O Hell Hello Internet
- Basic Configuration For An IPv4 / IPv6 SoHo Webserver
This is a simple guide intended to help people set up their own IPv6-ready home / SoHo webserver (with a single domain in this case), and to aid any who are continuously hitting a brick wall, so to speak, in their attempts to get help or advice on the forums. The setup used in this guide utilises the following, and assumes that the user is based in the UK:
Internet Service Provider broadband subscription *
Fedora box **
Draytek 2830n router ***
Block of 8 static IPv4 addresses ****
IPv6 /48 subnet

* this needs to be with a fully IPv6 compliant service (https://www.ispreview.co.uk/)
** a laptop with Fedora 27 Web Server Edition, in my case, configured with Custom and Standard Tools (command-line, not GUI)
*** or a business-class router with support for Multi-NAT / IP Aliasing (or equivalent) and IP Routed Subnet (or equivalent)
**** a block of 4 (a /30) may leave you short of required addresses [inf.]: once the network and broadcast addresses are excluded it has only two usable addresses, which is not enough for a gateway plus two nameserver addresses. These will need to be purchased via your ISP, and will usually involve a monthly cost. Note: re-sizing the allocation at a later date will usually result in being allocated different IP addresses.
This needs to be a fully IPv6 compliant router with the requirements detailed above, because the router will need to handle IPv4 and IPv6 independently in addition to allowing a second system to have direct (non-NAT) internet access. For anyone wanting to build a pure IPv6 webserver: whilst there is support for IPv6 in the UK, dedicated IPv6 infrastructure is still seriously lacking more than a decade after the IPv6 standard was introduced, and many ISPs still rely on dual-stack systems or disallow IPv6 connectivity altogether. The same applies to VPN services, almost none of which support IPv6, so a pure IPv6 webserver would leave many visitors unable to reach the website at all.
Avoid routers sold as home routers (it is unlikely that they will have the necessary functionality), and be wary of routers not sold for the UK market (some will have different firmwares and, by extension, different or additional features enabled). Draytek, Buffalo, and Cisco all sell routers suitable for business use (there are also DD-WRT firmware releases for some Buffalo routers), and emulators are available for both Draytek and Cisco routers (I have only been able to find the Cisco emulators via broadbandbuyer.com, but the Draytek emulators can be found here: https://www.draytek.com/en/products/live-web-demo/).
Multi-NAT / IP Aliasing, or the equivalent, is necessary for the router to handle multiple IPv4 addresses without recourse to NAT. In simple terms, in a pure NAT (Network Address Translation) environment the router serves one public address only: it will accept additional IPv4 addresses, but there will still be only one address in use, with NAT processing all connections through that one address. Obviously, this is not suitable for webserver use unless you are happy to have all your internet traffic [personal or otherwise, including your domain IP address(es)] using the same IP address and, indeed, this would only be possible if that one IP address were static (most are not, unless you are already a business user or have requested a static address from your ISP).
As I have two computers sharing the same router, with both located on the same LAN, a Routed Subnet is necessary for my configuration in order to prevent NAT from attempting to resolve my DNS / Webserver connections through the default gateway (i.e. the initial, non-routed, gateway).
Decent business routers do not need to be expensive: Draytek 2830 routers, for example, can be purchased for around £30 and are still supported, but (as of August 2018) not for much longer. One problem that may be encountered (certainly with the Draytek routers) is that of the IPv6 failing to work with your ISP's network stack configuration, and this is one reason why it is important for the router to still be supported (I have had to request a revised firmware for Draytek's 2760, 2860, and 2830 routers due to IPv6 issues, and would have been stuck with crippled IPv6 functionality on those routers otherwise, had they not still been supported).
The router needs to be configured, initially, so as to get both the IPv4 and IPv6 ISP connection working; IPv6 connectivity can be tested on http://test-ipv6.com. Following on from this, WAN IP Aliasing (or its equivalent) needs to be configured under WAN >> Internet Access, and the first available IP address from the block of IPv4 addresses needs to be added (the first and final addresses of the IPv4 block are reserved for use as the network and broadcast addresses, respectively, and cannot be used). This address also needs to be made available, but should not be added to the NAT IP Pool, and will serve as a gateway address (additional to the one you will already have for your everyday internet activities).
Next, the Routed Subnet, under LAN >> General Setup, needs to be configured using that same gateway address in both columns (Network Configuration and DHCP Server), ensuring that the subnet mask is correct (/29, or 255.255.255.248, for a block of 8). Use LAN Port should not be necessary. Finally, under NAT >> Open Ports, create rules to open up ports 53 (UDP and TCP, where the rule lets you choose the protocol) and 80 for each of the IPv4 addresses that you intend to use^; the WAN IP drop-down menu should also contain the recently added new gateway address (which should be selected), and this completes IPv4 router configuration. Now check that both the IPv4 and the IPv6 addresses that you intend to use, including your new IPv4 gateway address, are reachable from the internet, and that ports 53 and 80 are open (via an online scanner) for the IPv4 addresses that you intend to use (if you have implemented rules to open these, that is). Open 53 only on the addresses that will actually run the nameserver; an address with nothing listening on it does not need the rule.
All being well, IPv6 connectivity should require little to no configuration once the IPv6 side of your ISP connection is configured and active. My IPv6 is connected via PPP (Point-to-Point Protocol) using an address from my IPv6 /48 subnet. This, in turn, makes the entire subnet available to the router, so any address can be requested from that subnet with no need for further router configuration beyond establishing initial IPv6 connectivity with my ISP.
^ there is some dispute over whether opening these ports is necessary, but I have hit serious connectivity issues with them left as obscured or half-open (the default), so keep them as they are (with no rules in place) only if that works with your configuration.
- port changes under System Maintenance >> Management Port Setup can affect your default ports
- Ping will be disabled (or not enabled on the IPv6 tab) in the above, so will need to be enabled when performing diagnostic checks
- active VPN connections, without LAN passthrough options in the VPN client, are likely to block or hinder diagnostic checks and being able to access your hosted web content
- the Block Routing Packet from WAN firewall options will block connections if ticked
- Tracert will still show the path even when Ping gets no reply, because the intermediate hops answer with ICMP time-exceeded messages rather than echo replies, so an echo block on the final host does not hide the route to it
Under NetworkManager, the new IPv4 gateway address needs to be set as the IPv4 gateway in the Linux adapter configuration. In the same way, an address from your IPv6 subnet should be used as the IPv6 gateway address, and this can literally be the very first address from that subnet. Any other addresses, IPv4 or IPv6, that you intend to use, or hold in reserve, for your webserver should be added into the configuration at the same time as additional (secondary) addresses, and in the installer both IPv4 and IPv6 need to be set to full, or automatic, DHCP.
DHCP is not a single "one setting affects all" switch: everything able to use DHCP has its own DHCP setting, so disabling or enabling it in one place will not necessarily break or fix something elsewhere. What does reliably cause trouble is hand-editing the ifcfg files under /etc/sysconfig/network-scripts while NetworkManager is managing the interface; even with network and NetworkManager restarted this will usually leave the install broken. Two routes work: add the new configuration as part of a complete re-install, with the network button set to "off" and switched back to "on" after completing the new configuration (this means that you can see for definite whether or not the addresses are being added correctly before proceeding with the rest of the install), or, on an already installed system, change the managed connection with nmcli (or nmtui), which writes those files for you and reloads the connection.
Use the next two available addresses, after the gateway address, for the IPv4 nameserver addresses, the second of which will also be the A record address. Do likewise on the IPv6 side, giving each of the nameservers a second glue record with an IPv6 address; again, the second of these will also serve as a second AAAA record for the domain, thus giving the webserver both IPv4 and IPv6 DNS.
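Putting the address bookkeeping above into code makes the choices explicit and catches a block that is too small: the router's Open Ports rules, the NetworkManager addresses and gateways, and the nameserver glue plus the A/AAAA records all come from the same plan. The following is an added example, not code from the guide. It uses constructed documentation ranges (203.0.113.0/29 and 2001:db8:1234::/48) in place of a real ISP allocation, a placeholder domain and NetworkManager connection name, placeholder SOA values, and nmcli with the manual method, which is my choice rather than the installer-and-DHCP route the guide takes; it also starts IPv6 at ::1 rather than the very first address of the /48, because the all-zeros interface ID is the subnet-router anycast address (RFC 4291).

```python
"""Address plan for the IPv4 /29 + IPv6 /48 layout described above.

Added example, not code from the original guide.  The blocks below are
constructed documentation ranges (RFC 5737 / RFC 3849); the domain,
connection name and SOA values are placeholders; nmcli 'manual' is this
example's choice (the guide sets the addresses through the installer).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

IPV4_BLOCK = ipaddress.ip_network("203.0.113.0/29")      # constructed: block of 8
IPV6_BLOCK = ipaddress.ip_network("2001:db8:1234::/48")  # constructed: ISP /48
DOMAIN = "example.net"  # placeholder domain
CONN = "ens3"           # assumed connection name; see 'nmcli connection show'


@dataclass
class AddressPlan:
    v4: ipaddress.IPv4Network
    v6: ipaddress.IPv6Network
    gateway4: ipaddress.IPv4Address   # first usable: router's routed-subnet gateway
    ns1_4: ipaddress.IPv4Address      # second usable: ns1 glue
    ns2_4: ipaddress.IPv4Address      # third usable: ns2 glue and the apex A record
    gateway6: ipaddress.IPv6Address   # router side of the /48
    ns1_6: ipaddress.IPv6Address
    ns2_6: ipaddress.IPv6Address      # also the apex AAAA record


def plan(v4: ipaddress.IPv4Network, v6: ipaddress.IPv6Network) -> AddressPlan:
    """Pick addresses in the order the guide uses: gateway, then ns1, then ns2.

    hosts() already drops the network and broadcast addresses, so a /29
    yields six candidates and a /30 only two (why a block of 4 is too small).
    """
    hosts = list(v4.hosts())
    if len(hosts) < 3:
        raise ValueError(f"{v4} has only {len(hosts)} usable addresses; "
                         "need a gateway plus two nameserver addresses")
    base = v6.network_address
    # Offsets start at 1: the all-zeros interface ID is the Subnet-Router
    # anycast address (RFC 4291 s2.6.1), so this example does not assign it.
    return AddressPlan(v4, v6, hosts[0], hosts[1], hosts[2],
                       base + 1, base + 2, base + 3)


def nmcli_commands(p: AddressPlan, conn: str = CONN) -> List[str]:
    """nmcli lines giving the host every address it answers on plus the
    routed-subnet gateway, without hand-editing network-scripts."""
    v4_addrs = ",".join(f"{a}/{p.v4.prefixlen}" for a in (p.ns1_4, p.ns2_4))
    v6_addrs = ",".join(f"{a}/{p.v6.prefixlen}" for a in (p.ns1_6, p.ns2_6))
    return [
        f"nmcli connection modify {conn} ipv4.method manual "
        f"ipv4.addresses {v4_addrs} ipv4.gateway {p.gateway4}",
        f"nmcli connection modify {conn} ipv6.method manual "
        f"ipv6.addresses {v6_addrs} ipv6.gateway {p.gateway6}",
        f"nmcli connection up {conn}",
    ]


def router_open_port_rules(p: AddressPlan) -> List[Tuple[str, str, int]]:
    """One (address, protocol, port) entry per NAT >> Open Ports rule.
    DNS needs UDP and TCP on 53 (TCP for large answers and zone transfers)."""
    rules: List[Tuple[str, str, int]] = []
    for addr in (p.ns1_4, p.ns2_4):
        rules += [(str(addr), "udp", 53), (str(addr), "tcp", 53), (str(addr), "tcp", 80)]
    return rules


def zone_records(p: AddressPlan, domain: str = DOMAIN) -> str:
    """Forward zone: both nameservers get A and AAAA, and ns2's addresses
    double as the apex A/AAAA.  The registrar must carry the same ns1/ns2
    addresses as glue.  SOA values are placeholders."""
    return "\n".join([
        f"$ORIGIN {domain}.",
        "$TTL 3600",
        f"@    IN  SOA   ns1.{domain}. hostmaster.{domain}. ( 2018080101 7200 900 1209600 3600 )",
        f"@    IN  NS    ns1.{domain}.",
        f"@    IN  NS    ns2.{domain}.",
        f"@    IN  A     {p.ns2_4}",
        f"@    IN  AAAA  {p.ns2_6}",
        f"ns1  IN  A     {p.ns1_4}",
        f"ns1  IN  AAAA  {p.ns1_6}",
        f"ns2  IN  A     {p.ns2_4}",
        f"ns2  IN  AAAA  {p.ns2_6}",
    ]) + "\n"


if __name__ == "__main__":
    p = plan(IPV4_BLOCK, IPV6_BLOCK)
    print("\n".join(nmcli_commands(p)))
    for addr, proto, port in router_open_port_rules(p):
        print(f"open {proto}/{port} on {addr}")
    print(zone_records(p))
```

Running it prints the nmcli lines, the six router rules and the zone fragment; the ns1/ns2 A and AAAA values are what the registrar needs as glue. For the real host replace CONN with the name shown by nmcli connection show, and feed plan() the blocks your ISP actually allocated.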
- zone file creation - DNSSEC
Change group ownership of the /var/named directory to named, remove the sticky bit, and set the mode to 770 on the directory and on any loose files within it (Note: the sticky bit will be restored automatically during later package updates; on a directory it only stops a user other than a file's owner from deleting or renaming that file, so removing it is what lets the named user tidy up files it does not own, and nothing more). Keep the "other" bits at zero throughout: zone files and, in particular, DNSSEC private keys must not be world-readable. Before exposing port 53 to the internet, also make sure named.conf has recursion no; set, so that the server answers only for your own zone rather than acting as an open resolver for anyone on the internet. Now systemctl restart named, followed by rndc reload, followed by systemctl restart named.
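A quick post-change check for the directory step above, as an added example that is not part of the guide: it takes the directory and the expected group (a name, or a numeric gid for trying it on a machine that has no named user) and reports anything that differs from group named, rwx for owner and group, and no access for other, on the directory and on the regular files inside it. The sticky bit is deliberately not reported, since updates put it back anyway; the default path and group are assumptions matching the guide's Fedora layout.

```python
"""Permission check for a BIND zone directory after the steps above.

Added example, not from the original guide.  Expected state: group 'named',
rwx for owner and group (named must write journals and signed zones), no
access for 'other' (zone files and DNSSEC private keys must not be
world-readable), on the directory and on the regular files in it.
"""
import grp
import os
import stat
from typing import List, Union

GROUP_RWX = stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP


def _check_mode(label: str, mode: int, findings: List[str], want_group_rwx: bool) -> None:
    """Append findings for one inode's permission bits."""
    perm = stat.S_IMODE(mode)
    if perm & stat.S_IRWXO:
        findings.append(f"{label}: 'other' has access ({perm:o}); must not be world-readable")
    if want_group_rwx and perm & GROUP_RWX != GROUP_RWX:
        findings.append(f"{label}: group lacks rwx ({perm:o}); named cannot write here")
    # The sticky bit (S_ISVTX) is ignored on purpose: on a directory it only
    # stops non-owners deleting or renaming files, and package updates restore it.


def check_named_dir(path: str = "/var/named", group: Union[str, int] = "named") -> List[str]:
    """Return a list of findings; an empty list means the layout matches."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    want_gid = grp.getgrnam(group).gr_gid if isinstance(group, str) else group
    findings: List[str] = []
    if st.st_gid != want_gid:
        findings.append(f"{path}: group is gid {st.st_gid}, expected {group}")
    _check_mode(path, st.st_mode, findings, want_group_rwx=True)
    for entry in os.scandir(path):
        if entry.is_file(follow_symlinks=False):
            est = entry.stat(follow_symlinks=False)
            if est.st_gid != want_gid:
                findings.append(f"{entry.path}: group is gid {est.st_gid}, expected {group}")
            # Files only need group read/write; the execute bit is not required.
            _check_mode(entry.path, est.st_mode, findings, want_group_rwx=False)
    return findings


if __name__ == "__main__":
    import sys
    problems = check_named_dir(*sys.argv[1:2])
    print("\n".join(problems) if problems else "ok")
    sys.exit(1 if problems else 0)
```

Run it as root after the chgrp/chmod step and again after the next bind update: a clean run prints ok, otherwise each offending path is listed with its octal mode.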
- August 2018
- Just John, @: Ex5NY27U corequery.uk
- secure email address as detailed above -