Noob IPv6 question

I am a home user and am fairly competent using RouterOS. I have an RB450G and 750G.

I'm currently using V5rc7.

My ISP Cox communications in Phoenix Az is about to start a trial of native IPv6 support.

So if I just enable IPv6 on RouterOS, will my router do what is necessary to enable my computers to get a Cox IPv6 address?

If not, what should I need to do? I understand the stuff about tunnels, but I won't need a tunnel in this case?

I'm using XP and have already installed the IPv6 interface (netsh interface ipv6 install).

All of the examples and tutorials here seem to apply to using a tunnel.

That's why I am posting. I can't find any info on doing this for an ISP that provides native IPv6.

I’m not certain how you would go about participating in the Cox trials. I suspect they will use DHCPv6 with prefix delegation. Do you have a link to their trial documentation?

Nope… nothing yet I can find..

DHCPv6… Hmmm… I like learning new things :slight_smile: I will go look it up and see what more I can find out from Cox. I don't think they have started on any residential addresses yet though, just business accounts. Phoenix has started that though, and the infrastructure is in place for my connection. I am DOCSIS 3.0 too.

Obviously I will need a set of firewall rules. State-aware rules. Can I assign a block of IPv6 addresses in the firewall rules? It appears I can. That will be handy.

I dont see support for DHCPv6 in the release notes for 5.0rc…

As Cox will do what most ISPs are doing for IPv6, it might be a good idea to have a thread or example manual page with a how-to on setting up IPv6 for these situations for us noobs.

Sorry for multiple posts…

RouterOS IPv6 neighbors is showing something on the ISP side on ether1 and my computer on ether2. Status “noarp” for both.

Address on the ISP-facing side: ff05::101

My computer shows it has an IPv6 address and it has IPv6 DNS addresses.

But no ping6 to ipv6.google.com. It does seem to find its IPv6 name lookup though, but destination unreachable.

Maybe I just need a firewall rule or 10??

You don’t need a firewall ruleset to establish connectivity. It is, after all, a router out of the box, just like with IPv4. Below is a simple stateful filter set for home routers, though. It assumes ether1 is the WAN interface. There is no DHCPv6, which they will likely require. How else will they route the network for your inside LAN interface to you? They’re not going to do that statically. The tunnel examples apply; it’s just not a tunnel interface, so ignore that part.

/ipv6 firewall filter
add chain=forward connection-state=established action=accept 
add chain=forward connection-state=related action=accept 
add chain=forward connection-state=invalid action=drop 
add chain=forward in-interface=!ether1 action=accept 
add chain=forward action=drop 
add chain=input connection-state=established action=accept 
add chain=input connection-state=related action=accept 
add chain=input connection-state=invalid action=drop 
add chain=input in-interface=!ether1 action=accept 
add chain=input action=drop 

Got any links to their trial program? I’m on Cox in Las Vegas and would love if they did that here. I sent them an email about it but frontline customer support is likely to just go “what are you talking about”.

There is no current support for DHCPv6 in MT. They have promised this in future releases (6-month timeframe). If you are a WISPA member, log into the WISPA member wiki. I posted an example complete configuration (HE.net tunnel) there, including a simple firewall. I also added some explanatory text for each entry.

Hi fewi!

Thanks for the ruleset. It looks basic and simple. Even a noob like me followed those rules.

So… I need an IPv6 DHCP client to do this, huh. Which is what I expected.

I think MT needs to work on DHCPv6 a tad quicker, considering that Cox is already doing business trials, apparently with residential shortly.

I was told over at the Cox dslreports.com forum that an easy way to tell if Cox has upgraded you to an IPv6-capable connection was whether it was DOCSIS 3.0 ready. That does not mean, of course, that they have turned it on, but just that the infrastructure hardware is all ready to go with a flip of a switch, so to speak.

I don’t have links to any info more than press releases about it.
http://www.telecompetitor.com/cox-begins-ipv6-trials/

butche, I am not a WISPA member, but I have done a tunnel before. Been doing those going back years. But here I don't need a tunnel, and that's what is confusing my poor noob brain.

It's really just the DHCPv6 part that I need, then I think I've got it. I don't think it's very hard. Well, actually I don't understand IPv6 well at all yet, but I am hoping that once I get Cox IPv6 native support going I will get to learn lots.

Thanks for the help. Any other suggestions or thoughts, let me know :slight_smile:

If they have allocated you a static IPv6 prefix, then you can just stick an address in that prefix on your LAN interface.

On my home router I have something like this (2001:8b0:XXX is the static prefix my ISP has assigned to me):

/ipv6 address
add address=2001:8b0:XXX::1/64 advertise=yes comment="advertise on lan" disabled=no eui-64=no \
    interface=ether2

This then advertises the prefix to machines on your LAN.

I get a default IPv6 route via my PPPoE client, by checking the Add Default Route button.

Hope that helps

Nick.

Yes that does help. :smiley:

How do I go about discovering what my prefix might be without them telling me? Is there some process or tool I could use to determine what my prefix should be?

It is most likely that they are using DHCPv6 PD (prefix delegation). In this way, they do not have to do static routes for each client. Does Cox use DHCP for their v4 network or is it a PPPoE connection? Either way, check out http://forum.mikrotik.com/t/ipv6-todo/43429/1 for a bit more information on Mikrotik’s v6 release schedule.

Cox supplies IPv4 via DHCP. It’s exceedingly likely they’ll use DHCPv6/PD for IPv6.

Boooooo… Both on the reality that no doubt Cox will use DHCPv6 PD and that I would need to wait for ROS version 6 before I had a DHCPv6 client.

That just takes all the fun outta my day :frowning:

Maybe one of the reasons they are doing a trial with business first is cuz it's static IPs.

XP does not have a DHCPv6 client, so Cox will have to provide one?

I assume that you have the MT connected right now to the Cox network, along with a private interface on your LAN. Your XP machine would be connected via the LAN interface of the MT. (these are just my assumptions). We also have to assume (I think this is a REALLY good guess) that Cox will be offering IPv6 via DHCPv6/PD. What will eventually happen is this:

  1. MT adds support for a DHCPv6 client with PD.
  2. Once this support is added, you will configure the client. Cox will offer you an IP (v6) via that DHCP request and will automatically allocate your subnet as part of the DHCP offer.
  3. Upon acceptance of the offer by MT, Cox will have the routing done automatically and your MT will assign the designated prefix to your LAN interface. This prefix will be assigned in such a way that it will advertise this v6 network on the LAN.
  4. Your XP machine will “discover” and automatically configure itself with an IP (v6) without the need for the MT to support DHCP server (v6).

That’s how PD is imagined to work, anyway. In spite of the fact that v6 has been around for nearly 10 years (in production even), there are still not a lot of factual tests, due in no small part to lack of support by vendors (not just MT).

Hope this helps to clarify. Feel free to ask further questions. FWIW, I am working on a training class for IPv6, which will include this information, along with the lab work of actually building this type of network using MT (when it is supported), Cisco and ImageStream. If this is of interest to you (the training) be sure to visit my website http://www.butchevans.com/ and join my announcements list to get the announcement when the class is available.
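The DHCPv6-PD flow outlined in steps 1 to 4 above, and the static-prefix variant Nick showed earlier in the thread, written out as a RouterOS configuration. This is an added example, not configuration posted by anyone in this thread, and it uses the /ipv6 dhcp-client that only later RouterOS releases provide (not the v5rc7 build discussed here). It assumes ether1 faces Cox, ether2 is the LAN, and the pool name cox-pd is an arbitrary label.

```routeros
# Added example, not from the thread. Assumes ether1 = ISP-facing, ether2 = LAN.
# Let the router accept the ISP's router advertisements and forward IPv6 at all.
/ipv6 settings
set accept-router-advertisements=yes forward=yes

# Step 1/2: DHCPv6 client on the WAN port asking for a delegated prefix (IA_PD).
# The delegated prefix is stored in the address pool "cox-pd" (name is our choice);
# add-default-route installs the upstream default route when the lease is accepted.
/ipv6 dhcp-client
add interface=ether1 request=prefix pool-name=cox-pd pool-prefix-length=64 \
    add-default-route=yes use-peer-dns=yes comment="Cox DHCPv6-PD (assumed)"

# Step 3: carve the first /64 out of the delegated prefix for the LAN and advertise it.
# For a static prefix instead, replace from-pool with the full address, e.g.
# address=2001:8b0:XXX::1/64, exactly as in Nick's post.
/ipv6 address
add address=::1/64 from-pool=cox-pd interface=ether2 advertise=yes eui-64=no \
    comment="first /64 of delegated prefix, advertised via RA"

# Step 4: router advertisements only on the LAN side (never on the ISP port),
# with DNS carried in the RA; hosts autoconfigure (SLAAC), no DHCPv6 server needed.
/ipv6 nd
set [ find ] interface=ether2 advertise-dns=yes \
    managed-address-configuration=no other-configuration=no
```

With the lease in place, `/ipv6 dhcp-client print` shows the delegated prefix, `/ipv6 pool print` shows it as pool cox-pd, and `/ipv6 address print` shows the LAN address filled in from that pool. Restricting the ND entry to ether2 is the part worth checking: an RA leaking out of ether1 would announce your LAN prefix and router to the ISP segment.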

Very nice and simple answer. You make a good trainer :slight_smile:

Wish I could attend, but alas, for just my personal use at home it's hard to justify the expense in these difficult economic times. I am sure, however, there are lots of pros here who will attend, as it would be great to hear from someone who has done this in production environments.

So without a router to do DHCPv6 PD, an XP machine would need to have a client installed by either the customer or the ISP. There are a lot of XP machines out there too.

Security concerns. It seems to me that this shift to IPv6 might be a security risk for client devices and for home networks run by the average user. Right now your typical home user has NAT, and this shields all their devices from direct exposure to the net. Placing every machine the client has directly facing the net via a switch will require each device to have a firewall, with its configuration complexities. For example, if a printer wants to talk to a computer, then the firewall needs to allow only addresses in that prefix for the client. The firewall will need to do all this automagically for most clients. The home is now starting to fill with internet appliances like TVs, AV receivers, iPods/iPads, wifi phones, refrigerators, VoIP, cameras and an ever-growing list. Each device will need its own firewall and DHCPv6, with all the complexities involved in getting that config right. This all being in the hands of completely inexperienced users.

The other serious issue I could see is that each device will have zero-day exploit potential. Inexpensive devices are sure to have holes. Once compromised, the device has access inside the firewall, as it would be a trusted address to the other devices in the prefix, and so you have a compromised network and your machines are exposed.

So it would seem to me that a perimeter firewall is absolutely mandatory. Further, NAT has appeal to me, as it would auto-magically shield all these devices. I suppose good firewall rules would be OK without the need for NAT, but I would think for your average user NAT is more secure, as it would require zero config and would isolate all the devices.

IPv6 has challenges for home users. I see a less secure network unless something is done. It's impossible to rely on an automagic firewall in a $50 camera to protect your network. You cannot expect a client to do anything but plug in a device. Look at unsecured wifi; clients still don't secure them.

This is bound to be an issue for an ISP. Not only in support requests because something does not work, but because of the possible increase in compromised devices and the bandwidth they take up.

These all seem like interesting issues to me. There sure is a place for a router with a good firewall in the future. There is also a place for good training so the support people and engineers know all this stuff.

I think I want NAT and a DHCPv6 server hehehe…

So MT, p l e a s e, let's add DHCPv6 PD sooner rather than later :slight_smile: I want to play with all this stuff now.

It looks like the Astaro OS might have DHCPv6 in beta, and it's free to home users.

IPv6 Program - IPv6 Ready Logo Phase 1 (2010/08/17)

Astaro Security Gateway V8 has been certified with phase 1 of the IPv6 Ready program. This first stage of certification indicates that Astaro Security Gateway includes IPv6 mandatory core protocols and can interoperate with other IPv6 implementations.

Which means it can do these things:
http://www.ipv6ready.org/?page=documents&tag=ipv6-core-protocols

However, it looks like it will take phase 2 certification to get DHCPv6:
http://www.ipv6ready.org/?page=phase-2-tech-info

Specifics here:
http://www.ipv6ready.org/?page=documents&tag=phase-2-dhcpv6

But for free use this OS is fairly amazing for home use:
http://www.astaro.com/landingpages/en-worldwide-homeuse

Of course I can't use it, as I am using an RB450G and 750G, and dedicating a computer to this is a bit overboard for home use. Mainly cuz I would need 2 gigabit networking cards and a fairly reliable computer.

But wow, free for home use, this software has a lot of features. It is pricey, however, for real pro use, that's for sure.
http://www.astaro.com/products/astaro-security-gateway-software-appliance

I still like the idea of running a dedicated hardware router like the 450G over using a PC.

Full list of routers already approved for Phase 2 certification:

https://www.ipv6ready.org/db/index.php/public/search/?pc=2&ap=2&o=9&do=1&lim=25&p=0

You know… looking at this list I feel left out… D-Link, Netgear, Cisco, all with home routers that have Phase 2 certification.

I think MT needs to look seriously at getting to Phase 2 level…

$#%@$@ a $35 router is available that is Phase 2 compliant:

http://www.dlink.com/products/?pid=565

But I don't think it has DHCPv6, maybe…

Yea, this DIR-615 $30 D-Link router supports DHCPv6:

http://support.dlink.com/emulators/DIR615_revc/310NA/support_adv.htm#ipv6

So without a router to do DHCPv6 PD, an XP machine would need to have a client installed by either the customer or the ISP.

Router will receive prefix delegation from ISP using DHCPv6. And for local network DHCPv6 is not necessary, autoconfiguration is enough for clients (for home use) and it’s supported by XP.

Security concerns. It seems to me that this shift to IPv6 might be a security risk for client devices and for home networks run by the average user.

Today’s average users have NATs, personal firewalls, resident antiviruses, and they still somehow manage to get their PCs infected by all kinds of crazy stuff, so it doesn’t seem like a big difference to me. :wink:

So it would seem to me that a perimeter firewall is absolutely mandatory. Further, NAT has appeal to me, as it would auto-magically shield all these devices.

What’s protecting you is not NAT. It’s the firewall. You can easily get the same effect with IPv6. On your router, just allow all established and related connections in any direction and all outgoing connections, and drop the rest (unsolicited incoming connections), and you’re set. Except that it breaks end-to-end connectivity, the long-lost great feature from the past that IPv6 should restore. Hopefully no home router manufacturer will use this as the default settings.

It's impossible to rely on an automagic firewall in a $50 camera to protect your network.

All such devices need is some sensible defaults, e.g. a configuration interface accessible only from the local subnet.
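The "allow established/related and outgoing, drop unsolicited inbound" policy described in the reply above is the same one fewi's ruleset earlier in the thread implements. As an added example (not configuration posted by anyone in the thread), here is that policy with the two things a pure state-tracking filter silently breaks put back: the ICMPv6 that neighbor discovery, router advertisements and path-MTU discovery depend on, and the DHCPv6 replies the router's own client needs. It assumes ether1 faces the ISP and the LAN is on ether2; rule order matters, since RouterOS evaluates top to bottom.

```routeros
# Added example, not from the thread. Assumes ether1 = ISP-facing, everything else = LAN.
/ipv6 firewall filter
# --- input: traffic addressed to the router itself ---
add chain=input connection-state=established,related action=accept comment="replies to the router's own traffic"
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmpv6 action=accept comment="ND, RA, packet-too-big, ping: IPv6 does not work without these"
add chain=input in-interface=ether1 protocol=udp src-address=fe80::/10 dst-port=546 action=accept \
    comment="DHCPv6 server replies to our client, link-local source only"
add chain=input in-interface=!ether1 action=accept comment="LAN may manage the router"
add chain=input action=drop comment="anything else arriving from the ISP side"
# --- forward: traffic between LAN hosts and the Internet ---
add chain=forward connection-state=established,related action=accept comment="return traffic for LAN-initiated flows"
add chain=forward connection-state=invalid action=drop
add chain=forward protocol=icmpv6 action=accept comment="PMTU discovery must reach LAN hosts or large transfers stall"
add chain=forward in-interface=!ether1 action=accept comment="LAN-originated outbound (end-to-end for what you start)"
add chain=forward action=drop comment="unsolicited inbound to LAN hosts"
```

To confirm the filter behaves as intended, watch the counters with `/ipv6 firewall filter print stats` while a LAN host runs `ping6` to an outside address: the ICMPv6 and established/related rules should count up, and the final drop rules should only count packets nobody on the LAN asked for. If you later want to open a single service to the outside, add an `action=accept` rule with `dst-address` and `dst-port` above the last forward drop rather than loosening the drop itself.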