Miscreants in Action

Wednesday, September 3, 2025

So, you want to try IPv6?

I decided I should build an access router using VyOS 1.4.3. I thought you might like the journey.

I drew a lot of useful config snippets and inspiration from https://blog.daknob.net/ipv6-first-with-vyos/. Make sure you take a look at their posts.

I recently brought an Xfinity Now! connection into my house. It runs a bit over 100M/20M, so qualifies as broadband according to the lastest definition from the FCC here in the USA. At $30/month, it's pretty cheap.

My primary connection is with a WISP that I work for on/off, and we use the link to test new configurations, etc. So this Xfinity link is a backup for the times when I break the primary connection.

Knowing that Xfinity does a good job with IPv6, I thought I'd build up soemthing to show:

a VyOS config so people can implement it themselves if they want
the use of a management VRF
integrated recursive DNS (you don't need external resolvers who sell your data)
dual-stack IPv4 and IPv6 capabilities
IPv6 only with some IPv4 transition
use of IPv6 ULA for local services (DNS in this case)

Here's a diagram of the network that built up:

You'll note four interfaces in use:

eth0 -- a VRF used only for managment
eth1 -- our WAN connection to Xfinity
eth2 -- a dual-stack LAN
eth3 -- an IPv6-only LAN with DNS64/NAT64

I'm likely to add more LANs to this configuration as I go. In particular, I want a reference network using NAT66, but for now we'll live with the examples above.

First, I built up a management interface (eth0) that sits in its own VRF, then built up what you'd expect for an IPv4 environment.

#
# Build the VRF
set vrf name Mgmt table '101'
#
#setup the interface, and put it into the VRF
set interfaces ethernet eth0 address '198.51.100.11/24'
set interfaces ethernet eth0 description 'Management'
set interfaces ethernet eth0 vrf 'Mgmt'
#
# Make sure the VRF has a default route
set vrf name Mgmt protocols static route 0.0.0.0/0 next-hop 198.51.100.1 distance '200'
#
# make ssh works inside the VRF rather than in the data plane of the router
set service ssh vrf 'Mgmt'
#
# setup the WAN link
set interfaces ethernet eth1 description 'Xfinity WAN'
set interfaces ethernet eth1 address 'dhcp'
#
# setup the LAN link
set interfaces ethernet eth2 description 'LAN'
set interfaces ethernet eth2 address '192.0.2.1/24'
#
# Setup a DHCP pool for the LAN
set service dhcp-server listen-address '192.0.2.1'
set service dhcp-server shared-network-name Xfinity-Dual-Stack authoritative
set service dhcp-server shared-network-name Xfinity-Dual-Stack subnet 192.0.2.0/24 default-router '192.0.2.1'
set service dhcp-server shared-network-name Xfinity-Dual-Stack subnet 192.0.2.0/24 lease '3600'
set service dhcp-server shared-network-name Xfinity-Dual-Stack subnet 192.0.2.0/24 range 0 start '192.0.2.101'
set service dhcp-server shared-network-name Xfinity-Dual-Stack subnet 192.0.2.0/24 range 0 stop '192.0.2.200'
#
# setup NAT masquarade for the LAN
set nat source rule 100 outbound-interface name 'eth1'
set nat source rule 100 source address '192.0.2.0/24'
set nat source rule 100 translation address 'masquerade'
#
# Setup a recursive DNS server, and let it cache 10000 names
set service dns forwarding allow-from '192.0.2.0/24'
set service dns forwarding dnssec 'validate'
set service dns forwarding listen-address '127.0.0.1'
set service dns forwarding listen-address '192.0.2.1'
set service dns forwarding cache-size '10000'
#
# Make sure the dhcp-server hands out this information
set service dhcp-server shared-network-name Xfinity-Dual-Stack name-server '192.0.2.1'

Cool! Now we have IPv4 connecvitiy. Most people stop here!

Why stop with leagcy protocols? Xfinity will give us the ability to run IPv6 too!

It don't cost nuthin'

#
# First, we get an address from the provider via SLAAC.
set interfaces ethernet eth1 ipv6 address autoconf
#
# Next, we request a /56 as PD #1  (Xifiniy will only give us a /60,
# but I can dream, right?)
set interfaces ethernet eth1 dhcpv6-options pd 1 length '56'
#
# Now, we tell VyOS to build up the IPv6 address for eth2 based on the
# IA-PD we received on eth1.  It gets built up in the form:
#        [prefix]:[sla-id]:[address]
set interfaces ethernet eth1 dhcpv6-options pd 1 interface eth2 sla-id '0'
set interfaces ethernet eth1 dhcpv6-options pd 1 interface eth2 address '1'

Now the router has a dynamic address based on what our provider sends us.

Our LAN clients can build their own network addresses via SLAAC if we start router advertisements on eth2:

#
# advertise all the prefixes on the interface
set service router-advert interface eth2 prefix ::/64

At this point, anyone on eth2 has dual-stack capability, but only the IPv4 folks have DNS resolution. We have a DNS resolver running on the VyOS host, but for IPv4, it is using non-unique addresses for local communication. This local addressing is NATted before leaving the local network.

(I'm publishing this using the addresses assigned for test/examples as defined in RFC5735. You might want to substitue addresses from RFC1918 if you follow this config.)

Our IPv6 setup has dynamically assigned unique addressing. We don't have any means to setup the DNS server to listen on those addresses, becasue we don't know them!

To address this situation, we're going to utilize IPv6 ULA addresses. This block of space is defined in RFC4193, and has similar use to the IPv4 addresses defined in RFC1918.

IPv6 has an example network (2001:db8::/32), but there is not clear ULA space set aside for examples. In this config, I'm going to use fd89:73ab:e943::/48. You should generate your own prefix based on RFC4193.

At the time of this writing, there is a site that will generate a prefix for you: https://www.unique-local-ipv6.com/

Another important note at this point. We are going to have both GUA and ULA addresses on the LAN hosts. The use of mutlitple addresses on an IPv6 host is expected, but sometimes feels a bit strange to folks habituated to IPv4.

We're using fd89:73ab:e943::/48 for our ULA block, but this LAN will be using fd89:73ab:e943:2::/64.

#
# anchor the router in the ULA space, by giving it a loopback address in that space
set interfaces loopback lo address 'fd89:73ab:e943::1/128'
#
#  Assign a static ULA address to the interface (and point out we're dual-stack!)
set interfaces ethernet eth2 address 'fd89:73ab:e943:2::1/64'
set interfaces ethernet eth2 description 'dual-stack LAN'
#
# Tell the LAN hosts that they should generate SLACC addresses with this ULA block
#    (this isn't actually neeed, because we did it earlier with ::/64, but
#     leaving things this explicit might help someone trying to reason this out)
set service router-advert interface eth2 prefix fd89:73ab:e943:2::/64
#
# Start advertising the DNS server via RA
set service router-advert interface eth2 name-server 'fd89:73ab:e943:2::1'

At this point, we have a LAN that has dual-stack capabilities!

IPv4 address and DNS server information are delivered via DHCP. IPv6 hosts will hear RAs instructing them to generate their owan addgesses (both GUA and ULA). Those RAs will also indicate the DNS server address as well.

In IPv4, a side effect of NAT denies inbound connections. We can deny inbound IPv6 connections in a similar fashion with a stateful firewall. One example follows:

#
# build a stateful firewall so inbound connections are denied
set firewall group interface-group LAN interface 'eth2'
set firewall group interface-group WAN interface 'eth1'
set firewall ipv6 forward filter default-action 'drop'
set firewall ipv6 forward filter rule 10 action 'accept'
set firewall ipv6 forward filter rule 10 state 'established'
set firewall ipv6 forward filter rule 10 state 'related'
set firewall ipv6 forward filter rule 20 action 'accept'
set firewall ipv6 forward filter rule 20 protocol 'ipv6-icmp'
set firewall ipv6 forward filter rule 30 action 'accept'
set firewall ipv6 forward filter rule 30 inbound-interface group 'LAN'
set firewall ipv6 forward filter rule 90 action 'drop'
set firewall ipv6 forward filter rule 90 inbound-interface group 'WAN'

Now, we'll setup the final LAN as an IPv6 only network:

#
# setup our static ULA assignement for eth3
set interfaces ethernet eth3 description 'IPv6 only - NAT64'
set interfaces ethernet eth3 address 'fd89:73ab:e943:3::1/64'
#
# add our dynamic allocation as well for GUA
set interfaces ethernet eth1 dhcpv6-options pd 1 interface eth3 address '1'
set interfaces ethernet eth1 dhcpv6-options pd 1 interface eth3 sla-id '1'
#
# Setup RA for this LAN (we'll trust the "prefix ::/64" to advertise both GUA and ULA
set service router-advert interface eth3 prefix ::/64
set service router-advert interface eth3 name-server 'fd89:73ab:e943:3::1'
#
# Tell the DNS server that it's ok to listen to the new LAN
set service dns forwarding listen-address 'fd89:73ab:e943:3::1'

We now have a working IPv6-only LAN!

With a little bit more of configuration, we can take advantage of a pair of IPv6 transtition technologies referred to as DNS64/NAT64. I'll leave deeper study to the casual reader, but a quick overview of this is:

DNS64 -- In cases of host that have A records, but no AAAA records, we'll synthesize a AAAA that uses a special IPv6 prefix
NAT64 -- Whenever the special prefix is used, we'll NAT from IPv6 to IPv4 to proxy the service requested

In this case, we're going to use the default IPv6 DNS64 prefix: 64:ff9b::/96

Let's say you want to connect to example.com which has an A record for 192.0.2.123. The DNS transaction will look like:

you request an AAAA record from the DNS server (you're IPv6 only, remember?)
the DNS server will note that no AAAA is published, but there is an A record
the DNS servie will create an AAAA record based on the A record, and return it to you

In essence, the DNS serve will LIE to you. The AAAA record in this case would be: 64:ff9b::192.0.2.123

When you iniate a connection to anything within the 64:ff9b::/96 prefix, the router will undertand that it needs to proxy an IPv4 connection to the appropriate host.

Although not strictly needed, RFC8781 also points out good reasons to let the LAN hosts know the NAT64 prefix.

The VyOS config is rather short for all of this:

#
# tell the DNS server we're going to do DNS64
set service dns forwarding dns64-prefix '64:ff9b::/96'
#
# tell the router to do NAT64
set nat64 source rule 1 source prefix '64:ff9b::/96'
#
# use RAs to tell the LAN hosts the NAT64 prefix
set service router-advert interface eth3 nat64prefix 64:ff9b::/96
#
# add this LAN to the stateful firewall setup
set firewall group interface-group LAN interface 'eth3'

At this point, there are two working LANs:

eth2 -- dual stack IPv4/6
eth3 -- IPv6 only with DNS64/NAT64

I'll probably add a few more LANs before I'm done to document other IPv6 transitional technologies. For now, I'm pretty happy with this setup.

As I started to publish this, I realized that the router itself didn't have DNS services! I decided that it should use it's own recursion and use IPv6 for all queries, so add this:

#
# allow queries from the loopback
set service dns forwarding listen-address '::1'
#
# send queries to the loopback
set system name-server '::1'

Monday, February 26, 2024

Where are the rants?

I need to apologize. I started this as a place to rant. It hasn't turned out that way.

At first, I wasn't happy about the state of our government, and I wanted to proclaim ideas that I thought would help. I didn't think they'd get anywhere, but I wanted to make sure they were published. I'm still not happy about all aspects of our government, but at least I can point to some of my early posts and say, "See? I tried to give you some options!"

Since then, I've published things that stuck me as interesting or fun.

But I think I need to rant more...

Friday, November 10, 2023

Edge Computing (or something)

A little over a month ago (October 4/5, 2023 if you're reading this in the far future), I was invited to be a delegate at Gestalt IT's second Edge Field Day (#EFD2). I'd participated in a couple of earlier Field Days, so I knew the format: Vendors would present information to a group of technical folks and discussion would ensue.

At the moment, the core of my consulting work lies in helping a WISP with networking issues, and giving technical advice to the State of New Mexico's Office of Broadband Expansion and Access. Also, I run the ABQIX, an Internet Exchange in multiple data centers in Albuquerque, New Mexico.

I don't really design/implement things that I think of as "Edge Computing," so I wasn't really sure what value I would add. But I knew I'd learn a lot, and am old enough that I'm willing to ask questions that others might feel are obvious without getting embarrassed. Also, I figured I'd be able to add comic relief if nothing else to the fray.

On site, we had a roundtable discussion with all of the delegates to talk about Edge Computing. In the end, we talked about a number of issues important to IT workloads, security, and many other points. But I was still fuzzy on Edge Computing.

Next up was a presentation from Solidigm. Their presentation showcased their SSD products. They've got everything: speed, reliability, physical form, rugged packaging, storage density. At the end of their presentation, I was convinced that if I was an OEM, I'd be considering the use of their gear. But I'm not sure I knew a lot more about Edge Computing.

We then heard from StorMagic. They showed us their SvSAN product which was quite cool. Running on top of hypervisors, you can scale the underlying hardware to create the performance level you need. They also have some cool tools for managing these storage devices as you scale -- in fact, they let us see their Edge Control tool before releasing info publically. I was starting to wonder if Edge Computing was really about storage...

Edge Field Day #2 ended with an introduction to NodeWeaver. I know I didn't grok this product, but it spoke to me. A slim hypervisor with a slick install system that lets you build (yet another) hyperconverged platform. A compute and storage swiss-army knife that runs on virtually any x86 hardware, so you can mix/match to meet your performance needs -- just want you need for Edge Computing. Right?

I went home from Edge Field Day with a heavy heart. I seriously wondering if I'd been worth anyone's time. We had good talks on technology with great people, but I still wasn't sure what Edge Computing was.

On October 20, David Linthicum published an article titled "Whatever Happened to Edge Computing?" The title made me wonder if I could stop worrying about Edge Computing because I'd already missed the boat. (Actually my take on David's thoughts indicate that Edge Computing is alive and well -- but the wealth of possible applications make it difficult to define meaningful standards.)

After the last few weeks, I've decided that I'll define Edge Computing for myself until someone can get me a better definition. To wit:

Edge Computing is a optimization strategy that involves distributed computing.

Or something.

At least it isn't the typical consultant weasel words: "It depends."

Postscript:

Thanks go out to Gestalt IT, Solidigm, StorMagic, and NodeWeaver to making things rattle around my head for a couple of weeks. I didn't realize how much this was bothering me until this article started to flow. My conclusion is overly broad -- but so the the term I tried to define.

David Linthicum gets credit for writing an article that helped me gel my thoughts.

Tuesday, January 17, 2023

An Old Sysadmin Tries Out ChatGPT

(Editorial note: Pretend this post is a Star Trek episode with folks spouting techno-babble, use the words as place holders, and feel the flow of the story...)

A while back, I built some anycasting DNS resolvers using bind on a loopback, and FRR talking OSPF to a router. I finally decided I should hammer together a script to turn off FRR if there was something wrong with the bind process so the servers would pull themselves out of service.

Why not try this new ChatGPT thingee?

I won't bore you with the code that was created, but you'll see my thoughts, and the input I gave to ChatGPT as I worked through this problem until... the end?

The Ramp Room

If you've ever spent time doing telecommunication work in Albuquerque, NM, the odds are you've had to work at 505 Marquette NW. If you're local, you just talk about "505" and everyone knows what you mean.

505 was built during 1965 and 1966, and isn't a bad looking place, but it is showing it's age. Wikipedia quotes a July 10, 1966 Albuquerque Journal article: "It has twelve floors of office space above a wider six-story base which incorporates a parking garage on floors 2–6." The Wikipedia article has this picture:

Now that Albuquerque has become a center for shooting TV and Movie productions, you will sometimes see this building in the background. Perhaps my favorite is from the Netflix series Daybreak where the building gets an FX makeover to fit the apocalyptic theme of the show:

I can't find a picture on the interwebs, so you have to settle for the one I took while watching Daybreak on Netflix. Note: Palm trees, background hills, and building damage are all simulated. I do, however, get my home Internet connectivity from the antenna on the roof.

Did you note that the parking garage was on floors two through six? That means you have to drive up a ramp to get to the parking levels. This architectural need has lead to one of Albuqueruque's telecom black holes known as the Ramp Room.

To enter the Ramp Room, you need to get the the garage ramp, where air conditioning condensers congregate to release the heat of the inner building. In between the first and second floors you'll find a non-descript door:

Upon opening the door, you'll find that it immediately blocks your way. It feels like you aren't really welcome, but you move forward anyway...

...And end up in a narrow hallway.

Behind the door at the end of the hall way you immediately see a rack of batteries that were put in twenty years ago and never maintained.

One step into the room and you can see the building punch downs -- the metallic path over which the business conversations from fifty years ago used to pulse. Yet there is also a veneer of modern fiber optic communications that reside here as well. In fact, they are the mainstay of the Ramp Room.

In every city, there is a nexus of communication that isn't ensconced in a pristine data center. A place where various players gather. But not because they really want to do so. Rather, their customers demand they work together.

The path of least resistance nets small, out-of-the-way rooms where fiber optics from multiple carriers co-exist. A place that isn't official, but becomes important.

Some players have been around for a long time. They've been sold, bought others, been forced to divest assets, and any number of other acquisition issues. Sometimes you forget what they're called now, and just refer to them by their "old" names. After a while it you stop worrying about what to call them.

They have, and will persist.

Other are younger. More nimble. Willing to do things out of the ordinary, and force the old guard to play their way.

For a time.

They will become the old guard for a new generation.

Years roll on, and old gear is left in rooms like this. Forgotten. Useless technology from the past interwoven with the modern.

Old gear isn't ever removed. It sits and drinks power from the building.

No one owns it, so no one cleans it.

Everyone is afraid to shut anything off. Few know how to tell if something is still in use or not.

Within this building are a multitude of other places to interconnect -- but none have the diversity of the Ramp Room.

Friday, January 22, 2021

ModemCast -- a podcast

I tend to babble a lot. Sometimes I find people that babble about some of the same things. My friend Nick has talked me into helping him babble as well. His take on things is here:
https://forwardingplane.net/2021/01/21/modemcast-podcast/

You might even enjoy some of our mutual babbling:
https://www.modem.show/

If you find it to your liking, do not blame me.

Sunday, May 26, 2019

Joe's Internet -- an IGP adventure

Before we can setup inter-network links, Joe's Internet (J-Inet) need to get the internal network in order. We'll implement an Internal Gateway Protocol (IGP) so all of our infrastructure will be able communicate with other parts of our network.

The IGP's job is to advertise what it knows to all of it's neighbors. If there are multiple paths to a destination, it will pick the best of those available, and pick alternates in case of a path failure. The IGP ensures communication resiliency as long as there are redundant paths.

Quick network overview

We're going to make sure each router has a single IP address on a "loopback" interface. Loopbacks give you a management interface on the router that is not dependant upon any given interconnection link's state. As long as the IGP is running properly, every router will know how to get to every other router via their loopback regardless of what path is in use.

Our infrastructure addressing is going to include the networks that interconnect the routers, and the loopback addresses on each router:

J-Inet's IGP Map. Click on it for more detail.

IGP by psuedo-code

No matter the platform, we have a few things we need to do to ensure our goal. Those steps come down to:

setup loopback interface address
set global IGP parameters
get IGP to adopt the loopback
for each infrastructure link (one or more)

setup interface address
get IGP to adopt the interface

Pretty simple, really. We're going to use OSPF in this example. I'll assume a passing familiarity with OSPF, and just point out that we will only be using Area 0. There's no reason to do things in a fashion more complicated than a single area. (If that doesn't make sense, find some background material on OSPF, and come back.)

Also, we're going to pretend these routers run something that looks a lot like Cisco IOS from a syntax standpoint. Take a look at a config for routers R1 and R2:

! Router R1
!
! global IGP parameters
router ospf 1
router-id 192.168.92.1
! setup loopback, and add to IGP
interface Loopback20
ip address 192.168.92.1 255.255.255.255
ip ospf 1 area 0
! setup infrastructure link, and add to IGP
interface ether 1
description Link to R2
ip address 192.168.92.129 255.255.255.252
ip ospf 1 area 0
! setup infrastructure link, and add to IGP
interface ether 2
description Link to R3
ip address 192.168.92.137 255.255.255.252
ip ospf 1 area 0

! Router R2
!
! global IGP parameters
router ospf 1
router-id 192.168.92.2
! setup loopback, and add to IGP
interface Loopback20
ip address 192.168.92.2 255.255.255.255
ip ospf 1 area 0
! setup infrastructure link, and add to IGP
interface ether 1
description Link to R1
ip address 192.168.92.130 255.255.255.252
ip ospf 1 area 0
! setup infrastructure link, and add to IGP
interface ether 2
description Link to R3
ip address 192.168.92.149 255.255.255.252
ip ospf 1 area 0
! setup infrastructure link, and add to IGP
interface ether 3
description Link to R3
ip address 192.168.92.145 255.255.255.252
ip ospf 1 area 0

I will leave the construction of configs for routers R3 and R4 to our readers.

While your setting things up on a Cisco router, you will find the following commands useful to help you track your progress:

show ip ospf neighbor
show ip route
show ip route ospf

Adding Complications to the IGP setup

Most of the time, I tell people to stick to the simplest setup they can. The configs above should let you build a simple IGP to keep your network running. However, there are some things you may encounter that require a bit more thought into your setup and will force your to consult your platform's documentation. A couple of the more common issues and a method to use them are:

password / encryption / message-digest for IGP on links
link type (point-to-point vs. point-to-multipoint, etc.)
changing link metrics

Consult your platform documentation, but to implement the above features, we could have added something like the following to our configs:

router ospf 1
area 0 authentication message-digest
auto-cost reference-bandwidth 10000
!
interface ether-whatever
ip ospf network point-to-point
ip ospf message-digest-key 1 md5 <some key/password>

Conclusion

All of our routers now know how to reach each other because the IGP keeps them all informed. If we add new routers, we simply need to add them into the IGP, and they will be added to the reachability information that all of the routers share.

Our eventual goal is to ensure that the customers share this type of reachability. To do that, we will use BGP to leverage the IGP information for anything else we need to reach on this network. That will be the subject of the next episode of J-Inet...