Hurricane Electric's IPv6 Tunnel Broker Forums

Author Topic: Good place to begin?  (Read 9831 times)

mvalpreda

  • Newbie
  • *
  • Posts: 11
Good place to begin?
« on: June 08, 2012, 05:39:51 PM »

First off....I am really stymied by IPv6. I am sure I am over-analyzing all this....but I'm really not even sure where to begin. Is there someplace I can go to help me get this going forward so I can grasp what is going on?

I have a Cisco ASA and a Windows 2008 server. My Windows server already has an IPv6 address (fe80::3909:df10:b5f4:ccd4%10) that has been there since day one. The Windows 2008 server is the DHCP server for my network.

I have an account here at HE and they gave me a routed /64. I understand I put that information into the ASA with the config it generates for me. They gave me 2001:470:X:XXX::2/64. Am I correct in assuming that is the IPv6 gateway for my internal clients and my clients would be say 2001:470:X:XXX::10 through 2001:470:X:XXX::whatever?

Do I need to add anything to the ASA to make sure IPv6 clients behind the firewall are protected, since it is more of a routing situation as opposed to a NAT situation?
Logged

snarked

  • Hero Member
  • *****
  • Posts: 762
Re: Good place to begin?
« Reply #1 on: June 08, 2012, 07:13:36 PM »

Look again at the allocation.
Logged

mvalpreda

  • Newbie
  • *
  • Posts: 11
Re: Good place to begin?
« Reply #2 on: June 08, 2012, 08:10:50 PM »

I don't really know what that means.
Logged

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • *****
  • Posts: 1722
Re: Good place to begin?
« Reply #3 on: June 08, 2012, 08:13:56 PM »

He meant you have 2 different ranges. One is strictly for the tunnel interface on whatever device you configured the tunnel on and on HE's side (henceforth: router). The routed range is what you configure on your "router"'s LAN facing interface, and your equipment on the LAN will configure out of. If you are familiar with IPv4 routing, imagine that the "router" and HE.NET side are using a /30 for the tunnel/link. And that a /24 has been statically routed to your side of that /30.

In this case with IPv6, that /30 is now a /64. By default you get a second /64 statically routed to your Client Side IPv6 address. That is the range your "router" or I guess Win2k8 DHCP server will use to hand out to the LAN.
« Last Edit: June 08, 2012, 08:18:33 PM by broquea »
Logged
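The split between the tunnel link /64 and the routed /64 described in the reply above can be checked mechanically. This is an added example, not part of the original thread: the prefixes are constructed from the 2001:db8::/32 documentation range because the thread elides the real ones, and the function names and the "tunnel-" naming convention are assumptions of the example.

```python
import ipaddress

# Constructed sample prefixes (documentation range); the thread elides the
# real tunnel and routed prefixes, so these are placeholders.
TUNNEL_LINK = ipaddress.ip_network("2001:db8:c:1::/64")  # point-to-point link /64
ROUTED_LAN = ipaddress.ip_network("2001:db8:d:1::/64")   # /64 routed to the client side

# Constructed addressing plan; names starting with "tunnel-" are tunnel endpoints.
SAMPLE_PLAN = {
    "tunnel-server": "2001:db8:c:1::1",
    "tunnel-client": "2001:db8:c:1::2",
    "router-lan-if": "2001:db8:d:1::1",
    "workstation": "2001:db8:c:1::10",              # mistake: taken from the tunnel /64
    "dhcp-server": "fe80::3909:df10:b5f4:ccd4%10",  # link-local only, as in the first post
}


def classify(addr, tunnel=TUNNEL_LINK, routed=ROUTED_LAN):
    """Return which part of the allocation an address belongs to."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop a zone id such as %10
    if ip.version != 6:
        return "not-ipv6"
    if ip.is_link_local:
        return "link-local"    # fe80::/10 never leaves the local segment
    if ip in tunnel:
        return "tunnel-link"   # only the two tunnel endpoints belong here
    if ip in routed:
        return "routed-lan"    # the range LAN hosts are numbered from
    return "outside-allocation"


def audit_plan(plan, tunnel=TUNNEL_LINK, routed=ROUTED_LAN):
    """Return (name, problem) for every entry numbered from the wrong range."""
    problems = []
    for name, addr in plan.items():
        kind = classify(addr, tunnel, routed)
        want = "tunnel-link" if name.startswith("tunnel-") else "routed-lan"
        if kind != want:
            problems.append((name, f"{kind}, expected {want}"))
    return problems


def needs_inbound_filter(plan, tunnel=TUNNEL_LINK, routed=ROUTED_LAN):
    """Hosts in the routed /64 hold globally routable addresses with no NAT
    in the path, so inbound filtering rests on the router/firewall ruleset."""
    return sorted(n for n, a in plan.items() if classify(a, tunnel, routed) == "routed-lan")
```

Running `audit_plan(SAMPLE_PLAN)` flags the workstation numbered from the tunnel /64 and the server that only has a link-local address.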

mvalpreda

  • Newbie
  • *
  • Posts: 11
Re: Good place to begin?
« Reply #4 on: June 08, 2012, 08:28:44 PM »

I just noticed the differences.

IPv6 Tunnel Endpoints
Server IPv4 Address: 66.220.18.42
Server IPv6 Address: 2001:470:C....:1/64
Client IPv6 Address: 2001:470:C....:2/64

Then there is a routed /64
2001:470:D....:1/64

I want to set up my DHCP and other internal IPv6 with the 2001:470:D range, correct?

Would I assign the D range on my ASA as well?

Available DNS Resolvers
Anycasted IPv6 Caching Nameserver: 2001:470:20::2
Anycasted IPv4 Caching Nameserver: 74.82.42.42
Routed IPv6 Prefixes
Routed /64: 2001:470:d:c0f::/64
Routed /48:
Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2714
Re: Good place to begin?
« Reply #5 on: June 08, 2012, 08:43:54 PM »

You only assign the d range in one place...which device do you want to use?

Logged

mvalpreda

  • Newbie
  • *
  • Posts: 11
Re: Good place to begin?
« Reply #6 on: June 08, 2012, 08:57:04 PM »

I have a Windows 2008 server that will give out IPv4 and IPv6 DHCP. I have a Cisco ASA that will be the tunnel endpoint.

The info I got when I signed up shows
Server IPv6 address: 2001:470:C....:1/64
Client IPv6 address: 2001:470:C....:2/64
Routed /64: 2001:470:D..../64

I see the config generated for the ASA. I'm just not clear on what IPs I assign to machines inside the network. Is it the 2001:470:D range?
Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2714
Re: Good place to begin?
« Reply #7 on: June 09, 2012, 04:08:37 AM »

Unfortunately that won't work...you cannot host the tunnel on the ASA as the ASA does not support it.
Logged

mvalpreda

  • Newbie
  • *
  • Posts: 11
Re: Good place to begin?
« Reply #8 on: June 09, 2012, 07:37:39 AM »

Well that stinks. I replaced a Sonicwall TZ210 with the ASA since I could not find any of the IPv6 setup on the Sonicwall even though lots of places said it was there. Now I am in the same place!
Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2714
Re: Good place to begin?
« Reply #9 on: June 09, 2012, 12:51:43 PM »

You can host the tunnel on the win2k8 machine though.
Logged

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • *****
  • Posts: 1722
Re: Good place to begin?
« Reply #10 on: June 09, 2012, 12:55:35 PM »

I thought the tunnel WAS getting hosted on the win2k8 machine in the first place, since you mentioned it handles all your DHCP to begin with.
Logged

mvalpreda

  • Newbie
  • *
  • Posts: 11
Re: Good place to begin?
« Reply #11 on: June 09, 2012, 06:25:04 PM »

If I host the tunnel on the Windows 2008 machine, I would need to use that as a router then correct? If so I would rather just use a firewall.

I'm sort of irritated that a higher end firewall won't support being a tunnel endpoint. I see that an Apple Airport Extreme will host a tunnel but I am not a huge fan of those. What else can I pick up that supports VPN that can be an endpoint? I don't want to have to run any commands on the Windows clients. I just want them to get DHCPv6 addresses from the server and the heavy lifting is handled by the firewall/router. This would be connected to a 35/5 cable modem on Cox residential.

This is more for proof of concept to roll out to other locations should the need arise.
Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2714
Re: Good place to begin?
« Reply #12 on: June 09, 2012, 06:33:53 PM »

You could grab a Cisco router and use that to host the tunnel...just place the router in front of the ASA.

By default, Windows clients don't pick up DHCPv6 addresses, so you would need to run some commands :)
Logged

mvalpreda

  • Newbie
  • *
  • Posts: 11
Re: Good place to begin?
« Reply #13 on: June 09, 2012, 06:39:16 PM »

That is something else I can't get a straight answer on. I read that it will work on Vista SP2 and Windows 7. I have also read there are commands you have to run. Frustrating. I have a couple of Windows 2008 R2 SP1 machines and they picked up a DHCPv6 address.....and a few Windows 7 machines that didn't.....so WTF? LOL

I'm looking to just have one device so all this is transparent to the users. Router + ASA sounds like fun.....but I need to keep it a little more simple at home.
Logged

mvalpreda

  • Newbie
  • *
  • Posts: 11
Re: Good place to begin?
« Reply #14 on: June 09, 2012, 06:41:59 PM »

Looks like a router that supports Tomato will work well....and not have to do anything too fancy with scripts like on DD-WRT.

http://troywitthoeft.com/get-your-home-network-connected-with-ipv6/
Logged