Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Are you using a DSL Connection??

Started by UltraZero, February 04, 2011, 08:22:08 AM


antillie

Quote from: UltraZero on February 16, 2011, 01:57:14 PM
Antillie - Are you still running access list/firewall software on the Cisco in order to protect it as well?

Short answer, not really. Access to the router itself is limited to SSH only and SSH user authentication is handled by a backend RADIUS server with account lockout policies. The router just routes, it doesn't really filter much. Basically the router just blindly forwards everything to the 5505. The 5505 then decides what to allow in and what to drop based on its ACL rules and stateful firewall inspection engine.

Long answer, kinda. For IPv4 I have port 22 forwarded to the 5505 which in turn is configured to limit SSH access to only 3 certain external IPs that I personally trust. In IPv6 the router has an ACL on the tunnel interface that drops port 22 and allows everything else. So if you try and SSH to any of my IPv6 addresses the router will drop the traffic. If you try to SSH to my IPv4 address you hit the 5505 which won't talk to you anyway. That way random people can't try and brute force their way into any of my network devices over SSH. 

If you send me IPv6 traffic on any other port you pass straight through the router and hit the 5505's firewall rules. If you send me IPv4 traffic on some other port you'll have to pass through the router's PAT table (which isn't hard) but then you hit the 5505 and its stateful inspection engine and firewall rules again.

Quote from: UltraZero on February 16, 2011, 01:57:14 PM
So.. If you were to run in non-dual-stack mode, IPv6 only, the 5505 would or would not work??

The 5505 would work just fine in an IPv6 only network for the most part. The only thing it really needs IPv4 connectivity for is for AAA servers (like RADIUS) or DNS name servers. Neither of those things are strictly needed to make it work as a firewall though.

Quote from: UltraZero on February 16, 2011, 01:57:14 PM
BTW - You wrote me a reply some time ago about my configuration. You said I didn't have any unicast address in my config.  What you were talking about was just for the purposes of routing internally from subnet to subnet and out onto the tunnel, which wasn't the issue with fixing the not-pinging issue. Correct??

Well, without a global unicast address on a given interface an IOS router can't route public IPv6 traffic on that interface. So in order for hosts on your LAN to hit ipv6.google.com your IOS router will need a global unicast address on its tunnel interface and on its LAN-facing interface (and a default route for IPv6 traffic). But if you are just trying to ping ipv6.google.com from the router itself, all you need is a global unicast address on the tunnel interface and a default route for IPv6 traffic pointing to the address on the other side of the tunnel. You can take a look at most of my router config in this post. I removed the VPN and IPv4 port forwarding stuff for simplicity's sake, but all the basic IPv6 connectivity config is there. You can even see the IPv6 ACL that drops port 22.
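An added IOS fragment (not antillie's actual config from the linked post) laying out what the reply describes: a global unicast address on the tunnel and LAN-facing interfaces, an IPv6 default route toward the far end of the tunnel, and an inbound ACL on the tunnel interface that drops SSH to any IPv6 address and passes everything else on to the firewall behind the router. Addresses are documentation prefixes (2001:db8::/32, 192.0.2.0/24) used as placeholders.

```text
ipv6 unicast-routing
!
! Inbound filter for the tunnel: drop any TCP/22 arriving over the
! tunnel (to the router or to LAN hosts), permit everything else so the
! stateful firewall behind the router makes the remaining decisions.
ipv6 access-list TUNNEL-IN
 deny tcp any any eq 22
 permit ipv6 any any
!
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 address 2001:DB8:1:1::2/64
 ipv6 enable
 ipv6 traffic-filter TUNNEL-IN in
 tunnel source 192.0.2.10
 tunnel destination 192.0.2.1
 tunnel mode ipv6ip
!
interface GigabitEthernet0/1
 description LAN toward the ASA 5505
 ipv6 address 2001:DB8:2:1::1/64
 ipv6 enable
!
! Default route for IPv6 points at the HE side of the tunnel.
ipv6 route ::/0 2001:DB8:1:1::1
```

"show ipv6 access-list TUNNEL-IN" prints per-entry match counts, which is the quickest way to confirm the deny line is actually catching inbound SSH attempts.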

UltraZero

Re: your config, I have had this sitting on my desktop for some time.  I just wanted to get to this after I figured out the modem issue.

BTW - No go on the D-Link modem. I spent the better part of today trying to get that thing to connect the way I have my existing unit connect.  I guess I will have to sit down and figure out PPPoE w/NAT overload and possibly DHCP on the same interface.  I think there is a conflict with the ip address line where one statement wants no ip address, the other wants dhcp and the other wants negotiated.  So, I need to sit down and sort this out so I can get past the PPPoE issue and move on.

I see there isn't any PPPoE in your config.  What is your network connection?  Are you performing the PPPoE via the modem??

Also, I see you are running RADIUS software.  I have run RADIUS back in the early 90s when I ran a small ISP out of my house.  Who makes good software nowadays?  Back then, it was shareware and I think it can still be obtained as such..

Thanks

antillie

I am not using PPPoE. My internet connection is a cable modem from Time Warner Cable. This makes things a bit simpler for me as my cable modem is just a dumb layer 1 and 2 bridge device that translates between RJ45/Ethernet and Coax/DOCSIS. I honestly don't have much experience with PPPoE or DSL. Unfortunately this may make my router config a bad example when using DSL or PPPoE. Hopefully it will still be a useful example in some way or another.

My back end RADIUS device is a Windows Server 2008 R2 box running Active Directory. Win2k8 R2 can act as a RADIUS server out of the box via the Network Policy Server role. Older versions of Windows Server can do it as well. I chose to tie RADIUS to AD to make user account management easier (one login for everything) and to make it easy to implement account lockout policies across my network for PCs, network devices, VPN access, and wifi access. Yes, my home LAN is a little crazy. ;)

Since RADIUS is an open standard I'm sure there are plenty of open source implementations out there for just about any platform you might want to use.

I think chenson's advice is good. Get your IPv4 connectivity working first and then worry about playing with IPv6. Take it slow, step by step. My LAN is the product of 3 years of evolutionary tweaking, upgrading, and learning. I didn't go from 2 WinXP boxes with a Linksys WRT54g to a fully Cisco powered network with internal DNS, AD, RADIUS, WPA2-Enterprise, IPv6, and VPN access in a day. ;)

UltraZero

Hmm.  I've always gone in head first.

I am basically Rip Van Winkle.  Many years ago, I was a NetWare admin.  1990s.  I used to have 25 PCs, running under NetWare and Windows NT 3.5.  I also had Linux when it first came out.  Man, those were the days.  Having to compile the operating system to fit one's needs was pretty fun.  Also, I ran SCO Unix.  All systems were tied together with NFS. This way, I could have a whopping 60 gig of disk space tied together.  I used to run a BBS as well.  I was doing this before the internet became public.  I also had a fractional frame relay connection in my house supporting a small ISP.  Man, that was fun.

So.. slowly that went away.. In 2001 I fell asleep.  The dot com bust happened, and I left the industry completely.  PCs went away due to age.  Well, I woke up this past December with an itch.

I thought I had a pretty large home network back then.  Now, I see some people have small datacenters in their house. 10s of terabytes of storage.  Routers, racks, servers.  Hmmm.. I like it..

Getting a large network connection is really expensive, but a T1 pretty much has not changed in price.  A little slow, but several can be put together.  I personally would not mind having a T3 to the home.

Anyway...  I'm scratching it. Again head first.  Nice to know old auction contacts.

NetWare is dead, although I still have my NetWare servers which haven't been started since about 2001.  Software is still expensive.   Windows 2008 I have only seen briefly.  Windows 2003 is not bad.   I supported a heavily used NetWare server that stayed online and was not taken down for 370 days.  We took it offline because I needed to perform a UPS upgrade for a datacenter and all systems had to be brought offline (1am maint.  Done a few of them).

I think NetWare was far better than Windows.  Microsoft gained ground when Novell's stock dropped.  Microsoft saw an opportunity to kick a company when they were down for 1 day and took the market share by heavy advertisement from Novell.  I guess that's how the cookie crumbles.  The company I worked for bowed down and went that route.  It's much better than it used to be....

chenson

Nice to see some old school folks still around. My start was similar. However, I stayed in the IT game. Moved into networking and security mostly. You are right about home LANs. 15 years ago my "home LAN" was an RJ-11 cable I used to dial into systems with. Now, I have a DMZ'd wifi for my kids' PSPs and DSis. My wife's Mac uses it as well as my netbook and multiple laptops. Then, hardwired, I have a half rack in the basement with my networking equipment and servers. I've had small business deployments with less technology and features deployed. :)

IPv6 is just an animal I have dodged for no other reason than I didn't need to deal with it and I had plenty of other stuff to deal with. Now it's time to get a better understanding of it. My cable modem at home with Charter is a dynamic IP. There is an interesting thread regarding some Perl scripts being used to manage dynamic IPs. I will get to that later. Right now, my focus is my AT&T DSL in my work lab. We have the tunnel up and we are running fine with the routed /64. However, I am using the complimentary /48 behind my PIX and having several issues. About the only thing working there is SLAAC. So I'm focusing on that right now. Nothing to do with my HE tunnel. This is a Cisco issue.

Anyway, keep us posted on your progress. It's like riding a bike. Yes, SCO and Netware are mostly conversation pieces these days. But the logic never changes.
-CHenson-

UltraZero

Man..  You hit the nail on the head.

In reference to your DSL setup at work, I think you said you are running a Cisco router.  What are you using for the DSL modem?

- In reference to my home network, I used to work for a 2 billion dollar company that had a terrible network.  They had presence all over the world, but their network in the corporate office was slow and needed to be updated. No backups on their servers.  (They did, but the hardware was old and so was the software.)  I think I got the job because on my resume I listed the hardware and software I owned and that I could take home any of their projects and test it out on my network. I also told them if I needed to obtain additional disk space, I would foot the bill to do it.

Now, my network isn't as impressive as what I hear people have.  I have a wireless net, but I'm not impressed with it.  Security is on my mind constantly.  In the last 2 months I went from having a simple DSL connection with 1 wireless computer and 1 hard wired computer to (went into the garage) pulling out my old PCs, pulling out my original Cisco 2621 and going from there.  Mind you, even though I was Rip Van Winkle, I had 1 sleepy hand hanging out of the bed typing on eBay buying Cisco equipment.  That being said, certain rooms get loud and warm.

I will say this, I have in the last 2 months started studying for my Cisco certs.  In a few weeks, I hope I can take my first test.  Then it's on to the CCNP.  Now there's something I need equipment for.  Need several more switches. Routers I got covered.  I can create, router-wise, a pretty large CCIE lab.  I'm thinking of dabbling a little in Juniper after my CCNP just to see what is there.  I think security is going to be a problem; as someone mentioned, with NAT going away, networks will not be able to hide under the dynamic IP numbers.  Funny enough, I started looking into the total amount of IP addresses.  I saw a number of 18 quintillion and I thought that was large, but, being a person who likes to think ahead, I thought we would run out of IPv6 numbers in my lifetime.  Even though the number is so large, I figured since the beginning of computers we have always pigeonholed ourselves by thinking "Oh, we will never be able to use that much memory" (the 640K barrier), or "Oh, no one could ever fill a 10 gig hard drive", for those who have not been around that early in the game.

Well, I thought for sure, seeing as China hasn't really come online with the internet.  The US uses 75 percent of the IP address scheme.  I figured a quintillion will surely be eaten up in 20 years.  Really, think about the plan.  Every item is going to have an IP address.  Cars, watches, TVs, Coke machines (already have them).  I'm sure the new Social Security Numbers will be an IP address.  (Just made that last one up)

Then....... I stumbled on the real possible number that just blew my mind: 340 undecillion.  The number is so large, my spell check is having a conniption. O.K.  I've totally drifted as usual.  Once you get my fingers going, they don't want to stop..

Back to the task at hand.

I really want to know what you are using in the lab for the modem.  If you are using a WIC card or an external modem, I'd like to know.  Also, are you in bridge mode on the external modem, and if so, are you using PPPoE with NAT and DHCP? If so, I have issues with that because I am running into a conflict with these being on 1 interface.  The "no ip address" vs "ip address dhcp" vs "ip address negotiated" is my hangup for the configuration in order for me to put the modem in bridge mode or at least move the PPPoE function/firewall functions over to the router.

Let me know.

Whew... That was a mouthful..

Man.. I could talk all day about the old days.  Especially the Novell NetWare vs Microsoft Windows NT conversion..  Someone during that time could not stay online past 1 month without being rebooted.  Hmm, I wonder who that was..

chenson


DSL@WORK - Cisco 2851 ISR with WIC-1-ADSL card. The hardest part was explaining to the AT&T consumer support folks that I needed the VPI/VCI values to configure the ATM p2p subinterface. They were like... "Huh?". :) Once they did some checking in their knowledge base they found a few numbers and read them to me and I was up and running fine. I definitely like the DSL being native to the router so I can really see what's going on.

And then your post went all over the place..... :)

And here is my sanitized router config for your viewing pleasure. Including the IPv6 stuff.

PS: Studying - Look into GNS3. Think VMware for IOS. I run between 10 and 15 virtual routers with full MPLS/OSPF/BGP topologies on a single HP server. It's all wired up for my studies. It's just a file. You can lay your topology out any way you want. I baseline configs in a virtual sandbox before deploying them to production. Doesn't cost me anything. I could go on forever about it but that's a different forum. Just check it out. You'll be thankful you did.

CONFIG:
###########################################################################


RTR-1>
RTR-1>
RTR-1>ena
RTR-1#sho run
Building configuration...

Current configuration : 1785 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR-1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
vpdn enable
!         
!
ipv6 unicast-routing
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!         
!
!
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 address 2001:470:7:B67::2/64
ipv6 enable
tunnel source 65.15.158.25
tunnel destination 216.66.22.2
tunnel mode ipv6ip
!
interface GigabitEthernet0/0
ip address 65.15.158.25 255.255.255.248
duplex auto
speed auto
ipv6 address 2001:470:8:B67:DEAD::1/64
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
atm restart timer 300
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
pvc 8/35
  pppoe-client dial-pool-number 13
!
!
interface Dialer1
mtu 1492
ip address 192.168.1.10 255.255.255.0
encapsulation ppp
dialer pool 13
ppp chap hostname myname@myemail.net
ppp chap password 0 youllhavetoguess
ppp pap sent-username myname@myemail.net password 0 itoldyoutoguess
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip http server
no ip http secure-server
!
ip access-list extended DENY-EVERYTHING
deny   ip any any
deny   icmp any any
!
ipv6 route 2001:470:E375:BAD1::/64 2001:470:8:B67:DEAD::2
ipv6 route ::/0 Tunnel0
!
!
!
control-plane
!
!
!
!
!
!
!
!         
!         
!
line con 0
line aux 0
line vty 0 4
access-class DENY-EVERYTHING in
no login
transport input none
line vty 5 15
access-class DENY-EVERYTHING in
login
transport input none
!
scheduler allocate 20000 1000
!
end

RTR-1#

###########################################################################
-CHenson-
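An added IOS example (not chenson's config above, and not a fix anyone in the thread posted) showing the bridged-modem layout UltraZero keeps asking about, with the three address statements each on the interface they belong to: "no ip address" on the ATM side, "ip address negotiated" on the dialer, and DHCP only as a server on the LAN. It assumes the modem is in bridge mode and the same 8/35 PVC as chenson's config; the credentials, prefixes and tunnel endpoint are placeholders.

```text
! ATM side: no IP address here at all. The PVC just hands PPPoE frames
! to dialer pool 1, so "no ip address" is correct on this interface.
interface ATM0/0/0
 no ip address
 dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
!
! Dialer: the only WAN interface that carries an address, and it is
! negotiated over PPP (IPCP), not learned by DHCP. "ip address dhcp"
! belongs to the non-bridged setup where the modem stays the PPPoE client.
interface Dialer1
 description PPPoE session to the DSL provider (modem in bridge mode)
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ! placeholder credentials; use the ones the DSL provider issued
 ppp chap hostname user@example.net
 ppp chap password 0 PLACEHOLDER-PASSWORD
 ppp pap sent-username user@example.net password 0 PLACEHOLDER-PASSWORD
!
! LAN side: DHCP lives here as a server for the clients, not on the WAN.
interface GigabitEthernet0/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
!
ip dhcp excluded-address 192.168.1.1 192.168.1.9
ip dhcp pool LAN
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
!
! PAT (NAT overload) the LAN out the dialer's negotiated address.
ip access-list standard LAN-NAT
 permit 192.168.1.0 0.0.0.255
ip nat inside source list LAN-NAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! The 6in4 tunnel sources from Dialer1 rather than a literal address,
! so it follows whatever IPv4 address the session negotiates. HE still
! has to be told the new client IPv4 address whenever it changes.
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 address 2001:DB8:1:1::2/64
 ipv6 enable
 tunnel source Dialer1
 tunnel destination 192.0.2.1
 tunnel mode ipv6ip
!
ipv6 route ::/0 Tunnel0
```

"show pppoe session" confirms the session came up and "show ip interface brief" shows the address Dialer1 negotiated; if the tunnel still fails once that address matches what HE has on file, the remaining suspect is protocol 41 not getting through the modem or provider.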

UltraZero

Did you say earlier your connection speed is around 1.5 on the DSL??

BTW - I know.  I talk too much.  Remember, I just woke up and have a lot of years to catch up on..

LOL>>

Thanks

BTW - should have new net connection tomorrow.  hopefully this will resolve the problem.  Still keeping DSL for a while.  I still want to figure out why I can't get the connection to work.

chenson

That's right. It's just a junk DSL for testing stuff out. It's 1.5Mbps.
-CHenson-

UltraZero

Hey.  If you can connect to the net, it's better than nothing.

Besides.  It works. 

I considered making the connection this way seeing as I have that same card, but since I have a 6 meg connection, I thought it was going to give me issues due to the speed difference and the fact that the speed would not work for my wife and me watching a lot of videos on Hulu and YouTube.  LOL..

Well, when the other connection gets in, I think I will have more time to take that connection offline to actually play with it.  If I can get the DSL to work in bridge mode, maybe I'll shut off the cable.. Hmm.  I guess that depends on which one is cheaper vs faster.. and less headaches..


UltraZero

Good Afternoon/Evening.

I just thought I'd give you folks an update.

No 1.  I still can't get the ATT DSL side of my connection to work.  If I could find the instructions for the altered Siemens 5100 modem, I would put the unit into bridge mode and go for it, but I just didn't want to get stuck.

ATT has a funny little quirk.  There is an issue about wanting a hostname for getting a DHCP address.  Solved that problem, but still would not connect to a tunnel.

No 2.  I went out and purchased a new D-Link (really didn't want to, but I didn't find anything that looked like it was any better, not to mention not too many choices of modems without the router).  Well, after spending $50.00, I could not get that unit to work.  I could get the modem to connect to my laptop with no problem, but I could not get it to connect to my network.  Go figure.

Pause...  Had an idea, tried it, but no such luck.  I thought there was an issue with the authentication of my old config for the ATT unit that was conflicting with the modem.  No such luck.
I simply could not get the DHCP to issue a number to my router.  Again... Go figure.  Siemens did (ATT), D-Link would not.

No 3.  I obtained a new ISP today.  Charter Cable.  The installer was pretty good.  He let me do whatever I wanted to.  Extra cable in case I needed to move the box.  He was good about that.  Even made me some extra extension cables.   I got the 12 meg connection.  Faster than the DSL 3 or 6.  Did some tests on speedtest and I am hitting between 11 and 22.  Roughly 15 is where it sits.  No complaints there.

No 4.  Here is the biggie..

I noticed after the connection was established and after the tech left, that my router config had the wrong address in the source tunnel field.

Man, what a bonehead.  I was keeping notes as to the changes and updating the website and making changes to the router, but I forgot the tunnel address 1 time.  Well, I tested the first time before I caught that little issue and the tunnel didn't work.  I was getting angry at myself because I knew at this point it had to be me.  After calling HE and asking what I could be doing wrong and sending the config in, I saw it.  I made the change and Bam...  Pinging IPv6.

So to make a long story short. I backtracked to ATT and updated everything and it still didn't work.

Either it's the modem or they are blocking protocol 41, and that's it.

I will keep ATT, I guess, 'til the end of the month.  I will try to put another Cisco router on that connection and play with it to see if I can find something out.

Anyway.....

Everyone.......  Thanks for all the help.  Also, thanks for the help I hope I will get in the future.

;D ;D ;D 

BTW - I lost my car keys about 3 weeks ago and around the time this happened, I found them.  Guess where... In the ignition of my mustang.  I put them there when I moved it during all this wiring I was doing..  Whew.. What a week.

Anyway.  Now I can get back to trying to get my printer online and practice exams for  Cisco...... ;D  ::) ::)

donbushway

Glad you got it working. Good luck on the exams.

UltraZero

Sorry. I was swinging the connection back to Charter.

Yeah..   thanks much..

Glad to finally pass that little boulder in my path.  Now... Where's the next one..

;D ;D ;D

Have a great weekend.

ratcheer

Quote from: UltraZero on February 10, 2011, 11:13:51 AM
Is anyone running their tunnel connection with a router behind their modem and the modem is in bridge mode??

If so, are you running bridge mode because you could not get the connection to work in regular pppoe mode?

Thanks

Yes to all of the above. I am an AT&T DSL customer (but in the old BellSouth region). I was able to expose my client PC to the outside using IP Passthrough and get my tunnel to work, but that is totally insecure, so I looked for a better way to do it. In the end, here is what worked for me:

1) Flashed my router to an IPv6-capable version of dd-wrt. (This was an adventure in itself.)

2) Bridged my DSL modem. This required a complete restructuring of my LAN. The modem now connects to the WAN port of the router. The router now maintains the PPPoE connection. And a regular ethernet port of the router is connected to the ethernet switch. All client PCs are also connected to the switch. All hosts had to obtain new NAT addresses.

3) Enabled IPv6 in the router. Unblocked external anonymous requests to the router.

4) Enabled IPv6 in the firewall of the client PC. Used HE's commands to define a link between the client IPv6 address given by HE to the IPv4 NAT address of the client PC.

I do not believe that AT&T is blocking Protocol 41 in any way. I think you were just talking to people who have no idea what they're talking about and are BS'ing their way through.

Tim

SomeJoe7777

UltraZero, I think your problem is your modem.

I have AT&T U-Verse internet service which uses VDSL.  The home gateway they give you with U-Verse can't be put into a true bridge mode, but it can be set to allow a device on the LAN side to be a "DMZ" device.  I have a Cisco 2811 behind the home gateway as the DMZ device, and my HE tunnel is working perfectly.

At least on the U-Verse internet service, protocol 41 is not blocked.

However, U-Verse does not use PPPoE, it uses straight DHCP.  I feel your Speedstream may not be capable of passing protocol 41 unless it's in bridge mode and you set up PPPoE on your Cisco.