[eduVPN-deploy] NDP problems using public IPv6
François Kooman
fkooman at deic.dk
Thu Sep 15 12:23:04 CEST 2022
On 15.09.22 10:00, Pascal Panneels wrote:
> Hi François,
Hi Pascal,
> Well, I've once again passed a few hours scratching my head on it, and
> definitively, it cannot work as is even using source routing.
I still don't understand why not?
> My situation as compared to the one described in your document is a bit
> different: there is no NAT implied anymore in the setup.
> I've suppressed NAT because our customer had a lot of problems to have
> VoIP working (it is a well known fact that VoIP doesn't work well on
> NAT, and a workaround such as STUN was not possible for him). I was
> using NAT before and it worked perfectly well indeed till the VoIP
> problems popped up.
NAT is actually not relevant here, it functions as a bit of a distraction
in understanding what needs to be done / how things work.
> It is impossible in my setup that the VPN clients will be able to answer
> any IPv6 solicitation coming from the customer networks, without ndp
> proxy on the server itself.
Why? How does your setup differ from the one discussed in
SOURCE_ROUTING.md, obviously except for the NAT part?
We could add your scenario to the documentation, or at least _also_ show
a non-NAT deployment...
> It works now perfectly well.
It would be easy for me to say: great, but I don't think this is great.
It adds a lot of complexity and potential security problems. It would be
better to dig to the bottom of this issue and properly solve it using
routing.
Could you please provide a (graphical) overview of your network setup,
similar to how it is done in SOURCE_ROUTING.md so we can compare and see
what is the actual difference and how to properly solve it?
Regards,
François