Non local gateway IPv6



  • So many posts about people getting stuck trying to run pfSense at OVH. Perhaps a sticky post about this? Or searching for "OVH" first.

    • OVH does not provide a routed IPv6 subnet, they just give you a /56 block to play with
    • pfSense does not support NDP Proxy, which would be a solution to the above point. This point has been argued discussed innumerable times on this forum.
    • You need to put something in front of the pfSense that can act as an NDP Proxy to split apart the /56 block, then you're good to go.

  • LAYER 8 Global Moderator

    @awebster said in Non local gateway IPv6:

    OVH does not provide a routed IPv6 subnet, they just give you a /56 block to play with

    That is pretty pointless and lame..



  • @awebster said in Non local gateway IPv6:

    • You need to put something in front of the pfSense that can act as an NDP Proxy to split apart the /56 block, then you're good to go.

    OK, I have my Proxmox server, which hosts my pfSense VM, and it can act as an NDP proxy.

    I installed ndppd and configured a proxy on the WAN interface with the /56 subnet, but I'm pretty weak on this subject for the rest of the configuration.

    I suppose I need to configure the proxy on the pfSense side? But with which interface? I have the client VM virtual interface, the pfSense virtual interface, and many others for inbound or outbound traffic.

    I read that an RA service may be necessary; I also installed radvd, but again I'm so weak on NDP.

    @johnpoz said in Non local gateway IPv6:

    @awebster said in Non local gateway IPv6:

    OVH does not provide a routed IPv6 subnet, they just give you a /56 block to play with

    That is pretty pointless and lame..

    I contacted OVH and they definitively don't provide a routed prefix...
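
Added example (not part of any post in this thread, and not OVH's or pfSense's own configuration): one way the "NDP proxy in front of pfSense" arrangement described above can be laid out on a Linux hypervisor running ndppd. The interface names `vmbr0` and `vmbr1`, the next hop `fe80::1`, the documentation prefixes and the choice of a `static` rule are all assumptions.

```shell
#!/bin/sh
# Added example: hypervisor-side NDP proxy in front of a pfSense VM.
# Interface names and addresses are constructed placeholders
# (2001:db8::/32 is the documentation range).

# prefix_len_ok PREFIX: succeed only for "addr/len" with 1 <= len <= 64,
# so pfSense can still carve /64 LANs out of what is routed to it.
prefix_len_ok() {
    case $1 in */*) ;; *) return 1 ;; esac
    len=${1##*/}
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -ge 1 ] && [ "$len" -le 64 ]
}

# render_ndppd_conf UPLINK PREFIX: print an ndppd.conf that answers neighbor
# solicitations arriving on UPLINK for every address inside PREFIX.
render_ndppd_conf() {
    prefix_len_ok "$2" || { echo "bad prefix: $2" >&2; return 1; }
    cat <<EOF
proxy $1 {
    router yes
    rule $2 {
        static
    }
}
EOF
}

# render_host_cmds PREFIX NEXTHOP DOWNSTREAM: print (do not run) the commands
# that make the host forward PREFIX to the pfSense WAN address NEXTHOP.
render_host_cmds() {
    prefix_len_ok "$1" || { echo "bad prefix: $1" >&2; return 1; }
    echo "sysctl -w net.ipv6.conf.all.forwarding=1"
    echo "ip -6 route add $1 via $2 dev $3"
}

# Constructed sample: the provider block is 2001:db8:0:100::/56 on vmbr0;
# one /60 of it (16 x /64) is handed to pfSense, reachable over vmbr1.
render_ndppd_conf vmbr0 2001:db8:0:110::/60
render_host_cmds 2001:db8:0:110::/60 fe80::1 vmbr1
```

With a `static` rule ndppd answers for every address in the prefix whether or not a host exists behind it, so what is actually reachable is decided by the pfSense rules, not by the proxy.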



  • @Overclock said in Non local gateway IPv6:

    I contacted OVH and they definitively don't provide a routed prefix...

    They should then explain what you're supposed to do with a /56, given that IPv6 LANs are supposed to be /64 and the normal practice is to split a /56 into /64s, as I do.



  • @JKnott This is what I'd call an impasse. 😞
    OVH is a very large, mainly European, Openstack hosting provider, and it does not appear as if they are in any hurry to change how their infrastructure works. Maybe this is also how Openstack works, I don't know, but if the OVH customer is running a Linux box (statistically, most do) with NDP Proxy, there is no issue.
    Secondly, the powers that be at pfSense are also not interested in supporting NDP proxy, so...
    NO OR NO = NO

    I wonder if the non-routed /56 is more of a European thing, seems like lots of ISPs over there are doing that too judging by the frequent questions in the IPv6 forum here. Perhaps there is a different policy interpretation over there (RIPE vs ARIN)???


  • LAYER 8 Global Moderator

    Well they clearly don't understand how IPv6 is supposed to work then... it is a lazy setup to expect users to use what amounts to a hack to how it's supposed to work.. When they could just do delegation and be done with it. Prefix delegation is the correct way to hand a client a /56, a /60 or a /48 even, etc. and let them break it how they need to..

    /64 as min size is not an ARIN or RIPE thing, it's an IPv6 thing..



  • @awebster said in Non local gateway IPv6:

    I wonder if the non-routed /56 is more of a European thing, seems like lots of ISPs over there are doing that too judging by the frequent questions in the IPv6 forum here. Perhaps there is a different policy interpretation over there (RIPE vs ARIN)???

    No it's not a RIPE vs ARIN thing. As both johnpoz and I have mentioned, only /64s are supposed to be used on LANs. Using anything else breaks things such as SLAAC. Here's what Wikipedia says:

    "Unicast and anycast addresses are typically composed of two logical parts: a 64-bit network prefix used for routing, and a 64-bit interface identifier used to identify a host's network interface."

    So, you have a 64 bit network address and 64 bit host address. You might be able to hack a /56 into working, but that shouldn't be necessary, if the ISP does their job right.

    Maybe you could tell them about how most ISPs use DHCPv6-PD to provide prefixes to customers.

    "DHCPv6 Prefix Delegation is supported by most ISPs who provide native IPv6 for consumers on fixed networks.

    Prefix delegation is generally not supported on cellular networks, for example 3G or LTE. Most cellular networks route a fixed /64 prefix to the subscriber. Personal hotspots may still provide IPv6 access to hosts on the network by using a different technique called Proxy Neighbor Discovery. One of the reasons why cellular networks may not yet support prefix delegation is that the operators want to use prefixes they can aggregate to a single route. To solve this, RFC 6603 defines an optional mechanism and the related DHCPv6 option to allow exclusion of one specific prefix from a delegated prefix set. "

    There's also RFC 3633 and related RFCs.



  • @awebster

    BTW, perhaps you could mention that a /56, with 2^72 or 4.72236648287e+21 addresses is a tad large to use on a LAN. Not many people have that many devices. 😉


  • LAYER 8 Global Moderator

    Not a good argument ;) Nobody has as many IPs that are in a /64 either - hehehe But hey it is what it is, that is where it makes sense to break the network at..

    You wonder why ipv6 is not as deployed as it should or could be - what OVH is doing is a perfect example of the guys that should be doing it correctly still managing to F it up to where clients have to hack shit together to even use it.

    Even when they have pretty much an endless supply of IPs to work with, they still F it up!! It is just freaking SAD!!! I can see them having to take short cuts and try to save space with ipv4, handing the clients IPs in the same network vs giving them their own /30 or doing nat shit because they just don't have the IPs to work with... But with IPv6 this is just not the case at all... They can pretty much get as big a block as they need...



  • @johnpoz I totally agree that the subnet should be a) routed and b) the network size should be /64. I was simply pointing out something that appears unusual, namely that there appears to be more misconfigured IPv6 related questions hitting the forums from Europe than from NA.
    It is worth pointing out that OVH is a budget provider where you can get VPSes at a fraction of the cost of some of the big guns, consequently people flock there, but being a budget provider, you can expect budget service. Tech support for anything other than basic operations is pretty much non existent.
    For the record their IPv4 setup is a bit unusual in that you are allocated a /32 from within a much bigger subnet with a non-local gateway (ie: .1 of the actual subnet), only that seems to work fine with pfSense.
    Knowing that OVH's environment is based on openstack, it appears that prefix delegation is not supported on older releases. I have no way of knowing what version OVH is running, but this might be partly to blame.



  • @awebster

    I suppose the OP could get a tunnel from he.net, until OVH comes to their senses. Cheap is not a valid excuse for incompetent.



  • @JKnott Agreed tunnel from HE.NET would make the most sense. Wouldn't surprise me if HE.NET doesn't already have a direct attach to OVH, most big BW providers are connected there.


  • LAYER 8 Global Moderator

    @JKnott said in Non local gateway IPv6:

    Cheap is not a valid excuse for incompetent.

    That is GREAT line!!! I will have to remember that...

    And I concur, he.net is a great solution to work around horrible ipv6 deployments.. Grab your /48 and you can use it where you want, even if your isp has zero ipv6 support.. Which to be honest, prob better than some of the nonsense out there - at least then vs trying to come up with workarounds and hacks to get something that works, you just directly go with simple and easy to setup he.net tunnel.

    I have had the same /48 from he for almost 10 years now.. Multiple ISPs, I have the same IPv6 block - and my current isp doesn't have any IPv6... I don't care, took all of 2 minutes to be up and running... And it works!! Only thing is that it adds a few ms to what it would be if it was native.



  • @awebster said in Non local gateway IPv6:

    For the record their IPv4 setup is a bit unusual in that you are allocated a /32 from within a much bigger subnet with a non-local gateway (ie: .1 of the actual subnet), only that seems to work fine with pfSense.

    Yes, they give an IPv4 public range and the non-local gateway is always .254. To work, it needs a virtual MAC address, generated in the OVH admin interface, allocated for each IPv4.
    It works well on pfSense.

    @JKnott said in Non local gateway IPv6:

    @awebster

    Cheap is not a valid excuse for incompetent.

    In France, OVH is not seen as a cheap provider, it's the leader!
    I don't know how other dedicated server providers are playing with IPv6 blocks.

    @johnpoz said in Non local gateway IPv6:

    @JKnott said in Non local gateway IPv6:
    And I concur, he.net is a great solution to work around horrible ipv6 deployments..

    I just tried it, it's amazing! It works perfectly on pfSense and I could immediately subnet the given /48 into multiple /64s for VMs, and you know what... it's working!

    It makes me totally mad that I must use a free US tunnel provider on my paid French dedicated server...

    I also have some doubts about using a free tunnel for professional use...

    I will try again to configure the NDP proxy on the hypervisor, but it's very tricky because of the multiple veth usage.

    Thanks to all of you !


  • LAYER 8 Global Moderator

    @Overclock said in Non local gateway IPv6:

    I also have some doubts about using a free tunnel for professional use...

    Huh? But it's ok to just use some random block of IPs your host gives you? Do they charge you for those IPs? That you have to hack up some ndp proxy to get to work?

    Go get your own IPv6 block from RIPE if you want... Will OVH allow you to route that, or will they just attach your whole /32 and expect you to proxy it?



  • @Overclock said in Non local gateway IPv6:

    In France, OVH is not seen as a cheap provider, it's the leader!

    Then they should have competent support. Ask them how they'd configure a Cisco router.

    I can understand an ISP providing a single /64 and expecting you to use it. At least that will work properly. Anything else, such as a /56 must be routed. There is no other way for it to work properly.



  • @johnpoz

    I just want to say that it's a little hard for me to trust a free service. I just hope that Hurricane Electric doesn't spy on what goes through the tunnel. But it's a great service!

    @JKnott said in Non local gateway IPv6:

    @Overclock said in Non local gateway IPv6:

    In France, OVH is not seen as a cheap provider, it's the leader!

    Then they should have competent support. Ask them how they'd configure a Cisco router.

    I have an open ticket about this subject, wait and see :)


  • LAYER 8 Global Moderator

    @Overclock said in Non local gateway IPv6:

    I just hope that Hurricane Electric doesn't spy on what goes through the tunnel.

    You could say the same freaking thing about your ISP ;) Or any VPN service you actually pay for ;) Or any router on the internet that your traffic routes through, etc.. For that matter.

    You understand they are like the top ipv6 backbone on the planet right?? They run a freaking HUGE network.. This is not your fly by night service providing you free vpn ;)

    Can pretty much promise you if you're running ipv6 traffic, at some point it's going to cross their routers.. Be it you tunnel to them or not ;)



  • @johnpoz

    Just some European security guy paranoia matters about US services ;)

    I am already satisfied by my fresh /48 ;)

    I will keep you informed about OVH's response.



  • @Overclock said in Non local gateway IPv6:

    I will keep you informed about OVH's response.

    Ask them how SLAAC is supposed to work with a /56. You may be able to get a single /64 to work, but the other 255 will be unusable.