[Samba] Specifying an IPv6 wildcard in the interfaces directive?
jeffm966 at nullmodem.org
Sat Apr 20 23:04:40 UTC 2019
On 4/20/2019 1:08 PM, Nico Kadel-Garcia wrote:
> On Sat, Apr 20, 2019 at 3:32 PM Jeff Morris via samba
> <samba at lists.samba.org> wrote:
>> My network uses reserved IPv4 addresses (192.168.2.0/24) behind a NAT
>> firewall, but public IPv6 addresses behind a filtering firewall.
>> My ISP (Comcast) assigns both IPv4 and IPv6 addresses dynamically.
>> As a result, the IPv4 address of my internal Samba server is statically
>> assigned, but its IPv6 address is dynamically assigned.
> Why can't your internal DHCP server assign reserved IP addresses,
> suitable to a non-routable address space?
Well, of course it *can*, and indeed that's what I'm doing for IPv4.
However, best practices recommend not using NAT for IPv6. One of the
main driving factors toward the global migration to IPv6 is so we can
have a "flat" Internet again, with enough address space to allow all
devices to be individually addressable, like we did years ago with IPv4
(yes, I'm old enough to remember) :-), and get away from NAT,
port-forwarding, and all the other horrible kludges that have been
implemented over the years to try to compensate for the exhaustion of
the IPv4 address space.
>> The server has multiple IPv4 addresses assigned to it, all on interface
>> enp3s0. One of these I'd like to use for Samba, but the other is used as
>> a proxy address for another device on my network, so I do NOT want Samba
>> to bind to it, as it would conflict with SMB services on the proxied
> So.... how are you segregating the IPv4 addresses on the same NIC? Are
> you using tagged VLANs, or is it just not working? Is there any
> reason you can't put the proxy on a different port, rather than on a
> different IP address?
Sorry, I should have been more explicit. Both addresses are on the same
subnet, and thus are simply assigned to the same physical interface; I'm
not using VLANs or virtual interfaces (or at least I wasn't when I wrote
my initial message; I've since figured out a way to do this by using a
virtual interface for each IP address. I'll explain more below.) Both of
the addresses work fine and can communicate with other hosts on the
network. I just need Samba to ignore one of them.
I can't put the proxy on a different port because I am proxying SMB (TCP
port 445) for a non-rooted Android device. Since the device isn't
rooted, it can't run an SMB server on port 445 (only on non-privileged
ports), and since Windows cannot utilize SMB servers on any other port
than 445, I've ended up having to set up a proxy for it on my Linux
server. It's an ugly kludge and I don't like it, but sigh, that's what I
get for living in a world where manufacturers have decided that people
should not have administrative access to the hardware that they
themselves own. :-(
So basically, I have two addresses in the same subnet assigned to the
Ethernet interface on my Linux server (192.168.2.3, 192.168.2.4.) I want
incoming TCP connections to port 445 on the first address to go to the
samba daemon running on the server, and I want incoming TCP connections
to port 445 on the second address to be NATed and routed by the Linux
server to the Android device. I also want incoming TCP connections to
port 445 for *any* IPv6 address on the server to go to the samba daemon
running on the server.
> I'm going to strongly suggest you stop playing the IPv6 and IPv4 and
> exposed public IP and NAT and DHCP and static address and an umbrella
> with two olives stick on the handle sticking out of it cocktail
> approach to network configurations. The result is a chimera. Pick your
> local standards:
> * IPv4 or IPv6? One or the other, stop using both internally
Well, you're welcome to your opinion. I do disagree however. I'm simply
running dual-stack, which is a perfectly valid network configuration, no
olives or umbrellas involved. (Although there have been a fair share of
cocktails.) :-D The necessity of running NAT for IPv4 and DHCP for IPv6
isn't my choice, it's the result of the combination of my ISP's choices
and the global depletion of IPv4 addresses. If you can convince Comcast
to provide static routing of IPv6, it would make my life a lot easier,
so good luck with that! ;-) I don't feel that running private IPv6
addresses and NATting IPv6 is a very good solution since it's a step
backwards. In a perfect world, everyone would get themselves migrated to
IPv6, and I could drop all the kludgy IPv4 NATting and so forth and not
have to support a legacy protocol (IPv4) at all, but realistically I
don't expect to see that happen in my lifetime. :-( (And indeed I have
old gear on my network that won't support IPv6 anyway, like my Amiga.) ;-)
> * Always use static IP addresses for all IP addresses on servers, with
> DHCP reservations if appropriate. It's usually possible, even with a
> DHCP server in play, to set the DHCP range to be a subnet of the
> allocated IP range and set static addresses in the rest of the space.
Of course, and I agree completely, and that's exactly what I'm doing
with IPv4. Again, I don't have any choice with regards to IPv6. That's
how Comcast assigns them, so if I want to use static IPv6 addresses, I
would have to NAT it, which I don't want to do, as I explained above.
(In fairness, I don't think my IPv6 /64 has ever changed, but
technically it is dynamic, so if it ever does change I don't want to
have to go around and reconfigure everything on my network.)
> Why are you trying to expose the IPv6 address to the Internet at all?
Because that's considered best practice for IPv6 implementations. (And
they're not really "exposed", they are behind a firewall and not
accessible from outside, just not NATted.)
> If you have stable IPv4 and stable port forwarding with the NAT, why
> don't you just use that?
Because it's a legacy protocol. Alternate answer: because I'm a hacker
and like doing interesting things with technology and learning from the
experience. Again, this is my *home* network. If this were a business's
network that I was administering for an employer or a client, I would
make very different decisions based on their business needs.
I appreciate your feedback, but at the end of the day, I wasn't trying
to solicit network architecture advice, I was just asking a
straightforward question: Can Samba be configured to bind to a specific
IPv4 address, while at the same time binding to all IPv6 addresses? Many
daemons support this via separate configuration directives for IPv4 vs.
IPv6 bindings for example. Other than this one problem with needing to
use this Linux server as both an SMB server and a proxy to another SMB
server, everything on my network is working fine and well under control. :-)
I've figured out a way to do what I need though: rather than assigning
both IP addresses to the same interface, I've set up an interface alias
(not a VLAN, just a simple interface alias, a la "eth0:0" style), and
put the second IP address on that. This way, I can simply have Samba
bind to the Ethernet interface, so it gets the one IPv4 address and
whatever IPv6 address is assigned, while the second IPv4 address gets
forwarded to the Android device. So my smb.conf now simply contains
"interfaces lo enp3s0", and everything works as I wanted, since the
second IP address which I'm using as a proxy is now on enp3s0:0 instead.
It's working well.
Thanks again for the feedback!
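
An added check for the layout described in the message above (example code, not part of the original post or of Samba): it audits listener lines in the format printed by `ss -H -ltn` and reports any port 445 listener that is an IPv4 wildcard or sits on the forwarded address 192.168.2.4. The function names, the sample lines and the address 2001:db8::3 are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit TCP listeners on port 445 against the layout in the post.
# Reads lines shaped like `ss -H -ltn` output (State Recv-Q Send-Q Local Peer).
# PROXY_ADDR is the forwarded address that smbd must not listen on.
PROXY_ADDR="${PROXY_ADDR:-192.168.2.4}"

# Prints one finding per offending listener; exit status 1 if any was found.
audit_smb_listeners() {
    awk -v proxy="$PROXY_ADDR" '
    {
        ep = $4
        pos = match(ep, /:[0-9]+$/)      # last colon: IPv6 hosts contain colons
        if (pos == 0 || substr(ep, pos + 1) != "445") next
        addr = substr(ep, 1, pos - 1)
        sub(/%.*$/, "", addr)            # drop a "%interface" scope suffix
        if (addr == "0.0.0.0" || addr == "*") {
            print "WILDCARD " ep; bad = 1    # also covers the proxy address
        } else if (addr == proxy) {
            print "PROXY-ADDR " ep; bad = 1
        }
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample: the intended state (loopback, 192.168.2.3, one IPv6).
sample_intended() {
    printf '%s\n' \
        'LISTEN 0 50 127.0.0.1:445 0.0.0.0:*' \
        'LISTEN 0 50 192.168.2.3:445 0.0.0.0:*' \
        'LISTEN 0 50 [2001:db8::3]:445 [::]:*' \
        'LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
}

# Constructed sample: smbd bound to every IPv4 address.
sample_wildcard() {
    printf '%s\n' 'LISTEN 0 50 0.0.0.0:445 0.0.0.0:*'
}

# Constructed sample: a listener on the proxy address itself.
sample_proxy_bound() {
    printf '%s\n' 'LISTEN 0 50 192.168.2.3:445 0.0.0.0:*' \
                  'LISTEN 0 50 192.168.2.4:445 0.0.0.0:*'
}

# Live use: ss -H -ltn | audit_smb_listeners
```

IPv6 listeners are deliberately not flagged, since the message wants Samba reachable on whatever IPv6 address the interface receives.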