networking – Giovanni F. Mazzeo De Santolo

How to setup dual-stack IPv4 IPv6 Azure VM without a load-balancer

Giovanni — Sun, 11 Apr 2021 20:32:31 +0000

I wanted to document my Microsoft Azure saga in getting a public IPv6 address to work in a virtual machine without a load balancer in front of it. My needs were pretty simple and straightforward I wanted a virtual server that had a static IPv4 and IPv6 public addresses so that I can monitor my home network and other websites.

You would think this would be pretty easy, a few clicks and done? That wasn’t my experience on Azure and setting this up isn’t easy nor straightforward. Below is how to get it done, if this helps you – you can buy me a coffee or beer.

What Microsoft documentation said

You can use public IPv6 address on a load balancer which needs to be a separate paid server/product in front of your servers. This isn’t what I was looking – I complained about it on github with screenshots issue #69167.

Disclaimer: I have no expertise on Microsoft Azure prior to this (I currently work at Google and GCP is what we do). I chose to use Azure for my hobby/playground primarily because I get $50 a month free credit with my MSDN subscription.

My hacky (undocumented) way of getting it set up

Create a new Virtual Machine

Use portal.azure.com – I am not going to go in depth here but I will call out the items you need to make sure to enable or change at setup.

Do pay attention to these when creating VM:

Use "create a resource" select "Ubuntu Server 18.04 LTS" and should default to virtual server.
Make sure to select ‘create new resource group’ to bundle everything of this server together.
Disable default ‘scheduled shutdown’

Deploy it. Go back to the newly created resource group.

Edit Virtual Network to add IPv6 (address space)

You should see only IPv4 listed here. Like 10.0.0.0/24 – add IPv6.

Input: ace:cab:deca::/48

Hit save.

Edit Virtual Network to add IPv6 (subnets)

You should see default click it. On the right dialog that opens click Add IPv6 address space

Input: ace:cab:deca::/64

Make sure to select a network Security Group. (whatever the name you gave it). Save.

Create a dual-stack IPv4 and IPv6 public address

Search Azure for Public IP addresses create one.

Pay attention at creation:

Select IP version both
Select SKU standard
Ensure you associate it to your VM resource group and zone otherwise it won’t work

Stop virtual machine.

Self explanatory, or during step 1 make sure to ensure it won’t be auto started.

Associate the new NIC and delete the old NIC from the VM

With the VM shutdown, networking settings > "Attach network interface" menu. Select create and attach network interface.

At NIC create:

NIC security group select NONE.
Select Private IPv6 address. Give it a name "v6" for me.

Detach the old NIC and delete from resource group (self-explanatory).

Associate the public IPv6 and IPv6 to the network interface

Go to the new NIC we created and associated, "IP configuration" menu.

You should see ‘ipconfig1’ is IPv4 and "v6" is secondary with our local IPv6 we gave on step 2.

Associate IPv4 public address by clicking ipconfig1 a new menu with a drop-down box and the new IPv4 (dual-stack) shows up. Select and save.

Associate IPv6 public address same as above. You should end up with something like this

Incoming firewall rules

Make sure to add necessary firewall rules, if you created the default settings on the security group you probably already have SSH (port 22) and that’s it.

You probably want to add a rule for ICMP traffic (ping).

If you like to have no security at all (or implement your own firewall on the virtual server) you can add a blanked incoming rule for all ports 0-65535 and this should open everything.

Note microsoft IPv6 implementation sucks and ICMP ping on IPv6 incoming/outgoing WILL NOT WORK! This is what tripped me out and I spent several hours trying to troubleshoot something that Microsoft could have easily documented… but here we are… I spent hours frustrated but hopefully with this guide I wrote for you it saved you all this time. If you appreciated it – remember you can buy me a coffee

Go ahead start your virtual server and you should be able to use nmap on its IPv6 address or SSH remotely and see it work. See above in:re ping on IPv6.

Updates

June 2021: Reader “Ben R” contacted me about this article and shared some noteworthy information for folks using older VM images or installations. DHCPv6 may be disabled and must be manually enabled. See this article for enabling DHCPv6 on Azure.

OPNsense firewall on Proxmox fix ‘no internet’

Giovanni — Sat, 17 Nov 2018 18:17:25 +0000

Quick post to note how I determined and then fixed the internet access issue I was having when I installed OPNsense on Proxmox.

OPNsense virtual machine is configured with VirtiO network drivers.

Other than the obvious “I can’t access anything on the internet” or can’t reach external IP addresses problem I looked at troubleshooting via nmap – because the devices on the network could ping externally (8.8.8.8) and also resolve DNS requests.

In a broken state you may see ‘tcpwrapper’ when testing a known host serving HTTP, like so:

root@test:~# nmap -p 80 -sV 216.58.194.206

Starting Nmap 7.40 ( https://nmap.org ) at 2018-11-17 17:54 UTC

Nmap scan report for sfo03s01-in-f206.1e100.net (216.58.194.206)

Host is up (0.010s latency).

PORT STATE SERVICE VERSION

80/tcp open tcpwrapped

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 7.91 seconds

To fix this issue, ensure that “Disable hardware checksum offload” is enabled in the OPNsense interface, then reboot the firewall for changes to take effect.

After a reboot, doing another test via nmap will actually respond with HTTP fingerprints, as expected and internet is back.

root@test:~# nmap -p 80 -sV 216.58.194.206

Starting Nmap 7.40 ( https://nmap.org ) at 2018-11-17 18:00 UTC

Nmap scan report for sfo03s01-in-f14.1e100.net (216.58.194.206)

Host is up (0.0096s latency).

PORT STATE SERVICE VERSION

80/tcp open http gws

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

SF-Port80-TCP:V=7.40%I=7%D=11/17%Time=5BF0574C%P=x86_64-pc-linux-gnu%r(Get

SF:Request,8A7A,"HTTP/1\.0\x20200\x20OK\r\nDate:\x20Sat,\x2017\x20Nov\x202

SF:018\x2018:00:43\x20GMT\r\nExpires:\x20-1\r\nCache-Control:\x20private,\

SF:x20max-age=0\r\nContent-Type:\x20text/html;\x20charset=ISO-8859-1\r\nP3

SF:P:\x20CP=\"This\x20is\x20not\x20a\x20P3P\x20policy!\x20See\x20g\.co/p3p

SF:help\x20for\x20more\x20info\.\"\r\nServer:\x20gws\r\nX-XSS-Protection:\

SF:x201;\x20mode=block\r\nX-Frame-Options:\x20SAMEORIGIN\r\nSet-Cookie:\x2

SF:01P_JAR=2018-11-17-18;\x20expires=Mon,\x2017-Dec-2018\x2018:00:43\x20GM

SF:T;\x20path=/;\x20domain=\.google\.com\r\nSet-Cookie:\x20NID=146=0dp1WLb

SF:UhFIr1MIVwhAglx_4O6x-0eJHrmYFTov9a3oFxE2-lZSUI_9mmKBFXQZjYbjKbSRiirLZ-U

SF:cfybTiNQR_vmHD2MY4RBHP-hj4K7oyQX4lXuCgrSU7ESRXiX2Jn0qwoLWvvEItnC2hgDHEb

SF:oLJffQrfiEazdGDp5XppPU;\x20expires=Sun,\x2019-May-2019\x2018:00:43\x20G

SF:MT;\x20path=/;\x20domain=\.google\.com;\x20HttpOnly\r\nAccept-Ranges:\x

SF:20none\r\nVary:\x20Accept-Encoding\r\n\r\n

SF:emscope=\"\"\x20itemtype=\"http://schema\.org/WebPage\"\x20lang=\"en\">

SF:

SF:cluding\x20webpages,\x20images,\x20videos\x20and\x20more\.\x20Google\x2

SF:0has\x20ma")%r(HTTPOptions,71B,"HTTP/1\.0\x20405\x20Method\x20Not\x20Al

SF:lowed\r\nAllow:\x20GET,\x20HEAD\r\nDate:\x20Sat,\x2017\x20Nov\x202018\x

SF:2018:00:44\x20GMT\r\nContent-Type:\x20text/html;\x20charset=UTF-8\r\nSe

SF:rver:\x20gws\r\nContent-Length:\x201592\r\nX-XSS-Protection:\x201;\x20m

SF:ode=block\r\nX-Frame-Options:\x20SAMEORIGIN\r\n\r\n\n

SF:\n\x20\x20\n\x20\x20

SF:me=viewport\x20content=\"initial-scale=1,\x20minimum-scale=1,\x20width=

SF:device-width\">\n\x20\x20Error\x20405\x20$Method\x20Not\x20Allo</span></code></p> <p class="p1"><code><span class="s1">SF:wed$!!1\n\x20\x20