
IPv6 Home Network DMZ: IPv6 Ubuntu Router

10/6/2012

IPv6 Ubuntu Linux Router
The basic building block of my IPv6 home network DMZ is the Ubuntu Linux based IPv6 router. The router has four network interfaces: external (eth0), internet-facing tier one (eth1), application logic tier two (eth2), and the database tier three (eth3). All of these functions could have been placed on one host, of course, but doing so would have made for one boring article.

This IPv6 multi-subnet Linux router runs Ubuntu Server 12.04 in a VirtualBox virtual machine. Setup is simply a matter of enabling IPv6 forwarding (net.ipv6.conf.all.forwarding=1 in /etc/sysctl.conf) and setting static addresses on the interfaces.

The bind9 and squid3 packages are installed to provide DNS forwarding and HTTP proxying for the DMZ nodes, which have no direct internet access.

Lastly, the main router needs some static routes, since the DMZ network prefixes have to be specified there explicitly and I didn't subnet the router interfaces for the tier 1 LAN.

The Squid cache proxy needs a few tweaks to enable ACLs for the new subnets. The private (unique local) block is already included, so I added the tier 1 block to the ACL: acl localnet src fd00::/7 2001:470:f379:31::/64.

NTP is not used here, but other virtual machines may need time synchronization, so plan for it if your clock drifts while running in the virtual machine. You would set your NTP host to the corresponding router's tier network address.

I wanted to build an IPv6-only environment, but Ubuntu's repositories don't always return quad A (AAAA) records, so I had to enable IPv4 on eth0 (dhclient eth0) so that the proxy on the router can reach IPv4 sites for updates. This series of articles is configured for IPv6 only, and the firewall script removes the IPv4 interface when run.

The router software was installed with the Basic Server option in the Ubuntu server configuration screen. The unique local addresses used here are not pseudorandom, as RFC 4193 calls for.
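The RFC 4193 section 3.2.2 Global ID algorithm the paragraph above refers to, as an added example that is not part of the original article: SHA-1 over the 64-bit NTP time concatenated with the host's EUI-64, low 40 bits, behind fc00::/7 with the L bit set. The MAC and timestamp passed in the demo run are constructed values; global_id() reads the field back so a hand-picked prefix like fd01:470:f379::/48 can be compared with its global counterpart.

```python
import hashlib
import ipaddress
import time
import uuid

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01


def ntp_timestamp(unix_time=None):
    """64-bit NTP timestamp: 32 bits of seconds since 1900, 32 bits of fraction."""
    t = time.time() if unix_time is None else unix_time
    secs = (int(t) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((t - int(t)) * (1 << 32)) & 0xFFFFFFFF
    return (secs << 32) | frac


def eui64_from_mac(mac48):
    """Modified EUI-64 from a 48-bit MAC: flip the U/L bit, insert ff:fe in the middle."""
    b = bytearray(mac48.to_bytes(6, "big"))
    b[0] ^= 0x02
    return int.from_bytes(b[:3] + b"\xff\xfe" + b[3:], "big")


def ula_prefix(unix_time=None, mac48=None):
    """RFC 4193 3.2.2: SHA-1(NTP time || EUI-64), low 40 bits -> fdXX:XXXX:XXXX::/48."""
    if mac48 is None:
        mac48 = uuid.getnode()  # this host's MAC, or a random 48-bit value if none is found
    key = ntp_timestamp(unix_time).to_bytes(8, "big") + eui64_from_mac(mac48).to_bytes(8, "big")
    global_id = int.from_bytes(hashlib.sha1(key).digest()[-5:], "big")  # least significant 40 bits
    # fc00::/7 with the L bit set (-> 0xfd), then the 40-bit Global ID, then a zero subnet ID
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def global_id(prefix):
    """Read back the 40-bit Global ID field (bits 8-47) of a /48 prefix."""
    net = ipaddress.IPv6Network(prefix)
    return (int(net.network_address) >> 80) & 0xFFFFFFFFFF


if __name__ == "__main__":
    # Constructed inputs so the run is reproducible; omit both arguments for a real prefix.
    print(ula_prefix(unix_time=1349481600, mac48=0x080027123456))
    print(hex(global_id("fd01:470:f379::/48")), hex(global_id("2001:470:f379::/48")))
```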

/etc/resolv.conf

azcrumpty@tier1# cat /etc/resolvconf/resolv.conf.d/base
nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844
domain chickenkiller.com
search chickenkiller.com

Add Static IPv6 Routes to DD-WRT

Adding a static IPv6 route to your main router may differ from what is shown below.
ip -6 route add 2001:470:f379:30::/62 via 2001:470:f379::30
ip -6 route add fd01:470:f379:30::/62 via 2001:470:f379::30
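A check, added here and not part of the original article, that the two /62 routes above reach every DMZ tier and that the Squid localnet ACL from earlier in the post admits the tier clients. It uses Python's ipaddress module on the interface addresses from this page and also reports ACL entries written with host bits set (fd00::/7 normalises to fc00::/7).

```python
import ipaddress

# Interface addresses from /etc/network/interfaces on this page (address/prefixlen).
INTERFACES = {
    "eth0 (external)": "2001:470:f379::30/64",
    "eth1 (tier 1)":   "2001:470:f379:31::1/64",
    "eth2 (tier 2)":   "fd01:470:f379:32::1/64",
    "eth3 (tier 3)":   "fd01:470:f379:33::1/64",
}
# The two static routes added on the main (DD-WRT) router.
STATIC_ROUTES = ["2001:470:f379:30::/62", "fd01:470:f379:30::/62"]
# Squid's "acl localnet src" entries from the article.
SQUID_LOCALNET = ["fd00::/7", "2001:470:f379:31::/64"]


def tier_networks(interfaces=INTERFACES):
    """Map interface name -> the on-link /64 derived from its address."""
    return {name: ipaddress.ip_interface(a).network for name, a in interfaces.items()}


def covered_by(net, summaries):
    """Return the first summary prefix (as a string) containing `net`, else None."""
    for s in summaries:
        # strict=False accepts a prefix written with host bits set (fd00::/7)
        # and normalises it to its true network (fc00::/7).
        summary = ipaddress.ip_network(s, strict=False)
        if net.subnet_of(summary):
            return str(summary)
    return None


def route_coverage(routes=STATIC_ROUTES):
    """Which static route reaches each tier; None means the upstream has no route to it."""
    return {name: covered_by(net, routes) for name, net in tier_networks().items()}


def proxy_acl_coverage(acl=SQUID_LOCALNET):
    """Which Squid localnet entry admits each tier as a proxy client; None = denied."""
    return {name: covered_by(net, acl) for name, net in tier_networks().items()}


def sloppy_prefixes(prefixes):
    """(as written, canonical form) for prefixes that have host bits set."""
    out = []
    for p in prefixes:
        try:
            ipaddress.ip_network(p)  # strict: raises ValueError when host bits are set
        except ValueError:
            out.append((p, str(ipaddress.ip_network(p, strict=False))))
    return out


if __name__ == "__main__":
    for name, via in route_coverage().items():
        print(f"{name:18s} route: {via}")
    for name, via in proxy_acl_coverage().items():
        print(f"{name:18s} squid: {via}")
    print("non-canonical ACL entries:", sloppy_prefixes(SQUID_LOCALNET))
```

The external /64 correctly shows no route (it is the upstream router's own link) and no proxy ACL match.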

/etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#iface eth0 inet dhcp
# This is an autoconfigured IPv6 interface
auto eth0
iface eth0 inet6 static
     address 2001:470:f379::30
     netmask 64
     gateway 2001:470:f379::1

auto eth1
iface eth1 inet6 static
     address 2001:470:f379:31::1
     netmask 64

auto eth2
iface eth2 inet6 static
     address fd01:470:f379:32::1
     netmask 64

auto eth3
iface eth3 inet6 static
     address fd01:470:f379:33::1
     netmask 64

/etc/bind/named.conf.options

The forwarders are needed due to the IPv6 only network stack preventing some lookups.

options {
     directory "/var/cache/bind";

     // If there is a firewall between you and nameservers you want
     // to talk to, you may need to fix the firewall to allow multiple
     // ports to talk. See http://www.kb.cert.org/vuls/id/800113

     // If your ISP provided one or more IP addresses for stable
     // nameservers, you probably want to use them as forwarders.
     // Uncomment the following block, and insert the addresses replacing
     // the all-0's placeholder.

     // Added Forwarders to an IPv6 Address since it can't reach IPv4
     forwarders {
         2001:4860:4860::8888;
     };

     //========================================================================
     // If BIND logs error messages about the root key being expired,
     // you will need to update your keys. See https://www.isc.org/bind-keys
     //========================================================================
     dnssec-validation auto;

     auth-nxdomain no; # conform to RFC1035
     listen-on-v6 { any; };
};

Previous: Design
Next: Firewall Rules
