• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Astaro ASG v8 supports IPv6 and tunnelbroker.net

Started by mcgurrin, December 14, 2010, 12:08:45 PM


mcgurrin

Astaro ASG v8 supports IPv6 with several tunnel brokers out of the box. It does not include tunnelbroker.net, but it has a separate section for 6to4 tunnels where you can add the IP for your tunnel server, and then you add the routed /64 to your interface. I recommend your internal one for the addresses and your external for the tunnel, because the prefix assignment assigns addresses from the prefix on the interface attached to that network. While Astaro is primarily an expensive business system, there is a free full version with all of the features for home for up to 50 devices to run on your own hardware. If anyone has one set up and wants help setting up IPv6, I can help; I have done it just recently with tunnelbroker.net at one place I work. To use prefix assignment you must assign a /64 network or it will fail.

caltechsol

Are you saying I can create a tunnel on HE's site, then use the server IPv4 address HE gives me to make a 6to4 tunnel, as long as I assign the correct 2001: address to the internet interface?

And then I can use the routed /48 as normal and not have to use the default 6to4 anycast server?

broquea

Quote from: caltechsol on February 17, 2011, 02:19:40 PM
Are you saying I can create a tunnel on HE's site, then use the server IPv4 address HE gives me to make a 6to4 tunnel, as long as I assign the correct 2001: address to the internet interface?

And then I can use the routed /48 as normal and not have to use the default 6to4 anycast server?

6to4 is a protocol 41 tunnel, just with specific anycast ranges involved. So if their interface allows you to create a "6to4" tunnel and you can use our usual specifics, it theoretically should work since they utilize the same ipv6-in-ipv4 encapsulation.
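Added example, not part of the original thread or any poster's code: a small Python parser showing why a configured tunnel and 6to4 look identical to the firewall at the outer layer (both are IPv4 protocol 41) and differ only in addresses: 2002::/16 (RFC 3056) and the 192.88.99.1 relay anycast (RFC 3068). The function names, the `spoof_suspect` field and the sample packets are hypothetical and constructed from documentation address ranges.

```python
import ipaddress
import struct

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")      # 6to4 prefix (RFC 3056)
ANYCAST_RELAY = ipaddress.ip_address("192.88.99.1")  # 6to4 relay anycast (RFC 3068)

def build(outer_src, outer_dst, inner_src, inner_dst):
    """Construct a minimal IPv6-in-IPv4 sample packet (checksum left at 0)."""
    inner = struct.pack("!IHBB", 6 << 28, 0, 59, 64)  # version 6, no payload, hop limit 64
    inner += ipaddress.ip_address(inner_src).packed + ipaddress.ip_address(inner_dst).packed
    outer = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(inner), 0, 0, 64, 41, 0)
    outer += ipaddress.ip_address(outer_src).packed + ipaddress.ip_address(outer_dst).packed
    return outer + inner

def classify(packet):
    """Return None unless the packet is well-formed protocol 41, else describe the tunnel."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 41:
        return None
    ihl = (packet[0] & 0x0F) * 4              # outer header length in bytes
    inner = packet[ihl:]
    if ihl < 20 or len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    o_src = ipaddress.ip_address(packet[12:16])
    o_dst = ipaddress.ip_address(packet[16:20])
    i_src = ipaddress.ip_address(inner[8:24])
    i_dst = ipaddress.ip_address(inner[24:40])
    is_6to4 = (i_src in SIX_TO_FOUR or i_dst in SIX_TO_FOUR
               or ANYCAST_RELAY in (o_src, o_dst))
    info = {"kind": "6to4" if is_6to4 else "configured",
            "outer": (str(o_src), str(o_dst)),
            "inner": (str(i_src), str(i_dst)),
            "spoof_suspect": False}
    if i_src in SIX_TO_FOUR:
        # A 6to4 source embeds its IPv4 address in bits 16..47; a mismatch
        # with the outer source address is a common anti-spoofing signal.
        info["spoof_suspect"] = ipaddress.ip_address(i_src.packed[2:6]) != o_src
    return info

# Constructed samples: a configured tunnel, a consistent 6to4 packet, a mismatched one.
HE_STYLE = build("192.0.2.10", "198.51.100.1", "2001:db8:1::2", "2001:db8:ffff::1")
SIX_TO_FOUR_OK = build("192.0.2.10", "192.88.99.1", "2002:c000:20a::1", "2001:db8::1")
SPOOFED = build("203.0.113.5", "192.0.2.10", "2002:c000:20a::1", "2002:c633:6401::1")

if __name__ == "__main__":
    for name, pkt in (("configured", HE_STYLE), ("6to4", SIX_TO_FOUR_OK), ("spoofed", SPOOFED)):
        print(name, classify(pkt))
```

On a perimeter that only expects a configured tunnel, protocol 41 from any outer address other than the tunnel server, or any inner 2002::/16 source, is worth logging.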

caltechsol

I was able to get it to work. Added HE.net's tunnel server as the endpoint, configured an IPv6 address (my end of the tunnel) on the Internet interface, and added portions of the routed /48 to the other interfaces, and I have IPv6!

mcgurrin

Quote from: caltechsol on February 17, 2011, 03:42:15 PM
I was able to get it to work. Added HE.net's tunnel server as the endpoint, configured an IPv6 address (my end of the tunnel) on the Internet interface, and added portions of the routed /48 to the other interfaces, and I have IPv6!

Good, sorry I wasn't able to get to this sooner. Have you enabled any services to let users use the addresses? The address range that will be used for radvd (sp?) is the one for the interface they are connected to, so the interface with your users is the most important one for assigning a /64 to. I believe it also supports DHCP6 if you prefer that. Good luck, we have been using it very successfully for a while now and it works great, and at least with Macs required no client config to have it running.

caltechsol

I just set up /64s from my /48 on the Prefix Announcement page and it works fine. I don't bother with DHCPv6 because I have to dual stack anyway.

mcgurrin

Quote from: caltechsol on February 18, 2011, 07:55:19 AM
I just set up /64s from my /48 on the Prefix Announcement page and it works fine. I don't bother with DHCPv6 because I have to dual stack anyway.

My recollection is that that is radvd (sp?) that that uses. You don't need both that and DHCP6; I was just curious that you had used either, and apparently you used one.

So you know, all of the same firewall rules and packet filtering/interception capabilities still work with IPv6, so that causes no security issues.

caltechsol

By default (as far as I can tell) all the Packet rules become IPv6 aware. That does mean if your only security was NAT you've a problem, but since that's a silly way to set it up it shouldn't be. You can create IPv6 or IPv4 only rules.

mcgurrin

Quote from: caltechsol on February 18, 2011, 08:06:57 AM
By default (as far as I can tell) all the Packet rules become IPv6 aware. That does mean if your only security was NAT you've a problem, but since that's a silly way to set it up it shouldn't be. You can create IPv6 or IPv4 only rules.

As far as I can tell, having NAT as the only security is not possible with the ASG, but in any event it would be very silly to do so with such a capable box, as you say.