Hi, thanks for the elaborate reply!
On 12.04.20 at 19:33, Uwe Schindler wrote:
> Hi
>
>> I have a setup in mind and wonder whether dnsmasq is the correct tool (since
>> I
>> have not found the necessary functionality in the documentation yet).
>>
>> We have a /56 IPv6 network, and plan to use pure DHCPv6 (no stateless
>> autoconfiguration) in several /64 networks.
>
> That's perfect. Looks much like a standard German DSL account. 😊

In our case, even better, since the prefix is completely fixed and will never change ;-).

>
>> There are several subnets (currently NATed IPv4), such as — for example — a
>> WireGuard VPN network, or a local isolated subnet.
>> While with IPv4, the answer was the use of private addresses and NAT every
>> time, potentially using a DHCP forwarder, for IPv6, the answer should be to
>> use
>> Global Unicast addresses everywhere (right?).
>> How do I approach this correctly?
>
> That's very easy because you have a /56 net.
>
>> Three options come to mind to handle such subnets:
>> - Use ULAs and NAT (but that does not feel like IPv6...).
>
> No no no, bad idea and very stupid for such a large network.

That's what I thought :-).

>
>> - Delegate a prefix from the large network (where we'd use dnsmasq) to the
>> "gateway" machine, which then would be a router.
>> However, I am not aware if dnsmasq can delegate prefixes?
>
> This should all be done on the central router. For each subnet you have a
> separate dnsmasq.

Since we already have gateway nodes for IPv4, we'd rather scale the dnsmasqs out, but that does not seem to interfere with the proposed solution.

>
>> - Use ProxyNDP (via ndppd or Linux kernel functionality). But I'm not sure if
>> that scales well to a larger number of machines?
>
> No need to do that (see below). ProxyNDP is only needed if you want to delegate
> some global addresses to devices that are in the same subnet but behind
> another machine (MAC address). You don't need this. All can be done with
> plain simple routing.

I see :-).
>
>> - Use static routes on the central machine which send the /64 subnet to the
>> "gateways" and use dnsmasq on the gateways.
>
> That's the way to go and it will just work! Explanation:
>
> The provider delegates a /56 prefix to you. How this is done depends, but for
> DSL (dynamic) or also at Hetzner (static) the whole thing works on the link
> level addresses. For DSL you have the PPP-Daemon who gets a link local address
> on the end point assigned. For DSL you get a prefix delegated using DHCP-PD
> (prefix delegation), for static routes (e.g., Hetzner) you get all traffic
> routed to the link-local address of your router (that's coming from the mac
> address of router known to provider).
>
> On the router you just assign the subnets and their primary address (....:1)
> to a separate interface or VLAN in portions of /64. The linux kernel will
> then just automatically route all incoming packets from the WAN interface
> (PPP or Ethernet) to the correct (virtual) network adaptor. On each of those
> network adaptors you have a dnsmasq listening.

There's a slightly more special case for us: We have one central firewall (which gets the full /56 net on the upstream interface routed to it) and most gateways are separate nodes (i.e. most VLANs are not connected to the central FW).
So I believe in that case I just need an ip6tables rule (per /64 subnet) on the central firewall to redirect all traffic to the gateway for the /64 subnet, right?

> Just some recommendation: I'd NOT go with DHCPv6, as no Chromebook or Android
> device supports it. I'd go for SLAAC. Very easy. As you can set up a separate
> /64 subnet (up to 256 of them), you have enough flexibility to handle all of
> them in a separate network with full /64 SLAAC address space. Each of those
> networks has firewalling on the router box and is delegated to the network
> switch, e.g., via VLANs.

I know (while I knew about Android, good point about the Chromebooks!).
Our main use case is addressing of Linux servers (i.e. there will only be "DHCP reserved" entries). Indeed, for a general purpose network (one of those /64s), we need to think whether we'll go with DHCPv6 (and lose Android and Chromebooks) or really stay with DHCPv6. For now, I'll plan with DHCPv6 ;-).

Cheers and thanks,
Oliver

> If you are interested how to set up the Prefix Delegation with PPP, just ask.
> The usual howtos seen on internet with wide-dhcpd are outdated and not very
> modern and relying on a broken tool which should not be used anymore. The
> correct way for that is "dhcpcd" client daemon listening on the PPP interface
> and waiting for DHCP-PD packets. The dhcpcd config file can then
> automatically split the delegated /56 network and assign it to various
> real/virtual interfaces each with a /64 subnet, where a separate dnsmasq is
> handling everything. No hacks needed, just plain routing on the box (it's
> enough to enable ip forwarding unless you want to firewall). All on a single
> box. I have set this up multiple times.
>
> Uwe

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
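Added example (not from the thread and not dnsmasq's or dhcpcd's own code): it carves the /56 discussed above into /64 subnets, each behind its own gateway node as Oliver plans, and generates the per-/64 static routes for the central firewall plus a dnsmasq.conf fragment per gateway, either DHCPv6 with fixed reservations (the servers-only case) or SLAAC as Uwe recommends. The prefix, gateway names, interfaces and link-local addresses are constructed placeholders; note that the static routes are what carry the traffic to each gateway, while ip6tables rules on the firewall only filter it.

```python
# Added example: per-/64 layout of a delegated /56 with one gateway and one
# dnsmasq per subnet. All names, interfaces and addresses are placeholders.
import ipaddress

# Constructed sample prefix (documentation space), not a real allocation.
DELEGATED = ipaddress.IPv6Network("2001:db8:ab00::/56")

# Hypothetical gateway inventory: /64 index -> (name, firewall-side VLAN
# interface, gateway's link-local address on that VLAN, gateway LAN interface).
GATEWAYS = {
    0x01: ("gw-wireguard", "vlan101", "fe80::1", "wg0"),
    0x02: ("gw-isolated", "vlan102", "fe80::2", "eth1"),
}


def subnet(index):
    """The index-th /64 inside the /56; a /56 holds exactly 256 of them."""
    if not 0 <= index < 256:
        raise ValueError("index must be 0..255 for a /56")
    base = int(DELEGATED.network_address) + (index << 64)
    return ipaddress.IPv6Network((base, 64))


def firewall_commands():
    """Central firewall: enable forwarding, then one static route per /64 to
    the gateway's link-local address (plain routing, no NAT, no NDP proxy)."""
    cmds = ["sysctl -w net.ipv6.conf.all.forwarding=1"]
    for idx, (name, fw_if, gw_ll, _) in sorted(GATEWAYS.items()):
        cmds.append(f"ip -6 route add {subnet(idx)} via {gw_ll} dev {fw_if}  # {name}")
    return cmds


def gateway_dnsmasq_conf(index, stateful=True, reservations=()):
    """dnsmasq.conf for the gateway serving subnet `index` on its LAN interface.
    stateful=True: DHCPv6 pool plus fixed reservations (host name, host id);
    stateful=False: SLAAC-only router advertisements, derived from the global
    address the gateway holds on that interface (its ::1 for this /64)."""
    name, _, _, lan_if = GATEWAYS[index]
    net = subnet(index)
    lines = [f"# {name}: {net}, gateway address {net[1]}", f"interface={lan_if}",
             "enable-ra"]
    if stateful:
        lines.append(f"dhcp-range={net[0x100]},{net[0x1ff]},64,12h")
        for host, host_id in reservations:
            lines.append(f"dhcp-host={host},[{net[host_id]}]")
    else:
        lines.append(f"dhcp-range=::,constructor:{lan_if},ra-only")
    return "\n".join(lines)
```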