On 2012-06-21 03:05, Jérémie Courrèges-Anglas wrote:
> Hugo Osvaldo Barrera <h...@osvaldobarrera.com.ar> writes:
>
>> Hi,
>
> Hi.
>
>> I'm trying to evaluate how to set up my OpenBSD server as an internet
>> gateway.
>>
>> I've a static IPv4 address, and a /48 IPv6 block.
>> I've already NATed IPv4 using PF, but I'm in doubt on how to bridge the
>> IPv6 part without breaking the IPv4 NAT.
>>
>> I'll assume lan=eth0 and wan=eth1 to make this a bit more readable.
>
> Sadly, what should we understand here? Are they really both ethernet
> interfaces?

I just meant to give them names to reference them more easily later on.
Yes; they're just two ethernet interfaces.

>
>> From what I've managed to think up, I'd have to bridge both interfaces
>> (eth0/eth1), and use PF to disallow traffic to/from private IP4s on eth1.
>
> Bridging can be seen as an ugly solution when you only get a /64 from
> your ISP, and you have to let RAs go through. Slightly less ugly, ndp
> proxying. I've not tested it, though, but I believe ndp(8) could be
> used here. But...

My ISP doesn't seem to be running any RA actually (more related info below).

>
>> My doubt is: if I bridge both interfaces, can I still NAT properly?
>> If br0 contains eth1 and eth0, can I bridge "from br0 to br0"?
>> This may sound odd, but br0 has actually two IPv4 addresses; the private
>> and public.
>>
>> Also, if eth1 is bridged, I can still drop packets using pf properly,
>> right? (discarding private-network packets on it is what I've in mind).
>>
>> Is this the proper solution? Or is there some other way I haven't
>> thought of?
>
> ... how does your ISP provide you IPv6 connectivity? I can't see why
> someone couldn't use proper subnetting, being given a /48. You should
> also tell us how you get v4 connectivity, I think.

I get a /48 block, and a gateway I should use.
As for IPv4, I get an IP address, and a gateway I should use.

If I subnet the IPv6 block, and set up my server as a router, wouldn't my
ISP have to know which IP is the route to my subnet? Or is this what you
mean by ndp proxying?
I still don't understand how to set up pf to forward the appropriate
packets if I managed to do that.

>
> HTH
> --
> Jérémie Courrèges-Anglas
> GPG fingerprint: 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494
>

Sorry, I should have mentioned those details in the first place.

--
Hugo Osvaldo Barrera