Virtual IP (VIP) on 6PLANE and RFC4193 networks

I’d like to define a virtual IP that can float around on a 6PLANE or RFC4193 network.

  1. Doesn’t work: “redirect TARGET_NODE_ID ipdest VIRTUAL_IP” won’t work because NDP emulation inserts the wrong MAC address that will be ignored at the target node (but the target node will at least get the packets!). I’d propose to hang the VIPs off of a bogus node ID (like ffffffffff) and would therefore suppress NDP emulation in that case; or extend the rules engine to return custom NDP results to point directly at TARGET_NODE_ID.

  2. Does work: I can hack this by inserting a route for VIRTUAL_IP/128 via TARGET_NODE_IP. I don’t like having to manage the routing tables on the clients to achieve this though. And it also has the disadvantage that I can’t use ZeroTier’s rules engine to customize the redirection (e.g., to create a regionalized VIP, so the VIP can redirect to different target nodes depending on a region tag or other criteria).

One major use case is so that I can use well-known DNS virtual IP addresses on my 6PLANE/RFC4193 network to redirect to actual DNS servers, and better yet, to have rules-based customization for how that redirection works. Critically, the virtual IP must never need to change even if the node hosting the DNS server changes (e.g. gets replaced by a new node with a different node ID).

I hope that makes sense 🙂

If you add managed routes for other IPs/nets, I think you should also be able to use rules that target these IPs and have them redirected accordingly.

Hey zt-janjaap, I think if I go with what you are proposing, I would have to create a 3rd IP range just for VIP that is neither 6PLANE nor RFC4193. Do you see any way I could do this with 6PLANE / RFC4193, so that there would be fewer IPs and routes to configure? (And even better, retain ipauth and NDP emulation.)

Hey zt-janjaap, I do see your point that I can regain the flexibility of using rules. So that’s definitely a plus! (If only I didn’t have to create an extra IP space for it though 🙂)

What I am racking my brain on now is: can I get the nodes on a 6PLANE subnet (the nodes not directly managed by ZeroTier) to “just work” with the VIPs. It just might work since the node running ZeroTier is the one that would worry about the extra route. Or it might not. I’m not 100% sure yet this would work. I need to try it.

@zt-janjaap I might propose a new wording of this request (or a new request): “Enhance NDP emulation to evaluate rules in order to honor redirects.” The idea here is that NDP emulation would return the redirected link-local address if a redirect action was matched. This would be an elegant way to solve my Virtual IP use case without the disadvantages of other proposals. Thoughts? Thanks!

Solved! The solution is to create an interface with the MAC address expected to be associated with the VIP target, and bridge this interface with the ZeroTier interface. So simple it’s kind of embarrassing in retrospect.
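
The MAC address that the final post says the bridged interface must carry can be derived from the node ID embedded in the VIP. The following is an added example, not part of the original thread: it assumes the 6PLANE, RFC4193 and MAC derivations used in ZeroTier's open-source node code, and the network ID and node IDs are constructed sample values.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
SAMPLE_NWID = 0x1122334455667788
SAMPLE_NODE = 0xA1B2C3D4E5


def node_id_from_vip(vip: str, nwid: int) -> int:
    """Return the 40-bit node ID embedded in a 6PLANE or RFC4193 address."""
    b = ipaddress.IPv6Address(vip).packed
    folded = ((nwid >> 32) ^ nwid) & 0xFFFFFFFF  # upper 32 bits XOR lower 32 bits
    # 6PLANE layout: fc | folded network ID (4 bytes) | node ID (5 bytes) | host part
    if b[0] == 0xFC and b[1:5] == folded.to_bytes(4, "big"):
        return int.from_bytes(b[5:10], "big")
    # RFC4193 layout: fd | network ID (8 bytes) | 99 93 | node ID (5 bytes)
    if b[0] == 0xFD and b[1:9] == nwid.to_bytes(8, "big") and b[9:11] == b"\x99\x93":
        return int.from_bytes(b[11:16], "big")
    raise ValueError(f"{vip} is not a 6PLANE or RFC4193 address of network {nwid:016x}")


def zt_mac(node_id: int, nwid: int) -> str:
    """MAC a ZeroTier network associates with node_id (what NDP emulation answers with)."""
    first = (nwid & 0xFE) | 0x02          # locally administered, unicast
    if first == 0x52:                     # 0x52 is avoided (common hypervisor prefix)
        first = 0x32
    m = (first << 40) | (node_id & 0xFFFFFFFFFF)
    # XOR network ID bytes 1..5 into MAC octets 2..6
    for i, shift in enumerate((8, 16, 24, 32, 40)):
        m ^= ((nwid >> shift) & 0xFF) << (32 - 8 * i)
    return ":".join(f"{octet:02x}" for octet in m.to_bytes(6, "big"))


def expected_mac_for_vip(vip: str, nwid: int) -> str:
    """MAC that peers will use as the Ethernet destination for packets sent to vip."""
    return zt_mac(node_id_from_vip(vip, nwid), nwid)


if __name__ == "__main__":
    for vip in ("fc44:4444:cca1:b2c3:d4e5::1",
                "fd11:2233:4455:6677:8899:93a1:b2c3:d4e5",
                "fd11:2233:4455:6677:8899:93ff:ffff:ffff"):  # VIP on bogus node ffffffffff
        print(vip, "->", expected_mac_for_vip(vip, SAMPLE_NWID))
```

To check the derivation against a real network, compare `zt_mac` for a node's own ID with the MAC that `zerotier-cli listnetworks` reports on that node.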