At home i use a Cisco 877 ADSL router with the advanced-ip-services IOS software on it. While the Cisco 800-series routers are quite good, it’s insane that Cisco wants an extra $$$ for the IOS software with IPv6. It definitely should be a default in all CPE devices. On the other hand, Cisco is one of the few with a very nice IPv6 implementation ready whereas other (Chinese, Taiwanese…) vendors only have half of it or none at all. It’s pathetic!

If you want more information on IPv6 i can really recommend you the book by Iljitsch van Beijnum named Running IPv6 which contains all the gory details on every aspect IPv6 has to offer. After reading the book you will notice that IPv6 is definitely not rocket science and it’s very easy to implement.

This is what i want on an IPv6 setup :

• A /48 block of global IPv6 addresses
• Router-advertisements on the LAN so i don’t have to configure them by hand
• A firewall on my router

A firewall? Yes! There’s no NAT anymore with IPv6, so every PC on your LAN gets a public routable IPv6 address which is great but without a decent firewall it’s a potential security risk. Especially because of the different (crappy) firewall implementations on various operating systems (Windows, Mac OS X) we really want this to be done on the router just like a NAT router blocks all incoming and passes all outgoing. I know that you cannot compare a NAT router with a firewall but for the sake of simplicity this is the way it’s going to be.

On the Cisco i have an ADSL line, configured with PPP-over-ATM. I cannot do native IPv6 on the thing right now because i have been pretty lazy on reconfiguring my own DSL line . For now, i’m tunneling IPv6 through a GRE tunnel over IPv4 to a tunnel endpoint at my job premises.

The actual Cisco configuration for the network and routing connections :

ipv6 unicast-routing

This is mandatory! Without this, the Cisco will not do any routing on IPv6

ipv6 cef
interface tunnel1
 no ip address
 ipv6 address 2001:4fff:5:1::1:1/126
 ipv6 enable
 tunnel source
 tunnel destination
!
interface Vlan1
 ipv6 address 2001:4fff:4::1/64
 ipv6 enable
 ipv6 nd prefix 2001:4fff:4::/64
 ipv6 nd advertisement-interval
 ipv6 nd ra interval 4
!

The latter command (ipv6 nd ra interval 4) fixed an annoying problem i had with one of the Windoof Vista hosts on the network.

Alright! We have a running IPv6 configuration with router-advertisements (ipv6 nd) sending to my clients. This way all my clients will have a working IPv6 configuration ready to use.

BUT.. You’re not finished just yet..

Do not forget the firewall step

ipv6 inspect name traffic tcp
ipv6 inspect name traffic udp
ipv6 inspect name traffic ftp
ipv6 inspect name traffic icmp
!
interface tunnel1
 ipv6 traffic-filter tu1-in in
 ipv6 traffic-filter tu1-out out
!
ipv6 access-list tu1-in
 permit icmp any any echo-request
 permit icmp any any echo-reply
 permit tcp 2001:4fff::/32 any eq 22
 evaluate reflectout
 deny ipv6 any any log-input
!
ipv6 access-list tu1-out
 permit icmp any any echo-reply
 permit icmp any any echo-request
 permit tcp any any reflect reflectout
 permit udp any any reflect reflectout
 deny ipv6 any any log-input
!

As you can see, this is a stateful firewall configuration on an IOS device. The reflect rule creates the state and the evaluate (in tu1-in) tries to find a match on the reflect rule. For this to work i found out i needed the ipv6 inspect rules.

And that’s about it! If you have real native-IPv6 on your ethernet router this will even be more easy.

That’s it for today. If you have any comments or things to add, please leave a comment. Awareness for IPv6 is key at this moment!

Today, we’re going to talk about pfSense. A software stateful-firewall based on the excellent pf firewall in FreeBSD. It’s an easy to install from-ISO appliance.

From the pfSense website:

pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution. pfSense is a popular project with more than 1 million downloads since its inception, and proven in countless installations ranging from small home networks protecting a PC and an Xbox to large corporations, universities and other organizations protecting thousands of network devices.

pfSense is a nice piece of software, but the developers don’t seem to be very interested in integrating IPv6 support in the interface. Too bad, because IPv6 is hot and will replace IPv4 within the next few years. I’m not going to integrate IPv6 in the GUI of pfsense with this tutorial, but after following the instructions you will have a working IPv6 router/firewall with support for stateless autoconfiguration. The configuration is built from my own needs, so if it doesn’t match your expectations please add your features.

For this setup i use pfSense 1.2.3-RC1 which is out for quite a while and pretty stable in it’s use.

I’m not going to discuss the installation of pfSense. If you can’t install the pfSense ISO, you shouldn’t be doing IPv6 on it anyway . First of all, make sure you enable SSH in pfSense. You can find the feature at “System” > “Advanced”

After enabling, connect (via SSH) to the pfSense box. Ofcourse, if you’re sitting behind the box you can do it on the console also .

You will be presented a nice text menu:

*** Welcome to pfSense 1.2.3-RC1-pfSense on myFirewall ***

WAN*                     ->    bce0    ->    123.123.123.1
LAN*                     ->    bce1    ->    192.168.0.254

pfSense console setup
***********************
0)  Logout (SSH only)
1)  Assign Interfaces
2)  Set LAN IP address
3)  Reset webConfigurator password
4)  Reset to factory defaults
5)  Reboot system
6)  Halt system
7)  Ping host
8)  Shell
9)  PFtop
10)  Filter Logs
11)  Restart webConfigurator
12)  pfSense PHP shell
13)  Upgrade from console
14)  Disable Secure Shell (sshd)

We want to go to the CLI shell. Select 8.

On my box, i’m using Broadcom network interfaces. On FreeBSD these are named ‘bce0′ and ‘bce1′. You can find the respective names with the ‘ifconfig’ command. On my setup, bce0 is the outside interface and bce1 is the inside interface.
My setup is fully native-IPv6, which means that i’m not doing any tunnelling at all. On the outside interface, i have an IPv6 address from my provider’s /64 block he used for my connection. On the inside, i have  a /64 of IPv6 addresses which are publically reachable (global-unicast). Ofcourse i’m using fake addresses to prevent my firewall being bombed all-over .

Let’s say, these are my network variables :

• The WAN IPv6 network is : 2001:4cb8:a95:1::/64
• The WAN IPv6 address is : 2001:4cb8:a95:1::2
• The WAN IPv6 default gateway is : 2001:4cb8:a95:1::1
• The LAN IPv6 network is : 2001:4cb8:b95:1::/64
• The LAN IPv6 address is : 2001:4cb8:b95:1::1

With this information, we’re going to create our boot-script to configure the interfaces and routing.

cd /usr/local/etc/rc.d
vi 00_config-ipv6-if.sh

#!/bin/sh
#
# IFOUT = outside interface
# IFIN = inside interface
# DFGW = default gateway
IFOUT="bce0"
IFIN="bce1"
DFGW="2001:4cb8:a95:1::1"

####### Configure the stuff

# Configure the interfaces
ifconfig $IFOUT inet6 alias 2001:4cb8:a95:1::2 prefixlen 64
ifconfig $IFIN inet6 alias 2001:4cb8:b95:1::1 prefixlen 64

# Set the default route
route -n add -inet6 default $DFGW

# Configure IPv6 forwarding
sysctl net.inet6.ip6.forwarding=1

# My /etc/rtadvd.conf looks like this
#
# bce1:\
#   :addrs#1:addr="2001:4cb8:b95:1::":prefixlen#64:tc=ether:
#
# Startup rtadvd
/usr/sbin/rtadvd -d -D -c /etc/rtadvd.conf $IFIN

Ok, that’s pretty much all there is to enable IPv6 and configure the static routing to the ISP.
Next, we need to change permissions on this file :

chmod 755 /usr/local/etc/rc.d/00_config-ipv6-if.sh

After bootup, IPv6 will be running on the pfSense box, but it won’t do a thing. This is because we need to change the filter (PF) also. This is going to be our next script.

cd /usr/local/etc/rc.d
vi 10_config-ipv6-pf.sh

#!/bin/sh
#
# IFOUT = outside interface
# IFIN = inside interface
# DFGW = default gateway
IFOUT="bce0"
IFIN="bce1"

####### Configure the stuff

# Configure PF
# pfSense puts it's rules in /tmp/rules.debug for debugging purposes after boot
# We will use these rules, add IPv6 additions, read the config with pfctl and
# disable and enable PF
cat /tmp/rules.debug | sed "/User-defined rules follow/{
p;s/.*/\
pass in quick on $IFIN inet6 from any to any\\
pass out quick on $IFIN inet6 from any to any\\
pass out quick on $IFOUT inet6 from any to any\\
pass quick proto ipv6-icmp from any to any\\
pass in on $IFOUT inet6 proto tcp from any to any port 22\\
/;}" > /tmp/rules.config-ipv6.txt

# Read the new PF configuration file
pfctl -f /tmp/rules.config-ipv6.txt
pfctl -d; pfctl -e

And change the permissions also:

chmod 755 /usr/local/etc/rc.d/10_config-ipv6-pf.sh

Finally, we need to configure the router advertisement daemon (rtadvd) to get stateful autoconfiguration to work.

vi /etc/rtadvd.conf

bce1:\
  :addrs#1:addr="2001:4cb8:b95:1::":prefixlen#64:tc=ether:

After rebooting the pfSense firewall (or run script 00 and 10) IPv6 will work on your box.
But.. when you change filter rules (or anything actually) in the GUI, the filter settings are overwritten and your IPv6 connectivity will break.
After some searching on the box, i noticed that after changing things in the GUI the function filter_configure_sync() is called and the rules will be flushed.
This function can be found in /etc/inc/filter.inc (line 78). In the function, there’s a hook to a plugin directory. When the function filter_configure_sync() is called, the function will look in the /usr/local/pkg/pf directory for scripts, which will be executed. This only happens if scripts end with “.sh” as the extension.
We will symlink the 10_config-ipv6-pf.sh script to this location to make it work.

ln -s /usr/local/etc/rc.d/10_config-ipv6-pf.sh /usr/local/pkg/pf/

Congratulation! You got yourself a working IPv6 setup.

If you want to know more ins and outs about IPv6, i suggest reading the book “Running IPv6″ by Iljitsch van Beijnum. You can find more information at http://runningipv6.net/

But…

Configuring NAT on a J-series Juniper box is pretty well documented in the Juniper documentation. I mean.. VERY well documented in a way nobody seems to get the whole point about NAT’ting on the box.

The most straightforward NAT configuration is never being discussed anywhere in the documentation and that makes it pretty hard to get it to work. After some braincracks, i finally managed to get it to work in a way i want it.

The usual CPE setup applies here, so we have one single public IP address on the outside and an RFC1918 192.168.1.0/24 subnet on the inside interface. Our default gateway resides at 217.1.10.254. Our mailserver is at 192.168.1.254, doing only SMTP.

“NAT the easy way”

remco@router> configure
remco@router# set system host-name myrouter
remco@router# set system domain-name remcobressers.nl
remco@router# set root-authentication plain-text-password

    Enter your password here for root access.

remco@router# set domain-search remcobressers.nl
remco@router# set time-zone Europe/Amsterdam
remco@router# set location country-code nl
remco@router# set system name-server 217.1.10.10 217.1.10.11
remco@router# set system login user remco uid 2000 class super-user authentication plain-text-password

    Enter your user password to enter the CLI.

remco@router# set system services ssh

Alright. We’re all set. Now let’s configure the interfaces. Let’s say ge-0/0/0 is our outside WAN interface and ge-0/0/1 is the inside LAN interface.

remco@router# edit interfaces ge-0/0/0
[edit interfaces ge-0/0/0]
remco@router# set description "WAN"
remco@router# set unit 0 family inet address 217.1.10.1/24

remco@router# top
[edit]
remco@router# edit interfaces ge-0/0/1
[edit interfaces ge-0/0/1]
remco@router# set description "LAN"
remco@router# set unit 0 family inet address 192.168.1.1/24
remco@router# top
[edit]
remco@router# set routing-options static route 0.0.0.0/0 next-hop 217.1.10.1

Ok. Our basic setup is completed. Let’s configure NAT. We have an internal server at 192.168.1.254 which does SMTP, so we need to configure 2 things:

• NAT from LAN to the WAN (overload)
• NAT port forwarding from WAN to 192.168.1.254 SMTP on the LAN

Shouldn’t be to difficult.

remco@router# edit services service-set wan-service-set
[edit services service-set wan-service-set]
remco@router# set nat-rules nat-outgoing
remco@router# set nat-rules nat-incoming
remco@router# set interface-service service-interface sp-0/0/0.0
remco@router# up
[edit services]
remco@router# edit nat
[edit services nat]
remco@router# set pool nat-pool address-range low 217.1.10.1 high 217.1.10.1
remco@router# set pool nat-pool port automatic
remco@router# edit rule nat-outgoing
[edit services nat rule nat-outgoing]
remco@router# set match-direction output
remco@router# set term 1 then translated source-pool nat-pool
remco@router# set term 1 then translated translation-type source dynamic
remco@router# up
[edit services nat]
remco@router# edit rule nat-incoming
[edit services nat rule nat-incoming]
remco@router# set match-direction input
remco@router# set term smtp from destination-address 217.1.10.1/32
remco@router# set term smtp from applications junos-smtp
remco@router# set term smtp then translated destination-prefix 192.168.1.254/32
remco@router# set term smtp then translated translation-type destination static
remco@router# set term other from destination-address 217.1.10.1/32
remco@router# set term other then no-translation

Alright. This looks like a little confusing. It all comes down to the following.

1. Create a service-set named “wan-service-set”, which holds our nat rules “nat-outgoing” and “nat-incoming”. Services needs a virtual services interface. In this case, the default is sp-0/0/0.0.
2. In the NAT configuration, we create a pool, which holds one single public IP address (217.1.10.1). The ports are dynamically assigned.
3. Our outgoing NAT rule is used to translate our internal traffic to the Internet on the public address. Our source pool is the pool we just created.
4. Our incoming NAT rule is used to translate incoming SMTP traffic to our internal SMTP server at 192.168.1.254.
5. We use the application “helper” junos-smtp instead of creating our own application. The result is the same.
6. Other incoming traffic won’t be translated (this is important to include).

We now need to configure the service-set “wan-service-set” to the interface we do the translation on, which is the outside interface ge-0/0/0.

remco@router# top
[edit]
remco@router# edit interfaces ge-0/0/0 unit 0 family inet
[edit interfaces ge-0/0/0 unit 0 family inet]
remco@router# set service input service-set wan-service-set
remco@router# set service output service-set wan-service-set

Alright, that’s about it. You can commit the configuration now with the “commit” command.
Your configuration will now look like this :

remco@router# top
[edit]
remco@router# show

## Last changed: 2008-07-17 21:13:49 CEST
version 9.1R1.8;
system {
    host-name myrouter;
    domain-name remcobressers.nl;
    domain-search remcobressers.nl;
    time-zone Europe/Amsterdam;
    location country-code nl;
    root-authentication {
        encrypted-password "**************"; ## SECRET-DATA
    }
    name-server {
        217.1.10.10;
        217.1.10.11;
    }
    login {
        user remco {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "***********"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh {
        }
    }
}
interfaces {
    ge-0/0/0 {
        description "WAN";
        unit 0 {
            family inet {
                service {
                    input {
                        service-set wan-service-set;
                    }
                    output {
                        service-set wan-service-set;
                    }
                }
                address 217.1.10.1/24;
            }
        }
    }
    sp-0/0/0 {
        unit 0 {
            family inet;
        }
    }
    ge-0/0/1 {
        description "LAN";
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 217.1.10.254;
    }
}
services {
    service-set wan-service-set {
        nat-rules nat-outgoing;
        nat-rules nat-incoming;
        interface-service {
            service-interface sp-0/0/0.0;
        }
    }
    nat {
        pool nat-pool {
            address-range low 217.1.10.1 high 217.1.10.1;
            port automatic;
        }
        rule nat-outgoing {
            match-direction output;
            term 1 {
                then {
                    translated {
                        source-pool nat-pool;
                        translation-type {
                            source dynamic;
                        }
                    }
                }
            }
        }
        rule nat-incoming {
            match-direction input;
            term smtp {
                from {
                    destination-address {
                        217.1.10.1/32;
                    }
                    applications junos-smtp;
                }
                then {
                    translated {
                        destination-prefix 192.168.1.254/32;
                        translation-type {
                            destination static;
                        }
                    }
                }
            }
            term other {
                from {
                    destination-address {
                        217.1.10.1/32;
                    }
                }
                then {
                    no-translation;
                }
            }
        }
    }
}