I have a bit of a complicated network setup (*) where a WAN router connects to the upstream provider and provides an "external LAN" (where I actually have some services), and another local router has its external leg on the "external LAN" and provides an "internal LAN" (where most nodes are connected and there's also a DMZ host). IPv4 clients on the "internal LAN" are double NATed and it works well enough for my needs (the DMZ setup also works well with the internal router set as the "DMZ host" for the WAN router).
Now the WAN router has been upgraded with an IPv6 connection and the "external LAN" is provided with a 56 bit network - let's call it 2001:db8:2:300::. Hosts on the "external LAN" can DHCPv6 and get a 64 bit network address assigned to them and it works.
I want to have the internal router - which is running dnsmasq for network management - offer IPv6 to the internal clients. I have selected a valid 64 bit network inside the "external LAN" 56 bit network - let's call it 2001:db8:2:333:: - and have set up the internal router's "internal LAN" leg with the ::1 of that network. I had then set up dnsmasq to offer DHCPv6 on the "internal LAN" using:
enable-ra
dhcp-range=::2, ::FFFF:FFFF, constructor:vlan4, ra-names, 64, 12h
(on the internal router, vlan2 is the "external LAN" and vlan4 is the "internal LAN")
I can now connect an "internal LAN" client, get an IPv6 address and ping the internal router. When I ping anything outside of that - such as the WAN router's internal IPv6 gateway port - I don't get a reply. Pings and connections from the internal router itself work well. I can trace an ICMP packet on the internal router and see it going out of the correct interface, but no reply is received.
As far as I understand, the WAN router doesn't understand where to send replies to hosts in 2001:db8:2:333:: as it thinks they should be directly connected on its LAN, but they aren't actually there.
I think I should have the internal router send Router Advertisements for 2001:db8:2:333:: to the WAN router? I tried to get dnsmasq to do it by adding:
interface=vlan2
dhcp-range=2001:db8:2:300:1234:5678:abcd:100,2001:db8:2:300:1234:5678:abcd:400,ra-only,infinite
But that doesn't work because clearly I have no idea what I'm doing.
A network expert that I managed to get 30 seconds of attention from said that I need to have the internal router be a DHCPv6 relay towards the WAN router, so that the WAN router can allocate addresses to the internal clients and know to route to them through the internal router - but I can't figure out how to get dnsmasq to do that while keeping IPv4 DHCP running as it is, as the dnsmasq man page says that you can't have dhcp-relay and dhcp-range on the same interface.
I would love to try any suggestion and/or be taught about IPv6 because while I'm pretty good at IPv4 networks, IPv6 is clearly a bit over my head.
*) This weird setup is mostly due to issues of trust and control of the WAN router, which are out of scope of this issue, so if your only suggestion is to change that setup - please don't.
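As an added illustration of the on-link versus routed distinction the question turns on (this is example code, not part of the original post), the snippet below models the WAN router's forwarding decision with a minimal longest-prefix-match lookup: with only the on-link /56, a reply to an internal client is resolved with NDP on the external LAN and goes nowhere; with a more specific /64 route pointing at the internal router, it is forwarded to that next hop. The internal router's external address 2001:db8:2:300::beef is an assumed placeholder.

```python
import ipaddress

# Prefixes from the post; the next-hop address is a constructed placeholder.
WAN_LAN_PREFIX = ipaddress.ip_network("2001:db8:2:300::/56")      # "external LAN", on-link for the WAN router
INTERNAL_PREFIX = ipaddress.ip_network("2001:db8:2:333::/64")     # "internal LAN" behind the internal router
INTERNAL_ROUTER_EXT = ipaddress.ip_address("2001:db8:2:300::beef")  # assumed: internal router's vlan2 leg


def lookup(routes, dst):
    """Return the most specific (longest prefix) route matching dst.

    routes: list of (network, next_hop); next_hop is None for an on-link route.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for net, next_hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def describe(routes, dst):
    """Human-readable forwarding decision for dst under the given table."""
    match = lookup(routes, dst)
    if match is None:
        return "no route"
    net, next_hop = match
    if next_hop is None:
        # On-link: the router tries to resolve dst with Neighbor Discovery
        # on that interface instead of forwarding it to another router.
        return f"on-link ({net}): resolve {dst} with NDP on the external LAN"
    return f"forward via next-hop {next_hop} ({net})"


# Before: the WAN router only knows that the whole /56 is directly attached.
BEFORE = [(WAN_LAN_PREFIX, None)]
# After: a more specific route for the internal /64 via the internal router.
AFTER = BEFORE + [(INTERNAL_PREFIX, INTERNAL_ROUTER_EXT)]

if __name__ == "__main__":
    client = "2001:db8:2:333::10"   # constructed internal-LAN client address
    print("before:", describe(BEFORE, client))
    print("after: ", describe(AFTER, client))
```

Hosts that really are on the external LAN (e.g. 2001:db8:2:300::5) still match only the on-link /56 after the more specific route is added, so their traffic is unaffected.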