neighbor discover proxy
-
pfSense customers have been asking for about 10 years for Neighbor Discovery Proxy to be implemented, and it is clear that Netgate will NEVER EVER implement it.
For something as simple as splitting a /64 subnet we are on our own. That is a fact. We have to step down to FreeBSD.
But I'm just wondering:
Has anyone ever succeeded in implementing the simple Linux command ip -6 neigh add proxy 2001:42d0:ac:2604:b055::1005 dev eth0 in FreeBSD? I have tried the kernel module ndproxy.ko but never got it to work :-(
It must be possible: JUNOS runs on FreeBSD and HAS (of course) neighbor discover proxy. Anyone who knows the secret?? I really want to split a subnet: I'm married to a bad provider.
Please help.
-
@tanya-0 said in neighbor discover proxy:
Please help.
You are not supposed to split a /64. That is the prefix size LANs are supposed to use. The exception would be point to point links, where a /127 could be used.
-
@jknott splitting /64
I know, I know, but as I said: "I am married to a bad provider", so I get a single /64 block BEFORE my router. And it's a breeze with other routers or Linux OSes.
I was just wondering if anyone has succeeded in splitting with FreeBSD.
NB
I have the feeling that Netgate doesn't understand their customers or doesn't understand IPv6:
Look at this picture :-)
-
One problem with what you want to do is it breaks SLAAC. With SLAAC, the router provides the 64 bit prefix and the client, the 64 bit suffix. Also, with privacy addresses, that suffix could be anything within that 64 bits. How are you supposed to route, when the addresses could be anything?
-
@jknott Of course it breaks SLAAC, but I want subnet splitting in a server rack with web servers. I don't need and I don't want SLAAC there. Fixed IPv6 only.
And that always works with NDproxy.
It's 2023, so customers want their websites to have both IPv4 and IPv6 addresses. Our racks start with a ROUTER (not with a switch) and the web servers now have private IPv4 addresses. The provider gives us one /64 block on the WAN side of our pfSense... Grrrrrrr: no splitting with pfSense/FreeBSD, no IPv6 for our web servers.
I guess nobody ever succeeded.
The frustrating part is: I am posting this message entering the internet with a split OVH IPv6 address. Works fine.....
-
You can split with a static config, but then you can't use track interface.
-
@jknott Of course you can do a static setup with /120 WAN and /80 LAN to SPLIT the /64 block. But you will see that the LAN side is unreachable because the multicast Neighbor Discovery doesn't pass from WAN to LAN. With normal routers you configure NDproxy to solve that problem. pfSense is lacking NDproxy. They choose to be the nicest guy in the classroom (indeed: you are not supposed to split a /64 block). But they leave me with a big problem :-(
And a /64 IS a lot of IP addresses (4 billion x 4 billion, I guess). Why not split it?
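
The reachability problem described in the post above, worked through as an added example (not part of the original post, and not pfSense or FreeBSD code). It assumes the provider's router treats the whole /64 as on-link; the /120 and /80 carve-outs and all function names are constructed for illustration.

```python
import ipaddress as ip

# Constructed sample layout (assumption): the provider's on-link /64 contains the
# address quoted in the thread; the /120 WAN and /80 LAN carve-outs are made up.
PROVIDER = ip.ip_network("2001:42d0:ac:2604::/64")
WAN = ip.ip_network("2001:42d0:ac:2604::/120")
LAN = ip.ip_network("2001:42d0:ac:2604:b055::/80")


def solicited_node(addr):
    """Multicast group a Neighbor Solicitation for addr is sent to (RFC 4291):
    ff02::1:ff00:0/104 plus the low 24 bits of the target address."""
    low24 = int(ip.ip_address(addr)) & 0xFFFFFF
    return ip.ip_address(int(ip.ip_address("ff02::1:ff00:0")) | low24)


def upstream_view(addr):
    """How the provider's router, which treats the whole /64 as on-link,
    reaches addr, and whether anyone on the WAN link can answer its NS."""
    a = ip.ip_address(addr)
    if a not in PROVIDER:
        return "routed"        # outside the /64: normal routing, no NS on this link
    if a in WAN:
        return "answered"      # the owner sits on the WAN link and replies itself
    if a in LAN:
        return "needs-proxy"   # owner is behind the router; the NS never reaches it
    return "unanswered"        # inside the /64 but assigned to nobody


def proxy_table(hosts):
    """Per LAN host, the solicited-node group the router must answer on the WAN side."""
    return {h: str(solicited_node(h)) for h in hosts if upstream_view(h) == "needs-proxy"}


if __name__ == "__main__":
    servers = ["2001:42d0:ac:2604:b055::1005", "2001:42d0:ac:2604::1", "2001:db8::1"]
    for s in servers:
        print(f"{s:32} {upstream_view(s):12} NS -> {solicited_node(s)}")
    print(proxy_table(servers))
```

Every address listed by proxy_table is one the router would have to answer for on its WAN interface, which is what the Linux ip -6 neigh add proxy entry quoted earlier in the thread does for a single address.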
-
@tanya-0 I believe those decisions are made either from a performance standpoint (it must be cheaper resource-wise to not have to handle network prefixes greater than half the address), a security standpoint (most pfSense subsystems, which are dependent on the specific implementation of the BSD kernel, would IM ignorant O have to be re-written to change the long-standing in-code "assumptions" about the IPv6 netstack, which would introduce bugs and vulnerabilities that would take a lot of revisions to be ironed out and would reduce customer trust in the product) and a demand standpoint (not many of us, either pros like you or enthusiasts like me, ask for that specific thing, I think).