[Dnsmasq-discuss] Prefix delegation with DNSmasq

Uwe Schindler uwe at thetaphi.de
Sun Apr 12 18:33:20 BST 2020


Hi
 
> I have a setup in mind and wonder whether dnsmasq is the correct tool (since I
> have not found the necessary functionality in the documentation yet).
> 
> We have a /56 IPv6 network, and plan to use pure DHCPv6 (no stateless
> autoconfiguration) in several /64 networks.

That's perfect. Looks much like a standard German DSL account. 😊

> There are several subnets (currently NATed IPv4), such as — for example — a
> WireGuard VPN network, or a local isolated subnet.
> While with IPv4, the answer was the use of private addresses and NAT every
> time, potentially using a DHCP forwarder, for IPv6, the answer should be to use
> Global Unicast addresses everywhere (right?).
> How do I approach this correctly?

That's very easy because you have a /56 net.

> Three options come to mind to handle such subnets:
> - Use ULAs and NAT (but that does not feel like IPv6...).

No no no, bad idea and very stupid for such a large network.

> - Delegate a prefix from the large network (where we'd use dnsmasq) to the
> "gateway" machine, which then would be a router.
>   However, I am not aware if dnsmasq can delegate prefixes?

This should all be done on the central router. For each subnet you have a separate dnsmasq.

> - Use ProxyNDP (via npdpd or Linux kernel functionality). But I'm not sure if
> that scales well to a larger number of machines?

No need to do that (see below). ProxyNDP is only needed if you want to delegate some global addresses to devices that are in the same subnet but behind another machine (MAC address). You don't need this. All can be done with plain simple routing.

> - Use static routes on the central machine which send the /64 subnet to the
> "gateways" and use dnsmasq on the gateways.

That's the way to go and it will just work! Explanation:

The provider delegates a /56 prefix to you. How this is done depends, but for DSL (dynamic) or also at Hetzner (static) the whole thing works on the link-level addresses. For DSL you have the PPP daemon, which gets a link-local address assigned on the end point. For DSL you get a prefix delegated using DHCP-PD (prefix delegation); for static routes (e.g., Hetzner) you get all traffic routed to the link-local address of your router (that's derived from the MAC address of the router known to the provider).

On the router you just assign the subnets and their primary address (....:1) to a separate interface or VLAN in portions of /64. The Linux kernel will then just automatically route all incoming packets from the WAN interface (PPP or Ethernet) to the correct (virtual) network adapter. On each of those network adapters you have a dnsmasq listening.

Just some recommendation: I'd NOT go with DHCPv6, as no Chromebook or Android device supports it. I'd go for SLAAC. Very easy. As you can set up a separate /64 subnet (up to 256 of them), you have enough flexibility to handle all of them in a separate network with full /64 SLAAC address space. Each of those networks has firewalling on the router box and is delegated to the network switch, e.g., via VLANs.

If you are interested in how to set up the Prefix Delegation with PPP, just ask. The usual howtos seen on the internet with wide-dhcpd are outdated and not very modern and rely on a broken tool which should not be used anymore. The correct way for that is the "dhcpcd" client daemon listening on the PPP interface and waiting for DHCP-PD packets. The dhcpcd config file can then automatically split the delegated /56 network and assign it to various real/virtual interfaces each with a /64 subnet, where a separate dnsmasq is handling everything. No hacks needed, just plain routing on the box (it's enough to enable IP forwarding unless you want to firewall). All on a single box. I have set this up multiple times.

Uwe
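The split-the-/56-into-per-interface-/64s plan described in the reply above, as an added worked example (not code from the thread or from dnsmasq/dhcpcd): it carves one /64 per interface out of a constructed documentation prefix, puts the ::1 router address on each, and emits the matching dhcpcd `ia_pd` line and a per-interface dnsmasq config in SLAAC-only (`ra-only`) mode. Interface names, SLA ids and the prefix are constructed; the `ia_pd` and `dhcp-range` syntax is taken from the dhcpcd.conf and dnsmasq man pages as recalled here, so check it against your installed versions.

```python
import ipaddress

# Constructed example values: a documentation /56 and three downstream interfaces.
DELEGATED = ipaddress.IPv6Network("2001:db8:ab00::/56")   # not a real delegation
INTERFACES = {"eth1": 1, "wg0": 2, "vlan30": 3}             # interface -> SLA id (0..255)
UPSTREAM = "ppp0"                                           # where DHCP-PD replies arrive


def split_prefix(delegated, sla_ids):
    """Map each interface to the /64 whose subnet number is its SLA id."""
    subnets = list(delegated.subnets(new_prefix=64))      # a /56 yields 256 of them
    return {iface: subnets[sla] for iface, sla in sla_ids.items()}


def gateway(net):
    """Primary router address inside a /64: the ::1 host of that subnet."""
    return ipaddress.IPv6Interface(f"{net.network_address + 1}/64")


def dhcpcd_ia_pd(upstream, sla_ids):
    """dhcpcd.conf stanza: request a /56 on the WAN link and hand /64 slices to LAN interfaces."""
    members = " ".join(f"{iface}/{sla}/64" for iface, sla in sla_ids.items())
    return f"interface {upstream}\n  ia_pd 1/::/56 {members}"


def dnsmasq_conf(iface, net):
    """One dnsmasq instance per interface; ra-only = router advertisements for SLAAC, no DHCPv6 leases."""
    return "\n".join([f"interface={iface}", "bind-interfaces", "enable-ra",
                      f"dhcp-range={net.network_address},ra-only"])


def ip_commands(assignments):
    """Plain routing as in the reply: enable forwarding, put ::1/64 on each interface."""
    cmds = ["sysctl -w net.ipv6.conf.all.forwarding=1"]
    for iface, net in assignments.items():
        cmds.append(f"ip -6 addr add {gateway(net)} dev {iface}")
    return cmds


if __name__ == "__main__":
    plan = split_prefix(DELEGATED, INTERFACES)
    print("# dhcpcd.conf\n" + dhcpcd_ia_pd(UPSTREAM, INTERFACES) + "\n")
    for iface, net in plan.items():
        print(f"# /etc/dnsmasq.d/{iface}.conf\n" + dnsmasq_conf(iface, net) + "\n")
    print("# manual equivalent of what dhcpcd does on the router")
    print("\n".join(ip_commands(plan)))
```

Run it to print the per-interface plan; with dhcpcd doing the assignment you only need the `ia_pd` stanza and the dnsmasq files, and the `ip`/`sysctl` lines show what it configures for you.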
