Using tunnel as IPv6 gateway on WS2008r2 domain network, firewall questions.

[andrewsi]

My network has an '08 R2 domain with a few servers and several Win7 clients. My ISP is Frontier (ex-verizon) FIOS with no native IPV6 support.

I successfully set up a server VM which is acting as a tunnel gateway and all the clients on the lan are able to get access to Ipv6 sites now.  However, the thing that has me concerned is the lack of the sort of port level protection we have via an IPv4 NAT where only the specific port/forwarding combos I want to be exposed to the inernet are available.  Using the HE port scan to probe specific IP6 addresses it's plainly visible that my domain controller is exposing RPC, AD services, remote desktop, etc.  It's fine for machines on the LAN to see these but I'm not so keen on all open ports being publicly visible.

I have been hunting around for recommendations on what sort of solution would be appropriate to maintain the same level of control, particularly with the level of simplicity we had from a simple NAT router appliance, but honestly I'm not sure there is one- does anyone have any suggestions on this topic?

Thanks,
Andy

[andrewsi]

Granted that'd be better. I have a wndr3700 and I first tried setting up the tunnel through that but Dd-wrt doesn't work so well with that router, wifi strength drops, and I'm not much of a Linux expert so getting ip6tables installed and configured was getting to be a pain. This I why I was hoping to find a good software firewall that'd make this simpler.  Also looked at putting pfSense back in place but their ip6 support doesn't seem to be fully baked yet either.

[andrewsi]

It might be usable for filtering traffic to that server that comes from off-LAN, but I'd have to repeat the process on every other machine on the net. I was hoping to find a gateway-level solution.

[andrewsi]

So maybe I'm confused, but I believe that the firewall in Windows is only useful for filtering the traffic addressed to the machine it's running on.  If you have an adapter configured as the tunnel and it is acting as a router and is forwarding the incoming traffic out to the LAN that's destined for dfferent address on the LAN, I think that's occurring pre-firewall, and so each machine will need its own firewall rules to filter the unwanted incoming traffic.  If I'm wrong about that, by all means clear up my misconception...

[johnpoz]

So does the 2k8r2 box act as your NAT router, ie is really the gateway for your network.  Or is inside your network already and your just using it as the endpoint for the tunnel?

Once you tunnel the ipv6 through your gateway, then yes every device that would be using this endpoint as its ipv6 gateway would need to have a firewall on it.  This is the problem with endpoint of the tunnel being inside your network.

If you endpoint the tunnel at your gateway, then its firewall could be used to filter ipv6 traffic into your network.

What device is your gateway to the public net now?  Is it this 2k8r2 box?  You have a public IP on one of its interfaces, and you nat that into your private network?  or do you have some router before this 2k8r2 box?

The ipv6 tunnel endpoint should end outside your private network, then the firewall of that endpoint device could be used.  Is possible that 2k8r2 firewall could do this, but I personally have never used it in such a setup.  Its a server OS, sure it can be configured for some basic routing, etc.  But not really the best choice if you ask me. 

If you give us some more info how the public net gets to your 2k8r2 box, we might be able to help you move the endpoint of the ipv6 tunnel to a device you could use as firewall for all ipv6 traffic in and out of your network. 

I currently use pfsense as my gateway, and is the tunnel endpoint, its firewall allows simple easy control over the ipv6 traffic flowing through this tunnel.

[Night]

yeah simple firewall, turn it on  - your 2008r2 clearly comes with one.

But this is why I am not a fan of endpoint of the tunnel being inside of your gateway device.  If you want to supply your network with ipv6 then just move the tunnel to your gateway device.  If does not support doing it, then change to a device that does, a simple $50 router running dd-wrt can do it   You will then have firewall at your edge you can block or allow traffic with.

I would like to do this, but i,have one thing i cant figure out how to do with such a set up. I have  a /28 and would like to use external ipv4 on my computers (dont get me started on NAT i hate it so much) Can this be done with ddwrt?

[andrewsi]

So does the 2k8r2 box act as your NAT router, ie is really the gateway for your network.  Or is inside your network already and your just using it as the endpoint for the tunnel?

Once you tunnel the ipv6 through your gateway, then yes every device that would be using this endpoint as its ipv6 gateway would need to have a firewall on it.  This is the problem with endpoint of the tunnel being inside your network.

If you endpoint the tunnel at your gateway, then its firewall could be used to filter ipv6 traffic into your network.

What device is your gateway to the public net now?  Is it this 2k8r2 box?  You have a public IP on one of its interfaces, and you nat that into your private network?  or do you have some router before this 2k8r2 box?

So at the moment this box is behind the WNDR3700 Netgear NAT and is the tunnel endpoint.  Since the Windows firewall is entirely oriented towards filtering traffic directed at that machine, rather than something like Forefront TMG which is a "real" forwarding firewall, I am currently playing around instead with setting up a Linux VM on this machine (rather than using the native Windows OS) with the idea that it goes:
HE->IPV4 NAT->Linux VM tunnel endpoint->(IP6TABLES or other IP6 firewall package with only IP6 packet forwarding turned on)-> other LAN machines.

I've got the tunnel set up and working on the VM (MS now has CentOS 6.0 support in Hyper-V), and now I'm playing around with the IPv6 firewall and forwarding config, which is an education for me because I'm not much of a Linux guy.

If I set things up that way, I think I will essentially have one router/firewall for IPv4 (the netgear) and one router/firewall for IPV6 (the Linux VM) and the fact that the tunneled packets are transparently forwarded through the IPv4 firewall without inspection doesn't seem like such a big deal/risk as long as the proper filtering is taking place between the incoming tunnel and the forwarding of those packets out to the LAN - those tunneled packets can't skirt around the tunnel endpoint inside the LAN and mess up other machines on my network, so far as I can see...

As for why I'm not just doing this all on the netgear device directly, well, as I mentioned earlier, using DD-WRT and such was turning into a somewhat painful exercise on this router, in that it was having undesirable effects on wireless signal strength.  So I'm just looking for a cheap solution using my existing hardware.