
Tunneling IPv6 with Ubuntu Linux Behind NAT? Why Not...


Source from WIKI:

An IP tunnel is an Internet Protocol (IP) network communications channel between two networks. It is used to transport another network protocol by encapsulation of its packets. IP tunnels are often used for connecting two disjoint IP networks that don’t have a native routing path to each other, via an underlying routable protocol across an intermediate transport network. In conjunction with the IPsec protocol they may be used to create a virtual private network between two or more private networks across a public network such as the Internet. Another prominent use is to connect islands of IPv6 installations across the IPv4 Internet.

 

IP tunnelling encapsulation

In IP tunnelling, every IP packet, including addressing information of its source and destination IP networks, is encapsulated within another packet format native to the transit network. At the borders between the source network and the transit network, as well as the transit network and the destination network, gateways are used that establish the end-points of the IP tunnel across the transit network. Thus, the IP tunnel endpoints become native IP routers that establish a standard IP route between the source and destination networks. Packets traversing these end-points from the transit network are stripped from their transit frame format headers and trailers used in the tunnelling protocol and thus converted into native IP format and injected into the IP stack of the tunnel endpoints. In addition, any other protocol encapsulations used during transit, such as IPsec or Transport Layer Security, are removed. IP in IP, sometimes called ipencap, is an example of IP encapsulation within IP and is described in RFC 2003. Other variants of the IP-in-IP variety are IPv6-in-IPv4 (6in4) and IPv4-in-IPv6 (4in6). IP tunneling often bypasses simple firewall rules transparently since the specific nature and addressing of the original datagrams are hidden. Content-control software is usually required to block IP tunnels.

I excerpted the text above from the WIKI explanation of IP tunnels, which gives a general picture of the IP tunnel concept. In a previous post I wrote about how to implement the 6to4 method to build an IPv6 network even without owning an IPv6 block: https://gigihfordanama.wordpress.com/2011/03/30/mencoba-sixxs-org-ipv6-gateway/. In the scheme described in that post, the server was connected directly to the global IPv4 Internet and ran FreeBSD 8.0. Now we will experiment with what happens when the server that will act as the tunneling server sits behind NAT, that is, uses a private IP address. Let's look at the case I tested, with the following topology:

[(DMZ FIREWALL SERVER, PUBLIC IP, OS FREEBSD) / NOC ROOM] ---> [FACULTY ROUTER] ---> [DEPARTMENT ROUTER]

202.43.189.222 --- 192.168.170.254 --- 192.168.170.211

What needs to be done:

  1. Set a rule on the FreeBSD firewall using a bidirectional NAT configuration in the BSD packet filter (because I didn't want the headache). Example line in /etc/pf.conf:

    binat on $eIF from 192.168.170.211 to any -> 202.43.189.222

     Why did I choose binat? Because I map the public IP to 192.168.170.211 in both directions and without any filtering at all. Strictly speaking, all that is needed to open the tunnel service is to pass protocol 41 through to the destination. But because I also need the mapping for other things, the firewall was left wide open like a toll road. 😀
  2. That is all; what remains is to verify that traffic from behind the NAT can get out:

    elektro@elektro-desktop:~$ ifconfig
    eth0      Link encap:Ethernet  HWaddr d4:85:64:cc:58:23
              inet addr:192.168.170.211  Bcast:192.168.170.255
    elektro@elektro-desktop:~$ tracepath www.google.com
    1:  elektro-desktop.local (192.168.170.211)                0.207ms pmtu 1500
    1:  192.168.170.254 (192.168.170.254)                      1.032ms
    1:  192.168.170.254 (192.168.170.254)                      1.028ms
    2:  192.168.1.245 (192.168.1.245)                          1.054ms
    3:  202.43.189.193 (202.43.189.193)                       10.047ms
    4:  v450.0-2-0.m7i-cyb-jkt.moratelindo.co.id (202.43.177.38)  11.356ms asymm  5
    5:  no reply
  3. Open http://tunnelbroker.net, register an account and create your tunnel.

Assume we have already created a Standard Tunnel for a LINUX server as follows:

IPv6 Tunnel Endpoints
Server IPv4 address: 66.220.18.42
Server IPv6 address: 2001:470:c:fad::1/64
Client IPv4 address: 202.43.189.222
Client IPv6 address: 2001:470:c:fad::2/64
Available DNS Resolvers
Anycasted IPv6 Caching Nameserver: 2001:470:20::2
Anycasted IPv4 Caching Nameserver: 74.82.42.42
Routed IPv6 Prefixes and rDNS Delegations
Routed /48: Allocate /48
Routed /64: 2001:470:d:fad::/64
RDNS Delegation NS1: none
RDNS Delegation NS2: none
RDNS Delegation NS3: none
RDNS Delegation NS4: none
RDNS Delegation NS5: none

Run the following commands on the UBUNTU server:

root@elektro-desktop:~# ifconfig sit0 up
root@elektro-desktop:~# ifconfig sit0 inet6 tunnel ::66.220.18.42
root@elektro-desktop:~# ifconfig sit1 up
root@elektro-desktop:~# ifconfig sit1 inet6 add 2001:470:c:fad::2/64
root@elektro-desktop:~# route -A inet6 add ::/0 dev sit1

elektro@elektro-desktop:~$ ifconfig | more
eth0 Link encap:Ethernet  HWaddr d4:85:64:cc:58:23
inet addr:192.168.170.211  Bcast:192.168.170.255
inet6 addr: fe80::d685:64ff:fecc:5823/64 Scope:Link
sit0 Link encap:IPv6-in-IPv4
inet6 addr: ::192.168.170.211/96 Scope:Compat
sit1 Link encap:IPv6-in-IPv4
inet6 addr: fe80::c0a8:aad3/64 Scope:Link
inet6 addr: 2001:470:c:fad::2/64 Scope:Global
UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1

Now it is time to test whether we are connected to the global IPv6 Internet.

elektro@elektro-desktop:~$ traceroute6 ipv6.google.com
traceroute to ipv6.l.google.com (2404:6800:8005::63) from 2001:470:c:fad::2, 30 hops max, 16 byte packets
1  gigih-3.tunnel.tserv15.lax1.ipv6.he.net (2001:470:c:fad::1)  223.223 ms  219.829 ms  223.712 ms
2  gige-g4-6.core1.lax1.he.net (2001:470:0:9d::1)  224.223 ms  222.781 ms  225.222 ms
3  PR01.LAX03.google.com (2001:504:0:3:0:1:5169:1)  217.1 ms  216.284 ms  218.688 ms
4  2001:4860::1:0:29b3 (2001:4860::1:0:29b3)  213.107 ms  236.103 ms  218.032 ms
5  2001:4860::8:0:2996 (2001:4860::8:0:2996)  214.927 ms  215.271 ms  215.478 ms
6  2001:4860::1:0:47 (2001:4860::1:0:47)  365.876 ms  371.901 ms  365.403 ms
7  2001:4860::1:0:1063 (2001:4860::1:0:1063)  368.063 ms  370.267 ms  436.043 ms
8  2001:4860::2:0:119b (2001:4860::2:0:119b)  372.152 ms  378.474 ms  365.889 ms
9  2001:4860:0:1::e1 (2001:4860:0:1::e1)  369.283 ms  374.321 ms  378.08 ms
10  2404:6800:8005::63 (2404:6800:8005::63)  368.253 ms  369.438 ms  368.415 ms
elektro@elektro-desktop:~$ traceroute6 www.itb.ac.id
traceroute to www.itb.ac.id (2403:8000:1:76::146) from 2001:470:c:fad::2, 30 hops max, 16 byte packets
1  gigih-3.tunnel.tserv15.lax1.ipv6.he.net (2001:470:c:fad::1)  223.472 ms  223.143 ms  220.389 ms
2  * gige-g4-6.core1.lax1.he.net (2001:470:0:9d::1)  226.155 ms  217.203 ms
3  gige-g3-18.core1.hkg1.he.net (2001:470:0:16b::2)  375.667 ms  375.167 ms  372.305 ms
4  gige-g0-1.tserv19.hkg1.ipv6.he.net (2001:470:0:b8::2)  372.522 ms  376.242 ms  372.575 ms
5  affanzbasalamah-1-pt.tunnel.tserv19.hkg1.ipv6.he.net (2001:470:17:72::2)  428.956 ms  431.524 ms  427.849 ms
6  2001:d30:3::2303 (2001:d30:3::2303)  430.581 ms  431.541 ms  429.666 ms
7  * *^C

elektro@elektro-desktop:~$ traceroute6 www.v6.facebook.com
traceroute to www.v6.facebook.com (2620:0:1cfe:face:b00c::3) from 2001:470:c:fad::2, 30 hops max, 16 byte packets
1  gigih-3.tunnel.tserv15.lax1.ipv6.he.net (2001:470:c:fad::1)  221.508 ms  222.894 ms  221.717 ms
2  gige-g4-6.core1.lax1.he.net (2001:470:0:9d::1)  218.369 ms  217.917 ms  219.098 ms
3  10gigabitethernet2-2.core1.fmt2.he.net (2001:470:0:18d::1)  225.671 ms  224.228 ms  224.639 ms
4  10gigabitethernet1-1.core1.sjc2.he.net (2001:470:0:31::2)  249.272 ms  225.826 ms  224.337 ms
5  facebook.gige-g5-9.core1.sjc2.he.net (2001:470:0:14a::2)  224.035 ms  227.453 ms  225.069 ms
6  *^C

Now that we are connected, all that remains is to distribute those IPv6 addresses as needed.

Good luck trying it out,

Quote of the day: Allah is with those who are patient (Are we among the patient????)
