I'm unfamiliar with ProxyNDP and it's unclear what you want to do.

I have radvd running on my shorewall gateway.  Since I can't
get my Comcast modem to issue me a slice of my static /56 that
Comcast issued to me, I split my static routed /64 into /80 subnets for
my internal networks.  I know, I know, eeevil!!  I don't need SLAAC,
I run DHCPv6.  So that the outside can find the devices on the inside,
I run ndppd on the gateway:
https://github.com/DanielAdolfsson/ndppd

I created a .spec file and then created rpms and a source rpm if
this sounds like what you want to do.

> The problem here: radvd only supports sending router advertisements for
> link local addresses actually existing on the interface it is running on.

This is not true or I'm misunderstanding.  My radvd is sending out
the gateway's public address to the internal subnets:
lan4    inet6 2603:xxxx:yyyy:zzzz:4::1/80 scope global \       valid_lft forever preferred_lft forever
wifi    inet6 2603:xxxx:yyyy:zzzz:6::1/80 scope global \       valid_lft forever preferred_lft forever

radvd.conf:
interface lan4 {
  ...
  prefix 2603:xxxx:yyyy:xxxx:4::1/80 {
    ...
  }
}
It complains about it not being a /64 but it works.

Bill

On 1/8/2018 5:24 PM, Oliver Freyermuth via Shorewall-users wrote:
Dear fellow Shorewall users,

I'm well aware that this is probably not really a Shorewall question, but
it should be a common ProxyNDP scenario, so my hope is that somebody on this
list can provide help, or insight - or redirect me.

To shortly summarize:
ProxyARP is "easy": One machine plays ProxyARP and may in addition push the
IP addresses and default gateway to the internal hosts, or may even relay
that via dhcrelay / dnsmasq and the like.

For IPv6, however, the default gateway is pushed via the router
advertisement, and can not be set via DHCPv6.
To make ProxyNDP work, the internal machine(s), if not statically
configured, thus need(s) to be sent router advertisements advertising the
gateway from the external network (which also the ProxyNDP'ing machine
itself is using).

The problem here: radvd only supports sending router advertisements for
link local addresses actually existing on the interface it is running on.
If I assign the link local address of the external gateway to the internal
interface of my ProxyNDP-machine and run radvd on it, the router
advertisements will work fine, but things arriving from the internal hosts
on that internal interface of the ProxyNDP machine targeting the external
gateway will not be routed to it (as expected, since that interface has the
address itself...).

Is radvd the wrong tool here (and should I use something else, which allows
spoofing of the gateway address? I failed to find anything), or is my
understanding wrong?
Does anybody have a working ProxyNDP setup with non-static configuration of
the internal hosts?
Should ProxyNDP proxy link-local addresses at all (if not, how to reach the
gateway, which should have a link local address)?

Checking here:
https://bugzilla.redhat.com/show_bug.cgi?id=1340509
I found a report with a similar issue. Does this mean the kernel should
(but does not) proxy RA packets and other special v6 multicasts from
"external" to "internal", rewriting the link-layer address in the process
(which would also mean I would not have to run radvd on my ProxyNDP
machine)?
Also https://tools.ietf.org/html/rfc4389#section-4.1.2 seems to indicate
that this is what ProxyNDP should do, but it seems this does not happen on
Linux (yet).
So maybe it's not really a lacking feature with radvd (even though adding
gateway address spoofing in there might solve the problem at hand), but a
lack of kernel functionality?

Cheers, sorry for the many questions, all the best and many thanks in advance,
        Oliver

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
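
The layout described in the reply above (a routed /64 cut into per-interface /80s, with ndppd answering for them on the upstream side), as an added example that is not part of either message or of the ndppd project. It derives each internal /80 from the gateway's interface address, rejects subnets that overlap or fall outside the routed /64, and renders the matching ndppd proxy rules. The 2001:db8 documentation prefix stands in for the redacted addresses, and the upstream interface name wan0 is an assumption.

```python
import ipaddress

# Constructed values: 2001:db8:aaaa:bbbb::/64 replaces the redacted
# 2603:xxxx:yyyy:zzzz::/64; "wan0" is an assumed upstream interface name
# (the post names only the internal interfaces lan4 and wifi).
ROUTED = ipaddress.IPv6Network("2001:db8:aaaa:bbbb::/64")
UPSTREAM = "wan0"
INTERNAL = {
    "lan4": "2001:db8:aaaa:bbbb:4::1/80",
    "wifi": "2001:db8:aaaa:bbbb:6::1/80",
}


def plan(routed, internal):
    """Map each internal interface to the /80 its gateway address lives in."""
    nets = {}
    for ifname, addr in internal.items():
        # IPv6Interface keeps the host bits; .network masks them off.
        net = ipaddress.IPv6Interface(addr).network
        if not net.subnet_of(routed):
            raise ValueError(f"{ifname}: {net} is outside {routed}")
        for other, seen in nets.items():
            if net.overlaps(seen):
                raise ValueError(f"{ifname}: {net} overlaps {other} ({seen})")
        nets[ifname] = net
    return nets


def ndppd_conf(upstream, nets):
    """Render an ndppd.conf proxy section.

    ndppd listens for neighbor solicitations on `upstream`; each rule names
    the internal interface on which the solicited target is looked up.
    """
    lines = [f"proxy {upstream} {{"]
    for ifname, net in nets.items():
        lines += [f"    rule {net} {{", f"        iface {ifname}", "    }"]
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(ndppd_conf(UPSTREAM, plan(ROUTED, INTERNAL)))
```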

