Take the survey, find your best choice tunnel broker and while you're at it learn how freaking easy it is to get connected to ipv6!
the form can be found in my first post in this thread.... or just click here - http://spreadsheets.google.com/viewform?fo...RHpONWhxOEE6MA..
LAG issue - HowTo solve it
I've given this a go with tunnelbroker. My initial assessment isn't quite rosy. It would appear that I'm required to give the IPv6 tunnel carte blanche where my firewall is concerned, or get my hands dirty recompiling my firewall's kernel to support IPv6. Neither of which are things I really want to do.
/me will investigate other options.
B

Granary Sergeant Baker - Special Bread Service (Wurf - 13th Oct 2011)
-
TheCorsair
- Posts: 2203
- Joined: Thu Dec 04, 2008 12:32 pm
- Location: Сою́з Сове́тски
voobscout wrote: QUOTE (voobscout @ Apr 28 2009, 12:18 AM)
There're quite a few ipv6 tunnel brokers, wikipedia provides a summary here:
http://en.wikipedia.org/wiki/List_of_IPv6_tunnel_brokers
The best option is to find out which POP is the closest to you, IP-wise, since geographical distances rarely account for ISP peering agreements ;-)
For our AU users, there's
http://broker.aarnet.net.au/ - 202.158.196.131
http://ipv6.internode.on.net/ - 150.101.0.201
Ok there will be HEAPS of Aussie players as well as NZ and others where 3FL was our hope that never was reality, we just NEED to try this and be done with the whole LAG issues that we get with GPZ and to some extent Planet through IPV4.
So many thanks to the GPZ guys for being interested in trying this. I know that if this gets LAG down significantly I will no doubt donate to the server that puts this in place.
This is simply an awesome game and we need to get more people playing and get the LAG down so we can all stop the whining and have fun.
I really look forward to trying this ASAP.
Thanks!
"Neither east nor west" 
UNITED FOREVER IN FRIENDSHIP AND LABOUR
"The clouds are fleeting over every country, we stand fast, for no kind of rain will take away our smiles."

-
Mighty_Mouse
- Posts: 4
- Joined: Mon Jun 09, 2008 3:06 pm
sgt_baker wrote: QUOTE (sgt_baker @ Apr 28 2009, 12:47 PM)
I've given this a go with tunnelbroker. My initial assessment isn't quite rosy. It would appear that I'm required to give the IPv6 tunnel carte blanche where my firewall is concerned, or get my hands dirty recompiling my firewall's kernel to support IPv6. Neither of which are things I really want to do.
/me will investigate other options.
B
this depends on which OS you're running, if it's a mustdie, then you never actually had control of your firewalling to begin with... you have a poor implementation of some immature port filter..... however, even this crap supports ipv6.
The convenience is that you can use netsh from command line, instead of mucking around in some GUI....
ie. c:\>netsh firewall show config
so, you can set anything that relates to ipv6 from within.... the only question would be, what exactly DO you need to set ? do you have a list of IPs you want to block ? very unlikely, since you haven't been using ipv6 up till now... If it is open ports you're worried about, whatever applies to your ipv4, also applies to your ipv6, since you're basically just changing the underlying IP protocol from version 4 to 6, you're not touching anything above, all the TCP/UDP stuff stays exactly the same...
I can refer you to OSI model, where IP (any version) is a networking layer (or layer 3 on OSI model), that is only responsible for path determination and addressing. a good explanation can be found here: http://www.webopedia.com/quick_ref/OSI_Layers.asp
Now, if you're talking about something like solaris/linux/osX/IOS, then you have total firewalling control over everything, including ipv6, including NAT PT, excellent pf and all the perks of running a real operating system, instead of some GUI dos shell ;-)
if it's your local router you're concerned with, you can always run openwrt equivalent on it and have the full ipv6 support built in.
In short - you're definitely not giving your ipv6 anything beyond what you already had with ipv4, you don't even need to reconfigure your firewall on mustdie to support ipv6, it does it straight away....
Last edited by voobscout on Tue Apr 28, 2009 2:38 pm, edited 1 time in total.

voobscout wrote: QUOTE (voobscout @ Apr 28 2009, 03:31 PM)
this depends on which OS you're running, if it's a mustdie, then you never actually had control of your firewalling to begin with... you have a poor implementation of some immature port filter..... however, even this crap supports ipv6.
The convenience is that you can use netsh from command line, instead of mucking around in some GUI....
ie. c:\>netsh firewall show config
so, you can set anything that relates to ipv6 from within.... the only question would be, what exactly DO you need to set ? do you have a list of IPs you want to block ? very unlikely, since you haven't been using ipv6 up till now... If it is open ports you're worried about, whatever applies to your ipv4, also applies to your ipv6, since you're basically just changing the underlying IP protocol from version 4 to 6, you're not touching anything above, all the TCP/UDP stuff stays exactly the same...
I can refer you to OSI model, where IP (any version) is a networking layer (or layer 3 on OSI model), that is only responsible for path determination and addressing. a good explanation can be found here: http://www.webopedia.com/quick_ref/OSI_Layers.asp
Now, if you're talking about something like solaris/linux/osX/IOS, then you have total firewalling control over everything, including ipv6, including NAT PT, excellent pf and all the perks of running a real operating system, instead of some GUI dos shell ;-)
if it's your local router you're concerned with, you can always run openwrt equivalent on it and have the full ipv6 support built in.
In short - you're definitely not giving your ipv6 anything beyond what you already had with ipv4, you don't even need to reconfigure your firewall on mustdie to support ipv6, it does it straight away....
I had IPv6 running this morning as per configuration mentioned here and on the tunnelbroker site. It was 50% working in that I had IPv6 address, DNS etc, but no dice as far as connecting to anything was concerned. A bit of quick research pointed to my linux firewall messing things up. I could give this a go whilst connected directly to teh internets just to make sure. Which I will do now, in fact

Granary Sergeant Baker - Special Bread Service (Wurf - 13th Oct 2011)
sgt_baker wrote: QUOTE (sgt_baker @ Apr 28 2009, 04:41 PM)
I had IPv6 running this morning as per configuration mentioned here and on the tunnelbroker site. It was 50% working in that I had IPv6 address, DNS etc, but no dice as far as connecting to anything was concerned. A bit of quick research pointed to my linux firewall messing things up. I could give this a go whilst connected directly to teh internets just to make sure. Which I will do now, in fact
Aha ! Good sir Baker has not specified the nature of his concerns, thus i misunderstood what he meant.
What was being said is that when you start tunneling traffic directly from a box located inside some network, you become vulnerable to all kinds of crap... that applies to any kind of tunnels, vpn, gre etc... It is more of a general security concern rather than something specific to ipv6.
The obvious solution would be to have your border router / firewall create the tunnel and not the box inside your network. That will allow you to continue to manage your security policy from a single place.
Depending on your setup (ie, linux net tools or iproute2) you'd have to take necessary steps to ensure continuous security, however, generally speaking whatever applies to your ipv4 setup still applies to ipv6, the only thing you have to remember is to not bind firewall rules to a specific interface and in case you have to, just duplicate your ruleset over to sit0...
In a perfect setup, you'd be using ipv4->ipv6 NAT on your border device.
oh and btw: remember ! since you're behind an ipv4 NAT already, in configuration you have to actually give your internal private subnet address (ie 192.168.178.xxx) as your local tunnel endpoint, when done properly, from a mustdie box inside your local net, your border router wouldn't even feel anything is amiss, since for it, the traffic appears to be regular ipv4.
Last edited by voobscout on Tue Apr 28, 2009 3:16 pm, edited 1 time in total.

voobscout wrote: QUOTE (voobscout @ Apr 28 2009, 04:11 PM)
Aha ! Good sir Baker has not specified the nature of his concerns, thus i misunderstood what he meant.
What was being said is that when you start tunneling traffic directly from a box located inside some network, you become vulnerable to all kinds of crap... that applies to any kind of tunnels, vpn, gre etc... It is more of a general security concern rather than something specific to ipv6.
The obvious solution would be to have your border router / firewall create the tunnel and not the box inside your network. That will allow you to continue to manage your security policy from a single place.
Depending on your setup (ie, linux net tools or iproute2) you'd have to take necessary steps to ensure continuous security, however, generally speaking whatever applies to your ipv4 setup still applies to ipv6, the only thing you have to remember is to not bind firewall rules to a specific interface and in case you have to, just duplicate your ruleset over to sit0...
In a perfect setup, you'd be using ipv4->ipv6 NAT on your border device.
As suspected, neither of my firewalls (Sygate Personal Firewall on this box and Smoothwall Express 3.0) will have anything to do with the tunnel. Both fail silently. Obviously I was able to connect first time when I was plumbed directly into the internet from this machine, but as soon as I enabled Sygate, everything just went quiet. And that's despite my adding specific rules to Sygate to allow the Ipv6 driver unrestricted access. Nothing. Nada. Just sits there doing bugger all.
Yeah I wasn't entirely clear regarding my security concerns, but that appears to be a moot point at this juncture. The only way around this that I can see is to disable Sygate when I need Ipv6 access, and recompile smoothwall to support Ipv6. Whilst I know that it is possible to coerce smoothwall into natively supporting IPv6, it obviously isn't supported by any of the GUI elements, so I'd be stuck adding rules/bindings/everything via the linux command prompt, which.... to say the least... isn't exactly my forte.

Granary Sergeant Baker - Special Bread Service (Wurf - 13th Oct 2011)
Sir Baker:
Sygate Personal Firewall:
Tools -> Advanced Rules -> Add
Tab General:
- Give description, press Allow this traffic
Tab Ports and Protocols:
- Drop down box: Protocol IP Type
- IP Type: 41
- Traffic direction: both
---
The same would also apply to your smoothwall, but as i have stated earlier, you'd be negating your firewall.... a simple solution is to have your sygate mimic the ruleset from your smoothwall....

hm... turns out smoothwall is perfectly capable of running ipv6 with HE.... here it is, including detailed instructions on how to set it up: http://community.smoothwall.org/forum/view...=26&t=29744
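The firewall policy discussed in the posts above (IP protocol 41 allowed in both directions, the tunnel terminated on the border firewall, and the IPv4 policy repeated on the tunnel interface), as an added example that is not part of the original thread: a shell function that prints iptables/ip6tables rules for review instead of applying them. The broker address and the interface names are placeholders passed as arguments, and it assumes a Linux firewall whose kernel has IPv6 netfilter support.

```shell
#!/bin/sh
# Added example, not from the thread: print (do not apply) firewall rules for a
# 6in4 tunnel terminated on a Linux border firewall. Arguments are placeholders.
# Usage: sh tunnel_rules.sh BROKER_IPV4 TUNNEL_IF LAN_IF   (review, then run as root)

valid_ipv4() {
    # Dotted quad with every octet in 0..255.
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

tunnel_rules() {
    broker=$1; tun_if=$2; lan_if=$3
    valid_ipv4 "$broker" || { echo "bad broker address: $broker" >&2; return 1; }
    for ifname in "$tun_if" "$lan_if"; do
        echo "$ifname" | grep -Eq '^[A-Za-z0-9_.-]{1,15}$' ||
            { echo "bad interface name: $ifname" >&2; return 1; }
    done
    cat <<EOF
# IPv4 side: protocol 41 only between this firewall and the broker endpoint.
iptables -A INPUT  -p 41 -s $broker -j ACCEPT
iptables -A OUTPUT -p 41 -d $broker -j ACCEPT
iptables -A INPUT  -p 41 -j DROP
# Hosts behind the firewall may not build their own tunnels past it.
iptables -A FORWARD -p 41 -j DROP
# IPv6 side: default deny and stateful, so the tunnel gets a real policy.
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 carries neighbour discovery and path MTU discovery.
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
# New connections only from the LAN out through the tunnel.
ip6tables -A FORWARD -i $lan_if -o $tun_if -j ACCEPT
EOF
}

if [ "$#" -eq 3 ]; then tunnel_rules "$@"; fi
```

The rules use `-A`, so they land after whatever is already in each chain; an earlier broad ACCEPT rule would still match first.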
