Patch & Pray! IPv4/v6 dual-stack gateway w/ ubuntu, no-netplan, networkd

This was much tougher than it should have been. On the surface, take a small PC with a bunch of Ethernet ports. Slap 1 of them into a cable modem, slap the others into the WiFi system and desktop in the office. Make it be a gateway for v4 and v6. Couple networks (LAN, WiFi, Guest-WiFi). Done. Well. ipv4 was great success. But, getting upstream subnet from ipv6 and then splitting it, well, not so easy. Don your peril sensitive sunglasses if you will read on.

Earlier I wrote about the first problem, receiving a ipv6 address that might change, but having to hard-code that in the DHCP file. Hmm.

Another issue, IPv6 cannot (should not) be subnetted below /64. But, the cableco hands out a /64. They do support prefix-delegation, but, netplan does not. https://bugs.launchpad.net/netplan/+bug/1771886. My earlier experience with netplan and its feature gap was not that great, but this is more of a show-stopper.

So, lets do the obvious. Delete netplan. Well, you can’t, but, you can make /etc/netplan be an empty directory, cp /run/systemd/network/ /etc/systemd/network; rm -f /etc/netplan/*; systemctl enable systemd-networkd.

OK, now we are on systemd, it should be all good? Wait? What’s that? prefix-delegation is only supported (as far as assigning an address to an interface so you can do RA or DHCP from it) as of a merge to master the day v245 released https://github.com/systemd/systemd/commit/5bb67b107f1d618453308c05958d6e987f995ee9. Hmm. I’m on v245, is it in or no? (no).

OK, its just code, I got this. But, systemd is a *dangerous* thing. Once doesn’t merely upgrade systemd, its got its tentacles in every aspect of your system.

Hmm. Let’s cherrypick that patch, its pretty simple. Just run:

git diff 5bb67b107f1d618453308c05958d6e987f995ee9^ 5bb67b107f1d618453308c05958d6e987f995ee9 and we have the patch.

Kinda rolls off the tongue, right? Now we do:

git clone https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd and we have the source tree we are using.

Now we do git checkout v245 and patch -p1 < mypatch from above.

Now we run apt-get build-dep systemd and then debuild to get going. Now its time to install and cross-fingers.

So, lets get the config. First, the WAN port:

[Match]
Name=enp1s0

[Link]
MTUBytes=1500

[Network]
DHCP=yes
DNS=127.0.0.1
Domains=agilicus.com
IPForward=yes
IPv6AcceptRA=yes
LinkLocalAddressing=ipv6

[DHCP]
RouteMetric=100
UseMTU=false

[DHCPv6]
PrefixDelegationHint=::/56
ForceDHCPv6PDOtherInformation=yes
WithoutRA=solicit

Now lets do the LAN’s.

[Match]
Name=lan

[Network]
Address=172.16.30.1/24
ConfigureWithoutCarrier=yes
IPForward=yes
IPv4LLRoute=yes
IPv6AcceptRA=no
IPv6PrefixDelegation=dhcpv6
LinkLocalAddressing=ipv6

[IPv6Prefix]
Assign=yes

[IPv6PrefixDelegation]
RouterLifetimeSec=600

(it configures a bridge called LAN which has a few of the ports on it, the others going to the WiFi on a different subnet). I repeated for the various wifi subnets

Now, we have achieved our goal. Each LAN-side interface has a unique IP, on a unique prefix. And we route properly, a few iptables rules, good to go.

My takeaway? I guess not a lot of you are using ipv6 prefix delegation to multiple subnets from your ISP? Or you are not using networkd? Or?


Posted

in

by

Tags:

Comments

2 Responses to “Patch & Pray! IPv4/v6 dual-stack gateway w/ ubuntu, no-netplan, networkd”

  1. Owen DeLong

    I’m a little confused by what you say about $CABLECO.

    It seems to imply that they provide RA for /64 on link for your router to get an address. It’s not clear that this is them giving you the entire /64.

    There are only two valid mechanism for giving a client side prefix to a subscriber in IPv6. Static (same as in IPv4, though doing so is extremely rare) and DHCP-PD (which you say they support above). Sounds like the $CABLECO is doing (mostly) the right thing. (Where they usually go wrong is in limiting your PD to something like a /60 or /56 instead of a proper /48).

    The failure of netplan to support DHCP-PD is a failure of netplan to be sure and I hope they fix that, but I’d hardly blame the cable operator for providing a /64 outside of PD as that’s the expected norm.

    1. db

      wasn’t blaming the cableco.
      the blocker was:
      a) netplan no pd support
      b) systemd, doesn’t assign an IP on the PD subnet to the router. my cableco is doing the right thing, i get 2 subnets, a /64 and a /56, but i had to make a change to systemd to get it to assign an ip to itself on the 2nd subnet on each interface so the other devices in the lan can route back.

Leave a Reply

Your email address will not be published. Required fields are marked *