Deprecate IPv6 local tunnel endpoint
-
Hi!
I didn't want to open a bug right away because I'm not sure if it's really a bug or something that should be implemented.
Following scenario:
I have an IPv6 tunnel and a routed subnet from SixXS.
With the current 2.1 snapshot it's quite easy to set that up and distribute IPv6 addresses from the subnet to the LAN. But my thought here is:
I think that if I have a routed subnet, the local tunnel endpoint IPv6 address should be invalidated, so that the source address of outgoing packets is one from the routed subnet and not the local tunnel endpoint.
There are just a few discussions about that and if it's good or not. But one good reason to use a subnet IP instead of the tunnel endpoint is that I can assign a PTR for that address. Another reason is that it just "feels" right… So I would suggest deprecating the local IPv6 tunnel endpoint address if there is a routed subnet in use. I don't know how to determine to do it automatically, but I could imagine an option on the gif tunnel configuration page which can be checked or unchecked.
On the other hand, "deprecated" doesn't mean that it's forbidden to use it but just to prefer another address. So maybe the local endpoint can always be deprecated. The deprecation itself is quite easy, it can be done with the ifconfig command:
ifconfig gif0 inet6 2001:xxx:xxx:xxx::2 prefixlen 64 deprecated
So, what do you think?
btw. is there a possibility to add that command somewhere until it's implemented so it survives a reboot? Maybe in /etc/rc.local? Or is there a specific post-up file or option for the gif interface (like in Linux)?
-
While that could be an option I'm not sure why you'd really care which IP address the firewall used to reach the outside for things it initiates?
Both the tunnel and your routed subnet are valid. The client IPs will still be the client IPs in the routed subnet, that doesn't change.
Not sure I've ever had someone request the same on IPv4 (routed LAN IPs, wanting to source traffic from the firewall's LAN IP instead of WAN IP…)
-
Well, no reason, it just "feels" right. I know both IP addresses are valid, but somehow I think that the subnet is mine and the tunnel endpoint is not. I just want to control which IP address the firewall uses.
The firewall has got two IPv6 addresses from the subnet, one being on a bridged interface (two physical ports and one vlan), the other a vlan.
It also drives me crazy that after I deprecated the local tunnel endpoint the firewall now uses the IP address from the vlan, and not the bridge :(
and I have no clue how to change that. I tried to change the metric of the vlan interface but that didn't help. So, if you don't want to implement such a thing, is there a place where I can put that command so that it is executed every time the firewall boots up (or better, every time the interface is brought up)?
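As an added example (not code from the thread or from pfSense itself), a small POSIX shell script that applies the deprecate flag from the first post idempotently and confirms it by parsing ifconfig(8) output, which is the check you want when the script runs unattended at boot. The interface name, tunnel endpoint address and prefix length are placeholder assumptions, and which boot or interface-up hook runs it is left open since the thread does not settle that.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense itself.
# Marks the gif tunnel's local IPv6 endpoint "deprecated" so source address
# selection prefers an address from the routed subnet, and verifies the flag.
# Interface name, address and prefix length are placeholders (assumptions).
GIF_IF="gif0"
LOCAL_EP="2001:db8:1::2"   # constructed placeholder, not a real endpoint
PREFIX_LEN="64"

# is_deprecated ADDR IFCONFIG_OUTPUT
# Returns 0 when the "inet6 ADDR ..." line in the given ifconfig(8) output
# carries the "deprecated" flag. The output is passed as text so the parser
# can be checked against captured output without touching a live interface.
is_deprecated() {
    addr="$1"
    out="$2"
    printf '%s\n' "$out" \
        | grep -E "^[[:space:]]*inet6[[:space:]]+${addr}([[:space:]%]|$)" \
        | grep -q 'deprecated'
}

# Apply the flag to the live interface, skipping the ifconfig call when the
# address is already deprecated (idempotent, so it is safe on every boot or
# interface-up event), then re-read the interface to confirm the change.
deprecate_local_endpoint() {
    out=$(ifconfig "$GIF_IF" inet6 2>/dev/null) || return 1
    is_deprecated "$LOCAL_EP" "$out" && return 0
    ifconfig "$GIF_IF" inet6 "$LOCAL_EP" prefixlen "$PREFIX_LEN" deprecated || return 1
    is_deprecated "$LOCAL_EP" "$(ifconfig "$GIF_IF" inet6)"
}

# Constructed sample output in FreeBSD ifconfig style (before and after the
# flag is set), used only for the offline self-check below.
SAMPLE_BEFORE='gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
        inet6 fe80::1%gif0 prefixlen 64 scopeid 0x8
        inet6 2001:db8:1::2 --> 2001:db8:1::1 prefixlen 64'
SAMPLE_AFTER='gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
        inet6 fe80::1%gif0 prefixlen 64 scopeid 0x8
        inet6 2001:db8:1::2 --> 2001:db8:1::1 prefixlen 64 deprecated'

# Offline self-check: the parser must see the flag only on the endpoint line
# and only after the flag has been set.
self_check() {
    ! is_deprecated "$LOCAL_EP" "$SAMPLE_BEFORE" || return 1
    is_deprecated "$LOCAL_EP" "$SAMPLE_AFTER" || return 1
    ! is_deprecated "fe80::1" "$SAMPLE_AFTER" || return 1
}
```

deprecate_local_endpoint is the function to call from whatever hook the firewall runs after the gif interface is up; self_check exercises only the parser against the constructed samples and needs no root or live interface.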