I'm having some trouble thinking outside IPv4 and finding out the best way to (fully) enable IPv6 in our small company network.
(Motivation: gather knowledge, make port forwarding obsolete, long run IPv6 only)
Current situation
I think I'll start with describing our current network setup (If I'm missing something essential here, please feel free to ask; subnets and names are fictional):
Router: FritzBox 7590 (internal DHCP deactivated) IPv4: 192.168.12.250
DHCP & DNS 1: Windows 2012 Server IPv4: 192.168.12.5
DHCP & DNS 2: Windows 2012 Server IPv4: 192.168.12.15
DHCP Range: 192.168.12.100 - 192.168.12.200 Some reserved IPs for devices which have an A record in the DNS Server. Some internal servers which have fixed IPs and an A record in the DNS Server.
Webserver: 192.168.12.60 Port forwarding to Port 443 is configured in Router, external domain on something like interal.company.com (dynamic DNS with http://www.nsupdate.info)
The DNS domain is something like company.local
Where I am now
I think it's a rather small setup, so I thought enabling v6 shouldn't be that hard.
We get a (non-static) IPv6 address from our internet provider: 2003:e4:feef:feef:e228:6dff:fe6f:56ff
And an IPv6 prefix: 2003:e4:ffff:ffff::/56
After enabling v6 on my machine and the router I ran into the first problem: DNS requests to internal hosts couldn't be resolved.
This was because the router announced external IPv6 DNS servers which were preferred by my DNS client. To resolve the issue I enabled IPv6 on one of the DNS servers, took the Link Local Unicast address, and configured it as static IPv6 address. (DNS 1: fe80::893:c9d6:bb08:f46) I configured this address as IPv6 DNS server in the router.
This fixed the issue, but I'm not sure how to proceed.
Questions
- Why is the router IPv6 address outside our IPv6 prefix?
- Should I be using a Unique Local Unicast address instead of the Link Local address for the DNS server(s)?
- What would be a sufficient distribution scheme for local v6 addresses?
- Shall I enter prefixed or local addresses into the DNS database? If prefixed - how are they changed when the prefix changes?
- For the webserver: Should it have a fixed address after the prefix so my external dynamic DNS provider (nsupdate.info) can be updated by the router? How do I accomplish that?
- What to do with the reserved addresses which have DNS records, how do I transition these to v6?
- I didn't mention we are also running an Active Directory domain. Does this change anything?
Thank you very much for reading!
With prefix delegation, your IP address can be different from the prefix you are given. You have multiple IPs, don't worry about it.
Try not to use link-local; it doesn't route. Yes, you can generate a unique local address.
Give a /64 to every subnet.
Ask your provider for a static prefix. This is cheap in IPv6 so this isn't a big ask.
WARNING: Your IPv6 addresses will be globally routed, ensure you firewall traffic to and from the Internet.
Don't assign services to link-local addresses.
Assign a separate /64 to every internal subnet.
Assign a fixed IP address to servers and routers. These can be entered into DNS. (Some IPv4 DHCP/DNS servers will identify the corresponding IPv6 address using the associated MAC address.)
You should configure radvd and/or DHCPv6 to handle address assignment. IPv6 addresses are generally self-assigned based on one of these services. DHCPv6 allows you to assign fixed IP addresses.
If you are not getting a static prefix (which you should), the configuration of the address assignment will need to update when the prefix changes. (It is not that important that your external address be static as the route to your prefix should update appropriately.)
IPv6 privacy works by periodically assigning a new IP address for outgoing traffic. Don't be surprised to see multiple global IP addresses on your devices.
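The two answers above recommend generating a ULA prefix, carving a /64 out of the delegated /56 for every subnet, deriving server addresses from the MAC, and planning for the provider's prefix to change. The following is an added example (not code from either answerer) that does each of those steps with Python's standard library: the ULA generator follows RFC 4193, the /56 is the fictional one from the question (with strict=False, since it has host bits set as written), and the second /56, the sample MAC and the interface identifier ::60 for the webserver are constructed values.

```python
import hashlib
import ipaddress
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291 App. A): flip the U/L bit, insert ff:fe in the middle."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def generate_ula_prefix(eui64: bytes, ntp_time=None) -> ipaddress.IPv6Network:
    """RFC 4193 3.2.2: fd00::/8 + 40-bit Global ID = low 40 bits of SHA-1(NTP time || EUI-64)."""
    if ntp_time is None:
        ntp_time = time.time() + NTP_EPOCH_OFFSET
    secs = int(ntp_time) & 0xFFFFFFFF
    frac = int((ntp_time - int(ntp_time)) * (1 << 32)) & 0xFFFFFFFF
    digest = hashlib.sha1(secs.to_bytes(4, "big") + frac.to_bytes(4, "big") + eui64).digest()
    global_id = int.from_bytes(digest[-5:], "big")
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def subnet(delegated: ipaddress.IPv6Network, index: int) -> ipaddress.IPv6Network:
    """The index-th /64 of a delegated prefix; a /56 yields 256 of them (0..255)."""
    if delegated.prefixlen > 64:
        raise ValueError("delegated prefix must be /64 or shorter")
    count = 1 << (64 - delegated.prefixlen)
    if not 0 <= index < count:
        raise ValueError(f"subnet index must be in 0..{count - 1}")
    return ipaddress.IPv6Network((int(delegated.network_address) + (index << 64), 64))


def renumber(address: ipaddress.IPv6Address, new_subnet: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """Keep the host's fixed 64-bit interface identifier, swap in the new /64 prefix."""
    if new_subnet.prefixlen != 64:
        raise ValueError("target must be a /64")
    iid = int(address) & ((1 << 64) - 1)
    return ipaddress.IPv6Address(int(new_subnet.network_address) | iid)


if __name__ == "__main__":
    # Constructed: the /56 from the question, a stand-in for the next prefix the provider
    # hands out, a sample MAC for the ULA seed, and interface ID ::60 for the webserver.
    old = ipaddress.IPv6Network("2003:e4:ffff:ffff::/56", strict=False)
    new = ipaddress.IPv6Network("2003:e4:abcd:ab00::/56")
    web = renumber(ipaddress.IPv6Address("::60"), subnet(old, 1))
    print("ULA for internal services:", generate_ula_prefix(eui64_from_mac("00:11:22:33:44:55")))
    print("webserver today:", web, "-> after prefix change:", renumber(web, subnet(new, 1)))
```

Only the interface identifier is stable across a prefix change; everything that embeds the global prefix (DNS AAAA records, firewall rules, the router's dynamic-DNS update) has to be regenerated from the new /64s, which is the answerers' argument for asking the provider for a static prefix.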