On 01/07/2017 07:57 PM, Luke Jordan wrote:
> On 07.01.2017 at 18:11, Tom Eastep wrote:
>> I have two providers, IPv6Beta and HE.
>>
>> /etc/shorewall6/shorewall6.conf:
>>
>> USE_DEFAULT_RT=Yes
>>
>> /etc/shorewall6/providers:
>>
>> IPv6Beta 1 0x100 - eth0 fe80::22e5:2aff:feb7:f2cf\
>>     track,primary,loose,persistent
>> HE 2 0x200 - sit1 - track,fallback,persistent
>>
>> Most local networks have IPv6 addresses delegated by the router
>> on eth0 and are in 2601:601:8b00:bf0::/60 (as is the address of
>> eth0)
>>
>> I have one local network that has addresses routed via sit1
>> (2001:470:b:227::/64). The IP address of sit1 is
>> 2001:470:a:227::2
>>
>> /etc/shorewall6/snat:
>>
>> SNAT(&sit1) 2601:601:8b00:bf0::/60 sit1
>> SNAT(&eth0) 2001:470:b:227::/64,2001:470:a:227::2 eth0
>>
>> When I was running a version of Shorewall that still used the
>> masq file, the corresponding entries were:
>>
>> sit1 2601:601:8b00:bf0::/60 &sit1
>> IPv6Beta 2001:470:b:227::/64,2001:470:a:227::2 &eth0
>>
>> /etc/shorewall6/rtrules:
>>
>> 2001:470:B:227::/64 ::/0 HE 11000
>> 2601:601:8b00:bf0::/60 ::/0 IPv6Beta 11000
>
> OK, NPT is ugly because it is stateless. It runs with Shorewall, but
> it is really bad.
>
> In Shorewall (IPv4) I have a multi-homing setup with two providers.
> The configuration in /etc/shorewall/mangle determines which
> destination (IP/port) should connect over which provider. An
> /etc/shorewall/rtrules does not exist.
>
> 256 (0x100): Provider A
> 512 (0x200): Provider B
>
> /etc/shorewall/mangle:
>
> MARK(512):P 10.0.0.0/11 0.0.0.0/0 - -
> MARK(256):P 10.0.0.0/11 0.0.0.0/0 tcp 22,47238,52486
> MARK(256):P 10.0.0.0/11 1.1.1.1 tcp 80,443
> MARK(256):P 10.0.0.0/11 2.2.2.2 tcp 80,443
> MARK(256):P 10.0.0.0/11 3.3.3.3 - -
> MARK(256):P 10.0.0.0/11 4.4.4.4 - -
> MARK(256):P 10.1.2.1 5.5.5.5 - -
>
> Now I would like to have this for IPv6 with an internal prefix
> (fdae:fa7:dead:beef::/64) and two provider prefixes
> (2001:aaaa:bbbb:100::/64 and 2a02:cccc:dddd:eeee::/64).
>
> Is this possible with your snat solution?
Yes. You do it the same way that you do it in IPv4.

> Which other solutions (stateful) are possible?

There is stateful NETMAP available in Shorewall 5.1.0, but that requires
both upstream routers to delegate a subnet to the Shorewall box (given how
restricted proxy NDP is compared to proxy ARP).

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
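The IPv6 version of the mangle-plus-snat setup that Tom says works "the same way as in IPv4", written out as an added example; this is not configuration from the thread or from the Shorewall project. It reuses Luke's mark values (0x100 = Provider A, 0x200 = Provider B), his internal prefix and his rule shape. The provider names provA/provB, the interface names eth1/eth2, the fe80::1 gateways and the destination 2001:db8::1 (documentation prefix, standing in for 1.1.1.1) are assumptions; it also assumes eth1 carries an address from 2001:aaaa:bbbb:100::/64 and eth2 one from 2a02:cccc:dddd:eeee::/64.

```text
# /etc/shorewall6/shorewall6.conf (relevant setting only, as in Tom's setup)
USE_DEFAULT_RT=Yes

# /etc/shorewall6/providers
# Marks reuse Luke's IPv4 values. Interface names and gateways are placeholders.
#NAME   NUMBER  MARK   DUPLICATE  INTERFACE  GATEWAY   OPTIONS
provA   1       0x100  -          eth1       fe80::1   track,primary,persistent
provB   2       0x200  -          eth2       fe80::1   track,fallback,persistent

# /etc/shorewall6/mangle
# Same policy as the IPv4 file: everything from the internal prefix is
# marked for Provider B, then the listed destinations/ports are re-marked
# for Provider A (a later MARK rule overrides an earlier one).
#ACTION        SOURCE                    DEST          PROTO  DPORT
MARK(0x200):P  fdae:fa7:dead:beef::/64   ::/0          -      -
MARK(0x100):P  fdae:fa7:dead:beef::/64   ::/0          tcp    22,47238,52486
MARK(0x100):P  fdae:fa7:dead:beef::/64   2001:db8::1   tcp    80,443

# /etc/shorewall6/snat
# One entry per egress interface (DEST column), mirroring Tom's SNAT(&sit1)
# form: &eth1 / &eth2 expand to that interface's address, which lies in
# the matching provider prefix (2001:aaaa:bbbb:100::/64 on eth1,
# 2a02:cccc:dddd:eeee::/64 on eth2).
#ACTION       SOURCE                    DEST
SNAT(&eth1)   fdae:fa7:dead:beef::/64   eth1
SNAT(&eth2)   fdae:fa7:dead:beef::/64   eth2
```

The two files divide the work: the mark set in mangle selects the provider (and so the egress interface), and the snat entry keyed on that interface rewrites the source so every packet leaves with an address inside the prefix of the provider it is routed through, which matters because upstreams will drop packets sourced from the other provider's prefix. Because this is SNAT, the translation lives in the connection-tracking entry and replies are matched back automatically; that is the stateful behaviour Luke was missing with NPT. Run `shorewall6 check` before `shorewall6 restart` to have the compiler validate the column layout.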
