Kannst Du vielleicht ein wenig erklären, wie bei dir das DHCP eingerichtet ist?
Ich bin gerade etwas im Stress, wenn etwas fehlt oder unverständlich ist, bitte einfach melden. Das sollte aber alles sein, exklusive meinem VPN-Kram…
# cat /etc/dnsmasq.conf | egrep -Ev '^(#|$)'
# dnsmasq: DNS forwarder and DHCPv4 server, serving the guest bridge only.
interface=br0
# Bind the socket to br0 itself instead of the wildcard address, so the
# service is not reachable via the public interface (eth0).
bind-interfaces
# Never forward plain names (without a dot) to the upstream resolvers.
domain-needed
# Answer reverse lookups for private (RFC 1918) ranges locally instead of
# leaking them upstream.
bogus-priv
# Do not use /etc/hosts for answers.
no-hosts
# Static MAC -> IPv4 assignments come from /etc/ethers (listed below).
read-ethers
# Dynamic pool with a 24h lease time.
# NOTE(review): clients without an /etc/ethers entry presumably still get a
# lease from this pool; if only known guests should be served, dnsmasq's
# dhcp-ignore=tag:!known would restrict that - confirm that this is wanted.
dhcp-range=172.19.1.****,172.19.1.254,24h
# 0.0.0.0 is replaced by dnsmasq with its own address on the serving
# interface, i.e. guests are told to use the host as NTP server.
dhcp-option=option:ntp-server,0.0.0.0
# cat /etc/ethers | egrep -Ev '^\s*(#|$)'
# Static DHCPv4 assignments (MAC -> IPv4), read by dnsmasq via read-ethers.
# 52:54:00 is the default OUI libvirt/KVM uses for generated guest MACs.
52:54:00:c2:**:** 172.19.1.***
52:54:00:bb:**:** 172.19.1.***
52:54:00:64:**:** 172.19.1.***
52:54:00:0e:**:** 172.19.1.***
# cat /etc/ndppd.conf | egrep -Ev '^\s*(#|$)'
# ndppd: NDP proxy. The guest /64 lives on br0, but the upstream router sees
# it on eth0, so ndppd answers Neighbor Solicitations on eth0 for addresses
# that are actually reachable on br0 (the on-link route for the /64 is removed
# from eth0 in /etc/network/interfaces).
# NOTE(review): route-ttl/timeout/ttl are presumably in milliseconds (cache
# lifetime of learned routes, wait time for a forwarded NS, lifetime of a
# learned neighbor) - confirm against ndppd.conf(5).
route-ttl 30000
proxy eth0 {
# Presumably: do not set the router flag in the proxied advertisements.
router no
timeout 500
ttl 30000
# Only the guest prefix is proxied, and only if the address is found on br0.
rule 2a03:4000:10:****::/64 {
iface br0
}
}
# cat /etc/radvd.conf | egrep -Ev '^\s*(#|$)'
# radvd: Router Advertisements on the guest bridge. Addressing is SLAAC only;
# there is no DHCPv6 server (see the PS below and the REJECT for 546/547 in
# the iptables excerpt).
interface br0
{
AdvSendAdvert on;
# Short RA intervals so guests pick up the prefixes quickly after boot.
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
# Public prefix: on-link and autoconfigured. This is the same /64 that br0
# carries as ::1/64 and that ndppd proxies towards eth0.
prefix 2a03:4000:10:****::/64
{
AdvOnLink on;
AdvAutonomous on;
};
# ULA prefix: autoconfigured but deliberately not on-link, so guests reach
# other ULA addresses via the host instead of directly - presumably so that
# this traffic passes the host's forwarding rules. The host routes the
# enclosing /56 on lo (see /etc/network/interfaces).
prefix fd66:6e78:21a3:****::/64
{
AdvOnLink off;
AdvAutonomous on;
};
# Recursive DNS server advertised to guests: the host's ULA address on br0,
# where dnsmasq listens.
RDNSS fd66:6e78:21a3:****::1
{
};
};
# cat /etc/network/interfaces | egrep -Ev '^\s*(#|$)'
auto lo
iface lo inet loopback
allow-hotplug eth0
# Public side of the host.
iface eth0 inet static
address 188.68.34.****
netmask 255.255.252.0
gateway 188.68.32.1
iface eth0 inet6 static
address 2a03:4000:10:****::bc44:22**/64
gateway fe80::1
# Remove the on-link route for the /64 from eth0: the prefix is assigned to
# br0 below, and ndppd answers neighbor solicitations for it on eth0.
post-up ip -6 route del 2a03:4000:10:****::/64 dev eth0
auto tap0 br0
# tap0 is created by hand here - presumably so that br0 always has a port,
# even before the first guest is started.
iface tap0 inet manual
pre-up ip tuntap add tap0 mode tap
post-down ip link del dev tap0
# Guest bridge: IPv4 /26 (matches the dnsmasq range), plus the global and the
# ULA /64 for IPv6.
iface br0 inet static
address 172.19.1.****
netmask 255.255.255.192
# Route the whole ULA /56 to lo; the more specific /64 on br0 below wins for
# the guest subnet, the rest of the /56 presumably ends up being sunk locally.
post-up ip -6 route add fd66:6e78:21a3:****::/56 dev lo metric 64
pre-down ip -6 route del fd66:6e78:21a3:****::/56 dev lo metric 64
# 'nodad' skips duplicate address detection, so the addresses are usable
# immediately after the interface comes up.
post-up ip -6 addr add fd66:6e78:21a3:****::1/64 dev $IFACE nodad
pre-down ip -6 addr del fd66:6e78:21a3:****::1/64 dev $IFACE
post-up ip -6 addr add 2a03:4000:10:****::1/64 dev $IFACE nodad
pre-down ip -6 addr del 2a03:4000:10:****::1/64 dev $IFACE
# No STP and no forwarding delay on a single-host bridge.
bridge_stp off
bridge_ports tap0
bridge_maxwait 0
bridge_fd 0
# cat ~/scripts/iptables.sh (Auszug)
# --- KVM guest network (excerpt). $IPv4_BIN/$IPv6_BIN and the LOG_DROP /
# LOG_REJECT chains are defined elsewhere in the script (not shown). ---
IPv6_SUBNET="2a03:4000:10:****::/64"
IPv4_PRIMARY="188.68.34.***"
IPv4_KVM="172.19.1.***/26"
IFACE_DEFAULT="eth0"
IFACE_KVM="br0"
# Anti-spoofing: packets that enter on br0 and leave on eth0 must carry a
# source address from the guest subnet / prefix; anything else is logged and
# dropped.
$IPv4_BIN -N "fnx_kvm_srccheck"
$IPv6_BIN -N "fnx_kvm_srccheck"
$IPv4_BIN -A "fnx_kvm_srccheck" -i "$IFACE_KVM" -o "$IFACE_DEFAULT" ! -s "$IPv4_KVM" -j LOG_DROP
$IPv6_BIN -A "fnx_kvm_srccheck" -i "$IFACE_KVM" -o "$IFACE_DEFAULT" ! -s "$IPv6_SUBNET" -j LOG_DROP
$IPv4_BIN -A FORWARD -j "fnx_kvm_srccheck"
$IPv6_BIN -A FORWARD -j "fnx_kvm_srccheck"
# NOTE(review): in the INPUT path a packet has no output interface, so the
# '-o "$IFACE_DEFAULT"' match in the two rules above can never succeed there.
# The source check is therefore a no-op for traffic from guests to the host
# itself. Simply dropping the -o match would not be enough either: host-bound
# IPv6 traffic legitimately uses the ULA prefix (fd66:6e78:21a3:****::/64,
# advertised by radvd and used for RDNSS), which $IPv6_SUBNET does not cover.
# A separate INPUT check that accepts both the global and the ULA prefix
# would close the gap.
$IPv4_BIN -A INPUT -j "fnx_kvm_srccheck"
$IPv6_BIN -A INPUT -j "fnx_kvm_srccheck"
# Services the host offers to guests (new connections arriving on br0).
$IPv4_BIN -N "fnx_kvm"
$IPv6_BIN -N "fnx_kvm"
$IPv4_BIN -A INPUT -i "$IFACE_KVM" -m state --state NEW -j "fnx_kvm"
$IPv6_BIN -A INPUT -i "$IFACE_KVM" -m state --state NEW -j "fnx_kvm"
# DHCPv4 (dnsmasq) is allowed; DHCPv6 is rejected explicitly, since
# addresses are handed out via SLAAC/radvd.
$IPv4_BIN -A "fnx_kvm" -p udp --sport 68 --dport 67 -j ACCEPT
$IPv6_BIN -A "fnx_kvm" -p udp --sport 546 --dport 547 -j REJECT
# DNS: UDP only.
# NOTE(review): answers that do not fit into a UDP response (large records,
# DNSSEC) require a TCP/53 fallback, which ends up in LOG_REJECT below.
$IPv4_BIN -A "fnx_kvm" -p udp --dport 53 -j ACCEPT
$IPv6_BIN -A "fnx_kvm" -p udp --dport 53 -j ACCEPT
# NTP: the --sport 123 match only admits clients that send from port 123.
# Classic ntpd does (the guests run ntp per the text below); other clients
# such as chrony or systemd-timesyncd may use an ephemeral source port and
# would be rejected.
$IPv4_BIN -A "fnx_kvm" -p udp --sport 123 --dport 123 -j ACCEPT
$IPv6_BIN -A "fnx_kvm" -p udp --sport 123 --dport 123 -j ACCEPT
# Everything else from guests to the host is logged and rejected.
$IPv4_BIN -A "fnx_kvm" -j LOG_REJECT
$IPv6_BIN -A "fnx_kvm" -j LOG_REJECT
# Forwarding: new connections from guests go through fnx_kvm_fw, new
# connections from the public side towards guests through fnx_kvm_from_pub.
$IPv4_BIN -N "fnx_kvm_fw"
$IPv6_BIN -N "fnx_kvm_fw"
$IPv4_BIN -N "fnx_kvm_fw_pub"
$IPv6_BIN -N "fnx_kvm_fw_pub"
$IPv4_BIN -N "fnx_kvm_from_pub"
$IPv6_BIN -N "fnx_kvm_from_pub"
$IPv4_BIN -A FORWARD -i "$IFACE_KVM" -m state --state NEW -j "fnx_kvm_fw"
$IPv6_BIN -A FORWARD -i "$IFACE_KVM" -m state --state NEW -j "fnx_kvm_fw"
$IPv4_BIN -A FORWARD -i "$IFACE_DEFAULT" -o "$IFACE_KVM" -m state --state NEW -j "fnx_kvm_from_pub"
$IPv6_BIN -A FORWARD -i "$IFACE_DEFAULT" -o "$IFACE_KVM" -m state --state NEW -j "fnx_kvm_from_pub"
# Guest -> guest (only seen here if bridged traffic is handed to iptables,
# e.g. via br_netfilter): accepted unconditionally.
$IPv4_BIN -A "fnx_kvm_fw" -o "$IFACE_KVM" -j ACCEPT
$IPv6_BIN -A "fnx_kvm_fw" -o "$IFACE_KVM" -j ACCEPT
# Guest -> Internet: currently accepted without restriction; fnx_kvm_fw_pub
# is the place to add egress filtering later.
$IPv4_BIN -A "fnx_kvm_fw" -o "$IFACE_DEFAULT" -m state --state NEW -j "fnx_kvm_fw_pub"
$IPv6_BIN -A "fnx_kvm_fw" -o "$IFACE_DEFAULT" -m state --state NEW -j "fnx_kvm_fw_pub"
$IPv4_BIN -A "fnx_kvm_fw_pub" -j ACCEPT
$IPv6_BIN -A "fnx_kvm_fw_pub" -j ACCEPT
$IPv4_BIN -A "fnx_kvm_fw" -j LOG_REJECT
$IPv6_BIN -A "fnx_kvm_fw" -j LOG_REJECT
# Internet -> guest: no new inbound connections at all.
$IPv4_BIN -A "fnx_kvm_from_pub" -j DROP
$IPv6_BIN -A "fnx_kvm_from_pub" -j DROP
# IPv4 guests are NATed to the host's primary address; IPv6 is routed, not
# translated (the /64 is proxied via ndppd).
$IPv4_BIN -t nat -A POSTROUTING -s "$IPv4_KVM" -o "$IFACE_DEFAULT" -j SNAT --to "$IPv4_PRIMARY"
Betrieben werden die Gäste über libvirt/kvm, dort ist einfach br0 als Netzwerkschnittstelle angegeben.
In den Gastsystemen laufen resolvconf, rdnssd und ntp. Gäste und Host werden mit Debian 8/9 betrieben.
MfG Christian
PS: Mit dnsmasq gab es für RA/DHCPv6 ein paar gravierende Probleme, deshalb musste doch radvd herhalten.
PPS: Im Gastsystem ist "auto" für das inet6-Interface ganz praktisch, zusammen mit: pre-up ip -6 token set ::dead:affe dev $IFACE