
I'm working on a solution to allow remote Linux nodes that are behind firewalls to be accessible for SSH and a web server.

Can anyone suggest an IPv6 tunnel scheme that would work with NAT firewalls? And what software would be needed on the remote nodes and the central server? Also, I do not believe the ISP at either side does native IPv6. I should also point out that the remote Linux nodes will be on cell modems (we can choose the modem).

A solution where we could have static IPv6 addresses on the remote Linux nodes would be ideal.

HopelessN00b
fred basset
  • This will probably be closed as a shopping question. That said, using SixXS with the aiccu daemon handles most aspects of punching through NAT and dynamic IP addresses with little difficulty. – Michael Hampton Nov 19 '12 at 16:51
  • Since you are looking at linux, you could use OpenVPN. It requires a relatively new version of the client though for IPv6 functionality. – Zoredache Nov 19 '12 at 21:39

2 Answers


There's nothing unusual about the setup you're asking about; the fact that you're using a tunnel broker doesn't change anything.

You need to get an IPv6 network allocation from somewhere (your tunnel broker or your ISP; if you need a tunnel broker and don't have one yet, Google can find you a dozen or more), and configure your firewall to handle the IPv6 traffic.
There is no need to use NAT with IPv6 - simply have your firewall pass (route) the IPv6 traffic to the hosts on the inside of your network, and assign each host a public IPv6 address.

Configure your firewall appropriately to allow/block traffic to the IPv6 addresses, and you're all set.
Your firewall will act as a packet filter / pass-through router. No NAT necessary.

voretaq7
  • The issue is not NAT of IPv6 itself, but the fact that IPv4 is NATted and thus the IPv4 NAT appliance, whatever it is, needs to be configured to pass protocol 41 to the user's chosen IPv6 tunnel endpoint. – Michael Hampton Nov 19 '12 at 18:16
  • @MichaelHampton Good point - I'm assuming the firewall or an inside router will be terminating the tunnel (because presumably we're talking about a real firewall and not a crappy Netgear or D-Link home box -- if that's not the case this becomes a whole different kind of messy hell, and might be off-topic for SF anyway :-) – voretaq7 Nov 19 '12 at 18:21
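The two halves of this answer and its comments in script form, as an added example that is not code from either answer: the Linux box doing the IPv4 NAT hands protocol 41 (6in4) to the one inside host that terminates the tunnel, and that host filters its public IPv6 address with ip6tables rather than NAT. The interface names, the broker endpoint 192.0.2.1 and the inside host 192.168.1.10 are assumptions from the documentation ranges; substitute your own.

```shell
#!/bin/sh
# Added example (not code from either answer): a Linux box doing the IPv4 NAT
# hands protocol 41 (6in4) to one inside host that terminates the tunnel, and
# that host filters its public IPv6 addresses with ip6tables instead of NAT.
# All addresses are assumptions from documentation ranges; replace them.
#
#   NAT box WAN interface        : eth0          (assumed)
#   tunnel broker IPv4 endpoint  : 192.0.2.1     (assumed, documentation range)
#   inside tunnel endpoint host  : 192.168.1.10  (assumed)
#   tunnel interface on that host: sit1          (assumed)
#
# Set DRY_RUN=1 to print the commands instead of running them (no root needed).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# NAT box: 6in4 has no port numbers, so this is a protocol DNAT, not a port
# forward. Conntrack tracks protocol 41 generically (by address pair only), so
# exactly one inside host can be the tunnel endpoint behind this NAT box.
nat_forward_proto41() {
    wan_if=$1; broker=$2; endpoint=$3
    run sysctl -w net.ipv4.ip_forward=1
    # Inbound encapsulated IPv6 from the broker: rewrite destination to the endpoint.
    run iptables -t nat -A PREROUTING -i "$wan_if" -p 41 -s "$broker" -j DNAT --to-destination "$endpoint"
    # Let the DNATed packets and the endpoint's replies cross the FORWARD chain.
    run iptables -A FORWARD -i "$wan_if" -p 41 -s "$broker" -d "$endpoint" -j ACCEPT
    run iptables -A FORWARD -o "$wan_if" -p 41 -s "$endpoint" -d "$broker" -j ACCEPT
    # Outbound encapsulated packets get the NAT box's public address like any other flow.
    run iptables -t nat -A POSTROUTING -o "$wan_if" -p 41 -s "$endpoint" -d "$broker" -j MASQUERADE
}

# Tunnel endpoint (and any inside host given a public IPv6 address): no NAT,
# just a stateful packet filter. Default deny inbound, keep ICMPv6 (IPv6 does
# not work without it), and open only the listed TCP ports on the tunnel side.
ipv6_filter() {
    tun_if=$1; shift
    run ip6tables -P INPUT DROP
    run ip6tables -P FORWARD DROP
    run ip6tables -A INPUT -i lo -j ACCEPT
    run ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
    for port in "$@"; do
        run ip6tables -A INPUT -i "$tun_if" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
}

# Usage: sh this_script.sh nat     (on the NAT box)
#        sh this_script.sh filter  (on the tunnel endpoint: SSH, HTTP, HTTPS)
case "${1:-}" in
    nat)    nat_forward_proto41 eth0 192.0.2.1 192.168.1.10 ;;
    filter) ipv6_filter sit1 22 80 443 ;;
esac
```

Restricting the DNAT to the broker's source address is deliberate: anything else arriving as protocol 41 on the WAN side is dropped rather than being handed to the endpoint. The endpoint's filter is the whole of the "no NAT" point in the answer: the host keeps its public IPv6 address and only the chosen ports are reachable.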

I've personally been very happy with Hurricane Electric's tunnel service, but any tunnel broker should do. If you can DMZ one host on your network (likely) or pass just protocol 41 to a specific host (less likely on consumer hardware), then you can use standard IPv6 tunneling. You'll be given at least a /64 for your endpoint, and that's plenty of room for setting up static addresses.

If you can't use the standard IPv6 in IPv4 protocol because your firewall won't terminate or forward it, then you can instead find a broker offering Teredo tunneling which runs over UDP and will punch through NAT without explicit forwarding.

My office and my home are both behind NAT firewalls, but I can cleanly ping from one to the other over IPv6.

Jeff Ferland
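The remote-node side of this answer as an added example, not code from the answer or from any broker: bring up a standard 6in4 "sit" tunnel to the broker and give the node a static address out of the routed /64 it was allocated. The node address 192.168.1.10, the broker endpoint 192.0.2.1 and both /64s are assumptions in the documentation ranges; take the real values from your broker's tunnel page. One caveat for the cell-modem case from the question: the broker must know the public IPv4 address the tunnel arrives from, so when the modem's address changes the broker-side record has to be updated (the aiccu daemon named in the comments automates that for SixXS).

```shell
#!/bin/sh
# Added example (not code from the answer above): bring up a 6in4 "sit" tunnel
# from a remote Linux node to a tunnel broker and give the node a static
# address out of the routed /64. Every address below is an assumption in the
# documentation ranges; use the values your broker's tunnel page shows.
#
#   node's own IPv4 (private, behind the NAT)     : 192.168.1.10      (assumed)
#   broker's IPv4 tunnel endpoint                 : 192.0.2.1         (assumed)
#   tunnel link /64, broker side ::1, our side ::2: 2001:db8:0:1::/64 (assumed)
#   routed /64 handed out by the broker           : 2001:db8:0:2::/64 (assumed)
#
# Set DRY_RUN=1 to print the commands instead of running them (no root needed).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Static address for node number N in the routed /64: <prefix>::N.
# N is used as written (decimal digits are valid in a hex group), so node 10
# gets <prefix>::10; keep the node-number table in your inventory.
node_addr() {
    prefix=$1; n=$2
    printf '%s%d\n' "$prefix" "$n"
}

tunnel_up() {
    tun_if=$1; local_v4=$2; broker_v4=$3; link_v6=$4; broker_v6=$5; static_v6=$6
    # sit = IPv6 inside IPv4, IP protocol 41. "local" is the node's own private
    # address; the NAT in front of it rewrites that to the public address the
    # broker has on record.
    run ip tunnel add "$tun_if" mode sit remote "$broker_v4" local "$local_v4" ttl 255
    run ip link set "$tun_if" up
    # Our end of the point-to-point tunnel link, then the static service address.
    run ip addr add "$link_v6" dev "$tun_if"
    run ip addr add "$static_v6" dev "$tun_if"
    # Send all IPv6 through the broker.
    run ip route add ::/0 via "$broker_v6" dev "$tun_if"
    # 6in4 adds a 20-byte IPv4 header, so the IPv6 MTU is 1500 - 20.
    run ip link set "$tun_if" mtu 1480
}

tunnel_down() {
    run ip tunnel del "$1"
}

# Usage: sh this_script.sh up <node-number>   (node 7 -> 2001:db8:0:2::7)
#        sh this_script.sh down
case "${1:-}" in
    up)   tunnel_up sit1 192.168.1.10 192.0.2.1 2001:db8:0:1::2/64 2001:db8:0:1::1 \
              "$(node_addr 2001:db8:0:2:: "${2:-1}")/64" ;;
    down) tunnel_down sit1 ;;
esac
```

The static address lives on the tunnel interface itself, so the node is reachable at it as long as the tunnel is up; `ping6` to the broker side of the link (2001:db8:0:1::1 in the assumed numbering) is the first thing to check when it is not.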