Build your own IPv6 lab on the cheap, part 1

IPv6 might not be quite here yet, but it's coming; here's how to get ahead of the familiarity curve now by building your own lab

Page 4 of 5

If you choose this route, make sure you understand what every command I use here does, so that you know the implications of setting each one. Vyatta is tremendously flexible, allowing you to set firewall rules that only trigger at certain times of day, perform traffic shaping, and support fairly complex zone-based firewalling configurations. This config reflects the simplest of the simple. If you want to learn more about what you can do, check out the Vyatta documentation.

First is a rule set that drops everything by default and then allows replies to traffic the router itself initiated to come back to it. It will also allow ICMP ping requests to come into the router's outside interface (you'll need that ability later when you configure an IPv6 tunnel):

set firewall name out-local default-action 'drop'

set firewall name out-local description 'IPv4 Traffic To Router'

set firewall name out-local rule 10 action 'accept'

set firewall name out-local rule 10 description 'Accept Established-Related'

set firewall name out-local rule 10 state established 'enable'

set firewall name out-local rule 10 state related 'enable'

set firewall name out-local rule 15 action 'accept'

set firewall name out-local rule 15 description 'Accept ICMP Echo'

set firewall name out-local rule 15 icmp type '8'

set firewall name out-local rule 15 protocol 'icmp'

Next is pretty much the same rule set, this time applying to return traffic for connections that originated from the inside network:

set firewall name out-in default-action 'drop'

set firewall name out-in description 'IPv4 Traffic To Internal'

set firewall name out-in rule 10 action 'accept'

set firewall name out-in rule 10 description 'Accept Established-Related'

set firewall name out-in rule 10 state established 'enable'

set firewall name out-in rule 10 state related 'enable'

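Now, apply both of those rule sets to the eth0 (outside) interface. The "in" direction covers traffic arriving on eth0 that is passing through the router, and "local" covers traffic arriving on eth0 that is addressed to the router itself: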

set interfaces ethernet eth0 firewall in name 'out-in'

set interfaces ethernet eth0 firewall local name 'out-local'
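
To see what these two rule sets do once they are bound to eth0, here is an added example (not part of the original article and not Vyatta code) that parses the commands above and evaluates a packet description against the rule set bound to an interface direction. The function names, the packet dictionary fields (protocol, icmp_type, state) and the simplified first-match model are assumptions made for this illustration.

```python
import shlex
# Rule sets and bindings from this page (description lines omitted).
CONFIG = """
set firewall name out-local default-action 'drop'
set firewall name out-local rule 10 action 'accept'
set firewall name out-local rule 10 state established 'enable'
set firewall name out-local rule 10 state related 'enable'
set firewall name out-local rule 15 action 'accept'
set firewall name out-local rule 15 icmp type '8'
set firewall name out-local rule 15 protocol 'icmp'
set firewall name out-in default-action 'drop'
set firewall name out-in rule 10 action 'accept'
set firewall name out-in rule 10 state established 'enable'
set firewall name out-in rule 10 state related 'enable'
set interfaces ethernet eth0 firewall in name 'out-in'
set interfaces ethernet eth0 firewall local name 'out-local'
"""

def parse(config):
    """Parse 'set' lines. Assumption: an unset default-action means drop."""
    rulesets, bindings = {}, {}
    for line in config.strip().splitlines():
        t = shlex.split(line)  # also strips the single quotes
        if t[1:3] == ["firewall", "name"]:
            rs = rulesets.setdefault(t[3], {"default": "drop", "rules": {}})
            if t[4] == "default-action":
                rs["default"] = t[5]
            elif t[4] == "rule":
                rule = rs["rules"].setdefault(int(t[5]), {"states": set()})
                if t[6] == "state" and t[8] == "enable":
                    rule["states"].add(t[7])
                elif t[6] == "icmp":
                    rule["icmp_type"] = int(t[8])
                elif t[6] in ("action", "protocol"):
                    rule[t[6]] = t[7]
        elif t[1] == "interfaces" and t[4] == "firewall":
            bindings[(t[3], t[5])] = t[7]  # (interface, direction) -> rule set
    return rulesets, bindings

def verdict(rulesets, bindings, iface, direction, pkt):
    """First matching rule (lowest number) wins, else the default-action."""
    rs = rulesets[bindings[(iface, direction)]]
    for num in sorted(rs["rules"]):
        r = rs["rules"][num]
        ok = (not r["states"] or pkt.get("state") in r["states"]) and all(
            pkt.get(k) == r[k] for k in ("protocol", "icmp_type") if k in r)
        if ok:
            return r["action"], num
    return rs["default"], None
```

Calling verdict with a constructed packet such as {"protocol": "icmp", "icmp_type": 8, "state": "new"} shows the asymmetry between the two rule sets: the ping is accepted by rule 15 when addressed to the router ("local") but falls through to the default drop when headed for the inside network ("in").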

Throw in some fairly standard global firewall configuration (allowing the router to respond to ICMP pings and disabling some commonly abused and/or unnecessary IP features):

set firewall all-ping 'enable'

set firewall broadcast-ping 'disable'

set firewall conntrack-tcp-loose 'enable'

set firewall ip-src-route 'disable'

set firewall ipv6-receive-redirects 'disable'

set firewall ipv6-src-route 'disable'

set firewall log-martians 'enable'

set firewall receive-redirects 'disable'

set firewall send-redirects 'enable'

set firewall source-validation 'disable'

set firewall syn-cookies 'enable'
