> I have a setup in mind and wonder whether dnsmasq is the correct tool (since I
> have not found the necessary functionality in the documentation yet).
> We have a /56 IPv6 network, and plan to use pure DHCPv6 (no stateless
> autoconfiguration) in several /64 networks.

That's perfect. Looks much like a standard German DSL account. 😊

> There are several subnets (currently NATed IPv4), such as — for example — a
> WireGuard VPN network, or a local isolated subnet.
> While with IPv4, the answer was the use of private addresses and NAT every
> time, potentially using a DHCP forwarder, for IPv6, the answer should be to use
> Global Unicast addresses everywhere (right?).
> How do I approach this correctly?

That's very easy because you have a /56 net.

> Three options come to mind to handle such subnets:
> - Use ULAs and NAT (but that does not feel like IPv6...).

No no no, bad idea and very stupid for such a large network.

> - Delegate a prefix from the large network (where we'd use dnsmasq) to the
> "gateway" machine, which then would be a router.
>   However, I am not aware if dnsmasq can delegate prefixes?

This should all be done on the central router. For each subnet you have a 
separate dnsmasq.

> - Use ProxyNDP (via ndppd or Linux kernel functionality). But I'm not sure if
> that scales well to a larger number of machines?

No need to do that (see below). ProxyNDP is only needed if you want to delegate
some global addresses to devices that are in the same subnet but behind another
machine (MAC address). You don't need this. All can be done with plain simple

> - Use static routes on the central machine which send the /64 subnet to the
> "gateways" and use dnsmasq on the gateways.

That's the way to go and it will just work! Explanation:

The provider delegates a /56 prefix to you. How this is done depends, but for
DSL (dynamic) or also at Hetzner (static) the whole thing works on the link-level
addresses. For DSL you have the PPP daemon, which gets a link-local address
on the end point assigned. For DSL you get a prefix delegated using DHCP-PD
(prefix delegation); for static routes (e.g., Hetzner) you get all traffic
routed to the link-local address of your router (that's derived from the MAC
address of the router known to the provider).

On the router you just assign the subnets and their primary address (....:1) to
a separate interface or VLAN in portions of /64. The Linux kernel will then
just automatically route all incoming packets from the WAN interface (PPP or
Ethernet) to the correct (virtual) network adaptor. On each of those network
adaptors you have a dnsmasq listening.

Just a recommendation: I'd NOT go with DHCPv6, as no Chromebook or Android
device supports it. I'd go for SLAAC. Very easy. As you can set up a separate
/64 subnet (up to 256 of them), you have enough flexibility to handle all of
them in a separate network with full /64 SLAAC address space. Each of those
networks has firewalling on the router box and is delegated to the network
switch, e.g. via VLANs.

If you are interested in how to set up the Prefix Delegation with PPP, just ask.
The usual howtos seen on the internet with wide-dhcpd are outdated, not very
modern, and rely on a broken tool which should not be used anymore. The
correct way for that is the "dhcpcd" client daemon listening on the PPP interface
and waiting for DHCP-PD packets. The dhcpcd config file can then automatically
split the delegated /56 network and assign it to various real/virtual
interfaces, each with a /64 subnet, where a separate dnsmasq is handling
everything. No hacks needed, just plain routing on the box (it's enough to enable
IP forwarding unless you want to firewall). All on a single box. I have set
this up multiple times.
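As an added illustration of the setup the reply describes (not the author's own configuration), below is a dhcpcd prefix-delegation split plus a per-interface dnsmasq SLAAC instance; interface names ppp0, lan0, lan1, wg0 and the file paths are assumptions.

```conf
# /etc/dhcpcd.conf on the central router (assumed path and interface names:
# ppp0 = PPPoE uplink, lan0/lan1/wg0 = per-subnet VLAN/virtual interfaces).
noipv6rs                     # LAN ports must not accept router advertisements
interface ppp0
  ipv6rs                     # uplink: take the provider's RA for the default route
  ia_na 1                    # IAID 1: a plain WAN address (optional)
  # IAID 2: request a /56 and split it by site-level aggregator id:
  # <iface>/<sla_id>/<prefix_len> -> <delegated>:00<sla_id>::1/64 on that iface
  ia_pd 2/::/56 lan0/0/64 lan1/1/64 wg0/2/64

# /etc/dnsmasq.d/lan0.conf (assumed path): one dnsmasq instance per interface,
# copied for lan1 and wg0 with the interface name changed. SLAAC only, no DHCPv6.
interface=lan0
bind-interfaces              # no wildcard bind, so the instances can coexist
enable-ra                    # this dnsmasq sends the router advertisements
# "constructor:" derives the announced /64 from the address dhcpcd put on lan0,
# so nothing here changes when the provider delegates a different /56.
dhcp-range=::,constructor:lan0,ra-only

# /etc/sysctl.d/40-ipv6-forward.conf (assumed path): the routing itself.
# Every subnet now carries global addresses, so inbound filtering on ppp0
# (e.g. nftables, not shown) is what replaces the protection NAT used to give.
net.ipv6.conf.all.forwarding = 1
```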


Dnsmasq-discuss mailing list