On Tue, 2 Aug 2022, Lee wrote:
> On 8/2/22, Tim Woodall wrote:
>> On Tue, 2 Aug 2022, Lee wrote:
>>> On 8/2/22, Tim Woodall wrote:
>>>> On Mon, 1 Aug 2022, Lee wrote:
>>>>> Verizon FIOS finally rolled out IPv6 in my area. yay!
>>>>>
>>>>> I'd like for my Debian server to have a static IPv6 address.. same
>>>>> as I have for IPv4. But how to do that?
>>>>>
>>>>> I have a Netgate firewall that does a dhcp6 request for a /56 from
>>>>> Verizon, then the firewall delegates a /64 to each internal subnet.
>>>>> I haven't been able to figure out how to assign a static address
>>>>> when the network part might [will] change.. so I've got everything
>>>>> using managed addresses (i.e. dhcp6). So effectively the server has
>>>>> a static address, but still.. I'd rather not depend on DHCPv6.
>>>>>
>>>>> Thoughts on how2?
>>>>
>>>> Not sure I exactly understand what you want but you can specify the
>>>> local part of an SLAAC ipv6 address thus:
>>>>
>>>> iface eth0 inet6 auto
>>>>     pre-up echo 64 > /proc/sys/net/ipv6/conf/eth0/accept_ra_rt_info_max_plen
>>>>     pre-up ip token set ::0123:4567:a9ab:cdef/64 dev eth0
>>>
>>> Yes!! That looks like what I want.
>>> Where does it go if I want it always done at boot time?
>>
>> I've got it in /etc/network/interfaces.d/eth0 but wherever you've put
>> the network configuration, /etc/network/interfaces perhaps?
>
> *sigh* Back when I first set up this machine I couldn't figure out how
> to get the /etc/network/xxx config to work. I ended up using the
> Advanced Network Configuration GUI that set up /etc/NetworkManager
> files.

Running ip token set almost any time during the boot process should work.
Ideally you'd want to run it before network manager. Perhaps that has a way
to run pre-up scripts but otherwise almost any other way to run a script
early during boot would work.

If you run it after the interface is up then I think it will still work but
might require you to wait for the next unsolicited RA which may or may not
occur quickly.

One thing to think of is whether you'll have a networking headache after a
power outage or internet outage. Presumably your firewall won't start
serving RAs until after the internet is connected and it can get the /56
from your ISP. Not sure what a good solution is to that.

One option, as someone else suggested, is to use a locally routable /56 and
then NAT at the firewall to the assigned globally routable /56. That way
local connectivity will be independent of getting a /56 from upstream. If
you NAT an entire local /56 then it will be one rule each way IIRC.

Your local machines might also take a while to stop using old addresses that
you no longer "own". Again NAT will move all of the complicated logic to
handle a changing /56 to the firewall.

Best of all though would be to convince your ISP to give out static /56s...

Tim.
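
Added illustration, not code from this thread: a Python sketch of how the fixed token from the `ip token set` line combines with whichever /64 the firewall carves out of the delegated /56, so only the prefix half of the address changes on renumbering. The 2001:db8:: prefixes and the subnet id are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

TOKEN = "::0123:4567:a9ab:cdef/64"  # token value quoted in the thread


def parse_token(token: str) -> int:
    """Return the 64-bit interface identifier from an `ip token`-style value."""
    value = int(ipaddress.IPv6Address(token.split("/")[0]))
    # This example's own sanity check: a token should carry no prefix bits.
    if value >> 64:
        raise ValueError("token must have the upper 64 bits clear")
    return value


def slaac_address(delegated: str, subnet_id: int, token: str) -> ipaddress.IPv6Address:
    """Combine the /64 taken from a delegated prefix with a fixed token."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError("delegated prefix must be /64 or shorter")
    subnet_bits = 64 - net.prefixlen  # 8 bits of subnet id for a /56
    if not 0 <= subnet_id < (1 << subnet_bits):
        raise ValueError("subnet id does not fit in the delegation")
    prefix64 = int(net.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Address(prefix64 | parse_token(token))


def interface_id(addr: ipaddress.IPv6Address) -> int:
    """Low 64 bits of an address: the part the token keeps stable."""
    return int(addr) & ((1 << 64) - 1)


if __name__ == "__main__":
    # Constructed sample delegations (documentation prefix), before and
    # after the upstream /56 changes.
    for delegated in ("2001:db8:1200::/56", "2001:db8:3400::/56"):
        addr = slaac_address(delegated, subnet_id=1, token=TOKEN)
        print(f"{delegated:>22} -> {addr}  iid={interface_id(addr):016x}")
```

Because the low 64 bits are identical under every delegation, firewall rules or monitoring that need to follow the host across renumbering can key on the interface identifier rather than the full address.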