Am 12.04.20 um 20:12 schrieb Uwe Schindler:
> Hi,
>> thanks for the elaborate reply!
> No problem!

and thanks again :-). 

>> There's a slightly more special case for us: We have one central firewall 
>> (which
>> gets the full /56 net on the upstream interface routed to it) and most 
>> gateways
>> are separate nodes
>> (i.e. most VLANs are not connected to the central FW).
>> So I believe in that case I just need an ip6tables rule (per /64 subnet) on 
>> the
>> central firewall to redirect all traffic to the gateway for the /64 subnet, 
>> right?
> It's important to don't have the /56 or /64 network assigned to an interface 
> on the router (otherwise you would need proxyNDP)! 

Noted. Indeed, that's reasonable, and achieved by design for those VLANs not 
connected to the central router ;-). 

> If it's prefix delegation, don't assign the 64 or 54 subnet to any interface 
> on the main router, just bring interfaces up and assign link-local-addresses 
> to them! On the central firewall just do routing with link-local addresses 
> (basically, this subnet goes to this adaptor and this mac address - as link 
> local addresses are basically MAC addresses). Of course the packet filtering 
> uses the global addresses, but the routing is done with link-local.
> The router box gets the packets from the provider all delegated to its own 
> link-local address of the upstream interface (that's what most providers do, 
> including DSL providers with PPP or servers in data centers like Hetzner). So 
> all incoming packets are sent to the same fe80:XXXX address based on the MAC 
> known to upstream or negotiated via PPP and the router just forwards them 
> based on the global address inside of the packets.

In our case, they waste a dedicated /64 global address network for the 
connection network between our firewall and their endpoint... That also works, 
but it's rather wasteful of course ;-). 

> In the routing table of the main firewall you just add entries like global 
> subnetA/64 goes to link-local address fe80:xxxx on interface XY, and so on. 
> If you don't like the automatic assigned link-local-addresses based on the 
> mac interface you can easily change them. In my office I have the router 
> assigned fe80::1, you could assign fe80::2, fe80::3 to the secondary 
> routers's network interfaces and then routing tables look easy:
> 2001:abcd:1234:1::/64 => fe80::2@en1
> 2001:abcd:1234:2::/64 => fe80::3@en1
> 2001:abcd:1234:3::/64 => fe80::4@en1.24 (a VLAN #24 on en1)
> 2001:abcd:1234:3::/64 => fe80::4@en2 (other network interface)
> Fe80::2, 3, 4 are the separate boxes which route the traffic and have the 
> dnsmasq. If you don't want to use fe80 link-local addresses, you can use 
> ULAs, but for routing purposes the link-local ones with interface name are 
> the easiest.

Thanks, that example clarified it for me. Good thinking in using the link-local 
addresses here, that's completely sufficient. It really helps to talk about 
these things to clear up my mind from the IPv4 legacy of thinking. 

> Another idea is to use one of the /64 subnets as the "inter-router" 
> communication, but that's not needed for IPv6, because we have 
> link-local-addresses for that purpose!
> On the internal routers you only assign the full global 64 subnet to the 
> client facing network adaptors. The connection to the router uses a 
> link-local address only (as described before). No additional firewalling is 
> needed, you just need to setup routing entries like above (the other way 
> round).

Thanks, that cleared up my last question completely. Now I just have to explain 
my colleagues and we can start implementing that in the next weeks (in slow 
steps, but it seems much more straightforward than I thought) :-). 

>>> Just some recommendation: I'd NOT go with DHCPv6, as no Chromebook or
>> Android device supports it. I'd go for SLAAC. Very easy. As you can setup a
>> separate /64 subnet (up to 256 of them), you have enough flexibility to 
>> handle
>> all of them in a separate network with full /64 SLAAC address space. Each of
>> those networks have firewalling on the router box and are delegate to the
>> network switch .e.g, via VLANs.
>> I know (while I knew about Android, good point about the Chromebooks!). Our
>> main usecase is addressing of Linux servers (i.e. there will only be "DHCP
>> reserved" entries).
>> Indeed, for a general purpose network (one of those /64s), we need to think
>> whether we'll go with DHCPv6 (and lose Android and Chromebooks) or really
>> stay with DHCPv6. For now, I'll plan with DHCPv6 ;-).
> No problem. You can have both, depending on subnet.
> Uwe

Cheers and thanks again,

Dnsmasq-discuss mailing list

Reply via email to