr1 aaa attribute list usr1
aaa attribute list usr1
attribute type addr 192.168.34.200 service ppp protocol ip mandatory

Create a tunnel interface for this user:

interface Tunnel200
description IPv6 tunnel to MAC
no ip address
ipv6 address 2001:98:1:49:FFFF:FFFF:FFFF:FFFD/126
ipv6 enable
tunnel source 192.168.34.1
tunnel destination 192.168.34.200
tunnel mode ipv6ip
end

Those lines make a tunnel between the PPTP VPN addresses (IPv4). This tunnel is given an IPv6 address from your own address space.

Next configure your Mac.

Create a normal PPTP VPN connection using OS X’s network configuration.

Then create a file called ipv6-tunnel-up on the Mac, with this in it:

sudo route delete -inet6 default
sudo ifconfig gif200 create
sudo ifconfig gif200 tunnel 192.168.34.200 192.168.34.1
sudo ifconfig gif200 inet6 alias 2001:98:1:49:FFFF:FFFF:FFFF:FFFE prefixlen 126
sudo route add -inet6 default -interface gif200

Make this file executable with
chmod +x ipv6-tunnel-up

You can make things even nicer by creating a similar file, ipv6-tunnel-down, that destroys gif200 and removes the IPv6 default route.

IPv6 snack; access for residential LAN via tunnel service

[Originally posted Mar 22, 2012 12:46 PM by Antti Uitto [updated Mar 23, 2012 6:17 AM]]

My previous experiences with the Sixxs service have been very positive, but this time I used Freenet6 for no other reason than to try out another one. Like Sixxs, this one seems to be well done. Setup was easy, with two minor hiccups (I will elaborate later in the text).

This site has a small LAN with IPv4 Internet access through many-to-one NAT via a wireless router. My plan was to use the old desktop machine and install VirtualBox on it, then create a new virtual host with Ubuntu Server as the OS and use it as my IPv6 router.

Steps taken

  1. Installed Ubuntu server (new virtual host)
  2. Enabled routing for IPv6
  3. Installed Gogo-client gogoc.
  4. Modified gogoc’s configuration
  5. Connected and pinged around
  6. Wrote ip6tables firewall rules
  7. Made things persist over reboots


Ubuntu Server

I installed Ubuntu Server to be my router. Nothing special here: bridged networking to the host system’s eth0, an SSH server, and a static IPv4 address from our private network.

Routing IPv6

Because this machine is going to act as the IPv6 router for the other machines in the LAN, I enabled IPv6 routing by editing /etc/sysctl.conf and uncommenting

net.ipv6.conf.all.forwarding=1

I then applied this change by rebooting the host.

You can also apply it without rebooting by running
sudo /sbin/sysctl -q -p

Gogo-client

On Ubuntu router
sudo apt-get install gogoc

Gogo-client’s configuration

The config file for gogoc is /etc/gogoc/gogoc.conf:

userid=MyUserName
passwd=MyPasswd
auth_method=any
host_type=router
prefixlen=56
if_prefix=eth0
tunnel_mode=v6udpv4

if_prefix is the interface on which I want my prefix to be advertised, i.e. the interface facing the LAN with the client computers.

tunnel_mode: the mode I chose is the one meant for hosts that are unfortunate enough to connect from behind NAT.

Connecting to IPv6 Internet

After modifying the gogoc config file, I attempted to connect. Here was a minor issue. I could make the connection work if I changed the config to use an anonymous connection. Connecting authenticated would not work. After wondering about it for a while I found out (by running the client in the foreground) that while attempting an authenticated connection the client’s script was asking a Yes/No question about whether or not I want to accept a server’s key. I accepted it once, and after that running the client in the background produced a working connection.

Run Gogo-client with the command
sudo gogoc

Then check that you have a new tunnel interface with an IPv6 address, and a globally valid-looking IPv6 address on your LAN interface.
ifconfig

Sometimes connecting seems to take a while. Be patient, and if you lose faith, check the log to see what is going on.

tail -F /var/log/gogoc/gogoc.log

You can increase logging verbosity by adjusting values in gogoc.conf.

Since I got connected after a few tries, I was then able to ping and trace around:

ping6 ipv6.google.com
traceroute6 ipv6.google.com

ip6tables firewall

Here is my ip6tables firewall config.

Save it, for example, to /home/admin/firewall6 and apply it with
sudo ip6tables-restore < /home/admin/firewall6

user@host:~$ cat /home/admin/firewall6

# Generated by ip6tables-save v1.4.10 on Thu Mar 22 17:55:32 2012
*filter
:INPUT DROP [7697:530851]
:FORWARD DROP [53871:37157829]
:OUTPUT ACCEPT [8129:2157811]
#
# == INPUT =====
#
# Allow anything on the loopback interface
-A INPUT -i lo -j ACCEPT
#
# Allow Link-Local addresses
-A INPUT -s fe80::/10 -j ACCEPT
#
# Allow multicast
-A INPUT -d ff00::/8 -j ACCEPT
#
# Allow ICMPv6 everywhere
-I INPUT -p icmpv6 -j ACCEPT
#
# Allow established
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Allow SSH
-I INPUT -p tcp --dport 22 -j ACCEPT
#
# Log
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6tables input denied: " --log-level 7
#
# == FORWARD =====
#
-A FORWARD -m state --state NEW -i eth0 -o tun -s <my_ipv6_prefix>/56 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp --dport 22 -j ACCEPT
-I FORWARD -p icmpv6 -j ACCEPT
#
# Log
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "ip6tables forwarding denied: " --log-level 7
COMMIT
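A ruleset like the one above is worth checking mechanically before it is loaded from rc.local: the default policies must be DROP, ICMPv6 must be permitted (without it IPv6 neighbor discovery and path MTU discovery break), and any FORWARD accept rule that names no interface, source or destination lets traffic through in both directions. The following example is added here and is not code from the original post. It parses ip6tables-save output and reports such findings; the embedded ruleset is a constructed copy of the one above with the author's placeholder prefix replaced by the documentation prefix 2001:db8:100::/56.

```python
import shlex
from typing import Dict, List, Tuple

# Constructed sample: the post's ruleset, with the placeholder replaced by a
# documentation prefix. Counters are zeroed; they are irrelevant to the checks.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-I INPUT -p icmpv6 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-I INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6tables input denied: " --log-level 7
-A FORWARD -m state --state NEW -i eth0 -o tun -s 2001:db8:100::/56 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp --dport 22 -j ACCEPT
-I FORWARD -p icmpv6 -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "ip6tables forwarding denied: " --log-level 7
COMMIT
"""

Rule = Dict[str, str]  # option name without dashes -> value ("" for flags), plus "chain"


def parse_ruleset(text: str) -> Tuple[Dict[str, str], List[Rule]]:
    """Parse ip6tables-save text into {chain: policy} and a list of rules.
    Negated matches ("! -s ...") are not supported and raise ValueError."""
    policies: Dict[str, str] = {}
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):  # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        tokens = shlex.split(line)  # keeps quoted --log-prefix values intact
        rule: Rule = {}
        i = 0
        while i < len(tokens):
            if not tokens[i].startswith("-"):
                raise ValueError(f"unexpected token {tokens[i]!r} in {line!r}")
            key = tokens[i].lstrip("-")
            # An option takes the next token as value unless that is an option too.
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                rule[key], i = tokens[i + 1], i + 2
            else:
                rule[key], i = "", i + 1
        rule["chain"] = rule.pop("A", None) or rule.pop("I", "")
        rules.append(rule)
    return policies, rules


def describe(rule: Rule) -> str:
    """Render a parsed rule back into ip6tables option syntax (chain omitted)."""
    parts = []
    for key, value in rule.items():
        if key == "chain":
            continue
        flag = ("-" if len(key) == 1 else "--") + key
        parts.append(f"{flag} {value}" if value else flag)
    return " ".join(parts)


def audit(policies: Dict[str, str], rules: List[Rule]) -> List[str]:
    """Return findings: non-DROP policies, missing ICMPv6, unscoped FORWARD accepts."""
    findings: List[str] = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain)!r}, expected DROP")
        if not any(r["chain"] == chain and r.get("p") == "icmpv6" and r.get("j") == "ACCEPT"
                   for r in rules):
            findings.append(f"{chain} has no ICMPv6 accept rule")
    for r in rules:
        if r["chain"] != "FORWARD" or r.get("j") != "ACCEPT" or r.get("p") == "icmpv6":
            continue
        scoped = any(k in r for k in ("i", "o", "s", "d"))
        if not scoped and "ESTABLISHED" not in r.get("state", ""):
            findings.append("FORWARD accepts unscoped traffic: " + describe(r))
    return findings


def audit_text(text: str) -> List[str]:
    return audit(*parse_ruleset(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_RULESET) or ["no findings"]:
        print(finding)
```

On the sample it reports one finding, the `-A FORWARD -p tcp --dport 22 -j ACCEPT` rule, which forwards SSH from the Internet into the LAN as well as out of it; restricting it with `-i tun -d <lan host>` or dropping it in favour of the stateful rule above it would close that.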

Things in rc.local

To make my connection come up and the firewall rules get applied after a reboot, I put these lines in /etc/rc.local:

mkdir /var/run/gogoc &&
gogoc &&
ip6tables-restore < /home/admin/firewall6

That mkdir command is there because of the second issue I experienced.

Every time I rebooted my host, gogoc would not connect because /var/run/gogoc was missing.

This is my quick and very dirty fix for that. You may want to check whether you can get it working without such a ridiculous trick.

Conclusion

Everything works now the way I was hoping. Client computers can reach Internet hosts over both IPv4 and IPv6. The configuration on my Linux router persists over reboots. For now the client computers use only an IPv4-based name server.

Sources
http://gogonet.gogo6.com/page/freenet6-ipv6-services
http://www.chronos-tachyon.net/reference/debian-ipv6-and-hurricane-electric
http://www.sixxs.net/wiki/IPv6_Firewalling

Networking with Linux; Linux Advanced Routing & Traffic Control HOWTO

[Originally posted Mar 13, 2012 4:55 AM by Antti Uitto]

Great resource:

Linux Advanced Routing & Traffic Control HOWTO

http://lartc.org/lartc.html

As I said, Linux is a powerful tool for network-related work.
The link above is to an extensive HOWTO about routing and the other networking services available in most Linux distributions.

Here is a nice one that I tried on my own router host.

If you are hosting an Internet gateway for some community, put this on the interface through which traffic returns to their LAN:

sudo tc qdisc add dev eth1 root tbf rate 64kbit latency 50ms burst 128kbit

They’ll love you for it! 🙂