The DynDN.eS Blog

About DynDN.eS, eQmail, Gentoo & some other network stuff


Configure IPv6 for DynDN.eS

Using IPv6 with our DynDN.eS service can be a bit more difficult than using IPv4. Following the steps below pragmatically will give a working result. It is beyond the scope of this post to explain the IPv6 protocol or to go deeper into the details of firewall configuration. The goal is to have one unique public IPv6 address for each network interface (or computer). Then the update scripts from the DynDN.eS website work well.

Some of the statements below are not absolutely true, but they hold for the usual situation covered here!

Prerequisites

  1. the DSL connection can do IPv6
  2. usage of a DSL router (here a Fritzbox as example)
  3. the DSL router does IPv6 autoconfiguration

Differences of IPv6

On IPv4 there is one public IP address and all traffic from the internal network is routed using NAT. On IPv6, by contrast, each machine has a public IP address and there is no NAT. Instead, a subnet is routed to the DSL connection. With the IPv6 autoconfiguration feature, a few thousand ;-) computers can easily be used within it. It is important to understand that an IPv6 DSL connection gets a whole subnet assigned, whereas an IPv4 connection uses only a single address.

Another important point is that a network interface always has more than one IPv6 address, at least 2. Most modern operating systems have even more than 2 by default. We can safely ignore any addresses starting with FE80: and/or FD[xx]: here. Some others cannot be ignored, especially a temporary address (see below).

Configure the Fritzbox (DSL router) for IPv6

First of all, enable IPv6, then go to Home → Network → Network Settings → IPv6 Addresses. I recommend the following settings:

  • Unique Local Addresses
    (*) Do not assign unique local addresses (ULA) (not recommended)
  • DHCPv6 Servers in the Home Network
    (*) Disable DHCPv6 server in the FRITZ!Box:
        (*) Enable the M and the O flag in the router advertisement messages of the FRITZ!Box

With these settings the internal network is autoconfigured within the subnet of the current DSL connection. In general, every address in this subnet is publicly reachable, but don't panic: in this state the firewall of the Fritzbox blocks all traffic. Keep in mind that the network is available only within the DSL IPv6 connection.

Disable the temporary IP address

The temporary IPv6 address is meant to be a security feature. I do not want to comment on this. Because we publish our IP address through DNS to allow access from the outside, it is not needed here. Instead, it can cause trouble, so it should be disabled.

Windows

Open a command prompt as administrator and type in the following commands exactly:

netsh interface ipv6 set privacy state=disabled store=active
netsh interface ipv6 set privacy state=disabled store=persistent
netsh interface ipv6 set global randomizeidentifiers=disabled store=active
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent

Restart your network connection(s). To undo the changes, repeat these steps, replacing “disabled” with “enabled”.

Linux

Use the  sysctl  command to check the configuration:

# sysctl -a | grep temp

This gives a detailed output for each network interface. Select the option for an interface or disable the temporary IPv6 address for all:

net.ipv6.conf.all.use_tempaddr = 0

Put this in your sysctl configuration (usually something like /etc/sysctl.d/<file>.conf). Reload the sysctl service. Of course you can restart the machine too, but this is not necessary.
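
An added example (not part of the original post or of the DynDN.eS update scripts): a shell filter that picks the address worth publishing in DNS from `ip -6 -o addr show` output, skipping the FE80: and FD[xx]: addresses and any temporary address, and counts temporary addresses so the sysctl change can be verified. The function names, the interface name eth0 and the sample addresses (documentation prefix 2001:db8::/32) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: choose the IPv6 address to publish via dynamic DNS.
# Input on stdin: output of `ip -6 -o addr show` (one address per line).
# Live use (eth0 is an assumed name): ip -6 -o addr show dev eth0 | pick_public_ipv6

# Print the first global address that is not temporary, deprecated,
# tentative, link-local (fe80::/10) or unique-local (fc00::/7).
pick_public_ipv6() {
    awk '
        $3 != "inet6" || !/scope global/ { next }
        / temporary| deprecated| tentative/ { next }
        {
            split($4, part, "/")                        # drop the prefix length
            addr = tolower(part[1])
            if (addr ~ /^fe[89ab][0-9a-f]:/) next       # link-local
            if (addr ~ /^f[cd][0-9a-f][0-9a-f]:/) next  # ULA
            print addr
            exit
        }'
}

# Count temporary addresses; 0 is expected once use_tempaddr = 0 is
# active and the interface has been restarted.
count_temporary() {
    awk '$3 == "inet6" && / temporary/ { n++ } END { print n + 0 }'
}

# Constructed sample of `ip -6 -o addr show` output, taken before the
# temporary address was disabled. All addresses are made up.
sample_output() {
cat <<'EOF'
1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:db8:1:2:5c1e:9a77:3b0d:41f2/64 scope global temporary dynamic \       valid_lft 6800sec preferred_lft 3200sec
2: eth0    inet6 fd00:aa:bb:0:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr \       valid_lft 6800sec preferred_lft 3200sec
2: eth0    inet6 2001:db8:1:2:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr \       valid_lft 6800sec preferred_lft 3200sec
2: eth0    inet6 fe80::211:22ff:fe33:4455/64 scope link \       valid_lft forever preferred_lft forever
EOF
}

echo "publish: $(sample_output | pick_public_ipv6)"
echo "temporary addresses present: $(sample_output | count_temporary)"
```
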

Configure Portforwarding (Fritzbox)

To allow access from the outside, the firewall on the DSL router has to be opened. In the web interface of the Fritzbox go to Internet → Permit Access → IPv6 → New Device, enter the data and choose the settings as needed. Recommended:

(*) Open firewall only for certain protocols

and activate PING6 too.

Troubleshooting

If you can't reach your host from the outside, make sure that no firewall setting is blocking the traffic. Disable the (local) firewall temporarily. Especially on Windows 7, a new rule may have to be created to allow the ping.

Just to mention it: IMHO the usage of a dynamic DNS with IPv6 does have much more potential than with IPv4!
