Subject: ipf, ipv6 & arp questions
To: None <firstname.lastname@example.org>
From: Tomi Nylund <email@example.com>
Date: 10/16/2001 01:44:54
first of all, sorry for a longish mail.
I'm building a proxy-arp'ed subnet for some of our machines
in our university. Our setup looks like this:
[subnet 1 192.168.0.0/16]
-----proxy-arp & firewall-----
[subnet 2 192.168.30.128/28]
There is a bigger network 192.168/16, and a small portion of
it proxy-arped behind my gw at 192.168.30.128/28.
This is in order to be able to test ipv6 & other stuff inside the
"sandbox" without disrupting the rest of the LAN,
in case something goes wrong.
To answer the first two questions straightaway: no, the /16 cannot
be subnetted into smaller parts, and no, there is no possibility
of getting a direct route from Router to my subnet. So I'm stuck
I am running NetBSD 1.5.2/sparc.
Now, I read the archives, did some homework and managed to get the
system up and running. However, two problems are still unresolved:
1) In order to use ipv6, I must enable ipv6 on the kernel. However,
ipfilter does not filter it at all (see PR# 13178. Should
this be finally documented in 1.5.3?).
2) How do I compile a more recent ipfilter into the kernel, with
ipv6 support enabled, either
as a module, or directly into kernel? For example, ipf 3.4.20
distribution's compilation instructions are a bit outdated, at
least for a stupid bofh like me ;) I tried the BSD/kupgrade as
instructed on some mail, actually managed to
compile something but it did not work ( ipfstat -io segfaulted after
inserting some rules). Same thing with make netbsd & bsd-install.
Also, it would be nice if it did not by default overwrite your
good & working /sbin/ipf etc. ;)
Are there any howto's, or would someone throw some instructions
to the mailing list?
3) I publish arp entries for the /28 using arp -f <filename> like this:
inside the file:
ipv6ws1 08:00:20:58:e5:2e pub
I have two arp entries: first is the real one, for the machine
to be proxyed, and the second is for the proxy arp to work correctly
(gw's MAC address). I tried arpd from pkgsrc,
but it just ate all cpu, didn't work as supposed, so I stayed
with the normal "arp" command.
Now, the problems start when a windows machine
on the inside boots up, and sends an arp query for it's own ip
address, and my gateway replies to it. According to docs, this
should not happen, but it happens. There's a bug regarding this
on database, PR# 10482. Based on my experiments, it's still
unresolved, or I've been doing something terribly wrong.
So, my questions again in brief:
1) How to compile a kernel with ipv6-capable ipfilter?
2) How to publish arp info correctly, so that my gateway does
not answer to arp queries from inside the subnet, only to the
Thanks for any answers!