Home / server / Questions / 400777
In Process
WhyNotHugo
Asked: 2012-06-21 17:31:19 +0800 CST

NATing IPv4 while routing IPv6

  • 772

I've the following setup:

client(s)  <---> (eth0) router (eth1) <---> wan

I have a static IPv4 address and a /48 IPv6 address block. I need to connect all the clients to (wan). Each client will have it's own public IPv6. Meanwhile, I need to NAT those same clients over to (wan).

Everything IPv4-related and the NAT are working fine. The IPv6 communication to/from (eth0)<->(clients)> works fine, as does the IPv6 communication from (eth1)<->(wan) works fine.

To provide IPv6 to all my clients, I've thought of too choices:

  • Having the router as a gateway, which different IP on each interface. This sounds like I need to tell my ISP to route the entire block through that single IP, so it's not really an option.

  • Transparently pass IPv6 packets to/from eth0<->eth1, so all clients can communicate with the upstream gateway (I would actually have a switch here if it weren't for the need to remain IPv4 compatible).

So, since I've opted for the second choice, I'm in doubt: How can I pass all IPv6 traffic from eth0 to eth1 transparently? What I need is a level 3 bridge, but linux's bridgeutils create a level 2 bridge (which would bridge ipv4 as well, and I can't have that).

This is a DD-WRT device, but it's pretty much an embeded linux, so most suggestions that would work on linux are welcome.

Thanks.

linux bridge ipv6

2 Answers

  1. you can achieve that with proxy ARP, if I was trying to pseudo bridge ipv4 I would do this:

    echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
echo 1 > /proc/sys/net/ipv4/ip_forward

    You need to setup both your NICs with the EXACT same information (ip_address, netmask and gateway), not sure if DD-WRT will allow that, for sure it won't on the web ui but it might allow you to do this from the console, then recheck your gateway, make sure you only have gateway pointed to the interface that goes to the ISP, something like this:

    ip route del default dev eth0
ip route del default dev eth1

ip route del $LAN_NETWORK dev eth0
ip route del $LAN_NETWORK dev eth1
ip route add $DEFAULT_GATEWAY dev eth0
ip route add $LAN_NETWORK dev eth1

ip route add default via $DEFAULT_GATEWAY dev eth0

    This is for an IPv4 Pseudo Bridge using Proxy-ARP, I guess you can do the same using IPv6.

    On the other hand and as I said on the other question, you can still NAT IPv4 even if it's bridged in layer 2.

    You would need to setup both your IPv4 public address and IPv4 lan address on the BR0 interface, and then NAT them as I told you before

    iptables -t nat -A POSTROUTING -j SNAT -s $LAN_NETWORK --to-source $WAN_IP_ADDRESS

    That would solve both your problems without the hassle of proxy arp. Problem is most of this stuff won't work from DD-WRT's interface.

    As a better and cleaner alternative you might add a subinterface on the bridge to the LAN side, something like 

    ifconfig br0:1 192.168.1.1 netmask 255.255.255.0

    And use the same NAT line I said above

    • 3

  2. Are you trying to NAT your ipv6 connections? If so, what is the motivation for the IPv6 NAT? You do have /48 block, which is more than enough.

    If your router is IPv6 capable, then it's only the matter of setting up the right IPv6 routes. The IPv6 routing is separate from IPv4, so there should be no conflict to what you already have on IPv4.

    • 1