5

I've the following setup:

client(s)  <---> (eth0) router (eth1) <---> wan

I have a static IPv4 address and a /48 IPv6 address block. I need to connect all the clients to (wan). Each client will have its own public IPv6. Meanwhile, I need to NAT those same clients over to (wan).

Everything IPv4-related and the NAT are working fine. The IPv6 communication to/from (eth0)<->(clients) works fine, as does the IPv6 communication from (eth1)<->(wan).

To provide IPv6 to all my clients, I've thought of two choices:

  • Having the router as a gateway, with a different IP on each interface. This sounds like I need to tell my ISP to route the entire block through that single IP, so it's not really an option.

  • Transparently pass IPv6 packets to/from eth0<->eth1, so all clients can communicate with the upstream gateway (I would actually have a switch here if it weren't for the need to remain IPv4 compatible).

So, since I've opted for the second choice, I'm in doubt: How can I pass all IPv6 traffic from eth0 to eth1 transparently? What I need is a level 3 bridge, but linux's bridgeutils create a level 2 bridge (which would bridge ipv4 as well, and I can't have that).

This is a DD-WRT device, but it's pretty much an embedded Linux, so most suggestions that would work on Linux are welcome.

Thanks.

WhyNotHugo

2 Answers

3

You can achieve that with proxy ARP. If I were trying to pseudo-bridge IPv4, I would do this:

echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
echo 1 > /proc/sys/net/ipv4/ip_forward

You need to set up both your NICs with the EXACT same information (ip_address, netmask and gateway). I'm not sure if DD-WRT will allow that; for sure it won't in the web UI, but it might allow you to do this from the console. Then recheck your gateway and make sure you only have the gateway pointed to the interface that goes to the ISP, something like this:

ip route del default dev eth0
ip route del default dev eth1

ip route del $LAN_NETWORK dev eth0
ip route del $LAN_NETWORK dev eth1
ip route add $DEFAULT_GATEWAY dev eth0
ip route add $LAN_NETWORK dev eth1

ip route add default via $DEFAULT_GATEWAY dev eth0

This is for an IPv4 Pseudo Bridge using Proxy-ARP, I guess you can do the same using IPv6.

On the other hand and as I said on the other question, you can still NAT IPv4 even if it's bridged in layer 2.

You would need to set up both your IPv4 public address and IPv4 LAN address on the BR0 interface, and then NAT them as I told you before:

iptables -t nat -A POSTROUTING -j SNAT -s $LAN_NETWORK --to-source $WAN_IP_ADDRESS

That would solve both your problems without the hassle of proxy arp. Problem is most of this stuff won't work from DD-WRT's interface.

As a better and cleaner alternative, you might add a subinterface on the bridge to the LAN side, something like:

ifconfig br0:1 192.168.1.1 netmask 255.255.255.0

And use the same NAT line I said above.

Radius
  • The first suggestion does not work; client# ping6 www.google.com : From 2800:40:403::7 icmp_seq=1 Destination unreachable: Address unreachable – WhyNotHugo Jun 21 '12 at 04:02
  • I'm trying to avoid bridging both networks and still running the NAT. I'm pretty sure DD-WRT will break this, or this will break the web interface. Or both. I'll definitely lose all of the web interface's functionality (it doesn't even support IPv6 on the webintf, BTW). – WhyNotHugo Jun 21 '12 at 04:04
  • Yes, you are probably better off building a cheap Intel Atom router. Proxy ARP is weird to understand and configure, sorry about it. – Radius Jun 21 '12 at 04:17
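
The IPv6 counterpart of the proxy-ARP pseudo bridge in the answer above is proxy NDP. The following is an added example, not part of the original answer: it prints, as a dry run, the commands for such a setup plus a stateful forward filter, since clients with public IPv6 addresses are not hidden behind NAT. It assumes eth0 is the LAN and eth1 the WAN as in the question's diagram, that the upstream gateway has a global address, and it uses constructed addresses from the 2001:db8::/32 documentation prefix.

```shell
#!/bin/sh
# Added example (dry run): prints commands, changes nothing on the system.
# Assumed interface roles, taken from the question's diagram.
LAN_IF=eth0
WAN_IF=eth1

# ndp_bridge_cmds UPSTREAM_GW CLIENT...
# Prints the commands that make the router answer neighbour solicitations
# on behalf of hosts that sit behind its other interface.
ndp_bridge_cmds() {
    upstream_gw=$1; shift
    echo "sysctl -w net.ipv6.conf.all.forwarding=1"
    echo "sysctl -w net.ipv6.conf.$WAN_IF.proxy_ndp=1"
    echo "sysctl -w net.ipv6.conf.$LAN_IF.proxy_ndp=1"
    for client in "$@"; do
        case $client in
            *:*) ;;   # crude sanity check: an IPv6 literal contains a colon
            *) echo "skipping non-IPv6 address: $client" >&2; continue ;;
        esac
        # Answer the upstream gateway's solicitations for this client on the WAN
        echo "ip -6 neigh add proxy $client dev $WAN_IF"
        # Host route so forwarded packets leave through the LAN interface
        echo "ip -6 route add $client/128 dev $LAN_IF"
    done
    # Answer the clients' solicitations for the gateway on the LAN side
    echo "ip -6 neigh add proxy $upstream_gw dev $LAN_IF"
    echo "ip -6 route add $upstream_gw/128 dev $WAN_IF"
    echo "ip -6 route add default via $upstream_gw dev $WAN_IF"
}

# filter_cmds
# Prints a stateful FORWARD policy: LAN may open connections outward,
# the WAN side may only send replies and ICMPv6 (needed for PMTU discovery).
filter_cmds() {
    echo "ip6tables -P FORWARD DROP"
    echo "ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "ip6tables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"
    echo "ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT"
}

# Constructed sample: gateway ::1 and two clients in 2001:db8:0:1::/64
ndp_bridge_cmds 2001:db8:0:1::1 2001:db8:0:1::10 2001:db8:0:1::11
filter_cmds
```

Review the printed commands before piping them to a root shell on the router; each proxied address needs its own `neigh add proxy` entry.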
1

Are you trying to NAT your ipv6 connections? If so, what is the motivation for the IPv6 NAT? You do have /48 block, which is more than enough.

If your router is IPv6 capable, then it's only the matter of setting up the right IPv6 routes. The IPv6 routing is separate from IPv4, so there should be no conflict to what you already have on IPv4.

hc6
  • No, I'm not trying to NAT the IPv6 connections, I'm trying to have each computer have its own public IPv6 IP. That's why I mentioned needing to have IPv6 traffic pass transparently through. – WhyNotHugo Jun 21 '12 at 01:44
  • Don't I need to have my ISP route all traffic to the block THROUGH the WAN IP of the router as well? Also, the main part of the question is HOW to configure those routes, I've had no luck with what seemed to be intuitive to me. – WhyNotHugo Jun 21 '12 at 01:45
  • Your ISP already knows the block belongs to you, so the return path is fine. The issue is creating the default IPv6 route to use the IPv6 address assigned to you. For example, if the assigned global IPv6 address from the ISP is 1234:5678::1, then you can add a v6 route using: sudo ip -6 route add default via 1234:5678::1 and turn on forwarding: sudo sysctl -w net.ipv6.conf.default.forwarding=1 On the clients, do the same thing to set up IPv6 default routes. Also, if your router does support DHCPv6, you may want to turn that on, and your clients will automatically get the right default. – hc6 Jun 21 '12 at 01:54
  • 1
    If he subnets the network further, he'd need to tell the ISP to route the remainder of the network through his WAN IP address. If he can ask the ISP to do that or to assign another public IP address for the WAN side, routing is trivial. In the router you only need to point default to the ISP-provided gateway and configure the gateway to the public block on the LAN side. – Radius Jun 21 '12 at 02:00