Questions about local ipv6 setup

Jon Radel jon at radel.com
Thu Feb 16 22:23:36 UTC 2017


On 2/16/17 11:28 AM, Ernie Luzar wrote:

> 
> Does ipv6 have a range of non-public routeable ipv4 addresses that are
> reserved for LAN use like 10.0.0.0/8 is for ipv4?

Yes, several different flavors, some of which are not directly
comparable to anything in ipv4.

A mandatory address for every ipv6 configured interface is the
link-local address in fe80::/64.  As suggested by the name, this is an
address that is only usable on the LAN the interface is attached to;
these addresses are not routed.  On most modern ipv6 stacks you'll end
up with one of these automatically, with the least significant 64 bits based
on a transformation of the MAC for the interface.  You can, however,
assign a different or additional one of these and use that on the LAN.

Most directly comparable to RFC 1918 addresses would be the unique
local addresses in fc00::/7.  To do it right, you'd use the fd00::/8 half of
that space, concatenated with a different 40-bit pseudo-random number
for each of your LANs.  You could route these anywhere in your network,
but not globally.

After that you get into the weird stuff, such as using ipv4-mapped-ipv6
space for the RFC 1918 numbers.  I can't think of why this wouldn't
work, but certainly haven't tried it.


> 
> Do any of the 3 freebsd firewalls have ability to do ipv6 NAT?

Consider avoiding NAT entirely.  One of the beautiful things about ipv6
is avoiding NAT and all the breakage that results from NAT.  If you're
actually connected to the ipv6 Internet you should have no trouble
getting an address for every device you own many times over.

> 
> Can the default dhcp client handle ipv6?

I believe not but haven't checked recently if that is still true.  But
really, the use case for DHCP is minimal in IPv6.  There are better ways
to dynamically assign addresses unless you have special requirements.
See net/dhcp6 and other ports for more.

> 
> On my host I run ipfilter firewall, I have done nothing to enable ipv6,
> but the daily security email shows a list of ipv6 denied packets. Does
> this mean that ipv6 packets are flowing freely on the public internet?
> 

It possibly just means that something else on your LAN is talking ipv6.
However, it is true that there are an awful lot of ipv6 packets on the
ipv6 Internet--frankly it would be extremely sad if there weren't.
There are even a lot of ipv6 packets on the ipv4 Internet, though
they're all encapsulated in some fashion or another.  But without the
slightest hint as to whether you're connected to the ipv6 Internet, what
type of packets they are, and what address they're coming from, it's
right hard for us to even guess what it all means.

It could be that your local gateway is configured to send out RA (router
advertisement) packets routinely.  See
https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol for more.

> My current goal is to configure ipv6 to work only between my gateway and
> LAN nodes. Have been unable to find an example on how to accomplish this.
> Can anyone point me to such documentation?

Things to try when you've got a bit of ipv6 running:

ndp -a
ndp -an

which show you everything speaking ipv6 on your LAN(s).

ping6
traceroute6

should be obvious.

If during setup you say you want to use ipv6, you should end up with at
very least an fe80:: address, which should be sufficient to talk to
anything else on your LAN that speaks ipv6.  Whether you get more
depends on what your router is configured to do in regards to NDP, etc.,
etc.


-- 
--Jon Radel
jon at radel.com
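The two address derivations the reply describes, the fe80::/64 link-local address built from an interface MAC and the RFC 4193 unique-local prefix built from a 40-bit pseudo-random global ID, as an added worked example (not part of the original thread). The MAC is a constructed sample; `classify()` is a helper added here to name the scope of addresses seen in `ndp -an` output or firewall logs.

```python
import hashlib
import ipaddress
import time
from typing import Optional

# Seconds from 1900-01-01 to 1970-01-01: converts Unix time into the NTP era.
NTP_EPOCH_OFFSET = 2208988800

def modified_eui64(mac: str) -> bytes:
    """64-bit interface identifier from a 48-bit MAC (RFC 4291 Appendix A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert ff:fe in the middle and flip the universal/local bit of the first octet.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]

def mac_to_link_local(mac: str) -> ipaddress.IPv6Address:
    """The fe80::/64 address a SLAAC stack derives from the interface MAC."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + modified_eui64(mac))

def ula_prefix(mac: str, ntp_time: Optional[int] = None, subnet_id: int = 0) -> ipaddress.IPv6Network:
    """RFC 4193 /48 under fd00::/8 plus a 16-bit subnet ID: the /64 for one LAN.

    The 40-bit global ID is the low 40 bits of SHA-1(64-bit NTP time || EUI-64).
    """
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet ID must fit in 16 bits")
    if ntp_time is None:
        now = time.time() + NTP_EPOCH_OFFSET
        ntp_time = (int(now) << 32) | int((now % 1) * (1 << 32))
    digest = hashlib.sha1(ntp_time.to_bytes(8, "big") + modified_eui64(mac)).digest()
    global_id = int.from_bytes(digest[-5:], "big")  # least significant 40 bits
    prefix = (0xFD << 120) | (global_id << 80) | (subnet_id << 64)
    return ipaddress.IPv6Network((prefix, 64))

# The address families the reply walks through; first match wins.
SCOPES = [
    ("link-local", ipaddress.IPv6Network("fe80::/10")),   # in practice only fe80::/64 is used
    ("unique-local", ipaddress.IPv6Network("fc00::/7")),  # fd00::/8 is the half actually assigned
    ("ipv4-mapped", ipaddress.IPv6Network("::ffff:0:0/96")),
]

def classify(addr: str) -> str:
    """Name the scope of an address, e.g. one listed by `ndp -an`."""
    a = ipaddress.IPv6Address(addr)
    for name, net in SCOPES:
        if a in net:
            return name
    return "global"

if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # constructed sample MAC
    print(mac_to_link_local(mac), classify(str(mac_to_link_local(mac))))
    lan = ula_prefix(mac, subnet_id=1)
    print(lan, classify(str(lan.network_address)))
```

Run it once per site and record the generated fd00::/8 prefix; regenerating it on every boot would give each LAN a new prefix.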
