[LAB 1]
IPv6 Implementation on SOHO Network
Read Me
● This is a free module; you may share it, use it, or take parts of its material, as long as you do not remove the webiptek.com credit footer.
● If you find an error in the theory presented, please send the correction to the author (contact listed below).
● The content may change without notice, in both structure and material.
● Open the following link to see the latest version of the module: https://files.webiptek.com/IPv6
Video explanation (in Indonesian), watch at the following link: (not yet available)
Prerequisites for Lab 1 - IPv6 Implementation on SOHO Network; you must already understand:
1. IPv6 concepts
2. Routing Fundamental
Contributor
Name: Rizqi Aldi Prayugo
Contact: xdnroot@gmail.com, xdnroot
Want to contribute?
You can add material and/or revise existing material. Contact me (Rizqi) through social media or the email above.
Lab Summary
1. IPv6 Addressing
2. SLAAC
3. Stateless and Stateful DHCPv6
4. 6to4 Tunneling
5. IPv6 DNS Record
How to get a free IPv6 GUA:
● https://blog.webiptek.com/2021/02/cara-mendapatkan-prefix-ipv6-gratis.html
6to4 vs Teredo
Teredo: Tunneling IPv6 over UDP [RFC 4380]
● The IPv6 packet is encapsulated in a UDP header (UDP port 3544), so it can be forwarded through source NAT.
● Cannot be used to communicate with hosts that have only IPv6.
6to4: Tunneling IPv6 over IPv4 (Protocol 41) [RFC 3056, RFC 7059].
● The IPv6 packet is encapsulated in an IPv4 header, so both peers must be connected using public IPv4.
● Cannot be used to communicate with hosts that have only IPv6.
[Figure: encapsulation layout. IPv4 Header (Protocol 41) | IPv6 Header | TCP/UDP Header | Data; IPv4 Header | UDP Header]
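As an added example (not part of the original module), the Python sketch below classifies raw IPv4 packets by the two encapsulations described above, protocol 41 and UDP port 3544, and reports the inner IPv6 addresses, which is what a monitor on an IPv4-only segment needs in order to notice tunneled IPv6. The function names and the sample packets with documentation-range addresses are constructed for illustration.

```python
import ipaddress
import struct

PROTO_41, PROTO_UDP, TEREDO_PORT = 41, 17, 3544  # values named in the text

def classify_tunnel(pkt: bytes):
    """Return (kind, inner_src, inner_dst) for a raw IPv4 packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    proto, payload = pkt[9], pkt[ihl:]
    if proto == PROTO_41:
        kind = "proto41"
    elif proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT not in (sport, dport):
            return None
        kind, payload = "teredo", payload[8:]
        # Teredo may prepend an 8-byte origin indication (0x0000 + port + IPv4).
        if payload[:2] == b"\x00\x00":
            payload = payload[8:]
    else:
        return None
    # Only report packets whose inner header really is IPv6 (40 bytes, version 6).
    if len(payload) < 40 or payload[0] >> 4 != 6:
        return None
    return (kind, str(ipaddress.IPv6Address(payload[8:24])),
            str(ipaddress.IPv6Address(payload[24:40])))

# --- constructed sample packets (documentation addresses, not captured traffic) ---
def ipv4(proto, payload, src="198.51.100.7", dst="203.0.113.9"):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload
def ipv6(src, dst):
    return (struct.pack("!IHBB", 0x60000000, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)
def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

INNER = ipv6("2001:db8:1::1", "2001:db8:2::2")
SAMPLES = {
    "proto41": ipv4(PROTO_41, INNER),
    "teredo": ipv4(PROTO_UDP, udp(51000, TEREDO_PORT, INNER)),
    "dns": ipv4(PROTO_UDP, udp(51000, 53, b"\x00" * 40)),
}
RESULTS = {name: classify_tunnel(p) for name, p in SAMPLES.items()}
```

Teredo packets that carry an authentication header are not decoded by this sketch and return None.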
Get IPv6 without a Static Public IPv4:
Teredo
$ sudo apt install miredo
$ sudo service miredo [start|stop]
$ ip a
5: teredo: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet6 2001:0:53aa:64c:3c39:b61b:4902:8388/32 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::ffff:ffff:ffff/64 scope link
       valid_lft forever preferred_lft forever
    inet6 fe80::44fb:6a61:a62d:d883/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
For the Windows operating system:
https://id.k2rx.com/step-step-guide-install-microsoft-teredo-tunneling-adapter
6to4:
Important Notes
When configuring a 6to4 tunnel, the local address field is filled with the IPv4 address installed on that interface.
For example, router GW has a static public IPv4 address as a result of NAT on router NAT. The 6to4 tunnel configuration for tunneling to HE with GW is then as follows:
# Router GW
local-address=10.13.0.21 remote-address=216.128.221.42
# Router HE
local-address=216.128.221.42 remote-address=157.230.250.14
Cisco:
6to4 Tunneling
HE(config)# interface Tunnel0
HE(config-if)# description "to GW"
HE(config-if)# ipv6 enable
HE(config-if)# ipv6 address 2001:470:35:3f::1/64
HE(config-if)# tunnel source 216.218.221.42
HE(config-if)# tunnel destination 157.230.250.14
HE(config-if)# tunnel mode ipv6ip
HE(config)# ipv6 route 2001::xx/y Tunnel0
GW(config)# interface Tunnel0
GW(config-if)# description "to HE"
GW(config-if)# ipv6 enable
GW(config-if)# ipv6 address 2001:470:35:3f::2/64
GW(config-if)# tunnel source 157.230.250.14
GW(config-if)# tunnel destination 216.218.221.42
GW(config-if)# tunnel mode ipv6ip
Juniper:
6to4 Tunneling
[edit interfaces ip-0/1/0 unit 0]
lab@HE# set tunnel source 216.218.221.42
lab@HE# set tunnel destination 157.230.250.14
lab@HE# set family inet6 address 2001:470:35:3f::1/64
[edit routing-options rib inet6.0]
lab@HE# set static route 2001::xx/y next-hop 2001:470:35:3f::2
[edit interfaces ip-0/1/0 unit 0]
lab@GW# set tunnel source 157.230.250.14
lab@GW# set tunnel destination 216.218.221.42
lab@GW# set family inet6 address 2001:470:35:3f::2/64
[edit routing-options rib inet6.0]
lab@GW# set static route 2000::xx/y next-hop 2001:470:35:3f::1
# If using SRX series, change IPv6 forwarding to packet-based
[edit]
Mikrotik:
6to4 Tunneling
# Configuration on HE
/interface 6to4 add comment="6to4 to GW" local-address=216.218.221.42 name=to-GW remote-address=157.230.250.14
/ipv6 address add address=2001:470:35:3f::1/64 advertise=no interface=to-GW
/ipv6 route add dst-address=2000::xx/y gateway=2001:470:35:3f::2
# Configuration on GW
/interface 6to4 add comment="6to4 to HE" local-address=157.230.250.14 name=to-HE remote-address=216.218.221.42
/ipv6 address add address=2001:470:35:3f::2/64 advertise=no interface=to-HE
/ipv6 route add dst-address=2000::xx/y gateway=2001:470:35:3f::1
(Optional) L2TP Configuration:
Mikrotik
/interface l2tp-server server set enabled=yes
# create a PPP profile with additional on-up and on-down scripts
Disable Autoconfiguration:
Linux
Disable automatic configuration on a specific interface.
$ sudo sysctl -w net.ipv6.conf.eth1.autoconf=0
$ sudo sysctl -w net.ipv6.conf.eth1.accept_ra=0
Disable automatic configuration on all interfaces.
$ sudo sysctl -w net.ipv6.conf.all.autoconf=0
$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0
Configure IPv6 LLA Manually
## Cisco
Router(config)# interface g0/0/1
Router(config-if)# ipv6 address fe80::1111 link-local
## Juniper
[edit]
root@Router# set interfaces ge-0/0/1.0 family inet6 address fe80::1111/64
## Mikrotik
Cisco:
SLAAC
1. Enable IPv6 unicast-routing
Router(config)# ipv6 unicast-routing
2. Configure neighbor discovery
Router(config)# interface g0/0/1
Router(config-if)# ipv6 address 2001:470:EC29:2100::1/64
Router(config-if)# ! or
Router(config-if)# ipv6 nd prefix 2001:470:EC29:2100::/64
Router(config-if)# ipv6 nd ra dns server 2001:4860:4860::8888
Router(config-if)# ipv6 nd ra dns server 2001:4860:4860::8844
3. (Optional) Enable IPv6 Neighbor Discovery debugging
Router# debug ipv6 nd
Cisco:
Stateless DHCPv6
1. Enable IPv6 unicast-routing
Router(config)# ipv6 unicast-routing
2. Configure the DHCPv6 server
Router(config)# ipv6 dhcp pool STATELESS_DHCPv6
Router(config-dhcpv6)# dns-server 2001:4860:4860::8888
Router(config-dhcpv6)# dns-server 2001:4860:4860::8844
Router(config-dhcpv6)# domain-name webiptek.com
3. Configure neighbor discovery and set flag O=1.
Router(config)# interface g0/0/1
Router(config-if)# ipv6 address 2001:470:EC29:2100::1/64
Router(config-if)# ! or
Router(config-if)# ipv6 nd prefix 2001:470:EC29:2100::/64
Router(config-if)# ipv6 nd other-config-flag
Router(config-if)# ipv6 dhcp server STATELESS_DHCPv6
4. (Optional) Enable IPv6 Neighbor Discovery and DHCP debugging
Router# debug ipv6 nd
Cisco:
Stateful DHCPv6
1. Enable IPv6 unicast-routing
Router(config)# ipv6 unicast-routing
2. Configure the DHCPv6 server
Router(config)# ipv6 dhcp pool STATEFUL_DHCPv6
Router(config-dhcpv6)# address prefix 2001:470:EC29:2100::/64
Router(config-dhcpv6)# dns-server 2001:4860:4860::8888
Router(config-dhcpv6)# dns-server 2001:4860:4860::8844
Router(config-dhcpv6)# domain-name webiptek.com
3. Enable neighbor discovery and set flag M=1.
Router(config)# interface g0/0/1
Router(config-if)# ipv6 address 2001:470:EC29:2100::1/64
Router(config-if)# ipv6 nd prefix 2001:470:EC29:2100::/64 no-advertise
Router(config-if)# ipv6 nd managed-config-flag
Router(config-if)# ipv6 dhcp server STATEFUL_DHCPv6
4. (Optional) Enable IPv6 Neighbor Discovery and DHCP debugging
Router# debug ipv6 nd
Cisco:
IPv6 Monitoring Command
Router# show ipv6 neighbors
IPv6 Address                 Age  Link-layer Addr  State  Interface
FE80::E6A:93FF:FE8E:5000     0    0c6a.938e.5000   REACH  Gi0/0/1
FE80::C430:84C0:ED58:8F25    1    000c.2914.752d   STALE  Gi0/0/1
Router# show ipv6 dhcp binding
Client: FE80::E6A:93FF:FE8E:5000
  DUID: 00020000AB11B49C3C329CFDF8D2
  Username : unassigned
  VRF : default
  IA NA: IA ID 0x405663A2, T1 43200, T2 69120
    Address: 2001:470:EC29:2100:7D0A:86F6:4BC2:5705
            preferred lifetime 86400, valid lifetime 172800
            expires at Feb 05 2021 09:18 AM (172743 seconds)
Juniper:
SLAAC
1. Configure the IPv6 address on the interface.
[edit interfaces ge-0/0/1 unit 0]
lab@Router# set family inet6 address 2001:470:ec29:2100::1/64
2. Configure router-advertisement
[edit protocols router-advertisement interface ge-0/0/1 unit 0]
lab@Router# set prefix 2001:470:ec29:2100::/64
lab@Router# set dns-server-address 2001:4860:4860::8888
3. Enable logging (saved to the file /var/log/ipv6-nd-log)
[edit protocols router-advertisement traceoptions]
lab@Router# set file ipv6-nd-log
lab@Router# set flag all top
lab@Router> show log ipv6-nd-log
Feb 3 07:00:58.984354 ipv6_ra_receive_solicit: received solicit from fe80::e6a:93ff:fe8e:5000
Feb 3 07:00:58.984532 ipv6_ra_receive_solicit: task Router-Advertisement src
Juniper:
Stateless DHCPv6
1. Configure the IPv6 address on the interface.
2. Set flag O=1 in the router advertisement.
[edit protocols router-advertisement interface ge-0/0/1 unit 0]
lab@Router# set other-stateful-configuration
3. Configure the address pool
[edit access address-assignment pool STATELESS_POOL family inet6]
lab@Router# set prefix 2001:470:ec29:2100::/64
lab@Router# set dhcp-attributes dns-server 2001:4860:4860::8888
lab@Router# set dhcp-attributes maximum-lease-time 120 grace-period 3600
4. Configure the DHCP server
[edit system services dhcp-local-server dhcpv6 group STATELESS_DHCPV6]
lab@Router# set overrides interface-client-limit 100
lab@Router# set overrides process-inform pool STATELESS_POOL
lab@Router# set interface ge-0/0/1
5. Enable logging (saved to the file /var/log/ipv6-dhcp)
[edit system processes dhcp-service]
lab@Router# set traceoptions file dhcpv6-trace
lab@Router# set traceoptions flag all
Juniper:
Stateful DHCPv6
1. Configure the IPv6 address on the interface.
2. Set flag M=1 in the router advertisement
[edit protocols router-advertisement interface ge-0/0/1 unit 0]
lab@Router# set managed-configuration
3. Configure the address pool
[edit access address-assignment pool STATEFUL_DHCPV6 family inet6]
lab@Router# set prefix 2001:470:ec29:2100::/64
lab@Router# set range STATEFUL_DHCPV6_RANGE low 2001:470:ec29:2100::1001/128 high 2001:470:ec29:2100::1100/128
lab@Router# set dhcp-attributes dns-server 2001:4860:4860::8888
lab@Router# set dhcp-attributes maximum-lease-time 120
lab@Router# set dhcp-attributes grace-period 3600
4. Configure the DHCP server
[edit system services dhcp-local-server dhcpv6 group STATEFUL_DHCPV6]
lab@Router# set overrides interface-client-limit 100
lab@Router# set interface ge-0/0/1
5. Enable logging (saved to the file /var/log/ipv6-dhcp)
[edit system processes dhcp-service]
Juniper:
IPv6 Monitoring Command
lab@Router> show ipv6 router-advertisement
Interface: ge-0/0/1.0
  Advertisements sent: 5, last sent 00:00:20 ago
  Solicits received: 1, last received 00:13:34 ago
  Advertisements received: 0
  Solicited router advertisement unicast: Disable
  IPv6 RA Preference: DEFAULT/MEDIUM
lab@Router> show ipv6 neighbors
IPv6 Address               Linklayer Address  State  Exp  Rtr  Secure  Interface
fe80::e6a:93ff:fe8e:5000   0c:6a:93:8e:50:00  stale  726  no   no      ge-0/0/1.0
fe80::c430:84c0:ed58:8f25  00:0c:29:14:75:2d  stale  638  no   no      ge-0/0/1.0
lab@Router> show dhcpv6 server binding
Prefix                        Session Id  Expires  State  Interface   Client DUID
2001:470:ec29:2100::1002/128  23          85660    BOUND  ge-0/0/1.0  LL_TIME0x1-0x26463a75-08:00:27:5e:76:d2
2001:470:ec29:2100::1001/128  22          85769    BOUND  ge-0/0/1.0  LL_TIME0x1-0x27ad18c3-0c:6a:93:8e:50:00
lab@Router> show dhcpv6 server statistics
Dhcpv6 Packets dropped:
    Total                        2
    Authentication               2
Advertise Delay:
    DELAYED                      0
    INPROGRESS                   0
    TOTAL                        0
Messages received:
    DHCPV6_DECLINE               0
    DHCPV6_SOLICIT               6
    DHCPV6_INFORMATION_REQUEST   0
    DHCPV6_RELEASE               0
    DHCPV6_REQUEST               4
    DHCPV6_CONFIRM               2
    DHCPV6_RENEW                 86
    DHCPV6_REBIND                3
    DHCPV6_RELAY_FORW            0
    DHCPV6_LEASEQUERY            0
Messages sent:
    DHCPV6_ADVERTISE             6
    DHCPV6_REPLY                 95
    DHCPV6_RECONFIGURE           0
    DHCPV6_RELAY_REPL            0
    DHCPV6_LEASEQUERY_REPLY      0
    DHCPV6_LEASEQUERY_DATA       0
    DHCPV6_LEASEQUERY_DONE       0
Mikrotik:
SLAAC
1. Configure the IPv6 address on the interface with advertise=yes
/ipv6 address add address=2001:470:ec29:2100::1 interface=ether2 advertise=yes
By default, MikroTik sends RAs on all interfaces.
/ipv6 nd print
Flags: X - disabled, I - invalid, * - default
 0 * interface=all ra-interval=3m20s-10m ra-delay=3s mtu=unspecified reachable-time=unspecified retransmit-interval=unspecified
     ra-lifetime=30m hop-limit=unspecified advertise-mac-address=yes advertise-dns=yes managed-address-configuration=no
     other-configuration=no
Alternatively, disable the default ND entry and add a new one.
/ipv6 nd add interface=ether2
2. Advertise DNS: make sure advertise DNS is enabled on the ND entry. Then simply set the IP DNS servers:
/ip dns set servers=2001:4860:4860::8888,2001:4860:4860::8844
3. Enable logging.
/system logging
Mikrotik:
SLAAC
At the time this module was written (RouterOS v6.48), MikroTik does not yet support advertising addresses through DHCPv6. MikroTik DHCPv6 only supports advertising prefixes.
However, there are options to set the O and M flags.
O=1: set other-configuration=yes
M=1: set managed-address-configuration=yes
IPv6 DNS Record
To make IPv6 addresses easier to refer to, we can make use of a DNS server
/ip dns set allow-remote-requests=yes servers=2001:4860:4860::8888,2001:4860:4860::8844
/ip dns static add address=2001:470:ec29:2100::1 name=router.local type=AAAA
$ ping router.local
Pinging router.local [2001:470:ec29:2100::1] with 32 bytes of data:
Reply from 2001:470:ec29:2100::1: time=1ms
Reply from 2001:470:ec29:2100::1: time=1ms
Reply from 2001:470:ec29:2100::1: time<1ms
Reply from 2001:470:ec29:2100::1: time<1ms
References
1. https://www.tunnelbroker.net