On Jan 6, 2008, at 11:09 AM, Good Good wrote:

quoted text
> Hello,
>
> My ISP (free.fr) now proposes to me a native connectivity in IPV6.
> I wish to implement this functionality on my network, that here:
>
>
>            Switch        Firewall        ISP Box    ISP Network/ 
> Internet
>               __             ___             ___
> |PC1|-------|   |      vr0 |      | vr1       |     |
>               | x|-----------|      |------------|     |----------O
> |PC2|-------|__|           |___|            |___|
>
>
> Here some information :
> - the ISP box is running as a bridge ;
> - the firewall is running Openbsd 4.1 GENERIC#1435 i386 (upgrade to  
> 4.2 not
> yet done) ;
> - workstations are running Win XP ;
> - pf rules are quite simple (just filtering and NAT for IPV4) ;
> - my ISP provided to me an IPV6 address of the type 2a01:5d8:X:X::/64
>
> The problem :
> The /64 provided by my ISP is made to fuel only one ethernet segment  
> and no
> more.

They're not willing to route a /64 to you?


quoted text
> So, it is not possible to route a part of the /64 to another ethernet
> segment (the private segment).
>
> One solution :
> The firewall NAT IPV4 traffic and bridge IPV6 traffic, that here:
>
>            Switch        Firewall        ISP Box    ISP Network/ 
> Internet
>               __             ___             ___
> |PC1|-------|   |      vr0 |     | vr1       |     |
>               | x|-----------|     |------------|     |----------O
> |PC2|-------|__|        |  |___|  |         |___|
>                            |   |       |
>                            |bridge0 |
>                            |  _|_     |
>                            | |    |     |
>                            |_|   |_ _|
>                              |__|
>                       IPV6 bridge only
>
> Some clues :
> I found some clues on the following web site where my need is  
> summarized.
> An English translation ->
> http://64.233.179.104/translate_c?hl=fr&ie=UTF-8&oe=UTF-8&langpair=fr%7Cen&u=http://ww...
> The original French link ->
> http://ip6.fr/free-broute/
>
> Second problem :
> The author of the previously quoted web site is running under Linux.
> Here used commands :
> brctl addbr br0
> ifconfig br0 up
> brctl addif br0 eth0
> brctl addif br0 eth1
> ebtables -t broute -A BROUTING -p ! ipv6 -j DROP
>
> The magic command is "ebtables -t broute -A BROUTING -p ! ipv6 -j  
> DROP".
>
> Questions :
> 1) Did you understand my problems ? :)

Kind of. My understanding is you want to know if you can just accept  
the /64 traffic, and simply pass it through the firewall, while it's  
acting as a NAT for IPv4 traffic. My inclination is "no, that's not  
possible." I suspect it can be done though.

quoted text
> 2) Is it the right solution to bridge only IPV6 traffic (I hope for  
> it) ?

I think you could redirect v6 traffic from the external interface to  
the internal one. My concern is that you bypass the firewall. You may  
want to simply bridge, but I'd filter IPv6 just as much as IPv4.

quoted text
> 3) The most important question, how to do this type of bridging under
> Openbsd (without ebtables) ?

brconfig(8) would configure the bridges, but I believe you'd be pretty  
much screwed on the routing and NAT once you do that.

You could bridge between the external interface, an internal tun/gif,  
and the internal interface, then route all v6 traffic to the tun/gif.  
it'd require some interesting work with route(8), though.

quoted text
> According to the man page, "brconfig" can only perform layer 2  
> filtering.

Just a thought, you could set up a non-bridging "route" label in pf,  
forwarding all IPv6 traffic to a bridged "virtual" interface with the  
internal interface. It's horribly complex, even in just thinking it out.