Topic: IPv6 RA causing problems
« on: February 06, 2011, 16:02:56 »
lgiese *
Posts: 4

I have a unique network here in my home office.  I run a small web/email hosting business.  I have two T1's coming in to a Cisco 2620 router, with one IPv4 /24 and an IPv6 /48 from my upstream provider.  So far this all works.

On the inside, I have a private network, IPv4 192.168.x.x that I use for the office & home desktops.  I have a DSL (from the same ISP) with a static IPv4 address and an IPv6 /56 assigned.  I do this so websurfing and large downloads from the desktops don't use any of the hosting bandwidth.

I put a Soekris NET4801 running M0n0wall in as the router for the DSL.  For the IPv4 side of things, I have the WAN side going to the DSL, LAN NIC on the 192.168.x.x network and the third NIC (OPT1) attached to the public IPv4 subnet.  That way IP traffic for the public servers from the desktop machines does not go out the DSL to the Internet and back via the T1's.  This works great.

Initially, I had RA turned off on the Soekris and IPv6 was fine and routing worked just fine.  A couple of the hosts on the public network are dual homed with NICs on the public network and a NIC on the 192.168.x.x network. These are exceptions and are used for special purposes like NAGIOS & MRTG where I want to monitor equipment on both subnets, like UPS's and managed switches.

The problem is when I turned on RA on the LAN adapter on M0n0wall.  Even though the private NICs were not assigned IPv6 addresses, just turning on IPv6 on these Linux hosts put a link-local address on the private NICs and they hear the RA announcements from the Soekris on the LAN subnet.

Now no matter how I configure these hosts, they send their IPv6 traffic to the /56 subnet to M0n0wall via the LAN interface with an IPv6 address in the /48 subnet.  And it appears no matter what rules I put in on M0n0wall, the LAN interface won't accept IPv6 traffic with a from IP address in the /48 subnet.  The /48 is assigned/attached to OPT1.

If I turn off RA on M0n0wall and flush the IPv6 routes on the dual homed hosts, things go back to working.  I have seen this behavior with M0n0wall 1.3.2 and 1.3.3b2 embedded.  I think the killer from the firewall logs on M0n0wall is that it won't accept traffic on the LAN interface with a from IPv6 address from a different subnet or from a subnet assigned to OPT1.  And the RAs are causing my Linux hosts to try to send that traffic out the 'wrong' NIC.

And I don't have a switch that can filter RAs on a per-port basis and I am not sure I can afford that solution either.  I am having a hard time finding switches that have that feature unless I buy some very expensive Cisco Catalyst switches.

Any other suggestions?  Or is this a solvable 'bug' in M0n0wall?

Lyle Giese
LCR Computer Services, Inc.
« Reply #1 on: February 06, 2011, 19:34:58 »
brushedmoss ****
Posts: 446

Don't use autoconfiguration, use a dhcpv6 client
« Reply #2 on: February 06, 2011, 20:49:08 »
lgiese *
Posts: 4

I am not fully grasping your answer...  I set these hosts for manual/static configuration and set IPv6 addresses and set default routes manually.  But they appear to 'listen' to the RA announcements.

Plus, if I understand DHCPv6 correctly, it depends on RA to configure the default route as DHCPv6 does not have an option for routers like DHCP for IPv4 does.

Lyle
« Reply #3 on: February 06, 2011, 21:09:52 »
brushedmoss ****
Posts: 446

Monowall will not accept traffic into its LAN interface if the source IP is in the OPT interface range.

Your Linux host shouldn't be sending its OPT subnet traffic out its LAN interface, that doesn't make sense, it should be sending it out its OPT interface.

My previous comment was from reading your post too quickly, I assumed you had two gateways and didn't want to use one, hence the suggestion of using a dhcpv6 client
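
A host-side check for the situation described in this thread, added here as an example and not posted by anyone in the thread: it reads the Linux kernel's per-interface `accept_ra`, `forwarding`, `accept_ra_defrtr` and `disable_ipv6` sysctls, reports which NICs will act on a Router Advertisement, and prints the sysctl lines that stop a chosen NIC from doing so. The function names are made up for this example, and the conf directory can be overridden so the logic can be tested against a constructed tree.

```shell
#!/bin/sh
# Added example: report which interfaces will act on Router Advertisements.
# Reads the Linux per-interface IPv6 sysctls under a conf directory
# (default /proc/sys/net/ipv6/conf; another root can be passed for testing).

# ra_state DIR -> prints "accepts-ra+defrtr", "accepts-ra" or "ignores-ra"
ra_state() {
    dir=$1
    ra=$(cat "$dir/accept_ra" 2>/dev/null || echo 0)
    fwd=$(cat "$dir/forwarding" 2>/dev/null || echo 0)
    defrtr=$(cat "$dir/accept_ra_defrtr" 2>/dev/null || echo 0)
    off=$(cat "$dir/disable_ipv6" 2>/dev/null || echo 0)
    # accept_ra: 0 = never, 1 = only while forwarding is off, 2 = always
    if [ "$off" = 1 ] || [ "$ra" = 0 ] || { [ "$ra" = 1 ] && [ "$fwd" != 0 ]; }; then
        echo ignores-ra
    elif [ "$defrtr" = 1 ]; then
        echo accepts-ra+defrtr   # an RA can install a default route here
    else
        echo accepts-ra
    fi
}

# ra_audit [ROOT] -> one "iface state" line per real interface
ra_audit() {
    root=${1:-/proc/sys/net/ipv6/conf}
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        ifc=$(basename "$d")
        case $ifc in all|default|lo) continue ;; esac
        echo "$ifc $(ra_state "$d")"
    done
}

# ra_harden IFACE -> sysctl.d lines that stop IFACE from acting on RAs
ra_harden() {
    printf 'net.ipv6.conf.%s.accept_ra = 0\n' "$1"
    printf 'net.ipv6.conf.%s.autoconf = 0\n' "$1"
}

# Audit the running host (prints nothing if the directory is absent).
ra_audit "$@"
```

Any NIC reported as `accepts-ra+defrtr` on a segment where a router sends RAs can pick up a default route from them even when its addresses are static; the output of `ra_harden` for that NIC can be placed in a file under `/etc/sysctl.d/`.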