DS-Lite (IPv4 over IPv6) Internet connection with CentOS

This article tested Internet access speedup by IPv6 connection, but IPv6 Plus (MAP-E) provided by @nifty requires dedicated equipment, the Cisco ASA5505, VyOS, Linux etc. can only perform simple IPoE connection , It was not possible to speedup the IPv4 service.

en-designetwork.hatenablog.com

Services and Web sites to be used on a daily basis Since IPv4 access is required for the majority of Web sites, we will build an environment of IPv4 over IPv6 tunnel using the DS-Lite service of ZOOT NATIVE (Interlink).

The DS-Lite service of ZOOT NATIVE is a provider-like service that enables connection to transix provided by Internet multifeed. (Japanese services)

無料体験・即日ID発行のプロバイダ - 株式会社インターリンク【公式】

Network diagram
NIC configuration
Firewall configuration for NIC
Disable SELinux
Routing activation at CentOS
IPv6 address and communication confirmation
IPv4 over IPv6 tunnel setting
Communication confirmation
Speed comparison
You can also use IPoE
Conclusion - DS-Lite (IPv4 over IPv6) Internet connection with CentOS

Network diagram

Use Catalyst2960 (L2SW) for changing multiple routers connect to the Internet.

NIC configuration

inside NIC

$ sudo cat /etc/sysconfig/network-scripts/ifcfg-ens160
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=no
IPV4_FAILURE_FATAL=yes
IPV6INIT=yes
IPV6_AUTOCONF=no
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens160
UUID=531a8e7d-07d1-4b71-9d27-96433ca6f8fc
DEVICE=ens160
ONBOOT=yes
DNS1=192.168.1.77
DNS2=8.8.8.8
DOMAIN=designet.local
ZONE=trusted
IPADDR=192.168.1.8
PREFIX=24
IPV6_PRIVACY=no

outside physical NIC

Use Sub Interfaces because outside NIC is shared some segments.

$ sudo cat /etc/sysconfig/network-scripts/ifcfg-ens192
TYPE=Ethernet
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens192
UUID=05c28633-5849-4892-bdc0-08e69b574ac1
DEVICE=ens192
ONBOOT=yes
ZONE=trusted
PEERDNS=yes
PEERROUTES=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_PRIVACY=no

outside Sub Interface

$ sudo cat /etc/sysconfig/network-scripts/ifcfg-outside
VLAN=yes
TYPE=Vlan
PHYSDEV=ens192
VLAN_ID=99
REORDER_HDR=yes
GVRP=no
MVRP=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=outside
UUID=9e20f5e5-3a57-4441-9b78-cb784c42d3fe
ONBOOT=yes
ZONE=trusted
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes

Firewall configuration for NIC

Test in no security.

$ sudo firewall-cmd --zone=trusted --change-interface=ens160
The interface is under control of NetworkManager, setting zone to 'trusted'.
success

$ sudo firewall-cmd --zone=trusted --change-interface=ens192
The interface is under control of NetworkManager, setting zone to 'trusted'.
success

$ sudo firewall-cmd --zone=trusted --change-interface=ens192.99
The interface is under control of NetworkManager, setting zone to 'trusted'.
success

Disable SELinux

$ sudo setenforce 0
$ getenforce
Permissive

Routing activation at CentOS

Temporary enable routing for test.

$ cat /proc/sys/net/ipv4/ip_forward
0
$ su -
# echo 1 >/proc/sys/net/ipv4/ip_forward
# cat /proc/sys/net/ipv4/ip_forward
1

IPv6 address and communication confirmation

IPv6 address

I got the IPv6 global address: 2409:10:24e0:2000::/64

$ ip -6 a
15: ens192.99@ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2409:10:24e0:2000:b8bb:e04d:d79a:xxxx/64 scope global noprefixroute dynamic
       valid_lft 2591913sec preferred_lft 604713sec
    inet6 fe80::2fc9:356d:ef33:cee9/64 scope link
       valid_lft forever preferred_lft forever

IPv6 neighbor

$ ip -6 neigh
fe80::221:d8ff:fe9a:d1c1 dev ens192.99 lladdr 00:21:d8:9a:d1:c1 router REACHABLE

IPv6 default route

$ ip -6 r
default via fe80::221:d8ff:fe9a:d1c1 dev ens192.99  proto static  metric 400

DS-Lite communication confirmation

Check your connectivity to Tunnel Destination.

$ ping6 2404:8e00::feed:100
PING 2404:8e00::feed:100(2404:8e00::feed:100) 56 data bytes
64 bytes from 2404:8e00::feed:100: icmp_seq=1 ttl=59 time=5.71 ms
64 bytes from 2404:8e00::feed:100: icmp_seq=2 ttl=59 time=2.71 ms
^C
--- 2404:8e00::feed:100 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 2.719/4.216/5.713/1.497 ms

$ traceroute6 2404:8e00::feed:100
traceroute to 2404:8e00::feed:100 (2404:8e00::feed:100), 30 hops max, 80 byte packets
 1  2409:10:24e0:2000::fffe (2409:10:24e0:2000::fffe)  1.071 ms  1.061 ms  1.581 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  2404:8e00:feed:ff07::2 (2404:8e00:feed:ff07::2)  5.506 ms  10.365 ms  9.893 ms
 7  2404:8e00::feed:100 (2404:8e00::feed:100)  17.772 ms  17.704 ms  11.916 ms

If it can not be connected successfully, restart the Network etc.

$ sudo systemctl restart network

IPv4 over IPv6 tunnel setting

I tried settings with help .

$ ip -6 tunnel help
Usage: ip -f inet6 tunnel { add | change | del | show } [ NAME ]
          [ mode { ip6ip6 | ipip6 | ip6gre | vti6 | any } ]
          [ remote ADDR local ADDR ] [ dev PHYS_DEV ]
          [ encaplimit ELIM ]
          [ hoplimit TTL ] [ tclass TCLASS ] [ flowlabel FLOWLABEL ]
          [ dscp inherit ]
          [ [i|o]seq ] [ [i|o]key KEY ] [ [i|o]csum ]

Configuration command

Create tunnel.

$ sudo ip -6 tunnel add ds-lite mode ipip6 remote 2404:8e00::feed:100 local 2409:10:24e0:2000:b8bb:e04d:d79a:xxxx dev ens192.99

Disable input packet from the internet. (Return packets are permitted)

$ sudo firewall-cmd --zone=drop --change-interface=ds-lite
success

Activate tunnel.

$ sudo ip link set dev ds-lite up

IPv4 routing (default route) setting

$ sudo ip route add 0.0.0.0/0 dev ds-lite

status check

$ ip a
77: ds-lite@if4: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1452 qdisc noqueue state UNKNOWN qlen 1
    link/tunnel6 2409:10:24e0:2000:b8bb:e04d:d79a:4a82 peer 2404:8e00::feed:100
    inet6 fe80::9805:daff:fe9c:5d8b/64 scope link
       valid_lft forever preferred_lft forever

$ ip -6 tunnel show
ip6tnl0: ipv6/ipv6 remote :: local :: encaplimit 0 hoplimit 0 tclass 0x00 flowlabel 0x00000 (flowinfo 0x00000000)
ds-lite: ip/ipv6 remote 2404:8e00::feed:100 local 2409:10:24e0:2000:b8bb:e04d:d79a:4a82 dev if4 encaplimit 4 hoplimit 64 tclass 0x00 flowlabel 0x00000 (flowinfo 0x00000000)

$ ip r
default dev ds-lite  scope link
192.168.1.0/24 dev ens160  proto kernel  scope link  src 192.168.1.8  metric 100

Communication confirmation

Success connect to the Internet via DS-Lite.

$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  ike-gw00.transix.jp (14.0.9.66)  3.063 ms  2.763 ms  2.737 ms
 2  ike-bbrt10.transix.jp (14.0.9.65)  2.994 ms  2.927 ms  2.940 ms
 3  210.173.176.243 (210.173.176.243)  3.799 ms  3.778 ms  3.747 ms
 4  108.170.242.129 (108.170.242.129)  3.877 ms 108.170.242.97 (108.170.242.97)  4.138 ms 108.170.242.129 (108.170.242.129)  3.725 ms
 5  108.170.236.179 (108.170.236.179)  4.530 ms 108.170.236.195 (108.170.236.195)  4.575 ms 216.239.54.21 (216.239.54.21)  4.622 ms
 6  google-public-dns-a.google.com (8.8.8.8)  4.211 ms  4.377 ms  4.341 ms

I can communicate from inside Mac via CentOS 7 in the same way.

Mac: $ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
 1  o-cent-rt01.designet.local (192.168.1.8)  2.404 ms  0.978 ms  1.001 ms
 2  ike-gw00.transix.jp (14.0.9.66)  3.785 ms  3.350 ms  6.000 ms
 3  ike-bbrt10.transix.jp (14.0.9.65)  4.419 ms  4.177 ms  4.495 ms
 4  210.173.176.243 (210.173.176.243)  5.231 ms  4.827 ms  5.182 ms
 5  108.170.242.193 (108.170.242.193)  5.537 ms
    108.170.242.97 (108.170.242.97)  5.386 ms  5.042 ms
 6  72.14.236.107 (72.14.236.107)  5.284 ms
    209.85.143.51 (209.85.143.51)  5.706 ms
    216.239.41.247 (216.239.41.247)  5.453 ms
 7  google-public-dns-a.google.com (8.8.8.8)  5.106 ms  4.944 ms  5.183 ms

Speed comparison

Compare the communication speed between conventional IPv4 PPPoE and ZOOT NATIVE DS-Lite (IPv4 over IPv6).

Previously IPv4 PPPoE

@nifty IPv4 PPPoE + Cisco ASA 5505
-> about 5.8 Mbps

ZOOT NATIVE DS-Lite

ZOOT NATIVE DS-Lite + CentOS 7
-> About 66 Mbps

Also, traceroute results is slow in previous PPPoE. DS-Lite results are avobe.

Mac: $ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
 1  asa5505 (192.168.1.5)  9.144 ms  1.565 ms  1.376 ms
 2  133.160.170.13 (133.160.170.13)  36.559 ms  44.012 ms  174.003 ms
 3  133.160.170.117 (133.160.170.117)  174.886 ms  130.233 ms  177.554 ms
 4  133.160.148.209 (133.160.148.209)  189.458 ms  171.760 ms  87.412 ms
 5  133.160.182.129 (133.160.182.129)  170.154 ms
    133.160.182.41 (133.160.182.41)  143.139 ms
    133.160.182.33 (133.160.182.33)  174.666 ms
 6  210.173.176.245 (210.173.176.245)  43.980 ms  131.435 ms  37.133 ms
 7  108.170.242.193 (108.170.242.193)  137.539 ms  38.798 ms
    108.170.242.97 (108.170.242.97)  135.910 ms
 8  209.85.255.33 (209.85.255.33)  177.034 ms
    72.14.236.129 (72.14.236.129)  41.840 ms
    209.85.255.173 (209.85.255.173)  37.989 ms
 9  google-public-dns-a.google.com (8.8.8.8)  44.316 ms  49.897 ms  49.448 ms

You can also use IPoE

ZOOT NATIVE supports IPv6 native communication in IPoE system together with DS-Lite. Therefore, the IPv6 Internet access by the IPv6 NAPT method with the Cisco ASA 5505 written in this article is also possible.

en-designetwork.hatenablog.com

Conclusion - DS-Lite (IPv4 over IPv6) Internet connection with CentOS

DS-Lite (IPv4 over IPv6) Internet connection to transix (Internet multifeed) via ZOOT NATIVE using CentOS (Linux). As a result, the communication speed to the IPv4 internet network has improved 10 times . Continue to use DS-Lite for free period and consider whether to continue using ZOOT NATIVE.