ADD RFC 6296 for futur version pfsense

fredlubrano

Hi,

is it possible to add RFC 6296 to the IPv6 Network Prefix Translation function in a future PfSense release. RFC 6296 (https://www.rfc-editor.org/info/rfc6296) is added in the future version of Freebsd12 :

https://svnweb.freebsd.org/base?view=revision&revision=303012
https://reviews.freebsd.org/rS303012
https://reviews.freebsd.org/D6420

Thanks

Best regards,

fred

MikeV7896

This paragraph from the Status of this memo section tells me that it’s not likely to find any kind of official support in the GUI here, regardless of FreeBSD’s decision to implement it at the OS level...

This document is not an Internet Standards Track specification; it is
published for examination, experimental implementation, and
evaluation.

It’s not an internet standard. At least not yet. It is experimental.

MikeV7896

And now that I’ve gotten the “nice” response out of the way... NO! NAT and IPv6 do not go together! There is no need to waste TWO /64’s when one and a properly configured firewall works just fine! Why do people want the internet to remain broken with NAT?!

JKnott

@fredlubrano said in ADD RFC 6296 for futur version pfsense:

is it possible to add RFC 6296 to the IPv6 Network Prefix Translation function in a future PfSense release. RFC 6296

Why??? NAT is a hack to get around the IPv4 address shortage. No need for it on IPv6.

JKnott

@virgiliomi said in ADD RFC 6296 for futur version pfsense:

Why do people want the internet to remain broken with NAT?!

They're so used to it, they think it's normal. They don't realize it's a hack that breaks things.

BTW, I'm allergic to NAT.

fredlubrano

Gentlemen, this is just a proposal and I notice that you know very little about the implementation of IPv6 at our French ISPs.
I totally agree with you that IPv6 is not creating for NAT, so I'm asking you to skim your answers.

I think I should comment on this conversation at freebsd dev, he loses his time

Grimson

If you post something in a discussion board expect to hear the opinions of others.

As for your proposal, well you have my pity if French ISPs are incompetent enough that you would need NAT on IPv6. But that is no reason to support their incompetence by adding that crap to pfSense.

fredlubrano

Unfortunately if pfsense wishes more to develop towards the company and professionals it will have to add these kinds options. Example Fortinet will add this option.

I close this request.

PS: you are part of people who decides to add function?

MikeV7896

No, all of us are just users of pfSense. Netgate employees are identified with a badge next to their username indicating such.

It's certainly possible that, for whatever reason, they could decide to include this functionality. But based on responses to previous requests about NAT and IPv6, I would be very surprised if it happens.

It's also possible that some generous individual could do all of the work and submit it to pfSense for inclusion into their software. That's the beauty of Open Source software.

But if your ISP is only giving you one single IPv6 address and you want to NAT that one IPv6 address to your LAN (which I think is what your real issue is), this RFC won't be helping you. 1:1 NAT means that for every internal IP address, you have an external one to point to it. So you'd still need a /64 from your ISP in order to use the ideas in this RFC. To make sure this is clear, I'm referring to this statement in the Abstract of the RFC...

...provides a 1:1 relationship between addresses in the "inside" and "outside" prefixes...

So you would have an "inside" (likely ULA) /64 on your LAN, and an "outside" /64 (from your ISP) on your WAN... and you're wasting a perfectly good /64 for this nonsense when you could just be using that /64 from your ISP on your LAN in the first place.

jimp

The referenced FreeBSD commit is for ipfw, pfSense uses pf. pf already does NPt and it's available under Firewall > NAT, NPt tab.

MikeV7896

Ok then, I lose.

But as I mentioned, this is still 1:1 NAT... you still need a /64 on your WAN to use a /64 on your LAN. And you shouldn't be using anything other than a /64 on your LAN. So one single IPv6 address will not let you use IPv6 on a whole LAN.

jimp

NPt still isn't useful in that context. There is no such thing as "Proxy NDP" to answer NDP requests for addresses in the /64 on WAN.

It is useful for use with a network (/64 or larger) routed to your firewall WAN address, though.

fredlubrano

Hello Jimp,
Thank you for those answers, it was in the idea. Can you send me by email a procedure to submit requests for improvements, I will answer you by my professional email.

Thanks for the moderation of the forum and good day

fred

jimp

The procedure to request features is in the documentation. No need to discuss a public topic privately.