NDP proxy where are you

jimp

There is no NDP proxy. There is no need for one.

The LAN subnet and WAN subnet must be different. You can't use NPt or similar to NAT a "private" IPv6 LAN to the WAN IPv6 subnet. There must be separate subnets for WAN and LAN and the LAN subnet must be routed to your firewall's IP address in the WAN subnet.

pra

hummm
fxxxxxg ISP ….
give me a /56 without  subnet ...., so i think i can't use pfsense for IPv6

i go to see with ISP
thank you

doktornotor

@pra:

give me a /56 without  subnet …., so i think i can't use pfsense for IPv6
i go to see with ISP

Errrrrrrr… Sounds more like you need to do some IPv6 for dummies reading... You have 256 /64s in your /56.

pra

yes but the box don t see it
i use a /64 in my lan
see up i can ping my wan IPv6 pfsense from my lan , but i can t ping IPv6 box ….

(IPv6 pfsense wan is in the /64)

hda

Show your numbers if you like help. Report your WAN address subnet-value and your LAN subnet value… [(f you must), hide the first /48 and show the last /80 part… ]

jimp

Try using ::2 in the first /64 for your WAN IP address and then use the second /64 for your LAN. Usually when ISPs give you just one large block they assume the first /64 inside it is the WAN.

johnpoz

You know if you don't like the way your isp is doing ipv6, you can just get a free tunnel from HE.. You cant get a /48 from them if you want.. I have both a /64 and /48 I use the /64 on my lan and then I use a few of the /64's out of the /48 for my other segments and openvpn clients, etc.

Rock solid works deployment.. They even allow you to setup PTR on your ipv6 addresses if you want, etc.  Or even delegate the ipv6 networks to your own nameservers, etc.  Does your isp let you do that ;)

And you don't have to worry about your isp giving you a different prefix next week.. When you hit a different dhcp server, etc.

https://www.tunnelbroker.net

pra

Thank you all

ISP : SFR
they give me : 2a02:8428:ef:7500::/56
the box can't be configured in bridge mode : ip is : 2a02:8428:ef:7500::1/56
i use 2axy:8428:ef:7501::/64 for my LAN (ex : 2a02:8428:ef:7501::100, gateway : 2a02:8428:ef:7501::10)
ping from 2axy:8428:ef:7501::100 to :
2a02:8428:ef:7501::10 -> ok
2a02:8428:ef:7500::2 -> ok
2a02:8428:ef:7500::1 -> ko
on tcpdump on em3 (2a02:8428:ef:7500::2) i can see the echo request , but i don't see the echo reply …. :

tcpdump -lni em3 host 2a02:8428:ef:7501:216:3eff:fe8c:edd0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em3, link-type EN10MB (Ethernet), capture size 65535 bytes
capability mode sandbox enabled
08:07:10.341717 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 65, length 64
08:07:11.349705 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 66, length 64
08:07:12.357754 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 67, length 64
08:07:13.365748 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 68, length 64
08:07:14.373745 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 69, length 64
08:07:15.381684 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 70, length 64
08:07:16.389735 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 71, length 64
08:07:17.397731 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 72, length 64
08:07:18.405693 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 73, length 64
08:07:19.413624 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 74, length 64
^C
10 packets captured
6077 packets received by filter
0 packets dropped by kernel

my config : for pfsense :

--------------LAN------------
                  |
                  |
                  |
                  |
              2a02:8428:ef:7501::10/64  IPv6 LAN pfsense
                  |
                  P
                  F
                  S
                  E
                  N
                  S
                  E
                  |
                2a02:8428:ef:7500::2/56 IPv6 WAN pfsense
                  |
                  |
                  |
                  |
                BOX
                2a02:8428:ef:7500::1/56
                  |
                  |
                  |
                  |
-------------WAN-----------------

thank you for your help
pra

pra

i can t change PTR
i can t do bridge the box
i can use a DMZ , they impose (i try this) :
2a02:8428:ef:7501::/64
gateway :
2a02:8428:ef:7500::2/56

for my rules you can see the attachments

hda

You have two router in series, cascading networks. ?

If you want public IPv6 on your pfSense-LAN, then your pfSense-WAN have to request your ISP-box with DHCP6-Client for a prefix&subnet first ?, provided your ISP-box can function as a DHCP6-Server…

IPv6, no pfSense issue forya. Your ISP-box has the /56. Your pfSense is a slave with other LAN subnet-value and local prefix between /57 and /63.

Your pfSense-WAN on mask /56 doesn't look correct. (but /64 or /128).

jimp

Sounds like your settings are OK. If your LAN IP address can ping the upstream gateway then your local setup is fine, and probably even the routing at your next hop is OK, but it sounds like maybe the routing/rules upstream from you is broken.

A traceroute6 to your WAN and LAN IP addresses both stop at your gateway. I'd normally expect it to work if all that is fine, unless the ISP is filtering the traffic.

If you can ping your gateway and a traceroute from the outside to your LAN subnet is OK, then the routing is probably OK at the ISP end of things.

Sure you used /64 for the prefix on all your interfaces?

pra

thank you for your help.

traceroute to google.fr :
=>traceroute6 google.fr
traceroute to google.fr (2a00:1450:400a:805::1017), 30 hops max, 80 byte packets
1  2a02-8428-00ef-7501-0000-0000-0000-0010.rev.sfr.net (2a02:8428:ef:7501::10)  0.552 ms  0.538 ms  0.524 ms
2  * * *
3  * * *
4  * * *
5  * * *
6  * * *
7  * * *
8  * * *
9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

=>traceroute6 2a02:8428:ef:7500::1
traceroute to 2a02:8428:ef:7500::1 (2a02:8428:ef:7500::1), 30 hops max, 80 byte packets
1  2a02-8428-00ef-7501-0000-0000-0000-0010.rev.sfr.net (2a02:8428:ef:7501::10)  0.532 ms  0.518 ms  1.364 ms
2  * * *
3  * * *
4  * * *
5  * * *
6  * * *
7  * * *
8  * * *
9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

in attachment you find my routing

pra

No idea?
Thank you

hda

@pra:

No idea?
Thank you

Sure, comment on reply #12 ?

pra

@hda -> not sure to anderstand :

You have two router in series, cascading networks. ?

If you want public IPv6 on your pfSense-LAN, then your pfSense-WAN have to request your ISP-box with DHCP6-Client for a prefix&subnet first ?, provided your ISP-box can function as a DHCP6-Server…

IPv6, no pfSense issue forya. Your ISP-box has the /56. Your pfSense is a slave with other LAN subnet-value and local prefix between /57 and /63.

Your pfSense-WAN on mask /56 doesn't look correct. (but /64 or /128).

do you suggest to have a ip by the dhcp from box for wan IPv6 pfsense?
i can try

pra

@hda ->dhcp give me a /128 :
inet6 2a02:8428:ef:7500:c9ca:8e5d:732b:d96b prefixlen 128

i try to use : 2a02:8428:ef:7500::10 / 64 for pfsense WAN
2a02:8428:ef:7501::10 /64 for pfsense LAN
default getway : 2a02:8428:ef:7500::1/56
2a02:8428:ef:7501::10 can't ping box (2a02:8428:ef:7500::1)

have you an idea?

thank you

pra

hda

@pra:

…
do you suggest to have a ip by the dhcp from box for wan IPv6 pfsense?
...

Yes DHCP6, and ask for a prefix /62 to pfSense.
Then try to use Track Interface on your pfSense-LAN.
Put a host-PC on the LAN and see if that PC get response from http://ipv6-test.com/

pra

@hda:

@pra:

…
do you suggest to have a ip by the dhcp from box for wan IPv6 pfsense?
...

Yes DHCP6, and ask for a /62 to pfSense.
Then try to use Track Interface on your pfSense-LAN.
Put a host-PC on the LAN and see if that PC get response from http://ipv6-test.com/

dhcp give me a /128, do you suggest to use a IPv6 /128 for pfsense WAN and a /62 for IPv6 pfsense LAN?

i try :
2a02:8428:ef:7500::10 / 64 for pfsense WAN
2a02:8428:ef:7501::10 /64 for pfsense LAN
default getway : 2a02:8428:ef:7500::1/56
2a02:8428:ef:7501::10 can't ping box (2a02:8428:ef:7500::1)

what do you suggest ? because  /128 in pfsense WAN and /62 for pfsense LAN seems strange

hda

Consider: your ISP-Box supplies on request, you probably can not grab a number you like…

SO, don't do all static, but do DHCP6 from pfSense-WAN to your ISP-Box. Then read reply #19 again...

pra

@hda
i try :
=> pfsense WAN IPv6 DHCP6 -> give me inet6 2a02:8428:ef:7500:c9ca:8e5d:732b:d96b prefixlen 128
but how to configure pfsense LAN because the pfsense WAN has a /128 prefixe

thank you

pra