[isf-wifidog] Implementing ipv6 support on wifidog

Marc Blanchet marc.blanchet at viagenie.ca
Mon Feb 14 08:03:03 EST 2011


Sorry to be late on this thread.
- NAT is not what a captive portal does. A captive portal intercepts the DNS 
request and then, after authentication, modifies firewall rules to let it go 
through. So IPv6 will be no different.
- however, something really different in IPv6 is the fact that the 
gateway receives a prefix from the DHCPv6 server. The prefix is then 
used for the internal network using router advertisements sent by the 
gateway. And the gateway does not do any NAT, only forwarding. So in the 
design, you must consider that.

Marc.


On 11-02-12 13:27, Richard Lussier wrote:
> Hi,
>
> Would that approach make it easier to port to FreeBSD ?... I am thinking
> about a package for pfSense ?
> Sorry if that does not make sense, I'm a newbie.. :-)
>
> Richard
>
> On 2011-02-12 13:02, Andrew Niemantsverdriet wrote:
>> Hi,
>>
>> 2011/2/12 Jean-Philippe Menil <jean-philippe.menil at univ-nantes.fr>:
>>> On 11/02/2011 20:30, Geneviève Bastien wrote:
>>>> ip6tables uses filtering, based on the ip address, instead of nat,
>>>> and you
>>>> can still build firewall and routing rules with it.
>>>>
>>>> But I'll take a look at tproxy and ipset and see if it would work
>>>> best for
>>>> wifidog.
>>>>
>>>> Geneviève
>>>>
>>>>
>>>>> On 11/02/2011 17:01, Geneviève Bastien wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> We'll soon start working on implementing the ipv6 support on the
>>>>>> wifidog
>>>>>> client. One of the problems will be to port to ip6tables the
>>>>>> actual
>>>>>> iptables that wifidog creates at startup, so that all the redirects
>>>>>> still
>>>>>> work on ipv6.
>>>>>>
>>>>>> Can anyone help with that?
>>>>>>
>>>>>> Thanks,
>>>>>> Geneviève
>>>>> Hi,
>>>>>
>>>>> There's no NAT on IPv6.
>>>>> So it's hard to port it to IPv6.
>>>>> Maybe you can look at the tproxy target, or maybe ipset, but I'm not
>>>>> sure about ipset.
>>>>>
>>>>> Regards.
>>>>>
>>>>
>>> Hi,
>>>
>>> I know what ip6tables does.
>>> But today, the redirection is made with a nat rule.
>>> You can't do the same with ip6tables.
>>>
>>> Regards.
>> I agree that making the IPTables rules as a shell script(s) would be
>> ideal. You can still do a transparent proxy with IPv6 so the operation
>> would be similar to how wifidog works now.
>>
>> The iptables would be similar to what is working now. Except rather
>> than relying on NAT a transparent box would do the work. TinyProxy is a
>> program that I have had good luck with. TinyProxy would work with both
>> IPv6 and IPv4 the exact same way so the overhead of maintaining two
>> separate systems would be greatly reduced. The other thing that
>> TinyProxy supports is whitelisting sites so a "walled garden" would be
>> easy to implement.
>>
>> The bad thing about this approach is you lose the gateway code
>> maturity / stability. However, as Jean Philippe has stated, there is no
>> way for the existing code to just be ported; a new mechanism needs to
>> be used because IPv6 does not use NAT.
>>
>> The part I understand the least is how the gateway communicates with
>> the auth server. So I don't know what would need to be changed with
>> that to enable this new system. However it would be nice to devise a
>> protocol that would allow things like "whitelisted" MAC's to be passed
>> to the gateway and things like per client speed control information.
>>
>> I would be interested to hear an overview of how the gateway talks to
>> the auth server. I think moving to a proxy based system makes a lot of
>> sense so that two separate wifidog gateways do not have to be
>> maintained. I also think that abstracting the iptables rules to shell
>> scripts makes a lot of sense.
>>
>> Thanks,
>> _
>> /-\ ndrew
>> _______________________________________________
>> WiFiDog mailing list
>> WiFiDog at listes.ilesansfil.org
>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>>


-- 
=========
IPv6 book: Migrating to IPv6, Wiley. http://www.ipv6book.ca
Stun/Turn server for VoIP NAT-FW traversal: http://numb.viagenie.ca
DTN Implementation: http://postellation.viagenie.ca
NAT64-DNS64 Opensource: http://ecdysis.viagenie.ca
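
Added example (not part of the thread and not wifidog's code): a shell script that prints ip6tables rules for the design discussed above, where the gateway only filters and forwards, unauthenticated HTTP is handed to a local portal with TPROXY instead of NAT, and a client is released after authentication by adding one rule. The interface name, auth-server address, portal port, chain name and mark bits are assumptions.

```shell
#!/bin/sh
# Added example: prints (never executes) the commands so they can be reviewed.
# Hypothetical names: LAN_IF, AUTH_SERVER, PORTAL_PORT, chain portal6_known,
# mark bits 0x1 (TPROXY routing) and 0x2 (authenticated client).
LAN_IF="${LAN_IF:-br-lan}"
AUTH_SERVER="${AUTH_SERVER:-2001:db8::10}"   # constructed, documentation prefix
PORTAL_PORT="${PORTAL_PORT:-2060}"
CHAIN="portal6_known"

# Only a canonical MAC is accepted, so client-supplied text never lands in a rule.
valid_mac() {
    case "$1" in *[!0-9A-Fa-f:]*) return 1 ;; esac   # also rejects newlines
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Static rules: mark known clients, hand everyone else's HTTP to the local
# portal with TPROXY (no NAT), and forward only marked or auth-server traffic.
# The portal listener must open its socket with IPV6_TRANSPARENT.
base_rules() {
    cat <<EOF
ip6tables -t mangle -N $CHAIN
ip6tables -t mangle -A PREROUTING -i $LAN_IF -j $CHAIN
ip6tables -t mangle -A PREROUTING -i $LAN_IF -p tcp --dport 80 -m mark ! --mark 0x2/0x2 -j TPROXY --on-port $PORTAL_PORT --tproxy-mark 0x1/0x1
ip -6 rule add fwmark 0x1/0x1 lookup 100
ip -6 route add local ::/0 dev lo table 100
ip6tables -A FORWARD -i $LAN_IF -m mark --mark 0x2/0x2 -j ACCEPT
ip6tables -A FORWARD -i $LAN_IF -d $AUTH_SERVER -p tcp --dport 443 -j ACCEPT
ip6tables -A FORWARD -i $LAN_IF -j DROP
EOF
}

# Per-client rule keyed on MAC: one IPv6 host has several addresses
# (link-local, SLAAC, temporary), so a single address rule would not cover it.
client_rule() {   # $1 = A (after login) or D (logout/timeout), $2 = MAC
    case "$1" in A|D) ;; *) return 2 ;; esac
    valid_mac "$2" || { echo "rejected MAC: invalid format" >&2; return 1; }
    mac=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    echo "ip6tables -t mangle -$1 $CHAIN -m mac --mac-source $mac -j MARK --or-mark 0x2"
}

allow_client() { client_rule A "$1"; }
deny_client()  { client_rule D "$1"; }
# Usage: base_rules; allow_client 00:11:22:33:44:55
```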


