1 June 2013

For this second step in IPv6 static networking, we will set up an IPv6 router to route between two ULA (Unique Local Address) subnets.


The network map is this :




We use the same ULA Network ID as the last post, RFC 4193 Compliant.


The Client PC is running Windows 7 and the Server is running Windows Server 2008 R2. Of course, you can use any of Vista, Seven, 8, Windows Server 2008, 2008 R2 or 2013 for this lab; you don't need a server OS.

The Router used is a neat little IPv6-capable router : the D-link DIR 626 L. For 40 $/€, it is fully IPv6 capable, and even has a USB port for a NAS function. You don't need expensive appliances to experiment with IPv6.


As we won't be networking beyond Router 2 yet, you can replace Router 2 with a switch, or even use the switching side of a non-IPv6-capable router. Just keep this Router 2's IPv4 address in the same subnet as the Router 1 Wan subnet, and disable DHCPv4 if IPv4 is also in use on this subnet. You can even do without Router 2 completely.

The network would then look like this :




The goal here is to have PC 1 and Server able to ping each other, and PC 1 able to have remote desktop access to the Server, using IPv6.



IPv6 Router Setup



1. Setup > IPv6 > Manual IPv6 Local Connectivity Setup

    Uncheck ' Enable ULA '

See the ' More Details ' part further down the page for explanations of this choice.




2. Setup > IPv6 > Manual IPv6 Internet Connection Setup

We'll use these settings :

Static IPv6
Wan :                          fd07:432d:ce02:2::230
Default Gateway :     fd07:432d:ce02:2::1
DNS :                          nc
Lan :                            fd07:432d:ce02:3::1
Lan DHCPv6/SLAAC :     No







3. IPv6 Routes


Have a look at the Status Tab > IPv6 Routing :

The routes between the two networks fd07:432d:ce02:2::/64 and fd07:432d:ce02:3::/64 have been set up automatically, as well as the default gateway route ( ::/0 ).





( Just for info, here is a copy of the default, empty, IPv6 route page : Route2.gif )



4. IPv6 Firewall



The last thing we'll need to set up is the IPv6 Firewall.
Setup > IPv6 > Advanced > IPv6 Firewall

Enable IPv6 Ingress Filtering :        Unchecked

Enable IPv6 Simple Security :        No

Mode :                    IPv6 Firewall ON and ALLOW rules listed

We'll create 2 rules allowing ICMPv6 ( Ping6 ) traffic between the two hosts,

plus a rule to allow RDP ( Remote Desktop ) traffic from PC1 to Server.



This is a basic, hand-wired, closed-by-default firewall rule set. See the ' More Details ' part further down the page for explanations about the Dir-626 L IPv6 Firewall.

Don't forget to properly set up the PC 1 address :        fd07:432d:ce02:3::140/64, default gateway fd07:432d:ce02:3::1
and the Server address :        fd07:432d:ce02:2::200/64, default gateway fd07:432d:ce02:2::1
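To make the "ON and ALLOW rules listed" mode concrete, here is an added example (not from the original post, and not the router's firmware logic) that models the three rules as a default-deny allow-list and evaluates a few constructed flows. It assumes each rule is pinned to the two hosts as /128 addresses and that RDP uses its standard TCP port 3389; return traffic of an allowed connection is not modelled.

```python
import ipaddress
from typing import NamedTuple, Optional

PC1 = "fd07:432d:ce02:3::140"      # address from the page
SERVER = "fd07:432d:ce02:2::200"   # address from the page

class Rule(NamedTuple):
    name: str
    src: str                 # source network (here a single /128 host)
    dst: str                 # destination network
    proto: str               # "icmpv6" or "tcp"
    dport: Optional[int]     # None when the protocol has no port

# Assumed rule table: every rule scoped to the two hosts only.
RULES = [
    Rule("ping6 PC1 -> Server", PC1 + "/128", SERVER + "/128", "icmpv6", None),
    Rule("ping6 Server -> PC1", SERVER + "/128", PC1 + "/128", "icmpv6", None),
    Rule("RDP PC1 -> Server", PC1 + "/128", SERVER + "/128", "tcp", 3389),
]

def verdict(src, dst, proto, dport=None):
    """First matching ALLOW rule wins; anything unmatched is dropped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in RULES:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and proto == r.proto and dport == r.dport):
            return "ALLOW: " + r.name
    return "DENY: no rule"

def demo():
    flows = [  # constructed sample flows
        (PC1, SERVER, "icmpv6", None),
        (PC1, SERVER, "tcp", 3389),
        (SERVER, PC1, "tcp", 3389),                       # RDP in reverse
        (PC1, SERVER, "tcp", 445),                        # port not listed
        ("fd07:432d:ce02:3::141", SERVER, "tcp", 3389),   # other Lan host
    ]
    return [verdict(*f) for f in flows]

if __name__ == "__main__":
    for line in demo():
        print(line)
```
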



5. Server Settings


You can now try to ping Server from PC 1 and ... it doesn't work ... I'll leave you a minute to guess why, if you haven't yet ...

Yes, Server has no route to the PC 1 network, fd07:432d:ce02:3::/64.

On the Server, to check the Server's routes :
>netsh int ipv6 show route

To give Server a route to the fd07:432d:ce02:3::/64 network :

First check its interface index ( Idx ) typing :

>netsh int ipv6 show interface

Then add the route :

>netsh int ipv6 add route fd07:432d:ce02:3::/64 [Idx] fd07:432d:ce02:2::230

( replace [Idx] with the right number for your case )

We can now do some IPv6 Ping between the two hosts, and use Remote Desktop to our Server, using its fd07:432d:ce02:2::200 IPv6 address.
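The effect of the added route can be shown with a longest-prefix-match lookup. This is an added example, not from the original post; it assumes the Server's table holds only its on-link /64 and the default route via fd07:432d:ce02:2::1 given earlier, and `next_hop` is a hypothetical helper.

```python
import ipaddress

PC1 = "fd07:432d:ce02:3::140"

# Assumed Server routing table before the fix: (prefix, gateway).
SERVER_ROUTES = [
    ("fd07:432d:ce02:2::/64", "on-link"),
    ("::/0", "fd07:432d:ce02:2::1"),      # default gateway (Router 2)
]

# The route added with: netsh int ipv6 add route ... fd07:432d:ce02:2::230
ADDED_ROUTE = ("fd07:432d:ce02:3::/64", "fd07:432d:ce02:2::230")

def next_hop(routes, dst):
    """Return the gateway of the most specific route covering dst."""
    addr = ipaddress.ip_address(dst)
    matches = []
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            matches.append((net.prefixlen, gateway))
    if not matches:
        return None                        # no route at all
    return max(matches)[1]                 # longest prefix wins

def before_and_after():
    before = next_hop(SERVER_ROUTES, PC1)
    after = next_hop(SERVER_ROUTES + [ADDED_ROUTE], PC1)
    return before, after

if __name__ == "__main__":
    before, after = before_and_after()
    print("reply to PC 1 before the fix goes to:", before)
    print("reply to PC 1 after the fix goes to: ", after)
```

Before the fix, the echo reply is handed to the default gateway, which in this lab may be a plain switch or absent; after it, the /64 route is more specific than ::/0 and the reply goes to Router 1's Wan address.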







We can also administer our Router using its IPv6 address : just type [fd07:432d:ce02:3::1] in the address bar.
Don't forget the brackets, they are mandatory.





More Details :

Why uncheck ' Enable ULA ' in ' Manual IPv6 Local Connectivity Setup '

Forget about your usual Lan side/Wan side setup, each with its own dedicated page in the Router's web admin interface,
at least for this DLink Dir 626L.

Here, we have the pages :

 . Manual IPv6 Internet Connection Setup

 . Manual IPv6 Local Connectivity Setup




The routing function, the Wan setup, the Router's Lan address, and even DHCPv6 and SLAAC for the Lan side are all in one single place : Manual IPv6 Internet Connection Setup

So what is the point of the ' Manual IPv6 Local Connectivity Setup ' page ?

Well, if you're only routing a private fd00::/8 network, you neither use nor need it.

But if, and only if, you want the router to route 2000::/3 global networks between the Wan and the Lan sides AND you want at the same time to use an fd00::/8 ULA network on the LAN side, then this ' Manual IPv6 Local Connectivity Setup ' might prove useful.

An interesting detail : it is possible to set this up :

    Wan=   fd07:432d:ce02:2::/64
    Lan=    fd07:432d:ce02:3::/64
    ULA=   fd07:432d:ce02:4::/64

The Router will automatically set up the routes between its Wan and Lan sides.

The ' Manual IPv6 Local Connectivity Setup ' default ULA prefix is a set prefix, which I suppose to be MAC-derived. It is static and supposed to be ' pseudo random enough ' to avoid ULA prefix collisions, but it doesn't fully comply with RFC 4193, which recommends a precise prefix setup, hashing the MAC address combined with the time, to get a good pseudo-unique ULA prefix that can be changed at will.

The DLink DIR 626-L IPv6 Firewall

The IPv6 Firewall implemented here seems to have a BSD, IP Filter origin. The DIR 626 L manual doesn't document its functions much. I'll try to discover how it works. All I can say is that IPv6 Simple Security seems to relate to RFC , which describes an easy default mode for consumer IPv6 firewalls that copies the way an IPv4 NAT firewall works :
allowing everything to go out, denying everything coming in except answers to previous outgoing requests.







I'll try to fully test this firewall, and document how it works in a coming post.

