On Jan 6, 2008, at 11:09 AM, Good Good wrote:
> Hello,
> My ISP (free.fr) now offers me native IPv6 connectivity.
> I wish to implement this functionality on my network, shown here:
>    Switch        Firewall        ISP Box     ISP Network/
>                                              Internet
>  __          ___             ___           ___
> |PC1|-------|   |   vr0     |   |   vr1   |   |
> |  x|-------|   |-----------|   |---------|   |----------O
> |PC2|-------|___|           |___|         |___|
> Here is some information:
> - the ISP box is running as a bridge;
> - the firewall is running OpenBSD 4.1 GENERIC#1435 i386 (upgrade to 4.2 not yet done);
> - workstations are running Win XP;
> - pf rules are quite simple (just filtering and NAT for IPv4);
> - my ISP provided me an IPv6 address of the type 2a01:5d8:X:X::/64
> The problem:
> The /64 provided by my ISP is made to fuel only one ethernet segment and no more.
They're not willing to route a /64 to you?
> So, it is not possible to route a part of the /64 to another ethernet segment (the private segment).
> One solution:
> The firewall NATs IPv4 traffic and bridges IPv6 traffic, as here:
>    Switch        Firewall        ISP Box     ISP Network/
>                                              Internet
>  __          ___             ___           ___
> |PC1|-------|   |   vr0     |   |   vr1   |   |
> |  x|-------|   |-----+-----|   |----+----|   |----------O
> |PC2|-------|___|     |     |___|    |    |___|
>                       |              |
>                       |   bridge0    |
>                       +--------------+
>                       IPv6 bridge only
> Some clues:
> I found some clues on the following web site, where my need is summarized.
> An English translation -> http://64.233.179.104/translate_c?hl=fr&ie=UTF-8&oe=UTF-8&langpair=fr%7Cen&u=http://www.ip6.fr/free-broute/&prev=/language_tools
> The original French link -> http://ip6.fr/free-broute/
> Second problem:
> The author of the previously quoted web site is running under Linux.
> Here are the commands used:
>     brctl addbr br0
>     ifconfig br0 up
>     brctl addif br0 eth0
>     brctl addif br0 eth1
>     ebtables -t broute -A BROUTING -p ! ipv6 -j DROP
> The magic command is "ebtables -t broute -A BROUTING -p ! ipv6 -j DROP".
> Questions:
> 1) Did you understand my problems? :)
Kind of. My understanding is you want to know if you can just accept
the /64 traffic, and simply pass it through the firewall, while it's
acting as a NAT for IPv4 traffic. My inclination is "no, that's not
possible." I suspect it can be done though.
> 2) Is it the right solution to bridge only IPv6 traffic (I hope for it)?
I think you could redirect v6 traffic from the external interface to
the internal one. My concern is that you bypass the firewall. You may
want to simply bridge, but I'd filter IPv6 just as much as IPv4.
> 3) The most important question: how to do this type of bridging under OpenBSD (without ebtables)?
brconfig(8) would configure the bridges, but I believe you'd be pretty
much screwed on the routing and NAT once you do that.
You could bridge between the external interface, an internal tun/gif,
and the internal interface, then route all v6 traffic to the tun/gif.
It'd require some interesting work with route(8), though.
> According to the man page, "brconfig" can only perform layer 2 filtering.
Just a thought, you could set up a non-bridging "route" label in pf,
forwarding all IPv6 traffic to a bridged "virtual" interface with the
internal interface. It's horribly complex, even in just thinking it out.
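One concrete way to do what the reply sketches (bridge vr0 and vr1 so the ISP's /64 reaches the PCs, keep IPv4 NAT on the routed path, and still filter IPv6 rather than just passing it), written as an added example for this thread; it is not the original poster's configuration, nor the ip6.fr author's. It assumes OpenBSD 4.1/4.2 pf.conf syntax (translation rules before filter rules, "keep state" as the default, "no state" to opt out), that bridge(4) runs pf on IP packets crossing the member interfaces, a constructed LAN prefix 192.168.1.0/24, and a placeholder in place of the real 2a01:5d8:X:X::/64. Frames addressed to the firewall's own MAC (the PCs' IPv4 default gateway) are handed to the IP stack and routed/NATed as before; everything else is bridged and filtered by pf on each member.

```conf
# ---- /etc/hostname.bridge0  (OpenBSD 4.x: brconfig(8) keywords, one per line) ----
# vr0 faces the switch, vr1 faces the ISP box.
add vr0
add vr1
up

# ---- /etc/pf.conf  (OpenBSD 4.1/4.2 syntax) ----
int_if  = "vr0"
ext_if  = "vr1"
int_net = "192.168.1.0/24"           # constructed example LAN
v6_net  = "2a01:5d8:XXXX:XXXX::/64"  # PLACEHOLDER for the ISP-assigned /64

# IPv4 destinations that must never be bridged toward the ISP segment:
# limited broadcast, multicast and the private LAN itself.
table <nobridge4> const { 255.255.255.255, 224.0.0.0/4, $int_net }

set skip on lo0
scrub in all

# IPv4 NAT for traffic the PCs route through the firewall.
nat on $ext_if inet from $int_net to ! <nobridge4> -> ($ext_if)

block log all

# --- IPv4: routed path only --------------------------------------------
# LAN hosts may talk to the firewall itself and, via NAT, to the outside.
pass in  on $int_if inet from $int_net to ($int_if) keep state
pass in  on $int_if inet from $int_net to ! <nobridge4> keep state
pass out on $ext_if inet from ($ext_if) keep state
# Belt and braces: IPv4 frames the bridge would flood toward the ISP box
# (DHCP discovers, NetBIOS/SSDP broadcasts, unknown-unicast LAN traffic).
block out quick on $ext_if inet to <nobridge4>

# --- IPv6: bridged path, filtered on the external member only ----------
# Pass v6 untouched on vr0 so each packet is tracked exactly once, on vr1.
pass quick on $int_if inet6 no state

# Neighbour discovery both ways; router advertisements are accepted from
# the ISP side only, so a rogue RA on the LAN never reaches the ISP segment.
pass in  quick on $ext_if inet6 proto ipv6-icmp \
    icmp6-type { routeradv, neighbrsol, neighbradv } no state
pass out quick on $ext_if inet6 proto ipv6-icmp \
    icmp6-type { routersol, neighbrsol, neighbradv } no state

# Everything else over IPv6: only sessions initiated from the LAN prefix.
# Any inbound service would need its own explicit "pass in on $ext_if inet6" rule.
pass out on $ext_if inet6 from $v6_net keep state
```

What this does not give you is the full equivalent of the ebtables BROUTING rule: pf only sees IP packets, and bridge rules in brconfig(8) of that era match on MAC addresses, not on ethertype, so non-IP frames (ARP and the like) from the private segment are still bridged toward the ISP box. If that leak matters, the only remedy on this setup is to keep the IPv4 side on a physically separate segment; otherwise the rules above at least keep IPv4 broadcasts, multicast and LAN traffic off the ISP segment and keep IPv6 stateful in the direction the reply asked for.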