Hugo Osvaldo Barrera <h...@osvaldobarrera.com.ar> writes:

> Hi,

Hi.

> I'm trying to evaluate how to set up my OpenBSD server as an internet
> gateway.
>
> I've a static IPv4 address, and a /48 IPv6 block.
> I've already NATed IPv4 using PF, but I'm in doubt on how to bridge the
> IPv6 part without breaking the IPv4 NAT.
>
> I'll assume lan=eth0 and wan=eth1 to make this a bit more readable.

Sadly, what should we understand here? Are they really both Ethernet
interfaces?

> From what I've managed to think up, I'd have to bridge both interfaces
> (eth0/eth1), and use PF to disallow traffic to/from private IP4s on eth1.

Bridging can be seen as an ugly solution when you only get a /64 from
your ISP, and you have to let RAs go through. Slightly less ugly, ndp
proxying. I've not tested it, though, but I believe ndp(8) could be
used here. But...

> My doubt is: if I bridge both interfaces, can I still NAT properly?
> If br0 contains eth1 and eth0, can I bridge "from br0 to br0"?
> This may sound odd, but br0 has actually two IPv4 addresses; the private
> and public.
>
> Also, if eth1 is bridged, I can still drop packets using pf properly,
> right? (discarding private-network packets on it is what I've in mind).
>
> Is this the proper solution? Or is there some other way I haven't
> thought of?

... how does your ISP provide you IPv6 connectivity? I can't see why
someone couldn't use proper subnetting, being given a /48. You should
also tell us how you get v4 connectivity, I think.

HTH
--
Jérémie Courrèges-Anglas
GPG fingerprint: 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494