image

One of the big things on my todo list for a while now has been to get as many services on my VPS running on IPv6 as possible.

Getting up to speed on v6 is important to me for both personal and professional reasons - however, an important part of testing this is having somewhere to test from.

So for the first part of my challenge, I needed to get IPv6 working at home. Fortunately my ISP has IPv6 available via a tunnel-broker service available two hops away, so it’s almost as good as having it native and far superior to tunneling to HE.net for their otherwise excellent v6 service.

Having recently purchased an awesome Juniper SRX110H-VA for home, I’ve got a great platform for getting IPv6 up and running.

Here’s a somewhat cutdown configuration with all the bits needed to get it working.

interfaces {
    ...
    ip-0/0/0 {
        unit 0 {
            description "iiNet 6RD";
            tunnel {
                source 203.59.XXX.XX;
                destination XXX.X.XXX.XX;
            }
            family inet6 {
                address 2001:4479:cb3b:XXXX::1/64;
            }
        }
    }
    pp0 {
        unit 0 {
            ...
            description "ISP IPv4 Interface";
            family inet {
                filter {
                    input fix-6in4;
                }
                ...
            }
        }
    }
    vlan {
        unit 1 {
            description "Home clients";
            family inet {
                address 10.0.0.254/24;
            }
            family inet6 {
                address 2001:4479:cb3b:XXXX::2/64;
            }
        }
    }
}
security {
    forwarding-options {
        family {
            inet6 {
                mode flow-based;
            }
        }
    }
    zones {
        security-zone world {
            interfaces {
                ip-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            ping;
                        }
                    }
                }
            }
            ...
        }
    }
}
firewall {
    family inet {
        filter fix-6in4 {
            term term1 {
                from {
                    destination-address {
                        203.59.XXX.XX/32;
                    }
                    protocol 41;
                }
                then packet-mode;
            }
            term term2 {
                then accept;
            }
        }
    }
}
routing-options {
    rib inet6.0 {
        static {
            route ::/0 next-hop ip-0/0/0.0;
        }
    }
}
protocols {
    router-advertisement {
        interface vlan.1 {
            prefix 2001:4479:cb3b:XXXX::/64;
        }
    }
}

OK, maybe that wasn’t such a quick snippet, and you’ll want to be putting some zone rules to control what traffic can ingress onto home network - as all machines will autoconfigure their own public IPv6 address. Death to NAT, yeeeeeeah baby.

Anyway, after a lot of messing wondering why things weren’t working - I realised my Ubiquiti WiFi bridges weren’t letting v6 traffic across the links. This is easily fixed by turning on it’s WDS which makes it act like a proper Layer 2 bridge.

So now I can IPv6 at home, and have been able to validate my configuration on my VPS. As of the time of writing, the following services are exposed and configured for IPv6…

  • DNS
  • SMTP & Submission
  • HTTP/SSL
  • IMAP/TLS
  • SSH
  • XMPP

Which is everything! Huzzah. Over the last few days I’ve been tracking and it looks like between 10-50% of my traffic is being delivered via IPv6, which isn’t too suprising.

I suspect that my home connection will be doing somewhere near 80% IPv6 traffic, though I’ve yet to graph that. I also need to get clients performing native IPv6 queries - currently they’re getting their DNS settings via DHCPv4.

And that’s one off the list… I’ve learnt a bit about v6, but excepting my WiFi issues it’s not as scary as everyone makes out (either that, or I’ve got a bit of a dunning-krueger thing going on, which wouldn’t suprise me).