Dynamic IPv6 Subnet & ip6tables

Great! Native IPv6. Now all my computers/devices in my LAN have a public IP address!

So first of all, think about security.
With IPv4 and NAT, your devices are not directly reachable from the internet because they have a private IP address and only the router has a public one.
With IPv6 every device receives a public IP address and, unless something in the path filters it, is reachable from the internet by everybody.

A good thing is that Tomato Toastman enables ip6tables for your whole LAN.
So unsolicited inbound traffic is dropped at the router level! Great!

But of course you might want to open, say, SSH to your local computer, or connectivity to your NAS.
Easy: add an ip6tables FORWARD rule that accepts traffic to that host's full IPv6 address and port.

This works fine, but not when your ISP decides it needs to hand out a dynamic prefix.
Because the full IPv6 address then changes every time the prefix changes, a rule written against the full address cannot keep up.

Searching the internet for a possible solution, I found the ‘eui64’ match module in ip6tables.
But after some testing and reading its source it was clear this module was not made for this case.
The module derives the EUI-64 from the source MAC address in the Ethernet frame and checks whether it matches the lower 64 bits of the source IPv6 address.
It's made to defeat spoofed or unauthorized addresses on your own network, not to match a host regardless of its prefix.

So we mailed the netfilter mailing list for a possible solution.
And guess what: it's already possible by default, just not documented.

Let's say you want to allow traffic to your computer with MAC address ‘a1:a3:be:89:93:af’.
If you use SLAAC its address will be Prefix:a3a3:beff:fe89:93af (the modified EUI-64: the universal/local bit of the first octet is flipped, so a1 becomes a3, and ff:fe is inserted between the two halves of the MAC).
To allow traffic to this host, give ip6tables only that lower 64-bit part together with a mask that covers only those 64 bits, so the rule matches the interface identifier and ignores whatever prefix is in front of it.
No more changes to your rules if your Prefix changes. It just keeps working!
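As an added example (this is not the post's own rule or script), the script below derives the modified EUI-64 identifier from a MAC, emits the prefix-independent ip6tables rule using a mask that is all-zero in the upper 64 bits, and checks which full addresses that rule would match. The MAC a1:a3:be:89:93:af is the one from the post; port 22 and the FORWARD chain are assumptions for the illustration.

```shell
#!/bin/sh
# Added example, not the blog's own script: derive the modified EUI-64
# interface identifier from a MAC address and build an ip6tables rule that
# matches only those lower 64 bits, so the rule survives a prefix change.
# The MAC a1:a3:be:89:93:af is the one from the post; port 22 and the
# FORWARD chain are assumptions for the illustration.

# mac_to_eui64 MAC -> prints the 64-bit interface identifier as four hextets
mac_to_eui64() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':-')
    [ "${#mac}" -eq 12 ] || { printf 'bad MAC: %s\n' "$1" >&2; return 1; }
    o1=$(printf '%s' "$mac" | cut -c1-2)
    o2=$(printf '%s' "$mac" | cut -c3-4)
    o3=$(printf '%s' "$mac" | cut -c5-6)
    o4=$(printf '%s' "$mac" | cut -c7-8)
    o5=$(printf '%s' "$mac" | cut -c9-10)
    o6=$(printf '%s' "$mac" | cut -c11-12)
    # Modified EUI-64 (RFC 4291): flip the universal/local bit (0x02) of the
    # first octet and insert ff:fe between the OUI and the device part.
    o1=$(printf '%02x' $(( 0x$o1 ^ 0x02 )))
    printf '%s%s:%sff:fe%s:%s%s\n' "$o1" "$o2" "$o3" "$o4" "$o5" "$o6"
}

# suffix_rule MAC PORT -> the ip6tables command. The mask ::ffff:ffff:ffff:ffff
# has zeros in the upper 64 bits, so the (dynamic) prefix is never compared.
suffix_rule() {
    iid=$(mac_to_eui64 "$1") || return 1
    printf 'ip6tables -A FORWARD -d ::%s/::ffff:ffff:ffff:ffff -p tcp --dport %s -j ACCEPT\n' "$iid" "$2"
}

# lower64 ADDR -> the last four hextets of an address whose last four groups
# are written out (e.g. 2001:db8:1:2:a3a3:beff:fe89:93af), normalized to
# lowercase without leading zeros
lower64() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | awk -F: '{
        out = ""
        for (i = NF - 3; i <= NF; i++) {
            g = $i
            sub(/^0+/, "", g)
            if (g == "") g = "0"
            sep = (i == NF - 3) ? "" : ":"
            out = out sep g
        }
        print out
    }'
}

# would_match ADDR MAC -> success if the rule for MAC matches ADDR, i.e. the
# lower 64 bits agree whatever the prefix is (what the kernel's mask does).
would_match() {
    want=$(mac_to_eui64 "$2") || return 1
    [ "$(lower64 "$1")" = "$(lower64 "$want")" ]
}

# Constructed demo: the rule for SSH to the host from the post.
suffix_rule a1:a3:be:89:93:af 22
```

After adding the rule, `ip6tables -S FORWARD` shows it back with the mask so you can confirm the prefix part is zero. Two caveats: the match is purely on the interface identifier, so pin it to the LAN side (for example `-o br0`) rather than letting it accept forwarded traffic for that identifier under any prefix; and it only helps for hosts that really use the EUI-64 identifier. A client configured with RFC 7217 stable-privacy identifiers, or one that only has a DHCPv6 address, has no such address to match.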

Read More

Dynamic IPv6 Subnet & dnsmasq

After I finally had IPv6 in my network I started to configure everything properly.
So first of all: what addresses do the clients receive?

My Linksys E3000 router runs on Toastman Tomato.
This custom firmware has everything included to support IPv6 correctly.

Now I noticed my computer in the LAN received 2 IPv6 addresses out of the /64 range that was announced by the router.
I got 1 DHCPv6 address, and 1 SLAAC address.

DHCPv6?
DHCPv6 works much like DHCP for IPv4.
The client asks for an address, and the DHCPv6 server hands it an IPv6 address to configure.
DNS servers are passed to the client as well; the default route, however, is not part of DHCPv6 and still comes from the Router Advertisement.

Stateless address autoconfiguration aka SLAAC
This is something new in the world of IPv6.
An IPv6 address is 128 bits and a subnet is (normally) a /64, so the last 64 bits (the interface identifier) can be derived from the device's MAC address.
And this is how SLAAC works.

The router sends RA (Router Advertisement) messages to the network carrying the prefix (the first 64 bits) and announcing itself as the default router.
Your client in the LAN receives this message and generates a modified EUI-64 from its MAC address.
That part is appended to the announced prefix, and there we have our IPv6 address.

What to choose?
You now need to decide: will I use DHCPv6, or will I use SLAAC?

SLAAC
+ Practically all clients support it
+ Easy config, no state to keep
– Privacy (the MAC address is embedded in the IPv6 address, so anyone you talk to can read your MAC and learn something about your device; only clients that use privacy extensions, RFC 4941, replace it with a random identifier)
– No support for passing DNS servers (RDNSS got added later)

DHCPv6
+ Privacy (the server assigns addresses that reveal nothing about the hardware)
+ You can use a small range for some clients (for example make DHCPv6 reservations for some clients and allow only that range to reach your server)
– Not all devices support it (Android for example does NOT support DHCPv6!)
– Can't pass routes (the default route still has to come from an RA)

So as you see, both have their pros and cons.
But you can combine both by setting some flags in the RA: the M and O flags in the RA header, and the A flag in the prefix information option.
See the image below:
(image: IPv6-picture)

In my case I chose SLAAC to assign addresses in my network and set the default route,
and then use DHCPv6 to tell clients which DNS server to use.

But Tomato's default dnsmasq setting makes the router set both the A-bit and the M-bit.
So every client ends up with 2 IPv6 addresses.

As it wasn't possible to fix this through the Tomato settings, I patched the code and added an option to choose between DHCPv6 and SLAAC.
So now you have 3 options:

1) SLAAC only (but DHCPv6 for DNS)

2) DHCPv6 only (but RA for route)

3) SLAAC & DHCPv6
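As an added example (not Tomato's own dnsmasq configuration and not the author's patch), these are the dnsmasq lines that produce each of the three modes. They assume the LAN bridge is br0, that the /64 is taken from br0's own address (constructor:br0), a 12h lease, and a DHCPv6 pool of ::100 to ::1ff inside that /64; only one dhcp-range line should be active at a time.

```ini
# Added example, not Tomato's own dnsmasq config or the author's patch.
# Assumptions: LAN bridge br0, the /64 taken from br0's address
# (constructor:br0), 12h lease, DHCPv6 pool ::100-::1ff inside that /64.

enable-ra

# 1) SLAAC only, DHCPv6 just for DNS: RA with the A and O flags and no M flag
#    (ra-stateless); ra-names also puts SLAAC hosts into dnsmasq's DNS.
dhcp-range=::,constructor:br0,ra-stateless,ra-names

# 2) DHCPv6 only: M flag set, A flag clear, the default route still comes
#    from the RA that enable-ra sends.
#dhcp-range=::100,::1ff,constructor:br0,12h

# 3) SLAAC and DHCPv6 together: the "slaac" keyword on a stateful range sets
#    both A and M, so every client gets two addresses (the behaviour above).
#dhcp-range=::100,::1ff,constructor:br0,slaac,12h
```

On a client you can confirm which flags the router actually sends with `rdisc6` or by capturing ICMPv6 type 134 packets; a client with both an EUI-64 address and a DHCPv6 address is the sign that variant 3 is active.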

In Tomato the options look like this:

(image: ipv6_options)

The patch I made to fix this will be sent to Tomato.
So I hope this option will be available soon for everybody :)

Read More

Belgacom & IPv6

After using a SixXS tunnel for years, my ISP (Belgacom) finally started to deploy native IPv6 some months ago.
Of course we were happy there was finally native IPv6 support, but unfortunately it was only available for people with a new BBOX3 modem.

But after months, we finally got hold of a BBOX3 modem some days ago.

To my BBOX3 I connect my Linksys E3000 router, which does all the routing & WiFi.
The E3000 also does the PPPoE connection, so we have the public IP on our own router.

Now IPv6 isn't activated immediately when you connect a BBOX3 modem.
Belgacom's provisioning activates it at some random time once it notices a BBOX3 is connected.
But I got lucky, and IPv6 was activated after about 24 hours.

My E3000 router runs Tomato Toastman, and is configured the following way:
: “DHCPv6 with Prefix Delegation”
: 56
: WAN
Static IPv6 DNS: Not available. This was confirmed by Eva on Twitter on 8 August (“At the moment these don't exist yet. You could use Google's IPv6 DNS servers instead. Regards, Eva”).

These settings give the router a public IPv6 address on the WAN side and a delegated /56 prefix for assigning addresses to the clients in the LAN.
That is 256 /64 subnets: more than enough addresses for everybody :)

Tomato then hands out addresses from the first /64 of that delegated /56.
So all my clients in my LAN had a public IPv6 address.

Read More