Netgate Discussion Forum
    NDP proxy where are you

      pra

      Thank you all

      ISP: SFR
      They give me: 2a02:8428:ef:7500::/56
      The box can't be configured in bridge mode; its IP is: 2a02:8428:ef:7500::1/56
      I use 2axy:8428:ef:7501::/64 for my LAN (e.g. 2a02:8428:ef:7501::100, gateway: 2a02:8428:ef:7501::10)
      Ping from 2axy:8428:ef:7501::100 to:
      2a02:8428:ef:7501::10 -> ok
      2a02:8428:ef:7500::2 -> ok
      2a02:8428:ef:7500::1 -> ko
      In tcpdump on em3 (2a02:8428:ef:7500::2) I can see the echo request, but I don't see the echo reply…:

      tcpdump -lni em3 host 2a02:8428:ef:7501:216:3eff:fe8c:edd0
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on em3, link-type EN10MB (Ethernet), capture size 65535 bytes
      capability mode sandbox enabled
      08:07:10.341717 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 65, length 64
      08:07:11.349705 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 66, length 64
      08:07:12.357754 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 67, length 64
      08:07:13.365748 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 68, length 64
      08:07:14.373745 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 69, length 64
      08:07:15.381684 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 70, length 64
      08:07:16.389735 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 71, length 64
      08:07:17.397731 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 72, length 64
      08:07:18.405693 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 73, length 64
      08:07:19.413624 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 74, length 64
      ^C
      10 packets captured
      6077 packets received by filter
      0 packets dropped by kernel

      My config for pfSense:

      --------------LAN------------
                        |
                        |
                        |
                        |
                    2a02:8428:ef:7501::10/64  IPv6 LAN pfsense
                        |
                        P
                        F
                        S
                        E
                        N
                        S
                        E
                        |
                      2a02:8428:ef:7500::2/56 IPv6 WAN pfsense
                        |
                        |
                        |
                        |
                      BOX
                      2a02:8428:ef:7500::1/56
                        |
                        |
                        |
                        |
      -------------WAN-----------------

      thank you for your help
      pra

        pra

        I can't change PTR
        I can't bridge the box
        I can use a DMZ, they impose (I try this):
        2a02:8428:ef:7501::/64
        gateway :
        2a02:8428:ef:7500::2/56

        for my rules you can see the attachments

        fwRuleLan.png
        FWRuleWan.png

          hda

          You have two routers in series, cascading networks?

          If you want public IPv6 on your pfSense-LAN, then your pfSense-WAN has to request your ISP-box with DHCP6-Client for a prefix & subnet first?, provided your ISP-box can function as a DHCP6-Server…

          IPv6, no pfSense issue forya. Your ISP-box has the /56. Your pfSense is a slave with other LAN subnet-value and local prefix between /57 and /63.

          Your pfSense-WAN on mask /56 doesn't look correct. (but /64 or /128).

            jimp Rebel Alliance Developer Netgate

            Sounds like your settings are OK. If your LAN IP address can ping the upstream gateway then your local setup is fine, and probably even the routing at your next hop is OK, but it sounds like maybe the routing/rules upstream from you is broken.

            A traceroute6 to your WAN and LAN IP addresses both stop at your gateway. I'd normally expect it to work if all that is fine, unless the ISP is filtering the traffic.

            If you can ping your gateway and a traceroute from the outside to your LAN subnet is OK, then the routing is probably OK at the ISP end of things.

            Sure you used /64 for the prefix on all your interfaces?

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

              pra

              thank you for your help.

              traceroute to google.fr :
              =>traceroute6 google.fr
              traceroute to google.fr (2a00:1450:400a:805::1017), 30 hops max, 80 byte packets
              1  2a02-8428-00ef-7501-0000-0000-0000-0010.rev.sfr.net (2a02:8428:ef:7501::10)  0.552 ms  0.538 ms  0.524 ms
              2  * * *
              3  * * *
              4  * * *
              5  * * *
              6  * * *
              7  * * *
              8  * * *
              9  * * *
              10  * * *
              11  * * *
              12  * * *
              13  * * *
              14  * * *
              15  * * *
              16  * * *
              17  * * *
              18  * * *
              19  * * *
              20  * * *
              21  * * *
              22  * * *
              23  * * *
              24  * * *
              25  * * *
              26  * * *
              27  * * *
              28  * * *
              29  * * *
              30  * * *

              =>traceroute6 2a02:8428:ef:7500::1
              traceroute to 2a02:8428:ef:7500::1 (2a02:8428:ef:7500::1), 30 hops max, 80 byte packets
              1  2a02-8428-00ef-7501-0000-0000-0000-0010.rev.sfr.net (2a02:8428:ef:7501::10)  0.532 ms  0.518 ms  1.364 ms
              2  * * *
              3  * * *
              4  * * *
              5  * * *
              6  * * *
              7  * * *
              8  * * *
              9  * * *
              10  * * *
              11  * * *
              12  * * *
              13  * * *
              14  * * *
              15  * * *
              16  * * *
              17  * * *
              18  * * *
              19  * * *
              20  * * *
              21  * * *
              22  * * *
              23  * * *
              24  * * *
              25  * * *
              26  * * *
              27  * * *
              28  * * *
              29  * * *
              30  * * *

              in attachment you find my routing

              routing.png
              gateways.png

                pra

                No idea?
                Thank you

                  hda

                  @pra:

                  No idea?
                  Thank you

                  Sure, comment on reply #12 ?

                    pra

                    @hda -> not sure I understand:

                    You have two routers in series, cascading networks?

                    If you want public IPv6 on your pfSense-LAN, then your pfSense-WAN has to request your ISP-box with DHCP6-Client for a prefix & subnet first?, provided your ISP-box can function as a DHCP6-Server…

                    IPv6, no pfSense issue forya. Your ISP-box has the /56. Your pfSense is a slave with other LAN subnet-value and local prefix between /57 and /63.

                    Your pfSense-WAN on mask /56 doesn't look correct. (but /64 or /128).

                    do you suggest to have a ip by the dhcp from box for wan IPv6 pfsense?
                    i can try

                      pra

                      @hda ->dhcp give me a /128 :
                      inet6 2a02:8428:ef:7500:c9ca:8e5d:732b:d96b prefixlen 128

                      i try to use : 2a02:8428:ef:7500::10 / 64 for pfsense WAN
                      2a02:8428:ef:7501::10 /64 for pfsense LAN
                      default gateway : 2a02:8428:ef:7500::1/56
                      2a02:8428:ef:7501::10 can't ping box (2a02:8428:ef:7500::1)

                      have you an idea?

                      thank you

                      pra

                        hda

                        @pra:

                        …
                        do you suggest to have a ip by the dhcp from box for wan IPv6 pfsense?
                        ...

                        Yes DHCP6, and ask for a prefix /62 to pfSense.
                        Then try to use Track Interface on your pfSense-LAN.
                        Put a host-PC on the LAN and see if that PC get response from http://ipv6-test.com/

                          pra

                          @hda:

                          @pra:

                          …
                          do you suggest to have a ip by the dhcp from box for wan IPv6 pfsense?
                          ...

                          Yes DHCP6, and ask for a /62 to pfSense.
                          Then try to use Track Interface on your pfSense-LAN.
                          Put a host-PC on the LAN and see if that PC get response from http://ipv6-test.com/

                          dhcp give me a /128, do you suggest to use a IPv6 /128 for pfsense WAN and a /62 for IPv6 pfsense LAN?

                          i try :
                          2a02:8428:ef:7500::10 / 64 for pfsense WAN
                          2a02:8428:ef:7501::10 /64 for pfsense LAN
                          default gateway : 2a02:8428:ef:7500::1/56
                          2a02:8428:ef:7501::10 can't ping box (2a02:8428:ef:7500::1)

                          what do you suggest ? because  /128 in pfsense WAN and /62 for pfsense LAN seems strange

                            hda

                            Consider: your ISP-Box supplies on request, you probably can not grab a number you like…

                            SO, don't do all static, but do DHCP6 from pfSense-WAN to your ISP-Box. Then read reply #19 again...

                              pra

                              @hda
                              i try :
                              => pfsense WAN IPv6 DHCP6 -> give me inet6 2a02:8428:ef:7500:c9ca:8e5d:732b:d96b prefixlen 128
                              but how to configure pfsense LAN because the pfsense WAN has a /128 prefix

                              thank you

                              pra

                                hda

                                You may read & understand to request a prefix /62 for pfSense from ISP-box (/56) for the pfSense LANs. The WAN address mask (/64 or /128) no problem for that, just an intermediary. The LANs are each with a unique subnet and mask /64.

                                  pra

                                  @hda :
                                  Sorry, but I can't configure the box…
                                  DHCP is imposed:
                                  2a02:8428:ef:7500:c9ca:8e5d:732b:0000 to 2a02:8428:ef:7500:c9ca:8e5d:732b:ffff
                                  I try this:
                                  I fix the IP on the DHCP6 on the box:
                                  IPv6 pfsense WAN : 2a02:8428:ef:7500:c9ca:8e5d:732b:1/128
                                  IPv6 pfsense LAN :  2a02:8428:ef:7500:c9ca:8e5d:732b:8001/113

                                  i test:
                                  pfsense WAN can't ping  the box (2a02:8428:ef:7500::1)
                                  PING6(56=40+8+8 bytes) 2a02:8428:ef:7500:c9ca:8e5d:732b:1 --> 2a02:8428:ef:7500::1
                                  ping6: wrote 2a02:8428:ef:7500::1 16 chars, ret=-1
                                  ping6: wrote 2a02:8428:ef:7500::1 16 chars, ret=-1
                                  ping6: wrote 2a02:8428:ef:7500::1 16 chars, ret=-1

                                  --- 2a02:8428:ef:7500::1 ping6 statistics ---
                                  3 packets transmitted, 0 packets received, 100.0% packet loss

                                  pfsense LAN can't ping the box (2a02:8428:ef:7500::1):
                                  PING6(56=40+8+8 bytes) 2a02:8428:ef:7500:c9ca:8e5d:732b:8001 --> 2a02:8428:ef:7500::1
                                  ping6: wrote 2a02:8428:ef:7500::1 16 chars, ret=-1
                                  ping6: wrote 2a02:8428:ef:7500::1 16 chars, ret=-1
                                  ping6: wrote 2a02:8428:ef:7500::1 16 chars, ret=-1

                                  --- 2a02:8428:ef:7500::1 ping6 statistics ---
                                  3 packets transmitted, 0 packets received, 100.0% packet loss
                                  thank you for your help
                                  pra

                                    David_W

                                    Why are you now trying to divide up a /64? You'll have a horrible time trying to use IPv6 with an allocation narrower than /64 on a LAN unless everything on that network supports address allocation via DHCPv6. Some devices only support SLAAC (such as Android devices, also Windows XP if you still use it and haven't installed a DHCPv6 client). SLAAC requires you to advertise a /64 (and exactly a /64) for things to work correctly.

                                    Are you running router advertisement on your LANs (Services -> DHCPv6 Server/RA, Router Advertisements tab)?

                                    I'd start by working out what your ISP supplied box offers. If it will allow you to delegate prefixes via DHCP-PD, your task becomes a lot easier. You've said you can't bridge this device, but does the ISP allow you to replace it with a DSL bridge and use PPPoE or similar?

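An added example, not part of any post in this thread and not pfSense code: a Python check of the addressing plans tried above against the two constraints the replies raise (LANs must be exactly /64 for SLAAC, and LAN prefixes should be delegated or routed rather than taken from the range the box has on its own link). The function names, the finding labels and the delegated prefix `2a02:8428:ef:7504::/62` are constructed for illustration; the example assumes the box has no route for a LAN prefix unless it is listed in `routed`.

```python
import ipaddress

def check_plan(box_onlink, lans, routed=()):
    """Flag LAN prefixes behind an inner router that will not work as planned.

    box_onlink: prefix the ISP box has configured on its own LAN interface
    lans:       {name: "address/prefixlen"} for the inner router's LAN interfaces
    routed:     prefixes the box forwards to the inner router (delegated or static)
    """
    onlink = ipaddress.ip_network(box_onlink)
    routes = [ipaddress.ip_network(r) for r in routed]
    findings = []
    for name, cidr in lans.items():
        net = ipaddress.ip_interface(cidr).network
        if net.prefixlen != 64:
            # SLAAC-only hosts need exactly a /64 advertised on the LAN.
            findings.append((name, "slaac-needs-/64"))
        if net.subnet_of(onlink) and not any(net.subnet_of(r) for r in routes):
            # The box treats these addresses as neighbours on its own link and
            # sends Neighbor Solicitations for them instead of forwarding to the
            # inner router, so replies never reach LAN hosts without an NDP proxy.
            findings.append((name, "box-sees-on-link"))
    return findings

def carve_lans(delegated, count):
    """Split a delegated prefix into `count` unique /64 LAN prefixes."""
    net = ipaddress.ip_network(delegated)
    if net.prefixlen > 64:
        raise ValueError(f"{net} is longer than /64, nothing to carve")
    subnets = net.subnets(new_prefix=64)
    chosen = [next(subnets, None) for _ in range(count)]
    if None in chosen:
        raise ValueError(f"{net} holds fewer than {count} /64 prefixes")
    return chosen

# Values taken from the thread.
BOX_ONLINK = "2a02:8428:ef:7500::/56"              # box is 2a02:8428:ef:7500::1/56
STATIC_PLAN = {"LAN": "2a02:8428:ef:7501::10/64"}  # first post
SPLIT_PLAN = {"LAN": "2a02:8428:ef:7500:c9ca:8e5d:732b:8001/113"}  # later attempt
# Constructed value: a /62 the box might hand out via DHCPv6 prefix delegation.
DELEGATED = "2a02:8428:ef:7504::/62"

if __name__ == "__main__":
    print("static plan:", check_plan(BOX_ONLINK, STATIC_PLAN))
    print("split /64:  ", check_plan(BOX_ONLINK, SPLIT_PLAN))
    lans = carve_lans(DELEGATED, 2)
    plan = {f"LAN{i}": str(net) for i, net in enumerate(lans)}
    print("delegated:  ", plan, check_plan(BOX_ONLINK, plan, routed=[DELEGATED]))
```
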
                                      davidbrodbeck

                                      I have a similar issue where NDP proxy would be really useful.

                                      My colo provider gives me a /64 for my rack. I use NPt to do 1:1 NAT so I can have my pfsense firewall while still allowing machines behind it to have IPv6 connectivity.  This works, but I have to manually configure a virtual IP for each machine. I'd really like to avoid that by just proxy NDPing the whole range.

                                        jimp Rebel Alliance Developer Netgate

                                        Don't do that. NAT sucks. The main point of IPv6 is to do away with NAT. Make them give you another /64 and route it properly.

                                          davidbrodbeck

                                          I can try, but I don't have much leverage over them. They're the central IT department for the university I work for.

                                          As an aside, this is what I really don't like about IPv6.  It takes away the ability for end users to do stuff on their own.  NAT was invented to begin with because ISPs weren't interested in giving out extra subnets; now we're back to begging for them to give out static routes again.  I remember the "bad old days" when ISPs would only allow you one computer per Internet connection…one of IPv6's goals seems to have been to enable that kind of restriction again. :/

                                            jimp Rebel Alliance Developer Netgate

                                            IPv6 was designed to eliminate the need for any of that. Any ISP that doesn't give you multiple subnets is implementing IPv6 incorrectly. IPv4 was scarce, IPv6 is not. There is no reason (aside from pure greed) that they should not give you at least two /64's with one routed to your address in the other.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.