> hi  everyone
> i have a dual redundant firewall setup the same as the example given at
> https://www.openbsd.org/faq/pf/carp.html
> i was originally with virgin media but have moved to a provider
> offering ipv4, ipv6 and fixed ip addresses,
> i am now trying  to add ipv6 and pppoe to the firewall.
> i haven't found an example on the web of a carp, pppoe and ipv6 firewall ,
> so i've had to piece together bits of info from different places
> using the following hypothetical addresses this is my planned
> configuration ,
> please feel free to correct where there are mistakes.
>
> IPv6 Address:
> ND Prefix: aaaa:bbbb:cccc:dddd::/64
> PD Prefix: 1111:2222:3333::/48
> IPv4 Address:     12.34.56.78 (Subnet mask 255.255.255.255)
>
>     fw1 em0: 192.168.2.2 (lan)
>     fw1 em1: 192.168.3.2 (wan)
>     fw1 em2: 192.168.4.1 (pfsync)
>     fw2 em0: 192.168.2.3 (lan)
>     fw2 em1: 192.168.3.3 (wan)
>     fw2 em2: 192.168.4.2 (pfsync)
>     LAN shared IP: 192.168.2.1 (carp_lan)
>     WAN/internet shared IP: 12.34.56.78 (carp_wan)
>
> fw1
> /etc/hostname.em0
> inet 192.168.2.2 255.255.255.0 NONE
> inet6 autoconf -autoconfprivacy -soii
> inet6 alias aaaa:bbbb:cccc:dddd::100 64
>
> /etc/hostname.em1
> inet 192.168.3.2 255.255.255.0 NONE
> inet6 autoconf -autoconfprivacy -soii
> inet6 alias aaaa:bbbb:cccc:dddd::200 64
>
> /etc/hostname.em2
> inet 192.168.4.1 255.255.255.0 NONE
>
> /etc/hostname.carp_lan.nic
> inet 192.168.2.1 255.255.255.0 192.168.2.255 vhid 1 carpdev em0 advskew
> 5 pass $PASSWORDIN
> inet6 autoconf -autoconfprivacy -soii
> inet6 alias aaaa:bbbb:cccc:dddd::300 prefixlen 64 vhid 1 carpdev em0
> advskew 5 pass $PASSWORDIN
>
> /etc/hostname.carp_wan.nic
> inet 12.34.56.78 255.255.255.255 'broadcast_addr' vhid 2 carpdev em1
> advskew 100 pass $PASSWORDOUT
> inet6 autoconf -autoconfprivacy -soii
> inet6 alias aaaa:bbbb:cccc:dddd::400 prefixlen 64 vhid 2 carpdev $em1
> advskew 100 pass $PASSWORDOUT
>
>
> fw2
> /etc/hostname.em0
> inet 192.168.2.3 255.255.255.0 NONE
> inet6 autoconf -autoconfprivacy -soii
> inet6 alias aaaa:bbbb:cccc:dddd::150 64
>
> /etc/hostname.em1
> inet 192.168.3.3 255.255.255.0 NONE
> inet6 autoconf -autoconfprivacy -soii
> inet6 alias aaaa:bbbb:cccc:dddd::250 64
>
> /etc/hostname.em2
> inet 192.168.4.2 255.255.255.0 NONE
>
> /etc/hostname.carp_lan.nic
> inet 192.168.2.1 255.255.255.0 192.168.2.255 vhid 1 carpdev em0 advskew
> 5 pass $PASSWORDIN
> inet6 autoconf -autoconfprivacy -soii
> inet6 alias aaaa:bbbb:cccc:dddd::350 prefixlen 64 vhid 1 carpdev em0
> advskew 5 pass $PASSWORDIN
>
> /etc/hostname.carp_wan.nic
> inet 12.34.56.78 255.255.255.255 'broadcast_addr' vhid 2 carpdev em1
> advskew 100 pass $PASSWORDOUT
> inet6 autoconf -autoconfprivacy -soii
> inet6 alias aaaa:bbbb:cccc:dddd::450 prefixlen 64 vhid 2 carpdev $em1
> advskew 100 pass $PASSWORDOUT
>
> /etc/hostname.pppoe0
> mtu 1500
> inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev em1/carp2 authproto chap
> authname "XXX@isp" authkey "XXX" up
> dest 0.0.0.1
> inet6 -autoconfprivacy
> inet6 autoconf
> !/sbin/route add default -ifp pppoe0 0.0.0.1
> !/sbin/route add -inet6 default -ifp pppoe0 fe80::%pppoe0 -priority 8
>
> % cat /etc/rc.d/dhcp6c
> #!/bin/sh
>
> daemon="/usr/local/sbin/dhcp6c"
>
> . /etc/rc.d/rc.subr
>
> rc_reload=NO
>
> rc_cmd $1
>
> % cat /etc/dhcp6c.conf
> interface pppoe0 {
>     send ia-pd 0;
>     send domain-name-servers;
>     send rapid-commit;
> };
>
> id-assoc pd {
>     prefix-interface em1 {
>         sla-id 0;
>         sla-len 8;
>     };
> };
>
> % echo 'dhcp6c_flags=pppoe0' | tee -a /etc/rc.conf.local
> dhcp6c_flags=pppoe0
>
> % echo '!/etc/rc.d/dhcp6c restart' | tee -a /etc/hostname.pppoe0
> !/etc/rc.d/dhcp6c restart
>
> % /etc/rc.d/dhcp6c restart
> dhcp6c(ok)
>     };
> };
>
> question 1
> in hostname.pppoe0 do i set pppoedev to the wan facing nic or the wan
> carp interface on each firewall
> question 2
> in dhcp6c.conf do i set the interface and prefix-interface to the wan
> and lan facing nic or the wan and lan carp interface on each firewall
> question 3
> what broadcast address do i use in the carp_wan configuration if the
> mask is 255.255.255.255
> question 4
> do i just add interface em0 to rad.conf
> or do i use the complex case to set the prefix and basic DNS options.
> interface em1 {
>         prefix 1111:2222:3333::/48
>         dns {
>                 nameserver 1111:2222:3333::53
>                 search example.org
> question 5
> do i need to put -autoconfprivacy -soii  in the nics or should i remove it.
>
> shadrock
is there no one who can help me with this ?

shadrock
