[Samba] Specifying an IPv6 wildcard in the interfaces directive?

Jeff Morris jeffm966 at nullmodem.org
Sat Apr 20 23:04:40 UTC 2019


On 4/20/2019 1:08 PM, Nico Kadel-Garcia wrote:
> On Sat, Apr 20, 2019 at 3:32 PM Jeff Morris via samba
> <samba at lists.samba.org> wrote:
>> My network uses reserved IPv4 addresses (192.168.2.0/24) behind a NAT
>> firewall, but public IPv6 addresses behind a filtering firewall.
>>
>> My ISP (Comcast) assigns both IPv4 and IPv6 addresses dynamically.
>>
>> As a result, the IPv4 address of my internal Samba server is statically
>> assigned, but its IPv6 address is dynamically assigned.
> Why can't your internal DHCP server assign reserved IP addresses,
> suitable to a non-routable address space?

Well, of course it *can*, and indeed that's what I'm doing for IPv4. 
However, best practices recommend not using NAT for IPv6. One of the 
main driving factors toward the global migration to IPv6 is so we can 
have a "flat" Internet again, with enough address space to allow all 
devices to be individually addressable, like we did years ago with IPv4 
(yes, I'm old enough to remember) :-), and get away from NAT, 
port-forwarding, and all the other horrible kludges that have been 
implemented over the years to try to compensate for the exhaustion of 
the IPv4 address space.

>> The server has multiple IPv4 addresses assigned to it, all on interface
>> enp3s0. One of these I'd like to use for Samba, but the other is used as
>> a proxy address for another device on my network, so I do NOT want Samba
> to bind to it, as it would conflict with SMB services on the proxied
>> device.
> So.... how are you segregating the IPv4 addresses on the same NIC? Are
> you using tagged VLANs, or is it just not working? Is there any
> reason you can't put the proxy on a different port, rather than on a
> different IP address?

Sorry, I should have been more explicit. Both addresses are on the same 
subnet, and thus are simply assigned to the same physical interface; I'm 
not using VLANs or virtual interfaces (or at least I wasn't when I wrote 
my initial message; I've since figured out a way to do this by using a 
virtual interface for each IP address. I'll explain more below.) Both of 
the addresses work fine and can communicate with other hosts on the 
network. I just need Samba to ignore one of them.

I can't put the proxy on a different port because I am proxying SMB (TCP 
port 445) for a non-rooted Android device. Since the device isn't 
rooted, it can't run an SMB server on port 445 (only on non-privileged 
ports), and since Windows cannot utilize SMB servers on any other port 
than 445, I've ended up having to set up a proxy for it on my Linux 
server. It's an ugly kludge and I don't like it, but sigh, that's what I 
get for living in a world where manufacturers have decided that people 
should not have administrative access to the hardware that they 
themselves own. :-(

So basically, I have two addresses in the same subnet assigned to the 
Ethernet interface on my Linux server (192.168.2.3, 192.168.2.4). I want 
incoming TCP connections to port 445 on the first address to go to the 
samba daemon running on the server, and I want incoming TCP connections 
to port 445 on the second address to be NATed and routed by the Linux 
server to the Android device. I also want incoming TCP connections to 
port 445 for *any* IPv6 address on the server to go to the samba daemon 
running on the server.

> I'm going to strongly suggest you stop playing the IPv6 and IPv4 and
> exposed public IP and NAT and DHCP and static address and an umbrella
> with two olives stick on the handle sticking out of it cocktail
> approach to network configurations. The result is a chimera. Pick your
> local standards:
>
> * IPv4 or IPv6? One or the other, stop using both internally

Well, you're welcome to your opinion. I do disagree however. I'm simply 
running dual-stack, which is a perfectly valid network configuration, no 
olives or umbrellas involved. (Although there have been a fair share of 
cocktails.) :-D The necessity of running NAT for IPv4 and DHCP for IPv6 
isn't my choice, it's the result of the combination of my ISP's choices 
and the global depletion of IPv4 addresses. If you can convince Comcast 
to provide static routing of IPv6, it would make my life a lot easier, 
so good luck with that! ;-) I don't feel that running private IPv6 
addresses and NATting IPv6 is a very good solution since it's a step 
backwards. In a perfect world, everyone would get themselves migrated to 
IPv6, and I could drop all the kludgy IPv4 NATting and so forth and not 
have to support a legacy protocol (IPv4) at all, but realistically I 
don't expect to see that happen in my lifetime. :-( (And indeed I have 
old gear on my network that won't support IPv6 anyway, like my Amiga.) ;-)

> * Always use static IP addresses for all IP addresses on servers, with
> DHCP reservations if appropriate. It's usually possible, even with a
> DHCP server in play, to set the DHCP range to be a subnet of the
> allocated IP range and set static addresses in the rest of the space.

Of course, and I agree completely, and that's exactly what I'm doing 
with IPv4. Again, I don't have any choice with regards to IPv6. That's 
how Comcast assigns them, so if I want to use static IPv6 addresses, I 
would have to NAT it, which I don't want to do, as I explained above. 
(In fairness, I don't think my IPv6 /64 has ever changed, but 
technically it is dynamic, so if it ever does change I don't want to 
have to go around and reconfigure everything on my network.)

> Why are you trying to expose the IPv6 address to the Internet at all?

Because that's considered best practice for IPv6 implementations. (And 
they're not really "exposed", they are behind a firewall and not 
accessible from outside, just not NATted.)

> If you have stable IPv4 and stable port forwarding with the NAT, why
> don't you just use that?

Because it's a legacy protocol. Alternate answer: because I'm a hacker 
and like doing interesting things with technology and learning from the 
experience. Again, this is my *home* network. If this were a business's 
network that I was administering for an employer or a client, I would 
make very different decisions based on their business needs.

I appreciate your feedback, but at the end of the day, I wasn't trying 
to solicit network architecture advice, I was just asking a 
straightforward question: Can Samba be configured to bind to a specific 
IPv4 address, while at the same time binding to all IPv6 addresses? Many 
daemons support this via separate configuration directives for IPv4 vs. 
IPv6 bindings for example. Other than this one problem with needing to 
use this Linux server as both an SMB server and a proxy to another SMB 
server, everything on my network is working fine and well under control. :-)

I've figured out a way to do what I need though: rather than assigning 
both IP addresses to the same interface, I've set up an interface alias 
(not a VLAN, just a simple interface alias, a la "eth0:0" style), and 
put the second IP address on that. This way, I can simply have Samba 
bind to the Ethernet interface, so it gets the one IPv4 address and 
whatever IPv6 address is assigned, while the second IPv4 address gets 
forwarded to the Android device. So my smb.conf now simply contains 
"interfaces lo enp3s0", and everything works as I wanted, since the 
second IP address which I'm using as a proxy is now on enp3s0:0 instead. 
It's working well.

Thanks again for the feedback!
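
A way to confirm the bind layout described in the message, added here as an example and not part of the original post: the script reads `ss -Htln` output and fails if anything on TCP 445 is bound to the IPv4 wildcard or to the proxied address. The function name and the sample lines are constructed, and the check assumes Samba runs with `bind interfaces only = yes` next to the `interfaces` line, since without it smbd listens on the wildcard address.

```shell
#!/bin/sh
# Added example (not from the original message).
# Input on stdin: output of `ss -Htln` (field 4 = local address:port).
# $1 = address that must stay free for the proxy (192.168.2.4 in the post).
check_smb_listeners() {
    proxy_addr=$1
    awk -v proxy="$proxy_addr" '
        $1 == "LISTEN" && $4 ~ /:445$/ {
            addr = $4
            sub(/:445$/, "", addr)            # strip the port
            if (addr == "0.0.0.0" || addr == "*") {
                # a wildcard bind also covers the proxy address
                printf "FAIL wildcard listener %s\n", $4; bad = 1
            } else if (addr == proxy) {
                printf "FAIL listener on proxy address %s\n", $4; bad = 1
            } else {
                printf "ok   %s\n", $4
            }
            seen = 1
        }
        END {
            if (!seen) { print "FAIL no listener on port 445"; exit 2 }
            exit bad + 0
        }'
}

# Constructed sample: expected state after the interface-alias change.
sample_good() {
cat <<'EOF'
LISTEN 0 50 127.0.0.1:445 0.0.0.0:*
LISTEN 0 50 192.168.2.3:445 0.0.0.0:*
LISTEN 0 50 [2001:db8::10]:445 [::]:*
LISTEN 0 50 [::1]:445 [::]:*
EOF
}

# Constructed sample: smbd on the IPv4 wildcard, colliding with the proxy.
sample_bad() {
cat <<'EOF'
LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
LISTEN 0 50 [::]:445 [::]:*
EOF
}

# Demo on the constructed sample; live use:
#   ss -Htln | check_smb_listeners 192.168.2.4
sample_good | check_smb_listeners 192.168.2.4
```
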



