Dear Bill,

On 09.01.2018 at 10:51, Bill Shirley wrote:
> I'm unfamiliar with ProxyNDP and it's unclear what you want to do.
> 
> I have radvd running on my shorewall gateway.  Since I can't
> get my Comcast modem to issue me a slice of my static /56 that
> Comcast issued to me, I split my static routed /64 into /80 subnets for
> my internal networks.  I know, I know, eeevil!!  I don't need SLAAC,
> I run DHCPv6.  So that the outside can find the devices on the inside,
> I run ndppd on the gateway:
> https://github.com/DanielAdolfsson/ndppd
I'll have a look at this project; it looks like a userspace implementation of 
ProxyNDP. 

> 
> I created a .spec file and then created rpms and a source rpm if
> this sounds like what you want to do.
> 
> The problem here: radvd only supports sending router advertisements for link 
> local addresses actually existing on the interface it is running on.
> 
> This is not true or I'm misunderstanding.  My radvd is sending out
> the gateway's public address to the internal subnets:
> lan4    inet6 2603:xxxx:yyyy:zzzz:4::1/80 scope global \       valid_lft forever preferred_lft forever
> wifi    inet6 2603:xxxx:yyyy:zzzz:6::1/80 scope global \       valid_lft forever preferred_lft forever
It's a misunderstanding - I was talking about the "Default Gateway", not the 
prefixes, which are part of the RA. 
So I'm talking about the default gateway shown e.g. with "ip -6 route" on a 
Linux client. This is set via RA, 
and radvd can only announce link local addresses of the interface it is running 
on. 

That means it cannot spoof, which would however be needed if the clients
should use a different gateway machine lying behind the machine doing ProxyNDP. 
You can find more details about such use cases in:
https://github.com/reubenhwk/radvd/issues/45
And the implementation radvd uses:
https://github.com/reubenhwk/radvd/pull/61
This implementation allows selecting which link local address of the interface 
to advertise, but not freely specifying it. 

Still, as I understand the RFC, ProxyNDP itself should take care to forward and 
rewrite RAs from the external network to the internal network. 
But it appears to me that neither the implementation in the Linux kernel nor the 
one in ndppd implements the RFC completely... 

Cheers and many thanks,
Oliver

> 
> radvd.conf:
> interface lan4 {
>   ...
>   prefix 2603:xxxx:yyyy:xxxx:4::1/80 {
>     ...
>   }
> }
> It complains about it not being a /64 but it works.
> 
> Bill
> 
> On 1/8/2018 5:24 PM, Oliver Freyermuth via Shorewall-users wrote:
>> Dear fellow Shorewall users,
>>
>> I'm well aware that this is probably not really a Shorewall question, but it 
>> should be a common ProxyNDP scenario,
>> so my hope is that somebody on this list can provide help, or insight - or 
>> redirect me.
>>
>> To shortly summarize:
>> ProxyARP is "easy": One machine plays ProxyARP and may in addition push the 
>> ip addresses and default gateway to the internal hosts,
>> or may even relay that via dhcrelay / dnsmasq and the like.
>>
>> For IPv6, however, the default gateway is pushed via the router 
>> advertisement, and can not be set via DHCPv6.
>> To make ProxyNDP work, the internal machine(s), if not statically 
>> configured, thus need(s) to be sent router advertisements
>> advertising the gateway from the external network (which also the 
>> ProxyNDP'ing machine itself is using).
>>
>> The problem here: radvd only supports sending router advertisements for link 
>> local addresses actually existing on the interface it is running on.
>> If I assign the link local address of the external gateway to the internal 
>> interface of my ProxyNDP-machine and run radvd on it,
>> the router advertisements will work fine, but things arriving from the 
>> internal hosts on that internal interface of the ProxyNDP machine targeting 
>> the external gateway
>> will not be routed to it (as expected, since that interface has the address 
>> itself...).
>>
>> Is radvd the wrong tool here (and should I use something else, which allows 
>> spoofing of the gateway address? I failed to find anything), or is my 
>> understanding wrong?
>> Does anybody have a working ProxyNDP setup with non-static configuration of 
>> the internal hosts?
>> Should ProxyNDP proxy link-local addresses at all (if not, how to reach the 
>> gateway, which should have a link local address)?
>>
>> Checking here:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1340509
>> I found a report with a similar issue. Does this mean the kernel should (but 
>> does not) proxy RA packets and other special v6 multicasts from "external" 
>> to "internal",
>> rewriting the link-layer address in the process (which would also mean I 
>> would not have to run radvd on my ProxyNDP machine)?
>> Also https://tools.ietf.org/html/rfc4389#section-4.1.2 seems to indicate 
>> that this is what ProxyNDP should do, but it seems this does not happen on 
>> Linux (yet).
>> So maybe it's not really a lacking feature with radvd (even though adding 
>> gateway address spoofing in there might solve the problem at hand), but a 
>> lack of kernel functionality?
>>
>> Cheers, sorry for the many questions, all the best and many thanks in 
>> advance,
>>     Oliver
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Shorewall-users mailing list
>> Shorewall-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users


-- 
Oliver Freyermuth
Universität Bonn
Physikalisches Institut, Raum 1.047
Nußallee 12
53115 Bonn
--
Tel.: +49 228 73 2367
Fax:  +49 228 73 7869
--
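As an added worked example (not code from this thread, nor from radvd or ndppd), the following Python parses a Router Advertisement the way a host does: the default router entry comes from the RA's link-local source address plus its router lifetime, while the Prefix Information options only carry the on-link/SLAAC prefixes. That is the distinction Oliver draws above, and the audit function also flags the case behind Bill's "it complains about it not being a /64": a non-/64 prefix with the A (autonomous) flag set, which SLAAC cannot use. The capture, the fe80::1 gateway, the 02:00:00:00:00:01 MAC and the 2001:db8: prefix are all constructed for the example.

```python
"""Parse an IPv6 Router Advertisement (RFC 4861) and show what a host takes
from it. Added example for this thread; addresses and capture are constructed."""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LLADDR = 1   # RFC 4861 section 4.6.1
OPT_PREFIX_INFO = 3     # RFC 4861 section 4.6.2


@dataclass
class PrefixInfo:
    prefix: ipaddress.IPv6Network
    on_link: bool        # L flag
    autonomous: bool     # A flag: prefix may be used for SLAAC
    valid_lifetime: int
    preferred_lifetime: int


@dataclass
class RouterAdvertisement:
    src: ipaddress.IPv6Address   # IPv6 source of the RA packet (link-local)
    router_lifetime: int         # seconds; 0 means "not a default router"
    managed: bool                # M flag: addresses via DHCPv6
    other: bool                  # O flag: other config via DHCPv6
    source_lladdr: Optional[str] = None
    prefixes: List[PrefixInfo] = field(default_factory=list)


def parse_ra(src: str, icmp: bytes) -> RouterAdvertisement:
    """Parse the ICMPv6 payload of an RA; src is the packet's IPv6 source."""
    if len(icmp) < 16 or icmp[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    _, _, _, _, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", icmp[:16])
    ra = RouterAdvertisement(src=ipaddress.IPv6Address(src), router_lifetime=lifetime,
                             managed=bool(flags & 0x80), other=bool(flags & 0x40))
    off = 16
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:
            raise ValueError("option with zero length")  # must be discarded (4.6)
        body = icmp[off + 2 : off + olen * 8]
        if len(body) != olen * 8 - 2:
            raise ValueError("truncated option")
        if otype == OPT_SOURCE_LLADDR and olen == 1:
            ra.source_lladdr = body.hex(":")
        elif otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred, _ = struct.unpack("!BBIII", body[:14])
            addr = ipaddress.IPv6Address(body[14:30])
            ra.prefixes.append(PrefixInfo(
                prefix=ipaddress.IPv6Network((addr, plen), strict=False),
                on_link=bool(pflags & 0x80), autonomous=bool(pflags & 0x40),
                valid_lifetime=valid, preferred_lifetime=preferred))
        off += olen * 8   # unknown options are skipped, as 4.6 requires
    return ra


def default_gateway(ra: RouterAdvertisement):
    """What the host installs as default route (RFC 4861 6.3.4), or None."""
    if ra.router_lifetime == 0:
        return None
    return str(ra.src), ra.router_lifetime


def audit_ra(ra: RouterAdvertisement, allowed_routers) -> List[str]:
    """RA-guard style checks; an empty list means the RA is as expected."""
    findings = []
    if not ra.src.is_link_local:
        findings.append("RA source is not link-local; hosts must drop it (6.1.2)")
    gw = default_gateway(ra)
    allowed = {str(ipaddress.IPv6Address(a)) for a in allowed_routers}
    if gw and gw[0] not in allowed:
        findings.append(f"unexpected default router {gw[0]} (lifetime {gw[1]}s)")
    for p in ra.prefixes:
        if p.autonomous and p.prefix.prefixlen != 64:
            findings.append(f"{p.prefix}: A flag set on a non-/64 prefix, SLAAC cannot use it")
    return findings


def build_ra(lifetime: int, flags: int, prefixes, lladdr: Optional[str] = None) -> bytes:
    """Assemble an RA payload for the constructed sample (checksum left 0; it
    covers the IPv6 pseudo-header and parse_ra does not verify it)."""
    pkt = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, flags, lifetime, 0, 0)
    if lladdr:
        pkt += bytes([OPT_SOURCE_LLADDR, 1]) + bytes.fromhex(lladdr.replace(":", ""))
    for net, pflags, valid, preferred in prefixes:
        n = ipaddress.IPv6Network(net)
        pkt += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, n.prefixlen, pflags, valid, preferred, 0)
        pkt += n.network_address.packed
    return pkt


# Constructed sample: gateway fe80::1 announces itself for 30 minutes, sets M
# (addresses via DHCPv6) and carries an on-link /80 with the A flag cleared,
# i.e. the setup described in the thread. 2001:db8::/32 is documentation space.
SAMPLE_SRC = "fe80::1"
SAMPLE_RA = build_ra(1800, 0x80, [("2001:db8:0:4::/80", 0x80, 86400, 14400)],
                     lladdr="02:00:00:00:00:01")

if __name__ == "__main__":
    ra = parse_ra(SAMPLE_SRC, SAMPLE_RA)
    print("default gateway:", default_gateway(ra))
    print("prefixes:", [(str(p.prefix), p.on_link, p.autonomous) for p in ra.prefixes])
    print("findings:", audit_ra(ra, ["fe80::1"]))
```

On a real host one would feed parse_ra the ICMPv6 payload of a captured RA together with the packet's IPv6 source; the allowed-router set is the operator's own list of legitimate gateway link-local addresses, which is exactly the value radvd puts into the RA source and therefore the value a client ends up with in "ip -6 route".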
