Dear fellow Shorewall users,

I'm well aware that this is probably not really a Shorewall question, but it should be a common ProxyNDP scenario, so my hope is that somebody on this list can provide help, or insight - or redirect me.

To shortly summarize: ProxyARP is "easy": one machine plays ProxyARP and may in addition push the IP addresses and default gateway to the internal hosts, or may even relay that via dhcrelay / dnsmasq and the like. For IPv6, however, the default gateway is pushed via the router advertisement, and cannot be set via DHCPv6. To make ProxyNDP work, the internal machine(s), if not statically configured, thus need(s) to be sent router advertisements advertising the gateway from the external network (which the ProxyNDP'ing machine itself is also using).

The problem here: radvd only supports sending router advertisements for link-local addresses actually existing on the interface it is running on. If I assign the link-local address of the external gateway to the internal interface of my ProxyNDP machine and run radvd on it, the router advertisements will work fine, but things arriving from the internal hosts on that internal interface of the ProxyNDP machine targeting the external gateway will not be routed to it (as expected, since that interface has the address itself...).

Is radvd the wrong tool here (and should I use something else which allows spoofing of the gateway address? I failed to find anything), or is my understanding wrong? Does anybody have a working ProxyNDP setup with non-static configuration of the internal hosts? Should ProxyNDP proxy link-local addresses at all (if not, how to reach the gateway, which should have a link-local address)?

Checking https://bugzilla.redhat.com/show_bug.cgi?id=1340509, I found a report with a similar issue. Does this mean the kernel should (but does not) proxy RA packets and other special v6 multicasts from "external" to "internal", rewriting the link-layer address in the process (which would also mean I would not have to run radvd on my ProxyNDP machine)? Also https://tools.ietf.org/html/rfc4389#section-4.1.2 seems to indicate that this is what ProxyNDP should do, but it seems this does not happen on Linux (yet).
So maybe it's not really a lacking feature with radvd (even though adding gateway address spoofing in there might solve the problem at hand), but a lack of kernel functionality?

Cheers, sorry for the many questions, all the best and many thanks in advance,
Oliver
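As an added example (not from the mail above or from the Shorewall project), the following POSIX shell checks cover the proxy side of the setup described in this message: whether proxy_ndp is enabled, whether every internal host has a neighbor proxy entry on the external interface, and whether the external gateway's link-local address has ended up on the proxy host's own internal interface, the configuration the author found breaks routing to the gateway. It does not address the router-advertisement delivery question. Interface names (eth0/eth1), the host addresses and the gateway link-local fe80::1 are assumed sample values; each function takes captured command output as text so it can also run offline.

```shell
#!/bin/sh
# Added example, not part of the original mail: checks the ProxyNDP side of
# the setup described above. Each function parses captured command output
# passed as text, so the checks can also run offline on sample data.
# Interface names, host addresses and the gateway link-local are assumed.

# Is net.ipv6.conf.<if>.proxy_ndp set to 1?  $1 = `sysctl -a` text, $2 = interface
proxy_ndp_enabled() {
    printf '%s\n' "$1" | grep -q "^net\.ipv6\.conf\.$2\.proxy_ndp = 1$"
}

# Print internal-host addresses that lack a proxy entry on the external
# interface; return 1 if any are missing.
# $1 = `ip -6 neigh show proxy` text, $2 = external interface, $3 = addresses
missing_proxy_entries() {
    missing=""
    for a in $3; do
        printf '%s\n' "$1" | grep -q "^$a dev $2 proxy" || missing="$missing $a"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# The trap from the mail: the external gateway's link-local address configured
# on the proxy host's own internal interface, so the kernel treats traffic for
# the gateway as local instead of routing it out the external interface.
# $1 = `ip -6 addr show` text, $2 = internal interface, $3 = gateway link-local
gateway_ll_on_internal_if() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v gw="$3" '
        /^[0-9]+: / { cur = $2; sub(/:$/, "", cur) }
        $1 == "inet6" && cur == ifc { split($2, a, "/"); if (a[1] == gw) hit = 1 }
        END { exit(hit ? 0 : 1) }'
}

# Live run on the proxy host (assumed sample values):
#   ./proxyndp-check.sh --live eth0 eth1 fe80::1 "2001:db8::10 2001:db8::11"
if [ "${1:-}" = "--live" ]; then
    ext_if=$2; int_if=$3; gw_ll=$4; hosts=$5
    sysctls=$(sysctl -a 2>/dev/null); neigh=$(ip -6 neigh show proxy); addrs=$(ip -6 addr show)
    proxy_ndp_enabled "$sysctls" "$ext_if" && echo "ok: proxy_ndp on $ext_if" || echo "FAIL: proxy_ndp off on $ext_if"
    proxy_ndp_enabled "$sysctls" "$int_if" && echo "ok: proxy_ndp on $int_if" || echo "FAIL: proxy_ndp off on $int_if"
    m=$(missing_proxy_entries "$neigh" "$ext_if" "$hosts") || echo "FAIL: no proxy entry for: $m"
    gateway_ll_on_internal_if "$addrs" "$int_if" "$gw_ll" && echo "FAIL: $gw_ll is configured on $int_if" || echo "ok: $gw_ll not on $int_if"
fi
```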