
Re: ICMP router advertisement (ipv4)



On Mon, 10 Apr 2023, Jeremy Ardley wrote:

> On 10/4/23 11:02, Tim Woodall wrote:
>> My firewall has a single /128 acquired via SLAAC and the RA from the
>> router. My entire network is masqueraded through that single IP.
>
> What does the RA contain? Typically on connection to an IPv6 capable ISP you will get assigned a single /128 from their range and granted a complete routable range at least /64 for you to use.
>
> The interface between the router and the ISP will typically use the router fe80 to connect upstream but it will also have the /128 to use. The router should be able to route the /64 without NAT. If it can't then time for a new router.



I want to be able to put a firewall in front of the router. But there's
no way to get any traffic out of the router and into my network other
than that addressed to my firewall's /128.

The router doesn't even attempt to see if a host exists if a packet to a
new ip arrives.

I suspect that 'silent' hosts would 'disappear' as far as the router is
concerned.

#
# radvd configuration generated by radvdump 2.18
# based on Router Advertisement from fe80::c6eb:39ff:fe4e:c771
# received by interface isp
#

interface isp
{
        AdvSendAdvert on;
        # Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
        AdvManagedFlag off;
        AdvOtherConfigFlag on;
        AdvReachableTime 0;
        AdvRetransTimer 0;
        AdvCurHopLimit 64;
        AdvDefaultLifetime 1800;
        AdvHomeAgentFlag off;
        AdvDefaultPreference medium;
        AdvSourceLLAddress on;

        RDNSS 2001:730:3ec2::10 2001:730:3ec2::11
        {
                AdvRDNSSLifetime 300;
        }; # End of RDNSS definition


        prefix ****:****:****:**00::/64
        {
                AdvValidLifetime 604800;
                AdvPreferredLifetime 604800;
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr off;
        }; # End of prefix definition


        route ****:****:****:**00::/57
        {
                AdvRoutePreference medium;
                AdvRouteLifetime 1800;
        }; # End of route definition

}; # End of interface definition

It's sort of bizarre that the prefix is good for 5 days but the route
for 30 minutes.
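
An added example, not part of the original post: a small Python parser for radvdump-style output that reports each advertised prefix's valid lifetime next to the lifetime of the route that covers it, which is the comparison made at the end of the message. The sample input is constructed, using the documentation prefix 2001:db8::/32 in place of the masked addresses, and the function names are hypothetical.

```python
import ipaddress
import re
from datetime import timedelta

# Constructed sample in radvdump's output format; 2001:db8::/32 is the
# documentation prefix standing in for the masked values in the post.
SAMPLE = """\
interface isp
{
        prefix 2001:db8:1234:5600::/64
        {
                AdvValidLifetime 604800;
                AdvPreferredLifetime 604800;
        }; # End of prefix definition
        route 2001:db8:1234:5600::/57
        {
                AdvRouteLifetime 1800;
        }; # End of route definition
}; # End of interface definition
"""

BLOCK = re.compile(r"^\s*(prefix|route)\s+(\S+)\s*\{(.*?)\};", re.S | re.M)
SETTING = re.compile(r"^\s*(\w+)\s+(\S+);", re.M)

def parse_radvdump(text):
    """Return (kind, network, {option: value}) for each prefix/route block."""
    return [(kind, ipaddress.ip_network(net), dict(SETTING.findall(body)))
            for kind, net, body in BLOCK.findall(text)]

def summarize(text):
    """Map each prefix to (valid lifetime, lifetime of a covering route or None)."""
    blocks = parse_radvdump(text)
    routes = [(net, timedelta(seconds=int(opts["AdvRouteLifetime"])))
              for kind, net, opts in blocks if kind == "route"]
    report = {}
    for kind, net, opts in blocks:
        if kind != "prefix":
            continue
        valid = timedelta(seconds=int(opts["AdvValidLifetime"]))
        covering = [life for rnet, life in routes if net.subnet_of(rnet)]
        report[str(net)] = (valid, covering[0] if covering else None)
    return report

if __name__ == "__main__":
    for net, (valid, route) in summarize(SAMPLE).items():
        print(f"{net}: prefix valid {valid}, covering route {route}")
```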

