Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Dropped in the deep end and floundering

Started by Powertrain, October 29, 2012, 09:55:06 AM


Powertrain

Hey all, having some problems and questions. Got the word today that our stuff needs to be reachable by government clients using IPv6. Our data center does not have routers supporting IPv6. The server is attached to a firewall that does not support IPv6. It is all currently reachable by IPv4. My boss dropped this on me this morning, so I am trying to figure out what exactly is going on. Sorry if this is noob stuff; I tried looking at all the videos and FAQs but am still confused. I am running:

1. CentOS
2. Apache

Questions:

1. Will this tunnel allow me to set up say example.mydomain.com and have that be an IPv6 address that goes to my server despite the v6 incompatibilities listed above?
2. I have set up an AAAA record for my example, pointing to the IPv6 listed in my Client IPv6 Address. Is this correct?
3. On my server I have run the commands for ifconfig to set up sit0 and sit1. Was this the right thing to do?
4. I have modified my Apache to

Listen 80
and
<VirtualHost 10.10.10.xxx:80 [2001:470:7:40e::2]:80>

Is this correct? The actual IP address from the Client IPv4 Address is actually the firewall, which then routes to 10.10.10.xxx. If it's not v6 compliant, is this a problem?

5. If I set the ipv6 of eth0 from ifconfig my Apache will serve the site locally but not externally.

Sorry for all the questions, I feel a bit out of my element doing this type of networking. Let me know if I am completely off base, as I had no say in this matter :)

kasperd

#1
Quote from: Powertrain on October 29, 2012, 09:55:06 AM
Got the word today that our stuff needs to be reachable by government clients using ipv6.
Did you receive specifications on which protocols you need to support over IPv6? Could be DNS, HTTP, SMTP or other protocols. Regardless of what the specific requirements are, I think HTTP and HTTPS are a good place to start.

Quote from: Powertrain on October 29, 2012, 09:55:06 AM
1. Will this tunnel allow me to set up say example.mydomain.com and have that be an IPv6 address that goes to my server despite the v6 incompatibilities listed above?
Yes, but you'd have to open protocol 41 through your firewall. If the firewall cannot inspect the contents of protocol 41 packets, then you'll essentially be without a firewall for IPv6. You can do separate firewalls for IPv4 and IPv6. So you can let your existing firewall take care of IPv4 and set up another to take care of IPv6.

As I understand your post, you are intending to terminate the tunnel on a Linux host, so ip6tables would be an obvious choice for the IPv6 firewall.

There are other options. You can convert the traffic on the outside of your firewall. A few days ago I saw an ad from the Internet Society pointing to a video explaining how this can be achieved through the use of a CDN.

With that, users talk IPv4 or IPv6 with the CDN and the CDN talks IPv4 with the webserver. If you feel a CDN is suitable for you (once you understand the advantages and disadvantages of using a CDN), then it can give you some flexibility in the upgrading. There is no drawback from using IPv4 on one side of the CDN and IPv6 on the other side. Once you are ready to upgrade your webserver, you can even move the webserver directly from IPv4 only to IPv6 only, since the CDN can still talk both IPv4 and IPv6 with the users.

If you'd rather host your own protocol translation on the outside of your firewall, it may be that the router you have outside the firewall is already capable of such translation, otherwise I can offer you a free evaluation copy of a product I have for such translation.

If the firewall cannot be updated to support IPv6 (possibly through a firmware upgrade), then you'll have to replace it at some point. You could choose to do that right now.

Or you can ignore the firewall issue altogether and run the site without firewall for IPv6, if you think you can properly secure the server without needing a firewall.

It is up to you which of the five possibilities I mentioned above is right for you. There may be other options which I haven't thought of.

Quote from: Powertrain on October 29, 2012, 09:55:06 AM
2. I have set up a AAAA record for my example, pointing to the IPv6 listed in my Client IPv6 Address is this correct?
Again there is more than one possible solution. Pointing the AAAA record at the client IPv6 address is one solution that can work. If the tunnel is only to be used for one single host, then that is also the simplest solution.

Quote from: Powertrain on October 29, 2012, 09:55:06 AM
3. On my server I have run the commands for ifconfig to set up sit0 and sit1. Was this the right thing to do?
You didn't specify what commands you used. I have been using a script (which I believe I got from this website) to set up sit0 and sit1. That script uses four ifconfig commands to set up sit0 and sit1, and then one route command to set up a default route. That script has worked quite well. So assuming your ifconfig commands had the right arguments, then yes, it was the right thing to do. Remember that once you have it working, you'll also need to ensure it gets activated at boot.

Quote from: Powertrain on October 29, 2012, 09:55:06 AM
4. I have modified my Apache to

Listen 80
and
<VirtualHost 10.10.10.xxx:80 [2001:470:7:40e::2]:80>

Is this correct?
I don't know what it looked like before. I think there shouldn't have been any need to modify it in the first place. However, if you do need multiple virtualhosts, then I think a good solution is to assign multiple IPv6 addresses to the webserver and use the IPv6 address to pick the virtualhost instead of using the hostname. However, such changes shouldn't be the first thing you do. At first you should try to keep your IPv6 setup as similar to your IPv4 setup as possible.

Quote from: Powertrain on October 29, 2012, 09:55:06 AM
The actual IP address from the Client IPv4 Address is actually the firewall that then routes to 10.10.10.xxx, if its not v6 compliant is this a problem?
There are two sorts of problems to think about. Is it a problem for security, that your firewall does not support IPv6? And is it going to work at all?

I discussed the security concern above. As for getting it to work at all, you need to ensure that protocol 41 packets are forwarded from the firewall to the server. At this time, you probably only have a rule to forward TCP ports 80 and 443 to the server. You need a new rule to also forward protocol 41 to the server.

How to forward a protocol depends on your firewall. There probably exist some firewalls which cannot do it at all.

Quote from: Powertrain on October 29, 2012, 09:55:06 AM
5. If I set the ipv6 of eth0 from ifconfig my Apache will serve the site locally but not externally.
What exactly do you mean by locally?

Powertrain

#2
Thank you for the very detailed answer!

Quote
Did you receive specifications on which protocols you need to support over IPv6? Could be DNS, HTTP, SMTP or other protocols. Regardless of what the specific requirements are, I think HTTP and HTTPS are a good place to start.

We host their website, which they need to get to from their IE. So I guess for now it's just HTTP and HTTPS.

Quote
Yes, but you'd have to open protocol 41 through your firewall.

Is this just opening port 41 on TCP and UDP? I have looked in our Firewall, and we have a SonicWall NSA 3500. The user here had a similar system:
http://www.tunnelbroker.net/forums/index.php?topic=1528.0

But going to Custom IP Type 41 instead of working gives me the error "Error: Service Object: Updating Server Tunnel: Invalid Custom IP Type"

Quote
You didn't specify what commands you used.

Sorry, I used the 5 commands on the Example Configurations tab:

ifconfig sit0 up
ifconfig sit0 inet6 tunnel ::216.66.22.2
ifconfig sit1 up
ifconfig sit1 inet6 add 2001:470:7:40e::2/64
route -A inet6 add ::/0 dev sit1

Quote
What exactly do you mean with locally?

I mean that if I do "curl <url pointing to client v6 address>" I get the website. But no places outside can see it.

cholzhauer

#3
Quote
Is this just opening port 41 on TCP and UDP?

No... keep in mind that port != protocol. Many firewalls don't allow you to pass a specific protocol, and you end up needing to allow all traffic to the host.

As far as your problem of not being able to see your IPv6 site externally, there has to be a firewall in the way somewhere.  What are you using for a firewall?

Powertrain

Was researching and just had to add:

I have looked in our Firewall, and we have a SonicWall NSA 3500. The user here had a similar system:
http://www.tunnelbroker.net/forums/index.php?topic=1528.0

So I think the Firewall is blocking it, but not sure how to fix.

cholzhauer

Did you try following what worked for him?  Is there an available firmware update you could try?

Powertrain

Yes it gave the error "Error: Service Object: Updating <service name>: Invalid Custom IP Type"

But I was able to add protocol 40 and 42 no problem :\

Powertrain

So based on this topic:

http://www.tunnelbroker.net/forums/index.php?topic=1999.0

I think the reason I can't add protocol 41 is because it is already added on SonicWall as 6to4.

Of course, none of the other information about being able to actually add a v6 seems to be correct on my firewall, not able to see anything the documentation says about v6 :\

Powertrain

I have tried to set this up using a separate system that is outside of our primary firewall and is inside a different firewall, a Juniper 710.

I added Protocol 41 and added it to my site policies so it should get through. The internal linux server is able to do:

ping6 ipv6.google.com

And get responses. While the other servers behind the SonicWall are not able to.

Is there any way to know if traffic is reaching the box?
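Added example (not from this thread or from Hurricane Electric): a small Python parser that answers both points raised above, that protocol 41 is an IP protocol number rather than a port, and how to tell whether tunnel packets are actually reaching the box. It classifies a raw IPv4 packet by its protocol field and decodes the inner IPv6 header when it is 6in4; 216.66.22.2 and 2001:470:7:40e::2 are the addresses from this thread, while 203.0.113.10 (assumed firewall WAN address) and 2001:db8::1 (remote IPv6 peer) are constructed.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # 6in4/sit tunnels carry IPv6 directly inside IPv4: a protocol number, not a port

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 when an existing checksum is valid)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(pkt: bytes) -> dict:
    """Protocol number, addresses and payload of a raw IPv4 packet (no link-layer header)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)), "payload": pkt[ihl:total_len]}

def parse_ipv6(pkt: bytes) -> dict:
    """Next header and addresses of a raw IPv6 packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    return {"next_header": pkt[6], "src": str(ipaddress.IPv6Address(pkt[8:24])),
            "dst": str(ipaddress.IPv6Address(pkt[24:40]))}

def classify(pkt: bytes) -> dict:
    """Tell 6in4 tunnel traffic from ordinary TCP/UDP by the outer protocol field; decode the inner IPv6 header."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_IPV6:
        return {"is_6in4": False, "outer": outer}
    return {"is_6in4": True, "outer": outer, "inner": parse_ipv6(outer["payload"])}

def build_6in4_sample() -> bytes:
    """Constructed sample: HE tunnel server 216.66.22.2 -> 203.0.113.10 (assumed firewall WAN address),
    carrying an ICMPv6 echo reply from 2001:db8::1 (constructed peer) to the tunnel client 2001:470:7:40e::2."""
    icmpv6 = bytes([129, 0, 0, 0, 0, 0, 0, 0])  # echo reply type 129, checksum left at zero for the sample
    ipv6 = struct.pack("!IHBB", 6 << 28, len(icmpv6), 58, 64)  # version 6, payload len, next header ICMPv6, hop limit
    ipv6 += ipaddress.IPv6Address("2001:db8::1").packed + ipaddress.IPv6Address("2001:470:7:40e::2").packed + icmpv6
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6), 0, 0, 64, IPPROTO_IPV6, 0,
                      ipaddress.IPv4Address("216.66.22.2").packed, ipaddress.IPv4Address("203.0.113.10").packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]  # fill in the header checksum
    return hdr + ipv6
```

On the Linux host itself, a capture filtered on the same protocol number (for example tcpdump with the filter `ip proto 41`) answers the "is traffic reaching the box" question without writing any code.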

Powertrain

I somehow fixed it I think.

Not sure what I did, just tinkering with the Juniper until I got it going.

Powertrain

#10
SonicWall seems unable to pass protocol 41 along. It's got a built-in service, 6over4, but setting a policy that allows WAN > LAN for it doesn't work :(.

The odd thing is that the SonicWall 6over4 service has a start and end port of Port 1. Can't be changed either :\

kasperd

Quote from: Powertrain on October 29, 2012, 04:11:27 PM
Sorry, I used the 5 commands on the Example Configurations tab:

ifconfig sit0 up
ifconfig sit0 inet6 tunnel ::216.66.22.2
ifconfig sit1 up
ifconfig sit1 inet6 add 2001:470:7:40e::2/64
route -A inet6 add ::/0 dev sit1

That's also the page I got my commands from. They are the same, except of course your IPs are not the same as mine.

Quote from: Powertrain on October 29, 2012, 10:11:00 PM
The odd thing is that the SonicWall 6over4 service has a start and end port of Port 1. Cant be changed either :\
I guess the port numbers show up that way because their UI cannot show a service without any port numbers. They shouldn't mean anything, which is why you cannot change them. It does sound as if you are using a newer firmware than what was discussed in that thread.

But if it now knows what protocol 41 is used for, then maybe it can do something intelligent with it. Terminating the tunnel on the firewall and using the routed /64 between the firewall and the server would be a better solution, if your firewall supports it. But from what you have told so far, I still haven't figured out what the firewall is capable of doing with protocol 41.