IPv6 Bridge Not forwarding?

Linux Kernel, Network, and Services configuration.
charlie101
Posts: 11
Joined: 2014-11-18 03:59

IPv6 Bridge Not forwarding?

#1 Post by charlie101 »

Linux Bridge over IPv6 - NFTables??

I've been bashing my head against a wall for several days trying to set up what I thought would be a simple bridge configuration. For learning purposes I want to set up a DNS and mail server on an IPv6 network, then possibly add dual-stack capabilities. My plan was to use an old server running a bare-bones Buster install to host two LXC containers: one container for DNS (PowerDNS) and the other for mail (Postfix). Both containers would have their own globally routable IPv6 address.

I assumed that the easiest way to make these containers visible on the web was to set up a (standard) bridge and add their interfaces to it. I set a static IPv6 address for the NIC without any problems. Then I uninstalled iptables and installed nftables along with bridge utilities etc. I created a bridge with brctl and added my interface to it. Unfortunately I couldn't ping anything, neither the outside world nor my router's interface.

Much of the web docs and howtos I had initially read described the Linux bridge simplistically as a layer 2 copy device, simply copying frames from one Ethernet segment to another with no real layer 3 or IP involvement. After much additional reading and experimenting with different settings I found lots of ND and RA exchanges taking place. These exchanges were only visible in tcpdump log files and involved chatter between additional 'local' IPv6 addresses, popping up even though I had used static addressing.

These addresses included link-local as well as device/interface-local addresses: ff02::1, ff02::2, ff01::2, fe80 … … It appeared to me as if they were involved in trying to negotiate a path between the bridge and the router, behind the scenes, as it were. Not really understanding what was taking place, but having a rough grasp of its significance, I enabled SLAAC on the relevant router interface and the bridge sprang into life.

This is not what I expected from a 'simple' frame copy device on a host with statically configured (IPv6) addresses, nor what I remember from long-ago IPv4 bridge configurations. I'm guessing this 'chatter' involving ND and RA is in fact the IPv6 replacement for the ARP protocol, and that it now involves IPv6 effectively dipping down into the layer 2 domain??

Now that I've enabled SLAAC on the router the bridge is 'working', but unfortunately it's NATing everything rather than simply forwarding the packets. The bridge has its own IP address and will do nothing without an IPv6 address. If I don't give it one it now acquires one via SLAAC.

What I want is for the bridge to 'forward' the packets rather than NAT them. I'd prefer not to have a bridge IP address, for security, but I can live with that if I have to. But perhaps that last remark is just my old IPv4 mindset. Maybe I should be saying: I don't want it to have a routable IPv6 address on the bridge, and simply accept some form of local link as part of an IP/link layer connection??

As you can tell I am no network expert and have had to read two IPv6 manuals to get this far. I've also read a bunch of IPv6 and bridging docs, including howtos. The problem is that all the examples use exclusively or predominantly IPv4, optionally combined with iptables, which has proven of no use in my case.

Since enabling SLAAC it's possible that the IPv6 issue is now only a distraction and, to achieve what I want, I need to change something unrelated to the IPv6 ND/RA chatter. As mentioned, I also removed iptables and installed nftables, so possibly there is an issue there? I've opened everything up with nft, but maybe there is a default for NAT hidden somewhere that I've missed.

Any advice or pointers to relevant docs would be much appreciated.


Update:
I've got this 'working' now, so there is no need to spend time replying unless you want to.
When I've figured out more regarding what exactly makes the difference and have some spare time I'll post some details, in case anyone finds them useful.
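The post above suspects "a default for NAT hidden somewhere". A Linux bridge itself never rewrites addresses; translation only happens in a netfilter chain of type nat, so the quickest check is to dump the ruleset and look for one. The script below is an added example, not code from the thread or from charlie101; it assumes the bridge is called br0, and the ruleset and sysctl dumps embedded at the bottom are constructed samples, not output from the poster's machine. The second function reads the sysctls that change how a bridged IPv6 host treats router advertisements and bridged frames, which is where a bridge that only comes alive once SLAAC is involved usually needs a look.

```shell
#!/bin/sh
# Added example for this thread, not code posted by charlie101. Two audits for a
# Debian host that is supposed to bridge container traffic at layer 2 without
# translating it. Both read text on stdin so they can run against a live box
# (`nft list ruleset | ruleset_is_nat_free`, `sysctl -a | bridge_sysctl_report br0`)
# or against a saved dump. The bridge name br0 and the sample dumps at the
# bottom are assumptions constructed for illustration.

# Print every line of an `nft list ruleset` dump that performs or enables
# address translation: a chain hooked as `type nat`, or a masquerade, snat,
# dnat or redirect verdict. Exit status 0 means at least one such line exists.
find_nat_rules() {
    grep -E 'type nat hook|[[:space:]](masquerade|snat|dnat|redirect)([[:space:]]|$)'
}

# Exit 0 when the ruleset on stdin contains no translation at all. A bridge
# never rewrites addresses by itself; if packets leave translated, a nat-type
# chain is doing it, and this is the first place to look.
ruleset_is_nat_free() {
    ! find_nat_rules >/dev/null
}

# Extract one sysctl's value from `sysctl -a` style "key = value" text on
# stdin. Prints nothing if the key is absent.
sysctl_value() {
    key=$(printf '%s\n' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n "s/^${key}[[:space:]]*=[[:space:]]*//p"
}

# Report the sysctls that decide whether a bridged IPv6 host behaves as
# expected. Reads sysctl text on stdin, takes the bridge name as $1, prints
# one line per finding plus a summary, and returns the number of findings.
#   net.ipv6.conf.<br>.accept_ra: 1 honours RAs only while forwarding is off,
#       2 honours them even with net.ipv6.conf.all.forwarding=1. With
#       forwarding on and accept_ra=1 the bridge silently stops doing SLAAC.
#   net.bridge.bridge-nf-call-ip6tables: 1 (the default once br_netfilter is
#       loaded) also passes bridged frames through the ip6 family forward
#       hook, so an ip6 forward chain with policy drop eats bridged traffic.
bridge_sysctl_report() {
    br=${1:-br0}
    text=$(cat)
    findings=0
    fwd=$(printf '%s\n' "$text" | sysctl_value net.ipv6.conf.all.forwarding)
    ra=$(printf '%s\n' "$text" | sysctl_value "net.ipv6.conf.${br}.accept_ra")
    nf=$(printf '%s\n' "$text" | sysctl_value net.bridge.bridge-nf-call-ip6tables)
    if [ "$fwd" = 1 ] && [ "$ra" != 2 ]; then
        echo "WARN: forwarding=1 but ${br}.accept_ra=${ra:-unset}: RAs on ${br} are ignored, SLAAC will not work"
        findings=$((findings + 1))
    fi
    if [ "$nf" = 1 ]; then
        echo "NOTE: bridge-nf-call-ip6tables=1: bridged IPv6 frames also traverse the ip6 forward hook"
        findings=$((findings + 1))
    fi
    echo "summary: forwarding=${fwd:-unset} ${br}.accept_ra=${ra:-unset} bridge-nf-call-ip6tables=${nf:-unset}"
    return "$findings"
}

# Constructed samples (not real dumps): a ruleset that translates, one that
# only filters, and a sysctl dump with forwarding on but accept_ra=1.
SAMPLE_NAT_RULESET='table ip6 nat {
	chain postrouting {
		type nat hook postrouting priority 100; policy accept;
		oifname "br0" masquerade
	}
}'
SAMPLE_CLEAN_RULESET='table bridge filter {
	chain forward {
		type filter hook forward priority 0; policy accept;
	}
}
table ip6 filter {
	chain forward {
		type filter hook forward priority 0; policy accept;
	}
}'
SAMPLE_SYSCTL='net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.br0.accept_ra = 1
net.bridge.bridge-nf-call-ip6tables = 1'

# Demo against the samples; on a real host feed it `nft list ruleset`
# and `sysctl -a` instead.
printf '%s\n' "$SAMPLE_NAT_RULESET" | find_nat_rules
printf '%s\n' "$SAMPLE_SYSCTL" | bridge_sysctl_report br0 || :
```

If `find_nat_rules` prints nothing on the real ruleset, the translation is not coming from nftables on that host and the next thing to compare is the container side and the router. The bridge device needs no global address at all to switch frames; it only needs one if the host itself must be reachable over IPv6 through that bridge.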

nulix
Posts: 9
Joined: 2019-07-18 10:38

Re: IPv6 Bridge Not forwarding?

#2 Post by nulix »

charlie101 wrote: Linux Bridge over IPv6 - NFTables??
Update:
I've got this 'working' now, so there is no need to spend time replying unless you want to.
When I've figured out more regarding what exactly makes the difference and have some spare time I'll post some details, in case anyone finds them useful.
That would be nice. :)
