6In4 Tunnels - D-Link NetDefendOS User Manual

Network security firewall

called gre_interface then we can use the ifstat CLI command:
gw-world:/> ifstat gre_interface
This will show us what is happening with the tunnel and the ifstat command options can provide
various details.

3.4.8. 6in4 Tunnels

A 6in4 Tunnel allows the tunneling of IPv6 traffic over networks that only support IPv4 traffic. In
situations where an ISP can only provide an IPv4 public IP address, a host might still need to
connect to the public Internet with an IPv6 address. This is solved by using 6in4 tunnels, which
are an implementation of RFC 4213 (Basic Transition Mechanisms for IPv6 Hosts and Routers). The
6in4 Tunnel configuration object provides this feature in NetDefendOS. The NetDefend Firewall
then acts as a 6in4 tunnel encapsulator.

A typical scenario for use of this feature is a protected network behind a firewall on which there
are a number of IPv6 host computers. Each host will require its own unique IPv6 address and this
address will be accessible to other hosts across the public Internet. This IPv6 traffic will be sent
through a single 6in4 tunnel which stretches from the firewall to a Tunnel Server (explained next).
This is the scenario that will be discussed first in this section.

Tunnel Servers and Tunnel Brokers

A Tunnel Server is an external computer accessible through the public Internet using IPv4 that
provides a gateway for IPv6 traffic to the public Internet. Tunnel servers are provided by Tunnel
Brokers, which are third party organizations that either charge for server use or provide the
service for free. In some cases, an ISP may also offer this service.

Prerequisite Tunnel Broker Information

Before a NetDefendOS 6in4 Tunnel object can be configured for an external tunnel server,
the tunnel broker owning the server will provide the following information:

• An IPv6 prefix. This is the address range that can be used by the IPv6 hosts behind the
  firewall. Addresses can be statically assigned or assigned dynamically by configuring a
  NetDefendOS DHCPv6 server. A tunnel broker will have a large unique IPv6 prefix already
  assigned to them from which they make this allocation.

• The IPv4 address of an interface on the tunnel server computer. This is used as the Remote
  Endpoint property when configuring a 6in4 tunnel object. Instead of an IPv4 address, a DNS
  resolvable address could also be used, in which case NetDefendOS will automatically resolve
  the address provided a DNS server has been configured.

• Optionally, the IPv6 address of the internal local endpoint of the tunnel at the client side can
  be provided by the broker. This is the IP Address property of the 6in4 Tunnel object. It can be
  pinged by the tunnel server to check if the tunnel is alive.

The diagram below illustrates a use case for IP6in4 tunnels with a tunnel broker. The LAN
network and DMZ networks behind the NetDefend Firewall require IPv6 access to the public
Internet but only IPv4 access is available to the ISP's router.
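
The broker-supplied values listed above are also what a 6in4 decapsulator checks arriving packets against. The following Python is an added example, not code from this manual or from NetDefendOS: it builds a constructed 6in4 packet (IPv4 protocol 41, per RFC 4213) and accepts it only if the outer IPv4 source equals the configured Remote Endpoint and, as an assumption for traffic bound for hosts behind the firewall, the inner IPv6 destination lies in the broker-assigned prefix. The addresses and the names build_6in4 and check_6in4 are hypothetical.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41  # IPv4 protocol number for encapsulated IPv6 (RFC 4213)

def build_6in4(outer_src, outer_dst, inner_src, inner_dst, payload=b""):
    """Build a constructed 6in4 packet: IPv4 header + IPv6 header + payload."""
    # IPv6 header: version 6, payload length, next header 59 (none), hop limit 64
    inner = struct.pack("!IHBB", 6 << 28, len(payload), 59, 64)
    inner += ipaddress.IPv6Address(inner_src).packed
    inner += ipaddress.IPv6Address(inner_dst).packed + payload
    # IPv4 header without options; checksum left at 0 in this constructed sample
    outer = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(inner), 0, 0, 64,
                        PROTO_IPV6_IN_IPV4, 0)
    outer += ipaddress.IPv4Address(outer_src).packed
    outer += ipaddress.IPv4Address(outer_dst).packed
    return outer + inner

def check_6in4(packet, remote_endpoint, prefix):
    """Return (accepted, reason) for a packet arriving on the tunnel."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False, "not IPv4"
    ihl = (packet[0] & 0x0F) * 4          # outer header length in bytes
    if ihl < 20 or len(packet) < ihl + 40:
        return False, "truncated"
    if packet[9] != PROTO_IPV6_IN_IPV4:
        return False, "not protocol 41"
    # RFC 4213 requires the outer source to be the configured tunnel endpoint
    if ipaddress.IPv4Address(packet[12:16]) != ipaddress.IPv4Address(remote_endpoint):
        return False, "outer source is not the Remote Endpoint"
    inner = packet[ihl:]
    if inner[0] >> 4 != 6:
        return False, "inner packet is not IPv6"
    # Assumption: inbound traffic must target the broker-assigned prefix
    if ipaddress.IPv6Address(inner[24:40]) not in ipaddress.ip_network(prefix):
        return False, "inner destination outside the assigned prefix"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample values from documentation address ranges
    pkt = build_6in4("192.0.2.1", "198.51.100.10", "2001:db8:ffff::1", "2001:db8:1::20")
    print(check_6in4(pkt, "192.0.2.1", "2001:db8:1::/48"))
    print(check_6in4(pkt, "203.0.113.7", "2001:db8:1::/48"))
```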
Chapter 3: Fundamentals