<html><head></head><body><div>Hi François,</div><div><br></div><div>Well, I've once again passed a few hours scratching my head on it, and defitively, it cannot work as is even using source routing.</div><div><br></div><div>My situation as compared to the one described in your document is a bit different : there is no NAT implied anymore in the setup. </div><div>I've suppressed NAT because our customer had a lot of problem to have VoIP working (it is a well known fact that VoIP doesn't work well on NAT, and a workaround such as STUN was not possible for him). I was using NAT before and it worked perfectly well indeed till the VoIP problems pop up.</div><div><br></div><div>It is impossible in my setup that the VPN clients will be able to answer any IPv6 sollicitation coming from the customer networks, without ndp proxy on the server itself. </div><div><br></div><div>But I've finally found a solution using a couple of bash scripts :</div><div><br></div><div>- one launched by the hook "connectScriptPath" that will pass the IPv6 address to next one;</div><div>- one launched as a daemon with root privileges to be able to add/del IPv6 address as neigh proxy for the eth1 connection.</div><div>I'm using a netcat 'service' to glue both.</div><div><br></div><div>It works now perfectly well.</div><div><br></div><div>I've attached both scripts to the mail for people that could be interested reusing it.</div><div><br></div><div>With kind regards,</div><div><br></div><div>Pascal</div><div><br></div><div>Le Tuesday 13 September 2022 à 12:34 +0000, François Kooman a écrit :</div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div>On 13.09.22 12:23, Pascal Panneels wrote:<br></div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div>Hi François,<br></div></blockquote><div><br></div><div>Hi Pascal,<br></div><div><br></div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div>hmm, I'm still not convinced how it could help me.<br></div></blockquote><div><br></div><div>Where do the VPN client traffic come from go to? I assume all through eth1.<br></div><div><br></div><div>So you need two default gateways, one for eth0 (the VPN server itself) <br></div><div>and one for eth1 for all VPN client traffic. This is only possible if <br></div><div>you use source/policy routing.<br></div><div><br></div><div>See the SOURCE_ROUTING.md file for how to do this manually to try it out <br></div><div>and see if that works.<br></div><div><br></div><div>I think ARP/NDP proxy should not be used at all, seems very much <br></div><div>unnecessary as this is a quite simple scenario, solvable with just routing.<br></div><div><br></div><div>Regards,<br></div><div>François<br></div></blockquote><div><br></div><div><span><pre>-- <br></pre><div><b><font face="Arial, Helvetica, sans-serif" size="4" color="#0092d2">Pascal Panneels</font></b></div><div><font face="Arial, Helvetica, sans-serif" size="4"><b>System Architect</b></font></div><div><font face="Arial, Helvetica, sans-serif" size="4"><b>Belnet - Services</b></font></div><div><font color="#8b8e8d" face="Arial, Helvetica, sans-serif">WTC III</font></div><div><font color="#8b8e8d" face="Arial, Helvetica, sans-serif">Simon Bolivarlaan 30 Boulevard Simon Bolivar</font></div><div><font color="#8b8e8d" face="Arial, Helvetica, sans-serif">Brussel 1000 Bruxelles</font></div><div><font color="#8b8e8d" face="Arial, Helvetica, sans-serif">België - Belgique</font></div><div><font color="#8b8e8d" face="Arial, Helvetica, sans-serif">T: +32 2 790 33 33</font></div><div><a href="http://www.belnet.be"><b><font color="#0092d2" face="Arial, Helvetica, sans-serif">https://www.belnet.be</font></b></a></div><div><br></div></span></div></body></html>