azcrumpty's Site

IPv6 Home Network DMZ: IPv6 Ubuntu Router

10/6/2012

 
Figure: IPv6 Ubuntu Linux Router
The basic building block of my IPv6 home network DMZ is the Ubuntu Linux based IPv6 router. The router has four network interfaces: external (eth0), internet-facing tier one (eth1), application logic tier two (eth2), and the database tier three (eth3). All of these functions could have been placed on one host, of course, but doing so would have made for one boring article.

This IPv6 multi-subnet Linux based router runs Ubuntu Server 12.04 in a VirtualBox virtual machine. Setup is simply a matter of enabling IPv6 forwarding (net.ipv6.conf.all.forwarding=1 in the sysctl.conf file) and setting static addresses on the interfaces.

The bind9 and squid3 packages are installed to provide DNS forwarding and HTTP proxying for the DMZ nodes, which have no internet access.

Lastly, the main router needs static routes for the tier networks, since their addresses have to be specified explicitly and I didn't subnet the router interfaces for the tier 1 LAN.

The Squid cache proxy needs a few tweaks to add ACLs for the new subnets. The private block is already included, so I added the tier 1 block to the ACL: acl localnet src fd00::/7 2001:470:f379:31::/64.

NTP is not used here, but other virtual machines may need time synchronization, so plan for it if your clock drifts while running in the virtual machine. You would set their NTP host to the router's address on the corresponding tier network.

I wanted to build an IPv6-only environment, but Ubuntu's repositories don't always respond with AAAA (quad-A) records, so I have to enable IPv4 on eth0 (dhclient eth0) so that the proxy on the router can reach IPv4 sites for updates. This series of articles is configured for IPv6 only, and the firewall script removes the IPv4 interface when run.

The router software was installed with the Basic Server option in the Ubuntu server setup menu. The unique local addresses are not pseudorandom, as RFC 4193 calls for.

/etc/resolv.conf

azcrumpty@tier1# cat /etc/resolvconf/resolv.conf.d/base
nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844
domain chickenkiller.com
search chickenkiller.com

Add Static IPv6 Routes to DD-WRT

Adding a static IPv6 route to your main router may look different from what is shown below.

ip -6 route add 2001:470:f379:30::/62 via 2001:470:f379::30
ip -6 route add fd01:470:f379:30::/62 via 2001:470:f379::30

/etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#iface eth0 inet dhcp
# This is an autoconfigured IPv6 interface
auto eth0
iface eth0 inet6 static
     address 2001:470:f379::30
     netmask 64
     gateway 2001:470:f379::1

auto eth1
iface eth1 inet6 static
     address 2001:470:f379:31::1
     netmask 64

auto eth2
iface eth2 inet6 static
     address fd01:470:f379:32::1
     netmask 64

auto eth3
iface eth3 inet6 static
     address fd01:470:f379:33::1
     netmask 64

/etc/bind/named.conf.options

The forwarders are needed because the IPv6-only network stack prevents some lookups.

options {
     directory "/var/cache/bind";

     // If there is a firewall between you and nameservers you want
     // to talk to, you may need to fix the firewall to allow multiple
     // ports to talk. See http://www.kb.cert.org/vuls/id/800113

     // If your ISP provided one or more IP addresses for stable
     // nameservers, you probably want to use them as forwarders.
     // Uncomment the following block, and insert the addresses replacing
     // the all-0's placeholder.

     // Added Forwarders to an IPv6 Address since it can't reach IPv4
     forwarders {
         2001:4860:4860::8888;
     };

     //========================================================================
     // If BIND logs error messages about the root key being expired,
     // you will need to update your keys. See https://www.isc.org/bind-keys
     //========================================================================
     dnssec-validation auto;

     auth-nxdomain no; # conform to RFC1035
     listen-on-v6 { any; };
};
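As an added example that is not part of the original article, the Python below (standard library only) implements the RFC 4193 section 3.2.2 Global ID derivation that the article notes was skipped for its fd01:470:f379::/48 prefix, and checks that each tier interface above is covered both by the static routes added on the edge router and by the squid localnet ACL. The NTP timestamp and EUI-64 fed to it are constructed sample values.

```python
# Added example, not from the original article: RFC 4193 ULA derivation plus a
# coverage check of the router's tier subnets against the edge static routes
# and the squid localnet ACL quoted in the article.
import hashlib
import ipaddress
import struct

# Values taken from the article's interfaces file, static routes and squid ACL.
TIER_INTERFACES = {
    "eth1": "2001:470:f379:31::1/64",
    "eth2": "fd01:470:f379:32::1/64",
    "eth3": "fd01:470:f379:33::1/64",
}
EDGE_STATIC_ROUTES = ["2001:470:f379:30::/62", "fd01:470:f379:30::/62"]
SQUID_LOCALNET_ACL = ["fd00::/7", "2001:470:f379:31::/64"]


def rfc4193_ula_prefix(ntp_time: int, eui64: bytes) -> ipaddress.IPv6Network:
    """Locally assigned ULA /48 per RFC 4193 section 3.2.2: Global ID is the
    low-order 40 bits of SHA-1(64-bit NTP time || EUI-64) behind fd00::/8."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be exactly 8 bytes")
    digest = hashlib.sha1(struct.pack(">Q", ntp_time) + eui64).digest()
    prefix_bytes = b"\xfd" + digest[-5:] + bytes(10)  # fd + 40-bit GID + zeros
    return ipaddress.IPv6Network((ipaddress.IPv6Address(prefix_bytes), 48))


def unrouted_or_unproxied(interfaces, routes, acl):
    """Return {ifname: (routed, proxied)} for tier subnets that lack either a
    covering static route on the edge router or a squid localnet ACL entry."""
    routes = [ipaddress.ip_network(r) for r in routes]
    # strict=False normalises fd00::/7 (as written in squid.conf) to fc00::/7,
    # the whole RFC 4193 block; squid masks the address the same way.
    acl = [ipaddress.ip_network(a, strict=False) for a in acl]
    problems = {}
    for name, cidr in interfaces.items():
        subnet = ipaddress.ip_interface(cidr).network
        routed = any(subnet.subnet_of(r) for r in routes)
        proxied = any(subnet.subnet_of(a) for a in acl)
        if not (routed and proxied):
            problems[name] = (routed, proxied)
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: an arbitrary NTP timestamp and a made-up EUI-64.
    print(rfc4193_ula_prefix(0xD5F4A7C000000000, bytes.fromhex("0211223344556677")))
    print(unrouted_or_unproxied(TIER_INTERFACES, EDGE_STATIC_ROUTES, SQUID_LOCALNET_ACL))
```

A fourth tier at 2001:470:f379:34::/64 would fall outside the /62 (which spans :30 through :33) and be reported as neither routed nor proxied.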


IPv6 Home Network DMZ: Virtual Machines

10/6/2012

 
The virtual machines are easy to set up with VirtualBox. I didn't use Linux's KVM because the host hardware doesn't support CPU virtualization, but I do have a similar setup with KVM on a computer that does, and I have used this setup with VMware and Virtual PC as well. The router gets four interfaces, each independent of the others; eth0 is bridged to the outside world, and the remaining interfaces are placed on internal networks named for their purpose.
Figure: Virtual IPv6 Router With 3 Tiers
Figure: IPv6 Tier 1 Reverse Proxy On Internal Interface int1
Figure: IPv6 Tier 2 Application Server On Internal Interface int2
Figure: IPv6 Tier 3 MySQL Server On Internal Interface int3

Home Network With IPv6 and Wordpress in DMZ

9/3/2012

 
Figure: IPv6 Wordpress Site
I've been enjoying the end-to-end connectivity I get with IPv6. For many home networkers, this will be the best way to do a home network: just get IPv6 and you have plenty of address space for a place on the web. I have set up a Linux based IPv6 router and a subnet just for the Internet-facing servers. I could filter this subnet at the router so it can't connect to the home LAN. However, I have just begun and have much work to do.

You can view my notes at azcrumpty.mooo.com/, which only works if you have IPv6 setup and working.  If you don't, you may use a gateway azcrumpty.mooo.com.ipv4.sixxs.org/.

My ISP doesn't block the SMTP port (25) on IPv6, so I can run my own mail gateway. If your provider can send to IPv6, which I find many can't, you can email me at ipv6@azcrumpty.mooo.com. The folks at FreeDNS have graciously allowed me to piggyback on their domain.

I will take this server offline after about a month, since the computer it runs on is actually my Linux Mint laptop, which I would like to use as a laptop again. It is virtualized, so I can move it should I wish to keep it running.

Freedom LAN Using an Anonymous Middle Router with Transparent Tor

5/11/2011

 
I have seen many posts discussing providing free Wi-Fi with Tor. I did this a long time ago, and since my external test lab uses a similar concept I decided to show it here. This configuration requires a computer with two network interfaces. I used an old 802.11b transmitter bridged to the LAN interface to connect people to Tor.

You will essentially follow the Middle Box instructions from the Tor web site to make this work.

I used OpenBSD 4.9 for the task, but the instructions show that many operating systems will work. After a clean install, make the torrc, pf.conf, and dhcpd.conf changes. Use static addresses or DHCP at your own discretion. This config assumes interface pcn0 is the gateway, pcn1 is the dhcpd LAN, and both are already configured.

Configure torrc with the transparent mode settings described in the Middle Box guide.
Configure the internal LAN as 192.168.168.55.10.
Configure dhcpd.conf to serve that LAN.
Configure rc.local to start Tor on boot.

Many will use this for free public Wi-Fi through Tor. I use it as the basis of my Tor test network: I set up an internal interface and have a Damn Small Linux virtual machine boot up and get a DHCP assignment from the Tor middlebox. I have said before that Tor can do much more than serve as an anonymizing tool.

Figure: OpenBSD 4.9 running Tor in Transparent Proxy Mode
So, here we see the fruits of our labor. On boot, Tor is running in transparent proxy mode. This is the output you want to see; the daemon log shows bootstrap at 100% when it is ready to do its job.

Figure: OpenBSD with Tor in VirtualBox using Internal LAN
Here, you see the OpenBSD server uses intnet on VirtualBox. This would be your internal physical LAN if you were using a physical server.

Figure: Damn Small Linux (DSL) running in an anonymous LAN
Here is Damn Small Linux with an IP address identification service verifying that we are indeed using the Tor network. You would see the exit node change at regular intervals if you check back every 10 minutes or so.

Home Network Designs That Didn't Make the Cut

4/11/2011

 
I posted my Home Network with DMZ on my blog a few months ago, where I described how I set up a DMZ in my home network. There are so many different ways to do a home network that I could not describe them all; people like short blog posts. I chose this setup for two main reasons:

1) My pfSense server is a very old laptop (purchased in 2000), and I wanted a design that made the laptop easy to swap out should it fail. I can quickly move the Linksys router to the edge of the network if the pfSense server fails.

2) The laptop has two PCMCIA ports, and a network adapter (NIC) fills each port. I could do more with multiple NICs and would have preferred 8 ports on the laptop. I didn't want to use a USB network adapter because the laptop only has the slow USB 1.1 interface.
Figure: Two NAT Devices With Middle DMZ
I contemplated a double NAT configuration, pictured left, with the pfSense router at the network edge in the red zone, a network hub in the middle to service the hosts in the DMZ, and the Linksys router connected via its WAN port. The DMZ servers would sit in the green zone between the two routers, and the inner router would provide firewall and NAT services to the blue zone. I declined this design because there are already enough cables, wires, and lost outlets where the equipment goes; I wanted to keep the design simple and have it consume less power. Also, some software works poorly when positioned behind two NAT routers.

Lastly, my preferred choice was a filtering bridge, pictured below, in place of the Linksys E3000. The filtering bridge would filter the upper portion of the network (.200) as DMZ servers while leaving the lower portion unfiltered. The pfSense box only has two NICs, so I would have needed an extra machine or a separate hub. Again, this design offers too much complexity for home use.

Figure: Filtering using one composite LAN
The first design above lets the user reuse an older 802.11b or 802.11g router, bypassing pfSense. It is cheap and easy to set up, as many people have an old broadband router lying around somewhere. The second design requires more effort and more parts when you have only two ports on the filtering bridge; it also requires writing filtering rules and possibly bridging two physical LANs together. The best feature of the bridge is that it eliminates the need for clients in the green zone to pass through two NATs.
