<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>KDB Systems &#187; EDNS</title>
	<atom:link href="http://www.kdbsystems.ca/index.php/category/edns/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.kdbsystems.ca</link>
	<description>Tech Ramblings by Kerry Brown</description>
	<lastBuildDate>Thu, 22 Sep 2011 17:26:19 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Experimenting with IPv6 – Part 1</title>
		<link>http://www.kdbsystems.ca/index.php/2009/10/experimenting-with-ipv6-%e2%80%93-part-1/</link>
		<comments>http://www.kdbsystems.ca/index.php/2009/10/experimenting-with-ipv6-%e2%80%93-part-1/#comments</comments>
		<pubDate>Mon, 19 Oct 2009 17:11:00 +0000</pubDate>
		<dc:creator>Kerry Brown</dc:creator>
				<category><![CDATA[DNS]]></category>
		<category><![CDATA[EDNS]]></category>
		<category><![CDATA[IPv6]]></category>
		<category><![CDATA[Server 2008 R2]]></category>

		<guid isPermaLink="false">http://kdbsystems.wordpress.com/2009/10/19/experimenting-with-ipv6-%e2%80%93-part-1</guid>
		<description><![CDATA[IPv6 is coming. We’ll all have to learn how to deal with it. With this in mind I’ve set out to educate myself about IPv6. I learn better by doing than by reading. I like to read enough that I have a very basic understanding of the subject then play. After playing with it I [...]]]></description>
			<content:encoded><![CDATA[<p><span>
<p>IPv6 is coming. We’ll all have to learn how to deal with it. With this in mind I’ve set out to educate myself about IPv6. I learn better by doing than by reading. I like to read enough that I have a very basic understanding of the subject then play. After playing with it I generally find I need to do some more reading or possibly even take some courses. With IPv6 I’m at the playing stage. I decided to set up a Server 2008 R2 virtual machine as a test bed for IPv6. I needed a second domain controller on my SBS 2003 network so I made it a DC and a DNS server. It’s probably not the best idea to use a DC for an IPv6 experiment but I figured I may as well go whole hog and learn by making mistakes.</p>
<p>The reason for the DNS server is so once I figure out IPv6 it can answer IPv6 queries from the workstations. Plus it’s a DC which implies a DNS server. This is the first place I ran into a problem. There is a bug in the 2008 R2 DNS server implementation. It wasn’t resolving some queries. NSlookup microsoft.com worked but nslookup www.microsoft.com didn’t. It was very perplexing and took a lot of Bing-fu and Google-fu to fix. The fix is here in <a href="http://weblogs.asp.net/owscott/archive/2009/09/15/windows-server-2008-r2-dns-issues.aspx">Scott Forsyth’s Blog</a>. It appears it’s a combination of some DNS servers not returning EDNS results properly and the way Server 2008 R2 DNS deals with that.</p>
<p>The server was now set up as a DC and a DNS server. To play with IPv6 I needed to set up a tunnel. My ISP doesn’t support IPv6 and neither does my router. I decided to activate a free IPv6 tunnel at <a href="http://tunnelbroker.net/">tunnelbroker.net</a>. This was relatively straightforward. I was happily testing IPv6 over the tunnel thinking that was too easy. I was right, it was too easy. I decided to run a port scan of the IPv6 tunnel. Imagine my surprise to find out that as far as the Windows firewall was concerned the tunnel was part of the local network. I had just put a DC on the Internet with no firewall. Not good to say the least. I quickly disabled the tunnel. I spent the next several hours Googling and Binging to no avail. So far I haven’t found any way to block incoming ports on the IP6Tunnel interface while leaving ports open for the local network. I’m stuck for now. I need to use the Windows firewall because the tunnel by definition bypasses the firewall in my router. I’m sure there’s a way but until I find it no IPv6 for me. Once I get past this setback I’ll continue this blog series.</p>
<p><strong>Update</strong></p>
<p>It looks like the only way to do this is to add a second NIC for the IPv6 tunnel. I should be able to set the firewall profile for the second NIC to Public which would solve the problem. I don’t want the headaches caused by a multi-homed domain controller. I’d probably need to set up a VLAN as well, which my router doesn’t support. The project is temporarily on hold while I rethink things.</p>
<p></span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.kdbsystems.ca/index.php/2009/10/experimenting-with-ipv6-%e2%80%93-part-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

