Posted by: rolande | May 3, 2011

Enabling IPv6 on my Home Network

So, after swearing off almost every possible option of being a geek at home for a significant amount of time, I finally decided I needed to spend some intimate time with IPv6. I had already read about it back in the mid-90s and studied some of its fundamentals as part of my preparation for the CCIE exams, but I had never put it to operational use until now. It's coming, and you can't ignore it anymore, so it was time to immerse myself in it and lift the veil from my eyes, so to speak.

See my latest post on my IPv6 setup with AT&T U-verse.

My broadband provider does not offer native IPv6, which today leaves essentially one option: a tunnel to a natively connected IPv6 endpoint. I chose to set up a free account with Hurricane Electric (www.tunnelbroker.net). It takes a couple of minutes to register an account and walk through the process of creating a new tunnel, and it is super simple. I have a Cisco router, so I selected the tunnel config example for Cisco IOS, pasted it into my router and was up and running in minutes. I also had a /48 assigned to my tunnel for local network use.

My first thought was that I had just opened my home network to the entire IPv6 Internet without any thought to security: the tunnel terminates on my router, every host that autoconfigures a global address becomes directly reachable, and none of the incidental protection the IPv4 NAT provides applies to that traffic. So I immediately shut the tunnel interface down and looked for configuration notes on securing IPv6 on IOS. I chose a basic access-list that permits only a small set of ICMPv6 messages (echo replies and the error types needed for path MTU discovery and troubleshooting) inbound on the router's external IPv6 tunnel interface and blocks everything else.

ipv6 access-list he-inbound
 sequence 170 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any parameter-problem
 permit icmp any any packet-too-big
 permit icmp any any no-admin
 permit icmp any any time-exceeded
 permit icmp any any hop-limit
 sequence 290 deny icmp any any
 sequence 500 deny ipv6 any any log-input fragments

ipv6 unicast-routing
ipv6 general-prefix TheWaystation 2001:470:C4E6::/48
ipv6 cef
ipv6 cef accounting prefix-length

interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 address 2001:470:1F10:E9D::2/64
 ipv6 enable
 ipv6 traffic-filter he-inbound in
 tunnel source 70.142.142.118
 tunnel destination 209.51.181.2
 tunnel mode ipv6ip

interface FastEthernet0/0
 ipv6 address 2001:470:C4E6:BABB::1/64
 ipv6 enable
 ipv6 nd prefix 2001:470:C4E6:BABB::/64 infinite infinite
 ipv6 dhcp server Home
 ipv6 inspect firewall6 in

ipv6 route ::/0 2001:470:1F10:E9D::1

I then configured 'ipv6 inspect' (IOS Context-Based Access Control for IPv6) so that I can initiate connections outbound to the IPv6 Internet while only the return traffic of those sessions is dynamically permitted back in. The inspection is applied inbound on the LAN interface, where it sees sessions as they leave the network, and the temporary entries it creates are evaluated ahead of the he-inbound filter on Tunnel0.

ipv6 inspect max-incomplete low 100
ipv6 inspect max-incomplete high 300
ipv6 inspect udp idle-time 60
ipv6 inspect tcp idle-time 1200
ipv6 inspect tcp finwait-time 8
ipv6 inspect tcp max-incomplete host 100 block-time 1
ipv6 inspect name HE-IPv6 tcp alert on timeout 120
ipv6 inspect name HE-IPv6 udp alert on timeout 60
ipv6 inspect name HE-IPv6 icmp alert off timeout 5
ipv6 inspect name HE-IPv6 ftp alert off audit-trail off timeout 1200
ipv6 inspect name firewall6 tcp alert on timeout 120
ipv6 inspect name firewall6 udp alert on timeout 60
ipv6 inspect name firewall6 icmp alert off audit-trail off timeout 5
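To make the combined behaviour of the traffic-filter on Tunnel0 and the inspection on FastEthernet0/0 concrete, here is an added Python model of the policy (not part of the original post and not Cisco code). It walks the he-inbound list with IOS first-match semantics, including the implicit `permit icmp any any nd-na`, `permit icmp any any nd-ns` and `deny ipv6 any any` entries that IOS appends to every IPv6 ACL but does not show in the running configuration, and it models the dynamic return entries that `ipv6 inspect` creates for LAN-initiated sessions. The sample packets, the LAN host address and the remote addresses in 2001:db8::/32 are constructed. Two things it makes visible: the explicit `deny icmp any any` at sequence 290 sits ahead of the implicit neighbor-discovery permits, so this list would break ND if it were applied inbound on an Ethernet interface (on a point-to-point tunnel the next hop needs no link-layer resolution, so it is unlikely to matter there); and of the two inspect rule sets defined above, only `firewall6` is applied to an interface, so the `HE-IPv6` set, the one that inspects ftp, is defined but unused.

```python
"""Model of the post's inbound IPv6 policy: static traffic-filter plus CBAC.

Added example, not from the original post. Packets and remote addresses are
constructed; the ACL rules are transcribed from the he-inbound list above.
"""
from typing import NamedTuple, Optional


class Pkt(NamedTuple):
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[str] = None   # IOS keyword, e.g. "echo-request", "nd-ns"
    non_initial_fragment: bool = False


class Rule(NamedTuple):
    action: str                 # "permit" or "deny"
    proto: str                  # "icmp", "tcp", "udp" or "ipv6" (any protocol)
    icmp_type: Optional[str]    # None = any ICMPv6 type
    fragments: bool             # True = matches non-initial fragments only
    label: str                  # the line as it appears in the post


HE_INBOUND = [
    Rule("permit", "icmp", "echo-reply",        False, "seq 170 permit icmp any any echo-reply"),
    Rule("permit", "icmp", "unreachable",       False, "permit icmp any any unreachable"),
    Rule("permit", "icmp", "parameter-problem", False, "permit icmp any any parameter-problem"),
    Rule("permit", "icmp", "packet-too-big",    False, "permit icmp any any packet-too-big"),
    Rule("permit", "icmp", "no-admin",          False, "permit icmp any any no-admin"),
    Rule("permit", "icmp", "time-exceeded",     False, "permit icmp any any time-exceeded"),
    Rule("permit", "icmp", "hop-limit",         False, "permit icmp any any hop-limit"),
    Rule("deny",   "icmp", None,                False, "seq 290 deny icmp any any"),
    Rule("deny",   "ipv6", None,                True,  "seq 500 deny ipv6 any any log-input fragments"),
]

# IOS appends these to every IPv6 ACL; they are not displayed in the config.
IMPLICIT_TAIL = [
    Rule("permit", "icmp", "nd-na", False, "implicit permit icmp any any nd-na"),
    Rule("permit", "icmp", "nd-ns", False, "implicit permit icmp any any nd-ns"),
    Rule("deny",   "ipv6", None,    False, "implicit deny ipv6 any any"),
]


def acl_decision(pkt: Pkt, acl=HE_INBOUND) -> Rule:
    """First match wins, exactly as IOS walks an IPv6 access list."""
    for rule in list(acl) + IMPLICIT_TAIL:
        if rule.proto != "ipv6" and rule.proto != pkt.proto:
            continue
        if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
            continue
        if rule.fragments and not pkt.non_initial_fragment:
            continue
        return rule
    raise RuntimeError("unreachable: the implicit deny matches everything")


class Inspector:
    """Minimal CBAC model: 'ipv6 inspect firewall6 in' on the LAN interface
    records sessions initiated from inside; their return flow is admitted on
    Tunnel0 before the static traffic-filter is consulted."""

    def __init__(self, protocols=("tcp", "udp", "icmp")):
        self.protocols = set(protocols)   # what the applied inspect rule set names
        self.sessions = set()

    def lan_outbound(self, pkt: Pkt) -> None:
        if pkt.proto in self.protocols:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def is_return_traffic(self, pkt: Pkt) -> bool:
        # Return traffic has addresses and ports swapped relative to the session.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def tunnel_inbound_verdict(pkt: Pkt, inspector: Inspector) -> str:
    """Verdict for a packet arriving on Tunnel0 from the IPv6 Internet."""
    if inspector.is_return_traffic(pkt):
        return "permit [dynamic inspect entry]"
    rule = acl_decision(pkt)
    return f"{rule.action} [{rule.label}]"


def demo() -> dict:
    insp = Inspector()
    lan_host = "2001:470:c4e6:babb:21b:63ff:fe9a:1234"   # constructed host in the BABB /64
    router = "2001:470:1f10:e9d::2"                       # Tunnel0 address from the post
    web = "2001:db8::80"                                   # constructed remote server
    insp.lan_outbound(Pkt("tcp", lan_host, web, sport=50000, dport=80))
    return {
        "tcp reply to our session":    tunnel_inbound_verdict(Pkt("tcp", web, lan_host, sport=80, dport=50000), insp),
        "unsolicited tcp to LAN host": tunnel_inbound_verdict(Pkt("tcp", web, lan_host, sport=40000, dport=22), insp),
        "ping to the router":          tunnel_inbound_verdict(Pkt("icmp", web, router, icmp_type="echo-request"), insp),
        "packet-too-big (PMTUD)":      tunnel_inbound_verdict(Pkt("icmp", "2001:db8::1", lan_host, icmp_type="packet-too-big"), insp),
        "neighbor solicitation":       tunnel_inbound_verdict(Pkt("icmp", "fe80::1", "ff02::1:ff00:2", icmp_type="nd-ns"), insp),
        "non-initial fragment":        tunnel_inbound_verdict(Pkt("udp", web, lan_host, non_initial_fragment=True), insp),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:30s} {verdict}")
```

Run it and the neighbor-solicitation case shows the shadowing: it is denied by sequence 290 even though IOS would otherwise permit it via the implicit entry. The fragment case lands on sequence 500, the only line that logs, so unsolicited fragments are the one class of dropped traffic this policy records.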

Once that was done, I re-enabled the tunnel interface, tested it by pinging a couple of public IPv6 hosts, and verified that everything worked properly.

Next I configured my local network so that any IPv6-enabled devices could make use of the service. I defined the general prefix 2001:470:c4e6::/48 on my router, then assigned a unique /64 to my wired VLAN and to my wireless VLAN (only the wired interface is shown above). For stateless address autoconfiguration to work, the router has to advertise the prefix in its Router Advertisements, so I chose a 4-hex-digit subnet ID for each VLAN and set the resulting /64 as the 'ipv6 nd prefix' on that interface. The IPv6-enabled clients on those segments picked up the new advertisements and configured themselves automatically. Both clients were able to ping my router by global and link-local address and reach a public IPv6 DNS server. I then went to test-ipv6.com and verified my IPv6 connectivity. Everything worked the first time; I was pretty amazed at how simple the setup was.
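As an added example (not from the post), here is what that auto addressing produces, in Python, carrying the post's /48 and the BABB subnet ID through to a client address: it carves the /64 out of the general prefix the way the router does, derives the modified EUI-64 interface identifier a SLAAC host classically forms from its MAC address, and shows the privacy side effect, namely that such an address lets anyone on the Internet read the MAC back out (hosts using RFC 4941 temporary addresses avoid this). The MAC address and the temporary address are constructed values; the /48 and the BABB /64 are the ones in the post.

```python
"""SLAAC addressing under the post's /48. Added example, not from the post;
the MAC address and the temporary address used below are constructed."""
import ipaddress

GENERAL_PREFIX = ipaddress.IPv6Network("2001:470:c4e6::/48")   # 'ipv6 general-prefix TheWaystation'
WIRED_SUBNET_ID = 0xBABB                                         # the 4-hex-digit subnet ID from the post


def subnet_for_vlan(general_prefix: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Carve one /64 out of a /48 by filling in the 16-bit subnet ID (address bits 48-63)."""
    if general_prefix.prefixlen != 48:
        raise ValueError("expects a /48 general prefix")
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet ID must fit in 16 bits")
    return ipaddress.IPv6Network((int(general_prefix.network_address) | (subnet_id << 64), 64))


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 App. A): split the MAC, insert ff:fe, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("need a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """The global address a host forms from an advertised /64 and its MAC."""
    if prefix.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 on-link prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | eui64_interface_id(mac))


def mac_from_address(addr) -> str:
    """Reverse the derivation. Returns None when the interface ID is not
    EUI-64 based (e.g. an RFC 4941 temporary address), which is the point of those."""
    addr = ipaddress.IPv6Address(addr)
    iid = bytearray((int(addr) & ((1 << 64) - 1)).to_bytes(8, "big"))
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    wired = subnet_for_vlan(GENERAL_PREFIX, WIRED_SUBNET_ID)
    host = slaac_address(wired, "00:1b:63:9a:12:34")        # constructed MAC
    print("wired /64:      ", wired)
    print("SLAAC address:  ", host)
    print("MAC recovered:  ", mac_from_address(host))
    print("temporary addr: ", mac_from_address("2001:470:c4e6:babb:1c2d:3e4f:5a6b:7c8d"))
```

The recovered MAC is why the screenshot of a client's autoconfigured address is also a disclosure of its hardware address; if that matters on your network, enable temporary addresses on the clients or use DHCPv6 to hand out non-derived addresses.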

[Screenshot: OS X Advanced Network settings]

Once I had connectivity, it was time to see what IPv6-enabled content was out there to try. I found a site with a list of cool stuff and picked out a live streaming surveillance camera in Amsterdam. I was impressed that I could sustain a 1.5 Mbps video/audio stream over a tunneled connection; it worked pretty well.

Now it is time to start lobbying AT&T to provide native IPv6 support on my DSL line.


Responses

  1. Hi
    I need to do a similar setup at my home. Could you tell me what model of router you are using for this setup? The IPv4 endpoint means the IP address my DSL router gets when it connects to my ISP, isn't it? Can I use my Windows 7 64-bit machine instead of a router to create the required tunnel interface? Thanks. Faheem


  2. […] originally setup IPv6 on my home network using Hurricane Electric’s tunnelbroker.net service. This worked okay for some time, until […]

