ASCII.jp NAT also used? FLET'S IPv6 PPPoE Connection Address and Security

In Part 3, we looked at the settings for using an "Internet (IPv6 PPPoE) connection" (hereafter referred to as "IPv6 PPPoE connection"), and in Part 4, we looked at the connection mechanism. Next, let's look at how IPv6 addresses are assigned to home PCs (hosts).

Status of IPv6 allocation to hosts

As explained in the previous article, MA-100 allocates IPv6 addresses to hosts (PCs) as shown in the figure below.

How to assign IPv6 addresses. The MA-100 is assigned by the ISP, and the host (home PC) is assigned by the MA-100

And the next screen is the address information of two home PCs running Windows 7.

Home PC on a line with a Hikari Denwa subscription (red lines are related to IPv4)

Home PC without Hikari Denwa line

On the line with the Hikari Denwa contract (upper screen), Hikari Denwa is connected via IPv4, and the IPv4 address is assigned to the PC by the Hikari Denwa router (the part circled in red). On the other hand, on the line without a Hikari Denwa contract (lower screen), IPv4 is disabled because no IPv4 environment is available.

Either way, when accessing the Internet over IPv6, the IPv6 address assigned to the PC is used. On examination, the source address of the packets was the IPv6 address configured on the PC, confirming that traffic is routed from the home PC using its global IPv6 address.

In addition, for IPv4, a private address ("192.168.1.2" in this example) is assigned to the PC, just as with a normal IPv4 service. When accessing the Internet, the NAT (IP masquerade) function of the broadband router (the Hikari Denwa router) translates it to a global address.

So, what happens when you access a server inside NGN (the internal network of FLET'S Hikari Next) rather than the Internet?

When I accessed a service in NGN from the line without a Hikari Denwa subscription, the source address of the IPv6 packets was not the IPv6 address configured on the PC but "2408:40:bfff:35:7466:1a48:4103:789c".

The status of IPv6 address allocation for "lines without a Hikari Denwa subscription". "IPoE RA" in the upper row is the address for NGN access


This address prefix (2408:40:bfff:35::/64) was provided to the MA-100 by NGN via RA, and it is not assigned to the PC. In other words, between the PC and the MA-100 the address of the IPv6 PPPoE connection is used, but when accessing an NGN server the MA-100 uses its NAT function to translate the source to an NGN address. Unlike IPv4 Internet access, this does not mean many hosts share a single global address, but NAT is used in IPv6 as well.

Because all of the above happens automatically, users do not need to distinguish between Internet access and NGN access. Once the MA-100 is correctly configured and an IPv6 address is correctly configured on a PC that supports IPv6, IPv6 can be used freely. Naturally, services within NGN, the Internet, and other home PCs can all be reached over the same IPv6 PPPoE connection.

Communication between IPv6 PPPoE lines and security

As mentioned above, home PCs use private addresses in the IPv4 environment, so there is little risk of direct access from the Internet side. In the IPv6 environment, however, even PCs inside the home have global addresses, so in theory they can be reached from anywhere on the Internet. This raises security concerns.

When I tried it, the default behaviour of the MA-100 was to discard connection requests from the outside. If you want to accept connections from the outside, you have to create rules in the packet filter that accept them. So there is no danger of IPv6 hosts being freely accessible from the outside.

Of course, that doesn't mean you can't communicate. By configuring the MA-100's packet filter, you can allow access from the Internet side and respond to commands such as ping and Tracert.
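To make the two behaviours described above concrete (source translation toward NGN, and the default-deny inbound filter with explicit allow rules), here is an added Python model of the MA-100's forwarding decision. It is example code written for this article, not the MA-100's firmware; the prefixes are constructed from the screenshots, and NGN_RANGE is a placeholder standing in for the NGN address space.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed values (assumptions, not the MA-100's actual configuration):
# DELEGATED: prefix the ISP hands the MA-100 via DHCP-PD and the MA-100 advertises to home PCs.
# NGN_RA:    prefix NGN gives the MA-100 over IPoE RA; never assigned to PCs.
# NGN_RANGE: placeholder for "addresses inside NGN" (not a real allocation).
DELEGATED = ipaddress.ip_network("2001:2c0:cc00:5500::/64")
NGN_RA = ipaddress.ip_network("2408:40:bfff:35::/64")
NGN_RANGE = ipaddress.ip_network("2408::/22")
NGN_NAT_SRC = ipaddress.ip_address("2408:40:bfff:35:7466:1a48:4103:789c")  # seen in the article

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "icmpv6-echo", "tcp", "udp"
    dport: Optional[int] = None

@dataclass
class Ma100:
    """Minimal model: outbound routing/NAT plus a default-deny inbound filter."""
    allow: list = field(default_factory=list)   # inbound allow rules: (proto, dport or None)
    flows: set = field(default_factory=set)     # (pc_addr, remote_addr) of outbound traffic

    def forward(self, pkt: Packet) -> Tuple[str, str]:
        """Return (decision, source address as the packet leaves the MA-100)."""
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if src in DELEGATED:                        # outbound from a home PC
            self.flows.add((str(src), str(dst)))
            if dst in NGN_RANGE:                    # NGN service: NAT to the IPoE RA address
                return "ngn-nat", str(NGN_NAT_SRC)
            return "internet", str(src)             # Internet: PC's global address routed as-is
        if dst in DELEGATED:                        # inbound toward a home PC
            if (str(dst), str(src)) in self.flows:  # reply to something the PC initiated
                return "accept-reply", str(src)
            for proto, port in self.allow:          # explicit user rule (e.g. allow ping)
                if proto == pkt.proto and port in (None, pkt.dport):
                    return "accept-rule", str(src)
        return "drop", str(src)                     # default: unsolicited requests discarded

if __name__ == "__main__":
    box = Ma100(allow=[("icmpv6-echo", None)])
    print(box.forward(Packet("2001:2c0:cc00:5500::10", "2408:40:ffff::1", "tcp", 80)))
    print(box.forward(Packet("2001:db8::9", "2001:2c0:cc00:5500::10", "tcp", 3389)))
```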

MA-100 packet filter settings

The following is an access log from the home PC on the line without a Hikari Denwa subscription to the PC on the other line.

Ping and Tracert from a PC without a Hikari Denwa line to a PC with a Hikari Denwa line (2001:2c0:cc00:5500:7c5c:7f95:b43d:d96c)

As an application example, I also connected to the remote PC with Remote Desktop, and it worked without any problems.

What about IPv6 PPPoE connection without MA-100?

By the way, is it possible to use an IPv6 PPPoE connection without an adapter that explicitly supports "Internet (IPv6 PPPoE) connection"?

The short answer is that you should assume it is not possible. A device could in principle serve as the connection equipment if it supports IPv6 PPPoE and can also NAT between that and an IPv6 IPoE connection for communication with NGN. However, because this is a very particular combination of functions, there is no choice but to conclude that a device cannot be used unless it clearly states support for "Internet (IPv6 PPPoE) connection".

FLET'S also provides PC software for terminating IPv4 PPPoE on the PC itself, so can that be used for IPv6 PPPoE? This does not work either. To be precise, the PPPoE session connects, but IPv6 communication with the Internet is not possible. The reason is that the IPv6 PPPoE connection uses "DHCP-PD" to provide IPv6 addresses. As I wrote earlier, DHCP-PD is a protocol for delegating IPv6 prefixes to gateways such as broadband routers, and it cannot directly assign addresses to hosts such as PCs.

Also, with PPPoE, some users may find it inconvenient that IPv4 and IPv6 are carried in separate sessions. FLET'S Hikari Next limits the number of PPPoE sessions per line. This limit is normally 2, so if one session is used for an IPv4 Internet service and the other for a VPN service or a second provider, both are already in use. A user in that situation who wants to add an IPv6 Internet connection must apply separately for "FLET'S Session Plus" to increase the number of PPPoE sessions, at a cost of 315 yen per session per month.

So far, we have built an IPv6 Internet environment over an IPv6 PPPoE connection and confirmed that it works. Once you purchase the MA-100, you can build an IPv6 Internet connection with very simple procedures. Although the MA-100 is required, another advantage is that, as long as the ISP has issued a PPPoE user name and password, the connection can be used on any FLET'S Hikari Next line, without being tied to the location where the FLET'S line was installed *1.

*1 The user name and password issued by the ISP may differ depending on the line type, in which case the same user name and password may not be usable unless the line type is the same. If you want to change the installation location without changing the settings of the MA-100, check in advance whether the line type is the same.

(IPv6 IPoE)”, let’s see how to use it and how it works.