Netgate Discussion Forum

    NPt and ICMP6 neighbor solicitations?

      mhugo

      Hi,

      I'm trying to get NPt to work on a native IPv6 link.
      To keep things simple I have an internal LAN, a single WAN and a single NPt rule.

      The problem comes in when I try to ping6 something: I don't get any echo reply, but I get an ICMP6 request from the ISP router that goes unanswered. Any hints?

      ping6 from LAN computer

      15:57:02.566961 IP6 2606:400:xx:xx:33:f56f:e112:e458 > 2001:4860:4001:801::1010: ICMP6, echo request, seq 23, length 40
      15:57:03.576654 IP6 fe80::216:46ff:fe14:ae3f > ff02::1:ffc0:e458: ICMP6, neighbor solicitation, who has 2606:400:xx:xx:33:f56f:e112:e458, length 32

      ping6 from pfsense shell

      15:52:40.257878 IP6 2606:400:xx:xx:55:7fff:fc11:b5f5 > 2001:4860:4001:801::1010: ICMP6, echo request, seq 4, length 16
      15:52:40.263991 IP6 2001:4860:4001:801::1010 > 2606:400:xx:xx:55:7fff:fc11:b5f5: ICMP6, echo reply, seq 4, length 16

      Just to confirm, the WAN IP address is a /64, so unless I'm missing something the IP addresses that NPt is using for the LAN translation are within the range of the adapter.

      WAN

      inet6 2606:400:xx:xx:55:7fff:fc11:b5f5 prefixlen 64 autoconf

      LAN

      inet6 fc00:400:xx:xx:55:7fff:fc11:b5f6 prefixlen 64

      As far as I can tell NPt is doing its thing, as the IPv6 addresses it generated were all in line with the address scope I have.
      It appears that the upstream router is trying to figure out how to route the packet back and sends out an ICMPv6 message that pfSense either ignores or I don't have a setting for. I have firewall rules right now that are wide open to allow anything IPv6 to go in and out of both the LAN and WAN subnets. Obviously those will need to be updated once things start to work, but since I'm trying to understand a thing or two about IPv6 and its various protocols, I'm not worried about firewall rules right now.

      Any help would be appreciated.

        jimp Rebel Alliance Developer Netgate

        NPt does not work to translate from the LAN subnet to the WAN subnet in that way.

        The only way that works on IPv4 is when you add proxy ARP, carp, or IP alias VIPs for all the hosts you want to answer for on the WAN, so that it answers ARP for them.

        That isn't feasible on IPv6 unless you only have a handful of IPs to work with, in which case adding IP alias VIPs should do the trick.

        The main purpose of NPt is to translate between two different subnets routed to you, or between a "private" IPv6 subnet and a subnet routed to you (such as two he.net tunnels using the routed /64 networks and not the tunnel interconnect subnets).

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          mhugo

          Jimp,

          Thanks for the reply. Adding a single IP Alias VIP worked around the issue for at least a single IP address, just like you described.

          After reading the NPt RFC (RFC 6296) I am a bit disappointed in that there is no attempt at trying to make it work without a routed subnet, but I can understand the complexity of doing so, especially since the IP address mapping is done on the fly in programmatic fashion and hence there is no sure way of knowing what addresses need to be advertised. It really is a shame, as I can see uses for this without the aid of routing.

            jimp Rebel Alliance Developer Netgate

            It could be possible in the future if we discover some sort of "proxy NDP" type daemon for FreeBSD that would arbitrarily respond to NDP requests for an entire prefix.

            IPv6 really doesn't like NAT though. The intent was to route everything as much as possible and do no NAT.

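Added example, not part of the thread and not pfSense's code: the checksum-neutral mapping specified in RFC 6296 (the RFC mentioned above), plus the solicited-node multicast group an upstream router would send a neighbor solicitation to for each translated address when the external prefix is on-link rather than routed. Function names and the sample prefixes are constructed; whether pfSense's NPt follows RFC 6296 exactly is not stated in the thread.

```python
import functools
import ipaddress

def words(addr):
    """Split an IPv6 address into eight 16-bit words."""
    n = int(ipaddress.IPv6Address(addr))
    return [(n >> (112 - 16 * i)) & 0xFFFF for i in range(8)]

def add1c(a, b):
    """16-bit one's-complement addition (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def sum1c(ws):
    return functools.reduce(add1c, ws, 0)

def npt_translate(addr, internal, external):
    """Map addr from the internal to the external prefix per RFC 6296."""
    src, dst = ipaddress.IPv6Network(internal), ipaddress.IPv6Network(external)
    host = ipaddress.IPv6Address(addr)
    if src.prefixlen != dst.prefixlen or src.prefixlen > 64 or host not in src:
        raise ValueError("prefixes must be equal length (<= /64) and contain addr")
    w = words(int(dst.network_address) | (int(host) & int(src.hostmask)))
    # Adjustment = sum(internal prefix) - sum(external prefix), one's complement.
    adj = add1c(sum1c(words(src.network_address)),
                0xFFFF ^ sum1c(words(dst.network_address)))
    # /48 or shorter: adjust the subnet word; longer: first IID word != 0xFFFF.
    candidates = [3] if src.prefixlen <= 48 else [4, 5, 6, 7]
    idx = next((i for i in candidates if w[i] != 0xFFFF), None)
    if idx is None:
        raise ValueError("address cannot be translated (candidate words 0xFFFF)")
    w[idx] = add1c(w[idx], adj) % 0xFFFF  # a result of 0xFFFF is written as 0
    return ipaddress.IPv6Address(sum(x << (112 - 16 * i) for i, x in enumerate(w)))

def solicited_node(addr):
    """Multicast group a neighbor solicitation for addr is sent to (RFC 4291)."""
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | (int(ipaddress.IPv6Address(addr)) & 0xFFFFFF))

def addresses_to_answer_for(hosts, internal, external):
    """(translated address, solicited-node group) for each LAN host."""
    mapped = [npt_translate(h, internal, external) for h in hosts]
    return [(str(t), str(solicited_node(t))) for t in mapped]

# Constructed sample (ULA and documentation prefixes), not from the thread.
if __name__ == "__main__":
    print(addresses_to_answer_for(["fd00:0:0:1::10", "fd00:0:0:1::20"],
                                  "fd00:0:0:1::/64", "2001:db8:0:1::/64"))
```

With /64 prefixes the adjustment lands in the interface identifier, so the translated address is not a plain prefix swap; each address returned here is one the firewall would need an IP alias VIP for if the external prefix is the WAN's own /64.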
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.