23 July 2013, 14:49

We'll see here how to set up a publicly accessible Web Server using Windows Server 2008 R2, covering the network settings and DNS issues, with a special focus on IPv6.


Our web server will have the GUA 2001:db8:4b17:2::200 for this example.
Here is the network map :

 

WS6a.gif

 

 

 

Web Server Installation

 

First, we add the Server Role in the Server Manager :

 

WS6c.gif

 

Add Roles ) Web Server ( IIS ) :

 

WS6d.gif

 

We can leave all the default options.

The server manager automatically creates an inbound rule for HTTP ( TCP port 80 ) on the Server :

 

WS6e.gif

 

 

 

We can test the default website from our client PC ( PC1 ), typing its IPv6 address in brackets in the browser :

 

WS6n.gif 

 

 

 

FQDN Resolution

Here we want our web server to be accessible by its FQDN ( www.example.com ). There are 4 options here:

 

1. Use our hosts file :
        . not very convenient
        . no public name resolution

2. Use a local DNS Server not authoritative to the Internet :
        . no public name resolution

3. Use a local DNS Server authoritative to the Internet :
        . too heavy a daily management task, not suited ( see previous posts )

4. Use the registrar of example.com, and add an A and an AAAA record :
        . light task, suited
        . public name resolution

The last choice is what we want to do. This way, the admin task is light, public access to our web server is possible thanks to its FQDN being resolved on the Internet, and our local network PCs can resolve its name by regular DNS query out to the Internet ( DNS query forwarding in our local DNS Server ). ( more info here : Domain name choice and design for DNS and Active Directory setup )

The network / DNS map then looks like this :

 

WS6b.gif


We just have to log in to our registrar's web admin page :

 

. we clean any A, AAAA, or CNAME record referring to www.example.com

 

. we add A and AAAA records for the host www.example.com :


A record :             www.example.com                 [ Public IPv4 Address ]
AAAA record :      www.example.com                 [Web server IPv6 address ]

We just have to wait a little while for the changes to propagate through the DNS servers of the Internet, until we can check that the name resolution is right :


nslookup www.example.com

 

 

 

Internet Gateway setup

 

We have to do a port forwarding at our Internet Gateway, to forward port 80 ( HTTP ) to the private IPv4 of our Web Server, if we want the Web Server to be reachable over IPv4.


We also have to create an IPv6 firewall rule, to allow IPv6 port 80 to pass through the IPv6 Firewall :

 

WS6m.gif

 

 

 

Web Server websites management

 

The default website is at :
C:\inetpub\wwwroot\

Using the server manager IIS Manager, we can add websites, manage them, their listening IPs and their listening port.

Remember that an [ IP address/port ] combination can be used by only one website.

 

as an example, to add a site :

 

WS6f.gif

 

To stop a website :

 

WS6k.gif

 

To edit a website's bindings ( IP / port combination ) :

 

WS6g.gif

 

 

WS6h.gif

 

Published by computer outlines - in Windows Server 2008 R2

21 July 2013, 10:42

We'll see here the essentials of Windows Server 2008 R2 System Backup and Restore.

 

 

Adding the Server Backup Feature

 

First, we need to add the Windows Server Backup Feature :

 

Server Manager ) add features ) Windows Server Backup Features ( including both subordinate items : Windows Server Backup, Command-line Tools )

 

 

 

 

Doing a Full Server Backup

 

The Full Server Backup is performed using Administrative Tools ) Windows Server Backup :

 

WS5a.gif

 

Then, we can do a first backup of our server, using either a local HDD or a Network Share. Of course, in the case of a local HDD, as we're doing a full server backup, the local HDD has to be excluded from the save.

 

WS5b.gif

 

 

WS5c.gif

 

 

The Server Backup Feature offers many backup types, options, and fine-grained settings. Here we want to perform a System Backup, so we choose ' Full Server Backup '. It's a complete server image, i.e. like Norton Ghost.

 

 

 

Doing a Full Server Restore

 

To perform a Full Server Restore, we need to boot with the Windows Recovery Environment. It can be done either by :

 

. using the OS Install DVD

 

. or rebooting and pressing F8 ) Repair Your Computer

 

 

Please note that the Full Server Restore will replace all folders and documents with the ones present at the time of the backup. It's a time machine, so remember to save and export current important data.

 

 

 

Doing a System State Restore

 

System state seems to recover the system, in a close to ghost way, but doesn't change the installed software, its settings and the user documents.
MS is not very clear about the level of system restoration of this recovery. It does seem to fit between restore-point and ( bare-metal / recovery of the Operating System )

 

System State Restore is useful when you're using Remote Desktop to the Server and/or need a quick fix.

To do a System State Restore, we use the same Administrative Tools ) Windows Server Backup :

 

WS5a

 

and choose Recover :

 

WS5f

 

 

 

The different restore levels in details

 

 

Here is a sum-up of the different levels of system restore :

 

Online ( Using the booted Windows Server OS ) :

 

                 . System State recovery

 

Offline ( Using either the install DVD or F8 ) :

 

                 . Bare metal Recovery

                 . OS Recovery

                 . Full Server recovery

 

 

Full Server Recovery is an ' all Server Disks ' imaging, including documents and applications.

The difference between Bare metal Recovery and OS Recovery is not clear.

System State Recovery seems even less complete than the latter two, but the difference is still not clear.

 

Here is some official Microsoft Documentation :

 

WS5e.gif

 

 

What doesn't help to sort all of this out is that MS documentation lists what System State Recovery saves, instead of what it doesn't save. I'll add better information here as soon as I manage to clear all this up.

 

Published by computer outlines - in Windows Server 2008 R2

18 July 2013, 15:11

In this post we'll see how to use GUA ( Global Unicast Addresses ) for our DNS Server, and what it involves compared to ULA.
See previous post about the basics of DNS Server, using ULA.

 

WS3a.gif

 

As stated in the two previous posts, our DNS Server will only be authoritative over our local network. We'll leave our public servers' DNS management at the registrar level. See the two previous posts for explanations and details.

[G] represents our /48 GUA prefix throughout this post ( 2001:0DB8:0::/48 as an example )

 

Subnet design of the GUA network

 

As we're using GUA ( Global Unicast Addresses ), we need to use a clear separation between our authority and our non-authority zones. We'll use subnets for this :

WS3b.gif

 

 

the [G]:2::/64 and [G]:1::/64 subnets will be for our non-public network
the [G]:0::/64 will be for our public-access network

for this, we create two reverse-lookup zones :


new reverse lookup zone :

    Primary zone

    IPv6

    [G]:3::/64

    Net03GUA.dns

    do not allow dynamic updates



new reverse lookup zone :

    Primary zone

    IPv6

    [G]:2::/64

    Net02GUA.dns

    do not allow dynamic updates



we then add the AAAA records for our network nodes :


add AAAA records for PC1, PC2, vefsna, router1, Router2





Using both ULA and GUA on the non-public network


of course, we can register both the ULA and GUA non-public subnets. We just have to register both the ULA and GUA reverse-lookup zones, and both ULA and GUA AAAA records for the nodes.

the only point to choose is whether to register distinct host and router names for ULA and GUA.
[G] being our /48 GUA prefix and [H] being our /48 ULA prefix, we could have :

[G]:3::210    PC1
[H]:3::210    PC1

or

[G]:3::210    PC1gua
[H]:3::210    PC1

it is just a design choice.

 

Published by computer outlines - in Windows Server 2008 R2

15 July 2013, 12:41

Now that we know how to choose the right domain name, let's see the DNS Server implementation.
We'll use Windows Server 2008 R2 here, and keep a special focus over IPv6.

D7o.gif

 

 

Our DNS Server won't be authoritative over external Internet servers. This is a heavy task ( having servers in distinct physical locations, facing flooding and DNS poisoning, ... ) and is beyond the scope of this post. Furthermore, it only makes sense in very special cases or for big firms.

So our DNS server will be authoritative only over our local network. We'll use example.net as our domain name, but you can replace it with int.example.com if you wish, it's the same.

See previous post for more details about Domain name design and choice in DNS Server / Active Directory implementation.

PC1, PC2, VEFSNA and Router1 ( LAN ) are on the subnet 192.168.3.0 / fd07:44de:a327:3::/64

PC3 and Router2 ( LAN ) are on the subnet 192.168.2.0 / fd07:44de:a327:2::/64

Since we're using ULAs, we don't even have to think about DNS Server Authority. Our DNS Server will be authoritative over our local network and will forward all queries to an outside DNS Server.

 

 


Server preparation

 

We first clean up any previous DNS Server implementations in our WS2008 R2 by cleaning up the folders :

C:\Windows\System32\DNS
C:\Windows\System32\DNS\Backup

only leaving these two empty folders.

 

We can clean some previous DNS Server logs :

 

D7n.gif

 

In network connections, we set our interfaces DNS IPs to either :

 

                . [Server IP]

 

or            . Loopback ( 127.0.0.1 / ::1 )

 

 

In Advanced System Properties, we check our Server name and DNS suffix :

 

. computer name :                 [Server Name]
. dns suffix :                    example.net

And we reboot

 

 

 

DNS Role installation and configuration

 

We then add the DNS Server Role : Server Manager ) Add Roles ) DNS Server

D7b

 

 

 

We will then configure our DNS Server expanding the Server Manager tree :

 

Server Manager ) Roles ) DNS Server ) DNS ) [ Server Name ] ) Right click : Configure a DNS Server :

 

D7c.gif

 

 

We will use these settings for the configuration :

 

       . Create a forward lookup zone
       . This server maintains the zone
       . Zone name : example.net
       . File name : default ( example.net.dns in this case )
       . Dynamic Updates : Do not allow dynamic updates                  ( there is no AD here )
       . Forward queries :
              . Yes
              . IPv4 ISP DNS or OpenDNS

 

We use forward queries because we want the DNS queries we are not authoritative for to be forwarded directly to an outside caching or recursive DNS Server.

 

 

 

Lookup Zones configuration

 

We will then configure our Reverse Lookup Zones, both for IPv4 and IPv6.

 

Server Manager ) Roles ) DNS Server ) DNS ) [ Server Name ] ) Reverse Lookup Zone ) Right click : new zone

 

D7d.gif

 

 

We use these settings for this IPv4 Reverse Lookup Zone :

 

    . Primary zone
    . IPv4 Reverse Lookup Zone
    . 192.168.3
    . zone file : new file ( default )                                                                     ( 3.168.192.in-addr.arpa.dns in this case )
    . Dynamic updates : Do not allow dynamic updates                             ( there is no AD here )

We then create a second Reverse Lookup Zone, for IPv6 this time ( Right click ) New Zone ) :


    . Primary zone
    . IPv6 Reverse lookup zone
    . fd07:44de:a327:3::/64
    . zone file : new file : net03.dns                                                                  (create your own name here)
    . Dynamic updates : Do not allow dynamic updates                             ( there is no AD here )

 

Do note two things about IPv6 in DNS Server :

 

    . You have to enter the zone subnet using a [prefix]/[prefix length] format :

 

D7e.gif

 

    . There is no default zone file created, so you have to make one up. I like to tag the subnet, so I use Net03.dns in this case ( because the subnet is fd07:44de:a327:3::/64 and I use the last hex quad for subnet tagging ). Just make it end with .dns :

 

D7f.gif

 

Normally, the NS and SOA fields have been automatically filled with the right settings and host records have been automatically made for the Server IP addresses :

 

D7m.gif

 

Finally, we have to add PTR records ( Reverse Lookup ) for our Server's own IP.

Using Server Manager ) Roles ) DNS Server ) DNS ) [ Server Name ] ) Reverse Lookup Zone :

 

We right click our IPv4 zone ( 3.168.192.in-addr.arpa here ) and choose ' new PTR record ' :

 

 

and then add our Server Name ( vefsna ) and IPv4 DNS address here :

 

 

We do it again for the DNS Server IPv6 address.

We right click our IPv6 zone ( net03.dns here ) and choose ' new PTR record ' :

 

 

and then add our server Name ( vefsna here ) and IPv6 DNS address :

 

 

 

 

We can check that our DNS server is working by doing :

Roles ) DNS Server ) DNS ) [ Server Name ] ) right click ) nslookup :

 

D7p.gif

 

The DNS Server should be able to resolve its own name, IPv4 and IPv6 addresses. Furthermore, the field ' DNS Server ' should list our Server name ( vefsna in this case )

 

 

 

Adding DNS records for network hosts and routers

 

To add a record, we just have to add a new host in the Forward Lookup Zone. The PTR record will be created automatically. Please note that you have to create 2 records for each host : 1 IPv4 record and 1 IPv6 record.

 

Roles ) DNS Server ) DNS ) [ Server Name ] ) Forward lookup zone ) example.net ) right click :
new host ( A or AAAA ) :

 

D7g.gif

 

 As an example, for PC1, we create an IPv4 Record using these settings :

 

   PC1
    192.168.3.140
    Create associated PTR Record : yes
    Add Host ( click )

 

D7h.gif

 

 

 and we create an IPv6 record using these settings :

 

   PC1
    fd07:44de:a327:3::140
    Create associated PTR Record : yes
    Add Host ( click )

D7i.gif

 

We create records the same way for PC2 and Router1 (Lan IP).

We can test that these records work using the Server Manager Nslookup Tool :

 

Roles ) DNS Server ) DNS ) [ Server Name ] ) right click ) nslookup
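
The reverse zone names and PTR owner names that the DNS console derives from the subnets and host addresses above can be computed and cross-checked offline. This is an added example, not part of the original post; the function names, the PC3 addresses and the deliberately missing IPv6 zone in the sample data are constructed for illustration.

```python
import ipaddress


def reverse_zone(prefix):
    """Return the reverse-lookup zone name for an IPv4 or IPv6 prefix."""
    net = ipaddress.ip_network(prefix)
    # Reverse names carry one label per octet (IPv4) or per hex nibble (IPv6),
    # so a zone can only be cut on an 8-bit or 4-bit boundary.
    bits, labels_per_addr = (4, 32) if net.version == 6 else (8, 4)
    if net.prefixlen % bits:
        raise ValueError(f"{prefix}: prefix length is not a multiple of {bits}")
    labels = net.network_address.reverse_pointer.split(".")
    host_labels = labels_per_addr - net.prefixlen // bits
    return ".".join(labels[host_labels:])


def ptr_owner(address):
    """Return the full owner name of the PTR record for one address."""
    return ipaddress.ip_address(address).reverse_pointer


def audit(forward_records, zone_prefixes, ptr_records):
    """List A/AAAA records that have no reverse zone or no matching PTR."""
    zones = [reverse_zone(p) for p in zone_prefixes]
    findings = []
    for name, address in forward_records:
        owner = ptr_owner(address)
        if not any(owner.endswith("." + zone) for zone in zones):
            findings.append((name, address, "no reverse zone"))
        elif ptr_records.get(owner) != name:
            findings.append((name, address, "PTR missing or mismatched"))
    return findings


# PC1 uses the addresses from the post; the PC3 addresses are constructed.
FORWARD = [
    ("pc1.example.net", "192.168.3.140"),
    ("pc1.example.net", "fd07:44de:a327:3::140"),
    ("pc3.example.net", "192.168.2.150"),
    ("pc3.example.net", "fd07:44de:a327:2::150"),
]
# Constructed mistake: the IPv6 reverse zone for subnet 2 was never created.
ZONES = ["192.168.3.0/24", "fd07:44de:a327:3::/64", "192.168.2.0/24"]
PTRS = {
    ptr_owner("192.168.3.140"): "pc1.example.net",
    ptr_owner("fd07:44de:a327:3::140"): "pc1.example.net",
    ptr_owner("192.168.2.150"): "pc3.example.net",
}

if __name__ == "__main__":
    for prefix in ZONES:
        print(f"{prefix:24} -> {reverse_zone(prefix)}")
    for finding in audit(FORWARD, ZONES, PTRS):
        print("finding:", finding)
```
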

 

 

Client computers configuration

 

We have to make sure PC1 and PC2 get the Server DNS IP and domain prefix for DNS resolution :

 

. Either statically, using Network Connections ( for DNS IP ) and Advanced System Properties ( for domain suffix )

. Or dynamically, registering these two settings in Router1

 

 

 

Testing DNS resolution

 

We can test forward DNS resolution using these commands :

 

nslookup [name]                                                                           ( resolves [name] into its IPs )

nslookup [name] [DNS Server IP]                                              ( forces the use of a specific IP for DNS resolution )

 

 

We can test reverse DNS resolution using these commands :

 

nslookup [IP]                                                                                  ( performs a reverse-lookup over [IP] )

nslookup [IP] [DNS Server IP]

 

Please note these special commands :

 

ping -a [IP]                                                                                       ( performs a ping+reverse-lookup )

tracert -d [name]                                                                             ( tracert without intermediate nodes reverse-lookups )

tracert -d [IP]                                                                                    ( idem )

 

For example, here is a sequence to test DNS query, reverse lookup, suffix settings and DNS forwarding :


nslookup pc1.example.net fd07:44de:a327:3::210
nslookup pc1.example.net
nslookup pc1
nslookup www.wikipedia.org

 

nslookup fd07:44de:a327:3::140

 

 

Adding more zones

 

We might want to add more zones to our DNS Server. In this example, we will add the zone that contains PC3 and Router2 ( Lan IP ) :

 

D7o

 

This means adding two new reverse lookup zones :

. 192.168.2.0 subnet

. fd07:44de:a327:2::/64 subnet

 

we do it the same way we added the two first reverse lookup zones :

Server Manager ) Roles ) DNS Server ) DNS ) [ Server Name ] ) Reverse Lookup Zone ) Right click : new zone

 

we add a new IPv4 reverse lookup zone : 192.168.2

and a new IPv6 reverse lookup zone : fd07:44de:a327:2::/64

 

we now have 4 reverse lookup zones :

 

D7k.gif

 

 

we can now add new hosts records : PC3 and Router2
( using Roles ) DNS Server ) DNS ) [ Server Name ] ) Forward lookup zone ) example.net ) right click :
new host ( A or AAAA ) :

 

D7l.gif

 

 

we can now start experimenting with our two subnets, doing as an example :

tracert router2

 

we can see the nodes' reverse name resolution occurring on the fly.

we can log in to our routers using router1 or router2 ( domain suffix is added on the fly )

we can even add more subnets for our DNS Server to manage

 

 

 

Registering our public-access services

 

 

D7o

 

We finally have to register our public-access services, which reside on our outside domain example.com.

 

Of course, the Web/FTP server and the Internet Gateway have to use Global Unicast Address.

 

To do this, we just have to log in to our registrar page, and add A and AAAA records for both :

www.example.com

ftp.example.com

 

pointing to our public IPv4 IP for the A records                                                    ( Port forwarding needed for IPv4 )

pointing to our Web/FTP server IPv6 IP in the case of IPv6                               ( No port forwarding needed for IPv6 )

 

for our inside network hosts, www.example.com and ftp.example.com will be resolved by query forwarding

 

Published by computer outlines - in Windows Server 2008 R2

15 July 2013, 11:09

Choosing the right domain name is a strategic step when setting up Windows Server DNS and Active Directory. We'll see briefly the right way to do it. Next, we'll see why other ways may create troubles and shouldn't be used.


We'll see things from a practical, professional point of view, i.e. taking into consideration customer needs like public access ( website, ftp site ), domain name securing, site / firm acquisition and merging issues, ...

 

D6a.gif

 

 

 

The right way to choose and design the domain name :

 

 

Domain name authority

 

We should have an internet-accessible domain name, for present and future access needs ( Web Server, FTP Server, ... ). We also need it for identity / visibility locking on the Internet.

 

We also need a second domain name :

We don't want to be authoritative over a whole unique domain name. It only fits very special situations or big firms. Otherwise, it is too heavy a duty ( running several DNS Servers in distinct physical locations, facing DNS flooding and poisoning attacks, ... ).

So we have to use two domain names : one for externally accessed services ( Web Server, FTP Server, ... ) and one for internal services ( DHCP, DNS, Active Directory, .. ). The external domain name management will stay at the registrar level, our DNS server will only manage our internal domain name.

 

 

Domain name design

 

To be able to use these two domain names, we can choose either subdomain or distinct domain name design :

two domains using a subdomain

D6a

 

 

 

In this case we use a subdomain of our registered, external use domain name. I like to use 'int' ( as for internal ), but you can use corp, ad ( as for active directory ), ...
example :

external services ( Web server, ... ) :              example.com
internal services ( DNS, AD, .. ) :                    int.example.com

This is clear and convenient, although it will require a few extra Windows Server settings to get a perfect design with easy and short mail and Active Directory logins. But this is only a cosmetic issue.

Of course, int.example.com must not be used or registered at the example.com authoritative DNS servers.


two domains using 2 distinct domain names

D6b.gif

 

 

In this case we use a separate, registered, domain name for internal services ( DNS Server, Active Directory Server, Exchange Server, ... ) and another one for external publicly accessible services ( web server, ftp server, etc ... ).
We either change the TLD ( top level domain, i.e. .com, .net, ... ) or the first subdomain ( 'example' here ). Example :

external services ( Web server, ... ) :                example.com
internal services ( DNS, AD, .. ) :                      example.net

this creates a clear distinction / decoupling between inside needs and outside needs.
AD and mail logins are slick and easy.
Furthermore, in case of firm acquisition or merging, only the external domain name has to change. We can keep the internal domain name, avoiding an Active Directory migration.
Best of all is if we chose a 'vendor-neutral' internal domain name.



Why these 2 options are the right choices


. The domain names are registered, so guaranteed to be unique. Future site / firm mergers will be simple at the Active Directory level
. Our domain names are registered, thus secured. So we won't be forced to change our domain names, for various causes, with an Active Directory migration as a consequence.

. We avoid the task of public DNS management, only managing our internal DNS needs.



The choices that shouldn't be done, and why

. using a single label domain name ( i.e. without a TLD, like 'example' ). Some software will get confused and messy

. using invented but not registered domain names. They are not guaranteed to be unique, so future site / firm mergers will get complicated. Besides, there may be some legal issues there.

. using an invented TLD : your domain name isn't registered then, so you have the same problems as with using a non-registered domain name. Furthermore, this invented TLD may be registered later on, creating a conflict risk.

. using the .local TLD : this is used by Apple's Bonjour network services, and may cause conflicts.

 

 

RFC technical details

RFC 6761 and RFC 6762 describe some reserved tlds. They are :

.test                             reserved for internal testing
.example                    reserved for documentation
.localhost                   reserved for loopback addressing
.invalid                        reserved for tagging ( self-explanatory )
.local                           private, Multicast DNS link local

They also describe reserved domain names :

example.com             reserved for documentation
example.net               reserved for documentation

example.org               reserved for documentation

 

 

A possible Lab choice

for testing labs, the tld .test may be used, with an invented subdomain. Private DNS Servers can resolve them, if explicitly configured to do so. Public DNS Servers won't.


otherwise, for private use, as well as for testing labs, registering a domain name is the best idea. It's only 7€/$ a year !

Published by computer outlines - in Windows Server 2008 R2

8 July 2013, 14:22

We'll see how to pin to the taskbar every shortcut a network admin needs, including Network Connections. It works for Windows Server 2008 R2 and Windows 7.

 

O2j

 

 

 

How to pin the command line, advanced firewall, computer management and task manager to the taskbar

Most of the useful shortcuts are easy to pin to the taskbar : we just have to find them in the start submenus, right click, and choose : ' Pin to Taskbar '. We can do this for the command line, the advanced firewall and the computer management :

 

O2a.gif

 

To pin the task manager, just type taskmgr.exe in the search field, and right click the found result to pin it :

 

O2b.gif

 

 

 

How to pin Network Connections on the taskbar

 

To pin the network connections is a little more complicated, but for a network admin, it's really worth the 2 minutes spent. Here is how :


. Create a folder in a safe place. I use Documents\Shortcuts\ but you might prefer C:\Shortcuts. So we create a Shortcuts folder


. Right click in this newly created Shortcuts folder and choose New Shortcut :

 

O2c.gif

 

fill the new shortcut fields like this :

 

    location : ncpa.cpl
    name : Network Connections :

 

O2d.gif

 

 

. right click on this newly created ' Network Connections ' shortcut and choose copy :

 

O2e.gif

 

O2f.gif

 

 

. Right click again in our newly created Shortcuts folder and choose New Shortcut :

 

O2g.gif

 

fill the new shortcut field like this :

 

    location : explorer.exe [CTRL+V]                                           ( type 'explorer.exe '+ perform a paste here )
    name : NC

 

O2h.gif

 

 

. Personalise the NC shortcut icon if you will ( right click ) Properties ) Change Icon )

 

. Right click on this NC shortcut ) pin to taskbar :

 

O2i.gif

 

Voila ! Network Connections one click away !
Here is my complete Windows Server setup :

O2j.gif

Note that if you don't mind to have the network connections as a desktop shortcut, it's even easier : just right click a new shortcut on the desktop ( location : ncpa.cpl ).


Published by computer outlines - in Windows Server 2008 R2

8 July 2013, 13:41

Netsh is the remote and local command line tool to manage network connections. Here are a few tips about netsh use, as well as a basic netsh batch file explanation.

 

 

Netsh


Netsh is a very powerful tool, easy to use. Here are 2 things you might not know yet :

. It has an on-going help feature. If you're not sure of a syntax, or a choice, just type the next shorter version.
As an example, if you're not sure of what you might use after ' netsh int ipv6 show ', just type it and netsh will display the different possibilities :

 

O1b.gif

 

Further, if you're not sure of how to use ' netsh int ipv6 set interface ' just type it. Netsh will display the syntax as well as the many options.

. The second nice and lean feature is its autocompletion. You can shorten the words, as long as there is no ambiguity. The more you get used to netsh, the more you spontaneously shorten the words. Here is an example ( [Idx] being the interface index ) :
netsh interface ipv6 set interface [Idx] routerdiscovery=enabled
can be shortened to :
netsh int ipv6 set int [Idx] router=ena


Netsh and the batch file

At some point, we might like to automate our netsh command lines, so we don't have to type the same lines over and over. The batch file might help here. Here is a basic batch file :

O1a.gif

replace [Idx] with your interface index, [Host IP] with your Host IP, ....

( to check the [Idx], just type : netsh int ipv6 show int )
This basic configuration sets up an interface with an IPv6 address, Default Gateway and DNS server. The last two lines just add a pause, so we have the time to read the result.

Using notepad, we just have to save it with the .bat extension. We can now launch it easily. Just remember to run it as administrator ( right click )


Here is another Netsh batch file, IPv4 this time. It sets up a static IPv4. It's very useful when you regularly shift your network location while doing networking admin :

 

O1c.gif

replace [Idx] with your interface index, [Host IP] with your host IP, ...

IPv4 is somewhat easier to admin using batch netsh, because of its ' 1 IP address per interface ' nature.

 

Published by computer outlines - in IPv6

2 July 2013, 13:55

RIP ( Routing Information Protocol ) is the next step to go further into dynamic IPv6 networking. RIPng builds on the foundations of RIPv2, but adds IPv6 support. RIPng stands for ' RIP next generation '.

 

RIPng

 

Like RIPv2, RIPng is a distance-vector routing protocol. It is based on hop count, and thus makes nodes choose the shortest path hop-count-wise. The limit is 15 hops, so the network size mustn't exceed this limit.

 

some important notes :

 

RIPng doesn't support update authentication ( while RIPv2 does )

RIPng doesn't allow arbitrary tags on routes, nor next-hop encoding ( while RIPv2 does )

 

RIPng is multicast using the multicast group ff02::9 ( all RIP Routers link-local )

 

 

RIPng implementation on a small network

 

( to be completed as soon as I receive my two RIPng capable IPv6 routers )

 

Published by computer outlines - in IPv6

1 July 2013, 17:16

We will see here the SLAAC settings for Raspberry PI / Raspbian : Default Gateway, Default Gateway + SLAAC advertiser

Configuration files will be shown.

 

D7b.gif

 

 

RASPBIAN as a Default Gateway

 

 

For this setup, we want Raspbian 1 to advertise itself as a Default Gateway through RAs ( Router Advertisements ), telling hosts to request full DHCPv6 on the subnet. Here is the network map :

 

D7a.gif

 

First we set static IPv6 Addresses for eth0 and eth1.
We allow routing and disable SLAAC autoconfiguration for the Raspbian :

sudo nano /etc/sysctl.conf :

net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.autoconf=0
net.ipv6.conf.eth1.autoconf=0
net.ipv6.conf.eth0.autoconf=0

( the last two lines may be needed to erase previous configurations )

We install the radvd package :

sudo apt-get update
sudo apt-get install radvd

We edit the radvd config file :

sudo nano /etc/radvd.conf :

interface eth1 {
 AdvSendAdvert on;
 AdvManagedFlag on;
 AdvOtherConfigFlag on;
 MinRtrAdvInterval 3;
 MaxRtrAdvInterval 10;
 prefix 2001:db8:0:1::/64 {
  AdvOnLink on;
  AdvAutonomous off;
  AdvRouterAddr on;
 };
};

not much to comment about this configuration file :

RA advertisement is on                 Raspbian sends RAs
Managed + OtherConfig are on           Clients should request full stateful DHCPv6 on the subnet
MinRtr + MaxRtr                        Advertisement timings
AdvOnLink on                           Raspbian states that it is on-link ( not behind a router )
AdvAutonomous off                      Clients should not perform SLAAC autoconfiguration
AdvRouterAddr on                       MAC address of the Raspbian is sent

 

 

RPI advertised as default gateway + SLAAC + Stateless DHCPv6 provider

D7b

Here we wish to have the Raspbian OS perform as a full Gateway :

. Advertise itself as a default gateway

. Send SLAAC autoconfiguration data

. Send DNS Servers IPs + Domain name

First, we set static IPv6 Addresses for eth0 and eth1.

We allow routing and disable SLAAC autoconfiguration for Raspbian interfaces :

the /etc/sysctl.conf file needs to contain this part :

#  based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.autoconf=0
net.ipv6.conf.eth1.autoconf=0
net.ipv6.conf.eth0.autoconf=0

( The last two lines may be needed, to erase previous interfaces configuration )

We install the radvd package :

sudo apt-get update
sudo apt-get install radvd

We edit the radvd configuration file :

sudo nano /etc/radvd.conf :

interface eth1 {
 AdvSendAdvert on;
 AdvManagedFlag off;
 AdvOtherConfigFlag on;
 MinRtrAdvInterval 3;
 MaxRtrAdvInterval 10;
 prefix 2001:db8:0:1::/64 {
  AdvOnLink on;
  AdvAutonomous on;
  AdvRouterAddr on;
 };
};

It's the same as the previous example ( see it for details ), except for the Managed and Autonomous flags :

Managed flag is off, and Autonomous flag is on :

The host will autoconfigure its IPv6 addresses using SLAAC. Do note that because the OtherConfig flag is on, hosts will send a DHCPv6 request for DNS / Domain name data.

So we need to install the wide-dhcpv6-server package for this :

sudo apt-get install wide-dhcpv6-server

and create its configuration file :

sudo nano /etc/wide-dhcpv6/dhcp6s.conf

 

option domain-name-servers 2001:4860:4860::8888;
option domain-name "example.com";

interface eth1 {
};


( See previous posts for full explanations about the wide-dhcpv6 packages and Raspbian )
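
The two radvd.conf files above differ only in the Managed, OtherConfig and Autonomous flags. As an added example ( not from the original post ), this shell function reads a radvd.conf and reports where hosts on an interface will get their addresses and DNS servers from. The names ra_mode and sample_conf are made up here, and sample_conf is a shortened copy of the page's file, built for the demonstration.

```shell
#!/bin/sh
# Added example: derive client behaviour from the M / O / A flags in radvd.conf.
# Flags missing from the file take the radvd defaults:
# AdvSendAdvert off, AdvManagedFlag off, AdvOtherConfigFlag off, AdvAutonomous on.

ra_mode() {   # usage: ra_mode <interface> < radvd.conf
  awk -v want="$1" '
    /^[ \t]*#/ { next }                         # skip comment lines
    { gsub(/[;{}]/, " ") }                      # drop punctuation, re-split fields
    $1 == "interface"          { inside = ($2 == want); next }
    !inside                    { next }
    $1 == "AdvSendAdvert"      { send = $2 }
    $1 == "AdvManagedFlag"     { m = $2 }
    $1 == "AdvOtherConfigFlag" { o = $2 }
    $1 == "AdvAutonomous"      { a = $2 }
    $1 == "RDNSS"              { rdnss = 1 }
    END {
      if (send != "on") { print "no RA sent on " want; exit }
      if (a == "") a = "on"
      addr = (a == "on") ? "slaac" : ""
      if (m == "on") addr = (addr == "" ? "" : addr "+") "dhcpv6"
      dns = (m == "on" || o == "on") ? "dhcpv6" : ""
      if (rdnss) dns = (dns == "" ? "" : dns "+") "rdnss"
      print "address=" (addr == "" ? "none" : addr) " dns=" (dns == "" ? "none" : dns)
    }'
}

sample_conf() {   # constructed sample: sample_conf <Managed> <OtherConfig> <Autonomous>
  cat <<EOF
interface eth1 {
 AdvSendAdvert on;
 AdvManagedFlag $1;
 AdvOtherConfigFlag $2;
 prefix 2001:db8:0:1::/64 {
  AdvOnLink on;
  AdvAutonomous $3;
  AdvRouterAddr on;
 };
};
EOF
}

sample_conf on on off  | ra_mode eth1   # first file on this page: stateful DHCPv6
sample_conf off on on  | ra_mode eth1   # second file: SLAAC + stateless DHCPv6
sample_conf off off on | ra_mode eth1   # constructed case: no DNS source is advertised
```

On the gateway itself it can be run as ra_mode eth1 < /etc/radvd.conf. A dns=dhcpv6 result means a DHCPv6 server has to answer on that interface, otherwise hosts end up with no IPv6 resolver.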

Do remember to take care of firewall rules, for the RAs and DHCPv6 requests to get in.

Finally, for precision, here is a static IPv6 configuration file :

cat /etc/network/interfaces


auto lo

iface lo inet loopback
iface eth0 inet dhcp
iface eth1 inet dhcp

iface eth0 inet6 static
address 2001:db8:0:0::240
netmask 64
gateway 2001:db8:0:0::1

iface eth1 inet6 static
address 2001:db8:0:1::1
netmask 64


allow-hotplug wlan0
iface wlan0 inet manual
wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp

 

 

RASPBIAN OS as a Default Gateway / SLAAC / RDNSS provider

 

[ to be written soon. A network component is needed ]

 

Published by computer outlines - in RASPBERRY PI
1 July 2013, 16:02

We will see here the settings for Raspberry PI / Raspbian as a SLAAC Client. Configuration files will be shown.

 

 

  D6a

 

RASPBIAN SLAAC / Stateless DHCPv6 Client

 

We will first see how to setup Raspbian OS as a simple SLAAC + Stateless DHCPv6 client.

Here is the network map used :

 

D6a

 

First, we setup /etc/sysctl.conf. It should contain these lines :

 

#  based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.all.autoconf=1
net.ipv6.conf.eth0.autoconf=1

( The last line may be needed, to erase some previous settings )

 

We need a dhcpv6 client for the Stateless DHCPv6 requests :

 

sudo apt-get install wide-dhcpv6-client

 

The default config file doesn't need to be changed. It will request DNS and Domain name information. To check it :

 

cat /etc/wide-dhcpv6/dhcp6c.conf

 

( to be added )

 

The default /etc/network/interfaces doesn't need to be changed either. Here is the default one :

 

cat /etc/network/interfaces

 

( to be added )

 

Finally, we need to remember to let RAs ( Router Advertisements ) in using ip6tables

 

 

RASPBIAN SLAAC / RDNSS client

 

Now let's see how to set up our RASPBIAN OS using SLAAC / RDNSS. The network map is :

 

 

D6a

 

First, we setup /etc/sysctl.conf. It should contain these lines :

 

#  based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.all.autoconf=1
net.ipv6.conf.eth0.autoconf=1

( The last line may be needed, to erase some previous settings )

 

We need a RDNSS client for the RDNSS requests :

 

sudo apt-get install rdnssd

 

The default config file doesn't need to be changed. It will append IPv6 DNS IPs to /etc/resolv.conf.

 

The default /etc/network/interfaces doesn't need to be changed either. Here is the default one :

 

cat /etc/network/interfaces

 

( to be added )

 

Finally, we need to remember to let RAs in ( Router Advertisements ) using ip6tables

 

There is an important point to look at :

 

Resolvconf only puts 3 records max in /etc/resolv.conf. As an example, if you happen to have 3 DHCPv4 records advertised to the RASPBIAN OS ( because of dual NIC ), there won't be any place left for RDNSSD to register. One advertised DHCP DNS record has to be removed.

1st solution :

 

Edit the resolvconf/interface-order file to put rdnssd first :

 

sudo nano /etc/resolvconf/interface-order

and add as first line :

# interface-order(5)
*.rdnssd


2nd solution :

Remove one or two advertised DHCP DNS records from the RASPBIAN OS subnets.


RASPBIAN dual SLAAC client + RDNSS client

 

This third configuration is rarely useful, but it brings some very interesting points to light. Here is the network map :

 

D6b

 

We want Raspbian 1 to request a full SLAAC configuration via eth0 ( IPv6 addresses, default gateway, DNS server IPs ), and to use Internet Gateway as its default gateway via eth0.

We also want eth1 to get a SLAAC IPv6 address. We don't need to receive DNS IPs from Router 1/eth1, and don't want to have Router 1/eth1 registered as a default gateway.

 

First, we setup /etc/sysctl.conf. It should contain these lines :

 

#  based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.autoconf=1
net.ipv6.conf.eth1.accept_ra_defrtr=0
net.ipv6.conf.eth1.autoconf=1
net.ipv6.conf.eth0.autoconf=1

 

( The last two lines may be needed, to erase some previous settings )

Please note this line : net.ipv6.conf.eth1.accept_ra_defrtr=0 :

It prevents eth1 from registering a default route, so we will only have one default route listed.

To check the IPv6 default routes registered by the RASPBIAN OS :

 

ip -6 route show

 

 

We need a RDNSS client for the RDNSS requests :

 

sudo apt-get install rdnssd

 

The default config file doesn't need to be changed. It will append IPv6 DNS IPs to /etc/resolv.conf.

 

The default /etc/network/interfaces doesn't need to be changed either. Here is the default one :

 

cat /etc/network/interfaces

 

( to be added )

 

Finally, we need to remember to let RAs in ( Router Advertisements ) using ip6tables
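
The firewall notes on this page ( RAs in on the clients, RAs and DHCPv6 requests on the gateway ), written out as an added example that is not from the original post. It assumes an INPUT chain that drops by default. The name ra_fw_rules is made up here, and the function only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: print the ip6tables INPUT rules each role needs for RA and DHCPv6.
# Assumption: the INPUT chain drops by default, so only what is listed here gets in.
# After review, apply with:  ra_fw_rules client eth0 | sudo sh

ra_fw_rules() {   # usage: ra_fw_rules client|router <interface>
  role=$1
  ifc=$2
  base="ip6tables -A INPUT -i $ifc"
  case $role in
    client)
      # A valid RA has a link-local source and hop limit 255 ( RFC 4861 ), so it
      # cannot have crossed a router. Anything else is left to the default drop.
      echo "$base -p ipv6-icmp --icmpv6-type router-advertisement -s fe80::/10 -m hl --hl-eq 255 -j ACCEPT"
      # DHCPv6 replies arrive on the client port, UDP 546, from an on-link server.
      echo "$base -p udp --dport 546 -s fe80::/10 -j ACCEPT"
      ;;
    router)
      # Router Solicitations from hosts. The source may still be :: at that
      # point, so only the hop limit is checked.
      echo "$base -p ipv6-icmp --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT"
      # DHCPv6 requests from directly attached hosts go to the server port, UDP 547.
      echo "$base -p udp --dport 547 -s fe80::/10 -j ACCEPT"
      ;;
    *)
      echo "usage: ra_fw_rules client|router <interface>" >&2
      return 1
      ;;
  esac
}

ra_fw_rules client eth0   # a Raspbian SLAAC client, as in this post
ra_fw_rules router eth1   # the Raspbian gateway, advertising on eth1
```

Binding each rule to one interface keeps an RA that arrives on any other interface from being accepted.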

 

Again we have the resolv.conf point to look at :

 

Resolvconf only puts 3 records max in /etc/resolv.conf. As an example, if you happen to have 3 DHCPv4 records advertised to the RASPBIAN OS ( because of dual NIC ), there won't be any place left for RDNSSD to register. One advertised DHCP DNS record has to be removed.

1st solution :

 

Edit the resolvconf/interface-order file to put rdnssd first :

 

sudo nano /etc/resolvconf/interface-order

and add as first line :

# interface-order(5)
*.rdnssd


2nd solution :

Remove one or two advertised DHCP DNS records from the RASPBIAN OS subnets.

