Kernun UTM supports IPv6 since version 3.5. An example of an IPv6-enabled configuration can be found in the sample configuration file /usr/local/kernun/conf/samples/cml/ipv6.cml. It is a dual-stack configuration with IPv4 and IPv6 enabled in both the internal and the external network. Clients from the internal network can access HTTP and SSH servers in the external network. For a transparent (HTTP or SSH) proxy, the target server IP address is taken from the destination address of the client's connection; hence the same IP version is used by the client and the server. In the case of the non-transparent HTTP proxy, the target server name is passed by the client to the proxy in the request URI. The proxy resolves the name and establishes a connection to the server; hence an IPv4 client can access an IPv6 server and vice versa.
The configuration of network interfaces is depicted in Figure 5.110, “IPv6 interfaces”. There are three interfaces: LOOPBACK is the standard system loopback interface; INT and EXT are the internal and the external Ethernet interfaces, respectively. IPv6 support in Kernun UTM is enabled if at least one IPv6 address is assigned to any network interface in the configuration[47]. IPv6 addresses are defined by the ipv6 item. It is also possible to specify IPv6 aliases in the alias section. By default, Kernun UTM operates as an IPv6 router, but it does not send router advertisements. Router advertisements can be turned on, and their parameters set, for an interface in the ipv6-rtadv section.
Some global IPv6-related networking parameters are depicted in Figure 5.111, “IPv6 networking parameters”. The resolver section defines the name server address[48]. A single domain name can be resolved to an IPv4 or an IPv6 address. The preference item selects which resolved addresses will be used. There are four possibilities: use IPv4 and ignore IPv6, use IPv6 and ignore IPv4, use both and prefer IPv4, or use both and prefer IPv6. The last choice is used in the sample configuration. The default is to prefer IPv4. The routes section defines the default IPv4 and IPv6 routes. It is also possible to add static routes to IPv4 and IPv6 networks with the static item. The ipv6-router item enables or disables forwarding of IPv6 packets. IPv6 forwarding is enabled by default, so this item can be omitted. The ipv6-rtadv section defines default values for IPv6 router advertisements. These defaults can be overridden by an interface.ipv6-rtadv section. In the example configuration, router advertisements are configured so that they provide address and default route autoconfiguration, and DHCPv6 is not used.
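The two behaviours described above, the transparent proxy reusing the client's destination address versus the non-transparent proxy resolving a name and applying the resolver preference, can be modelled in a few lines. The following is an added illustration, not code from Kernun UTM: the DNS answers are constructed documentation values, and the four policy labels (ipv4-only, ipv6-only, prefer-ipv4, prefer-ipv6) are names chosen here for the four possibilities the text lists, not Kernun's own configuration keywords.

```python
from ipaddress import IPv4Address, ip_address
from typing import Dict, List, Optional

# Constructed stand-in for DNS A/AAAA answers; the names and addresses are
# made-up documentation values, not anything from a real resolver.
FAKE_DNS: Dict[str, List[str]] = {
    "dual.example.test": ["203.0.113.10", "2001:db8:1::10"],
    "v4only.example.test": ["203.0.113.20"],
    "v6only.example.test": ["2001:db8:1::30"],
}

# Labels for the four resolver preference policies the text describes. These
# labels are assumptions made for this example, not Kernun's own keywords.
PREFERENCES = ("ipv4-only", "ipv6-only", "prefer-ipv4", "prefer-ipv6")


def ip_version(addr: str) -> int:
    """Return 4 or 6 for a textual IP address."""
    return 4 if isinstance(ip_address(addr), IPv4Address) else 6


def order_addresses(resolved: List[str], preference: str) -> List[str]:
    """Filter and order resolved addresses according to one preference policy.

    ipv4-only / ipv6-only drop the other family entirely; prefer-ipv4 /
    prefer-ipv6 keep both families and put the preferred one first.
    """
    if preference not in PREFERENCES:
        raise ValueError(f"unknown preference {preference!r}")
    v4 = [a for a in resolved if ip_version(a) == 4]
    v6 = [a for a in resolved if ip_version(a) == 6]
    if preference == "ipv4-only":
        return v4
    if preference == "ipv6-only":
        return v6
    if preference == "prefer-ipv4":
        return v4 + v6
    return v6 + v4


def select_target(conn_dst: str, transparent: bool,
                  request_host: Optional[str] = None,
                  preference: str = "prefer-ipv4") -> Optional[str]:
    """Pick the server address a proxy connects to.

    Transparent mode: the target is the original destination of the client's
    connection, so the server side uses the client's IP version by construction.
    Non-transparent mode: the host name from the request URI is resolved and
    the preference policy decides which family is tried first. The default
    preference mirrors the text (prefer IPv4).
    """
    if transparent:
        return conn_dst
    if request_host is None:
        raise ValueError("non-transparent proxy needs the host name from the request URI")
    candidates = order_addresses(FAKE_DNS.get(request_host, []), preference)
    return candidates[0] if candidates else None


def crosses_ip_version(client_addr: str, server_addr: str) -> bool:
    """True when the proxy bridges IPv4 on one side to IPv6 on the other."""
    return ip_version(client_addr) != ip_version(server_addr)


if __name__ == "__main__":
    # IPv4 client, non-transparent HTTP proxy, IPv6-preferring resolver:
    # the server side ends up on IPv6 even though the client spoke IPv4.
    srv = select_target("203.0.113.1", False, "dual.example.test", "prefer-ipv6")
    print(srv, crosses_ip_version("192.0.2.5", srv))
    # Transparent proxy: the IPv6 destination stays IPv6.
    print(select_target("2001:db8:1::10", True))
```

Note that with ipv4-only or ipv6-only a name that has records only in the other family yields no candidate at all, which is the failure mode to expect when a single-family preference is combined with servers that are not dual-stacked.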
The sample IPv6 configuration contains HTTP and TCP proxies, depicted in Figure 5.112, “Proxies with IPv6 support”. Their configurations are similar to IPv4-only proxies. The only differences are IPv6 addresses in the listen-on items and in acl INTOK.
IPv6 addresses can be used in place of IPv4 addresses in many other places in the Kernun UTM configuration. It is possible to use other proxies for IPv6 communication, as well as to define IPv6 packet filter rules and IPv6 IPsec VPN connections. We do not show configurations of these components here, because they are essentially the same as the respective IPv4-only configurations. The DHCPv6 server is configured in the dhcp6-server section, in a way similar to the DHCPv4 server in the dhcp-server section. Fixed IPv6 addresses and AAAA DNS records can be defined by entries in the hosts-table section.
There are also some important differences and limitations of IPv6. The destination IPv6 address must not be set for a point-to-point network interface (TUN, GIF, GRE). The GRE network interface type does not support IPv6 tunnel addresses. OpenVPN cannot use IPv6 transport. The mac value of an IPv6 entry in the hosts-table is interpreted as the host's DUID.