NDP proxy where are you
-
The response to my ticket asking for another routable block was "why don't you use NAT?"
Perhaps this might clarify the issue to them?
-
I have now come across two providers in the UK who give you a flat /48: i.e. the CPE is configured with address 2001:db8:1234::1/48, and no static routes.
It's nuts. You need to ndp proxy blocks of /64 to make routing work. We are back to the bad old days of "ip proxy-arp".
Anyway, it looks like FreeBSD ndproxy(4) can be used to implement this:
http://www.fenyo.net/newweb/ndproxy.html -
I have now come across two providers in the UK who give you a flat /48: i.e. the CPE is configured with address 2001:db8:1234::1/48, and no static routes.
Are you certain there are no routes? It's also quite common to see a /48 allocation like that with the first /64 assumed to be the interconnect and the balance of the /48 routed to the CPE.
NDP Proxy is the wrong answer though, getting the provider to fix their broken design is better. Might take significant convincing, though. A flat /48 is insane and should not be encouraged.
-
I was just searching the same for a friend who uses pfsense, when I stumbled on this post. I'd like to clarify what the OP is asking as it seems to me.
Asking how to do ndp proxying is not like asking "how to build a socks5 proxy". In fact: what OP is asking is very similar to the question "how do I do ARP proxying". FD: I am not using pfsense (not right now anyway, but I used to and might again!) but still, here's a setup I am using myself on a linux box, and shows what ndp proxying does:
This is my host:
Upstream router -> host(eth0)
host(bridge1) -> guest(eth0)As you can see, bridge1 connects the host and the guest together, without having added eth0. It's like a cable between host and guest. I know you guys probably understand this, but I'm just adding it for brevity.
On host(eth0) I have configured an IPv6 address, let's call it haddr1::1/64. On bridge1 I have configured an address, let's call it baddr1::0/127, which is inside the /64 subnet.
On the guest(eth0) I have configured the address baddr1::1/127. The host and guest can now ping each other: from the host, ping6 baddr1::1 gets a reply, and from the guest, ping6 baddr1::0 gets a reply. Next, I configure the guest to use baddr1::0 as the default route. So far so good.
Now the guest wants to connect to a host; let's say that the guest wants to ping orange.kame.net*. It does ping6 orange.kame.net and the packet with source address baddr1::1 goes out, the host receives it on bridge1, and because forwarding is enabled, the host forwards it to its default route which means via eth0 to the upstream router. No problem.
But now the reply comes. The upstream router asks something like "who has baddr1::1". Gets no reply. Packet discarded.
This is where ndp proxying comes in, cf. the following command: "ip -6 neigh add proxy baddr1::1 dev eth0" and this commmand means: "answer on behalf of baddr1::1 on eth0". This causes the host to say "I'm the one you need for baddr1::1" and the packet gets through. Full duplex connectivity, fully working!
It's the same as arp proxying: I have a route to an IP on some interface, so I answer arp requests to that IP on some other interface.
This is exactly what I have been using for a long time. It does not violate specs, it does not work around problems, it's doing exactly what it's supposed to be doing: enable normally routed packet flows. I know people might disagree or think that other ways are better, that's fine, but to each their own: it does not mean that this way of doing things is wrong. Not at all. There are more ways to do anything and everything.
Hope this makes it clear what OP is asking with ndp proxying, or if anyone thinks I have it wrong, feel free to say so as well. Just know: this setup works for me 100% and arp/ndp proxying is a normal thing to do with virtual machines and multiple networks. It's a lot better than NAT and so forth.
- I'm being nostalgic!
-
Yes – I'm aware of what he's asking and what it does -- but it does not solve the problem of the ISP delivering him a broken configuration. He's trying to work around it and enable their awful behavior, but doing proxy NDP for billions of addresses is not the answer. Getting the ISP to deliver a proper configuration is the answer. Don't let the ISP get away with it, you're paying them for the service and they're failing to provide a proper configuration for the service.
You have a choice between an ugly, ugly hack (proxy NDP) and the ISP doing what amounts to a one or two-line change in their upstream router config for the customer to do it properly.
-
Agreed, jimp. I wasn't under the impression that you didn't get it, so when I was reading my own post again just now, I realised I had to reword the first few sentences: I didn't want to sound like I thought no one understood what OP was trying to say. Just that some of the replies came across to me like they didn't get what proxy ndp is all about. Much is lost in translation and English also isn't my first language.
I'm also wondering - In the explanation of my own setup, do you also think ndp proxy is an ugly hack? Or just in the case of him trying to work around his provider's setup. I agree that an ndp subnet proxy is not exactly the cleanest way to go, but if you have to deal with this setup, I can see why he asked for this. Better than NAT I would think. And some ISPs, or actually, many of them, probably think "ok we have it working now so let's not touch anything IPv6 related ever again!"
-
I have now come across two providers in the UK who give you a flat /48: i.e. the CPE is configured with address 2001:db8:1234::1/48, and no static routes.
It's nuts. You need to ndp proxy blocks of /64 to make routing work. We are back to the bad old days of "ip proxy-arp".
Anyway, it looks like FreeBSD ndproxy(4) can be used to implement this:
http://www.fenyo.net/newweb/ndproxy.htmlFew Hosting companies do this as well, They'll allocate a /64 but presumably assume you are just going to direct bridge any VM's you run to the physical port and don't want to route yourself :-(
Fine in some cases but can't really do that with my VPN (well i could but it would be messy)
-
Just came across this issue with OVH using their Dedicated Private Cloud product. They terminate a /56 on the WAN vlan and provide no routing capability for /64 addresses. I'm trying to find out if there is some way to use PD or RA to get them to route /64's properly but no responses from their team yet.
-
Just a follow up, OVH provide no way to route /64 at all, you are forced to use ndp proxy if you want to use some of the /56 address space internally.
-
Then take your money elsewhere. That is an AWFUL network design and it's impossible to expect anyone to have a /56 in one massive flat network. Don't let them get away with that lazy crap. They have to route it to you, full stop. NDP Proxy isn't happening.
-
Im with jimp that sort of setup is just moronic… There is zero reason to be so freaking stupid in their design. Route networks they assign to you be it a /48, /56 or /60 even - or for that matter even a single /64 should be routed to you if your going to be doing anything other than hosting a few hosts on their network directly.
-
I've worked around this by putting a linux box on the wan segment that runs ndppd with ipv6 forwarding enabled. Now I can configure any of the /64s within the /56 in ndppd and it works as if it was properly routed to pfsense and can be used on my internal network segments.
-
News flash:
Just this week, ndproxy by Aexandre Freyo (a package that has already been mentioned earlier in this thread) has been added to the official FreeBSD ports tree!
See: https://github.com/AlexandreFenyo/ndproxyThat may open up new possibilities. I will ask if feature request #7746 can be reopened: https://redmine.pfsense.org/issues/7746
BTW: I love pfSense, to me it's like a Swiss Army knife for networking. I can solve any IPv4 problem with it. pfSense should be able to solve real world IPv6 problems like this one as well.
-
It is not a real world IPv6 problem. It is a completely broken ISP configuration. They need to fix it.
18-billion-billion * 256 addresses on one flat interface. Asinine. Don't host there.
-
Keep it away from pfSense, stuff the matter in the face of your ISP instead.
-
Not trying to be contrarian, but ISPs are not exactly known for giving a sh*t about their customers. I googled "america's most hated companies". Comcast was number 1 and Charter was number 12. ISPs aren't any more well liked in Canada, for good reason. It's probably no different in a lot of other countries. Some people are located in areas where there are few or no alternatives.
As an engineer, it has always grated on me to pollute a design or an implementation in order to accommodate something because someone else didn't do their job properly or at all. Unfortunately, sometimes you have to accept such things. With respect to pfsense, the "Do not wait for a RA" setting could be considered such a thing. I'm not in a position to do any development, but thankfully marjohn56 had the same issue and he implemented a fix that works very well. pfsense has a few more users because of this.
-
It is not a real world IPv6 problem. It is a completely broken ISP configuration. They need to fix it.
18-billion-billion * 256 addresses on one flat interface. Asinine. Don't host there.
Easier set than done ;(
-
I came across this thread and tickets for ndproxy, because like others my ISP gave me a flat /112.. In my case it was just given to me with my ipv4 address's. I wanted to play around with ipv6 but got stuck because there is no ndproxy support so i'm just going to disable it, as it's basically useless with pfsense as a firewall.
I agree the ISP should fix the way it's routed, but it doesn't seem ISPs are doing that, and it will likely be sometime before a majority of ISPs get ipv6 figured out correctly. I don't see what harm would come in adding ndproxy as a package.
-
Then lobby to your ISP to get it fixed.
It we add workarounds for broken designs, then ISPs will have no incentive to fix their broken designs.