![\"\"](\"https:\/\/sven-seeberg.de\/wp\/wp-content\/uploads\/2019\/08\/Diagram.jpg\")
<\/figure>\n\n\n\nRegarding IPv4, First, I had to enable prefix delegation in my Fritz.Box. Coming from the IPv4 NAT world this was something new.<\/p>\n\n\n\n Now with prefix delegation enabled in the Fritz.Box, the Debian router needs to set these prefixes to its DMZ and client network interfaces (enp2s0, enp3s0). This can be achieved with the WIDE DHCPv6 client. (https:\/\/superuser.com\/questions\/742792\/how-do-i-deploy-ipv6-within-a-lan-using-a-debian-based-router-and-prefix-delegat<\/a> was very helpful for me.)<\/p>\n\n\n\n On the router, install it (and all other required packages) with<\/p>\n\n\n\n Then edit<\/p>\n\n\n\n and set its content to<\/p>\n\n\n\n Also configure the Now when connecting enp1s0, the delegated prefixes will automatically be set to the internal facing interfaces. The internal interfaces will receive the addresses $PREFIX::1.<\/p>\n\n\n\n Next, I’m using Dnsmasq on the internal interfaces to provide DNS and IPv6 router advertisements. Add the following lines to the To manage inbound and outbound traffic between the different network segments. As is common, the green zone only allows outbound traffic, while the DMZ allows inbound traffic to specified hosts. The following configuration demonstrates how to allow inbound IPv6 traffic to specific hosts. The rule can be extended to specific ports as well. To restore Iptables during boot, I’m using the iptables-persistent package. My Notice the rule To publish the IPv6 address of the server on freedns.afraid.org, I’m using the following crontab line (replace $TOKEN with your private token):<\/p>\n\n\n\n I hope I did not forget any important part. Feel free to ping me if your setup according to this post does not work.<\/p>\n\n\n\n Update 2024: some information about nft suffix matches can be found on https:\/\/github.com\/opnsense\/core\/issues\/2544#issuecomment-769811809<\/a><\/p>\n","protected":false},"excerpt":{"rendered":" Recently, I started to set up a Debian Buster based router with IPv6 prefix delegation and two \/64 subnets. One subnet is used for desktop clients, the other serves as a demilitarized zone (DMZ) for servers. The Debian router is … Continue reading enp1s0<\/code> has the address 192.168.0.2\/24<\/code>, enp2s0<\/code> has 192.168.1.1\/24<\/code> and enp3s0<\/code> has 192.168.2.1\/24<\/code>.<\/p>\n\n\n\nsudo apt install wide-dhcpv6-client dnsmasq iptables-persistent<\/code><\/pre>\n\n\n\n\/etc\/wide-dhcpv6\/dhcp6c.conf<\/code><\/pre>\n\n\n\nprofile default\n{\n information-only;\n request domain-name-servers;\n request domain-name;\n script \"\/etc\/wide-dhcpv6\/dhcp6c-script\";\n};\n\ninterface enp1s0 {\n send rapid-commit;\n send ia-na 0;\n send ia-pd 0;\n};\n\nid-assoc na 0 {\n};\n\nid-assoc pd 0 {\n prefix ::\/60 infinity;\n prefix-interface enp2s0 {\n sla-len 4;\n sla-id 0;\n ifid 1;\n };\n prefix-interface enp3s0 {\n sla-len 4;\n sla-id 1;\n ifid 1;\n };\n};<\/pre>\n\n\n\n\/etc\/network\/interfaces<\/code> like this:<\/p>\n\n\n\nsource \/etc\/network\/interfaces.d\/*\n\nauto lo\niface lo inet loopback\n\nallow-hotplug enp1s0\niface enp1s0 inet dhcp\niface enp1s0 inet6 auto\n # Important to accept delegated prefixes\n post-up sysctl -w net.ipv6.conf.enp1s0.accept_ra=2\n\nallow-hotplug enp2s0\niface enp2s0 inet static\n address 192.168.1.1\n network 192.168.1.0\n netmask 255.255.255.0\n\nallow-hotplug enp3s0\niface enp3s0 inet static\n address 192.168.2.1\n network 192.168.2.0\n netmask 255.255.255.0<\/pre>\n\n\n\n
\/etc\/dnsmasq.conf<\/code><\/p>\n\n\n\n# IPv4
dhcp-range=192.168.1.50,192.168.1.150,12h
dhcp-range=192.168.2.50,192.168.2.150,12h
# IPv6
enable-ra
dhcp-range = ::1,constructor:enp2s0, ra-stateless, ra-names, 4h
dhcp-range = ::1,constructor:enp3s0, ra-stateless, ra-names, 4h<\/pre>\n\n\n\n\/etc\/iptables\/rules.v4<\/code> and \/etc\/iptables\/rules.v6<\/code> contain the following lines:<\/p>\n\n\n\n# \/etc\/iptables\/rules.v4\n*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [81:8253]\n-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n-A INPUT -i enp2s0 -j ACCEPT\n-A INPUT -i enp3s0 -j ACCEPT\n-A INPUT -i lo -j ACCEPT\n-A FORWARD -i enp2s0 -j ACCEPT\n-A FORWARD -i enp3s0 -j ACCEPT\n-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\nCOMMIT\n*nat\n:PREROUTING ACCEPT [44:2803]\n:INPUT ACCEPT [23:1484]\n:POSTROUTING ACCEPT [0:0]\n:OUTPUT ACCEPT [24:1535]\n-A POSTROUTING -o enp1s0 -j MASQUERADE\nCOMMIT<\/pre>\n\n\n\n
# \/etc\/iptables\/rules.v6\n*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [175:15496]\n-A INPUT -p ipv6-icmp -j ACCEPT\n-A INPUT -s fe80::\/10 -j ACCEPT\n-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n-A INPUT -i enp2s0 -j ACCEPT\n-A INPUT -i enp3s0 -j ACCEPT\n-A INPUT -i lo -j ACCEPT\n-A FORWARD -i enp2s0 -j ACCEPT\n-A FORWARD -i enp3s0 -j ACCEPT\n-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n-A FORWARD -d ::2\/::ffff:ffff:ffff:ffff -o enp2s0 -p tcp -j ACCEPT\nCOMMIT<\/pre>\n\n\n\n
-A FORWARD -d ::2\/::ffff:ffff:ffff:ffff -o enp2s0 -p tcp -j ACCEPT<\/code>. This allows accessing the host in the DMZ from the internet. Now we need to take care that the server in the DMZ always gets the $PREFIX::3 address. This can be done by setting a token with ip. To do this every time the interface is being activated, for example on boot, add the following lines to the \/etc\/network\/interfaces configuration of the server in the DMZ:<\/p>\n\n\n\niface enp0s31f6 inet6 auto\n pre-up \/sbin\/ip token set ::2 dev enp0s31f6<\/pre>\n\n\n\n
* * * * * (IP=$(ip -6 a list dev enp0s31f6 | grep global | awk '{print $2}' | sed 's\/\\\/64\/\/') && wget --no-check-certificate -O - \"https:\/\/freedns.afraid.org\/dynamic\/update.php?$TOKEN&address=$IP\" >> \/tmp\/freedns_$HOSTNAME.log 2>&1)<\/pre>\n\n\n\n