[Dnsmasq-discuss] Prefix delegation with DNSmasq
Oliver Freyermuth
o.freyermuth at googlemail.com
Sun Apr 12 18:49:03 BST 2020
Hi,
thanks for the elaborate reply!
On 12.04.20 at 19:33, Uwe Schindler wrote:
> Hi
>
>> I have a setup in mind and wonder whether dnsmasq is the correct tool (since I
>> have not found the necessary functionality in the documentation yet).
>>
>> We have a /56 IPv6 network, and plan to use pure DHCPv6 (no stateless
>> autoconfiguration) in several /64 networks.
>
> That's perfect. Looks much like a standard German DSL account. 😊
In our case, even better, since the prefix is completely fixed and will never change ;-).
>
>> There are several subnets (currently NATed IPv4), such as — for example — a
>> WireGuard VPN network, or a local isolated subnet.
>> While with IPv4, the answer was the use of private addresses and NAT every
>> time, potentially using a DHCP forwarder, for IPv6, the answer should be to use
>> Global Unicast addresses everywhere (right?).
>> How do I approach this correctly?
>
> That's very easy because you have a /56 net.
>
>> Three options come to mind to handle such subnets:
>> - Use ULAs and NAT (but that does not feel like IPv6...).
>
> No no no, bad idea and very stupid for such a large network.
That's what I thought :-).
>
>> - Delegate a prefix from the large network (where we'd use dnsmasq) to the
>> "gateway" machine, which then would be a router.
>> However, I am not aware if dnsmasq can delegate prefixes?
>
> This should all be done on the central router. For each subnet you have a separate dnsmasq.
Since we already have gateway nodes for IPv4, we'd rather scale the dnsmasqs out, but that does not seem to interfere with the proposed solution.
>
>> - Use ProxyNDP (via npdpd or Linux kernel functionality). But I'm not sure if
>> that scales well to a larger number of machines?
>
> No need to do that (see below). ProxyNDP is only needed if you want to delegate some global addresses to devices that are in the same subnet but behind another machine (MAC address). You don't need this. All can be done with plain simple routing.
I see :-).
>
>> - Use static routes on the central machine which send the /64 subnet to the
>> "gateways" and use dnsmasq on the gateways.
>
> That's the way to go and it will just work! Explanation:
>
> The provider delegates a /56 prefix to you. How this is done depends, but for DSL (dynamic) or also at Hetzner (static) the whole thing works on the link level addresses. For DSL you have the PPP daemon, which gets a link-local address assigned on the end point. For DSL you get a prefix delegated using DHCP-PD (prefix delegation); for static routes (e.g., Hetzner) you get all traffic routed to the link-local address of your router (that's coming from the MAC address of the router known to the provider).
>
> On the router you just assign the subnets and their primary address (....:1) to a separate interface or VLAN in portions of /64. The linux kernel will then just automatically route all incoming packets from the WAN interface (PPP or Ethernet) to the correct (virtual) network adaptor. On each of those network adaptors you have a dnsmasq listening.
There's a slightly more special case for us: We have one central firewall (which gets the full /56 net on the upstream interface routed to it) and most gateways are separate nodes
(i.e. most VLANs are not connected to the central FW).
So I believe in that case I just need an ip6tables rule (per /64 subnet) on the central firewall to redirect all traffic to the gateway for the /64 subnet, right?
> Just some recommendation: I'd NOT go with DHCPv6, as no Chromebook or Android device supports it. I'd go for SLAAC. Very easy. As you can set up a separate /64 subnet (up to 256 of them), you have enough flexibility to handle all of them in a separate network with full /64 SLAAC address space. Each of those networks has firewalling on the router box and is delegated to the network switch, e.g., via VLANs.
I know (while I knew about Android, good point about the Chromebooks!). Our main use case is addressing of Linux servers (i.e. there will only be "DHCP reserved" entries).
Indeed, for a general purpose network (one of those /64s), we need to think whether we'll go with DHCPv6 (and lose Android and Chromebooks) or really stay with DHCPv6. For now, I'll plan with DHCPv6 ;-).
Cheers and thanks,
Oliver
> If you are interested how to set up the Prefix Delegation with PPP, just ask. The usual howtos seen on the internet with wide-dhcpd are outdated and not very modern and rely on a broken tool which should not be used anymore. The correct way for that is the "dhcpcd" client daemon listening on the PPP interface and waiting for DHCP-PD packets. The dhcpcd config file can then automatically split the delegated /56 network and assign it to various real/virtual interfaces each with a /64 subnet, where a separate dnsmasq is handling everything. No hacks needed, just plain routing on the box (it's enough to enable IP forwarding unless you want to firewall). All on a single box. I have set this up multiple times.
>
> Uwe
>
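As an added example that is not part of this thread (and not code from either poster), a small POSIX shell script along the lines of the static-route approach discussed above: it carves /64 subnets out of the /56, emits the central firewall's per-subnet route and forwarding rules towards the gateway node, and a static-only DHCPv6 dnsmasq fragment for that gateway. The prefix 2001:db8:abcd:ef00, the link-local gateway address, the interface names and the DUID are placeholders of my choosing; the /56 is assumed to be given as its first four hextets, uncompressed.

```shell
#!/bin/sh
# Added example, not from the thread. Prefix, addresses, interfaces and DUID
# are placeholders; the /56 must be passed as four uncompressed hextets.

# subnet64 PREFIX56 INDEX -> prints the INDEX-th /64 (0..255) inside the /56
subnet64() {
  p="$1"; idx="$2"
  [ "$idx" -ge 0 ] 2>/dev/null && [ "$idx" -le 255 ] || return 1
  h1=${p%%:*}; r=${p#*:}
  h2=${r%%:*}; r=${r#*:}
  h3=${r%%:*}; h4=${r#*:}
  # keep the upper byte of the fourth hextet (the /56 part), add the subnet index
  printf '%s:%s:%s:%x::/64\n' "$h1" "$h2" "$h3" $(( (0x$h4 & 0xff00) + idx ))
}

# Central firewall: static route for one /64 to the gateway node's link-local
# address on its VLAN, plus forwarding rules scoped to that subnet only
# (reply traffic back in, new connections out via the placeholder wan0).
fw_lines() {
  net="$1"; gw_ll="$2"; dev="$3"
  printf 'ip -6 route add %s via %s dev %s\n' "$net" "$gw_ll" "$dev"
  printf 'ip6tables -A FORWARD -d %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$net"
  printf 'ip6tables -A FORWARD -s %s -o wan0 -j ACCEPT\n' "$net"
}

# Gateway node: dnsmasq fragment for a static-only DHCPv6 pool (no SLAAC);
# addresses come exclusively from dhcp-host reservations keyed by DUID.
dnsmasq_lines() {
  net="$1"; dev="$2"
  pfx=${net%%/*}   # e.g. 2001:db8:abcd:ef10::
  printf 'interface=%s\nenable-ra\ndhcp-range=%s,static\n' "$dev" "$pfx"
  printf 'dhcp-host=id:%s,[%s10],srv1\n' "00:03:00:01:PLACEHOLDER-DUID" "$pfx"
}

# Two example subnets (indices 16 and 17 of the /56), one gateway VLAN each
for i in 16 17; do
  net=$(subnet64 2001:db8:abcd:ef00 "$i") || exit 1
  fw_lines "$net" fe80::1 "vlan$i"
  dnsmasq_lines "$net" eth0
done
```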