IPv6 and IPCop firewall
Shadow Hawkins on Monday, 02 October 2006 23:20:32
Let me give you a run down of my network setup:
My PoP is a Cisco 827H ADSL router with an IPv6-ready IOS image.
The tunnel endpoint works fine, and I currently have working IPv6 on the connection from both SixXS and BTExact.
I have a 5 IPv4 address subnet. There are a few on this outside area, but the machine of notice is the IPCop Firewall (v1.4.11) I have in place, for internal and wireless clients.
Behind the IPCop, I have a Linksys WRT54G wireless router, acting purely as an access point. Herein lies my problem:
The machines which have a globally routable IPv4 address (outside the firewall) can obtain an IPv6 address and use the IPv6 connection without incident.
The internal machines only have IPv4 access, due to lack of native support in IPCop for IPv6.
What I want to do:
The Cisco router, being the endpoint for the IPv6 tunnel, handles the IPv6 traffic for my /48 subnet. I would like to extend the IPv6 into my internal network, while still keeping them on IPv4 via the NAT.
Is this a possibility? Is there a better alternative setup that can help this work? Would it be better to switch to a different firewall distribution? Any suggestions would be greatly appreciated.
Thanks in advance!
IPv6 and IPCop firewall
Shadow Hawkins on Wednesday, 11 October 2006 08:05:09
No answers as of yet... figured I'd ask a relevant question in the same thread.
Is it possible to forward IPv6 router advertisements (both for automatic routing and for automatic IP configuration) from a public network to a private network without the luxury of having IPv6 on the firewall separating the two?
I tried enabling the forwarding of IPv6 packets via iptables (not ip6tables) but as of yet I have not seen a global IPv6 address on a private IPv4 machine.
IPv6 and IPCop firewall
Jeroen Massar on Wednesday, 11 October 2006 22:15:54
Forwarding IPv6 RAs is ugly. Setting up a bridge would then become a better solution.
Forwarding IPv6 RAs doesn't work as an RA is a multicast packet in the link-local range. They will thus not get forwarded. Also they have a TTL of 255 and any receiving client MUST check that it is 255 before processing them. This makes sure that they are not sent over a routing hop. Bridging could make this setup work though.
If I were you I'd redesign your network a bit to make native IPv6 available everywhere. Kicking out that firewall and placing it a bit earlier or upgrading it to something that supports IPv6 is the way to go.
Note that when your hosts have IPv6, they are not protected by an IPv4 firewall and thus become as public as having no firewall. You will thus have to set up a firewall policy for IPv6 too to protect your hosts.
I personally am far from a firewalling person, I only block obvious things like samba and that is about it. Good note there, samba is open in IPv6 on Windows XP :)
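As an added illustration (not code from the thread), a receiver-side check of the RFC 4861 rules described above: an RA must arrive with hop limit 255 from a link-local source, so one that has been relayed across a routing hop is discarded. The sample packets are constructed inline, and the ICMPv6 checksum is not verified.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134  # ICMPv6 type for Router Advertisement (RFC 4861)
IPPROTO_ICMPV6 = 58


def parse_ipv6_header(packet: bytes):
    """Return (next_header, hop_limit, src, dst, payload) from a raw IPv6 packet."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    ver_tc_fl, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    return next_header, hop_limit, src, dst, packet[40:40 + payload_len]


def ra_validation_errors(packet: bytes) -> list:
    """Return the RFC 4861 (section 6.1.2) receiver checks the packet fails; empty means valid."""
    next_header, hop_limit, src, dst, payload = parse_ipv6_header(packet)
    errors = []
    if next_header != IPPROTO_ICMPV6:
        return ["next header is not ICMPv6"]
    if len(payload) < 16:
        return ["ICMPv6 RA shorter than 16 bytes"]
    icmp_type, icmp_code = payload[0], payload[1]
    if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT:
        return ["not a Router Advertisement"]
    if hop_limit != 255:
        # A hop limit below 255 proves the packet crossed a router (or was forwarded).
        errors.append(f"hop limit is {hop_limit}, not 255 (packet crossed a router)")
    if icmp_code != 0:
        errors.append("ICMP code is not 0")
    if not src.is_link_local:
        errors.append("source is not a link-local address")
    return errors


def build_ra(src: str, hop_limit: int) -> bytes:
    """Constructed sample: minimal RA to ff02::1 with no options (checksum left at 0)."""
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable time, retrans timer
    icmp = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    header = struct.pack("!IHBB", 6 << 28, len(icmp), IPPROTO_ICMPV6, hop_limit)
    dst = ipaddress.IPv6Address("ff02::1").packed  # all-nodes multicast
    return header + ipaddress.IPv6Address(src).packed + dst + icmp
```

A sound RA from fe80::1 passes, while the same RA with hop limit 254 (as after one forwarding hop) or from a global source is rejected.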
IPv6 and IPCop firewall
Jeroen Massar on Wednesday, 11 October 2006 22:11:42
Having a firewall tool that supports IPv6 is the right way to go.
Otherwise you can set up a tunnel over the firewall onto the other side of the firewall and announce a part of your /48 there.
IPv6 and IPCop firewall
Shadow Hawkins on Wednesday, 11 October 2006 22:53:14
Re: bridge
I just finished doing exactly that. I'm sorta setting up the wireless router to dole out IPv6 addresses from a separate subnet. All the firewalling will be done from the Cisco 827H that I've got running quite nicely. I just finished enabling the IPv6 support on the wireless router (DD-WRT on a Linksys WRT54G v1) and it should work when I get home and plug it in. We'll see what happens. Either I'll get my IP just fine, or I won't get one at all.
In regards to the IPCop firewall, I don't have much of a choice in where it goes right now, since I don't have a DSL modem card. Even then I'd much rather have the Cisco on the border handling the routing and just protect the select few behind that firewall. The servers on the global IPs are a different story entirely.
I will note that I did NOT know that SMB is open on XP in IPv6. Gonna have to firewall that one real fast.
Thanks again, wish me luck :D