    Netgate Discussion Forum

    neighbor discover proxy

    IPv6
    • Tanya 0

      pfSense customers have been asking for about 10 years to implement Neighbor Discovery Proxy, and it is clear that Netgate NEVER EVER will implement it.

      For something as simple as splitting a /64 subnet we are on our own. That is a fact. We have to step down to FreeBSD.

      But I'm just wondering:
      Has anyone ever succeeded in implementing the simple LINUX command ip -6 neigh add proxy 2001:42d0:ac:2604:b055::1005 dev eth0 in FreeBSD? I have tried the kernel module ndproxy.ko but never got it to work :-(
      It must be possible: JUNOS runs on FreeBSD and HAS (of course) neighbor discover proxy.

      Anyone who knows the secret?? I really want to split a subnet: I'm married to a bad provider.

      Please help.

      • JKnott

        @tanya-0 said in neighbor discover proxy:

        Please help.

        You are not supposed to split a /64. That is the prefix size LANs are supposed to use. The exception would be point to point links, where a /127 could be used.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • Tanya 0

          @jknott splitting /64
          I know, I know, but as I said: "I am married to a bad provider", so I get a single /64 block BEFORE my router.

          And it's a breeze with other routers or Linux OSes.

          I was just wondering if anyone succeeded in splitting with FreeBSD.

          NB
          I have the feeling that Netgate doesn't understand their customers or doesn't understand IPv6:
          Look at this picture :-)

          netgate.jpg

          • JKnott

            @tanya-0

            One problem with what you want to do is it breaks SLAAC. With SLAAC, the router provides the 64 bit prefix and the client, the 64 bit suffix. Also, with privacy addresses, that suffix could be anything within that 64 bits. How are you supposed to route, when the addresses could be anything?

            • Tanya 0

              @jknott of course it breaks SLAAC, but I want subnet splitting in a server rack with webservers. I don't need and I don't want SLAAC there. Fixed IPv6 only.
              And that always works with NDproxy.
              It's 2023, so customers want their websites to have both IPv4 and IPv6 addresses. Our racks start with a ROUTER (not with a switch) and webservers now have private IPv4 addresses. Provider gives us one /64 block on the WAN side of our pfSense...

              Grrrrrrr, no splitting with pfSense/FreeBSD, no IPv6 for our webservers.
              I guess nobody ever succeeded.
              Frustrating part is: I post this message entering the internet with a split OVH IPv6 address. Works fine.....
              splittedIPV6.jpg

              • JKnott

                @tanya-0

                You can split with a static config, but then you can't use track interface.

                • Tanya 0

                  @jknott Of course you can do a static setup with /120 WAN and /80 LAN to SPLIT the /64 block. But you shall see that the LAN side is unreachable because the multicast Neighbor Discovery doesn't pass from WAN to LAN. With normal routers you configure NDproxy to solve that problem. pfSense is lacking NDproxy. They choose to be the nicest guy in the classroom (indeed: you are not supposed to split a /64 block). But they leave me with a big problem :-(

                  And a /64 IS a lot of IP addresses (4 billion x 4 billion, I guess). Why not split it?

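Added example, not part of any post in this thread: a short Python model of the reachability problem described above, where the upstream router treats the whole /64 as on-link and solicits LAN hosts with link-scope multicast that a router never forwards. The prefixes and hosts are constructed from the 2001:db8::/32 documentation range, the function names are hypothetical, and the generated command follows the Linux form quoted in the first post.

```python
import ipaddress

# ff02::1:ff00:0/104 is the solicited-node multicast range (RFC 4291).
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))

def solicited_node(addr):
    """Group a Neighbor Solicitation for addr is sent to: base + low 24 bits."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)

def multicast_scope(group):
    """Scope nibble of a multicast address; 2 is link-local (not forwarded)."""
    return ipaddress.IPv6Address(group).packed[1] & 0x0F

def needs_proxy(provider_prefix, lan_prefix, host):
    """True when the upstream router sees host as on-link on the WAN
    segment although it actually sits behind our router on the LAN."""
    host = ipaddress.IPv6Address(host)
    return (host in ipaddress.IPv6Network(provider_prefix)
            and host in ipaddress.IPv6Network(lan_prefix))

def proxy_plan(provider_prefix, lan_prefix, hosts, wan_if="eth0"):
    """One entry per LAN host the WAN side must answer Neighbor Discovery for."""
    plan = []
    for h in hosts:
        if not needs_proxy(provider_prefix, lan_prefix, h):
            continue
        group = solicited_node(h)
        plan.append({
            "host": h,
            "ns_group": str(group),
            "forwarded": multicast_scope(group) != 2,
            "linux_cmd": f"ip -6 neigh add proxy {h} dev {wan_if}",
        })
    return plan

# Constructed sample values (documentation prefix), not taken from the thread.
PROVIDER = "2001:db8:ac:2604::/64"       # single /64 handed out by the provider
LAN = "2001:db8:ac:2604:b055::/80"       # slice routed to the server rack
HOSTS = ["2001:db8:ac:2604:b055::1005",  # web server on the LAN slice
         "2001:db8:ac:2604::10",         # genuinely on the WAN segment
         "2001:db8:ff::1"]               # outside the provider prefix

if __name__ == "__main__":
    for entry in proxy_plan(PROVIDER, LAN, HOSTS):
        print(entry)
```

Only the first host produces an entry: its solicitation goes to a scope-2 group on the WAN link, so something on that link has to answer for it.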
                  • NightlyShark

                    @tanya-0 I believe those decisions are made either from a performance standpoint (must be cheaper resource-wise to not have to handle network prefixes greater than half the address), a security standpoint (most pfSense subsystems, which are dependent on the specific implementation of the BSD kernel, would IM ignorant O have to be re-written to change the long-standing in-code "assumptions" about the IPv6 netstack, which would introduce bugs and vulnerabilities that would take a lot of revisions to be ironed out and would reduce customer trust in the product) and a demand standpoint (not many of us, either pros like you or enthusiasts like me, ask for that specific thing, I think).
