ipv6 – Giovanni F. Mazzeo De Santolo https://desantolo.com That italian IT guy Sun, 20 Jun 2021 03:51:32 +0000 en-US hourly 1 https://wordpress.org/?v=6.8.2 123042357 How to setup dual-stack IPv4 IPv6 Azure VM without a load-balancer https://desantolo.com/2021/04/how-to-setup-dual-stack-ipv4-ipv6-azure-vm-without-a-load-balancer/ https://desantolo.com/2021/04/how-to-setup-dual-stack-ipv4-ipv6-azure-vm-without-a-load-balancer/#respond Sun, 11 Apr 2021 20:32:31 +0000 https://desantolo.com/?p=616 Continue reading ]]> I wanted to document my Microsoft Azure saga in getting a public IPv6 address to work in a virtual machine without a load balancer in front of it. My needs were pretty simple and straightforward I wanted a virtual server that had a static IPv4 and IPv6 public addresses so that I can monitor my home network and other websites.

You would think this would be pretty easy, a few clicks and done? That wasn’t my experience on Azure and setting this up isn’t easy nor straightforward. Below is how to get it done, if this helps you – you can buy me a coffee or beer.

What Microsoft documentation said

You can use public IPv6 address on a load balancer which needs to be a separate paid server/product in front of your servers. This isn’t what I was looking – I complained about it on github with screenshots issue #69167.

Disclaimer: I have no expertise on Microsoft Azure prior to this (I currently work at Google and GCP is what we do). I chose to use Azure for my hobby/playground primarily because I get $50 a month free credit with my MSDN subscription.

My hacky (undocumented) way of getting it set up

  1. Create a new Virtual Machine

Use portal.azure.com – I am not going to go in depth here but I will call out the items you need to make sure to enable or change at setup.

Do pay attention to these when creating VM:

  • Use "create a resource" select "Ubuntu Server 18.04 LTS" and should default to virtual server.
  • Make sure to select ‘create new resource group’ to bundle everything of this server together.
  • Disable default ‘scheduled shutdown’

Deploy it. Go back to the newly created resource group.

  1. Edit Virtual Network to add IPv6 (address space)

You should see only IPv4 listed here. Like 10.0.0.0/24 – add IPv6.

Input: ace:cab:deca::/48

Hit save.

  1. Edit Virtual Network to add IPv6 (subnets)

You should see default click it. On the right dialog that opens click Add IPv6 address space

Input: ace:cab:deca::/64

Make sure to select a network Security Group. (whatever the name you gave it). Save.

  1. Create a dual-stack IPv4 and IPv6 public address

Search Azure for Public IP addresses create one.

Pay attention at creation:

  • Select IP version both
  • Select SKU standard
  • Ensure you associate it to your VM resource group and zone otherwise it won’t work
  1. Stop virtual machine.

Self explanatory, or during step 1 make sure to ensure it won’t be auto started.

  1. Associate the new NIC and delete the old NIC from the VM

With the VM shutdown, networking settings > "Attach network interface" menu. Select create and attach network interface.

At NIC create:

  • NIC security group select NONE.
  • Select Private IPv6 address. Give it a name "v6" for me.

Detach the old NIC and delete from resource group (self-explanatory).

  1. Associate the public IPv6 and IPv6 to the network interface

Go to the new NIC we created and associated, "IP configuration" menu.

You should see ‘ipconfig1’ is IPv4 and "v6" is secondary with our local IPv6 we gave on step 2.

Associate IPv4 public address by clicking ipconfig1 a new menu with a drop-down box and the new IPv4 (dual-stack) shows up. Select and save.

Associate IPv6 public address same as above. You should end up with something like this

  1. Incoming firewall rules

Make sure to add necessary firewall rules, if you created the default settings on the security group you probably already have SSH (port 22) and that’s it.

You probably want to add a rule for ICMP traffic (ping).

If you like to have no security at all (or implement your own firewall on the virtual server) you can add a blanked incoming rule for all ports 0-65535 and this should open everything.

Note microsoft IPv6 implementation sucks and ICMP ping on IPv6 incoming/outgoing WILL NOT WORK! This is what tripped me out and I spent several hours trying to troubleshoot something that Microsoft could have easily documented… but here we are… I spent hours frustrated but hopefully with this guide I wrote for you it saved you all this time. If you appreciated it – remember you can buy me a coffee 🙂

Go ahead start your virtual server and you should be able to use nmap on its IPv6 address or SSH remotely and see it work. See above in:re ping on IPv6.

Updates

June 2021: Reader “Ben R” contacted me about this article and shared some noteworthy information for folks using older VM images or installations. DHCPv6 may be disabled and must be manually enabled. See this article for enabling DHCPv6 on Azure.

]]> https://desantolo.com/2021/04/how-to-setup-dual-stack-ipv4-ipv6-azure-vm-without-a-load-balancer/feed/ 0 616 Linux IPv6 command cheatsheet https://desantolo.com/2021/03/linux-ipv6-command-cheatsheet/ https://desantolo.com/2021/03/linux-ipv6-command-cheatsheet/#respond Fri, 05 Mar 2021 05:02:14 +0000 https://desantolo.com/?p=596 Continue reading ]]> This post is intended to be a quick note to self on linux IPv6 commands, for quick reference when needed.

 

 

# Find the route decision for a given address.
ip route get 2a00:1450:4001:820::200e

ip -6 route
route -A inet6 (apt-get install net-tools) # equivalent to netstat -rn -A inet6
netstat -A inet6 -rn
netstat -r
ip -6 route show table 51820
ip -6 neigh
ip -6 neigh show proxy

# DHCPv6 release / renew
dhclient -6 -r ens18
dhclient -6 ens18

# Flush IPv6 neighbors cache
ip -family inet6 neigh flush any

# Find the route decision for a given address.
ip route get 2a00:1450:4001:820::200e

# Request a router advertisement (apt-get install -y ndisc6)
rdisc6 eth0

# Perform a Neighbor Solicitation (arp IPv4 equivalent) (apt-get install -y ndisc6)
ndisc6 2001:db8::42 eth0

# ping multicast address to have all link-local hosts to respond.
ping ff02::1%eth0

Good articles about IPv6:

Troubleshooting tools:

Bonus section ‘ufw’ firewall

Check status of firewall and enable or disable.
# ufw status
# ufw enable
# ufw disable

View firewall rules and number to delete a specific rule.
# ufw status verbose
# ufw status numbered

Delete a firewall rule (from number of last cmd)
# ufw delete 12

Rules needed to allow IPv6 routing via wireguard to endpoint (no iptables forwarding would be needed on IPv6 as the other peer carries the public IP – they also should implement a firewall before using the below command!)
# ufw route allow in on eth0 out on wghub to 2602:xxx:730b:xxx:cafe::12

IPv4 firewall and routing rule to open Plex Media Server port 32400 and internal IPv4 space of wireguard peer.
# ufw allow in on eth0 out on wghub to 10.100.100.11 port 32400
# ufw route allow in on eth0 out on wghub to 10.100.100.11 port 32400

Add rule and get logs for matches of that rule:
# ufw allow log proto any from any to 192.168.1.x

View logs:
# tail -f /var/log/ufw.log

Extra bonus iptables NAT forwarding

On VPS (public endpoint) forward IPv4 traffic on tcp/32400 to wireguard peer. (recall IPv6 doesn’t need a rule)
# iptables -A PREROUTING -t nat -i eth0 -p tcp –dport 32400 -j DNAT –to 10.100.100.11:32400

Test your port forwards

For IPv6 I use:
http://www.ipv6scanner.com/cgi-bin/main.py

For IPv4:
https://www.yougetsignal.com/tools/open-ports/

]]> https://desantolo.com/2021/03/linux-ipv6-command-cheatsheet/feed/ 0 596