1 June 2013, 18:09

For this second step in IPv6 static networking, we will set up an IPv6 router to route between two ULA ( Unique Local Address ) subnets.

 

The network map is this :

 

Static2a.gif

 

We use the same ULA Network ID as the last post, RFC 4193 Compliant.

 

The Client PC is running Windows 7, the Server is running Windows Server 2008 R2. You can of course use any of Vista, Seven, 8, Windows Server 2008, 2008 R2 or 2013 for this lab; you don't need a server OS.

The Router used is a neat, IPv6 capable, little Router : D-Link DIR 626 L. For 40 $/€, it is fully IPv6 capable, and even has a USB port for a NAS function. You don't need expensive appliances to experiment with IPv6.

 

As we won't be networking beyond Router 2 yet, you can replace Router 2 with a switch, or even use the switching side of a non-IPv6-capable router. Just keep this Router 2's IPv4 address in the same subnet as Router 1's Wan subnet, and disable DHCPv4 if IPv4 is also in use on this subnet. You can even do without Router 2 completely.

The network would then look like this :

 

Static2b.gif

 


The goal here is to have PC 1 and Server able to ping each other, and PC 1 able to have remote desktop access to the Server, using IPv6.

 

 

IPv6 Router Setup

IPv6.gif

 

1. Setup ) IPv6 ) Manual IPv6 Local Connectivity Setup )

    Uncheck ' Enable ULA '

See the ' More Details ' part down the page for explanations about this choice.


Local.gif

 

 

2. Setup ) IPv6 ) Manual IPv6 Internet Connection Setup )


We'll use these settings :

Static IPv6
Wan :                          fd07:432d:ce02:2::230
Default Gateway :     fd07:432d:ce02:2::1
DNS :                          nc
Lan :                            fd07:432d:ce02:3::1
Lan DHCPv6/SLAAC :     No

 

Static2c.gif

 

 

 

 

3. IPv6 Routes

 

Have a look at the Status Tab ) IPv6 Routing :

The routes between the two networks fd07:432d:ce02:2::/64 and fd07:432d:ce02:3::/64 have been automatically set up, as well as the default gateway route ( ::/0 )

 

Static2d.gif

 

 

( Just for info, here is a copy of the default, empty, IPv6 route page : Route2.gif )

 

 

4. IPv6 Firewall

 

 

The last thing we'll need to set up is the IPv6 Firewall.
Setup ) IPv6 ) Advanced ) IPv6 Firewall

Enable IPv6 Ingress Filtering :        Unchecked

Enable IPv6 Simple Security :        No

Mode :                    IPv6 Firewall ON and ALLOW rules listed

We'll create 2 rules allowing ICMPv6 ( Ping6 ) traffic between the two hosts

plus a rule to allow RDP ( Remote Desktop ) traffic from PC1 to Server

Static2e.gif

 

This is a basic, hand-wired, all closed by default firewall rule set. See the ' More Details ' part down the page for explanations about the DIR 626 L IPv6 Firewall.

Don't forget to properly set up the PC 1 address :        fd07:432d:ce02:3::140/64 and default gateway fd07:432d:ce02:3::1
and the Server address :        fd07:432d:ce02:2::200/64 and default gateway fd07:432d:ce02:2::1

 

 

5. Server Settings

 

You can now try to ping the Server from PC 1 and ... it doesn't work ... I'll leave you a minute to guess why, if you haven't yet ...

Yes, the Server has no route to PC 1's fd07:432d:ce02:3::/64 network.

On the Server, to check the Server's routes :
>netsh int ipv6 show route

To give the Server a route to the fd07:432d:ce02:3::/64 network :

First check its interface index ( Idx ) by typing :

>netsh int ipv6 show interface

Then add the route :

>netsh int ipv6 add route fd07:432d:ce02:3::/64 [Idx] fd07:432d:ce02:2::230

( replace [Idx] with the right number for your case )


We can now do some IPv6 Ping between the two hosts, and use Remote Desktop to our Server, using its fd07:432d:ce02:2::200 IPv6 address.
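
Why the ping fails until the route is added, as an added example that is not part of the original post: a longest-prefix-match trace over routing tables reconstructed from the addresses given above, modelling the second map ( no Router 2 ). The node names, the table layout and the helper functions are assumptions made for this illustration.

```python
import ipaddress

ON_LINK = None  # next hop of a directly connected prefix

def best_route(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if nothing matches."""
    dst = ipaddress.IPv6Address(dst)
    hits = [(ipaddress.IPv6Network(p), nh) for p, nh in routes
            if dst in ipaddress.IPv6Network(p)]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)

def trace(nodes, start, dst, max_hops=8):
    """Follow next hops from node `start` towards address `dst`."""
    owner = {a: name for name, n in nodes.items() for a in n["addrs"]}
    here, hops = start, [start]
    for _ in range(max_hops):
        route = best_route(nodes[here]["routes"], dst)
        if route is None:
            return hops, "no route"
        target = dst if route[1] is ON_LINK else route[1]
        if target not in owner:
            return hops, "next hop absent"
        here = owner[target]
        hops.append(here)
        if target == dst:
            return hops, "delivered"
    return hops, "hop limit exceeded"

def lab(server_has_static_route):
    """Tables reconstructed from the post's addressing (second map, no Router 2)."""
    lan, wan = "fd07:432d:ce02:3::/64", "fd07:432d:ce02:2::/64"
    server = [(wan, ON_LINK), ("::/0", "fd07:432d:ce02:2::1")]
    if server_has_static_route:  # netsh int ipv6 add route ... fd07:432d:ce02:2::230
        server.append((lan, "fd07:432d:ce02:2::230"))
    return {
        "PC1": {"addrs": ["fd07:432d:ce02:3::140"],
                "routes": [(lan, ON_LINK), ("::/0", "fd07:432d:ce02:3::1")]},
        "Router1": {"addrs": ["fd07:432d:ce02:3::1", "fd07:432d:ce02:2::230"],
                    "routes": [(lan, ON_LINK), (wan, ON_LINK),
                               ("::/0", "fd07:432d:ce02:2::1")]},
        "Server": {"addrs": ["fd07:432d:ce02:2::200"], "routes": server},
    }

if __name__ == "__main__":
    for fixed in (False, True):
        print(fixed, trace(lab(fixed), "Server", "fd07:432d:ce02:3::140"))
```

The request from PC 1 reaches the Server in both cases; it is the reply that follows the Server's default route to fd07:432d:ce02:2::1 instead of Router 1 until the static route is present.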

 

Static2f

 

 

Static2g.gif

 

We can also administer our Router using its IPv6 address: just type [fd07:432d:ce02:3::1] in the address bar.
Don't forget the brackets, they are mandatory.

Status2.gif

 

 

 

More Details :


Why uncheck ' Enable ULA ' in ' Manual IPv6 Local Connectivity Setup '

Forget about your usual Lan side/Wan side setup, each with its own dedicated page in the Router's web admin interface, at least for this D-Link DIR 626 L.

Here, we have the pages :

 . Manual IPv6 Internet Connection Setup

 . Manual IPv6 Local Connectivity Setup

 

IPv6

 

The routing function, the Wan setup, the Router's Lan address, and even DHCPv6 and SLAAC for the Lan side are all in one single place : Manual IPv6 Internet Connection Setup

So what is the point of the ' Manual IPv6 Local Connectivity Setup ' page ?

Well, if you're only routing a private fd00::/8 network, you neither use nor need it.

But if, and only if, you want the router to route 2000::/3 global networks between the Wan and the Lan sides AND you want at the same time to use an fd00::/8 ULA network on the Lan side, then this ' Manual IPv6 Local Connectivity Setup ' page might prove useful.


An interesting detail : it is possible to set this up :

    Wan=   fd07:432d:ce02:2::/64
    Lan=    fd07:432d:ce02:3::/64
    ULA=   fd07:432d:ce02:4::/64

The Router will automatically set up the routes between its Wan and Lan sides.


The default ULA prefix on the ' Manual IPv6 Local Connectivity Setup ' page is a fixed prefix, which I suppose to be MAC-derived. It is static and supposed to be ' pseudo random enough ' to avoid ULA prefix collisions, but it doesn't fully comply with RFC 4193, which recommends a precise procedure for building the prefix, hashing the MAC address and the time together, to get a good pseudo-unique ULA prefix that can be changed at will.


The DLink DIR 626-L IPv6 Firewall

The IPv6 Firewall implemented here seems to have a BSD, IP Filter origin. The DIR 626 L manual doesn't document its functions much. I'll try to discover how it works. All I can say is that IPv6 Simple Security seems to relate to RFC , which describes an easy default mode for consumer IPv6 firewalls that copies the way an IPv4 NAT firewall works :
Allowing everything to go out, denying everything from getting in except answers to previous outgoing requests.

 

 

 

Static2e

 

 

I'll try to fully test this firewall, and document how it works in a coming post.

Published by computer outlines - in IPv6