IPv6 Home Network DMZ: IPv6 Ubuntu Router

10/6/2012

IPv6 Ubuntu Linux Router

The basic building block of my IPv6 homenetwork DMZ is the Ubuntu Linux based IPv6 router. The router consists of four network interfaces: external (eth0), internet facing tier one (eth1), application logic tier two (eth2), and a database in tier three (eth3). All of these functions could have been placed on one host, of course, but doing so would have made for one boring article.

This IPv6 multi-subnet Linux based router runs Ubuntu Server 12.04 in a VirtualBox virtual machine. Setup is simply a matter of setting IPv6 forwarding, net.ipv6.conf.all.forwarding=1 in the sysctl.conf file and setting static addresses on the interfaces.

The bind9 and squid3 packages are installed to support domain name service forwarding and http proxying for the DMZ nodes which have no internet access.

Lastly, the main router needs some static routes since the local network addresses need to be specified and I didn't subnet the router interfaces for the tier 1 LAN.

Squid cache proxy needs a few tweaks to enable ACLs for the new subnets. The private block is already included so I added the tier 1 block in the ACLs: acl localnet src fd00::/7 2001:470:f379:31::/64.

NTP is not used here but other virtual machines may need time synchronization so plan for it if your clock drifts while running in the virtual machine. You would set your NTP host to the corresponding router's tier network address.

I wanted to build an IPv6 only environment, but Ubuntu's repository's doesn't always respond with a quad A records (AAAA) so I have to enable IPv4 on eth0 (dhclient eth0) so the proxy on the router can reach IPv4 sites for updates. This series of articles is configured for IPv6 only and the firewall script removes the IPv4 interface when run.

The router software was installed with the Basic Server option menu choice in the Ubuntu server config screen. The unique local addresses are not pseudorandom, as the RFC 4193 calls for.

/etc/resolv.conf

azcrumpty@tier1# cat /etc/resolvconf/resolv.conf.d/base
nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844
domain chickenkiller.com
search chickenkiller.com

Add Static IPv6 Routes to DD-WRT

Adding a static IPv6 route to your main router may be different than what lies below.

ip -6 route add 2001:470:f379:30::/62 via 2001:470:f379::30
ip -6 route add fd01:470:f379:30::/62 via 2001:470:f379::30

/etc/bind/named.conf.options

The forwarders are needed due to the IPv6 only network stack preventing some lookups.

options {
     directory "/var/cache/bind";

     // If there is a firewall between you and nameservers you want
     // to talk to, you may need to fix the firewall to allow multiple
     // ports to talk. See http://www.kb.cert.org/vuls/id/800113

     // If your ISP provided one or more IP addresses for stable
     // nameservers, you probably want to use them as forwarders.
     // Uncomment the following block, and insert the addresses replacing
     // the all-0's placeholder.

     // Added Forwarders to an IPv6 Address since it can't reach IPv4
     forwarders {
         2001:4860:4860::8888;
     };

     //========================================================================
     // If BIND logs error messages about the root key being expired,
     // you will need to update your keys. See https://www.isc.org/bind-keys
     //========================================================================
     dnssec-validation auto;

     auth-nxdomain no; # conform to RFC1035
     listen-on-v6 { any; };
};

Previous: Design

Next: Firewall Rules

Comments are closed.