Franky's Web

Active Directory: IPv6 / Fritzbox / Sophos UTM / Domain Controller

Foreword

IPv6 has not been one of my strengths so far. Like many others, I've probably put the topic of IPv6 on the back burner: "I'll take a look at it when it's established..."

Well, it has become established and has been for some time. IPv4 will be replaced by IPv6, that much is certain. So it's about time I switched my private network to IPv6.

I have now converted part of my network, and the following article describes my first steps. It is therefore not a how-to, but it does show one of several possible approaches for small networks.

The article describes my configuration so far, but there is still a lot to do and a lot to learn, at least for me.

Environment

My environment is structured as follows:

The Internet connection is established via a Fritzbox. The Sophos UTM is connected to the Fritzbox as a firewall. The domain controller is connected to the Sophos UTM.

My provider has assigned me a /56 IPv6 network. The Fritzbox delegates a /62 subnet from this to the UTM. I would like to divide this /62 network behind the UTM into 4 x /64 networks. As already mentioned at the beginning, this first step only covers the stateless address autoconfiguration (SLAAC) introduced with IPv6. No DHCP server is required in this case, because the clients derive their IPv6 addresses themselves from the prefix the router announces.

Fritzbox

I had previously deactivated IPv6 on the Fritzbox, so IPv6 support must first be activated on the Fritzbox:

The relevant settings for the IPv6 addresses can then be made in the network settings of the Fritzbox:

Unique local addresses are not required in this case. The following settings are important so that the UTM can form the corresponding networks:

The settings are documented in the following two screenshots:

Once the Fritzbox has been configured for IPv6, we can continue with the Sophos UTM.

Sophos UTM

IPv6 is also activated on the Sophos UTM first:

The "Renumbering" feature is then activated:

IPv6 is now activated for the WAN interface of the UTM. The UTM receives the WAN address from the DHCPv6 server of the Fritzbox:

An IPv6 address should now already be visible for the WAN interface of the UTM:

A /62 network is now already visible in the IPv6 overview of the UTM:

I would now like to divide the /62 network into 4 /64 networks. I use the IPv6 Subnet Calculator for this:

Enter the delegated /62 network here and click on "4 network /64" to show the overview:

The individual /64 networks can now be displayed in the overview:

The 4 /64 networks are now displayed here:

I select the first address from the second subnet for the internal interface of the UTM. In this case it is 2003:a:867:39fd::1 (2003:a:867:39fd:0000:0000:0000:1). This address is now permanently assigned to the interface that is responsible for the domain controller's network. In my case, it is the interface with the name "Datacenter":

The new IPv6 network is now announced in the IPv6 settings of the UTM (prefix advertisement). The IP address of the domain controller, which is also the DNS server, is specified here as well so that it is distributed to the clients together with the prefix. The IPv6 address 2003:a:867:39fd::9 is assigned to the domain controller in the next step.

This completes the configuration of the UTM; finally, the domain controller, which also acts as the DNS server, is configured.

Domain Controller

The IPv6 address 2003:a:867:39fd::9, which was previously defined in the prefix announcement of the UTM, is now permanently assigned at the domain controller:

The domain controller should by now have registered its own IPv6 address (AAAA record) in DNS:

An IPv6 reverse lookup zone is now required.

The following dialogs can be confirmed with "Next". An IPv6 reverse lookup zone for the prefix 2003:a:867:39fd::/64 is created:
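As an added worked example (not code from the original article), the address arithmetic behind two of the steps above: splitting the /62 delegated by the Fritzbox into four /64 networks, picking the fixed addresses ::1 (UTM interface) and ::9 (domain controller) from the second subnet, and deriving the name of the ip6.arpa reverse lookup zone for that /64. It uses only Python's standard ipaddress module. The delegated prefix 2003:a:867:39fc::/62 is an assumption, reconstructed as the enclosing /62 of the 2003:a:867:39fd::/64 network the article uses; the article does not state it explicitly.

```python
import ipaddress

# Assumption: the /62 the Fritzbox delegates to the UTM. Reconstructed as the
# enclosing /62 of the article's 2003:a:867:39fd::/64; not stated on the page.
DELEGATED_PREFIX = "2003:a:867:39fc::/62"


def split_prefix(prefix: str, new_prefix_len: int = 64) -> list:
    """Divide a delegated IPv6 prefix into equally sized sub-networks.

    strict=True rejects a prefix whose host bits are not all zero, which
    catches a mistyped delegation before any interface is configured.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if new_prefix_len < net.prefixlen:
        raise ValueError("target prefix must be longer than the delegated prefix")
    return [str(sub) for sub in net.subnets(new_prefix=new_prefix_len)]


def host_in_subnet(subnet: str, host_id: int) -> str:
    """Build a fixed host address inside a subnet, e.g. ::1 or ::9."""
    net = ipaddress.IPv6Network(subnet, strict=True)
    if not 0 < host_id < net.num_addresses:
        raise ValueError("host id lies outside the subnet")
    return str(net.network_address + host_id)


def reverse_zone_name(subnet: str) -> str:
    """Name of the ip6.arpa reverse lookup zone covering a prefix.

    IPv6 reverse zones are nibble (4-bit) aligned, so a /62 cannot be
    expressed as a single zone; the four /64 networks each get their own.
    """
    net = ipaddress.IPv6Network(subnet, strict=True)
    if net.prefixlen % 4:
        raise ValueError("reverse zones need a nibble-aligned prefix length")
    hex_digits = net.network_address.exploded.replace(":", "")
    nibbles = hex_digits[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def reverse_record(address: str) -> str:
    """Owner name of the PTR record for a host address."""
    return ipaddress.IPv6Address(address).reverse_pointer


if __name__ == "__main__":
    subnets = split_prefix(DELEGATED_PREFIX)
    for index, subnet in enumerate(subnets, start=1):
        print(f"subnet {index}: {subnet}  reverse zone: {reverse_zone_name(subnet)}")
    dc_subnet = subnets[1]  # the article uses the second /64
    print("UTM interface:", host_in_subnet(dc_subnet, 1))
    dc_address = host_in_subnet(dc_subnet, 9)
    print("domain controller:", dc_address)
    print("PTR owner name:", reverse_record(dc_address))
```

The reverse zone name is worth checking against what the DNS server generates: for 2003:a:867:39fd::/64 it must read d.f.9.3.7.6.8.0.a.0.0.0.3.0.0.2.ip6.arpa, and the PTR name of any host in that network ends with exactly that suffix. A mismatch usually means the prefix was entered in the wizard with a wrong length.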

The DNS settings can now be checked:

And the connection via IPv6 should also work.

Other clients in the network now configure their IPv6 address themselves and use the domain controller as a DNS server.

Conclusion

Using IPv6 autoconfiguration, this setup has worked for me without any problems so far. The next step is a DHCPv6 server. But first I'm going to rebuild my private network. The Fritzbox is to be replaced by a pure VDSL modem:

DrayTek Vigor 130 Router (Gigabit Ethernet, ADSL2/2+)

The provider's IPv6 network would then be delegated directly to the UTM in future, rather than being subdivided by the Fritzbox first.
