IPv6 Example Network with dynamic routing and shorewall
This article describes an OSPFv3 setup for IPv6 networks using quagga and shorewall6 on openSUSE 11.1.
Network Layout
The network consists of several subnets/zones:
* net Zone - the Internet - connected via www.sixxs.net tunnelbroker
* loc Zone - the local network (2 subnets)
* dmz Zone - hosting a webserver/mailserver
* vpn0 Zone - Hosting some servers in a remote site - connected via openvpn/IPv6
* vpn1 Zone - Hosting some servers in a remote site - connected via openvpn/IPv6
The OSPFv3 area is between the two firewalls/routers.
Routing setup and Quagga configuration
Firewall/Router 1
Routing table before starting quagga (zebra/ospf6d)
Note that the route to the subnet 2a01:198:2b0:5000::/64 is not yet known.
fire:~ # ip -6 route ls
2a01:198:200:17e::/64 dev sixxs metric 256 expires 21334097sec mtu 1428 advmss 1368 hoplimit 4294967295
2a01:198:2b0:1000::/64 dev eth0 metric 256 expires 20701620sec mtu 1500 advmss 1440 hoplimit 4294967295
2a01:198:2b0:2000::/64 dev eth1 metric 256 expires 19874405sec mtu 1500 advmss 1440 hoplimit 4294967295
2a01:198:2b0:3000::/64 dev tun1 metric 256 expires 21171681sec mtu 1500 advmss 1440 hoplimit 4294967295
2a01:198:2b0:4000::/64 dev tun0 metric 256 expires 21171681sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth1 metric 256 expires 19874405sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth2 metric 256 expires 19874406sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth3 metric 256 expires 19874408sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev ifb0 metric 256 expires 19874418sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth0 metric 256 expires 20701620sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev tun0 metric 256 expires 21171681sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev tun1 metric 256 expires 21171681sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev sixxs metric 256 expires 21334097sec mtu 1428 advmss 1368 hoplimit 4294967295
default via 2a01:198:200:17e::1 dev sixxs metric 1024 expires 21334097sec mtu 1428 advmss 1368 hoplimit 4294967295
Quagga is a modular collection of routing daemons; zebra is the central daemon that talks to the kernel routing table, and the protocol daemons (here ospf6d) hand their routes to it.
So we configure zebra first:
/etc/quagga/zebra.conf
! Hostname as shown in the virtual terminal
hostname zebra@fire
! passwords for access to the virtual terminal and for the "enable" mode (Cisco IOS style)
password zebra
enable password zebra1
! loc zone interface
interface eth0
description loc
! net zone Uplink via www.sixxs.net
interface sixxs
description IPv6 Uplink
! Don't send out routing information to uninterested systems
no multicast
! Create an access list that allows access from localhost and nowhere else
access-list access permit 127.0.0.1/32
access-list access deny any
! Enable access control on the command-line interface
line vty
access-class access
log file /var/log/quagga/zebra.log
Now start the zebra daemon with rczebra start and check the logfile for errors.
After that we configure
/etc/quagga/ospf6d.conf
hostname ospf6d@fire
password zebra
enable password zebra1
router ospf6
! where to advertise our routes, area in IPv4 decimal notation
! yes, simple setup, we know only area 0
interface eth0 area 0.0.0.0
! same procedure for the router id, just take the IPv4 address
router-id 192.168.1.1
! advertise dynamic uplinks
redistribute connected
! advertise static routes
redistribute static
! advertise kernel routes, which means here the default route
! actually in this setup this alone would be enough
redistribute kernel
log file /var/log/quagga/ospf6d.log
Start ospf6d with rcospf6d start and check the logfile.
Firewall/Router 2
Routing table before starting quagga (zebra/ospf6d)
Note that there is no default route nor routes to the other subnets.
firetest:~ # ip -6 route ls
2a01:198:2b0:1000::/64 dev eth0 proto kernel metric 256 expires 1037958sec mtu 1428 advmss 1368 hoplimit 4294967295
2a01:198:2b0:5000::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth0 proto kernel metric 256 mtu 1428 advmss 1368 hoplimit 4294967295
fe80::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
/etc/quagga/zebra.conf
hostname zebra@firetest
password zebra
enable password zebra1
interface eth0
description LAN
interface eth1
description LAN2
access-list access permit 127.0.0.1/32
access-list access deny any
line vty
access-class access
log file /var/log/quagga/zebra.log
/etc/quagga/ospf6d.conf
hostname ospf6d@firetest
password zebra
enable password zebra1
router ospf6
interface eth0 area 0.0.0.0
interface eth1 area 0.0.0.0
router-id 192.168.1.138
redistribute connected
redistribute static
! here we don't redistribute kernel, connected/static is enough
log file /var/log/quagga/ospf6d.log
Now start zebra and ospf6d and check the logfiles.
Routing table on Router1 after route distribution:
fire:~ # ip -6 route ls
2a01:198:200:17e::/64 dev sixxs metric 256 expires 21332110sec mtu 1428 advmss 1368 hoplimit 4294967295
2a01:198:2b0:1000::/64 dev eth0 metric 256 expires 20699633sec mtu 1500 advmss 1440 hoplimit 4294967295
2a01:198:2b0:2000::/64 dev eth1 metric 256 expires 19872418sec mtu 1500 advmss 1440 hoplimit 4294967295
2a01:198:2b0:3000::/64 dev tun1 metric 256 expires 21169693sec mtu 1500 advmss 1440 hoplimit 4294967295
2a01:198:2b0:4000::/64 dev tun0 metric 256 expires 21169693sec mtu 1500 advmss 1440 hoplimit 4294967295
2a01:198:2b0:5000::/64 via fe80::20d:b9ff:fe17:2fb0 dev eth0 proto zebra metric 2 expires 21328425sec mtu 1428 advmss 1368 hoplimit 4294967295
fe80::/64 dev eth1 metric 256 expires 19872417sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth2 metric 256 expires 19872418sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth3 metric 256 expires 19872421sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev ifb0 metric 256 expires 19872430sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth0 metric 256 expires 20699633sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev tun0 metric 256 expires 21169693sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev tun1 metric 256 expires 21169693sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev sixxs metric 256 expires 21332110sec mtu 1428 advmss 1368 hoplimit 4294967295
default via 2a01:198:200:17e::1 dev sixxs metric 1024 expires 21332110sec mtu 1428 advmss 1368 hoplimit 4294967295
Yes, we see 2a01:198:2b0:5000::/64 as proto zebra.
Routing table on Router2 after route distribution:
firetest:~ # ip -6 route ls
2a01:198:200:17e::/64 via fe80::a800:ff:fe00:ab dev eth0 proto zebra metric 1 mtu 1428 advmss 1368 hoplimit 4294967295
2a01:198:2b0:1000::/64 dev eth0 proto kernel metric 256 expires 1037812sec mtu 1428 advmss 1368 hoplimit 4294967295
2a01:198:2b0:2000::/64 via fe80::a800:ff:fe00:ab dev eth0 proto zebra metric 1 mtu 1428 advmss 1368 hoplimit 4294967295
2a01:198:2b0:3000::/64 via fe80::a800:ff:fe00:ab dev eth0 proto zebra metric 1 mtu 1428 advmss 1368 hoplimit 4294967295
2a01:198:2b0:4000::/64 via fe80::a800:ff:fe00:ab dev eth0 proto zebra metric 1 mtu 1428 advmss 1368 hoplimit 4294967295
2a01:198:2b0:5000::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth0 proto kernel metric 256 mtu 1428 advmss 1368 hoplimit 4294967295
fe80::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
default via fe80::a800:ff:fe00:ab dev eth0 proto zebra metric 1 mtu 1428 advmss 1368 hoplimit 4294967295
Now we have a default route plus the "connected" routes of Router1, thanks to the "redistribute kernel", "redistribute connected" and "redistribute static" directives on Router1.
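To check the result the article describes (which prefixes appeared on Router2 and that they came from zebra rather than the kernel), here is an added example that is not part of the original article: a small Python script that parses `ip -6 route ls` output, diffs the "before quagga" and "after quagga" tables, and flags any zebra-installed prefix outside the set the neighbour is expected to announce. The sample tables are constructed from the Router2 output above; the expected-prefix list assumes the 2a01:198:2b0:x000::/64 subnets belong to one 2a01:198:2b0::/48 allocation.

```python
"""Verify what OSPFv3 (through zebra) installed in a Linux IPv6 routing table.
Parses `ip -6 route ls` output and compares a "before quagga" table with an
"after quagga" table: which prefixes became reachable, which came from zebra,
and whether zebra installed a prefix the neighbour was not expected to announce.
"""
import ipaddress

# Sample tables constructed from the article's Router2 (firetest) output.
# "Before" holds only the connected subnets; "after" adds what Router1 redistributed.
BEFORE = """\
2a01:198:2b0:1000::/64 dev eth0 proto kernel metric 256 expires 1037958sec mtu 1428 advmss 1368 hoplimit 4294967295
2a01:198:2b0:5000::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth0 proto kernel metric 256 mtu 1428 advmss 1368 hoplimit 4294967295
fe80::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
"""

AFTER = """\
2a01:198:200:17e::/64 via fe80::a800:ff:fe00:ab dev eth0 proto zebra metric 1 mtu 1428 advmss 1368 hoplimit 4294967295
2a01:198:2b0:1000::/64 dev eth0 proto kernel metric 256 expires 1037812sec mtu 1428 advmss 1368 hoplimit 4294967295
2a01:198:2b0:2000::/64 via fe80::a800:ff:fe00:ab dev eth0 proto zebra metric 1 mtu 1428 advmss 1368 hoplimit 4294967295
2a01:198:2b0:3000::/64 via fe80::a800:ff:fe00:ab dev eth0 proto zebra metric 1 mtu 1428 advmss 1368 hoplimit 4294967295
2a01:198:2b0:4000::/64 via fe80::a800:ff:fe00:ab dev eth0 proto zebra metric 1 mtu 1428 advmss 1368 hoplimit 4294967295
2a01:198:2b0:5000::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth0 proto kernel metric 256 mtu 1428 advmss 1368 hoplimit 4294967295
fe80::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
default via fe80::a800:ff:fe00:ab dev eth0 proto zebra metric 1 mtu 1428 advmss 1368 hoplimit 4294967295
"""

# Tokens in `ip -6 route` output that carry a value; anything else is a bare flag.
VALUE_KEYS = {"via", "dev", "proto", "metric", "expires", "mtu", "advmss",
              "hoplimit", "src", "table", "pref", "scope"}

# Prefixes Router2 should learn from Router1 in this article (assumption: the
# SixXS uplink /64, the rest of one 2a01:198:2b0::/48 allocation, and the default).
EXPECTED_FROM_ROUTER1 = ["::/0", "2a01:198:200:17e::/64", "2a01:198:2b0::/48"]


def parse_routes(text):
    """Return one dict per route line: dst (IPv6Network), via, dev, proto, metric, flags."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "::/0" if parts[0] == "default" else parts[0]
        route = {"dst": ipaddress.IPv6Network(dst), "via": None, "dev": None,
                 "proto": "none", "metric": None, "flags": []}
        i = 1
        while i < len(parts):
            key = parts[i]
            if key in VALUE_KEYS and i + 1 < len(parts):
                val = parts[i + 1]
                if key == "via":  # drop a "%scope" suffix if one is present
                    route["via"] = ipaddress.IPv6Address(val.split("%")[0])
                elif key == "metric":
                    route["metric"] = int(val)
                elif key in ("dev", "proto"):
                    route[key] = val
                i += 2
            else:
                route["flags"].append(key)
                i += 1
        routes.append(route)
    return routes


def prefixes(routes):
    return {r["dst"] for r in routes}


def learned_routes(routes):
    """Routes installed by zebra, i.e. learned over OSPFv3 rather than connected/kernel."""
    return [r for r in routes if r["proto"] == "zebra"]


def new_prefixes(before, after):
    """Prefixes reachable after quagga started that were missing before."""
    return sorted(prefixes(after) - prefixes(before))


def unexpected_learned(routes, allowed):
    """Zebra-installed prefixes not covered by what the neighbour is expected to announce.
    A learned route is accepted if it equals an allowed entry or is a more specific
    of a non-default allowed entry; "::/0" only matches the default route itself,
    so allowing the default route does not silently allow everything.
    """
    allowed = [ipaddress.IPv6Network(a) for a in allowed]
    bad = [r["dst"] for r in learned_routes(routes)
           if not any(r["dst"] == a or (a.prefixlen > 0 and r["dst"].subnet_of(a))
                      for a in allowed)]
    return sorted(bad)


if __name__ == "__main__":
    before, after = parse_routes(BEFORE), parse_routes(AFTER)
    print("new prefixes:", [str(p) for p in new_prefixes(before, after)])
    print("learned via zebra:", [str(r["dst"]) for r in learned_routes(after)])
    print("unexpected:", unexpected_learned(after, EXPECTED_FROM_ROUTER1))
    # Constructed extra line: a documentation-space prefix nobody planned to announce.
    extra = AFTER + "2001:db8:ffff::/48 via fe80::a800:ff:fe00:ab dev eth0 proto zebra metric 1\n"
    print("unexpected with extra line:",
          [str(p) for p in unexpected_learned(parse_routes(extra), EXPECTED_FROM_ROUTER1)])
```

On a live router the same functions can be fed the output of `ip -6 route ls` directly; running the allowlist check periodically is a cheap way to notice when an OSPFv3 neighbour starts announcing a prefix that is not part of the plan, since nothing in the configuration above authenticates the adjacency.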
So we can do a little traceroute test:
firetest:~ # traceroute6 mail.adminguru.org
traceroute to mail.adminguru.org (2a01:198:2b0:3000:216:3eff:fe6c:43bd), 30 hops max, 40 byte packets using UDP
 1  fire.adminguru.org (2a01:198:2b0:1000::1)  0.277 ms  0.245 ms  0.259 ms
 2  fire1.adminguru.org (2a01:198:2b0:3000::2)  18.780 ms  32.494 ms  24.557 ms
 3  mail.adminguru.org (2a01:198:2b0:3000:216:3eff:fe6c:43bd)  21.760 ms  38.637 ms  51.177 ms
Shorewall Configuration
Yet to come
Attachments
IPv6adminguru.png (20.9 KB) - added by anonymous 3 years ago.