Subject: ipf, ipv6 & arp questions
To: None <tech-net@netbsd.org>
From: Tomi Nylund <wizard@oulu.invalid>
List: tech-net
Date: 10/16/2001 01:44:54
Hello all,

first of all, sorry for a longish mail.


I'm building a proxy-arp'ed subnet for some of our machines
in our university. Our setup looks like this:

	------Router------


	[subnet 1 192.168.0.0/16]


	-----proxy-arp & firewall-----

	[subnet 2 192.168.30.128/28]

--------------------------------

There is a bigger network 192.168/16, and a small portion of
it proxy-arped behind my gw at 192.168.30.128/28.

This is in order to be able to test ipv6 & other stuff inside the 
"sandbox" without disrupting the rest of the LAN,
in case something goes wrong.

To answer the first two questions straightaway: no, the /16 cannot
be subnetted into smaller parts, and no, there is no possibility
of getting a direct route from Router to my subnet. So I'm stuck
with proxy-arp.

I am running NetBSD 1.5.2/sparc.

Now, I read the archives, did some homework and managed to get the
system up and running. However, two problems are still unresolved:

1) In order to use IPv6, I must enable IPv6 in the kernel. However,
   ipfilter does not filter it at all (see PR# 13178. Should
   this finally be documented in 1.5.3?).

2) How do I compile a more recent ipfilter into the kernel, with
   IPv6 support enabled, either as a module or directly into the
   kernel? For example, the ipf 3.4.20 distribution's compilation
   instructions are a bit outdated, at least for a stupid bofh like
   me ;) I tried the BSD/kupgrade as instructed in some mail, and
   actually managed to compile something, but it did not work
   (ipfstat -io segfaulted after inserting some rules). Same thing
   with make netbsd & bsd-install. Also, it would be nice if it did
   not by default overwrite your good & working /sbin/ipf etc. ;)
   Are there any howtos, or would someone throw some instructions
   to the mailing list?

3) I publish ARP entries for the /28 using arp -f <filename>, with
   the following inside the file:

   ipv6ws1 00:00:c0:de:84:56
   ipv6ws1 08:00:20:58:e5:2e pub

   I have two ARP entries: the first is the real one, for the machine
   to be proxied, and the second is for the proxy ARP to work correctly
   (the gw's MAC address). I tried arpd from pkgsrc, but it just ate
   all the CPU and didn't work as it was supposed to, so I stayed with
   the normal "arp" command.
   Now, the problems start when a Windows machine on the inside boots
   up and sends an ARP query for its own IP address, and my gateway
   replies to it. According to the docs, this should not happen, but
   it does. There's a bug about this in the database, PR# 10482.
   Based on my experiments, it's still unresolved, or I've been doing
   something terribly wrong.


So, my questions again in brief:

   1) How to compile a kernel with IPv6-capable ipfilter?

   2) How to publish ARP info correctly, so that my gateway does
      not answer ARP queries from inside the subnet, only from the
      outside?


Thanks for any answers!

Tomi
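The following is an added illustration, not part of the mail above and not NetBSD's kernel code. It parses an arp -f style table of the shape shown in the mail (hostname, ether_addr, optional temp/pub flags) and models the reply decision a proxy-ARP gateway should make: answer only for published addresses, only for requests arriving on the outside interface, and never for a request in which the sender and target IP are the same, which is the boot-time "is my own address in use?" query the Windows host sends. The second host (ipv6ws2), the IP addresses, the HOSTS mapping and the interface names le0/le1 are constructed assumptions; the decision rules are assumptions for illustration, not a description of how the 1.5.2 kernel behaves.

```python
"""Model of the proxy-ARP reply decision discussed in the mail.

Constructed example: parses an arp -f style table
(hostname ether_addr [temp] [pub]) and decides whether a proxy-ARP
gateway should answer a given ARP request. The rules below are
assumptions for illustration, not NetBSD's kernel logic.
"""
from dataclasses import dataclass

# Constructed arp -f style table, same shape as the one in the mail.
# Each proxied host has a real entry (its own MAC) and a "pub" entry
# carrying the gateway's MAC.
ARP_TABLE_TEXT = """\
# hostname      ether_addr          flags
ipv6ws1 00:00:c0:de:84:56
ipv6ws1 08:00:20:58:e5:2e pub
ipv6ws2 00:00:c0:de:84:57
ipv6ws2 08:00:20:58:e5:2e pub
"""

# Constructed hostname -> IP mapping standing in for /etc/hosts or DNS.
HOSTS = {"ipv6ws1": "192.168.30.130", "ipv6ws2": "192.168.30.131"}


@dataclass(frozen=True)
class ArpEntry:
    host: str
    ip: str
    mac: str
    temp: bool
    pub: bool


def parse_arp_file(text, hosts):
    """Parse arp -f lines; '#' starts a comment, blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: need hostname and ether_addr")
        host, mac, *flags = fields
        unknown = set(flags) - {"temp", "pub"}
        if unknown:
            raise ValueError(f"line {lineno}: unknown flag(s) {sorted(unknown)}")
        if host not in hosts:
            raise ValueError(f"line {lineno}: unknown host {host!r}")
        entries.append(ArpEntry(host, hosts[host], mac.lower(),
                                "temp" in flags, "pub" in flags))
    return entries


def published(entries):
    """IP -> MAC for the addresses the gateway answers on behalf of others."""
    return {e.ip: e.mac for e in entries if e.pub}


def should_reply(entries, iface, outside_iface, sender_ip, target_ip):
    """Return the MAC to answer with, or None if the request must be ignored.

    Assumed rules:
      1. Only published addresses get a proxy reply.
      2. Only requests arriving on the outside interface are answered;
         hosts on the inside segment reach each other directly.
      3. A request whose sender IP equals its target IP is the host
         probing for its own address (the Windows boot-time case in the
         mail); answering it would make the host believe its address is
         already in use, so it is never answered.
    """
    pub = published(entries)
    if target_ip not in pub:
        return None
    if iface != outside_iface:
        return None
    if sender_ip == target_ip:
        return None
    return pub[target_ip]


if __name__ == "__main__":
    table = parse_arp_file(ARP_TABLE_TEXT, HOSTS)
    # Request from the big LAN (le0 assumed outside): answered with gw MAC.
    print(should_reply(table, "le0", "le0", "192.168.1.1", "192.168.30.130"))
    # Same target, but the host's own boot-time probe on the inside: ignored.
    print(should_reply(table, "le1", "le0", "192.168.30.130", "192.168.30.130"))
```

Running the module prints the gateway MAC for the outside request and None for the inside self-probe. The useful check is the third rule: an ARP request with sender IP equal to target IP is the host asking about itself, and a proxy that answers it is exactly the symptom described in the mail.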