So, here it is in all its ugly glory...
# - Pre-build items (to do before) IPv6 demo 1
# - Show building everything out
# - from gold image of Server 2012 (a server w/ nothing on it)
#
# -----------------------------
# - first get your network adapter naming
Get-NetIPInterface
# - determine the interface index number for the interface you want to set - in this case 12
# - see if any existing IP addresses are assigned to the interface
Get-NetIPAddress
# - if not then you can set the IP address on the interface for the first time using
New-NetIPAddress -InterfaceIndex 12 -IPAddress 10.10.1.1 -PrefixLength 24 -DefaultGateway 10.10.1.254 -WhatIf
New-NetIPAddress -InterfaceIndex 12 -IPAddress "2001:0db8:cafe:0010::1" -PrefixLength 64 -DefaultGateway "2001:0db8:cafe:0010::254" -WhatIf
# - validate the information
# - let's start using some of the built-in alias commands - so gip = Get-NetIPConfiguration
Get-Alias gip
# - now use it
gip
# - next let's look at the routing table to confirm things are built out the way we expect
# - first confirm the IPv4 routes
Get-NetRoute -AddressFamily IPv4
# - next confirm the IPv6 routes
Get-NetRoute -AddressFamily IPv6
#
# - if you are modifying an existing server IP stack you will need to use
Set-NetIPAddress -InterfaceIndex 12 -IPAddress 10.10.2.1 -PrefixLength 24 -WhatIf
Set-NetIPAddress -InterfaceIndex 12 -IPAddress "2001:0db8:cafe:0010::2" -PrefixLength 64 -WhatIf
# - notice no default gateway modifications were done since that is a routing table function
Get-NetRoute
# - modify the routing entries
# - you will note a principal difference in a SLAAC IPv6 configuration vs. a static one
# - specifically, you will see the next hop on a SLAAC will use the link-local address of the RA
# - technically in proper IPv6 routing the link-local address is used, however in static config
# - you will likely end up putting in a next hop with a unique local address (ULA)
# - you will have to remove the routing entry for the default gateway before applying a new one
Remove-NetRoute -DestinationPrefix "::/0" -Confirm
New-NetRoute -DestinationPrefix "::/0" -InterfaceIndex 12 -NextHop "2001:db8:cafe:10::253" -Publish Yes -RouteMetric 256 -WhatIf
# - the basics are now in place for IPv4 and IPv6 to function on the interface
# - next we need to add DNS entries onto the server for IPv4 and IPv6
# - you can use gip to see what the DNSServer values are
gip
# - or alternately use
Get-DnsClientServerAddress -AddressFamily IPv6
# - if the output contains fec0 values then the interface does not have proper local IPv6 DNS resolver entries - so fix it
# - (fec0::/10 is the deprecated site-local range; fec0:0:0:ffff::1-3 are the well-known fallback resolvers Windows uses when none are configured)
Set-DnsClientServerAddress -InterfaceIndex 12 -ServerAddresses "2001:4860:4860::8888", "2001:4860:4860::8844" -WhatIf
#
# - optionally build out DNS and DHCP install - for now just install the services on the server
Install-WindowsFeature DNS, DHCP
# - make sure they installed
Get-WindowsFeature DNS, DHCP
# - look at dhcp first
Get-Command -Module DHCPServer
# - need to figure out how to get the account roles installed and working without the Server Manager wizard - not critical if you did the install w/ the wizard but w/ PowerShell it doesn't work correctly
# - display the Windows management interface - refresh to show the DNS and DHCP services are there
# - add an IPv6 and IPv4 scope so our Windows 8 computer can come up
# - IPv6 first
Add-DhcpServerv6Scope -Prefix "2001:db8:cafe:10::" -Name test1-ipv6 -State Active -WhatIf
Add-DhcpServerv6ExclusionRange -Prefix "2001:db8:cafe:10::" -StartRange "2001:db8:cafe:10::1" -EndRange "2001:db8:cafe:10::256" -WhatIf
# - (placeholder from the outline - there is no such cmdlet; DHCPv6 scope options such as DNS servers are set with Set-DhcpServerv6OptionValue)
#Set-DHCPServerv6PolicyOptions
Get-DhcpServerv6Scope | Format-List *
# - notice anything odd about the range that was excluded? What are valid IPv6 addresses - like: 2001:db8:cafe:10::a - is that in the range?
# - see the hosts that are active in the IPv6 scope
Get-DhcpServerv6Binding
#
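The question above about the exclusion range is worth answering numerically, because the hextets in an IPv6 address are hexadecimal: `::256` is 0x256 = 598, so an exclusion of `::1` through `::256` is 598 addresses wide and `::a` (10) sits well inside it. The following is an added example, not code from the original outline; it converts addresses to 128-bit integers so ranges can be compared and sized, and the demo prefix and exclusion values are assumed from the outline. If the DhcpServer module is present it also checks the exclusions the server actually holds.

```powershell
# Added example (not from the original post): check a DHCPv6 exclusion range numerically.
# Assumed values: the demo prefix 2001:db8:cafe:10:: and its ::1 - ::256 exclusion.

function ConvertTo-IPv6Integer {
    # Turn an IPv6 address into a 128-bit unsigned integer so ranges can be compared.
    param([Parameter(Mandatory = $true)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "$Address is not an IPv6 address"
    }
    $bytes = $ip.GetAddressBytes()
    [array]::Reverse($bytes)                       # BigInteger wants little-endian input
    $le = [byte[]]($bytes + [byte]0)               # trailing zero byte keeps the value positive
    return New-Object System.Numerics.BigInteger -ArgumentList (,$le)
}

function Test-IPv6InRange {
    # True when $Address lies inside the inclusive range $StartRange..$EndRange.
    param([string]$Address, [string]$StartRange, [string]$EndRange)
    $a = ConvertTo-IPv6Integer $Address
    return ($a -ge (ConvertTo-IPv6Integer $StartRange)) -and ($a -le (ConvertTo-IPv6Integer $EndRange))
}

function Get-IPv6RangeSize {
    # Number of addresses in the inclusive range.
    param([string]$StartRange, [string]$EndRange)
    return (ConvertTo-IPv6Integer $EndRange) - (ConvertTo-IPv6Integer $StartRange) + 1
}

$start = "2001:db8:cafe:10::1"
$end   = "2001:db8:cafe:10::256"
# ::256 is hexadecimal 0x256 = 598, so this exclusion is 598 addresses wide, not 256
"Exclusion {0} - {1} covers {2} addresses" -f $start, $end, (Get-IPv6RangeSize $start $end)
foreach ($candidate in "2001:db8:cafe:10::a", "2001:db8:cafe:10::100", "2001:db8:cafe:10::257") {
    "{0,-24} excluded: {1}" -f $candidate, (Test-IPv6InRange $candidate $start $end)
}

# If the DHCP module is present, run the same sizing against what the server actually holds
if (Get-Command Get-DhcpServerv6ExclusionRange -ErrorAction SilentlyContinue) {
    Get-DhcpServerv6ExclusionRange -Prefix "2001:db8:cafe:10::" | ForEach-Object {
        "{0} - {1}: {2} addresses" -f $_.StartRange, $_.EndRange,
            (Get-IPv6RangeSize "$($_.StartRange)" "$($_.EndRange)")
    }
}
```

The point for the server build is that an exclusion sized in decimal by mistake either reserves far more of the scope than intended or, the other way round, leaves addresses you meant to keep for infrastructure (gateway, DNS) available for lease.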
# - IPv4 commands for similar purpose
Add-DhcpServerv4Scope -StartRange 10.10.1.16 -EndRange 10.10.1.31 -SubnetMask 255.255.255.0 -Name test1-ipv4 -WhatIf
Set-DhcpServerv4OptionValue -DnsServer 8.8.8.8 -Router 10.10.1.254 -DnsDomain ipv4.example.com
#Set-DhcpServerv4OptionDefinition -OptionId 3 -DefaultValue 10.10.1.254 -Name "default gateway"
Get-DhcpServerv4Scope | Format-List *
Get-DhcpServerv4OptionValue
Get-DhcpServerv4Binding
#
# ----------------------------
# - Demo 1 run through script
# - show how to disable 6to4
# - first check the status
Get-Net6to4Configuration
# - note the state is Default
# - turn off 6to4
Set-Net6to4Configuration -State Disabled
# - same task with netsh for v2
netsh interface ipv6 6to4 set state disabled
# - show the status
netsh interface ipv6 6to4 show state
#
#
# - show how to turn off ISATAP
# - first check the status
Get-NetIsatapConfiguration
# - note the state is Default
# - turn off ISATAP
Set-NetIsatapConfiguration -State Disabled
# - same task with netsh for v2
netsh interface isatap set state disabled
# - show the status
netsh interface ipv6 isatap show state
#
#
# - show how to turn off Teredo
# - first check the status
Get-NetTeredoConfiguration
# - note the state is Default
Set-NetTeredoConfiguration -Type Disabled
# - same task with netsh for v2
netsh interface teredo set state type=disabled
# - show the status
netsh interface teredo show state
#
#
# - review through each of the PowerShell cmdlets if time permits:
Get-Net6to4Configuration | gm
Get-NetIsatapConfiguration | gm
Get-NetTeredoConfiguration | gm
#
#
# - get IP address, interface alias and prefix origin info
# - example Get-NetAdapter formatted output for all up interfaces:
Get-NetAdapter | Where-Object Status -eq 'Up' | Get-NetIPAddress -ErrorAction SilentlyContinue | Format-Table IPAddress, InterfaceIndex, InterfaceAlias, PrefixOrigin -AutoSize
#
# - show DHCP lease status for IPv6 network
Get-DhcpServerv6Lease -Prefix "2001:db8:cafe:10::" | Format-List
# - switch to local Win8 client - show IPv6 address is in the DHCPv6 lease info
gip
#
# - review through the IPv6 specific PowerShell cmdlets:
Get-NetIPv6Protocol | gm
Get-Help Get-NetIPv6Protocol -Full
# - go through the specific parameter options
# -
# - review through the IPv6 settings commands
Get-Help Set-NetIPv6Protocol -Full
#
# ----------------------------
# - Demo 2 run through script
# - interface specific configurations
# PowerShell for each interface type for firewall configuration - sequencing through those
# focus is on best practice - which means turn the service off but firewall against it also
# show RAGuard behavior via FW rules for servers if they will have static IPv6 addresses (recommended)
# show why ICMPv6 is so important to allow through (PathMTU discovery)
# - Show network module NetTCPIP
Get-Module NetTCPIP | gm
# - Show how to test (ping, tracert, nslookup)
# - all the command prompt options work in PowerShell - demo them
# - first introduce Test-Connection -Quiet, which returns a boolean value (True/False)
Test-Connection 10.10.1.1 -Quiet
Test-Connection "2001:db8:cafe:10::1" -Quiet
# - next show all the specific TCP settings and what Transport filter options are available
Get-NetTCPSetting
# - next show the Transport filters
Get-NetTransportFilter
# - you can create a custom Transport filter using
New-NetTransportFilter -SettingName Datacenter -DestinationPrefix 10.0.0.0/8
New-NetTransportFilter -SettingName Datacenter -DestinationPrefix "2001:db8:cafe:10::/64"
#
# - might need to add additional testing / settings - not critical
#
# - next go over the advanced firewall options
Get-NetFirewallRule | gm
# - firewall rules
# - netsh can be used also:
netsh advfirewall monitor show firewall rule name=all dir=in
# - PowerShell now
Get-NetFirewallRule
# - walk through the output of some of the firewall rules
#
# - sample creating new firewall rule
# - first example is blocking a specific application (not just a port)
New-NetFirewallRule -DisplayName "Block Outbound Telnet" -Direction Outbound -Program "%SystemRoot%\System32\tlntsvr.exe" -Protocol TCP -LocalPort 23 -Action Block -PolicyStore "domain.contoso.com\gpo_name"
#
# - second example is blocking a specific IPv4 address to prevent 6to4 (192.88.99.1 is the 6to4 relay anycast address)
New-NetFirewallRule -DisplayName "Block 6to4 Outbound" -Direction Outbound -Protocol 41 -RemoteAddress 192.88.99.1 -Action Block
#
# - example - allow TCP traffic addressed to port 12345 and the range of ports 5000-5020 to a specific application from the computers on the remote side of an edge (NAT) device, using the Teredo IPv6 interface
New-NetFirewallRule -DisplayName "Allow TCP 12345 and 5000-5020 over Teredo" -Direction Inbound -Action Allow -EdgeTraversalPolicy Allow -Protocol TCP -LocalPort 12345,5000-5020 -Program "C:\Program Files (x86)\TestIPv6App.exe"
#
# - IPv6 FW examples:
# - IPv6 FW rules to block 6to4 traffic
New-NetFirewallRule -DisplayName "Block 6to4 Outbound" -Direction Outbound -Protocol 41 -RemoteAddress 192.88.99.1 -Action Block
New-NetFirewallRule -DisplayName "Block 6to4 Outbound ICMP" -Direction Outbound -Protocol ICMPv4 -RemoteAddress 192.88.99.1 -Action Block
New-NetFirewallRule -DisplayName "Block 6to4 Inbound" -Direction Inbound -Protocol 41 -RemoteAddress 192.88.99.1 -Action Block
# - display the results
Get-NetFirewallRule -DisplayName "Block 6to4 Outbound"
Get-NetFirewallRule -DisplayName "Block 6to4 Outbound ICMP"
Get-NetFirewallRule -DisplayName "Block 6to4 Inbound"
# - disable the FW rule:
Disable-NetFirewallRule -DisplayName "Block 6to4 Outbound"
Disable-NetFirewallRule -DisplayName "Block 6to4 Outbound ICMP"
Disable-NetFirewallRule -DisplayName "Block 6to4 Inbound"
# - enable the FW rule:
Enable-NetFirewallRule -DisplayName "Block 6to4 Outbound"
Enable-NetFirewallRule -DisplayName "Block 6to4 Outbound ICMP"
Enable-NetFirewallRule -DisplayName "Block 6to4 Inbound"
# - finally remove the FW rule:
Remove-NetFirewallRule -DisplayName "Block 6to4 Outbound"
Remove-NetFirewallRule -DisplayName "Block 6to4 Outbound ICMP"
Remove-NetFirewallRule -DisplayName "Block 6to4 Inbound"
#
# - IPv6 FW rules to block ISATAP traffic
# - more specific rules can be built for this around isatap.domain-name but those would be specific for AD joined hosts
# - this rule will also block 6to4 traffic automatically, making the above FW rule redundant but useful for tracking purposes
New-NetFirewallRule -DisplayName "Block ISATAP Outbound" -Direction Outbound -Protocol 41 -RemoteAddress Internet -Action Block
# - display the results
Get-NetFirewallRule -DisplayName "Block ISATAP Outbound"
# - disable the FW rule:
Disable-NetFirewallRule -DisplayName "Block ISATAP Outbound"
# - enable the FW rule:
Enable-NetFirewallRule -DisplayName "Block ISATAP Outbound"
# - remove the FW rule:
Remove-NetFirewallRule -DisplayName "Block ISATAP Outbound"
#
# - IPv6 FW rules to block Teredo traffic
# - (the Teredo server listens on UDP 3544, so that is the remote port; the client's local port is dynamic)
New-NetFirewallRule -DisplayName "Block Teredo Outbound" -Direction Outbound -Protocol UDP -RemotePort 3544 -RemoteAddress Internet -Action Block
# - display the results
Get-NetFirewallRule -DisplayName "Block Teredo Outbound"
# - disable the FW rule:
Disable-NetFirewallRule -DisplayName "Block Teredo Outbound"
# - enable the FW rule:
Enable-NetFirewallRule -DisplayName "Block Teredo Outbound"
# - remove the FW rule:
Remove-NetFirewallRule -DisplayName "Block Teredo Outbound"
#
# - a better way is to link the FW rule to the application for Teredo since the port can be dynamic
# - academic exercise to determine service name and build the rule
#
# - the actual built-in client FW rule for 6to4 and ISATAP inbound is:
Disable-NetFirewallRule -Name CoreNet-IPv6-In
# - the actual built-in FW rule for Teredo (UDP-In) is:
Disable-NetFirewallRule -Name CoreNet-Teredo-In
# - there are several others - academic exercise to find them all - simpler to add the specific deny rules
#
# - Windows 8 and Server 2012 already have the correct ICMP filter types in place but to show an example
# - finally, make sure to allow ICMPv6 per RFC4443 - so specifically allow the following types (135 = Neighbor Solicitation, 136 = Neighbor Advertisement):
New-NetFirewallRule -DisplayName "ICMPv6 RFC4443 135 In" -Direction Inbound -Protocol ICMPv6 -IcmpType 135 -Action Allow
New-NetFirewallRule -DisplayName "ICMPv6 RFC4443 136 In" -Direction Inbound -Protocol ICMPv6 -IcmpType 136 -Action Allow
#
#
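Demo 2's theme is "turn the service off but firewall against it also", and the rules above are created and removed by DisplayName. What a practitioner wants before and after the demo is a read-only check that does not depend on rule names. The following is an added example, not code from the original outline: it reports the 6to4/ISATAP/Teredo state, flags fec0 site-local DNS fallbacks, and looks for enabled outbound Block rules matching IP protocol 41 and UDP remote port 3544 plus enabled inbound Allow rules for ICMPv6 types 135 and 136, matching on the port filter rather than on the name. The function name and the report layout are this example's own; the cmdlets are the standard NetTCPIP, DnsClient and NetSecurity ones.

```powershell
# Added example (not part of the original outline): read-only audit of the settings the
# demos change. Nothing is modified; the result is a list of OK/WARN findings.

function Get-IPv6PostureReport {
    [CmdletBinding()]
    param()
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Area, [bool]$Ok, [string]$Detail) {
        $findings.Add([pscustomobject]@{
            Area   = $Area
            Status = $(if ($Ok) { 'OK' } else { 'WARN' })
            Detail = $Detail
        })
    }

    # 1. Transition technologies: anything other than Disabled means the stack will still try them.
    $checks = @(
        @{ Name = '6to4';   Values = @(Get-Net6to4Configuration   | ForEach-Object { "$($_.State)" }) },
        @{ Name = 'ISATAP'; Values = @(Get-NetIsatapConfiguration | ForEach-Object { "$($_.State)" }) },
        @{ Name = 'Teredo'; Values = @(Get-NetTeredoConfiguration | ForEach-Object { "$($_.Type)" }) }
    )
    foreach ($c in $checks) {
        $notOff = @($c.Values | Where-Object { $_ -ne 'Disabled' })
        Add-Finding "Transition/$($c.Name)" ($notOff.Count -eq 0) ($c.Values -join ',')
    }

    # 2. DNS: fec0::/10 entries are the deprecated site-local fallback resolvers, not configured servers.
    foreach ($dns in Get-DnsClientServerAddress -AddressFamily IPv6) {
        $siteLocal = @($dns.ServerAddresses | Where-Object { $_ -match '^fec0:' })
        Add-Finding "DNS/$($dns.InterfaceAlias)" ($siteLocal.Count -eq 0) (@($dns.ServerAddresses) -join ',')
    }

    # 3. Firewall: enabled outbound Block rules for protocol 41 (6to4/ISATAP) and UDP to 3544 (Teredo).
    $blocks  = Get-NetFirewallRule -Enabled True -Action Block -Direction Outbound -ErrorAction SilentlyContinue |
               Get-NetFirewallPortFilter
    $proto41 = @($blocks | Where-Object { "$($_.Protocol)" -eq '41' })
    $teredo  = @($blocks | Where-Object { "$($_.Protocol)" -eq 'UDP' -and "$($_.RemotePort)" -match '(^|,)3544($|,)' })
    Add-Finding 'Firewall/Proto41-Out' ($proto41.Count -gt 0) "$($proto41.Count) enabled outbound block rule(s) for IP protocol 41"
    Add-Finding 'Firewall/Teredo-Out'  ($teredo.Count -gt 0)  "$($teredo.Count) enabled outbound block rule(s) for UDP remote port 3544"

    # 4. Firewall: neighbor discovery (ICMPv6 types 135/136) must stay allowed inbound or IPv6 stops working.
    $icmp = Get-NetFirewallRule -Enabled True -Action Allow -Direction Inbound -ErrorAction SilentlyContinue |
            Get-NetFirewallPortFilter | Where-Object { "$($_.Protocol)" -eq 'ICMPv6' }
    foreach ($type in 135, 136) {
        $hit = @($icmp | Where-Object { "$($_.IcmpType)" -match "(^|,)$type(:|$|,)" -or "$($_.IcmpType)" -eq 'Any' })
        Add-Finding "Firewall/ICMPv6-$type-In" ($hit.Count -gt 0) "$($hit.Count) enabled inbound allow rule(s)"
    }

    return $findings
}

Get-IPv6PostureReport | Format-Table -AutoSize
```

Piping every rule through Get-NetFirewallPortFilter takes a few seconds on a host with the full default rule set, which is acceptable for a before/after check in a demo; for a fleet you would cache the port filters once. A WARN on the ICMPv6 rows is the one to take seriously, since an over-eager block rule there breaks address resolution for every IPv6 neighbor.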
# ----------------------------
# - Demo 3 run through script
# A PowerShell cmdlet that does the set up properly for the appropriate IPv6 configurations for the end system based on best practices.
# Store the existing configuration before changing and provide an option switch to revert back to old settings.
# The best practices will do:
# 1. - Turn off ISATAP
# 2. - Turn off Teredo
# 3. - Turn off 6to4
#
# 4. - Put ADV FW rules in place on the host
# - Consider limiting input rate of ND traffic? - future
#
# - future:
# - Build ACL that allows all global, link-local, ULA and multicast - does not permit 2001:db8::/ or legacy IPv6 address space like site-local or compatible
# 5. - Ensure the client host has DHCPv6 client enabled
Get-Service dhcp
Start-Service dhcp
# 6. - Consider turning off the DHCPv6 client on statically assigned server hosts
Get-Service dhcp
Stop-Service dhcp
# - show error that happens when you try this
# - you need to shut off other services first
Stop-Service WinHttpAutoProxySvc
Get-Service WinHttpAutoProxySvc
# - and the next one - Network Location Awareness
Stop-Service nlasvc
Get-Service nlasvc
# - now try disabling dhcp again
Stop-Service dhcp
# 7. - Limit number of addresses per interface? - see #6 & #8
# 8. - Turn off random addresses - optional
Set-NetIPv6Protocol -RandomizeIdentifiers Disabled
Set-NetIPv6Protocol -RandomizeIdentifiers Enabled
# 9. - Make settings persistent - by default
# 10. - Turn off LLMNR? - no
# 11. - Turn off Internet Connection Sharing (maybe) - future
Get-Service SharedAccess
Set-Service SharedAccess -StartupType Manual
Start-Service SharedAccess
# 12. - Turn off ICMP redirection (maybe) - future
# 13. - Turn off IPv4 (maybe) - future
# 14. - Install Routing in RemoteAccess
Install-WindowsFeature RemoteAccess
# 15. - Determine multicast listening
# - you can't do this with PowerShell, you have to use netsh
netsh interface ipv6 show joins
#
#
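Demo 3 asks for a cmdlet that applies steps 1 through 4, stores the existing configuration first, and takes a switch to revert. The following is an added example of that shape, not the post's own code or a Microsoft cmdlet. It writes the current 6to4/ISATAP/Teredo state to a JSON file, disables all three, adds the protocol 41 and Teredo block rules tagged with a firewall rule group so they can be found again, and `-Revert` restores the saved state and removes exactly those rules. The state file path, the rule display names and the group name are this example's assumptions; it supports `-WhatIf` through the standard ShouldProcess mechanism.

```powershell
# Added example (not the post's own code): apply Demo 3 steps 1-4 with a saved state and a -Revert switch.
# Assumptions of this example: the state file location, the rule DisplayNames and the -Group tag.

function Set-IPv6TransitionHardening {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$StatePath = "$env:ProgramData\ipv6-hardening-state.json",
        [string]$RuleGroup = 'IPv6 Transition Hardening (demo)',
        [switch]$Revert
    )

    if ($Revert) {
        if (-not (Test-Path $StatePath)) { throw "No saved state at $StatePath; nothing to revert." }
        $saved = Get-Content $StatePath -Raw | ConvertFrom-Json
        if ($PSCmdlet.ShouldProcess('6to4/ISATAP/Teredo and demo firewall rules', "restore from $StatePath")) {
            Set-Net6to4Configuration   -State $saved.SixToFour
            Set-NetIsatapConfiguration -State $saved.Isatap
            Set-NetTeredoConfiguration -Type  $saved.Teredo
            # Only rules carrying our group tag are removed; nothing else in the firewall is touched.
            Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule
            Remove-Item $StatePath
        }
        return
    }

    if (Test-Path $StatePath) { throw "Saved state already exists at $StatePath; run with -Revert first." }

    # Capture what is there now before changing anything (host-wide settings, so the first object suffices).
    $state = [ordered]@{
        SixToFour = "$((Get-Net6to4Configuration   | Select-Object -First 1).State)"
        Isatap    = "$((Get-NetIsatapConfiguration | Select-Object -First 1).State)"
        Teredo    = "$((Get-NetTeredoConfiguration | Select-Object -First 1).Type)"
        SavedAt   = (Get-Date).ToString('o')
    }
    if ($PSCmdlet.ShouldProcess($StatePath, 'save current transition-technology state')) {
        $state | ConvertTo-Json | Set-Content -Path $StatePath
    }

    # Steps 1-3: turn the transition technologies off.
    if ($PSCmdlet.ShouldProcess('6to4/ISATAP/Teredo', 'disable')) {
        Set-NetIsatapConfiguration -State Disabled
        Set-NetTeredoConfiguration -Type  Disabled
        Set-Net6to4Configuration   -State Disabled
    }

    # Step 4: firewall rules so the traffic is dropped even if a service is switched back on.
    # Protocol 41 covers both 6to4 and ISATAP; the Teredo server port is the remote side (UDP 3544).
    $rules = @(
        @{ DisplayName = 'Block IP protocol 41 outbound (6to4/ISATAP)'; Direction = 'Outbound'; Protocol = '41';  RemoteAddress = 'Internet' },
        @{ DisplayName = 'Block IP protocol 41 inbound (6to4/ISATAP)';  Direction = 'Inbound';  Protocol = '41';  RemoteAddress = 'Internet' },
        @{ DisplayName = 'Block Teredo outbound (UDP 3544)';            Direction = 'Outbound'; Protocol = 'UDP'; RemotePort = '3544'; RemoteAddress = 'Internet' }
    )
    foreach ($r in $rules) {
        if ($PSCmdlet.ShouldProcess($r.DisplayName, 'New-NetFirewallRule')) {
            New-NetFirewallRule @r -Action Block -Group $RuleGroup | Out-Null
        }
    }
}

# Preview, apply, and undo:
# Set-IPv6TransitionHardening -WhatIf
# Set-IPv6TransitionHardening
# Set-IPv6TransitionHardening -Revert
```

Saving the state before the first change, and refusing to run again while a state file exists, is what makes the revert trustworthy: a second run would otherwise overwrite the original values with the already-hardened ones and the switch would revert to nothing.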
And that is it - a bit of a long post but hopefully someone can glean some useful information out of all that mess. Remember, it was really an outline for myself of commands to run through for a presentation demo so it isn't designed to be one big PowerShell cmdlet or module.
- Ed