Testbed Network for IPv6 Forum Training

The projects below build a complete dual stack testbed network to help in learning the material in the IPv6 Forum training. When you take an instructor-led class, the instructor has generally set up the infrastructure of a dual stack network for you, and you build projects within that network. When you study on your own, no such network has been set up for you. The advantage of this approach is that you learn a lot by setting up the infrastructure yourself, and when the class is over, you don't have to leave the network or your projects behind. You can keep working with them, and they can actually be the beginning of your real IPv6 deployment.

There are a number of ways you can build the testbed network depending on what you currently have available. It can be built with physical machines, or if you have a machine running VirtualBox with sufficient memory, you can build the entire network virtually.

Most of the nodes are built with open source software (m0n0wall, FreeBSD, Linux, Apache, Postfix, Dovecot, etc.). There is a commercial alternative to the open source m0n0wall dual stack firewall, called SolidGate, that you can download from this site and install on any compatible hardware or even in VirtualBox. You can get a 30-day evaluation license, and you can also buy 1-year or permanent licenses online from this site for extended usage. The cost is very reasonable compared to other commercial dual stack firewalls, while the functionality and usability are comparable to, and in some respects better than, available commercial units. If you don't want to buy this, or don't have the funds, the free open source m0n0wall firewall will be adequate for most purposes.

Some of the projects involve installing a pair of Microsoft Windows Server 2008 R2 nodes. This software is available commercially and via various Microsoft partner programs. You can also obtain a free evaluation copy of this from Microsoft (this runs only a limited time, but is sufficient for learning IPv6). See the Microsoft website for details. The Windows Server 2008 R2 operating system is widely used. The projects using it involve dual stack network configuration, plus deploying redundant dual stack DNS and DHCP servers and the IIS web server. You can deploy just one Windows Server, but of course you will not be able to configure redundancy on DNS or DHCP.

If you have Windows Server 2008 available, but not 2008 R2, this will work pretty much the same way. Do not try to use Windows Server 2003 (IPv6 support is not very good - Microsoft was just learning). You can use Windows Server 2012, but some of the steps may be a little different. I may do Windows Server 2012 versions of these projects later, if demand justifies it. Again, these nodes can be deployed on physical machines or in VirtualBox. I usually provide 4 GB of RAM for each virtual Windows Server.

If you don't have access to Windows Server, you can deploy DHCPv4 and DHCPv6 on either firewall, and just use external DNS servers. There are several places from which you can get hosted dual stack DNS service, and even configure authoritative IPv4 and IPv6 resource records. Contact Sixscape if you want to purchase commercial grade hosted dual stack DNS service from us, complete with web-based management (based in our colo).

If you have access to a working dual stack network (in a company or academic environment), you can build the testbed network as an interior subnet behind the dual stack firewall (m0n0wall or SolidGate). Either firewall can route IPv4 and IPv6 between an external dual stack network and an internal dual stack network. It doesn't matter how you got IPv6 into your external network (native, DS-Lite or various tunnel mechanisms); the firewall linking it to your internal subnet will be doing native dual stack forwarding. You can optionally deploy many of the projects (Windows 7 node, FreeBSD node, Linux node, web server, mail server, etc.) in the existing dual stack network. However, deploying DHCP in an existing subnet may conflict with existing infrastructure and cause problems. Also, you will have to use the IPv4 address block of the existing network, rather than the 172.21/16 address block used in the projects.

You will need to add two static routes in the border gateway of the external network (one to route the internal IPv4 address block to the WAN interface of the new gateway, and one to route the internal IPv6 address block to the WAN interface of the new gateway).

If you have a working IPv4-only network with at least one public IPv4 address, you can replace your existing firewall with m0n0wall or SolidGate (both are capable of replacing the router/firewall part of your CPE, including authentication with PPPoE). This may require putting your existing CPE into bridging mode (disabling its NAT gateway and DHCPv4 server). Consult your ISP for available options and assistance. Tell them you want to deploy a firewall on the LAN side of their CPE and need a public address on its WAN interface. In this case you can bring IPv6 into your existing network using a basic 6in4 tunnel with free service from Hurricane Electric, making it native dual stack. You could also obtain service via a 6to4 tunnel using m0n0wall, but 6in4 is better, and Hurricane Electric 6in4 tunneled service is easy to use and works very well.

If you have a working IPv4-only network with multiple public IPv4 addresses (common in commercial ISP accounts), and at least one is available, you can use an available public address for the WAN interface of your dual stack firewall, leaving the existing network unaffected. Consult with the administrator of your existing network for available options. This will require adding two static routes in the border gateway of the external network as before.

If you have a working IPv4-only network, but no public IPv4 addresses, you can do the same thing but use the TSP tunnel protocol, obtaining free or commercial IPv6 tunneled service from various sources, such as IPv6Now in Australia. Of the two firewalls covered, only SolidGate supports TSP tunneling. TSP works behind a NAT gateway.

If you have a working IPv4-only network, but no public IPv4 address, and access to 6rd service (perhaps from your ISP), you can do the same thing using the 6rd service. Of the two firewalls covered here, only SolidGate supports 6rd tunneled service. I do not know of any providers of free 6rd service currently. 6rd can be made to work behind a NAT gateway.

If you have a working IPv4-only network, but no public IPv4 address, you can do the same thing using the AYIYA protocol with free service from sixxs.com. Of the two firewalls covered here, only m0n0wall supports AYIYA tunneled service. AYIYA works behind a NAT gateway.

There is a list of providers of free IPv6 tunneled service here. If you are only deploying one subnet, you can make do with a single /64 block. If you are deploying an internal subnet behind a firewall, you will need one /64 block for the external subnet and a different /64 for the internal subnet. Both /64s must be within the IPv6 address block routed to the external gateway. You will also need a static route in the external gateway.
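The addressing rules above (two distinct /64s inside the routed IPv6 block) and the two static routes needed on the border gateway can be checked before any node is configured. The following is an added example, not part of the original training material: the function name check_plan is hypothetical, and every address except the 172.21/16 block is a constructed value taken from the documentation ranges.

```python
import ipaddress as ip

def check_plan(routed6, ext6, int6, ext4, int4, wan4, wan6):
    """Validate a testbed addressing plan (hypothetical helper).

    Returns (problems, routes). routes holds the two static routes the
    border gateway needs, as (destination, next hop) pairs, and is empty
    whenever the plan has a problem.
    """
    routed6, ext6, int6 = (ip.ip_network(n) for n in (routed6, ext6, int6))
    ext4, int4 = ip.ip_network(ext4), ip.ip_network(int4)
    wan4, wan6 = ip.ip_address(wan4), ip.ip_address(wan6)
    problems = []
    for name, net in (("external", ext6), ("internal", int6)):
        if net.prefixlen != 64:
            problems.append(f"{name} IPv6 subnet {net} is not a /64")
        if not net.subnet_of(routed6):
            problems.append(
                f"{name} IPv6 subnet {net} is outside routed block {routed6}")
    if ext6.overlaps(int6):
        problems.append("external and internal IPv6 subnets overlap")
    if ext4.overlaps(int4):
        problems.append("external and internal IPv4 blocks overlap")
    # The next hop of each static route is the firewall's WAN interface,
    # so it must be on-link in the external subnet.
    if wan4 not in ext4:
        problems.append(f"firewall WAN address {wan4} is not in {ext4}")
    if wan6 not in ext6:
        problems.append(f"firewall WAN address {wan6} is not in {ext6}")
    routes = [] if problems else [(str(int4), str(wan4)),
                                  (str(int6), str(wan6))]
    return problems, routes

# Constructed sample plan: documentation prefixes plus the 172.21/16
# internal block used in the projects.
SAMPLE_PLAN = dict(
    routed6="2001:db8:1234::/48",
    ext6="2001:db8:1234:1::/64", int6="2001:db8:1234:2::/64",
    ext4="192.0.2.0/24", int4="172.21.0.0/16",
    wan4="192.0.2.10", wan6="2001:db8:1234:1::10",
)

if __name__ == "__main__":
    problems, routes = check_plan(**SAMPLE_PLAN)
    for line in problems:
        print("PROBLEM:", line)
    for dest, hop in routes:
        print(f"static route: {dest} via {hop}")
```
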