On 07.01.2017 at 18:11, Tom Eastep wrote:
> I have two providers, IPv6Beta and HE.
> 
> /etc/shorewall6/shorewall6.conf:
> 
> USE_DEFAULT_RT=Yes
> 
> /etc/shorewall6/providers:
> 
> IPv6Beta 1 0x100 -     eth0   fe80::22e5:2aff:feb7:f2cf\
>                                        track,primary,loose,persistent
> HE       2 0x200 -     sit1   -        track,fallback,persistent
> 
> Most local networks have IPv6 addresses delegated by the router on
> eth0 and are in 2601:601:8b00:bf0::/60 (as is the address of eth0)
> 
> I have one local network that has addresses routed via sit1
> (2001:470:b:227::/64). The IP address of sit1 is 2001:470:a:227::2
> 
> /etc/shorewall6/snat:
> 
> SNAT(&sit1)     2601:601:8b00:bf0::/60                 sit1
> SNAT(&eth0)     2001:470:b:227::/64,2001:470:a:227::2  eth0
> 
> When I was running a version of Shorewall that still used the masq
> file, the corresponding entries were:
> 
> sit1     2601:601:8b00:bf0::/60                  &sit1
> IPv6Beta 2001:470:b:227::/64,2001:470:a:227::2   &eth0
> 
> /etc/shorewall6/rtrules:
> 
> 2001:470:B:227::/64   ::/0                    HE              11000
> 2601:601:8b00:bf0::/60        ::/0                    IPv6Beta        11000

ok, npt is ugly because it is stateless. it runs with shorewall, but is
really bad.

in shorewall (ipv4) i have a multi-homing setup with two providers.
the configuration in /etc/shorewall/mangle decides which
destination (ip/port) should connect over which provider. an
/etc/shorewall/rtrules doesn't exist.

256 (0x100): Provider A
512 (0x200): Provider B

/etc/shorewall/mangle:
MARK(512):P     10.0.0.0/11     0.0.0.0/0       -       -
MARK(256):P     10.0.0.0/11     0.0.0.0/0       tcp     22,47238,52486
MARK(256):P     10.0.0.0/11     1.1.1.1         tcp     80,443
MARK(256):P     10.0.0.0/11     2.2.2.2         tcp     80,443
MARK(256):P     10.0.0.0/11     3.3.3.3         -       -
MARK(256):P     10.0.0.0/11     4.4.4.4         -       -
MARK(256):P     10.1.2.1        5.5.5.5         -       -

now i would like to have this for ipv6 with an internal prefix
(fdae:fa7:dead:beef::/64) and two provider prefixes
(2001:aaaa:bbbb:100::/64 and 2a02:cccc:dddd:eeee::/64).

is it possible with your snat solution?
which other solutions (stateful) are possible?
