Implementing IPv6 in a hosted virtual lab

Did you know that the IPv6 standard was drafted more than 14 years ago, in Dec 1998? Adoption has grown very slowly since then, but with today's ongoing exhaustion of IPv4 addresses IPv6 is gaining momentum:
  • Almost all important ISPs (Internet Service Providers) and big companies that do business on the Internet already use and support IPv6.
  • More and more other companies and institutions look into implementing IPv6 for their Internet-facing services (mainly public web sites).
  • All modern Operating Systems have built-in support for IPv6. Many of them (including Windows 7/8) have it enabled by default.
IPv6 is inescapable. It's here. It's here to stay. It matters. Are you ready?


My hosted virtual lab ...

This post will not be a primer to IPv6 - there are enough and better sources for this (see the Links section at the end). It is about how I implemented IPv6 in my hosted virtual lab, a project that I spent quite a few days on. So far I was only using IPv4 in this environment: I have one public IPv4 address assigned to the management interface of the physical ESXi host, and a second one assigned to a Linux VM that is running as a masquerading router and firewall for all other VMs (which use private IPv4 addresses). For more details read the first part of my SBHVL post series.

This way I can provide Internet access to all VMs by using only one public IPv4 address. This saves me money (my hosting provider charges for every single additional IPv4 address), but NAT access has its limitations, and the VMs themselves are reachable from the outside only through port forwardings.

IPv6 changes this: My hosting provider assigns a whole public IPv6 /64 subnet to every root server, and they even give you a second /64 subnet for free that is routed through the first one! This is a special offer for people who run virtual machines on their boxes, and enables you to have one VM that is an IPv6 router for all the other VMs.
So this is similar to my IPv4 setup, but this time it is true bidirectional routing without the limitations of NAT!

pfSense - a FreeBSD based firewall and router appliance

Linux - like every modern Operating System - does of course support IPv6, to such an extent that it can be used as a decent IPv6 router. So my first plan was to use the OpenSuSE VM (that was my IPv4 masquerading router) for implementing IPv6 connectivity as well. However, when I looked for ways to configure and manage the needed services through nice GUIs (rather than via error-prone command line tools and manual editing of text files) I found that the available YaST tool does not really support IPv6.

So I looked for an alternative solution that would offer me both IPv4 and IPv6 capable routing and firewall capabilities plus a sophisticated web interface for management, preferably Open Source and available as a VMware virtual appliance ... Was I expecting too much? No, because I found pfSense:

pfSense 2.1 webConfigurator Dashboard
pfSense is a customized distribution of FreeBSD tailored specifically for this purpose. The current stable version (2.0) does not yet support IPv6 though, but the developer branch (2.1) does. Normally you would not trust a beta product for such a security relevant task, but pfSense looked so promising that I gave it a try anyway. Today it covers the following functions in my hosted virtual lab:
  • masquerading IPv4 NAT router and firewall with port forwardings
  • IPv6 router and firewall
  • IPv6 route advertising with radvd
It is capable of much more. I encourage you to look at its feature list if you consider doing something similar.

The Linux box that used to be the IPv4 NAT router before still exists, because it also runs web services that I want to keep separate. It still runs my DNS service (pfSense implements DNS forwarding only) and DHCP services for both IPv4 and IPv6 (I plan to migrate this to pfSense later).
IPv6 is designed to support stateless address autoconfiguration (SLAAC) without the need for a DHCP server. Each client then autoconfigures a valid IPv6 address based on the router advertising the right subnet prefix and its own address as the default gateway. However, I need to make sure that each VM always gets the same IPv6 address, because these addresses are used in firewall rules. This is also possible by using a DHCPv6 server with address reservations - this method is commonly referred to as stateful autoconfiguration.
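To make the SLAAC mechanism described above concrete, here is an added Python script (not from the post) that derives the address a host builds from an advertised /64 prefix and its MAC address using the modified EUI-64 interface identifier (RFC 4291). The prefix and MAC are constructed sample values; hosts that use privacy extensions (RFC 4941) pick random identifiers instead, which is exactly why a fixed address for firewall rules needs DHCPv6 reservations.

```python
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291 appendix A): insert ff:fe in the middle
    of the 48-bit MAC and flip the universal/local bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # universal/local bit is inverted for IPv6 interface IDs
    return bytes(eui)


def slaac_address(advertised_prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host autoconfigures from the /64 prefix in a router
    advertisement (e.g. from radvd) and its own MAC address."""
    net = ipaddress.IPv6Network(advertised_prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a 64-bit prefix, got /%d" % net.prefixlen)
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


if __name__ == "__main__":
    # Constructed sample values: documentation prefix and a VMware-style MAC.
    prefix, mac = "2001:db8:1::/64", "00:0c:29:ab:cd:ef"
    print(f"{mac} in {prefix} -> {slaac_address(prefix, mac)}")
```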

Issues and Caveats

pfSense was easy to set up for the described purposes and works as advertised. While fully implementing IPv6 in my lab I stumbled over a few issues though when configuring all the other VMs and my devices at home as IPv6 clients. I will list them here mainly as a reminder to myself, but it might also help others who run into the same problems, because their resolutions were quite hard to find:
  • If your ISP uses 6to4 tunneling for providing IPv6 access to your home network then you will find that your Windows machines do not prefer IPv6 over IPv4 when a machine on the Internet is accessible through both protocols (Browse to a site like ipv6-test.com to test this). Use the command
       netsh interface ipv6 set prefix 2002::/16 30 1
    to change this (no reboot needed). To revert to the standard behavior use
       netsh interface ipv6 set prefix 2002::/16 30 2
    The full discussion is here on the MS Technet forums.
  • VMware Zimbra does not support IPv6 by default. A post in the Zimbra forums explains how to enable it.
  • The BitNami ownCloud stack is affected by a bug in the underlying Ubuntu Linux (at least version 12.04): If it is configured to get its IPv6 address from a DHCPv6 server then it won't pick up the default route from radvd announcements. Here is the bug report and a workaround that solved the issue for me.
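Why the netsh command above flips the IPv4/IPv6 preference on a 6to4 host can be reproduced offline. This added Python script (not from the post) models the Windows 7 default prefix policy table and the two RFC 3484/6724 destination selection rules that decide this case: rule 5 (prefer a destination whose label matches its source's label) and rule 6 (prefer higher precedence). Host and site addresses are constructed documentation values.

```python
import ipaddress

# Windows 7 default table as printed by "netsh interface ipv6 show prefixpolicies":
# (prefix, precedence, label). The 2002::/16 entry is the one the post changes.
DEFAULT_POLICY = [
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2), ("2001::/32", 5, 5), ("fc00::/7", 3, 13),
    ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12), ("::/96", 1, 3),
]

def as_v6(addr):
    """Treat IPv4 as IPv4-mapped IPv6 so one policy table covers both."""
    ip = ipaddress.ip_address(addr)
    return ip if ip.version == 6 else ipaddress.IPv6Address(f"::ffff:{ip}")

def lookup(policy, addr):
    """Longest-prefix match into the policy table -> (precedence, label)."""
    ip, best = as_v6(addr), None
    for prefix, prec, label in policy:
        net = ipaddress.IPv6Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, prec, label)
    return best[1], best[2]

def pick_source(policy, host_addrs, dest):
    """Source selection, simplified: same address family, matching label first."""
    fam = ipaddress.ip_address(dest).version
    cands = [a for a in host_addrs if ipaddress.ip_address(a).version == fam]
    dest_label = lookup(policy, dest)[1]
    return sorted(cands, key=lambda a: lookup(policy, a)[1] != dest_label)[0]

def order_destinations(policy, host_addrs, dests):
    """Destination selection rules 5 (matching label) and 6 (precedence) only."""
    def key(d):
        prec, label = lookup(policy, d)
        label_mismatch = lookup(policy, pick_source(policy, host_addrs, d))[1] != label
        return (label_mismatch, -prec)
    return sorted(dests, key=key)

def netsh_set_prefix(policy, prefix, precedence, label):
    """Model 'netsh interface ipv6 set prefix <prefix> <precedence> <label>'."""
    return [(p, precedence, label) if p == prefix else (p, pr, lb) for p, pr, lb in policy]

HOST = ["2002:c000:0201::1", "192.0.2.1"]   # constructed: 6to4 address derived from 192.0.2.1
SITE = ["2001:db8::80", "203.0.113.80"]     # constructed: dual-stacked web site

def preferred_destination(policy):
    return order_destinations(policy, HOST, SITE)[0]

if __name__ == "__main__":
    print("default policy prefers:", preferred_destination(DEFAULT_POLICY))
    print("after label 1 prefers: ", preferred_destination(netsh_set_prefix(DEFAULT_POLICY, "2002::/16", 30, 1)))
```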

Conclusion

I learnt a lot (not only) about IPv6 while implementing it in my hosted virtual lab. And it reminded me of the fact that "Learning by doing" is far superior to purely theoretical studies. It's faster and much more fun!

Part of the fun was taking a free online certification course that is offered by the ISP Hurricane Electric (HE):

I strongly recommend looking at their materials if you are an IPv6 newbie and/or want to dive into this topic!

Sources
