Hi,
thanks for the elaborate reply!
Am 12.04.20 um 19:33 schrieb Uwe Schindler:
> Hi
>
>> I have a setup in mind and wonder whether dnsmasq is the correct tool (since
>> I
>> have not found the necessary functionality in the documentation yet).
>>
>> We have a /56 IPv6 network, and plan to use pure DHCPv6 (no stateless
>> autoconfiguration) in several /64 networks.
>
> That's perfect. Looks much like a standard German DSL account. 😊
In our case, even better, since the prefix is completely fixed and will never
change ;-).
>
>> There are several subnets (currently NATed IPv4), such as — for example — a
>> WireGuard VPN network, or a local isolated subnet.
>> While with IPv4, the answer was the use of private addresses and NAT every
>> time, potentially using a DHCP fowarder, for IPv6, the answer should be to
>> use
>> Global Unicast addresses everywhere (right?).
>> How do I approach this correctly?
>
> That's very easy because you have a /56 net.
>
>> Three options come to mind to handle such subnets:
>> - Use ULAs and NAT (but that does not feel like IPv6...).
>
> No no no, bad idea and very stupid for such a large network.
That's what I thought :-).
>
>> - Delegate a prefix from the large network (where we'd use dnsmasq) to the
>> "gateway" machine, which then would be a router.
>> However, I am not aware if dnsmasq can delegate prefixes?
>
> This should all be done on the central router. For each subnet you have a
> separate dnsmasq.
Since we already have gateway nodes for IPv4, we'd rather scale the dnsmasqs
out, but that does not seem to interfere with the proposed solution.
>
>> - Use ProxyNDP (via npdpd or Linux kernel functionality). But I'm not sure if
>> that scales well to a larger number of machines?
>
> No need to do that (see below). ProxyNDP is only needed if you want delegate
> some global addresses to devices that are in the same subnet but behind
> another machine (MAC address). You don't need this. All can be done with
> plain simple routing.
I see :-).
>
>> - Use static routes on the central machine which send the /64 subnet to the
>> "gateways" and use dnsmasq on the gateways.
>
> That's the way to go and it will just work! Explanation:
>
> The provider delegates a /56 prefix to you. How this is done depends, but for
> DSL (dynamic) or also at Hetzner (static) the whole thing works on the link
> level addresses. For DSL you have the PPP-Daemon wo gets a link local address
> on the end point assigned. For DSL you get a prefix delegated using DHCP-PD
> (prefix delegation), for static roulds (e.g., Hetzner) you get all traffic
> routed to the link-local address of your router (that's coming from the mac
> address of router known to provider).
>
> On the router you just assign the subnets and their primary address (....:1)
> to a separate interface or VLAN in portions of /64. The linux kernel will
> then just automatically route all incoming packets from the WAN interface
> (PPP or Ethernet) to the correct (virtual) network adaptor. On each of those
> network adaptors you have a dnsmasq listening.
There's a slightly more special case for us: We have one central firewall
(which gets the full /56 net on the upstream interface routed to it) and most
gateways are separate nodes
(i.e. most VLANs are not connected to the central FW).
So I believe in that case I just need an ip6tables rule (per /64 subnet) on the
central firewall to redirect all traffic to the gateway for the /64 subnet,
right?
> Just some recommendation: I'd NOT go with DHCPv6, as no Chromebook or Android
> device supports it. I'd go for SLAAC. Very easy. As you can setup a separate
> /64 subnet (up to 256 of them), you have enough flexibility to handle all of
> them in a separate network with full /64 SLAAC address space. Each of those
> networks have firewalling on the router box and are delegate to the network
> switch .e.g, via VLANs.
I know (while I knew about Android, good point about the Chromebooks!). Our
main usecase is addressing of Linux servers (i.e. there will only be "DHCP
reserved" entries).
Indeed, for a general purpose network (one of those /64s), we need to think
whether we'll go with DHCPv6 (and lose Android and Chromebooks) or really stay
with DHCPv6. For now, I'll plan with DHCPv6 ;-).
Cheers and thanks,
Oliver
> If you are interested how to setup the Prefix Delegation with PPP, just ask.
> The usual howtos seen on internet with wide-dhcpd are outdated and not very
> modern and relying on a broken tool which should not be used anymore. The
> correct way for that is "dhcpcd" client daemon listening on the PPP interface
> and waiting for DHCP-PD packets. The dhcpcd config file can then
> automatically split the delegated /56 network and assign it to various
> real/virtual interfaces each with a /64 subnet, where a separate dnsmasq is
> handling everything. No hacks needed, just plain routing on the bx (its
> enough to enable ip forwarding unless you want to firewall). All on a single
> box. I have set this up multiple times.
>
> Uwe
>
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
