At NZNOG 2013 I was lucky enough to score a Mikrotik RB951-2n. This is a tiny little router with a huge feature set. It has one wifi interface and five gigabit ethernet interfaces, all of which can be bridged, routed separately, fused into VLANs and so on. For $50, a remarkable package, though I didn’t even pay that – thanks, GoWireless NZ :-) It even does BGP, though it probably can’t handle the global routing table :-)
At that time Internode was the only ISP in Australia offering native IPv6 on commodity ADSL (and as far as I know at time of writing, still is). Up until I moved to Internode I had used an IPv6Now tunnel. The performance was fine, but I wanted native access – mostly as a matter of principle, but also of course so that I could play with it, and in particular play with DHCPv6-PD as a means of delivering a prefix to me.
Sadly it proved difficult to purchase a suitable (for me) piece of CPE. The Fritz!Box from AVM looked like just the ticket, but was expensive at around $300, and when I got one it didn’t work on my “open RIM” telephone line. It would synch, but fail to authenticate – apparently a known bug, but one that is still there two years later. So it went back for a refund.
Next I tried a Billion unit. One look at the interface there got that sent back too -it was primitive beyond belief, and had no security features at all, not even the most rudimentary packet filters.
I should stress that plenty of people would be probably be very happy with the Billion. The Fritz!Box is a proven solution and is working well in many environments. These two units just didn’t work for me.
The obvious answer, and what I did in the end, was to stop looking for everything in one package. Instead, I put my trusty TP-Link ADSL router into bridge mode and let the Mikrotik do all the heavy lifting.
The Mikrotik is a lovely thing, but the various user interfaces leave much to be desired. They are like Lego – yes, you can build anything, but you have to build it out of tiny, tiny pieces. As a result I can’t recommend the Mikrotik to the masses – you will need to be skilled yourself, or have a skilled helper, or get your supplier to configure the thing for you. More on the Mikrotik in a subsequent article, when I have my head around it :-)
So, without dwelling on my learning curve with the Mikrotik, I now have the network I’ve wanted for several years – native IPv6 access from my ISP, with a fully-featured router handing the connection and a network in my home that runs IPv6 everywhere.
I print to my printers (Brother brand) via IPv6. I access our local wiki over IPv6. I access shares on our server over IPv6. I view remote websites via IPv6 if they have IPv6 connectivity, via IPv4 if they don’t. Google, for example, works over IPv6 for me. I access hosts around the world via ssh over IPv6 if they support it, IPv4 if they don’t.
About the only thing missing is automated DNS. Because my home network has few hosts in it, and even fewer that need to be contacted by name, my DNS is a manual affair. The Mikrotik distributes IPv4 nameserver info; IPv6 nameserver info is manually entered on the few machines that need it. I could (and probably will, eventually) run up a DHCPv6 server on the LAN side and distribute IPv6 nameserver information that way; the magic of dynamic DNS will make entries in the local DNS for me.
The hosts in my home network (including the printers, an iPod, an iPad and a bunch of laptops) all generate addresses using SLAAC. My main workhorse has five IPv6 addresses and one IPv4 address (not counting link local and localhost addresses). The IPv4 address is obtained via DHCP from the Mikrotik and is NATted on the way out to the Internet (same as it ever was). The router is advertising two prefixes into my LAN; a ULA prefix and one /64 out of the /56 that Internode delivers. Two addresses are generated for each of the two prefixes the router is advertising – a standard SLAAC address and a temporary “privacy” address.
I have used some operating system settings, /etc/gai.conf and some script magic (see this article in my personal blog for more info) to make sure on my own laptop that non-privacy ULA addresses are used for all internal communication, while non-ULA privacy addresses are used for communication with the Internet. I really do have the best of both worlds :-)