Of course doing the same thing with IPv6 now fails – no more arp and proxy_ndp doesn’t really work satisfactorily. Luckily, I found this page, got npd6, activated it and bam, without any further change on my side everything works. Now I route an IPv6 range through my server into my lan and used radv successfully to configure windows machines.

The whole configuration of this not so common setup is pretty similar between IPv4 and IPv6, for the routing parts. The only difference, but a major one and absolutely unexpected, the problem with neighbor solicitation/proxying.

Check out the project via my article here: http://www.ipsidixit.net/2011/07/05/npd6-ipv6-neighbor-proxy-daemon-it-lives/

If you’ve had issues in the area described in the main article above and are using a Linux box as a gateway, hop over to the Google-code hosted project and help out by testing it.

#!/usr/bin/perl

@l = `ps aux|grep kvm`;

for($i=0; $i<scalar(@l); $i++)
{
system(sprintf("/sbin/ip -6 neigh add proxy your:prefix:goes:here:%02x%s:%sff:fe%s:%s%s dev br0 \n", hex($1)^2, $2, $3, $4, $5, $6))
if(@l[$i] =~ /mac=([0-9a-f]{2}):([0-9a-f]{2}):([0-9a-f]{2}):([0-9a-f]{2}):([0-9a-f]{2}):([0-9a-f]{2})/i);
}

I feel like I’m tantalizingly close to getting this working. From the bridge machine, I can ping either inside or outside, both by LL and global addresses. Once I do this, the inside machines can ping at least the bridge, but no further, though once the bridge’s NDP info expires, the neighbors can’t ping anything. The bridge is learning MAC addresses from both sides, and when I configure an IPv4 address on it, it also responds to ARP queries, but no traffic passes across the bridge.

Virtually all of the examples of creating a bridge are for IPv4, and are usually in some way incomplete. For instance, nothing really worked at all until I set the MAC address of the bridge, which has the effect of also setting the MAC addresses of the interfaces to the same address. No examples are really clear about exactly which sysctl options are necessary.

I’m considering using shorewall6, as it claims to also support bridging, but I’m pretty comfortable using ip(6)tables, so don’t really need it, other than to the degree that it makes things magically work. I don’t like magic…

One question from my side that occurs is about security: if you bridge the ISP’s IPv6 into your private network(s) (you mentioned VLANs…) will you firewall each inside machine? Or do some sort of L2 firewall on the bridge (I guess raw ip6tables unless there’s some funky front-end?)? Or…? For me, one reason to avoid bridging the ISP’s IPv6 is so I can easily use something like shorewall6 to run my firewall. Interested to hear about security architecture with a bridged IPv6 WAN. Interesting stuff!!!

FWIW, I can ping from my bridge both outside (e.g. to ipv6.google.com) and to inside machines, but inside machines don’t see NDP queries, and the bridge can’t see NDP queries from the inside interface, so the outside world can be reached from inside. All ebtables/ip6tables rules are default, so all traffic should be accepted. tcpdump reports nothing working from the inside.

I may try to set up an IPv4 bridge first, make sure I have all of the VLAN/VM nonsense out of the way, and then try again with IPv6. (I’m pretty sure the VLANs are OK, and I can ping6 OK between VM’s OK on the inside segment).