Force outbound IPv6 traffic from /64 pool address on CentOS 7
I have configured the primary and secondary IPv6 addresses in ifcfg-eth0 based on the examples in this guide, and I want to make it so all outgoing IPv6 traffic comes from the secondary. I'm not sure if using something like a route6-eth0 network script or just changing the primary in ifcfg-eth0 to the pool address is the right way of doing things? With the current config I am able to ping the pool address, but all outgoing traffic is from the SLAAC address.
I have attempted a variety of commands using ip -6 route, but they are either invalid or simply not working. To test I am accessing a site on another Linode via its IPv6 address and tailing the logs, which are showing the SLAAC address.
1 Reply
To ensure stable networking, I don't recommend changing the primary in ifcfg-eth0, but according to this post it sounds like you can do this with a route6-eth0 script, or by designating the secondary as the home address. In my experience, however, leveraging the firewall seems to work best for controlling the outbound source address, especially when I have configured multiple pool addresses.
You can use this one advanced firewalld-iptables direct interface rule to force all outbound IPv6 traffic to come from a single /64 pool address:
sudo firewall-cmd --permanent --direct --add-rule ipv6 nat POSTROUTING 0 -s $SLAAC -o eth0 -j SNAT --to-source $POOLIP
sudo firewall-cmd --reload
If only using iptables, the script in my answer here provides the syntax you need (similar to the above).
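The rule in the reply above depends on $SLAAC and $POOLIP being set correctly. The following is an added example, not part of the original reply: it reads `ip -6 -o addr show` output, picks the SLAAC address, checks that the pool address is actually configured, and prints the rule for review. The function names and sample addresses are assumptions made for illustration, as is the premise that the SLAAC address is the one flagged "dynamic".

```shell
#!/usr/bin/env bash
# Added example: derive $SLAAC from the interface's address list, confirm the
# pool address is configured, then print the direct rule for review.
# Addresses below are constructed (2001:db8::/32 documentation prefix).

# Constructed sample of `ip -6 -o addr show dev eth0` output.
SAMPLE_ADDRS='2: eth0    inet6 2001:db8:1::f03c:91ff:fe12:3456/64 scope global mngtmpaddr dynamic \       valid_lft 2591999sec preferred_lft 604799sec
2: eth0    inet6 2001:db8:2::1/64 scope global \       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::f03c:91ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever'

# SLAAC address: scope global and flagged "dynamic" (kernel-assigned lifetime).
slaac_addr() {
    awk '$3 == "inet6" && / scope global / && / dynamic / {
        sub(/\/.*/, "", $4); print $4; exit }'
}

# Succeeds only if address $1 appears in the listing on stdin.
# Assumption: $1 is written in the same compressed form that `ip` prints.
has_addr() {
    awk -v want="$1" '$3 == "inet6" { sub(/\/.*/, "", $4)
        if ($4 == want) found = 1 } END { exit !found }'
}

# $1 = address listing, $2 = pool address, $3 = interface (default eth0)
build_snat_rule() {
    local addrs=$1 pool=$2 ifc=${3:-eth0} slaac
    slaac=$(printf '%s\n' "$addrs" | slaac_addr)
    [ -n "$slaac" ] || { echo "no SLAAC address found on $ifc" >&2; return 1; }
    printf '%s\n' "$addrs" | has_addr "$pool" ||
        { echo "$pool is not configured on $ifc" >&2; return 1; }
    printf 'firewall-cmd --permanent --direct --add-rule ipv6 nat POSTROUTING 0 -s %s -o %s -j SNAT --to-source %s\n' \
        "$slaac" "$ifc" "$pool"
}

# Live host: build_snat_rule "$(ip -6 -o addr show dev eth0)" "$POOLIP"
build_snat_rule "$SAMPLE_ADDRS" 2001:db8:2::1 eth0
```

The script only prints the command; run the printed line with sudo and follow it with the reload step from the reply.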