Dynamic IPv6 Subnet & ip6tables

Great! Native IPv6. Now all my computers/devices in my LAN have a public IP address!

So first of all, think about security.
With IPv4 and NAT, your devices are not directly reachable from the internet because they only have private addresses.
With IPv6 every device gets a public address, and without a firewall in front of it, it is reachable from the internet by everybody.

A good thing is that Tomato Toastman enables ip6tables for your whole LAN.
So by default everything is closed at the router level. Great!

But of course you might want to open something, like SSH to your local computer or connectivity to your NAS.
Easy, just:

This works fine, but not when your ISP thinks it necessary to hand out a dynamic prefix.
Because the full IPv6 address changes every time the prefix changes, you can't put it in a fixed ip6tables rule.

Searching the internet for a solution, I found the ‘eui64’ module in ip6tables.
But after some testing and reading the source code, it was clear this module was not made for this case.
It only checks whether the source MAC address matches the EUI-64 part of the source IP address.
It's meant to defeat spoofed/unauthorized IPs on your own network, not to match a host independently of its prefix.

So we mailed the netfilter mailing list for a possible solution.
And guess what, it's already possible by default, just not documented.

Let's say you want to allow traffic to your computer with MAC address ‘a1:a3:be:89:93:af’.
With SLAAC (EUI-64, i.e. without privacy extensions) its address will be Prefix:a3a3:beff:fe89:93af: the universal/local bit of the first octet is flipped (a1 becomes a3) and ff:fe is inserted in the middle of the MAC.
That interface identifier (the low 64 bits) stays the same whatever prefix your ISP delegates, so that is the part the rule should match on. Note that hosts using privacy extensions (RFC 4941) get random interface identifiers, so this only works for EUI-64 addresses. To allow traffic to this host you can use the following ip6tables rule:

No more changes to your rules when your prefix changes. It just keeps working!
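As an added example (this is not code from the original post, and it does not reproduce the post's own rule), the following shell script derives the EUI-64 interface identifier from a MAC address and prints an ip6tables rule that compares only those low 64 bits of the destination address. It assumes the host uses plain EUI-64 SLAAC addresses (no privacy extensions), that the rule belongs in the router's FORWARD chain, and that ip6tables accepts a full 128-bit address mask (`::suffix/::ffff:ffff:ffff:ffff`) in place of a prefix length. The function names and the port number are my own.

```shell
#!/bin/sh
# Added example, not from the original post.
# Derive the EUI-64 interface identifier from a MAC address and build an
# ip6tables rule that matches only the low 64 bits, so the rule survives a
# prefix change.
# Assumptions: plain EUI-64 SLAAC addresses (no privacy extensions), rule in
# the router's FORWARD chain, and ip6tables accepting an address/mask pair
# where the mask is a full 128-bit address instead of a prefix length.

# Print the 64-bit interface identifier (four hextets) for a MAC address.
eui64_suffix() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    # Split the six colon-separated octets into $1..$6.
    set -- $(printf '%s' "$mac" | tr ':' ' ')
    [ "$#" -eq 6 ] || { echo "bad MAC: $mac" >&2; return 1; }
    # Flip the universal/local bit (bit 1 of the first octet): a1 -> a3.
    o1=$(printf '%02x' $(( 0x$1 ^ 0x02 )))
    # Insert ff:fe between the OUI half and the NIC-specific half.
    printf '%s%s:%sff:fe%s:%s%s\n' "$o1" "$2" "$3" "$4" "$5" "$6"
}

# Build the ip6tables command that allows TCP traffic to port $2 on the host
# with MAC $1, whatever prefix the ISP currently delegates.
# "::suffix/::ffff:ffff:ffff:ffff" makes ip6tables compare only the low 64
# bits of the destination address; the prefix bits are masked out.
suffix_rule() {
    sfx=$(eui64_suffix "$1") || return 1
    printf 'ip6tables -A FORWARD -p tcp --dport %s -d ::%s/::ffff:ffff:ffff:ffff -j ACCEPT\n' "$2" "$sfx"
}

# Demo: the SSH rule for the MAC address quoted in the post.
suffix_rule a1:a3:be:89:93:af 22
```

Because the prefix bits are masked out, the rule matches that suffix under any prefix. For a `-d` rule toward your own LAN that is harmless, but a `-s` rule built the same way would accept the suffix coming from any network on the internet, so use destination matches for inbound allows.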


Belgacom & IPv6

After using a SixXS tunnel for years, my ISP (Belgacom) finally started deploying native IPv6 some months ago.
Of course we were happy that there was finally native IPv6 support, but unfortunately it was only available to people with the new BBOX3 modem.

But after months, we finally got hold of a BBOX3 modem a few days ago.

To the BBOX3 I connect my Linksys E3000 router, which does all the routing and WiFi.
The E3000 also does the PPPoE connection, so we have the public IP on our own router.

IPv6 isn't activated immediately when you connect a BBOX3 modem.
Provisioning at Belgacom activates it at some random moment once it notices a BBOX3 is connected.
I got lucky: IPv6 was activated after about 24 hours.

My E3000 router runs Tomato Toastman, and is configured the following way:
: “DHCPv6 with Prefix Delegation”
: 56
: WAN
Static IPv6 DNS: Not available. This was confirmed by Eva on Twitter on 8 Aug (“At the moment there aren't any yet. You could use Google's IPv6 DNS servers instead. Regards, Eva”).

These settings give you a public IPv6 address on the WAN side and a delegated /56 prefix for assigning addresses to the clients in the LAN.
That's more than enough addresses for everybody :)

Tomato then hands out addresses from the first /64 of the /56 prefix.
So all the clients in my LAN have a public IPv6 address.
