Debian Linux router connected to the Livebox5 (DMZ for IPv4). All traffic passes through this machine (except the TV box).
Network : 2a01:cb1d:0005:af00:0000:0000:0000:0000/56
Network range : 2a01:cb1d:0005:af00:0000:0000:0000:0000-2a01:cb1d:0005:afff:ffff:ffff:ffff:ffff
Network : 2a01:cb1d:0005:af00:0000:0000:0000:0000/64
Network range : 2a01:cb1d:0005:af00:0000:0000:0000:0000-2a01:cb1d:0005:af00:ffff:ffff:ffff:ffff
Ethernet Interfaces :
root@gate:~ # lshw -C network
  *-network:0
       description: Ethernet interface
       produit: NetXtreme II BCM57810 10 Gigabit Ethernet
       fabriquant: Broadcom Inc. and subsidiaries
       identifiant matériel: 0
       information bus: pci@0000:01:00.0
       nom logique: enp1s0f0
       version: 10
       numéro de série: 98:b7:85:20:46:e0
       taille: 10Gbit/s
       capacité: 10Gbit/s
       bits: 64 bits
       horloge: 33MHz
       fonctionnalités: pm vpd msi msix pciexpress bus_master cap_list rom ethernet physical fibre 1000bt-fd 10000bt-fd
       configuration: autonegotiation=off broadcast=yes driver=bnx2x driverversion=6.1.0-30-amd64 duplex=full firmware=7.13b.4.1c bc 7.13.75 latency=0 link=yes multicast=yes speed=10Gbit/s
       ressources: irq:16 mémoire:fd000000-fd7fffff mémoire:fc800000-fcffffff mémoire:fdef0000-fdefffff mémoire:fe880000-fe8fffff
  *-network:1
       description: Ethernet interface
       produit: NetXtreme II BCM57810 10 Gigabit Ethernet
       fabriquant: Broadcom Inc. and subsidiaries
       identifiant matériel: 0.1
       information bus: pci@0000:01:00.1
       nom logique: enp1s0f1
       version: 10
       numéro de série: 98:b7:85:20:46:e1
       taille: 10Gbit/s
       capacité: 10Gbit/s
       bits: 64 bits
       horloge: 33MHz
       fonctionnalités: pm vpd msi msix pciexpress bus_master cap_list rom ethernet physical fibre 1000bt-fd 10000bt-fd
       configuration: autonegotiation=off broadcast=yes driver=bnx2x driverversion=6.1.0-30-amd64 duplex=full firmware=7.13b.4.1c bc 7.13.75 latency=0 link=yes multicast=yes port=fibre speed=10Gbit/s
       ressources: irq:17 mémoire:fc000000-fc7fffff mémoire:fb800000-fbffffff mémoire:fdee0000-fdeeffff mémoire:fe800000-fe87ffff
  *-network
       description: Ethernet interface
       produit: RTL8125 2.5GbE Controller
       fabriquant: Realtek Semiconductor Co., Ltd.
       identifiant matériel: 0
       information bus: pci@0000:04:00.0
       nom logique: enp4s0
       version: 05
       numéro de série: 00:e0:4c:2a:03:f4
       taille: 1Gbit/s
       capacité: 1Gbit/s
       bits: 64 bits
       horloge: 33MHz
       fonctionnalités: pm msi pciexpress msix vpd bus_master cap_list ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd 1000bt-fd autonegotiation
       configuration: autonegotiation=on broadcast=yes driver=r8169 driverversion=6.1.0-30-amd64 duplex=full firmware=rtl8125b-2_0.0.2 07/13/20 latency=0 link=yes multicast=yes port=twisted pair speed=1Gbit/s
       ressources: irq:19 portE/S:c800(taille=256) mémoire:fe9f0000-fe9fffff mémoire:fe9ec000-fe9effff
  *-network
       description: Ethernet interface
       produit: RTL8125 2.5GbE Controller
       fabriquant: Realtek Semiconductor Co., Ltd.
       identifiant matériel: 0
       information bus: pci@0000:05:00.0
       nom logique: enp5s0
       version: 05
       numéro de série: 00:e0:4c:2a:03:f5
       capacité: 1Gbit/s
       bits: 64 bits
       horloge: 33MHz
       fonctionnalités: pm msi pciexpress msix vpd bus_master cap_list ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd 1000bt-fd autonegotiation
       configuration: autonegotiation=on broadcast=yes driver=r8169 driverversion=6.1.0-30-amd64 firmware=rtl8125b-2_0.0.2 07/13/20 latency=0 link=no multicast=yes port=twisted pair
       ressources: irq:19 portE/S:d800(taille=256) mémoire:feaf0000-feafffff mémoire:feaec000-feaeffff
root@gate:~ # brctl show
bridge name     bridge id               STP enabled     interfaces
lanbr0          8000.eaa1ead7899a       no              enp1s0f0
netbr0          8000.768478e541f1       no              enp4s0
srvbr0          8000.7e18ddbb3f7d       no              enp1s0f1
wlanbr0         8000.ea5168b1130e       no              enp5s0
netbr0 : 2a01:cb1d:5:af00::1/64
- Input IPv6 Address GUA.
2a01:cb1d:0005:af00:0bee:eeff:00ca:feee/104
- Output IPv6 Address GUA for Unique Local Addresses (ULA).
fc01::192:168:1:254/112
- fe80::7484:78ff:fee5:41f1
(192.168.1.254)
⇆ (NET) RJ45 1 GbE ⇆ Box ISP : fe80::c2d7:aaff:fec0:f839
(192.168.1.1)
fec1::1/16
- Input/Output IPv6 Address (SLA) for Site-Local Addresses.
# /etc/sysctl.conf
net.ipv6.conf.netbr0.forwarding = 1
net.ipv6.conf.netbr0.autoconf = 0
net.ipv6.conf.netbr0.accept_redirects = 1
net.ipv6.conf.netbr0.accept_ra = 2
net.ipv6.conf.netbr0.proxy_ndp = 1
net.ipv6.conf.netbr0.accept_source_route = 0
net.ipv6.conf.netbr0.use_tempaddr = 0
root@gate:~ # ip6tables -L -vn -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 9888 4033K MASQUERADE  0    --  *      netbr0  fc01::172:16:0:0/104  !fc00::/7
    0     0 MASQUERADE  0    --  *      netbr0  fc01::10:106:0:252    !fc00::/7
    0     0 MASQUERADE  0    --  *      netbr0  fc01::10:116:0:1      !fc00::/7
    1   114 MASQUERADE  0    --  *      netbr0  fc01::10:126:0:1      !fc00::/7
root@gate:~ # ip6tables -L FORWARD -vn
Chain FORWARD (policy DROP 1110 packets, 316K bytes)
 pkts bytes target     prot opt in     out     source               destination
24168 4623K aICMPs     58   --  *      *       ::/0                 ::/0
    0     0 ACCEPT     0    --  lo     *       ::/0                 ::/0
    0     0 ACCEPT     0    --  *      lo      ::/0                 ::/0
  25M  113G ACCEPT     0    --  *      *       fc00::/7             fc00::/7
    0     0 ACCEPT     0    --  *      *       ff00::/8             ff00::/8
    0     0 ACCEPT     0    --  *      *       fe80::/10            fe80::/10
   32  2560 ACCEPT     0    --  *      *       fec0::/10            fec0::/10
  13M  951M ACCEPT     0    --  *      *       fec0::/10            fc00::/7
7028K  576M ACCEPT     0    --  *      *       fc00::/7             fec0::/10
4588K  381M ACCEPT     0    --  lanbr0 netbr0  ::/0                 ::/0
9237K   31G ACCEPT     0    --  netbr0 lanbr0  ::/0                 ::/0
2187K  248M ACCEPT     0    --  srvbr0 netbr0  ::/0                 ::/0
2927K 4275M ACCEPT     0    --  netbr0 srvbr0  ::/0                 ::/0
  703  294K ACCEPT     0    --  srvbr0 lanbr0  ::/0                 ::/0
  868  143K ACCEPT     0    --  lanbr0 srvbr0  ::/0                 ::/0
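The FORWARD chain above is really a segmentation matrix between the four bridges, with the policy DROP catching anything not listed. A quick way to see which bridge pairs actually talk is to evaluate the chain for a probe packet per pair. The script below is an added example and not part of the original page: SAMPLE is a constructed copy of the FORWARD listing above, the bridge names are the ones from `brctl show`, and the probe addresses come from the 2001:db8::/32 documentation range. Only the match kinds this chain uses (in/out interface, protocol, source/destination prefix) are modelled; a jump to a user chain such as aICMPs is reported, not followed.

```python
"""Derive the bridge-to-bridge forwarding matrix from `ip6tables -L FORWARD -vn`
output.  Added example, not part of the original page; SAMPLE is a constructed
copy of the FORWARD chain shown above and the bridge names are the page's."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the FORWARD chain as printed by `ip6tables -L FORWARD -vn`.
SAMPLE = """\
Chain FORWARD (policy DROP 1110 packets, 316K bytes)
 pkts bytes target     prot opt in     out     source               destination
24168 4623K aICMPs     58   --  *      *       ::/0                 ::/0
    0     0 ACCEPT     0    --  lo     *       ::/0                 ::/0
    0     0 ACCEPT     0    --  *      lo      ::/0                 ::/0
  25M  113G ACCEPT     0    --  *      *       fc00::/7             fc00::/7
    0     0 ACCEPT     0    --  *      *       ff00::/8             ff00::/8
    0     0 ACCEPT     0    --  *      *       fe80::/10            fe80::/10
   32  2560 ACCEPT     0    --  *      *       fec0::/10            fec0::/10
  13M  951M ACCEPT     0    --  *      *       fec0::/10            fc00::/7
7028K  576M ACCEPT     0    --  *      *       fc00::/7             fec0::/10
4588K  381M ACCEPT     0    --  lanbr0 netbr0  ::/0                 ::/0
9237K   31G ACCEPT     0    --  netbr0 lanbr0  ::/0                 ::/0
2187K  248M ACCEPT     0    --  srvbr0 netbr0  ::/0                 ::/0
2927K 4275M ACCEPT     0    --  netbr0 srvbr0  ::/0                 ::/0
  703  294K ACCEPT     0    --  srvbr0 lanbr0  ::/0                 ::/0
  868  143K ACCEPT     0    --  lanbr0 srvbr0  ::/0                 ::/0
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    target: str
    proto: str      # "0" means any protocol, "58" is ICMPv6
    in_if: str
    out_if: str
    src: str
    dst: str


def parse_forward(text):
    """Return (policy, rules) from the -L -vn listing; columns are
    pkts bytes target prot opt in out source destination."""
    lines = text.splitlines()
    policy = re.match(r"Chain FORWARD \(policy (\w+)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:
        f = line.split()
        if len(f) >= 9:
            rules.append(Rule(f[2], f[3], f[5], f[6], f[7], f[8]))
    return policy, rules


def _match(pattern, addr):
    """Prefix match honouring the '!' negation that -L prints (e.g. '!fc00::/7')."""
    negated = pattern.startswith("!")
    return (addr in ipaddress.ip_network(pattern.lstrip("!"), strict=False)) != negated


def verdict(policy, rules, in_if, out_if, src, dst, proto="6"):
    """First-match evaluation of the chain for one packet (default: a TCP packet).
    A jump to a user chain is returned as 'jump:<chain>' rather than followed."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.in_if not in ("*", in_if) or r.out_if not in ("*", out_if):
            continue
        if r.proto not in ("0", "all", proto):
            continue
        if not (_match(r.src, s) and _match(r.dst, d)):
            continue
        return r.target if r.target in TERMINAL else f"jump:{r.target}"
    return policy


def zone_matrix(policy, rules, bridges, src="2001:db8::1", dst="2001:db8::2"):
    """Verdict for a plain global-unicast TCP flow between every ordered pair of bridges."""
    return {(a, b): verdict(policy, rules, a, b, src, dst)
            for a in bridges for b in bridges if a != b}


if __name__ == "__main__":
    policy, rules = parse_forward(SAMPLE)
    for (a, b), v in zone_matrix(policy, rules, ["netbr0", "lanbr0", "srvbr0", "wlanbr0"]).items():
        print(f"{a:>8} -> {b:<8} {v}")
```

Running it shows six ACCEPT pairs (lanbr0, srvbr0 and netbr0 in both directions) and nothing at all for wlanbr0, which the DROP policy handles. Note the asymmetry the matrix does not show directly: the `fc00::/7 -> fc00::/7` rule is interface-agnostic, so a ULA-addressed flow from wlanbr0 to srvbr0 is accepted by that rule even though no wlanbr0 pair exists; the per-bridge rules only segment GUA traffic.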
root@gate:~ # ip -6 route show dev netbr0
2a01:cb1d:5:af00:bee:eeff::/104 proto kernel metric 256 pref medium
2a01:cb1d:5:af00::/64 proto kernel metric 256 pref medium
fe80::/64 proto kernel metric 256 pref medium
fec1::/16 proto kernel metric 256 pref medium
default via fe80::c2d7:aaff:fec0:f839 proto ra metric 1024 expires 578sec hoplimit 64 pref high

root@gate:~ # ip -6 route show table 220
fc00:41d0:701:1100::/64 dev netbr0 proto static src fec1::1 metric 1024 pref medium
fc00:41d0:801:2000::/64 dev netbr0 proto static src fec1::1 metric 1024 pref medium
fc00:5300:60:9389::/64 dev netbr0 proto static src fec1::1 metric 1024 pref medium
fec0::/16 dev netbr0 proto static src fec1::1 metric 1024 pref medium
fec2::1 dev netbr0 proto static src fec1::1 metric 1024 pref medium
fec3::1 dev netbr0 proto static src fec1::1 metric 1024 pref medium

root@gate:~ # ip -6 neighbor show proxy
2a01:cb1d:5:af00:1ab3::1 dev netbr0 proxy
2a01:cb1d:5:af00:1ab3:116:0:1 dev netbr0 proxy
2a01:cb1d:5:af00:1ab3:116:42:1000 dev netbr0 proxy
2a01:cb1d:5:af00:1ab3:116:42:10 dev netbr0 proxy
2a01:cb1d:5:af00:1ab3:116:42:db1 dev netbr0 proxy
2a01:cb1d:5:af00:1ab3:116:42:ad0 dev netbr0 proxy
2a01:cb1d:5:af00:1ab3:126:0:1 dev netbr0 proxy
2a01:cb1d:5:af00:1ab3:126:42:1000 dev netbr0 proxy
2a01:cb1d:5:af00:1ab3:126:42:10 dev netbr0 proxy
lanbr0 : 2a01:cb1d:5:af00:0c00::2/70
fc01::172:16:0:254/104
⇆ (LAN) SFP+ 10 GbE ⇆ Switch 4x 2.5 GbE + 2x SFP+ 10 GbE
# /etc/sysctl.conf
net.ipv6.conf.lanbr0.forwarding = 1
net.ipv6.conf.lanbr0.autoconf = 0
net.ipv6.conf.lanbr0.accept_redirects = 1
net.ipv6.conf.lanbr0.accept_ra = 0
net.ipv6.conf.lanbr0.proxy_ndp = 0
net.ipv6.conf.lanbr0.accept_source_route = 0
net.ipv6.conf.lanbr0.use_tempaddr = 0
root@gate:~ # ip -6 route show dev lanbr0
2a01:cb1d:5:af00:800::/70 metric 1024 pref medium
fc01::172:16:0:0/112 proto kernel metric 256 pref medium
fe80::/64 proto kernel metric 256 pref medium
Network : 2a01:cb1d:0005:af00:0c00:0000:0000:0000/70
Network range : 2a01:cb1d:0005:af00:0c00:0000:0000:0000-2a01:cb1d:0005:af00:0fff:ffff:ffff:ffff
netbr0 : 2a01:cb1d:0005:af00:0bee:eeff:00ca:feee/104
fc01::172:16:0:140/104
fc01::172:16:0:141/104
fc01::172:16:0:142/104
srvbr0 : 2a01:cb1d:5:af00:1800::2/70
fc01::10:106:0:254/124
⇆ (SRV) SFP+ 10 GbE ⇆ SFP+ 10 GbE
# /etc/sysctl.conf
net.ipv6.conf.srvbr0.forwarding = 1
net.ipv6.conf.srvbr0.autoconf = 0
net.ipv6.conf.srvbr0.accept_redirects = 1
net.ipv6.conf.srvbr0.accept_ra = 2
net.ipv6.conf.srvbr0.proxy_ndp = 1
net.ipv6.conf.srvbr0.accept_source_route = 0
net.ipv6.conf.srvbr0.use_tempaddr = 0
# /etc/radvd.conf
interface srvbr0
{
    IgnoreIfMissing on;
    AdvManagedFlag on;
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    AdvSourceLLAddress off;        # default: on
    UnicastOnly off;               # default: off
    # DeprecatePrefix on;          # default: off
    AdvRASolicitedUnicast on;      # default: on
    prefix 2a01:cb1d:5:af00:1ab3:116::/80
    {
        AdvRouterAddr off;
        AdvOnLink on;
        AdvAutonomous on;
    };
    prefix 2a01:cb1d:5:af00:1ab3:126::/80
    {
        AdvRouterAddr off;
        AdvOnLink on;
        AdvAutonomous on;
    };
};
root@gate:~ # ip -6 route show dev srvbr0
2a01:cb1d:5:af00:1ab3:116::/96 via fc01::10:106:0:252 metric 1024 pref medium
2a01:cb1d:5:af00:1ab3:126::/96 via fc01::10:106:0:252 metric 1024 pref medium
2a01:cb1d:5:af00:1ab3::/80 proto kernel metric 256 expires 86399sec pref medium
2a01:cb1d:5:af00:1ab3::/80 metric 1024 pref medium
2a01:cb1d:5:af00:1800::/70 proto kernel metric 256 pref medium
fc01::10:106:0:250/124 proto kernel metric 256 pref medium
fc01::10:116:0:0/112 via fc01::10:106:0:252 metric 1024 pref medium
fc01::10:116:42:0/112 via fc01::10:106:0:252 metric 1024 pref medium
fc01::10:126:0:0/112 via fc01::10:106:0:252 metric 1024 pref medium
fc01::10:126:42:0/112 via fc01::10:106:0:252 metric 1024 pref medium
fe80::/64 proto kernel metric 256 pref medium
fec1::/16 metric 1024 pref medium
fec0::/10 via fec1::1 metric 1024 pref medium
Network : 2a01:cb1d:0005:af00:1800:0000:0000:0000/70
Network range : 2a01:cb1d:0005:af00:1800:0000:0000:0000-2a01:cb1d:0005:af00:1bff:ffff:ffff:ffff
gatebr0 : 2a01:cb1d:0005:af00:1ab3:0000:0000:0001/128
2a01:cb1d:0005:af00:1aff:00ff:00ff:00ff/70
fc01::10:106:0:252/124
vmbr0 : fc01::10:116:0:252/112
Network : 2a01:cb1d:0005:af00:1ab3:0116:0000:0000/96
Network range : 2a01:cb1d:0005:af00:1ab3:0116:0000:0000-2a01:cb1d:0005:af00:1ab3:0116:ffff:ffff
vmbr0 : 2a01:cb1d:0005:af00:1ab3:0116:0000:0001/128 - Output IPv6 Address GUA for Unique Local Addresses (ULA).
fc01:0000:0000:0000:0010:0116:0000:0001/128
vmbr1 : 2a01:cb1d:0005:af00:1ab3:0116:00ff:ffff/96
fc01:0000:0000:0000:0010:0116:0042:ffff/112
Linux child containers (LXC) :
2a01:cb1d:0005:af00:1ab3:0116:0042:1000/112
(NS1) - Name Server
fc01:0000:0000:0000:0010:0116:0042:1000/112
2a01:cb1d:0005:af00:1ab3:0116:0042:0010/124
(WE1) - BackEnd Web Server
fc01:0000:0000:0000:0010:0116:0042:0010/112
2a01:cb1d:0005:af00:1ab3:0116:0042:0db1/124
(DB1) - Databases
fc01:0000:0000:0000:0010:0116:0042:0db1/112
2a01:cb1d:0005:af00:1ab3:0116:0042:0ad0/124
(AD0) - Active Directory : domain controller for the inter-site (global) network.
fc01:0000:0000:0000:0010:0116:0042:0ad0/7
vmbr1 : fc01::10:126:0:252/112
Network : 2a01:cb1d:0005:af00:1ab3:0126:0000:0000/96
Network range : 2a01:cb1d:0005:af00:1ab3:0126:0000:0000-2a01:cb1d:0005:af00:1ab3:0126:ffff:ffff
vmbr0 : 2a01:cb1d:0005:af00:1ab3:0126:0000:0001/128 - Output IPv6 Address GUA for Unique Local Addresses (ULA).
fc01:0000:0000:0000:0010:0126:0000:0001/128
vmbr1 : 2a01:cb1d:0005:af00:1ab3:0126:00ff:ffff/96
fc01:0000:0000:0000:0010:0126:0042:ffff/112
Linux child containers (LXC) :
2a01:cb1d:0005:af00:1ab3:0126:0042:1000/112
(NS2) - Name Server
fc01:0000:0000:0000:0010:0126:0042:1000/112
2a01:cb1d:0005:af00:1ab3:0126:0042:0010/124
(WE2) - BackEnd Web Server
fc01:0000:0000:0000:0010:0126:0042:0010/112
2a01:cb1d:0005:af00:1ab3:0126:0042:0bdd/124
(BDD) - Database
fc01:0000:0000:0000:0010:0126:0042:0bdd/112
2a01:cb1d:0005:af00:1ab3:0126:0042:0bdc/124
(BDC) - Backup Domain Controller : domain controller for the local network.
fc01:0000:0000:0000:0010:0126:0042:0bdc/64
wlanbr0 : 2a01:cb1d:5:af00:4700::2/70
⇆ (WLAN) RJ45 2.5 GbE ⇆ OpenWrt WAN Ethernet port.
# /etc/sysctl.conf
net.ipv6.conf.wlanbr0.forwarding = 1
net.ipv6.conf.wlanbr0.autoconf = 0
net.ipv6.conf.wlanbr0.accept_redirects = 1
net.ipv6.conf.wlanbr0.accept_ra = 2
net.ipv6.conf.wlanbr0.proxy_ndp = 1
net.ipv6.conf.wlanbr0.accept_source_route = 0
net.ipv6.conf.wlanbr0.use_tempaddr = 0
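The four per-bridge sysctl fragments (netbr0, lanbr0, srvbr0, wlanbr0) all set forwarding, and three of them also keep accept_ra = 2 and accept_redirects = 1. On the upstream side that is what lets the default route arrive by RA from the box, as the `proto ra` route on netbr0 shows; on the downstream bridges, where this router is itself the radvd advertiser, the same settings mean any node on the bridge could hand it a route. The script below is an added example, not part of the original page: it parses sysctl.conf fragments (SAMPLE is a constructed copy of the four shown on this page) and reports the settings a router baseline would flag. The UPSTREAM set is an assumption, namely that netbr0 is the only link where RAs are expected.

```python
"""Audit per-interface IPv6 sysctl settings on a forwarding router against a small
defensive baseline.  Added example, not part of the original page; SAMPLE is a
constructed copy of the /etc/sysctl.conf fragments shown on the page, and
UPSTREAM is an assumption about which bridge faces the ISP box."""

SAMPLE = """\
net.ipv6.conf.netbr0.forwarding = 1
net.ipv6.conf.netbr0.autoconf = 0
net.ipv6.conf.netbr0.accept_redirects = 1
net.ipv6.conf.netbr0.accept_ra = 2
net.ipv6.conf.netbr0.proxy_ndp = 1
net.ipv6.conf.netbr0.accept_source_route = 0
net.ipv6.conf.netbr0.use_tempaddr = 0
net.ipv6.conf.lanbr0.forwarding = 1
net.ipv6.conf.lanbr0.autoconf = 0
net.ipv6.conf.lanbr0.accept_redirects = 1
net.ipv6.conf.lanbr0.accept_ra = 0
net.ipv6.conf.lanbr0.proxy_ndp = 0
net.ipv6.conf.lanbr0.accept_source_route = 0
net.ipv6.conf.lanbr0.use_tempaddr = 0
net.ipv6.conf.srvbr0.forwarding = 1
net.ipv6.conf.srvbr0.autoconf = 0
net.ipv6.conf.srvbr0.accept_redirects = 1
net.ipv6.conf.srvbr0.accept_ra = 2
net.ipv6.conf.srvbr0.proxy_ndp = 1
net.ipv6.conf.srvbr0.accept_source_route = 0
net.ipv6.conf.srvbr0.use_tempaddr = 0
net.ipv6.conf.wlanbr0.forwarding = 1
net.ipv6.conf.wlanbr0.autoconf = 0
net.ipv6.conf.wlanbr0.accept_redirects = 1
net.ipv6.conf.wlanbr0.accept_ra = 2
net.ipv6.conf.wlanbr0.proxy_ndp = 1
net.ipv6.conf.wlanbr0.accept_source_route = 0
net.ipv6.conf.wlanbr0.use_tempaddr = 0
"""

# Assumption: netbr0 is the only link where this router should learn routes from a
# Router Advertisement (its default route is `proto ra` on netbr0).
UPSTREAM = {"netbr0"}


def parse_sysctl(text):
    """Map interface -> {knob: value} from net.ipv6.conf.<iface>.<knob> = <value> lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        parts = key.split(".")
        if parts[:3] != ["net", "ipv6", "conf"] or len(parts) < 5:
            continue
        conf.setdefault(parts[3], {})[".".join(parts[4:])] = value
    return conf


def audit(conf, upstream=UPSTREAM):
    """Return (iface, knob, reason) findings for settings that widen the attack surface."""
    findings = []
    for iface, knobs in sorted(conf.items()):
        forwarding = knobs.get("forwarding") == "1"
        if forwarding and knobs.get("accept_redirects") == "1":
            findings.append((iface, "accept_redirects",
                "explicitly enabled on a forwarding interface: Linux's documented "
                "behaviour is to ignore redirects while forwarding=1, so the knob only "
                "goes live if forwarding is ever toggled off; pin it to 0"))
        if forwarding and knobs.get("accept_ra") == "2" and iface not in upstream:
            findings.append((iface, "accept_ra",
                "router accepts RAs on a downstream link where it is itself the "
                "advertiser; any node there could push a default route or prefix; set 0"))
        if knobs.get("accept_source_route", "0") != "0":
            findings.append((iface, "accept_source_route",
                "source-routed packets are accepted; set 0"))
    return findings


if __name__ == "__main__":
    for iface, knob, reason in audit(parse_sysctl(SAMPLE)):
        print(f"{iface}: {knob}: {reason}")
```

On the page's own fragments this reports accept_redirects on all four bridges and accept_ra on srvbr0 and wlanbr0, and nothing for lanbr0's accept_ra = 0 or for accept_source_route, which is already 0 everywhere.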
Network : 2a01:cb1d:0005:af00:4400:0000:0000:0000/70
Network range : 2a01:cb1d:0005:af00:4400:0000:0000:0000-2a01:cb1d:0005:af00:47ff:ffff:ffff:ffff
br-lan : 2a01:cb1d:0005:af00:4700:0000:0000:0002/84
2a01:cb1d:0005:af00:4700:00c0:0000:0000/96
2a01:cb1d:0005:af00:4700:00c1:0000:0000/96
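The "Network / Network range" pairs above come from the GestióIP calculator linked below; the same numbers, plus a containment check across the whole plan (/56 from the ISP, the /64 on netbr0, the three /70 bridges, the /80 behind srvbr0, the /96 per vmbr and the /112 per LXC), can be produced offline with Python's `ipaddress` module. The script below is an added example and not part of the original page: PLAN is constructed from the page's own prefixes, and the expected ranges are the ones the calculator printed.

```python
"""Cross-check the IPv6 address plan shown on this page with Python's standard
`ipaddress` module.  Added example, not part of the original page: PLAN and the
addresses below are copied from the page's tables; the expected ranges are the
ones the GestióIP calculator printed."""
import ipaddress


def network_range(prefix):
    """Return (first, last) of a prefix in the exploded form the 'Network range' lines use."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return net.network_address.exploded, net.broadcast_address.exploded


# Constructed from the page: parent prefix -> the child prefixes nested under it.
PLAN = {
    "2a01:cb1d:5:af00::/56": ["2a01:cb1d:5:af00::/64"],
    "2a01:cb1d:5:af00::/64": ["2a01:cb1d:5:af00:c00::/70",       # lanbr0
                              "2a01:cb1d:5:af00:1800::/70",      # srvbr0
                              "2a01:cb1d:5:af00:4400::/70"],     # wlanbr0
    "2a01:cb1d:5:af00:1800::/70": ["2a01:cb1d:5:af00:1ab3::/80"],    # gatebr0 side
    "2a01:cb1d:5:af00:1ab3::/80": ["2a01:cb1d:5:af00:1ab3:116::/96",
                                   "2a01:cb1d:5:af00:1ab3:126::/96"],
    "2a01:cb1d:5:af00:1ab3:116::/96": ["2a01:cb1d:5:af00:1ab3:116:42::/112"],  # LXC
    "2a01:cb1d:5:af00:1ab3:126::/96": ["2a01:cb1d:5:af00:1ab3:126:42::/112"],
}


def check_plan(plan):
    """Return (outside, overlapping): children not contained in their parent, and
    sibling prefixes that overlap.  Both lists empty means the hierarchy is consistent."""
    outside, overlapping = [], []
    for parent, children in plan.items():
        p = ipaddress.IPv6Network(parent, strict=False)
        kids = [ipaddress.IPv6Network(c, strict=False) for c in children]
        for k in kids:
            if not k.subnet_of(p):
                outside.append((str(k), str(p)))
        for i, a in enumerate(kids):
            for b in kids[i + 1:]:
                if a.overlaps(b):
                    overlapping.append((str(a), str(b)))
    return outside, overlapping


def address_in(addr_with_len, prefix):
    """True if an interface address such as '2a01:cb1d:5:af00:4700::2/70' lies in prefix."""
    iface = ipaddress.IPv6Interface(addr_with_len)
    return iface.ip in ipaddress.IPv6Network(prefix, strict=False)


if __name__ == "__main__":
    for parent in PLAN:
        first, last = network_range(parent)
        print(f"Network : {parent}\nNetwork range : {first}-{last}")
    print("outside / overlapping:", check_plan(PLAN))
```

Feeding a deliberately wrong pair, such as the lanbr0 address 2a01:cb1d:5:af00:c00::2/70 from the table above against the 2a01:cb1d:5:af00:800::/70 route that `ip -6 route show dev lanbr0` lists, makes `check_plan` report the two /70s as disjoint; that is the kind of typo in a hand-maintained plan this check exists to catch.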
Joking aside, because you never know with all this information, I'm adding a /.well-known/security.txt file to the default web server directory; hoping you're not too mean.
🔑 How to configure strongSwan v6 Post-Quantum Cryptography NIST compliant #2731 : https://github.com/strongswan/strongswan/discussions/2731
🌐 Create your network map with GestióIP IPv4/IPv6 subnet calculator : http://www.gestioip.net/cgi-bin/subnet_calculator.cgi
🖧 The IPv6 ULA (Unique Local Address) network configuration from my home to the servers, shown in the image : https://howto.zw3b.fr/pub/vpn/strongSwan-v6.0/network_map-ipv10.jpg
Read the INFOS.txt file in my StrongSwan 6.0.1 configuration files n°7; there is some nice information there. I like my "traceroute" tests from home (gate-fr / command-traceroute6.txt). It's tempting.