
On one side I have an Ubuntu server in a data center that has IPv6 connectivity. The eth0 interface has a public IPv4 and also a public IPv6 /48. From that server I can ping IPv6 addresses OK.

On the other side I have a home network on an IPv4-only ISP. The router is a Mikrotik and receives a dynamic IPv4 from the ISP. Then the router serves as DHCP server for an IPv4 LAN with private addresses.

I want to build a tunnel between the server and the home network.
I want the nodes in the LAN to get IPv6 connectivity from that range attributed to the server.
It would be better if one node could act as the local end to the tunnel and also as a router (preferably the Mikrotik router but I can also dedicate an Ubuntu on the local network to that task if it is easier) and the rest of the nodes get their configuration automatically. But I am also ready to consider each local node making its own tunnel with the server if that makes more sense.

Constraints:
I have read about many different ways to tunnel IPv6 but none was describing this exact situation. I don't want to use Teredo, nor a tunnel broker.
I would like the server to only accept connections from the nodes on the local network which does not have a fixed IPv4 so some sort of authentication should probably occur. Maybe through OpenVPN or similar.
I can configure some nodes to a good extent like the Linux ones, but there are other nodes on the LAN like an iPad that are not as easy to tweak and should receive their config automatically if possible. But if only the Linux nodes are connected it is also OK.

What would be a sensible way to build it and its corresponding configuration?

Bastian
  • Leaving the rest of this aside, if your public server really has a `/128` v6 address, then yes, it means you do only have a single v6 address. Does that render the rest of the question moot? – MadHatter Nov 19 '15 at 11:45
  • If they say you have a `/128`, then what they really mean might be that they have allocated **one** IPv6 address to you on a `/64` link, which is shared with other customers. To configure your own tunnel server you need a routed prefix (preferably `/63` or shorter) - not just a link prefix. Using the `/sbin/ifconfig` command on the server will tell you how the link is configured, but it won't show you whether a prefix is routed to your server. – kasperd Nov 19 '15 at 12:16
  • Indeed the /128 worries me. I have to get in touch with the ISP to understand exactly what they allocate (it is not clear in the contract nor admin panel). My previous ticket with them has been sitting open for 2 days now so I don't expect a quick answer. But I am definitely interested in building this and if I have to get extra IPs I will consider it. So yes, please, if you have possible answers, go ahead! – Bastian Nov 19 '15 at 14:14
  • It looks like I can use the /64. I have a v6 IP that ends in ::1/128 and I have tried to add one in ::2/128 and I can ping it and connect through ssh to the server with that IP from the outside IPv6 world. I'm editing my question to reflect that. – Bastian Nov 19 '15 at 14:40
  • @Bastian There are hacks, which will allow you to use a link prefix as if it was a routed prefix. There are some drawbacks to that, so it is really not in anybody's interest to do so. However some providers are a bit lame and refuse to provide a routed prefix, so in those cases you may need such hacks. – kasperd Nov 19 '15 at 15:25
  • @kasperd Thanks for the idea, I hope I don't have to get to that point! After playing a bit, it really looks like the server gets automatically configured with a /128 but the whole /64 is routed towards the server. So let's go with it. – Bastian Nov 19 '15 at 16:00
  • @Bastian I'm not sure the prefix is routed to the server. More likely it is routed to the ISP router and configured as a link prefix. Try dumping the network traffic on your server while you ping a random address in the prefix from outside. This command could work: `tcpdump -ni eth0 icmp6` If it is a link prefix, the ISP router will send neighbor discovery packets to you. If it is a routed prefix, the ISP router will forward the echo request without needing neighbor discovery. You can read more about the difference here: http://serverfault.com/q/684455/214507 – kasperd Nov 19 '15 at 16:11
  • @kasperd thanks for explaining the concept. I have tried the experiment you mentioned and the results confuse me. First I have tried to ping the address that is supposed to be mine and routed, the ::1 and the ping hung for a moment while tcpdump said: ICMP6, neighbor solicitation, who has x:x:x::1, length 32. And then my IP answered the router: ICMP6, neighbor advertisement, tgt is x:x:x::1, length 32. And that's when the ping started to work. Then I tried with random addresses as you suggested and the same neighbor solicitation happened again. I'm not sure what to conclude here. – Bastian Nov 20 '15 at 00:01
  • @Bastian When you say "the same neighbor solicitation" do you mean solicitation for x:x:x::1 or solicitation for the random address which you were trying? – kasperd Nov 20 '15 at 06:34
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/31853/discussion-between-bastian-and-kasperd). – Bastian Nov 20 '15 at 09:54
  • Just to avoid confusion / distraction from the main question: I have access to a /48. And even if this were theoretical I would still be interested in knowing how this setup would work. – Bastian Dec 03 '15 at 11:20
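To make the link-prefix versus routed-prefix test from the comments above mechanical, here is an added example (not code from the question or any commenter) that classifies lines of `tcpdump -ni eth0 icmp6` output. The capture lines are constructed, 2001:db8:1::/64 stands in for the allocated prefix and ::1 for the server's own address; the decisive signal is whether the upstream router sends neighbour solicitations for in-prefix addresses that are not ours.

```python
import ipaddress
import re

# Constructed samples of `tcpdump -ni eth0 icmp6` output (not a real capture).
# 2001:db8:1::/64 stands in for the allocated prefix; ::1 is the server's own address.
LINK_SAMPLE = """\
10:00:01.000100 IP6 fe80::1 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2001:db8:1::1, length 32
10:00:01.000200 IP6 2001:db8:1::1 > fe80::1: ICMP6, neighbor advertisement, tgt is 2001:db8:1::1, length 32
10:00:01.000300 IP6 2001:db8:ffff::5 > 2001:db8:1::1: ICMP6, echo request, id 7, seq 1, length 64
10:00:05.000100 IP6 fe80::1 > ff02::1:ff00:1234: ICMP6, neighbor solicitation, who has 2001:db8:1::1234, length 32
"""
ROUTED_SAMPLE = """\
10:00:01.000100 IP6 fe80::1 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2001:db8:1::1, length 32
10:00:01.000200 IP6 2001:db8:1::1 > fe80::1: ICMP6, neighbor advertisement, tgt is 2001:db8:1::1, length 32
10:00:05.000100 IP6 2001:db8:ffff::5 > 2001:db8:1::1234: ICMP6, echo request, id 7, seq 1, length 64
"""

NS_RE = re.compile(r"neighbor solicitation, who has ([0-9a-f:]+),")
ECHO_RE = re.compile(r"IP6 ([0-9a-f:]+) > ([0-9a-f:]+): ICMP6, echo request")

def classify_prefix(capture, prefix, own_addrs):
    """'link'    : router solicits in-prefix addresses that are not ours (on-link prefix).
       'routed'  : echo requests for such addresses arrive with no solicitation.
       'unknown' : neither pattern seen; ping more addresses or capture longer."""
    net = ipaddress.ip_network(prefix, strict=False)
    own = {ipaddress.ip_address(a) for a in own_addrs}
    solicited, forwarded = set(), set()
    for line in capture.splitlines():
        ns = NS_RE.search(line)
        if ns:
            tgt = ipaddress.ip_address(ns.group(1))
            if tgt in net and tgt not in own:   # solicitation for our own address is normal
                solicited.add(tgt)
            continue
        echo = ECHO_RE.search(line)
        if echo:
            dst = ipaddress.ip_address(echo.group(2))
            if dst in net and dst not in own and dst not in solicited:
                forwarded.add(dst)              # forwarded to us without neighbour discovery
    if solicited:
        return "link"
    if forwarded:
        return "routed"
    return "unknown"
```

Run it against a real capture by reading the tcpdump output into `capture` and passing your actual prefix and configured addresses.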
