NPt and ICMP6 neighbor solicitions?

mhugo

Hi,

I'm trying to get  NPt  to work on a native IPV6 link. 
To keep things simple I have an internal LAN and a single WAN and a  single NPt rule

The problem comes in when I  try to ping6 something in that I don't get any echo reply but I get an ICMP6 request from the ISP router that goes unanswered.  Any hints?

ping6 from LAN computer

15:57:02.566961 IP6 2606:400:xx:xx:33:f56f:e112:e458 > 2001:4860:4001:801::1010: ICMP6, echo request, seq 23, length 40
15:57:03.576654 IP6 fe80::216:46ff:fe14:ae3f > ff02::1:ffc0:e458: ICMP6, neighbor solicitation, who has 2606:400:xx:xx:33:f56f:e112:e458, length 32

ping6 from pfsense shell

15:52:40.257878 IP6 2606:400:xx:xx:55:7fff:fc11:b5f5 > 2001:4860:4001:801::1010: ICMP6, echo request, seq 4, length 16
15:52:40.263991 IP6 2001:4860:4001:801::1010 > 2606:400:xx:xx:55:7fff:fc11:b5f5: ICMP6, echo reply, seq 4, length 16

Just to confirm the WAN IP address is a  /64 so unless I'm missing something the ip addresses that NPt is using for the LAN translation is within the range of the adapter.

WAN

inet6 2606:400:xx:xx:55:7fff:fc11:b5f5 prefixlen 64 autoconf

LAN

inet6 fc00:400:xx:xx:55:7fff:fc11:b5f6 prefixlen 64

As far a  I can tell NPt is doing its thing as the IPv6 address it generated were all inline with the address scope I have. 
It appears that the upstream  router is trying to figure out how to route the packet back and sense out a ICMPv6 message that Pfsense either ignores or I don't have a setting for.  I have firewalls rules right now that are wide open to allow anything ipv6 to go in and out of both the LAN and WAN subnets.  Obviously those will need to be updated once things start to work but since I'm trying to understand a thing or two about IPV6 and its various protocols I'm not worried about firewall rules right now.

Any help would be appreciated.

jimp

NPt does not work to translate from the LAN subnet to the WAN subnet in that way.

The only way that works on IPv4 is when you add proxy ARP, carp, or IP alias VIPs for all the hosts you want to answer for on the WAN, so that it answers ARP for them.

That isn't feasible on IPv6 unless you only have a handful of IPs to work with, in which case adding IP alias VIPs should do the trick.

The main purpose of NPt is to translate between two different subnets routed to you, or between a "private" IPv6 subnet and a subnet routed to you. (Such as two he.net tunnels using the routed /64 networks and not the tunnel interconnect subnets.

mhugo

Jimp,

Thanks for the reply.  Adding a single an IP Alias VIP worked around the issue for at least a single IP address just like you described.

After reading the NPt RFC (rfc6296) I am a bit disappointed in that there is no attempt at trying to make it work without a routed subnet but can understand the complexity of doing so especially since the IP address mapping is done on the fly in programmatic fashion and hence there is no sure way of know what address need to be advertised.  Really is a shame as I can see uses for this without the aid of routing.

jimp

It could be possible in the future if we discover some sort of "proxy NDP" type daemon for FreeBSD that would arbitrarily respond to NDP requests for an entire prefix.

IPv6 really doesn't like NAT though. The intent was to route everything as much as possible and do no NAT.