Hi everyone,
I have a dual redundant firewall setup, the same as the example given at
https://www.openbsd.org/faq/pf/carp.html
I was originally with Virgin Media but have moved to a provider
offering IPv4, IPv6 and fixed IP addresses.
I am now trying to add IPv6 and PPPoE to the firewall.
I haven't found an example on the web of a CARP, PPPoE and IPv6 firewall,
so I've had to piece together bits of info from different places.
Using the following hypothetical addresses, this is my planned
configuration.
Please feel free to correct where there are mistakes.

IPv6 Address:
ND Prefix: aaaa:bbbb:cccc:dddd::/64
PD Prefix: 1111:2222:3333::/48
IPv4 Address:     12.34.56.78 (Subnet mask 255.255.255.255)

    fw1 em0: 192.168.2.2 (lan)
    fw1 em1: 192.168.3.2 (wan)
    fw1 em2: 192.168.4.1 (pfsync)
    fw2 em0: 192.168.2.3 (lan)
    fw2 em1: 192.168.3.3 (wan)
    fw2 em2: 192.168.4.2 (pfsync)
    LAN shared IP: 192.168.2.1 (carp_lan)
    WAN/internet shared IP: 12.34.56.78 (carp_wan)

fw1
/etc/hostname.em0
inet 192.168.2.2 255.255.255.0 NONE
inet6 autoconf -autoconfprivacy -soii
inet6 alias aaaa:bbbb:cccc:dddd::100 64

/etc/hostname.em1
inet 192.168.3.2 255.255.255.0 NONE
inet6 autoconf -autoconfprivacy -soii
inet6 alias aaaa:bbbb:cccc:dddd::200 64

/etc/hostname.em2
inet 192.168.4.1 255.255.255.0 NONE

/etc/hostname.carp_lan.nic
inet 192.168.2.1 255.255.255.0 192.168.2.255 vhid 1 carpdev em0 advskew 5 pass $PASSWORDIN
inet6 autoconf -autoconfprivacy -soii
inet6 alias aaaa:bbbb:cccc:dddd::300 prefixlen 64 vhid 1 carpdev em0 advskew 5 pass $PASSWORDIN

/etc/hostname.carp_wan.nic
inet 12.34.56.78 255.255.255.255 'broadcast_addr' vhid 2 carpdev em1 advskew 100 pass $PASSWORDOUT
inet6 autoconf -autoconfprivacy -soii
inet6 alias aaaa:bbbb:cccc:dddd::400 prefixlen 64 vhid 2 carpdev $em1 advskew 100 pass $PASSWORDOUT


fw2
/etc/hostname.em0
inet 192.168.2.3 255.255.255.0 NONE
inet6 autoconf -autoconfprivacy -soii
inet6 alias aaaa:bbbb:cccc:dddd::150 64

/etc/hostname.em1
inet 192.168.3.3 255.255.255.0 NONE
inet6 autoconf -autoconfprivacy -soii
inet6 alias aaaa:bbbb:cccc:dddd::250 64

/etc/hostname.em2
inet 192.168.4.2 255.255.255.0 NONE

/etc/hostname.carp_lan.nic
inet 192.168.2.1 255.255.255.0 192.168.2.255 vhid 1 carpdev em0 advskew 5 pass $PASSWORDIN
inet6 autoconf -autoconfprivacy -soii
inet6 alias aaaa:bbbb:cccc:dddd::350 prefixlen 64 vhid 1 carpdev em0 advskew 5 pass $PASSWORDIN

/etc/hostname.carp_wan.nic
inet 12.34.56.78 255.255.255.255 'broadcast_addr' vhid 2 carpdev em1 advskew 100 pass $PASSWORDOUT
inet6 autoconf -autoconfprivacy -soii
inet6 alias aaaa:bbbb:cccc:dddd::450 prefixlen 64 vhid 2 carpdev $em1 advskew 100 pass $PASSWORDOUT

/etc/hostname.pppoe
mtu 1500
inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev em1/carp2 authproto chap authname "XXX@isp" authkey "XXX" up
dest 0.0.0.1
inet6 -autoconfprivacy
inet6 autoconf
!/sbin/route add default -ifp pppoe0 0.0.0.1
!/sbin/route add -inet6 default -ifp pppoe0 fe80::%pppoe0 -priority 8

% cat /etc/rc.d/dhcp6c
#!/bin/sh

daemon="/usr/local/sbin/dhcp6c"

. /etc/rc.d/rc.subr

rc_reload=NO

rc_cmd $1

% cat /etc/dhcp6c.conf
interface pppoe0 {
    send ia-pd 0;
    send domain-name-servers;
    send rapid-commit;
};

id-assoc pd {
    prefix-interface em1 {
        sla-id 0;
        sla-len 8;
    };
};

% echo 'dhcp6c_flags=pppoe0' | tee -a /etc/rc.conf.local
dhcp6c_flags=pppoe0

% echo '!/etc/rc.d/dhcp6c restart' | tee -a /etc/hostname.pppoe0
!/etc/rc.d/dhcp6c restart

% /etc/rc.d/dhcp6c restart
dhcp6c(ok)

Question 1
In hostname.pppoe, do I set pppoedev to the WAN facing NIC or the WAN
CARP interface on each firewall?
Question 2
In dhcpv6.conf, do I set the interface and prefix_interface to the WAN
and LAN facing NIC or the WAN and LAN CARP interface on each firewall?
Question 3
What broadcast address do I use in the carp_wan configuration if the
mask is 255.255.255.255?
Question 4
Do I just add interface em0 to rad.conf,
or do I use the complex case to set the prefix and basic DNS options?
interface em1 {
        prefix 1111:2222:3333::/48
        dns {
                nameserver 1111:2222:3333::53
                search example.org
        }
}
Question 5
Do I need to put -autoconfprivacy -soii in the NICs, or should I remove it?

shadrock
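
A consistency check for the two carp_lan files above, as an added example that is not part of the original post: CARP peers sharing a vhid need the same pass and the same set of virtual addresses, because the advertisement HMAC covers them, and a differing advskew decides which node prefers to be master. The function names and the inlined sample text are assumptions made for the illustration.

```python
import ipaddress

# Constructed input: the carp_lan lines from the post, one ifconfig line each.
FW1 = """\
inet 192.168.2.1 255.255.255.0 192.168.2.255 vhid 1 carpdev em0 advskew 5 pass $PASSWORDIN
inet6 alias aaaa:bbbb:cccc:dddd::300 prefixlen 64 vhid 1 carpdev em0 advskew 5 pass $PASSWORDIN
"""
FW2 = FW1.replace("::300", "::350")  # fw2 as posted uses ::350
OPTS = ("vhid", "carpdev", "advskew", "pass")

def parse_carp(text):
    """Return {vhid: {"addrs", "pass", "advskew"}} from hostname.if text."""
    groups = {}
    for line in text.splitlines():
        w = line.split()
        # Skip autoconf lines, '!' commands and lines with no vhid value.
        if len(w) < 3 or w[0] not in ("inet", "inet6") or "vhid" not in w[:-1]:
            continue
        opt = {k: w[w.index(k) + 1] for k in OPTS if k in w[:-1]}
        addr = ipaddress.ip_interface(w[2] if w[1] == "alias" else w[1]).ip
        g = groups.setdefault(opt["vhid"], {"addrs": set(), "pass": set(), "advskew": set()})
        g["addrs"].add(addr)
        g["pass"].add(opt.get("pass"))
        g["advskew"].add(opt.get("advskew", "0"))
    return groups

def compare(a_text, b_text):
    """List the per-vhid mismatches between two nodes' carp configuration."""
    a, b = parse_carp(a_text), parse_carp(b_text)
    findings = []
    for vhid in sorted(set(a) | set(b)):
        if vhid not in a or vhid not in b:
            findings.append(f"vhid {vhid}: configured on one node only")
            continue
        if a[vhid]["addrs"] != b[vhid]["addrs"]:
            diff = sorted(map(str, a[vhid]["addrs"] ^ b[vhid]["addrs"]))
            findings.append(f"vhid {vhid}: virtual addresses differ: {', '.join(diff)}")
        if a[vhid]["pass"] != b[vhid]["pass"]:
            findings.append(f"vhid {vhid}: pass differs")
        if a[vhid]["advskew"] == b[vhid]["advskew"]:
            findings.append(f"vhid {vhid}: same advskew on both nodes, no preferred master")
    return findings

if __name__ == "__main__":
    for finding in compare(FW1, FW2):
        print(finding)
```
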
