IPv6 at home using a tunnel broker

IPv6 is here to stay, so why not get familiar with it before it’s all over the place? I like to play around with different technologies in my home network, because if I mess something up, it is only my home network I bring down, not a production network. As of now, my ISP does not offer IPv6 connectivity to customers like me, even though I have a commercial subscription. Several tunneling mechanisms are built into various operating systems today, but they are not what I am looking for: I want an IPv6 network running on my own gear, not just each PC creating its own dynamic tunnel.

What I needed was an IPv6 tunnel broker, and luckily there are plenty of those out there, for free too! I chose Hurricane Electric (tunnelbroker.net) as my tunnel broker, and I’ve used it for about 4 months now without any problems.

A few requirements have to be met in order to run an IPv6 tunnel: first, you need a static IPv4 address, and second, you need something that can terminate a GRE tunnel.

This is a brief sketch of my setup:

[Image: IPv6Tunnelsetup (sketch of the tunnel setup)]

You need to sign up at Hurricane Electric to get a tunnel going, where you provide some information about who you are and so on. You also need to provide the IPv4 address at which the tunnel will terminate. You can request a /48 address block at your disposal, which I have done. This way I can create various subnets, e.g. DMZ networks.

The next step is to configure the local end of the tunnel. I use a Cisco ASA5505 as my firewall, but unfortunately it cannot terminate a GRE tunnel, so I needed something else to do it. I had a Cisco 1841 router, which would do fine for this job. The 1841 does not have very high throughput, but my Internet connection is a 20/2 Mbps DSL line, so the router will not be the bottleneck here :).

Local tunnel router configuration

[Image: c1841 (Cisco 1841 router)]

The local tunnel router will terminate the GRE tunnel from the tunnel broker, and the configuration for that is quite simple. The inside of the tunnel will be “directly” connected to the IPv6 internet, that is, whatever firewall protects the network for IPv4 is not protecting the IPv6 tunnel endpoint.

I only have one public IPv4 address, so the tunnel router will be placed behind my ASA on a dedicated VLAN and subnet. The IPv6 side of the tunnel will be on a different VLAN and become an outside-ipv6 interface on the ASA. For that I configured an 802.1Q trunk on one of the router’s interfaces. I will use VLAN 4 for IPv4 and VLAN 6 for IPv6 traffic.


interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.4
description Tunnel IPv4 interface
encapsulation dot1Q 4
ip address 192.168.XXX.XXX 255.255.255.252
!
interface FastEthernet0/0.6
description IPv6 Outside to ASA
encapsulation dot1Q 6

Next, make sure the router has IPv6 routing enabled at all, as it is off by default on IOS. Enable it with these commands:


ipv6 unicast-routing
ipv6 cef

Then create a tunnel interface on the router and configure the tunnel mode, source and destination as needed. There is a good guide on Hurricane Electric’s site with the exact commands for your tunnel and your equipment.


interface Tunnel0
description HE IPv6 Tunnel
no ip address
ipv6 address 2001:aaaa:bbbb:cccc::x/64
ipv6 enable
tunnel source 192.168.xxx.xxx
tunnel destination [HE TUNNEL ROUTER]
tunnel mode ipv6ip

Both the tunnel destination address and the IPv6 address for the tunnel interface are provided by the broker.

Hurricane Electric routes the assigned /48 prefix to the tunnel endpoint, and we just need to add a static default route for IPv6 pointing to the tunnel interface.


ipv6 route ::/0 Tunnel0

The tunnel router itself does not need an IPv6 address from your prefix on its inside interface, because the routing towards the ASA is done using link-local addresses. I chose to run OSPFv3 for my IPv6 network, and the configuration is very similar to OSPF for IPv4. The router-id is still in the format of an IPv4 address, and the router process uses the same method to select a router-id if none is set explicitly.


ipv6 router ospf 6
router-id 0.0.0.2
log-adjacency-changes
default-information originate
passive-interface default
no passive-interface FastEthernet0/0.6

Note that no network commands are entered under the router process. Instead, we associate each interface with the router process under the interface configuration, like the following:

interface FastEthernet0/0.6
ipv6 enable
ipv6 ospf 6 area 0

That should be it for the tunnel router configuration.

Configuring the Firewall

[Image: asa5505 (Cisco ASA 5505 firewall)]

On the ASA5505 we need to create the two VLAN interfaces that connect to the tunnel router: one for the IPv4 transit traffic and one for the IPv6 outside.


interface Vlan4
nameif IPv6-Tunnel-TRANSIT
security-level 11
ip address 192.168.xxx.xxx 255.255.255.252
!
interface Vlan6
nameif outside-ipv6
security-level 0
no ip address

An 802.1Q trunk is created on one of the ASA’s switchports, and the two VLANs are allowed on the trunk.


interface Ethernet0/3
description IPv6 Tunnel Router
switchport trunk allowed vlan 4,6
switchport mode trunk

Then network objects are created for both tunnel endpoints, the local router and the tunnel broker’s.


object network dev_IPV6TUNNEL
host 192.168.xxx.xxx
description Local IPv6 Tunnel Router
!
object network ext_HE-TUNNEL-ENDPOINT
host x.y.z.q
description IPv6 Tunnel endpoint for Hurricane Electric

I also created a service object for the tunnel protocol, so I can firewall the IPv4 traffic and only allow protocol number 41 (IPv6 encapsulation) to and from the tunnel router.


object service IPv6IP
service 41
description IPv6 Encapsulation

Now the ACLs are put together. We need to allow the local tunnel router to reach the other end using protocol 41 outbound, and we also need to allow the tunnel broker’s endpoint inbound to the local router, so the tunnel works in both directions regardless of where the traffic is initiated.


access-list OUTSIDE_IN remark Allow IPv6 Tunnel traffic from HE tunnel endpoint to tunnel router
access-list OUTSIDE_IN extended permit object IPv6IP object ext_HE-TUNNEL-ENDPOINT object dev_IPV6TUNNEL
!
access-list IPv6-TUNNEL-TRANSIT_IN remark Allow IPv6 Tunnel router out to HE tunnel endpoint
access-list IPv6-TUNNEL-TRANSIT_IN extended permit object IPv6IP object dev_IPV6TUNNEL object ext_HE-TUNNEL-ENDPOINT
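To make it concrete what these two ACL entries do and do not look at, here is an added Python model (my own code, not configuration from this post or from Cisco). It builds a minimal IPv4 packet carrying an IPv6 packet, i.e. IP protocol 41 as produced by the `tunnel mode ipv6ip` interface above, and evaluates the two permits against constructed packets. All addresses are constructed placeholders standing in for the masked 192.168.xxx.xxx and x.y.z.q values in the post; the ACL names and object names are the ones from the post.

```python
"""Policy check for the IPv4 side of the 6in4 tunnel.

Added example, not configuration or code from the post. It builds a
minimal IPv4 packet carrying an IPv6 packet (IP protocol 41, which is
what "tunnel mode ipv6ip" emits) and evaluates the post's two ACL
entries against constructed packets, to show what the ASA does and
does not filter on this path. All addresses are constructed
placeholders standing in for the post's masked values.
"""
import ipaddress
import struct

# Constructed stand-ins for the post's network objects.
LOCAL_TUNNEL_ROUTER = ipaddress.IPv4Address("192.168.100.2")  # dev_IPV6TUNNEL (real, pre-NAT address)
HE_TUNNEL_ENDPOINT = ipaddress.IPv4Address("203.0.113.10")    # ext_HE-TUNNEL-ENDPOINT (TEST-NET-3)
PROTO_IPV6IP = 41                                             # object service IPv6IP


def ipv4_header(src, dst, proto, payload_len):
    """20-byte IPv4 header without options; checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + payload_len,
                       0, 0, 64, proto, 0, src.packed, dst.packed)


def ipv6_header(src, dst, next_header, payload_len):
    """40-byte IPv6 header (version 6, no traffic class or flow label)."""
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, 64,
                       src.packed, dst.packed)


def encapsulate_6in4(outer_src, outer_dst, inner_ipv6_packet):
    """What the tunnel router does: the IPv6 packet becomes the payload of IPv4 protocol 41."""
    return ipv4_header(outer_src, outer_dst, PROTO_IPV6IP, len(inner_ipv6_packet)) + inner_ipv6_packet


def parse_ipv4(packet):
    """Return the outer header fields the ASA's IPv4 ACLs match on, plus the payload."""
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ver_ihl, total_len, proto, src, dst = fields[0], fields[2], fields[6], fields[8], fields[9]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
            "proto": proto, "payload": packet[ihl:total_len]}


def parse_inner_ipv6(packet):
    """Decode the tunnelled IPv6 header; the IPv4 ACLs never look at this."""
    payload = parse_ipv4(packet)["payload"]
    ver_tc_fl, _, next_header, _, src, dst = struct.unpack("!IHBB16s16s", payload[:40])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("payload is not IPv6")
    return {"src": ipaddress.IPv6Address(src), "dst": ipaddress.IPv6Address(dst),
            "next_header": next_header}


# The post's two ACL entries as (src, dst, proto) permits. ASA 8.3+ ACLs match on
# real (untranslated) addresses, which is why the inbound rule names the router's
# private address rather than the outside interface address it is NATed to.
ACL = {
    "OUTSIDE_IN": [(HE_TUNNEL_ENDPOINT, LOCAL_TUNNEL_ROUTER, PROTO_IPV6IP)],
    "IPv6-TUNNEL-TRANSIT_IN": [(LOCAL_TUNNEL_ROUTER, HE_TUNNEL_ENDPOINT, PROTO_IPV6IP)],
}


def acl_permits(acl_name, packet):
    """Evaluate one ACL against an IPv4 packet; anything unmatched hits the implicit deny."""
    hdr = parse_ipv4(packet)
    return any(hdr["src"] == src and hdr["dst"] == dst and hdr["proto"] == proto
               for src, dst, proto in ACL[acl_name])


# Constructed sample traffic: an ICMPv6 (next header 58) reply from Google's
# resolver to a client in the post's placeholder /64, and the request going out.
CLIENT = ipaddress.IPv6Address("2001:aaaa:bbbb:1::10")
GOOGLE_DNS = ipaddress.IPv6Address("2001:4860:4860::8888")
ECHO_REPLY = ipv6_header(GOOGLE_DNS, CLIENT, 58, 0)
ECHO_REQUEST = ipv6_header(CLIENT, GOOGLE_DNS, 58, 0)

TUNNEL_IN = encapsulate_6in4(HE_TUNNEL_ENDPOINT, LOCAL_TUNNEL_ROUTER, ECHO_REPLY)
TUNNEL_OUT = encapsulate_6in4(LOCAL_TUNNEL_ROUTER, HE_TUNNEL_ENDPOINT, ECHO_REQUEST)
# A plain TCP packet (protocol 6) from HE's address to the router: no matching permit.
TCP_FROM_HE = ipv4_header(HE_TUNNEL_ENDPOINT, LOCAL_TUNNEL_ROUTER, 6, 0)
# Protocol 41 from any other IPv4 source: also no matching permit.
STRANGER_41 = encapsulate_6in4(ipaddress.IPv4Address("198.51.100.7"), LOCAL_TUNNEL_ROUTER, ECHO_REPLY)

if __name__ == "__main__":
    for name, acl, pkt in [("HE -> router, proto 41", "OUTSIDE_IN", TUNNEL_IN),
                           ("router -> HE, proto 41", "IPv6-TUNNEL-TRANSIT_IN", TUNNEL_OUT),
                           ("HE -> router, TCP", "OUTSIDE_IN", TCP_FROM_HE),
                           ("other host -> router, proto 41", "OUTSIDE_IN", STRANGER_41)]:
        print(f"{name:32} {'permit' if acl_permits(acl, pkt) else 'deny'}")
    inner = parse_inner_ipv6(TUNNEL_IN)
    print("inner IPv6 flow not seen by the IPv4 ACL:", inner["src"], "->", inner["dst"])
```

The point the model makes is the one from the tunnel router section: the IPv4 rules pin the outer packet to protocol 41 between exactly two hosts, but they say nothing about the IPv6 packet inside. Whatever arrives from the IPv6 internet is decided on the outside-ipv6 interface, not here.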


[Images: ipv6-acl01, ipv6-acl02 (the two ACL entries as shown on the ASA)]

For now I don’t have any ACL on the IPv6 outside interface, so it uses the implicit rule, which for a security-level 0 interface is to deny everything inbound.

Next is NAT. I only have one public IPv4 address, which is assigned to my outside interface, and I have other services running on it, so I cannot simply make a one-to-one static NAT to the tunnel router. Instead I made a NAT statement that translates any service between the two tunnel endpoints only.


nat (IPv6-Tunnel-TRANSIT,outside) source static dev_IPV6TUNNEL interface destination static ext_HE-TUNNEL-ENDPOINT ext_HE-TUNNEL-ENDPOINT description IPv6 Tunnel to HE

[Image: ipv6-nat01 (the NAT rule as shown on the ASA)]

Now the tunnel should come up, and with a ping from the tunnel router we can verify this.

[Image: ipv6-ping01 (IPv6 ping from the tunnel router)]

Good! On the ASA we need to configure OSPFv3 as well.

ipv6 router ospf 6
router-id 10.0.0.2
passive-interface default
no passive-interface outside-ipv6
log-adjacency-changes

Now the outside-ipv6 interface is added to the OSPFv3 process, so the tunnel router and the ASA become neighbors and exchange routing information. The inside interface is also added to the process and assigned an IPv6 address from a /64 prefix. This is the prefix used by the clients, and it is distributed to the tunnel router by the routing protocol.


interface Vlan6
ipv6 enable
ipv6 ospf 6 area 0
!
interface Vlan1000
ipv6 address 2001:AAAA:BBBB:1::1/64
ipv6 enable
ipv6 ospf 6 area 0

On the tunnel router we can verify that OSPFv3 is running:

[Image: ipv6-ospf01 (OSPFv3 neighbor output on the tunnel router)]

Client configuration

Most newer operating systems don’t need special configuration for IPv6, as they use stateless address autoconfiguration out of the box. To verify connectivity on a Windows 8 box, we can first check whether the system obtained an IPv6 address with the expected prefix.
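Checking the prefix by eye works for one box; the added Python below (my own code, not from the post) does the same check programmatically. It carves the client /64 out of the /48 the broker routes to the tunnel endpoint (the post’s placeholder 2001:aaaa:bbbb::/48), derives the EUI-64 interface identifier a stateless autoconfiguration host forms from its MAC, and classifies an observed address: inside the expected /64 or not, and whether its interface identifier is MAC-derived, in which case the address reveals the hardware address, or randomised. The MAC and the observed addresses are constructed samples.

```python
"""Verify a SLAAC client address against the advertised /64.

Added example, not part of the post. Carves the client /64 out of the
delegated /48 (the post's placeholder 2001:aaaa:bbbb::/48), derives the
modified EUI-64 interface identifier from a MAC, and classifies an
observed address relative to the prefix the firewall advertises.
The MAC addresses below are constructed samples.
"""
import ipaddress

DELEGATED_PREFIX = ipaddress.IPv6Network("2001:aaaa:bbbb::/48")  # placeholder /48 from the post
IID_MASK = (1 << 64) - 1


def client_subnet(delegated, subnet_id):
    """Return /64 number `subnet_id` of the delegated prefix (the post's inside VLAN uses 1)."""
    if not 0 <= subnet_id < 1 << (64 - delegated.prefixlen):
        raise ValueError("subnet id does not fit in the delegated prefix")
    return ipaddress.IPv6Network((int(delegated.network_address) + (subnet_id << 64), 64))


def eui64_interface_id(mac):
    """Modified EUI-64 (RFC 4291 appendix A): insert ff:fe, flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix, mac):
    """Address a SLAAC host without privacy extensions forms in `prefix`."""
    if prefix.prefixlen != 64:
        raise ValueError("SLAAC requires a /64")
    return ipaddress.IPv6Address(int(prefix.network_address) | eui64_interface_id(mac))


def mac_from_slaac(address):
    """Recover the MAC from an EUI-64 interface id; None if the id is not EUI-64 shaped."""
    iid = bytearray((int(ipaddress.IPv6Address(address)) & IID_MASK).to_bytes(8, "big"))
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


def classify(address, expected_prefix):
    """Label an observed address relative to the prefix the firewall advertises."""
    addr = ipaddress.IPv6Address(address)
    if addr not in expected_prefix:
        return "outside expected prefix"
    if mac_from_slaac(str(addr)) is not None:
        return "EUI-64 (MAC-derived)"
    return "non-EUI-64 (randomised or temporary)"


if __name__ == "__main__":
    inside = client_subnet(DELEGATED_PREFIX, 1)          # the post's Vlan1000 prefix
    sample_mac = "00:1c:7f:12:34:56"                     # constructed sample MAC
    formed = slaac_address(inside, sample_mac)
    print("client /64:", inside)
    print("EUI-64 address for", sample_mac, "->", formed, "| MAC recovered:", mac_from_slaac(str(formed)))
    for observed in [str(formed), "2001:aaaa:bbbb:1:a1b2:c3d4:e5f6:789", "2001:aaaa:bbbb:2::5"]:
        print(f"{observed:40} {classify(observed, inside)}")
```

Windows 8 uses randomised interface identifiers by default, so the address in the screenshot will normally classify as non-EUI-64; a host without privacy extensions shows a MAC-derived identifier, which is worth knowing before those addresses start appearing in logs on the IPv6 internet.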

[Image: ipv6-win8 (Windows 8 ipconfig output showing the IPv6 address)]

Next we can ping a public IPv6 address, e.g. one of Google’s DNS servers, google-public-dns-a.google.com, 2001:4860:4860::8888.

[Image: ipv6-win8-ping (ping to 2001:4860:4860::8888 from Windows 8)]

There are several IPv6 testing sites available; some of them cannot be accessed over IPv4 at all, others will tell you whether you have IPv6 or not.

How about performance? Of course there is some performance degradation, because the packets are encapsulated in the tunnel, but it is at an acceptable level. Test results vary from time to time and from testing site to testing site.

This test was made with http://ipv6-test.com/speedtest/

[Image: ipv6-speed-compare01 (ipv6-test.com speed test result)]

This is an IPv4 only test from http://www.speedtest.net/

[Image: ipv6-speed-compare03 (speedtest.net IPv4 result)]

And an IPv6 test from http://www.thinkbroadband.com/speedtest.html

[Image: ipv6-speed-compare02 (thinkbroadband.com IPv6 speed test result)]

That’s it! IPv6 – the internet of tomorrow – today at home… 🙂