
I'm still wrapping my head around the finer points of IPv6. It just hasn't been a priority to mess with it much and I didn't have the personal interest until my latest little project. However, one thing I've read, time and time again, is to use the link-local IP of the gateway when configuring a gateway for clients. Buuut... that seems problematic to me...

For example, assume I have a client and gateway each with globally routable v6 IPs in the same subnet on the lan side. I configure the client to use the gateway's link-local IP as its gateway for IPv6 traffic as per the common recommendation.

Will internet bound traffic from lan clients always use their global unicast IPs as the source ip even with the client's gateway being configured to a link-local ip? This matters because I will be setting up snort using nfqueue and will need to be able to configure it with the ip ranges it needs to protect. And I'd rather not have it eating up cpu cycles and memory on link-local traffic that's not a threat. But I also don't want to introduce a security hole that can bypass snort.

Context

Let me explain, briefly, my setup. I have a small ITX computer running Arch Linux on an old Intel Atom D525 configured as my network's gateway. It has two Ethernet ports identified as lan and wan in the OS. Both lan and wan are dual-stack, with globally routable v6 and v4 IPs on the wan side. Both wan IP stacks are automatically assigned IPs by my ISP (DHCP and RA). All lan clients, as well as the lan interface of the gateway, have globally routable v6 IPs as well as private (RFC 1918) v4 IPs. I've implemented a netfilter based firewall protecting the lan and the gw from the wan side for both IPv6 and IPv4.

One point of interest is that I am using Stateful DHCPv6 on my lan for assigning the globally routable v6 IPs. The DHCPv6 daemon (ISC DHCPd) is on the gateway and makes use of a v6 Prefix also automatically assigned by my ISP. I still use router advertisements to assign a v6 gateway address to clients but that is the only thing assigned via RA. Everything else is handled via DHCPv6 with address pools and even some static IP assignments.

Obviously, there are link-local v6 IPs for each client and each Ethernet interface on the gateway as well.

1 Answer


The packets will always contain the source and destination addresses of the endpoints. The only way the gateway or next-hop addresses are used is to look up the layer-2 MAC address to forward the packet to. They don't influence anything in layer-3 of the packet.

  • In hindsight this seems really obvious. I guess I was still hung up on how IPv4 gateways work with SNAT. Commented Aug 17, 2019 at 18:23
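To make the answer concrete, here is an added example (not from the answer or the poster's setup) that models a client's route lookup and the gateway's forwarding check; the 2001:db8: prefixes, the interface names and the fe80::1 next hop are constructed documentation values. It shows that the link-local next hop only selects the neighbor whose MAC is resolved while the IPv6 header keeps the global endpoint addresses, and that packets with a link-local source or destination are never forwarded at all, so an nfqueue rule keyed on the delegated lan prefix in the forward path does not miss any lan-originated internet traffic.

```python
import ipaddress

# Constructed values: documentation prefix standing in for the ISP-delegated /64.
LAN_PREFIX = ipaddress.ip_network("2001:db8:1::/64")

# Client routing table: destination -> (next_hop, interface).
# next_hop None means "on-link"; the default route points at the gateway's
# link-local address, as the common recommendation says.
CLIENT_ROUTES = [
    (ipaddress.ip_network("2001:db8:1::/64"), (None, "eth0")),
    (ipaddress.ip_network("fe80::/64"), (None, "eth0")),
    (ipaddress.ip_network("::/0"), (ipaddress.ip_address("fe80::1"), "eth0")),
]


def route_lookup(dst, routes):
    """Longest-prefix match; returns (next_hop, iface)."""
    best = None
    for net, hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    if best is None:
        raise ValueError("no route to %s" % dst)
    return best[1]


def send(src, dst, routes):
    """Build the packet a client emits for src -> dst.

    The route's next hop decides only which neighbor's MAC is resolved via
    Neighbor Discovery; the layer-3 header carries the endpoints unchanged.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    next_hop, iface = route_lookup(dst, routes)
    neighbor = next_hop if next_hop is not None else dst
    return {"src": src, "dst": dst, "iface": iface, "neighbor_for_nd": neighbor}


def gateway_forward_decision(pkt):
    """Classify a packet that arrived on lan, as the gateway's forward path would.

    Link-local source or destination is never forwarded (RFC 4291 scope rule),
    so inspection keyed on LAN_PREFIX covers every packet that can leave the lan.
    """
    if pkt["src"].is_link_local or pkt["dst"].is_link_local:
        return "not-forwarded"
    if pkt["src"] in LAN_PREFIX and pkt["dst"] not in LAN_PREFIX:
        return "forward-and-inspect"
    return "other"
```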

