Step 11: Prepare access to the Internet: Add IPv6 to your network

Start

Now that you have a working network, the next step is to expand it by enabling IPv6 on your setup.

You do not have to create a new router, as the existing one will be used.

The cloud images we supply have a predefined primary network interface with DHCP enabled. Once you have completed this step, IPv6 will work as well.

Subnet

We have already defined an IPv6 pool. It will be used to create a new subnet.

Let’s list all existing pools:

$ openstack subnet pool list
+--------------------------------------+---------------+---------------------+
| ID                                   | Name          | Prefixes            |
+--------------------------------------+---------------+---------------------+
| f541f3b6-af22-435a-9cbb-b233d12e74f4 | customer-ipv6 | 2a00:c320:1000::/48 |
+--------------------------------------+---------------+---------------------+

You can now use the pool to generate a subnet. The 64 bit prefix length is fixed for each generated subnet.

You can use the subnet in the creation process, or you can accept the default from OpenStack.

Let’s create your subnet now:

$ openstack subnet create --network BeispielNetzwerk --ip-version 6 --use-default-subnet-pool --ipv6-address-mode dhcpv6-stateful --ipv6-ra-mode dhcpv6-stateful BeispielSubnetIPv6
+-------------------------+----------------------------------------------------------+
| Field                   | Value                                                    |
+-------------------------+----------------------------------------------------------+
| allocation_pools        | 2a00:c320:1000:2::2-2a00:c320:1000:2:ffff:ffff:ffff:ffff |
| cidr                    | 2a00:c320:1000:2::/64                                    |
| created_at              | 2017-12-08T12:41:42Z                                     |
| description             |                                                          |
| dns_nameservers         |                                                          |
| enable_dhcp             | True                                                     |
| gateway_ip              | 2a00:c320:1000:2::1                                      |
| host_routes             |                                                          |
| id                      | 0046c29b-a9b0-47c3-b5dd-704aa801704d                     |
| ip_version              | 6                                                        |
| ipv6_address_mode       | dhcpv6-stateful                                          |
| ipv6_ra_mode            | dhcpv6-stateful                                          |
| name                    | BeispielSubnetIPv6                                       |
| network_id              | ff6d8654-66d6-4881-9528-2686bddcb6dc                     |
| project_id              | b15cde70d85749689e08106f973bb002                         |
| revision_number         | 0                                                        |
| segment_id              | None                                                     |
| service_types           |                                                          |
| subnetpool_id           | f541f3b6-af22-435a-9cbb-b233d12e74f4                     |
| updated_at              | 2017-12-08T12:41:42Z                                     |
| use_default_subnet_pool | True                                                     |
+-------------------------+----------------------------------------------------------+

Router

Now that the subnet has been created, it can be added to the router.

To do so, execute the following command:

openstack router add subnet BeispielRouter BeispielSubnetIPv6

Security Group

The security group rules that you created in Step 9 were IPv4 rules. Now you need to add two more rules for IPv6.

First, allow SSH access using IPv6 (::/0 is the equivalent of 0.0.0.0/0 but for IPv6):

$ openstack security group rule create --remote-ip "::/0" --protocol tcp --dst-port 22:22 --ethertype IPv6 --ingress allow-ssh-from-anywhere
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| created_at        | 2017-12-08T12:44:04Z                 |
| description       |                                      |
| direction         | ingress                              |
| ether_type        | IPv6                                 |
| id                | 7d871e85-05fa-4620-b558-c6fc64076cde |
| name              | None                                 |
| port_range_max    | 22                                   |
| port_range_min    | 22                                   |
| project_id        | b15cde70d85749689e08106f973bb002     |
| protocol          | tcp                                  |
| remote_group_id   | None                                 |
| remote_ip_prefix  | ::/0                                 |
| revision_number   | 0                                    |
| security_group_id | 1cab4a62-0fda-40d9-bac8-fd73275b472d |
| updated_at        | 2017-12-08T12:44:04Z                 |
+-------------------+--------------------------------------+

For completion’s sake, we will allow ICMP access so that you can ping your VM with IPv6:

$ openstack security group rule create --remote-ip "::/0" --protocol ipv6-icmp --ingress allow-ssh-from-anywhere
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| created_at        | 2017-12-08T12:44:44Z                 |
| description       |                                      |
| direction         | ingress                              |
| ether_type        | IPv6                                 |
| id                | f63e4787-9965-4732-b9d2-20ce0fedc974 |
| name              | None                                 |
| port_range_max    | None                                 |
| port_range_min    | None                                 |
| project_id        | b15cde70d85749689e08106f973bb002     |
| protocol          | ipv6-icmp                            |
| remote_group_id   | None                                 |
| remote_ip_prefix  | ::/0                                 |
| revision_number   | 0                                    |
| security_group_id | 1cab4a62-0fda-40d9-bac8-fd73275b472d |
| updated_at        | 2017-12-08T12:44:44Z                 |
+-------------------+--------------------------------------+

Adjustments to the operating system

Any new VM based on our images will now have both IPv4 and IPv6 configured, and our provided heat templates will also enable IPv6.

Many standard vendor images do not have IPv6 configured and only have IPv4 enabled by default.

If you want to enable IPv6 on a VM where it is not already enabled, you can follow the instructions below.

Ubuntu 16.04

To use IPv6 correctly, the following files must be created with the specified content.

  • /etc/dhcp/dhclient6.conf

      timeout 30;
    
  • /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg

      network: {config: disabled}
    
  • /etc/network/interfaces.d/lo.cfg

      auto lo
      iface lo inet loopback
    
  • /etc/network/interfaces.d/ens3.cfg

      iface ens3 inet6 auto
          up sleep 5
          up dhclient -1 -6 -cf /etc/dhcp/dhclient6.conf -lf /var/lib/dhcp/dhclient6.ens3.leases -v ens3 || true
    

Now that you have created the files, you can reenable the interface:

sudo ifdown ens3 && sudo ifup ens3

Once complete, you will have working IPv4 and IPv6 addresses.

If you want to automate the actions above, you can add this to the cloud-init part of our heat template (we will go over cloud-init in Step 19:

#cloud-config
write_files:
        - path: /etc/dhcp/dhclient6.conf
          content: "timeout 30;"
        - path: /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
          content: "network: {config: disabled}"
        - path: /etc/network/interfaces.d/lo.cfg
          content: |
              auto lo
              iface lo inet loopback
        - path: /etc/network/interfaces.d/ens3.cfg
          content: |
              iface ens3 inet6 auto
                  up sleep 5
                  up dhclient -1 -6 -cf /etc/dhcp/dhclient6.conf -lf /var/lib/dhcp/dhclient6.ens3.leases -v ens3 || true

runcmd:
        - [ ifdown, ens3]
        - [ ifup, ens3]

CentOS 7

To use IPv6 correctly, the following files must be created with the specified content.

  • /etc/sysconfig/network

      NETWORKING_IPV6=yes
    
  • /etc/sysconfig/network-scripts/ifcfg-eth0

      IPV6INIT=yes
      DHCPV6C=yes
    

Now that you have created the files, you can reenable the interface:

sudo ifdown eth0 && sudo ifup eth0

Once complete, you will have working IPv4 and IPv6 addresses.

If you want to automate the actions above, you can add this to the cloud-init part of our heat template (we will go over cloud-init in Step 19:

#cloud-config
write_files:
        - path: /etc/sysconfig/network
          owner: root:root
          permissions: '0644'
          content: |
              NETWORKING=yes
              NOZEROCONF=yes
              NETWORKING_IPV6=yes
        - path: /etc/sysconfig/network-scripts/ifcfg-eth0
          owner: root:root
          permissions: '0644'
          content: |
              DEVICE="eth0"
              BOOTPROTO="dhcp"
              ONBOOT="yes"
              TYPE="Ethernet"
              USERCTL="yes"
              PEERDNS="yes"
              PERSISTENT_DHCLIENT="1"
              IPV6INIT=yes
              DHCPV6C=yes
runcmd:
        - [ ifdown, eth0]
        - [ ifup, eth0]

External access

Important: This VM can now be reached from anywhere in the world via its IPv6 address (only on the ports that you allowed in the security group).

Unlike IPv4, you do not need to assign a floating IP address to be able to reach the VM.

If you want to reach the VM with IPv4, you must assign a floating IP address.

If you want to test the IPv6 reachability but do not have access to a machine with IPv6, you can use certain web-based tools, for example: https://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-ping.php

Conclusion

In the previous step, you established a connection with IPv4. Access via IPv6 has now also been added.

In the next step, the instance from Step 7 will be used as a template and made accessible from outside.