Monthly Archives: December 2023

Is it possible to host a web server or some other web service behind Starlink? Yes! With IPv6 and Cloudflare's reverse proxy …

Yesterday I was asked to help a colleague properly set up the IPv6 he received from Starlink. Starlink uses CGNAT (carrier-grade NAT), so your public IPv4 address is shared with other subscribers and you cannot "port forward" services on your router to your internal servers. Starlink does, however, delegate a /56 IPv6 prefix to you, which means 256 /64 networks for your home or company. That's great!

So the first thing you need is a router (in our case a MikroTik) running a DHCPv6 client with prefix delegation so that it receives the /56. Then assign (say) the first /64 of that prefix to your internal interface and enable Neighbour Discovery (router advertisements) so your devices autoconfigure their addresses with SLAAC. Remember to set up your IPv6 firewall so that the input and forward chains drop or allow traffic as intended: with globally routable IPv6 addresses every internal host is directly reachable from the Internet, there is no NAT hiding it any more. You can still give your server a fixed IPv6 address, as long as it sits inside the advertised /64.

Once your server has a working IPv6 address (it can ping google.com 🙂) and your web server is running, go to Cloudflare, activate the free plan, create a proxied (orange-cloud) AAAA record pointing at the server's IPv6 address and let their reverse proxy publish the service. Cloudflare is (and will remain) reachable over both IPv4 and IPv6 and fetches the content from your IPv6-only origin, so everyone, including users who only have IPv4, can reach your site. Two caveats: the free-plan proxy only handles HTTP and HTTPS on Cloudflare's supported ports, so "some other web service" still has to speak HTTP(S), and your firewall should accept connections to the origin only from Cloudflare's published IPv6 ranges, otherwise anyone who learns the server's address simply bypasses the proxy.
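The router and firewall side of the procedure above, written out as an added example in RouterOS CLI syntax (this is not the configuration from the original post). It assumes ether1 is the Starlink WAN port, bridge is the LAN, the pool name starlink-pd, and a web server at the documentation address 2001:db8:1234:5600::10, which stands in for an address inside the real delegated prefix. The Cloudflare ranges are copied from https://www.cloudflare.com/ips-v6; check that list before using them.

```routeros
# Added example, not from the original post. Interface names, pool name and
# the server address 2001:db8:1234:5600::10 are assumptions for this illustration.

# 1. Request the delegated /56 from Starlink and put it into an address pool.
/ipv6 dhcp-client
add interface=ether1 request=prefix pool-name=starlink-pd pool-prefix-length=64 \
    add-default-route=yes use-peer-dns=no

# 2. Take the first /64 from the pool for the LAN. RouterOS fills in the prefix,
#    ::1 becomes the router's own address, advertise=yes puts it into RAs.
/ipv6 address
add address=::1/64 from-pool=starlink-pd interface=bridge advertise=yes eui-64=no

# 3. Router advertisements so clients do SLAAC (a fixed address on the server
#    is still fine, it only has to be inside the advertised /64).
/ipv6 nd
set [ find default=yes ] interface=bridge advertise-dns=yes \
    managed-address-configuration=no other-configuration=no

# 4. Only Cloudflare's edge may reach the origin; list copied from
#    https://www.cloudflare.com/ips-v6 at time of writing, verify before use.
/ipv6 firewall address-list
add list=cloudflare address=2400:cb00::/32
add list=cloudflare address=2606:4700::/32
add list=cloudflare address=2803:f800::/32
add list=cloudflare address=2405:b500::/32
add list=cloudflare address=2405:8100::/32
add list=cloudflare address=2a06:98c0::/29
add list=cloudflare address=2c0f:f248::/32

# 5. Default-deny on input and forward. ICMPv6 must stay open (ND, PMTUD),
#    the router must still get DHCPv6 replies from Starlink's link-local side.
/ipv6 firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept protocol=icmpv6
add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 \
    comment="DHCPv6-PD replies from Starlink"
add chain=input action=accept in-interface=bridge comment="LAN may manage the router"
add chain=input action=drop
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept protocol=icmpv6
add chain=forward action=accept in-interface=bridge comment="LAN to Internet"
# Assumed server address; if Starlink hands out a different /56 later, update it.
add chain=forward action=accept in-interface=ether1 protocol=tcp dst-port=443 \
    dst-address=2001:db8:1234:5600::10/128 src-address-list=cloudflare \
    comment="web server, reachable only through Cloudflare"
add chain=forward action=drop
```

The forward rule for the server is the part most people forget: once the /64 is advertised, every host in it has a public address, so without the final drop rule the whole LAN is exposed, and without the src-address-list match the Cloudflare proxy can be bypassed by anyone who knows the origin address.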

Understanding and demystifying Windows DNS dynamic updates in relation to the DHCP server

To better understand it and actually see it in action I have recorded a short video that shows only the DHCP client/server communication between a Windows 10 workstation and an AD (DNS/DHCP) server.

As you can see, when the machine starts it first needs an IP address, which it receives in the DHCP server's message. Once the IP address is assigned there is more activity in the DNS context, but I have filtered out only the dynamic updates (by using the filters dns.flags==0x2800 and dns.flags==0xa800).

As you can see in the video (the DHCP lease is set to only 1 minute), renewals happen every 30 seconds, which is correct: as RFC 2131 (https://www.ietf.org/rfc/rfc2131.txt) describes, two timers start when a lease is assigned, T1 (renewal) at 50% of the lease time and T2 (rebinding) at 87.5% of the lease time (52.5 seconds here), and after every renewal the client also sends a DNS dynamic update to the Active Directory DNS servers.

In short: in Active Directory the dynamic update of the A record is done by the domain-joined client itself, without any need for the DHCP server to do it. (The DHCP server can be configured to register records on behalf of clients; by default it only registers what the client asks for in the client FQDN option, which for a Windows client is the PTR record, so all the A-record magic is done by the domain-joined client.)
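An added example, not from the original post, that ties the three observations together in PowerShell: it decodes the two Wireshark flag values used for the filter, computes the T1/T2 timers for a given lease, and shows where the client-side and server-side dynamic update settings live. The server name dc1 and the domain are assumptions; the DhcpServer cmdlets need the DHCP server RSAT module.

```powershell
# Added example (not from the original post). Assumes an AD-joined Windows 10 client
# and a DHCP/DNS server called dc1; both names are assumptions.

# --- 1. What the Wireshark filter constants mean ----------------------------------
# DNS header flags word (RFC 1035 section 4.1.1; opcode 5 = UPDATE per RFC 2136):
# QR(1) Opcode(4) AA TC RD RA Z(3) RCODE(4). Decoding 0x2800 and 0xA800 shows that
# the filter simply selects "UPDATE request" and "UPDATE response".
function ConvertFrom-DnsFlags {
    param([Parameter(Mandatory)][int]$Flags)
    $opcodeNames = @{ 0 = 'QUERY'; 1 = 'IQUERY'; 2 = 'STATUS'; 4 = 'NOTIFY'; 5 = 'UPDATE' }
    $opcode = ($Flags -shr 11) -band 0xF
    [pscustomobject]@{
        Flags  = '0x{0:X4}' -f $Flags
        QR     = if ($Flags -band 0x8000) { 'response' } else { 'request' }
        Opcode = if ($opcodeNames.ContainsKey($opcode)) { $opcodeNames[$opcode] } else { "opcode $opcode" }
        AA     = [bool]($Flags -band 0x0400)
        RD     = [bool]($Flags -band 0x0100)
        RCODE  = $Flags -band 0x000F
    }
}
0x2800, 0xA800 | ForEach-Object { ConvertFrom-DnsFlags $_ } | Format-Table
# 0x2800 -> request, UPDATE ; 0xA800 -> response, UPDATE, RCODE 0 (NOERROR)

# --- 2. Renew (T1) and rebind (T2) timers for a lease (RFC 2131 section 4.4.5) -------
function Get-DhcpLeaseTimers {
    param([Parameter(Mandatory)][timespan]$LeaseDuration)
    [pscustomobject]@{
        Lease = $LeaseDuration
        T1    = [timespan]::FromSeconds($LeaseDuration.TotalSeconds * 0.5)    # renewal, unicast to the leasing server
        T2    = [timespan]::FromSeconds($LeaseDuration.TotalSeconds * 0.875)  # rebinding, broadcast to any server
    }
}
Get-DhcpLeaseTimers -LeaseDuration (New-TimeSpan -Minutes 1)   # T1 = 30 s, T2 = 52.5 s
# The configured duration on the server comes from the scope:
#   Get-DhcpServerv4Scope -ComputerName dc1 | Select-Object ScopeId, LeaseDuration

# --- 3. Which side performs the dynamic update ------------------------------------
# Client (run on the workstation): registration is enabled per adapter by default,
# and Register-DnsClient forces an immediate UPDATE, like "ipconfig /registerdns".
Get-DnsClient | Where-Object RegisterThisConnectionsAddress |
    Select-Object InterfaceAlias, RegisterThisConnectionsAddress, UseSuffixWhenRegistering
Register-DnsClient

# Server (run on the DHCP server): the default DynamicUpdates value is OnClientRequest,
# i.e. the server registers only what the client FQDN option asks for.
Get-DhcpServerv4DnsSetting -ComputerName dc1 |
    Select-Object DynamicUpdates, UpdateDnsRRForOlderClients, DeleteDnsRRonLeaseExpiry
```

If you ever need the DHCP server to own the records (non-Windows clients, or name protection), change DynamicUpdates to Always with Set-DhcpServerv4DnsSetting; for the domain-joined Windows client in the video the default is exactly what the capture shows.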

Windows Defender Firewall with Advanced Security – what is that "Advanced Security" part? Let's remove the dust … (Part 4 – "Allow the connection if it is secure" rules and connection security rules (IPsec), limited to a certain application)

In this last post about the security you can apply with Windows Defender Firewall with Advanced Security I would like to point out another option that becomes available once you configure more complex scenarios with connection security rules.

In this example I will force a user (in this case Bill) who needs to connect from a specific workstation, a PAW (in this case C2), to use a specific application (in this case Firefox) to access the web site on a server (in our case SRV2). You will see that the connection is not established if Bill uses Edge (or some other browser).

This example can be a starting point for allowing connections to a server's services not only based on the combination of the right user on the right workstation, but also on the application that must be used for such a connection.
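The same scenario built from PowerShell instead of the MMC snap-in, as an added example that is not the original post's configuration. Everything named here is an assumption: domain CONTOSO, user Bill, PAW C2, web server SRV2 at 10.0.0.20 on TCP 443, Firefox in its default install path, and a PAW whose domain profile already blocks outbound traffic by default (commented line shows how to set that if it is not the case).

```powershell
# Added example (not from the original post). Names, addresses and paths are assumptions.

# ----- A. Connection security rule (IPsec): computer Kerberos in phase 1, user Kerberos
#          in phase 2, so the negotiation carries both the machine (C2) and user (Bill)
#          identities that the firewall rules below will check.
$p1 = New-NetIPsecPhase1AuthSet -DisplayName 'PAW-Computer-Kerberos' `
        -Proposal (New-NetIPsecAuthProposal -Machine -Kerberos)
$p2 = New-NetIPsecPhase2AuthSet -DisplayName 'PAW-User-Kerberos' `
        -Proposal (New-NetIPsecAuthProposal -User -Kerberos)

# Run on SRV2: inbound connections to the web port must be authenticated.
New-NetIPsecRule -DisplayName 'Require auth for HTTPS to SRV2' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Protocol TCP -LocalPort 443 `
    -Phase1AuthSet $p1.Name -Phase2AuthSet $p2.Name

# Run on C2: the mirror image, so C2 negotiates IPsec before talking to SRV2.
New-NetIPsecRule -DisplayName 'Auth to SRV2 HTTPS' `
    -InboundSecurity None -OutboundSecurity Request `
    -Protocol TCP -RemoteAddress 10.0.0.20 -RemotePort 443 `
    -Phase1AuthSet $p1.Name -Phase2AuthSet $p2.Name

# ----- B. SRV2: "Allow the connection if it is secure", limited to Bill on C2 -----
# The firewall wants the authorised principals as SDDL; one ACE per user/machine.
function ConvertTo-FirewallSddl([string]$Account) {
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
              [System.Security.Principal.SecurityIdentifier]).Value
    "O:LSD:(A;;CC;;;$sid)"
}
New-NetFirewallRule -DisplayName 'HTTPS to SRV2 only for Bill from C2' `
    -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow `
    -Authentication Required `
    -RemoteUser    (ConvertTo-FirewallSddl 'CONTOSO\Bill') `
    -RemoteMachine (ConvertTo-FirewallSddl 'CONTOSO\C2$')

# Check that no other enabled inbound rule already opens 443 without authentication,
# otherwise the "secure" rule is only decoration.
Get-NetFirewallPortFilter | Where-Object LocalPort -eq 443 | Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Format-Table DisplayName, Action,
        @{ n = 'Auth'; e = { ($_ | Get-NetFirewallSecurityFilter).Authentication } }

# ----- C. C2 (PAW): only Firefox may reach SRV2, and only over the IPsec connection -----
# Assumes the domain profile blocks outbound by default, as a PAW should; if not:
#   Set-NetFirewallProfile -Profile Domain -DefaultOutboundAction Block
New-NetFirewallRule -DisplayName 'Firefox to SRV2 (IPsec only)' `
    -Direction Outbound -Action Allow -Profile Domain `
    -Program 'C:\Program Files\Mozilla Firefox\firefox.exe' `
    -Protocol TCP -RemoteAddress 10.0.0.20 -RemotePort 443 `
    -Authentication Required
# Edge (or any other program) has no outbound rule, so the profile default blocks it;
# Firefox run by someone other than Bill is stopped at SRV2 by the RemoteUser check,
# and Firefox run by Bill from a machine other than C2 fails the RemoteMachine check.
```

The three checks are enforced at different places, which is the point of the combination: the program restriction lives on the PAW, the user and machine restriction lives on the server, and the connection security rule is what makes the identities available to the server's rule in the first place.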