IPv6 Static Address on Ubuntu

27 04 2012
So – I have blogged about how to enable IPv6 on your firewall and set up your tunnel, and how to manually add addresses to an Ubuntu server, but what about the server you are sticking on the end of the tunnel permanently? You want it up after every reboot.
I have an Ubuntu box sitting on 2001:470:489e::100. This hosts http://public6.blackundertone.com and also my mail host mail.blackundertone.com.
Most modern distros will have IPv6 enabled out of the box and will do their best to grab an address. I didn't want autoconfiguration handing any old address to this host (even with SLAAC deriving it from the MAC address), so that I could properly set up inbound and outbound FW rules.
You can turn it off by entering the following in /etc/sysctl.conf and rebooting:
– Disable the autoconf / SLAAC capability for the interface (eth0 here)

net.ipv6.conf.eth0.autoconf=0

– Ignore the RA messages from your router

net.ipv6.conf.eth0.accept_ra=0

If you just want to test it out, or don't want to reboot your machine:

sudo sysctl -w net.ipv6.conf.eth0.autoconf=0
sudo sysctl -w net.ipv6.conf.eth0.accept_ra=0

–BEFORE with autoconfigured Global IPv6 address–
eth0      Link encap:Ethernet  HWaddr 00:50:56:a1:70:d1
          inet addr:10.0.1.100  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: 2001:470:489e:0:250:56ff:fea1:70d1/64 Scope:Global
          inet6 addr: fe80::250:56ff:fea1:70d1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:56 errors:0 dropped:12 overruns:0 frame:0
          TX packets:47 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6219 (6.2 KB)  TX bytes:7140 (7.1 KB)
–AFTER only link-local address remains–
eth0      Link encap:Ethernet  HWaddr 00:50:56:a1:70:d1
          inet addr:10.0.1.100  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fea1:70d1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:254 errors:0 dropped:12 overruns:0 frame:0
          TX packets:237 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:24646 (24.6 KB)  TX bytes:33280 (33.2 KB)
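The "before" output above is the giveaway that autoconf is still active: the global address ends in the EUI-64 identifier derived from the MAC (250:56ff:fea1:70d1 from 00:50:56:a1:70:d1). The script below is an added example, not part of the original post: it rebuilds that identifier from a MAC and checks an ifconfig dump and a sysctl.conf fragment, so you can confirm on a box that SLAAC really is off. The function names are mine and the sample inputs are constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not from the original post): derive the EUI-64 interface ID
# that SLAAC would build from a MAC, then check an ifconfig dump for a global
# address that still carries it (i.e. autoconf is still handing out addresses).

# mac_to_eui64 MAC -> EUI-64 interface identifier as four hextets, leading
# zeros dropped the way ifconfig prints them (assumes no hextet is all-zero,
# which ifconfig would compress with ::)
mac_to_eui64() {
    rest=$1
    o1=${rest%%:*}; rest=${rest#*:}
    o2=${rest%%:*}; rest=${rest#*:}
    o3=${rest%%:*}; rest=${rest#*:}
    o4=${rest%%:*}; rest=${rest#*:}
    o5=${rest%%:*}; o6=${rest#*:}
    # flip the universal/local bit (0x02) of the first octet, insert ff:fe
    o1=$(printf '%02x' $(( 0x$o1 ^ 0x02 )))
    printf '%x:%x:%x:%x\n' $(( 0x$o1$o2 )) $(( 0x${o3}ff )) $(( 0xfe$o4 )) $(( 0x$o5$o6 ))
}

# slaac_addr_present PREFIX MAC DUMP -> success if DUMP contains a global
# inet6 address of the form PREFIX:EUI64(MAC)
slaac_addr_present() {
    eui=$(mac_to_eui64 "$2")
    printf '%s\n' "$3" | grep -q "inet6 addr: $1:$eui/[0-9]* *Scope:Global"
}

# ra_disabled_in_conf IFACE CONF -> success if CONF sets both autoconf and
# accept_ra to 0 for IFACE
ra_disabled_in_conf() {
    printf '%s\n' "$2" | grep -q "^net.ipv6.conf.$1.autoconf *= *0" &&
    printf '%s\n' "$2" | grep -q "^net.ipv6.conf.$1.accept_ra *= *0"
}

# Constructed sample inputs: the inet6 lines from the "before" ifconfig output
# and the sysctl.conf fragment from the post.
BEFORE_DUMP='          inet6 addr: 2001:470:489e:0:250:56ff:fea1:70d1/64 Scope:Global
          inet6 addr: fe80::250:56ff:fea1:70d1/64 Scope:Link'
SYSCTL_CONF='net.ipv6.conf.eth0.autoconf=0
net.ipv6.conf.eth0.accept_ra=0'

if slaac_addr_present 2001:470:489e:0 00:50:56:a1:70:d1 "$BEFORE_DUMP"; then
    echo "eth0 still has a SLAAC-derived global address"
fi
ra_disabled_in_conf eth0 "$SYSCTL_CONF" && echo "sysctl.conf disables RA/autoconf on eth0"
```

On a live box, feed it `ifconfig eth0` output and `/etc/sysctl.conf` instead of the constructed strings.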
Now it's simply another couple of lines in your /etc/network/interfaces file and a quick network restart (with accept_ra off, the gateway line is what supplies the default route, since no RA will):
iface eth0 inet6 static
        address 2001:470:489e::100
        netmask 64
        gateway 2001:470:489e::1
and your shiny new STATIC ASSIGNED IPv6 address is active:
eth0      Link encap:Ethernet  HWaddr 00:50:56:a1:70:d1
          inet addr:10.0.1.100  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fea1:70d1/64 Scope:Link
          inet6 addr: 2001:470:489e::100/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:806 errors:0 dropped:116 overruns:0 frame:0
          TX packets:716 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:71814 (71.8 KB)  TX bytes:110482 (110.4 KB)
Apache and Postfix should already listen on any IPv6 address, so simply restart the services.

FortiGate IPv6 using tunnelbroker.net

22 04 2012
My previous IPv6 network was configured with Astaro; recently I have switched vendor to Fortinet (partly for troubleshooting, partly because I could). Using one of their FortiGate FWs, it's been "fun" getting all the functions working that I had on the Astaro. One that was a bit more complex was the IPv6 config: it was pretty much point-and-click GUI driven on the Astaro, and it's a lot more CLI driven on the FortiGate.
I'm using PPPoE without a static IP, so when my IPv4 ISP connection changes address, it will take out my IPv6 tunnel. I will try to work out how this needs to be fixed later.

First step is to enable IPv6 in the GUI. Most of the tunnel config is going to be done on the CLI, but with the GUI enabled you can at least manage the addresses / policies easily.
config system global
  set gui-ipv6 enable
end

Configure the tunnel. If you are using he.net (tunnelbroker.net), there is a shortcut you can take.
View your Tunnel Details on their admin page and make sure you set the correct "Client IPv4 Address" to match your current PPPoE or other connection. Then click on the tab called "Example Configurations", which lets you simply select your OS and populates the changes needed with the correct IP addresses. In this case, FortiGate 4.x:
config system sit-tunnel
    edit "HE"
        set destination 64.62.134.130
        set ip6 2001:470:66:288::2/64
        set source 121.216.247.8
    next
end
config router static6
    edit 1
        set device "HE"
    next
end
Once you have pasted that into the CLI on the FG, check the tunnel comes up and finish the config.

Ping from the FortiGate to the tunnel broker:

Fortigate # execute ping6 2001:470:66:288::1
PING 2001:470:66:288::1(2001:470:66:288::1) 56 data bytes
64 bytes from 2001:470:66:288::1: icmp_seq=1 ttl=64 time=159 ms
64 bytes from 2001:470:66:288::1: icmp_seq=2 ttl=64 time=158 ms
64 bytes from 2001:470:66:288::1: icmp_seq=3 ttl=64 time=157 ms
64 bytes from 2001:470:66:288::1: icmp_seq=4 ttl=64 time=158 ms
64 bytes from 2001:470:66:288::1: icmp_seq=5 ttl=64 time=158 ms
--- 2001:470:66:288::1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4042ms
rtt min/avg/max/mdev = 157.156/158.424/159.138/0.802 ms
Fortigate #

Configure IPv6 on one of your FW interfaces (in this case, my port3 (DMZ) interface):
config system interface
     edit port3
            config ipv6
                set ip6-address 2001:470:489e::1/64
                set ip6-allowaccess ping
                set ip6-manage-flag enable
                set ip6-other-flag enable
                    config ip6-prefix-list
                        edit 2001:470:489e::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                            set preferred-life-time 3600
                        next
                    end
                set ip6-send-adv enable
          end
     next
end
NOTE: "set ip6-send-adv enable" turns on router advertisements on that segment, so any hosts configured for stateless autoconfiguration (most recent OSes) will pick up an address.

Create a FW policy to allow ping traffic to and from your network for testing:
config firewall address6
    edit "DMZ_v6"
        set ip6 2001:470:489e::/64
    next
end
config firewall policy6
    edit 1
        set srcintf port3
        set dstintf HE
        set srcaddr "DMZ_v6"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "PING6"
        set logtraffic enable
    next
    edit 2
        set srcintf HE
        set dstintf port3
        set srcaddr "all"
        set dstaddr "DMZ_v6"
        set action accept
        set schedule "always"
        set service "PING6"
        set logtraffic enable
    next
end

Ping from another host or one of the many test websites.

To the Firewall DMZ Interface:
PING 2001:470:489e::1: 56 data bytes
64 bytes from 2001:470:489e::1: icmp_seq=0. time=339. ms
64 bytes from 2001:470:489e::1: icmp_seq=1. time=336. ms
64 bytes from 2001:470:489e::1: icmp_seq=2. time=335. ms
64 bytes from 2001:470:489e::1: icmp_seq=3. time=334. ms
64 bytes from 2001:470:489e::1: icmp_seq=4. time=334. ms
----2001:470:489e::1 PING Statistics----
5 packets transmitted, 5 packets received, 0% packet loss
round-trip (ms)  min/avg/max/stddev = 334./336./339./2.2

To another host on my DMZ (public6.blackundertone.com):
PING public6.blackundertone.com: 56 data bytes
64 bytes from mail.blackundertone.com (2001:470:489e::100): icmp_seq=0. time=354. ms
64 bytes from mail.blackundertone.com (2001:470:489e::100): icmp_seq=1. time=332. ms
64 bytes from mail.blackundertone.com (2001:470:489e::100): icmp_seq=2. time=333. ms
64 bytes from mail.blackundertone.com (2001:470:489e::100): icmp_seq=3. time=334. ms
64 bytes from mail.blackundertone.com (2001:470:489e::100): icmp_seq=4. time=334. ms
----public6.blackundertone.com PING Statistics----
5 packets transmitted, 5 packets received, 0% packet loss
round-trip (ms)  min/avg/max/stddev = 332./337./354./9.5

From a host on my DMZ out to an IPv6 Internet site:
C:\Users\ash>ping ipv6.google.com
Pinging ipv6.l.google.com [2001:4860:4001:801::1010] with 32 bytes of data:
Reply from 2001:4860:4001:801::1010: time=160ms
Reply from 2001:4860:4001:801::1010: time=160ms
Reply from 2001:4860:4001:801::1010: time=160ms
Reply from 2001:4860:4001:801::1010: time=159ms
Ping statistics for 2001:4860:4001:801::1010:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 159ms, Maximum = 160ms, Average = 159ms
C:\Users\ash>

Configure some FW policies to allow your internal hosts to browse the IPv6 internet (HTTP/HTTPS/PING6/DNS). You can now use the GUI on the FortiGate to configure your new IPv6 FW rules; just remember to use the "IPv6 Policy" menu, not the standard "Policy" page, as that one is your IPv4 traffic.
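As an added example (mine, not from the original post), the same address6 / policy6 structure used for the ping rules above can expose only the web and mail ports of the static host from the first post, leaving everything else to the implicit deny. The object name "public6_host", the policy id, and the multi-service form of "set service" are assumptions; check them against your FortiOS version before pasting.

```fortios
config firewall address6
    edit "public6_host"
        set ip6 2001:470:489e::100/128
    next
end
config firewall policy6
    edit 3
        set srcintf HE
        set dstintf port3
        set srcaddr "all"
        set dstaddr "public6_host"
        set action accept
        set schedule "always"
        set service "HTTP" "SMTP"
        set logtraffic enable
    next
end
```

Policies are matched top-down, so keep the broad PING6 test rule (edit 2) below, or remove it once testing is finished, otherwise it keeps matching inbound ICMPv6 before this one is consulted.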

A note on IPv6 DNS and the FortiGate
After some mucking around and frustration, it was clear that the FortiGate was not advertising a DNS server to stateless autoconfiguration clients. This meant that I had to configure the IPv6 DNS server manually, hardly a great solution (you can use the one from HE).
I found another couple of config items that seem to fix the issue (I added these to my interface config above):
    set ip6-manage-flag enable
    set ip6-other-flag enable
Documentation from Fortinet on this is not great, so I don't know the full impact of these (they correspond to the "managed" and "other configuration" flags in the router advertisement), but it seems to do what I want, as long as your IPv4 DNS server is the FortiGate.
As you can see, I only have an IPv4 nameserver (the FortiGate), but both IPv4 and IPv6 DNS entries are happily being resolved.
ash@public:~$ dig aaaa ipv6.google.com
; <<>> DiG 9.7.3 <<>> aaaa ipv6.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25610
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ipv6.google.com.               IN      AAAA
;; ANSWER SECTION:
ipv6.google.com.        13160   IN      CNAME   ipv6.l.google.com.
ipv6.l.google.com.      273     IN      AAAA    2001:4860:4001:801::1013
;; Query time: 7 msec
;; SERVER: 10.0.1.254#53(10.0.1.254)
;; WHEN: Sun Apr 22 14:59:40 2012
;; MSG SIZE  rcvd: 82
ash@public:~$ cat /etc/resolv.conf
nameserver 10.0.1.254
Once you are done, visit somewhere like http://ipv6-test.com/ to check your workstation is using IPv6.

Resources Used:
and the usual www.google.com