Archive > 21.7 Legacy Series
HA cluster, IPv6 CARP and router advertisements - best practice?
franco:
I think for static prefixes this is solvable, but for cross-ISP dynamic PD I don't think anyone but single-line consumers are happy (for the most part).
The problem isn't IPv6... it's the lack of NAT with the business decision of the ISPs to hand out dynamic prefixes. And that likely isn't going to change.
Cheers,
Franco
bimbar:
I solved this the ugly way by using outgoing NAT on my firewalls, so that works, but it's hardly the brave new world IPv6 is supposed to be.
franco:
Yeah, I agree. I'm not saying I miss NAT in IPv6, but "it is what it is". ;)
Cheers,
Franco
bimbar:
I've been trying to do this right with multiple firewalls for the last 10 years now, but it never quite works the way it should. With OPNsense I've come the closest so far.
I hope we're thinking about it the right way, if there even is such a thing, and don't want the wrong features we don't even know yet we don't need because there's a better way to do it, if that makes any sense.
Patrick M. Hausen:
I must admit that I am only interested in the static prefix case. Sorry, dynamic prefixes i.e. consumer subscriber lines and a HA setup? Seriously?
In most scenarios it is of course perfectly ok to announce a link local address via RA. But there's nothing in the standard that explicitly prohibits using a global unicast address as the default gateway.
Fact: Sidewinder did that. You defined a cluster address that was bound to the active node, and that was the default gateway. This is a closed source system, but it's FreeBSD based, and it's perfectly doable to announce a "cluster" address, no matter the HA protocol, via RA.
I retired all physical Sidewinder firewalls I can toy with, even installed OPNsense on two of the appliances now, but I have a virtualised instance in my private home lab (in ESXi) - too busy this weekend, but I could turn this into a clustered setup and try to find out from the "outside" how a Sidewinder cluster presents itself as far as IPv6 is concerned. We have had this running for more than a decade, it's rock solid.
So possibly that would give us an idea of the best approach ...
Kind regards,
Patrick
P.S. I will look up the linked issues later.