
How to do IPv6 with DHCPv6-PD?

bimbar:
Scenario is 2 firewalls behind a router that hands out prefixes via DHCPv6-PD.
Since the firewalls are effectively standalone, they get different prefixes, which they in turn hand out to the LAN.

Now the problem is that each client gets the 2 prefixes and 2 default routes, but does not typically associate a prefix with the router that advertised it, so that, for example, clients try to communicate using the prefix from fw1 over the gateway fw2, which the firewall drops.
I can prioritize the default gateways, but then it still can happen that a client chooses the wrong prefix for the assigned gateway.

So, how can that be solved? I could go stateful with dhcpv6, but then each client only gets one IP and redundancy is lost.
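To make the failure mode described above concrete, here is an added simulation (written for this page, not code from the thread or from any firewall) of a host that holds one address from each firewall's delegated prefix, under two next-hop selection behaviours: the naive one that sends everything to the highest-priority default router, and the prefix-aware one (RFC 8028 style) that returns traffic from a prefix to the router that advertised it. The prefixes, link-local addresses and interface ID are constructed values.

```python
import ipaddress

# Constructed lab values (RFC 3849 documentation prefixes), not from the thread.
# Each firewall received its own /64 via DHCPv6-PD and advertises it in an RA,
# together with itself as a default router.
ROUTERS = {
    "fw1": {"prefix": ipaddress.ip_network("2001:db8:1::/64"), "lladdr": "fe80::1"},
    "fw2": {"prefix": ipaddress.ip_network("2001:db8:2::/64"), "lladdr": "fe80::2"},
}

def slaac_addresses(routers, iid=0x1234):
    """The client forms one address per advertised prefix (constructed IID)."""
    return {name: r["prefix"][iid] for name, r in routers.items()}

def lan_rule_allows(fw, src):
    """Typical 'LAN net' pass rule: a firewall only accepts its own prefix."""
    return src in ROUTERS[fw]["prefix"]

def naive_next_hop(default_order, src):
    """Host that ignores which router advertised the source prefix and
    always uses the highest-priority default route."""
    return default_order[0]

def prefix_aware_next_hop(default_order, src):
    """Host that remembers which router advertised each prefix and sends
    traffic sourced from that prefix via that router (RFC 8028 behaviour)."""
    for fw in default_order:
        if src in ROUTERS[fw]["prefix"]:
            return fw
    return default_order[0]

def simulate(chooser, default_order=("fw1", "fw2")):
    """Return {source address: (chosen gateway, accepted by that gateway?)}."""
    result = {}
    for src in slaac_addresses(ROUTERS).values():
        gw = chooser(default_order, src)
        result[str(src)] = (gw, lan_rule_allows(gw, src))
    return result

if __name__ == "__main__":
    for label, chooser in (("naive host", naive_next_hop),
                           ("prefix-aware host", prefix_aware_next_hop)):
        print(label)
        for src, (gw, ok) in simulate(chooser).items():
            print(f"  src {src} via {gw}: {'passes' if ok else 'DROPPED'}")
```

The naive host's traffic sourced from fw2's prefix leaves via fw1 and is dropped by the LAN-net rule, which is exactly the symptom in the post; the prefix-aware host passes on both prefixes.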

meschmesch:
Same problem here. I could work around that by allowing, as the last rule on the LAN interface, all IPv6 traffic instead of allowing only traffic originating from LAN net.

Another problem: for IPv4 I can define a virtual IP which is "shared" between the two firewalls. What about IPv6? It appears that with prefix delegation each firewall has to use its own IPv6 addresses. So it's not possible to assign an IPv6 address to a domain in order to reach a server behind the firewall. Either the domain points to the address of the first or to the address of the second firewall?

Where am I wrong here?

bimbar:
As I run it now, I have internal ULA addresses and NAT on WAN. The internal side is done with CARP fe80::1 and this is advertised via RA (there is a PR on GitHub that allows selecting the RA source address).
I have one external service with dyndns, but that's not redundant.

There is a heap of RFCs I read that basically mean that in the end it's not possible because the end devices do not cleanly implement said RFCs (source and nexthop selection). They don't even respect the RA priorities.

So that's not perfect. Maybe best to stick to IPv4 or use something like cloudflare for internal services.

meschmesch:
@bimbar, do I understand correctly that "internally" you only work with ULA addresses?

Regarding the external service, I also have no solution yet. But since sooner or later I may lose my public IPv4 access with IPv6 remaining as the only access possibility from outside, I have rented a virtual server which has a public IPv4 address and forwards any request, e.g. on port 443, via IPv6 to my firewall (using 6tunnel).

I am considering running a script on this virtual server which tests the accessibility of firewall 1 and firewall 2 using the IPv6 addresses of the firewalls, each published via DynDNS to its respective domain. In case the connection to one of the domains (i.e. firewalls) is lost, the script just instructs 6tunnel to use the other domain for forwarding requests.

bimbar:
Explicit routes should not be required.

If you want to do outgoing NAT, the firewalls should also request an address, not only a prefix.

I do work with ULA addresses only on LAN.
