
I want to forward incoming connections to any address within an assigned IPv6 /64 subnet on a VPS.

Obviously I can't add a billion individual addresses to the interface, but perhaps I could use a bogus route with a mangle iptables rule to pretend 1 address is a router for the subnet, then just answer arriving packets instead of forwarding them on? Not sure if that's possible or if there's a cleaner approach.

Luke Mlsna
  • Why do you need it? Why should you have a whole /64 subnet on one machine? Just point only the IPs you are really using. – Ondra Sniper Flidr Jun 02 '16 at 21:37
  • I am going to enable the server to be accessible at every address in the /64 subnet to make it harder for the Chinese firewall to block access to the server. I am aware it is an unusual step, that's why I am asking the question here. I have a VPS with a /64 assigned, might as well use it. – Luke Mlsna Jun 02 '16 at 21:40
  • Do you really think the Chinese firewall will block only one IP and not the whole /64 subnet? – Ondra Sniper Flidr Jun 02 '16 at 21:48
  • No actually, it doesn't block /64s automatically as that would cause huge unintentional collateral damage in many situations. They might do it manually after they figure out what I'm doing, but I'll just get a new /64. In any case, the title of this question is not "try to talk me out of doing a weird networking thing lol." So can you help? – Luke Mlsna Jun 02 '16 at 21:55

1 Answer


From your question it seems that you are connected, I guess over ethernet, to a /64 network from your VPS provider. In that case what you ask is not possible. Your upstream router would have to keep a Neighbor Discovery entry for each separate IPv6 address in memory, which will use much more memory than available (1). You can ask your provider to route a static prefix to your machine, but using that many addresses from your server LAN is impossible.


1: It would need at least 16 bytes for the IPv6 address + 8 bytes for the MAC address per entry, which for 2^64 addresses is about 393216 petabytes.

Sander Steffann
  • I already have a static routed /64. I want to set up 1 actual IPv6 connection within that subnet to the upstream router, but spoof the rest of the subnet so that any connection that is incoming to an address on that /64 is forwarded/masqueraded/mangled to point to the single real connection. I don't need the whole /64 to actually be really connected, I just want the server to be publicly reachable on all of those addresses. – Luke Mlsna Jun 03 '16 at 08:50
  • Dynamically adding connections based on what address they come in on would be fine too. That might work better actually. – Luke Mlsna Jun 03 '16 at 08:52
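For the routed-prefix case the asker describes in the last comments (one real uplink address, the rest of the /64 merely answered for), Linux can do this without any NAT or mangle rules: a `local` route for the whole prefix on the loopback interface makes the kernel treat every address in it as its own. The script below is an added example, not code from the question or the answer; the prefix 2001:db8:1234:5678::/64 is a constructed documentation value standing in for the /64 actually routed to the VPS.

```shell
#!/bin/sh
# Added example (not from the question or answer): make a Linux host accept
# connections on every address of a /64 that the provider already routes to it,
# using the kernel's "local" route type instead of adding 2^64 addresses.
# Assumption: the routed prefix is the documentation prefix below (constructed
# value); replace it with the prefix the provider actually routes to this VPS.
PREFIX="${PREFIX:-2001:db8:1234:5678::/64}"

# Accept only a /64 whose host part is written as '::' (all zero), so that the
# route really covers the whole prefix and nothing outside it.
valid_prefix() {
  case "$1" in
    *::/64) return 0 ;;
    *) return 1 ;;
  esac
}

# The one command that does the work: with a "local" route on lo, the kernel
# answers for every address in the prefix, and no neighbour-discovery entry
# is needed upstream beyond the single real uplink address.
anyip_cmd() { printf 'ip -6 route replace local %s dev lo\n' "$1"; }

# Non-destructive check: does the kernel resolve an address in the prefix to
# a local route? (`ip -6 route get` prints "local ..." when it does.)
check_addr() { ip -6 route get "$1" 2>/dev/null | grep -q '^local '; }

apply() {
  valid_prefix "$PREFIX" || { echo "bad prefix: $PREFIX" >&2; return 1; }
  # The uplink keeps its one normally configured address; the provider routes
  # the /64 to that next hop and this script does not touch it.
  eval "$(anyip_cmd "$PREFIX")" || return 1
  # Daemons must listen on the wildcard address (::); a socket bound to one
  # specific address would still ignore the rest of the prefix.
  check_addr "${PREFIX%%::/64}::1" && echo "kernel answers for $PREFIX"
}

# Only change routes when explicitly asked (and as root); otherwise show the
# command that would run, so the script is safe to read and dry-run.
if [ "${APPLY_ANYIP:-0}" = 1 ]; then apply; else anyip_cmd "$PREFIX"; fi
```

Run it as root with `APPLY_ANYIP=1 PREFIX=<your routed /64> sh anyip.sh` to apply; without `APPLY_ANYIP=1` it only prints the `ip` command.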