On Thu, Feb 12, 2026 at 01:16:11AM +0000, H. Hartzer wrote:
> Hi misc@,
>
> I have a bit of an unusual desire.
>
> I have one main router with IPv4 and IPv6.
>
> There are "routers" beneath it with only IPv6.
>
> Under those routers are servers, some of which I want to have IPv4
> connectivity.
>
> I want them to be directly assigned a real WAN address -- no NATing of
> any type. I want the IPv4 connectivity to be established via a tunnel.
>
> So the server will have its "physical" interface with only IPv6, and a
> "wg1" interface with IPv4 that connects to 0.0.0.0/0.
>
> What comes to mind is a gif tunnel, but there is a problem. A gif tunnel
> is point to point, so if I have a /28, I can only give IPv4 to one
> server. I'd prefer not to break up the /28 and waste a bunch of IPs in
> the process, turning it into several /30s.
>
> What seems to work, but is wasteful, is Wireguard. Wireguard lets me box
> in the IPs nicely, so my servers can't spoof another server. It lets me
> work with multiple connections easily.
>
> Perhaps it's possible to do multiple gif (or hundreds of gif?) with
> rdomain? I haven't used rdomain and I'm a little leery of opening some
> Pandora's Box.
>
> Maybe there's another option?

there's a lot to work through here.

the most important detail is how your /28 is delivered to you.
hopefully your ISP routes the /28 to you rather than expecting you to
put all the hosts using that IP on the link to the ISP. if it's the
latter and you want a single firewall facing the ISP, then you'll need
proxy arp, but our (OpenBSD's) implementation isn't in good shape at
the moment.

if they route the /28 to you, then you can split up the IPs and route
them independently. ie, you don't need to use /30s and burn up the
provided ips on links between the hosts. this is especially true for
point to point links (like gif) where the ips on each end can be
discontiguous.

eg, let's assume the ISP talks to your router with a public ip on your
wan interface, and routes 203.0.113.0/28 to you via that ip.

if that is the situation, then you could just put the /28 on a common
ethernet network all your backend hosts sit on. you will lose 2 of the
IPs in the /28 to the broadcast and network address though.

if you want the router to act as a hub and your hosts as spokes so all
ipv4 communication goes through the router, you could do something like
this with gif interfaces over v6:

    router# cat /etc/hostname.gif1
    tunnel fd40:6ed3:97ff::1:0 fd40:6ed3:97ff::1
    inet 169.254.0.1 255.255.255.255 203.0.113.1
    up

    router# cat /etc/hostname.gif2
    tunnel fd40:6ed3:97ff::1:0 fd40:6ed3:97ff::2
    inet 169.254.0.2 255.255.255.255 203.0.113.2
    up

then on the hosts:

    host1# cat /etc/hostname.gif1
    tunnel fd40:6ed3:97ff::1 fd40:6ed3:97ff::1:0
    inet 203.0.113.1 255.255.255.255 169.254.0.1
    up
    host1# cat /etc/mygate
    169.254.0.1

    host2# cat /etc/hostname.gif2
    tunnel fd40:6ed3:97ff::2 fd40:6ed3:97ff::1:0
    inet 203.0.113.2 255.255.255.255 169.254.0.2
    up
    host2# cat /etc/mygate
    169.254.0.2

if you want the router to use one of these ips too, you can assign it
to a loopback interface:

    router# cat /etc/hostname.lo1
    inet 203.0.113.0 255.255.255.255
    up

there are a lot of alternatives to this too though.

>
> Thank you!
>
> -Henrich
>
> PS: Does anyone know if anything has come of this ARP Proxy patch? I ran
> into this issue today.
> https://marc.info/?l=openbsd-tech&m=159684898502125&w=2

like i said, hopefully you don't need proxy arp. if you do, it might be
easier to (ab)use https://github.com/eait-itig/commarp. i know it says
it's intended for use in a pvlan setup, but i don't think the other IPs
in the /28 need to be on the same link for it to work.

so if you are supposed to have all the IPs in your /28 on the wan link,
you'd set up the gif tunnels like above, but you'd need a config like
this on your external interface. maybe that's em0. i'm going to assume
your /28 is part of a much larger prefix used on that link so you can
use all the IPs you were allocated.

    router# cat /etc/hostname.em0
    inet 203.0.113.0 255.255.0.0
    up

    router# cat /etc/commarp.conf
    interface em0 {
            allow 203.0.113.1 - 203.0.113.15
    }
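
The hub-and-spoke gif layout from the reply above, generalised from two spokes to any of 1-15, as an added example that is not part of the original message. The function names, the output directory layout and the choice of hex(N) for each spoke's IPv6 tunnel address are assumptions; the addresses are the message's example values.

```sh
#!/bin/sh
# Added example: generate the hostname.gifN / mygate contents for the
# hub-and-spoke layout in the message, one tunnel per spoke.
V4_NET="203.0.113"               # routed /28 is 203.0.113.0/28
LINK_NET="169.254.0"             # router-side inner address per tunnel
ROUTER_V6="fd40:6ed3:97ff::1:0"  # router's tunnel endpoint
HOST_V6="fd40:6ed3:97ff::"       # assumption: spoke N is this prefix + hex(N)

# Spokes 1-15 only: .0 is kept for the router's lo1, .15 ends the /28.
valid_spoke() {
    case "$1" in
        ''|*[!0-9]*|0*|???*) return 1 ;;  # empty, non-digit, leading 0, too long
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 15 ]
}

router_gif() {   # contents of the router's /etc/hostname.gifN
    valid_spoke "$1" || { echo "spoke must be 1-15" >&2; return 1; }
    printf 'tunnel %s %s%x\n' "$ROUTER_V6" "$HOST_V6" "$1"
    printf 'inet %s.%d 255.255.255.255 %s.%d\nup\n' "$LINK_NET" "$1" "$V4_NET" "$1"
}

host_gif() {     # contents of spoke N's /etc/hostname.gifN
    valid_spoke "$1" || { echo "spoke must be 1-15" >&2; return 1; }
    printf 'tunnel %s%x %s\n' "$HOST_V6" "$1" "$ROUTER_V6"
    printf 'inet %s.%d 255.255.255.255 %s.%d\nup\n' "$V4_NET" "$1" "$LINK_NET" "$1"
}

host_mygate() {  # contents of spoke N's /etc/mygate
    valid_spoke "$1" || { echo "spoke must be 1-15" >&2; return 1; }
    printf '%s.%d\n' "$LINK_NET" "$1"
}

gen_all() {      # gen_all DIR COUNT: write files for spokes 1..COUNT under DIR
    valid_spoke "$2" || { echo "count must be 1-15" >&2; return 1; }
    n=1
    while [ "$n" -le "$2" ]; do
        mkdir -p "$1/router" "$1/host$n"
        router_gif "$n" > "$1/router/hostname.gif$n"
        host_gif "$n" > "$1/host$n/hostname.gif$n"
        host_mygate "$n" > "$1/host$n/mygate"
        n=$((n + 1))
    done
}

# Usage: sh gengif.sh OUTDIR COUNT  (review the files before copying to /etc)
if [ "$#" -eq 2 ]; then gen_all "$1" "$2"; fi
```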

