# IPV6 tunnel strategy, recommendations wanted.

## 1clue

Hi guys.

The official 'running out of addresses' propaganda has piqued my interest again in IPV6, and I think it would be a fun project to set my home network up 'properly' with it.

Here is the overall situation:

Comcast cable connection, I own the modem (Motorola SurfBoard 6120) which will be referred to as the router.  This was either a small business device or the top-of-the-line consumer device when I bought it, depending on which link you clicked on.

Comcast does not support IPV6 as yet to the customer.

Cisco/Linksys WRT610N, simultaneous dual band 802.11n with 4+1 wired ports.  Referred to as the switch.

Both router and switch 'support' IPV6 according to documentation, but they don't have any controls for it.

A list of laptops, phones, workstations and a printer all or most of which support IPV6 but are irrelevant for the current discussion.

An experimental account with Hurricane Electric and tunnelbroker.net.

My goals:

First, let me say I don't expect to do all this at the same time.  I just want the whole project out there so I don't head down a path that won't get me where I want to go. :)

Create a tunnel for the entire home network which goes to tunnelbroker.net.

Configure a dual-mode network at home, where the IPV6 side actually works.

Set up DHCP and DNS on IPV6 locally.

Make things so IPV6 is preferred if it can get there, then IPV4 as a fall-back.

Configure an IPV6+IPV4 firewall, generally pretty simple 'keep everyone out' with minor DMZ type additions.

Rope off the wireless part unless using a known MAC address and encryption.

Set up an IPV6 VPN which activates via an email message.

The VPN would be a dial-in type thing, if I'm on the road and want to get into my system.  I would send a specifically formatted email to an account, and that would bring the VPN up and ping me back with an IP address.  Then I log into the VPN from my laptop over the Internet and go on from there.  I'm pretty sure Comcast doesn't want me to be doing this, so I figure this sort of thing will be necessary.

What I would like advice on is strategy, preferably from one of you network types.  I see 2 possibilities:

Wipe the WRT610N and put on something like dd-wrt on it.

Put a Linux box in between router and switch to be an additional firewall.

My sense of neatness wants the dd-wrt option, but I've never done anything like that and I don't know how stable it is.  They have a warning about my device on the web site, but I don't know if the whole thing is shaky or if it's just that some features aren't quite there yet.  I don't know how tricky all this is or how hard it is to get my default software back in there if something goes wrong.
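A default-deny IPv6 ruleset for the "tunnel for the entire home network" and "keep everyone out" goals listed above, as an added example that is not part of the original post. Hosts behind a routed tunnel prefix have globally routable addresses with no NAT in between, so the FORWARD policy is what keeps inbound traffic out. The interface names `he-ipv6` and `br0` and the address 192.0.2.1 are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. he-ipv6 (tunnel), br0 (LAN) and
# 192.0.2.1 (tunnel server) are placeholders; use your own values.

# Print an ip6tables-restore ruleset for a router that forwards a routed
# prefix between a 6in4 tunnel interface ($1) and a LAN interface ($2).
gen_ip6_rules() {
    tun=$1
    lan=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -j ACCEPT
-A INPUT -i $tun -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $tun -j ACCEPT
COMMIT
EOF
}
# Notes on the ruleset above:
#  - Nothing arriving on the tunnel may open a new connection to a LAN host;
#    only replies to LAN-initiated traffic pass (ESTABLISHED,RELATED).
#  - ICMPv6 errors such as packet-too-big are matched as RELATED, so path
#    MTU discovery keeps working without a blanket ICMPv6 accept.
#  - The LAN is trusted towards the router itself (router advertisements,
#    neighbour discovery, DHCP/DNS if the router serves them).

# Print the IPv4 rule that lets 6in4 packets (IP protocol 41) in, but only
# from the tunnel server ($1). Merge it into the existing IPv4 ruleset.
gen_ip4_tunnel_rule() {
    printf '%s\n' "-A INPUT -s $1 -p 41 -j ACCEPT"
}

# With two arguments, print the IPv6 ruleset so it can be reviewed or piped:
#   sh this-script.sh he-ipv6 br0 | ip6tables-restore
if [ "$#" -eq 2 ]; then
    gen_ip6_rules "$1" "$2"
fi
```

Review the printed rules before piping them to `ip6tables-restore`, which replaces the whole filter table.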

----------

## gerdesj

Are you sure Comcast does not support IPv6 natively?

I've seen rather a lot of IPv6 related stories on /. recently and I'm sure I've seen people mention Comcast as being one of the few that actually do support it.  I also read quite a long doc on how they went about migrating their stuff over.  Of course that does not necessarily mean they offer it to the great unwashed though!  Maybe it's for business lines only at the moment - I'd check it out though first to be sure.  I'm in the UK so don't know personally.

Now, you want to get IPv6 up and running like many folk but are not sure where to start. 

If you can get an IPv6 /64 or /48 from Comcast then as your router supports IPv6 off you go! 

If you can't get a native connection then a tunnel is required and I would not bother unless you want to do some training on the use of IPv6.

IPv6 is suddenly a hot potato and I suspect that support will miraculously appear all over the place.  Waiting for a while might be the best course of action.

You can still play with link local to get the hang of things.  

Cheers

Jon

----------

## 1clue

Gerdesj,

Last time I checked Comcast used IPV6 in its backbone only.  They do not support it for customers.  There is one area where a test group of 25 customers were put on dual stack, but AFAICT they are the only ones.  They actually turned it on on my 45th birthday.

Awhile back I messed with IPV6 and went through Hurricane Electric's tutorial, got to the point where I had DNS and all that but didn't want a mail server at all so I stopped the training there.  I'm not a complete beginner, I'm just looking for advice about the best route to my goals.

My sense of neatness and security consciousness wants all my physically wired hardware to be on the safe side of the Cisco's firewall policy.  I would like to know how hard that is or if there are any likely issues to come about by wiping its firmware and putting on dd-wrt, or if it won't do what I'm after.

Thanks.

----------

## gerdesj

 *1clue wrote:*   

> Gerdesj,
> 
> Last time I checked Comcast used IPV6 in its backbone only.  They do not support it for customers.  There is one area where a test group of 25 customers were put on dual stack, but AFAICT they are the only ones.  They actually turned it on on my 45th birthday.
> 
> Awhile back I messed with IPV6 and went through Hurricane Electric's tutorial, got to the point where I had DNS and all that but didn't want a mail server at all so I stopped the training there.  I'm not a complete beginner, I'm just looking for advice about the best route to my goals.
> ...

 

I am in the same boat.  However I have the luxury of 7 ADSL (6 at work, 1 at home) lines to play with over 4 ISPs one of which gives out a /48 IPv6 automatically and native PPPoAv6.

If your ISP won't do v6 then I have two recommendations:

1) Don't worry, find other things to do until they suddenly decide that early to market is a good idea

2) Bin the ISP - I left PlusNet for that very reason and am much happier with AAISP 

On the hardware front, I don't know what you could run on your Cisco.  If you are hell bent on playing, and let's face it you wouldn't be here otherwise, I'd buy a cheapo Netgear or whatever that will definitely run DD-Wrt or Tomato or similar.  I wouldn't risk your "production" router unless you are 100% sure it will work or that you can recover it.

Or something like a Draytek 120 - ie a modem that you drive with PPPoE - it's a 3 liner in your /etc/conf.d/net.

Cheers

Jon

----------

## 1clue

Gerdesj,

Sorry for being so contrary.  I'm gonna poo-poo both your recommendations.

Comcast is the fastest ISP available to me, and AFAICT there is no IPV6-capable ISP for home networks in the area, and for that matter I have a good 6 months left on my Comcast contract anyway.

The more I have read about recently, the more I want a router that supports a lot more features than the one I have.  Some of the features I am interested in just don't exist on home gear.  Oddly enough, all or most of it is on dd-wrt.

Using a tunnel to hurricane is not new to me.  I made it go using Linux before.  I just haven't done it on a router, and I haven't shared it on a whole network.

dd-wrt definitely supports my router, the only thing is they have a bunch of extra pages specifically about it.  I'm still reading.  I will probably wind up trying to install dd-wrt.  I don't like the idea of a regular box being my router, my current appliance is definitely up to the task.

I was just hoping for some advice from somebody who has been through this and made it all go.

Thanks.

----------

## gerdesj

Fair enough, if you are sure your router will run DD-WRT then that would seem a good idea.

Even though I have access to an IPv6 enabled ISP getting hardware is a bloody pain.  I am still evaluating several shoddy pieces of kit.  

I have a lot of customers (I run an IT company) and I thought it would be easy to find a router that would do both IPv4 and 6 with IPSEC etc etc.  Oh no - the only box I've tried so far is a FritzBox and the IPv6 support is beta only.  There are rumours of a recent D-Link which I will be buying tomorrow to try out.

In the past we have always specified Drayteks 2600, 2800 and then 2820 but there is no IPv6 on these and nor is any planned as far as I can tell.  Here in the UK we use PPPoA over POTS predominantly with some on cable.  The only Draytek to do IPv6 is a cable modem and that doesn't work for most people!

It's pretty bad when all we can use is one device in beta and maybe one other.  The market should be awash by now with them.

Cheers

Jon

----------

## 1clue

Call me Aunt Jemima, because I'm waffling like crazy.

Now I'm thinking of a diy router.  You know, pick up a really small form factor board, a few nics, maybe a solid state drive.

The technicalities of setting up ipv6 are not nearly as challenging as figuring out my strategy.  This sucks.

I would really like to have a non-wireless router at the WAN, then have a true DMZ and a true private network.  I'm really into getting a VPN tunnel in IPV6 too, but I'm a bit squeamish on wiping my existing router.

Somebody make up my mind!

----------

