IPv6 only for the enterprise

This text was inspired by https://labs.ripe.net/Members/mirjam/ipv6-only-at-microsoft

The idea was to use Windows 10 for this test, but since the Windows 10 Anniversary Update broke DHCPv6 in Windows 10, I had to stick with MacOS Sierra 10.12.3.
None of the names or addresses shown are from my real setup.

Here is my setup. I created an IPv6-only network with NAT64/DNS64 enabled. I use an internal DNS/DNS64 resolver as the forwarder in my Fortigate so I can resolve our Active Directory and other internal resources.

IPv6-only Interface

I’m using both SLAAC and DHCPv6, in case some equipment can’t get an address from DHCPv6, and the O flag so clients fetch the DNS server from DHCPv6.

config system interface
    edit "ipv6-only"
        config ipv6
            set ip6-address 2001:db8:101::1/64
            set ip6-send-adv enable    <- enable RA
            set ip6-manage-flag enable <- enable M flag
            set ip6-other-flag enable  <- enable O flag
            config ip6-prefix-list
                edit 2001:db8:101::/64
                    set autonomous-flag enable <- enable SLAAC
                    set onlink-flag enable
                next
            end
        end
    next
end

Local DHCPv6 server

config system dhcp6 server
    edit 1
        set domain "our.ad.name"
        set subnet 2001:db8:101::/64
        set interface "ipv6-only"
        config ip-range
            edit 1
                set start-ip 2001:db8:101::8
                set end-ip 2001:db8:101::ff
            next
        end
        set dns-server1 2001:db8:101::1
    next
end

Set up the Fortigate’s system DNS

config system dns
    set primary 192.168.100.2
    set ip6-primary 2001:db8:100::2
end

Enable NAT64

“set always-synthesize-aaaa-record disable” is important if you want to use your native IPv6. If that option is left enabled, every DNS answer will be rewritten with the NAT64 prefix 64:ff9b::, even for hosts that already have native AAAA records.

config system nat64
    set status enable
    set always-synthesize-aaaa-record disable
end

Enable DNS-resolver with DNS64 on IPv6-only Interface

config system dns-server
    edit "ipv6-only"
        set mode forward-only
    next
end
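To make the effect of the always-synthesize-aaaa-record setting and the DNS64 forwarder concrete, here is an added Python model (my own example, not Fortigate code) of what a DNS64 resolver answers for a name under both settings, plus a helper that pulls the embedded IPv4 address back out of a 64:ff9b:: destination when reading firewall logs from the IPv6-only segment. The record values are constructed samples from the documentation ranges.

```python
import ipaddress
from typing import List, Optional

# Well-known NAT64 prefix (RFC 6052) that the Fortigate uses for synthesis.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4: str) -> str:
    """Map an IPv4 address into the NAT64 /96, exactly as DNS64 does.

    The 32-bit IPv4 address becomes the low 32 bits of the IPv6 address,
    so 192.0.2.2 -> 64:ff9b::c000:202 (also written 64:ff9b::192.0.2.2).
    """
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(NAT64_PREFIX.network_address) | v4))


def dns64_answer(native_aaaa: List[str], a_records: List[str],
                 always_synthesize: bool) -> List[str]:
    """Model the AAAA answer a DNS64 resolver returns for one name.

    always_synthesize=False (the setting used above): native AAAA records
    win and synthesis only happens for IPv4-only names.
    always_synthesize=True: every answer is rewritten to the NAT64 prefix,
    so even dual-stacked hosts are reached through the translator.
    """
    if native_aaaa and not always_synthesize:
        return list(native_aaaa)
    return [synthesize_aaaa(a) for a in a_records]


def embedded_ipv4(ipv6: str) -> Optional[str]:
    """Return the IPv4 address inside a NAT64-synthesized address, or None.

    Handy when reviewing NAT64 policy logs: a destination of
    64:ff9b::c000:202 is really a session to 192.0.2.2.
    """
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in NAT64_PREFIX:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


if __name__ == "__main__":
    # Constructed sample records, not real hosts.
    print(dns64_answer([], ["192.0.2.2"], always_synthesize=False))
    print(dns64_answer(["2001:db8:100::2"], ["192.0.2.2"], always_synthesize=False))
    print(dns64_answer(["2001:db8:100::2"], ["192.0.2.2"], always_synthesize=True))
    print(embedded_ipv4("64:ff9b::192.0.2.2"))
```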

After this setup I had to create IPv6 and NAT64 policies and those are not included in this example.

My first impression is that it works great, and it’s only my printer in the normal office network that doesn’t work. Bonjour across L3 isn’t the greatest thing… :) (it can be fixed with some DNS magic…)
Everything else works great as long as there is a DNS RR for the things I connect to. I can map disks on our server as normal, and RDP, http/https, SSH, Telnet (ouch!! :) ), Office365 things, AppStore, Google things, Twitter, Teamviewer and Swedish newspapers work as normal; some services are IPv4-only and some are dual-stacked.
The only thing that is messy is hosts that don’t have a DNS RR, but I can solve that with https://[64:ff9b::192.0.2.2], and those are mostly failures by me or other staff at Interlan.

So what are you waiting for? Remove IPv4 in your office now and do native IPv6 and NAT64!

More IPv6 stuff
Test if your or another web server works OK with IPv6 – https://ipv6alizer.se/
Test if your web site works OK with NAT64 – https://nat64check.go6lab.si/v6score/
More to read about IPv6 – https://dnssecandipv6.se
