On 2019-07-11, shadrock uhuru <[email protected]> wrote:
>> hi everyone
>> i have a dual redundant firewall setup the same as the example given at
>> https://www.openbsd.org/faq/pf/carp.html
>> i was originally with virgin media but have moved to a provider
>> offering ipv4, ipv6 and fixed ip addresses,
>> i am now trying to add ipv6 and pppoe to the firewall.
>> i haven't found an example on the web of a carp, pppoe and ipv6 firewall,
>> so i've had to piece together bits of info from different places
>> using the following hypothetical addresses this is my planned
>> configuration,
>> please feel free to correct where there are mistakes.
>>
>> IPv6 Address:
>> ND Prefix: aaaa:bbbb:cccc:dddd::/64
>> PD Prefix: 1111:2222:3333::/48
>> IPv4 Address: 12.34.56.78 (Subnet mask 255.255.255.255)
>>
>> fw1 em0: 192.168.2.2 (lan)
>> fw1 em1: 192.168.3.2 (wan)
>> fw1 em2: 192.168.4.1 (pfsync)
>> fw2 em0: 192.168.2.3 (lan)
>> fw2 em1: 192.168.3.3 (wan)
>> fw2 em2: 192.168.4.2 (pfsync)
>> LAN shared IP: 192.168.2.1 (carp_lan)
>> WAN/internet shared IP: 12.34.56.78 (carp_wan)
>>
>> fw1
>> /etc/hostname.em0
>> inet 192.168.2.2 255.255.255.0 NONE
>> inet6 autoconf -autoconfprivacy -soii
>> inet6 alias aaaa:bbbb:cccc:dddd::100 64
>>
>> /etc/hostname.em1
>> inet 192.168.3.2 255.255.255.0 NONE
>> inet6 autoconf -autoconfprivacy -soii
>> inet6 alias aaaa:bbbb:cccc:dddd::200 64
>>
>> /etc/hostname.em2
>> inet 192.168.4.1 255.255.255.0 NONE
>>
>> /etc/hostname.carp_lan.nic
>> inet 192.168.2.1 255.255.255.0 192.168.2.255 vhid 1 carpdev em0 advskew
>> 5 pass $PASSWORDIN
>> inet6 autoconf -autoconfprivacy -soii
>> inet6 alias aaaa:bbbb:cccc:dddd::300 prefixlen 64 vhid 1 carpdev em0
>> advskew 5 pass $PASSWORDIN
>>
>> /etc/hostname.carp_wan.nic
>> inet 12.34.56.78 255.255.255.255 'broadcast_addr' vhid 2 carpdev em1
>> advskew 100 pass $PASSWORDOUT
>> inet6 autoconf -autoconfprivacy -soii
>> inet6 alias aaaa:bbbb:cccc:dddd::400 prefixlen 64 vhid 2 carpdev $em1
>> advskew 100 pass $PASSWORDOUT
>>
>>
>> fw2
>> /etc/hostname.em0
>> inet 192.168.2.3 255.255.255.0 NONE
>> inet6 autoconf -autoconfprivacy -soii
>> inet6 alias aaaa:bbbb:cccc:dddd::150 64
>>
>> /etc/hostname.em1
>> inet 192.168.3.3 255.255.255.0 NONE
>> inet6 autoconf -autoconfprivacy -soii
>> inet6 alias aaaa:bbbb:cccc:dddd::250 64
>>
>> /etc/hostname.em2
>> inet 192.168.4.2 255.255.255.0 NONE
>>
>> /etc/hostname.carp_lan.nic
>> inet 192.168.2.1 255.255.255.0 192.168.2.255 vhid 1 carpdev em0 advskew
>> 5 pass $PASSWORDIN
>> inet6 autoconf -autoconfprivacy -soii
>> inet6 alias aaaa:bbbb:cccc:dddd::350 prefixlen 64 vhid 1 carpdev em0
>> advskew 5 pass $PASSWORDIN
>>
>> /etc/hostname.carp_wan.nic
>> inet 12.34.56.78 255.255.255.255 'broadcast_addr' vhid 2 carpdev em1
>> advskew 100 pass $PASSWORDOUT
>> inet6 autoconf -autoconfprivacy -soii
>> inet6 alias aaaa:bbbb:cccc:dddd::450 prefixlen 64 vhid 2 carpdev $em1
>> advskew 100 pass $PASSWORDOUT
>>
>> /etc/hostname.pppoe
>> mtu 1500
>> inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev em1/carp2 authproto chap
>> authname "XXX@isp" authkey "XXX" up
>> dest 0.0.0.1
>> inet6 -autoconfprivacy
>> inet6 autoconf
>> !/sbin/route add default -ifp pppoe0 0.0.0.1
>> !/sbin/route add -inet6 default -ifp pppoe0 fe80::%pppoe0 -priority 8
>>
>> % cat /etc/rc.d/dhcp6c
>> #!/bin/sh
>>
>> daemon="/usr/local/sbin/dhcp6c"
>>
>> . /etc/rc.d/rc.subr
>>
>> rc_reload=NO
>>
>> rc_cmd $1
>>
>> % cat /etc/dhcp6c.conf
>> interface pppoe0 {
>> send ia-pd 0;
>> send domain-name-servers;
>> send rapid-commit;
>> };
>>
>> id-assoc pd {
>> prefix-interface em1 {
>> sla-id 0;
>> sla-len 8;
>> };
>> };
>>
>> % echo 'dhcp6c_flags=pppoe0' | tee -a /etc/rc.conf.local
>> dhcp6c_flags=pppoe0
>>
>> % echo '!/etc/rc.d/dhcp6c restart' | tee -a /etc/hostname.pppoe0
>> !/etc/rc.d/dhcp6c restart
>>
>> % /etc/rc.d/dhcp6c restart
>> dhcp6c(ok)
>> };
>> };
>>
>> question 1
>> in hostname.pppoe do i set pppoedev to the wan facing nic or the wan
>> carp interface on each firewall
pppoe runs directly on an ethernet or vlan interface. OpenBSD doesn't
have any particular support for failover with carp+pppoe.
I would suggest disabling the second machine while you get it
working on one.
You can then probably bring the second one into play using ifstated
to only bring the pppoe interface up and run rad when the machine has
master on another carp interface (but tbh I've never got round to
setting that up anywhere at a pppoe site ..)
>> question 2
>> in dhcpv6.conf do i set the interface and prefix_interface to the wan
>> and lan facing nic or the wan and lan carp interface on each firewall
If you need DHCPv6-PD then don't hardcode the addresses on the
inside interfaces, just let PD fetch them. (I have no idea about the
ancient wide-dhcpv6, for the config I'm using for ipv6 with
PPPoE and DHCPv6-PD, pkg_add dhcpcd and look at the pkg-readme).
But your ISP might just route you the block anyway without using
PD. In that case, you don't need to run a PD client, just hardcode
them. Your choice, just don't do both.
(For the UK ISPs I'm most familiar with, zen seems to need PD otherwise
they don't route the block to me, at least in the config they've got
on my user account - for aaisp it's optional whether you use PD or not).
>> question 3
>> what broadcast address do i use in the carp_wan configuration if the
>> mask is 255.255.255.255
See q1 - you don't use carp_wan :)
>> question 4
>> do i just add interface em0 to rad.conf
>> or do i use the complex case to set the prefix and basic DNS options.
>> interface em1 {
>> prefix 1111:2222:3333::/48
>> dns {
>> nameserver 1111:2222:3333::53
>> search example.org
Don't set the prefix in rad.conf, you want to pick it up from
the prefix on the interface, either statically configured or
fetched by DHCPv6-PD. It's up to you about the nameserver options
(many common clients don't use them anyway though, I just use v4
for that).
>> question 5
>> do i need to put -autoconfprivacy -soii in the nics or should i remove it.
Don't use autoconf on interfaces where you run rad(8), that is like
running dhclient and dhcpd on the same interface.
>> shadrock
> is there no one who can help me with this ?
>
> shadrock
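An added example, not from either author in this thread, of the ifstated(8) arrangement the reply to question 1 describes: ifstated watches the link state of the LAN carp interface (carp(4) reports link up only while the host is MASTER) and brings the PPPoE session and rad(8) up on the master only, so the second firewall never holds a second ISP session. The carp interface name carp0, the pppoe0 interface, the use of rcctl for rad, and the file path are assumptions; the poster's hostname.carp_lan.nic is not a valid carp(4) interface name, so a carpN name is used here.

```conf
# /etc/ifstated.conf (added example; interface names are assumed)
# carp0 is assumed to be the LAN carp interface. carp(4) sets its link
# state to "up" only while this host is MASTER for that vhid.
init-state auto
carp_master = "carp0.link.up"

# Pick the starting state from the current carp state at startup.
state auto {
	if $carp_master
		set-state master
	if ! $carp_master
		set-state backup
}

# MASTER: bring up the PPPoE session and start the router advertisement
# daemon (rad is assumed to be managed with rcctl).
state master {
	init {
		run "ifconfig pppoe0 up"
		run "rcctl start rad"
	}
	if ! $carp_master
		set-state backup
}

# BACKUP: stop advertising and tear the PPPoE session down so only the
# carp master ever holds the session with the ISP.
state backup {
	init {
		run "rcctl stop rad"
		run "ifconfig pppoe0 down"
	}
	if $carp_master
		set-state master
}
```

Enable it with `rcctl enable ifstated` and `rcctl start ifstated` on both firewalls. If the ISP requires DHCPv6-PD, the PD client (dhcpcd, as suggested above) belongs in the same two init blocks as rad, since a prefix can only be delegated to the machine that currently holds the PPPoE session.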