Enable IPv6 and forwarding
Edit sysctl.conf
```
root@DB2-router1-debian12:~# nano /etc/sysctl.conf
```
Find net.ipv6.conf.all.forwarding and set it to 1 (takes effect after a reboot).
```
# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1
```
Run sysctl (takes effect immediately)
```
root@DB2-router1-debian12:~# sysctl net.ipv6.conf.all.forwarding=1
```
Check (it must say 1)
```
root@DB2-router1-debian12:~# sysctl net.ipv6.conf.all.forwarding
net.ipv6.conf.all.forwarding = 1
```
Set the router's own address
Edit /etc/network/interfaces
Before (IPv4 only):
```
source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# Link -> PMV, uplink
auto enp0s8
iface enp0s8 inet static
    address 10.107.99.130/30

# AP area DB2, router 1, members connect here
auto enp0s9
iface enp0s9 inet static
    address 10.107.185.1/26
```
After (both IPv4 and IPv6):
```
source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# Link -> PMV, uplink
auto enp0s8
iface enp0s8 inet static
    address 10.107.99.130/30

# AP area DB2, router 1, members connect here
auto enp0s9
iface enp0s9 inet static
    address 10.107.185.1/26
iface enp0s9 inet6 static
    address 2a01:16d:b210::/64
```
- On a router interface I recommend always deploying an IPv6 address with a /64 prefix (if you want to address more devices there) or /128 (if a single management address is enough). Avoid assigning large prefixes such as /40, /44 and /48 unless you really know what you are doing - it causes problems and non-standard behaviour. For example, redistribute static stops working.
Bring the interface down and up again (careful on a production network!)
```
root@DB2-router1-debian12:~# ifdown enp0s9; ifup enp0s9
```
Check
```
root@DB2-router1-debian12:~# ip address show
root@DB2-router1-debian12:~# ping6 2a01:16d:b210::
```
Routing - what will we advertise outward?
Enter a single aggregated route for this router. Its size will be between /40 and /48, depending on the administrator. I recommend /44.
/etc/frr/daemons.conf
```
...
ospf6d=yes
...
```
/etc/frr/frr.conf
Before (IPv4 only):
```
!
! Sample router, area DB2, router 1
!
hostname DB2-router1-debian12
log syslog informational
frr defaults traditional
password free
enable password q7823yfbksldmf872fwfigu3ef97
!
! Public IPv4
ip route 89.200.202.0/28 eth0
!
interface enp0s8
 description Spoj -> PMV, uplink
 ip ospf cost 10
 ip ospf hello-interval 2
 ip ospf dead-interval 6
!
router ospf
 ospf router-id 10.107.185.1
 redistribute static
```
After (both IPv4 and IPv6):
```
!
! Sample router, area DB2, router 1
!
hostname DB2-router1-debian12
log syslog informational
frr defaults traditional
password free
enable password q7823yfbksldmf872fwfigu3ef97
!
! Public IPv4
ip route 89.200.202.0/28 eth0
!
! IPv6: aggregated route for this whole router (advertised outward via OSPF)
ipv6 route 2a01:16d:b210::/44 blackhole
!
interface enp0s8
 description Spoj -> PMV, uplink
 ip ospf cost 10
 ip ospf hello-interval 2
 ip ospf dead-interval 6
 ipv6 ospf6 area 0.0.0.0
 ipv6 ospf6 cost 10
 ipv6 ospf6 hello-interval 2
 ipv6 ospf6 dead-interval 6
 ipv6 ospf6 network point-to-point
!
router ospf
 ospf router-id 10.107.185.1
 redistribute static
 network 10.107.99.134/30 area 0.0.0.0
!
router ospf6
 ospf6 router-id 10.107.185.1
 redistribute static metric-type 1 route-map JEN-VELKY-SUBNETY
!
route-map JEN-VELKY-SUBNETY permit 10
 match ipv6 address prefix-list velikost-40-az-48
!
ipv6 prefix-list velikost-40-az-48 seq 5 permit 2a01:168::/29 ge 40 le 48
```
Check the configuration for errors
```
root@DB2-router1-debian12:~# vtysh -C
root@DB2-router1-debian12:~#
```
No output → it's OK.
Restart FRR
```
root@DB2-router1-debian12:~# systemctl restart frr
```
Addresses for members
Plan
From the subnet 2a01:16d:b210::/44 (area DB2, router 1) we carve out 2a01:16d:b210::/48 (area DB2, router 1, interface enp0s9).
We split this smaller subnet into
- 2a01:16d:b210:0000::/56 - not used
- 2a01:16d:b210:0100::/56 - for member UID2350
- 2a01:16d:b210:0200::/56 - for member UID2351
- 2a01:16d:b210:0300::/56 - for member UID2352
- 2a01:16d:b210:0400::/56 - for member UID2353
DHCPv6 server
We will use the not-quite-mainstream dhcpy6d. Why not one of the "usual" DHCP servers? Because, just as with DHCPv4, we want to identify clients by MAC address. DHCPv6 by design cannot do that (it only knows DUIDs). dhcpy6d is the only software in which MAC addresses (contrary to the RFC) work reliably (on Linux).
Common DHCPv6 servers:
- dhcp6s - DUID only, no MAC
- ISC DHCP - DUID only, and discontinued as of 2022
- ISC Kea - DUID only; theoretically supports MAC, in practice poorly/unusably (the mac-source method "raw" is documented but not implemented, the other methods are unreliable)
Installation
```
root@DB2-router1-debian12:~# apt install dhcpy6d
root@DB2-router1-debian12:~# apt install radvd
root@DB2-router1-debian12:~# apt install sudo
root@DB2-router1-debian12:~# systemctl enable dhcpy6d
```
Edit /etc/dhcpy6d.conf
```
# dhcpy6d configuration for hkfree.org
# 2023 VojtaLhota <vpithart@lhota.hkfree.org>
#
# Please see the examples in /usr/share/doc/dhcpy6d and https://dhcpy6.de/documentation for more information.
#

[dhcpy6d]
# Interface to listen to multicast ff02::1:2.
interface = enp0s9
really_do_it = yes
store_config = file
store_file_config = /etc/dhcpy6d-clients.conf
# SQLite DB for leases and LLIP-MAC-mapping.
store_volatile = sqlite
store_sqlite_volatile = /var/lib/dhcpy6d/volatile.sqlite
log = on
log_file = /var/log/dhcpy6d.log
manage_routes_at_start = yes

#
# Addresses and prefixes for members according to dhcpy6d-clients.conf
#
[class_valid_client]
advertise = addresses prefixes
addresses = hkfree_global_members
prefixes = hkfree_global_members
nameserver = 2a01:168:0:10::f:2 2a01:168:0:10::a
call_up = sudo ip -6 route add $prefix$/$length$ via $router$ dev enp0s9
call_down = sudo ip -6 route delete $prefix$/$length$ via $router$ dev enp0s9

[address_hkfree_global_members]
category = id
pattern = 2a01:16d:b210::$id$
preferred_lifetime = 86400
valid_lifetime = 86400

[prefix_hkfree_global_members]
category = id
pattern = 2a01:16d:b210:$id$::
length = 56
preferred_lifetime = 86400
valid_lifetime = 86400

#
# Unknown MAC addresses: they get an address + prefix from the "f" range for 3 minutes (max 5 minutes)
#
[class_default]
advertise = addresses prefixes
addresses = hkfree_global_neznamy
prefixes = hkfree_global_neznamy
t1 = 180
t2 = 180
# call_up and call_down are deliberately missing here - an unknown MAC address gets no routing
# -> it has to be entered correctly in dhcpy6d-clients.conf, then it will work

[address_hkfree_global_neznamy]
category = range
range = fa00-ff00
pattern = 2a01:16d:b21f::$range$
preferred_lifetime = 180
valid_lifetime = 300

[prefix_hkfree_global_neznamy]
category = range
range = fa00-ff00
pattern = 2a01:16d:b21f:$range$::
length = 56
preferred_lifetime = 180
valid_lifetime = 300
```
Create /etc/dhcpy6d-clients.conf
```
# dhcpy6d configuration for hkfree.org
# 2023 VojtaLhota <vpithart@lhota.hkfree.org>
#
# 1 member = 1 record
#
# [uid2350]                         2350 - member ID according to userdb
# hostname = uid2350
# mac = 08:00:27:1b:36:f9           MAC address of the member's client device
# id = 0700                         0700 - part of the address (bits 49-56), i.e. in the range 0100 - ff00
# class = valid_client
#
# [uid2351]                         2351 - member ID according to userdb
# hostname = uid2351
# mac = 08:03:f3:22:33:54           MAC address of the member's client device
# id = 7a00                         7a00 - part of the address (bits 49-56), i.e. in the range 0100 - ff00
# class = valid_client

[uid2350]
mac = 08:00:27:1b:36:f9
hostname = uid2350
id = 0100
class = valid_client

[uid2351]
mac = 08:00:37:dc:c6:23
hostname = uid2351
id = 0200
class = valid_client
```
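As an added example (not part of the original page or of dhcpy6d), a Python check that reads a dhcpy6d-clients.conf and verifies each record against the plan above: MAC syntax, that id is a /56 boundary within 0100-ff00, no reused MAC or id, and the address and prefix dhcpy6d will derive from it via the patterns in dhcpy6d.conf. The sample config is constructed: the two records from this page plus one deliberately broken record.

```python
"""Added check for /etc/dhcpy6d-clients.conf against this page's addressing plan:
MAC syntax, `id` on a /56 boundary within 0100-ff00, no reused MAC or id, and the
address/prefix dhcpy6d derives via 2a01:16d:b210::$id$ and 2a01:16d:b210:$id$::/56."""
import configparser
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
# Constructed sample: the page's two members plus a broken record (id off the /56 boundary, MAC reused).
SAMPLE_CLIENTS = """
[uid2350]
mac = 08:00:27:1b:36:f9
id = 0100
class = valid_client
[uid2351]
mac = 08:00:37:dc:c6:23
id = 0200
class = valid_client
[uid9999]
mac = 08:00:27:1b:36:f9
id = 0150
class = valid_client
"""

def derive(member_id):
    # Address and delegated prefix that dhcpy6d builds from a member id.
    address = ipaddress.IPv6Address(f"2a01:16d:b210::{member_id}")
    prefix = ipaddress.IPv6Network(f"2a01:16d:b210:{member_id}::/56")
    return str(address), str(prefix)

def validate_clients(conf_text):
    """Return (plan, problems); plan maps record name -> (address, prefix)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    plan, problems, seen_mac, seen_id = {}, [], {}, {}
    for name in cfg.sections():
        mac, member_id = cfg[name].get("mac", "").lower(), cfg[name].get("id", "").lower()
        if not MAC_RE.match(mac):
            problems.append(f"{name}: malformed mac '{mac}'")
        elif mac in seen_mac:
            problems.append(f"{name}: mac {mac} already used by {seen_mac[mac]}")
        seen_mac.setdefault(mac, name)
        value = int(member_id, 16) if re.fullmatch(r"[0-9a-f]{4}", member_id) else -1
        if value & 0xFF or not 0x0100 <= value <= 0xFF00:
            problems.append(f"{name}: id '{member_id}' is not a /56 boundary in 0100-ff00")
            continue  # not a valid /56, nothing sane to derive
        if member_id in seen_id:
            problems.append(f"{name}: id {member_id} already used by {seen_id[member_id]}")
        seen_id.setdefault(member_id, name)
        plan[name] = derive(member_id)
    return plan, problems
```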
Create /etc/sudoers.d/dhcpy6d-can-alter-ipv6-routes
```
# User dhcpy6d can add/remove ipv6 routes
dhcpy6d ALL=NOPASSWD: /usr/sbin/ip -6 route *
```
Note that the trailing wildcard matches any arguments, so this rule lets the dhcpy6d user run any ip -6 route subcommand, not only the add/delete calls used in call_up and call_down.
Create /etc/radvd.conf
```
interface enp0s9
{
    AdvSendAdvert on;
    AdvManagedFlag on;
    MinRtrAdvInterval 30;
    MaxRtrAdvInterval 300;
    prefix 2a01:16d:b210::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
    };
};
```
(Re)start the DHCP server
```
root@DB2-router1-debian12:~# systemctl restart dhcpy6d
```
DHCP server logs:
```
root@DB2-router1-debian12:~# tail -f /var/log/dhcpy6d.log
```
Logs: known client (MAC 08:00:27:1b:36:f9) requests a prefix
```
2023-12-17 16:04:17,425 dhcpy6d INFO SOLICIT | transaction: 4d469f | answer: normal | client_llip: fe80:0000:0000:0000:0a00:27ff:fe1b:36f9 | counter: 1 | duid: 000300010800270aef86 | ia_options: [25] | iaid: 00000002 | interface: enp0s9 | last_message_received_type: 1 | mac: 08:00:27:1b:36:f9 | options_request: [23] | rapid_commit: True
2023-12-17 16:04:17,426 dhcpy6d INFO REPLY | transaction: 4d469f | options: [7, 14, 23, 25] | addresses: 2a01:016d:b210:0000:0000:0000:0000:0100 | client_class: valid_client | hostname: uid2350 | prefixes: 2a01:016d:b210:0100:0000:0000:0000:0000/56
2023-12-17 16:04:17,555 dhcpy6d INFO Called 'sudo ip -6 route add 2a01:016d:b210:0100:0000:0000:0000:0000/56 via 2a01:016d:b210:0000:0000:0000:0000:0100 dev enp0s9' to modify route - result: 0
```
Logs: known client (MAC 08:00:27:1b:36:f9) requests a prefix + address
```
2023-12-17 16:05:26,917 dhcpy6d INFO SOLICIT | transaction: 56026a | answer: normal | client_llip: fe80:0000:0000:0000:0a00:27ff:fe1b:36f9 | counter: 1 | duid: 000300010800270aef86 | ia_options: [3, 25] | iaid: 00000002 | interface: enp0s9 | last_message_received_type: 1 | mac: 08:00:27:1b:36:f9 | options_request: [23] | rapid_commit: True
2023-12-17 16:05:26,921 dhcpy6d INFO REPLY | transaction: 56026a | options: [3, 7, 14, 23, 25] | addresses: 2a01:016d:b210:0000:0000:0000:0000:0100 | client_class: valid_client | hostname: uid2350 | prefixes: 2a01:016d:b210:0100:0000:0000:0000:0000/56
2023-12-17 16:05:27,092 dhcpy6d INFO Called 'sudo ip -6 route add 2a01:016d:b210:0100:0000:0000:0000:0000/56 via 2a01:016d:b210:0000:0000:0000:0000:0100 dev enp0s9' to modify route - result: 0
```
Logs: unknown client requests a prefix + address → gets "fa00" from the catch-all "f" range
```
2023-12-17 16:06:33,509 dhcpy6d INFO SOLICIT | transaction: 570ee2 | answer: normal | client_llip: fe80:0000:0000:0000:0a00:27ff:fe1b:36f0 | counter: 1 | duid: 000300010800270aefd8 | ia_options: [3, 25] | iaid: 00000002 | interface: enp0s9 | last_message_received_type: 1 | mac: 08:00:27:1b:36:f0 | options_request: [23] | rapid_commit: True
2023-12-17 16:06:33,510 dhcpy6d INFO REPLY | transaction: 570ee2 | options: [3, 7, 14, 25] | addresses: 2a01:016d:b21f:0000:0000:0000:0000:fa00 | client_class: default_enp0s9 | prefixes: 2a01:016d:b21f:fa00:0000:0000:0000:0000/56
```
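As an added example (not from the page or from dhcpy6d), a Python parser for log lines in the format above that joins SOLICIT/REPLY pairs by transaction and audits each lease against the mac → id table from dhcpy6d-clients.conf, flagging unknown MACs served from the "f" range and known MACs that received an address other than the one derived from their id. The sample log is constructed from the page's lines (some fields trimmed) plus one made-up transaction with a mismatching address.

```python
"""Added parser for dhcpy6d.log lines as shown above: SOLICIT/REPLY pairs are joined by
transaction id and audited against dhcpy6d-clients.conf (mac -> id) to flag unknown MACs
served from the catch-all range and known MACs whose REPLY address does not match."""
import ipaddress
import re

UNKNOWN_RANGE = ipaddress.IPv6Network("2a01:16d:b21f::/48")  # "f" range from dhcpy6d.conf
LINE_RE = re.compile(r"^\S+ \S+ dhcpy6d INFO (?P<kind>SOLICIT|REPLY) \| (?P<body>.*)$")
CLIENTS = {"08:00:27:1b:36:f9": "0100", "08:00:37:dc:c6:23": "0200"}  # mac -> id from clients.conf
# Constructed sample in the page's log format (some fields trimmed); the last pair is
# made up to show a known MAC being handed an address that is not its own.
SAMPLE_LOG = """
2023-12-17 16:04:17,425 dhcpy6d INFO SOLICIT | transaction: 4d469f | answer: normal | ia_options: [25] | interface: enp0s9 | mac: 08:00:27:1b:36:f9
2023-12-17 16:04:17,426 dhcpy6d INFO REPLY | transaction: 4d469f | addresses: 2a01:016d:b210:0000:0000:0000:0000:0100 | client_class: valid_client | hostname: uid2350 | prefixes: 2a01:016d:b210:0100:0000:0000:0000:0000/56
2023-12-17 16:04:17,555 dhcpy6d INFO Called 'sudo ip -6 route add 2a01:016d:b210:0100:0000:0000:0000:0000/56 via 2a01:016d:b210:0000:0000:0000:0000:0100 dev enp0s9' to modify route - result: 0
2023-12-17 16:06:33,509 dhcpy6d INFO SOLICIT | transaction: 570ee2 | answer: normal | ia_options: [3, 25] | interface: enp0s9 | mac: 08:00:27:1b:36:f0
2023-12-17 16:06:33,510 dhcpy6d INFO REPLY | transaction: 570ee2 | addresses: 2a01:016d:b21f:0000:0000:0000:0000:fa00 | client_class: default_enp0s9 | prefixes: 2a01:016d:b21f:fa00:0000:0000:0000:0000/56
2023-12-17 16:07:01,000 dhcpy6d INFO SOLICIT | transaction: deadbe | answer: normal | ia_options: [3, 25] | interface: enp0s9 | mac: 08:00:37:dc:c6:23
2023-12-17 16:07:01,001 dhcpy6d INFO REPLY | transaction: deadbe | addresses: 2a01:016d:b210:0000:0000:0000:0000:0100 | client_class: valid_client | hostname: uid2351
""".strip().splitlines()

def parse_fields(body):
    """'k: v | k: v' -> dict; values keep their textual form."""
    return {k.strip(): v.strip() for k, v in (f.split(":", 1) for f in body.split(" | ") if ":" in f)}

def parse_transactions(lines):
    """Group SOLICIT and REPLY by transaction id; 'Called ...' route lines are skipped."""
    txns = {}
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            fields = parse_fields(m.group("body"))
            txns.setdefault(fields["transaction"], {})[m.group("kind")] = fields
    return txns

def audit(lines, clients):
    """Return {transaction: finding} for the leases an operator should look at."""
    findings = {}
    for txn, msgs in parse_transactions(lines).items():
        if "SOLICIT" not in msgs or "REPLY" not in msgs:
            continue
        mac = msgs["SOLICIT"]["mac"]
        addr = ipaddress.IPv6Address(msgs["REPLY"]["addresses"].split()[0])
        if mac not in clients:
            where = "catch-all range" if addr in UNKNOWN_RANGE else "UNEXPECTED range"
            findings[txn] = f"unknown mac {mac} got {addr} from {where}"
            continue
        expected = ipaddress.IPv6Address(f"2a01:16d:b210::{clients[mac]}")
        if addr != expected:
            findings[txn] = f"{mac} got {addr}, expected {expected}"
    return findings
```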