2

My company has a router/firewall deployed with the "common" Proxy ARP setup: it sits between some servers and the ISP gateway, and intercepts all the packets with Proxy ARP, so that it can apply both filtering rules and traffic shaping for enforcing bandwidth constraints. Using Proxy ARP means that, if the router/firewall breaks for any reason, we can simply pull it off the network, connect the ISP gateway directly to the server switch, and the service keeps going (though not firewalled/shaped).

See: http://www.shorewall.net/ProxyARP.htm

Any idea how we can convert this setup to IPv6? I tried looking around but couldn't find any resource on the matter.

Giovanni Bajo

1 Answer

4

The page you linked to gives an answer:

The IPv6 analog of Proxy ARP is Proxy NDP (Neighbor Discovery Protocol). Beginning with Shorewall 4.4.16, Shorewall6 supports Proxy NDP in a manner similar to Proxy ARP support in Shorewall:

If you're using Shorewall, then you're about 90% done already. Otherwise you'll have to configure your own NDP proxy, such as ndppd.

Michael Hampton
  • Thanks! Does it work also if the default gateway for the network is a link local address (fe80::1)? IOW, can I use proxy NDP to insert a transparent proxy within a link-local eth segment, so that I can still configure fe80::1 as default gateway on all computers, and at the same time intercept all the traffic? – Giovanni Bajo Jan 28 '14 at 16:02
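
On a Linux router without Shorewall or ndppd, the kernel's own proxy NDP can take the role that Proxy ARP has in the question's setup. The script below is an added example, not code from the posts above or from the Shorewall project; the interface names and the 2001:db8 addresses are constructed, and it only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: kernel proxy NDP on a Linux router/firewall placed between
# the ISP gateway and the server switch. All names and addresses below are
# constructed (2001:db8::/32 is the IPv6 documentation prefix).

WAN_IF=eth0                                   # assumption: faces the ISP gateway
LAN_IF=eth1                                   # assumption: faces the server switch
GATEWAY=2001:db8:0:1::1                       # constructed gateway address
SERVERS="2001:db8:0:1::10 2001:db8:0:1::11"   # constructed server addresses

# Print the commands that make the firewall answer Neighbor Solicitations
# on one interface for hosts that really live behind the other one.
# Usage: proxy_ndp_plan WAN_IF LAN_IF GATEWAY SERVER_ADDR...
proxy_ndp_plan() {
    wan=$1 lan=$2 gw=$3; shift 3
    echo "sysctl -w net.ipv6.conf.all.forwarding=1"
    echo "sysctl -w net.ipv6.conf.$wan.proxy_ndp=1"
    echo "sysctl -w net.ipv6.conf.$lan.proxy_ndp=1"
    # Towards the servers, answer for the gateway; reach it via the WAN side.
    echo "ip -6 neigh add proxy $gw dev $lan"
    echo "ip -6 route add $gw/128 dev $wan"
    for addr in "$@"; do
        case $addr in
            *:*) ;;   # looks like an IPv6 address, keep it
            *) echo "skipping non-IPv6 address: $addr" >&2; continue ;;
        esac
        # Towards the gateway, answer for each server; reach it via the LAN side.
        echo "ip -6 neigh add proxy $addr dev $wan"
        echo "ip -6 route add $addr/128 dev $lan"
    done
}

# Dry run by default; set APPLY=1 (as root) to execute the printed plan.
if [ "${APPLY:-0}" = 1 ]; then
    proxy_ndp_plan "$WAN_IF" "$LAN_IF" "$GATEWAY" $SERVERS | sh -e
else
    proxy_ndp_plan "$WAN_IF" "$LAN_IF" "$GATEWAY" $SERVERS
fi
```

The kernel proxy needs one `neigh add proxy` entry per address, which is why a daemon such as ndppd is the usual choice when a whole prefix has to be proxied.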