Posts in category 'ipv6'

  • Revisiting IPv6

    Many years ago I experimented with running IPv6 in my home network (dual-stacked, not IPv6-only… I’m not that crazy!). At the time this was mainly an intellectual exercise. While a lot of major services already offered IPv6 (including Google, Facebook, and Netflix), the big draw of v6 is the ability to completely do away with NAT and simplify access to services and P2P applications running out of my home. But without broad v6 support, even if my home network was available via v6, the rest of the world wouldn’t be able to access it, which pretty severely curtailed the utility of the whole thing.

    But, it was still an interesting exercise!

    Until, that is, Netflix started cracking down on VPNs.

    The way v6 was deployed in my network was via a tunnel supplied by Hurricane Electric. That tunnel terminated in California, and, while not intentional, it allowed me to watch US Netflix in Canada.

    That is until Netflix realized people were abusing those tunnels and started blocking inbound traffic via HE.

    I considered potential workarounds, but I could never figure out a satisfying solution (in large part thanks to closed devices like Chromecasts).

    And so I shut down v6 in my network. While, previously, v6 didn’t provide a lot of value, it also didn’t cause me any problems. Once this issue surfaced, it was no longer worth the effort.

    Recently I decided to take another look at the situation to see if anything had changed.

    Well, unfortunately Netflix still blocks traffic coming from Hurricane Electric tunnels whose endpoints are in the US.

    However, it turns out, back in 2013, HE added new Points of Presence (POPs) in both Calgary and Manitoba. That meant I could set up a tunnel with an exit point inside the country.

    Would Netflix block that?

    It turns out, the answer is: No!

    So I now have IPv6 back up in my home network.

    But has the connectivity story changed? Yes!

    Much to my astonishment, I discovered that in the last couple of years, AT&T, Rogers, and Telus have all deployed native IPv6 inside their networks. That means that, when I’m out and about in both Canada and the US, I have direct v6 connectivity back to my home network! Even my mother-in-law’s house has access thanks to her Telus internet package.

    That’s a huge expansion in coverage!

    In fact, ironically enough, of the places I frequent, the only location that lacks v6 connectivity is my workplace. Go figure. But, in that case, I can always just tunnel through my linode VPS, which has had v6 connectivity for many many years.

    IPv6 adoption may be taking a while, but it is happening!

  • The Great IPv6 Experiment

    So during the last week I decided it was about time I rebuilt my firewall, if for no other reason than to upgrade to the latest version of m0n0wall, as the version I was running dated back to 2006. Of course, naturally enough, during the course of my initial experimentation, my old firewall hardware kicked the bucket (it was an old 150 MHz P-II… I’m surprised it hadn’t died sooner), so I suddenly found myself in need of a new firewall PC. “Lucky for me, I ditched my old MythTV motherboard”, I thought to myself… what a fool I was.

    As a bit of background, I’ve been running an open wireless access point for years and years now, and to achieve reasonable security, the network topology was something like the following:

    Topology:

        graph "Topology" {
            rankdir = LR;
            node [shape = rectangle]; WiFirewall; Firewall;
            node [shape = circle];
            Wireless -- WiFirewall;
            WiFirewall -- LAN;
            LAN -- Firewall;
            Firewall -- WAN;
        }

    Where both the WiFirewall and Firewall perform network address translation. Unfortunately, this means:

    1. The wireless network is double-NATed, which makes forwarding ports back from the firewall to the wireless network a heck of a lot more cumbersome.
    2. I have to maintain two separate sets of firewall rules.

    Plus, the WAP I have doesn’t support IPv6, so if I wanted to deploy IPv6 internally, I couldn’t do so for the wireless pool.

    Well, this screamed for a solution, hence me building a new firewall. My vision was the following:

    Topology:

        graph "Topology" {
            node [shape = rectangle]; Firewall;
            node [shape = circle];
            WAN -- Firewall;
            Firewall -- LAN;
            Firewall -- Wireless;
        }

    In this sort of arrangement, the firewall acts as a single NAT for both subnets, and also allows me to control access from the wireless pool to the LAN and vice versa all in one place. Plus, because both subnets are directly connected to the firewall, which supports IPv6, I can deploy v6 across my network.

    Of course, this scenario requires three NICs in the firewall, one for the WAN, one for the wireless subnet, and one for the LAN subnet. So I took my spare machine, threw three NICs in it, fired up the newest version of m0n0wall, and got… “watchdog timeout: dc0”, followed by hard locks.

    sigh

    Many hours later, after running up and down the stairs a couple dozen times, my conclusion was IRQ conflicts between one of the NICs and the USB controller on the board. Yes, that’s right, in 2010, I was fighting with IRQ conflicts. Seriously, what the heck?

    The next day, I relented and decided to try out another motherboard I had lying around (yes, that’s right, I had two spare motherboards just lying around. Go figure.) Luckily, this one seems to work beautifully, and I now have a brand new firewall set up as described above. I even configured m0n0wall’s traffic shaping such that bittorrent traffic is de-prioritized versus other traffic, so I no longer need to perform upstream throttling in rtorrent, as the firewall takes care of everything (and it works beautifully… rtorrent can now saturate my upstream, while web browsing, etc, continue to work flawlessly).

    Furthermore, I figured, hey, why not deploy IPv6 for kicks? So I went and allocated a tunnel from Hurricane Electric. They provide free IPv6 tunnels plus a free routable /48 if you want it (yes, that’s right, an 80-bit address space for nothing). You just need a router/firewall that supports it. Well, as you might imagine, m0n0wall does. Additionally, Hurricane Electric has a deal with Google such that, if you use HE’s nameservers, then all of Google’s services will be accessible over IPv6. So now anyone connected to my WAP will be able to browse the IPv6 internet, and access Google’s services over v6. Neat!
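    As an added example (this is not the author's m0n0wall configuration, which is built in its web GUI on top of ipfilter), the single-firewall design above, with the HE tunnel as the IPv6 upstream, expressed as an nftables ruleset for a Linux router. The interface names, the address ranges, the documentation prefix standing in for the real /48, and the two published services are all assumptions:

```nft
#!/usr/sbin/nft -f
# Added example, not the author's m0n0wall config. Assumed interfaces:
#   eth0     WAN (IPv4 from the ISP)
#   he-ipv6  6in4 tunnel to Hurricane Electric, assumed already configured
#   eth1     LAN
#   eth2     open wireless

define wan     = "eth0"
define wan6    = "he-ipv6"
define lan     = "eth1"
define wifi    = "eth2"

define lan_v4  = 192.168.1.0/24
define wifi_v4 = 192.168.2.0/24
# Two /64s carved from the routed /48 (2001:db8::/32 is the documentation
# prefix, used here as a placeholder for the real HE allocation).
define lan_v6  = 2001:db8:1:1::/64
define wifi_v6 = 2001:db8:1:2::/64

flush ruleset

# One inet table carries IPv4 and IPv6 rules together: one rule set, not two.
table inet fw {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # ICMPv6 is mandatory for neighbour discovery and path MTU; never block it.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, nd-router-solicit,
                      nd-neighbor-solicit, nd-neighbor-advert } accept
        ip protocol icmp accept
        # The 6in4 tunnel itself arrives on the WAN as IP protocol 41.
        iifname $wan ip protocol 41 accept
        # DHCPv4 (67), DHCPv6 (547) and DNS only from the inside interfaces.
        iifname { $lan, $wifi } udp dport { 67, 547, 53 } accept
        iifname { $lan, $wifi } tcp dport 53 accept
        # Firewall administration only from the LAN, never from the open WAP.
        iifname $lan tcp dport { 22, 443 } accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem, echo-request } accept
        # LAN may go anywhere (Internet and wireless), but only with its own
        # source addresses, so a LAN host cannot spoof its way past the rules.
        iifname $lan ip saddr $lan_v4 accept
        iifname $lan ip6 saddr $lan_v6 accept
        # Open wireless: Internet only, never the LAN, on both IP versions.
        iifname $wifi oifname { $wan, $wan6 } ip saddr $wifi_v4 accept
        iifname $wifi oifname { $wan, $wan6 } ip6 saddr $wifi_v6 accept
        # IPv4 service on a wireless host, matching the DNAT rule below: with a
        # single NAT layer this is one rule, not one on each of two firewalls.
        iifname $wan oifname $wifi ip daddr 192.168.2.10 tcp dport 8080 accept
        # Inbound IPv6 from the Internet. There is no NAT to hide anything:
        # this chain's drop policy is all that stands between the tunnel and
        # every host in the /48, so publish services one address and port at a time.
        iifname $wan6 oifname $lan ip6 daddr 2001:db8:1:1::80 tcp dport 80 accept
    }
}

# NAT is IPv4-only; IPv6 is routed natively through the tunnel.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname $wan tcp dport 8080 dnat to 192.168.2.10:8080
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $wan ip saddr { $lan_v4, $wifi_v4 } masquerade
    }
}
```

    Check the syntax with `nft -c -f` before loading it with `nft -f`. Two things to verify once it is live: from a wireless client, confirm that the LAN is unreachable over both IPv4 and IPv6 (the isolation also depends on the wireless subnet having no layer-2 path to the LAN, which is why it gets its own NIC); and from outside, confirm that an IPv6 address in the /48 with no explicit accept rule is unreachable, since with NAT gone the forward chain's drop policy is the only thing protecting every host you route the prefix to.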

    And, as if that weren’t enough, I registered a new domain name: “b-ark.ca”. I then plan to use afraid.org, a free DNS hosting service that supports IPv4, both static and dynamic, and IPv6, both forward and reverse. Of course, I’ll need to find a way to cleanly migrate away from “frodo.dyn.gno.org”, but once I do, that address will be disappearing, and this place will be reachable at “blog.b-ark.ca”.