Luke Jordan <lujjor...@gmail.com> wrote:

> I wish to have an ipv6-multi-homing with static configuration, nat and
> rtrules/mangle. For ipv4 it runs without problems with shorewall.

The short answer is that NAT is not supported in IPv6 - and I can see the arguments in favour of that, knowing just how much NAT screws things up in IPv4*.

Longer answer ...

I've been following (and occasionally sticking my oar in) over on the IPv6 OPS mailing list i...@ietf.org and multihoming is one area that still "needs some work". I've been following this area because I was expecting to be coming up against exactly the same issue at work - but I've since been made redundant and had the fun of watching from the sidelines while the cretin running the place blundered from one self-inflicted (and customer-impacting) breakage to another.

How it's supposed to work is that each node in your network will get one or more IPv6 addresses from each ISP-provided range. It will then select an address to use for outbound connections based on admin-provided rules - and the gateway router(s) decide which ISP to send the packets out through based on the source address. I.e., the routing decision is effectively taken by each host.

All the bits are in place apart from ... how to specify and distribute those rules, which is a bit fundamental!

A secondary issue is how to notify hosts that a connection is down - which really means changing the lifetime of the RAs for that ISP's range to zero so that hosts will deconfigure addresses in that range.

I think there is still a camp with a view that NPT (Network Prefix Translation) has a place in the network - that's translating only the network prefix while leaving the host part of the address and port numbers unmangled. To work properly (IMO) there needs to be a standardised method for nodes/applications to query the routers to find out what translations are in place and avoid all the problems of trying to find stuff like this out through bodges like STUN.

* Many people don't realise how much NAT breaks due to the amount of effort that's gone into working around these breakages.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
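
The two mechanisms described in the message above, as an added example that is not part of the original post or of Shorewall: a gateway choosing the uplink from a packet's source address, and prefix-only translation using the checksum-neutral adjustment defined in RFC 6296 (NPTv6). The prefixes, uplink names and function names are constructed for illustration, and the translation sketch assumes /48 prefixes on both sides.

```python
import ipaddress

# Constructed sample: two ISP-delegated /48s taken from the documentation range.
UPLINKS = {
    ipaddress.ip_network("2001:db8:a::/48"): "isp1",
    ipaddress.ip_network("2001:db8:b::/48"): "isp2",
}

def select_uplink(src):
    """Gateway side: pick the ISP whose delegated prefix contains the source."""
    addr = ipaddress.ip_address(src)
    matches = [net for net in UPLINKS if addr in net]
    if not matches:
        return None  # source outside every delegated range: do not forward upstream
    return UPLINKS[max(matches, key=lambda net: net.prefixlen)]

def _sum16(value, nbits):
    """Ones' complement sum of the 16-bit words of an nbits-wide integer."""
    total = sum((value >> shift) & 0xFFFF for shift in range(0, nbits, 16))
    while total > 0xFFFF:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def npt_translate(src, internal, external):
    """Swap a /48 prefix; only the 16-bit subnet word absorbs the checksum change."""
    addr = ipaddress.IPv6Address(src)
    inside = ipaddress.IPv6Network(internal)
    outside = ipaddress.IPv6Network(external)
    if inside.prefixlen != 48 or outside.prefixlen != 48 or addr not in inside:
        raise ValueError("this sketch handles matching /48 prefixes only")
    in_pfx = int(inside.network_address) >> 80
    out_pfx = int(outside.network_address) >> 80
    # adjustment = sum(internal prefix) - sum(external prefix), ones' complement
    adjust = _sum16(_sum16(in_pfx, 48) + (~_sum16(out_pfx, 48) & 0xFFFF), 32)
    low80 = int(addr) & ((1 << 80) - 1)
    subnet = _sum16(((low80 >> 64) & 0xFFFF) + adjust, 32)
    if subnet == 0xFFFF:
        subnet = 0  # 0xFFFF and 0x0000 are the same value in ones' complement
    host = low80 & ((1 << 64) - 1)  # interface identifier passes through untouched
    return str(ipaddress.IPv6Address((out_pfx << 80) | (subnet << 64) | host))
```

Because the subnet word is rewritten, TCP and UDP checksums stay valid without touching the payload, and the interface identifier and ports are left alone, which is the property the message contrasts with IPv4 NAT.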